gnutls_pkcs11_privkey_import_url: enable RSA-PSS only when an RSA key can signtmp-key-rsa-pss

In gnutls_pkcs11_privkey_import_url() we only enabled RSA-PSS functionality to the key if the CKM_RSA_PKCS_PSS mechanism is available to the token. However, if the specific key is not marked for use with digital signatures (CKA_SIGN set), then we may have still ended-up using it and fail when using it. We now test whether CKA_SIGN is set prior to enabling such keys for PSS. Resolves: #667 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2019-01-21 20:33:00 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2019-01-22 09:50:48 +0100
commit: aef00dae5c55919e9a36e61c0db00869067dd285 (patch)
tree: ebc427259f60079c9e76b6021e845a1c585b50f3 /NEWS
parent: 69bd75e39d0ddd4e86630facf38e7bf3186f3b06 (diff)
download: gnutls-aef00dae5c55919e9a36e61c0db00869067dd285.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index b109e78b6e..9d3a7d8c65 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ See the end for copying conditions.
    This solves a regression since 3.5.x and improves compatibility of the server
    side with certain clients.
 
+** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
+   the CKA_SIGN is not set (#667).
+
 ** GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous
    definition was buggy and non-functional.
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2019-01-21 20:33:00 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2019-01-22 09:50:48 +0100
commit	aef00dae5c55919e9a36e61c0db00869067dd285 (patch)
tree	ebc427259f60079c9e76b6021e845a1c585b50f3 /NEWS
parent	69bd75e39d0ddd4e86630facf38e7bf3186f3b06 (diff)
download	gnutls-aef00dae5c55919e9a36e61c0db00869067dd285.tar.gz