diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-01-21 20:33:00 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-01-22 09:50:48 +0100 |
commit | aef00dae5c55919e9a36e61c0db00869067dd285 (patch) | |
tree | ebc427259f60079c9e76b6021e845a1c585b50f3 /NEWS | |
parent | 69bd75e39d0ddd4e86630facf38e7bf3186f3b06 (diff) | |
download | gnutls-aef00dae5c55919e9a36e61c0db00869067dd285.tar.gz |
gnutls_pkcs11_privkey_import_url: enable RSA-PSS only when an RSA key can signtmp-key-rsa-pss
In gnutls_pkcs11_privkey_import_url() we only enabled RSA-PSS functionality to
the key if the CKM_RSA_PKCS_PSS mechanism is available to the token. However,
if the specific key is not marked for use with digital signatures (CKA_SIGN
set), then we may have still ended-up using it and fail when using it. We
now test whether CKA_SIGN is set prior to enabling such keys for PSS.
Resolves: #667
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -20,6 +20,9 @@ See the end for copying conditions. This solves a regression since 3.5.x and improves compatibility of the server side with certain clients. +** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if + the CKA_SIGN is not set (#667). + ** GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was buggy and non-functional. |