author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-04-20 18:46:23 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-04-25 08:48:36 +0200 |
commit | 86640a54f758f24fd13c83ec2c64a3270e461794 (patch) | |
tree | b0cdafe10adf4988cc20b13d9cb3549538130d1a /src | |
parent | d3ee878e02d9804787179993de513d27b3e53f80 (diff) | |
download | gnutls-86640a54f758f24fd13c83ec2c64a3270e461794.tar.gz |
certtool: refuse to accept an incompatible key type
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 4d2b7c6a98..6623b86385 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -92,9 +92,11 @@ static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st *
 FILE *outfile;
 static const char *outfile_name = NULL; /* to delete on exit */
+#define REQ_KEY_TYPE_DEFAULT GNUTLS_PK_RSA
+
 FILE *infile;
 static unsigned int incert_format, outcert_format;
-static unsigned int req_key_type = GNUTLS_PK_RSA;
+static unsigned int req_key_type = REQ_KEY_TYPE_DEFAULT;
 gnutls_certificate_print_formats_t full_format = GNUTLS_CRT_PRINT_FULL;
 /* non interactive operation if set
@@ -719,6 +721,13 @@ generate_certificate(gnutls_privkey_t * ret_key,
 		app_exit(1);
 	}
+	if ((HAVE_OPT(KEY_TYPE) || req_key_type != REQ_KEY_TYPE_DEFAULT) && req_key_type != pk) {
+		if (pk != GNUTLS_PK_RSA || req_key_type != GNUTLS_PK_RSA_PSS) {
+			fprintf(stderr, "cannot set certificate type (%s) incompatible with the key (%s)\n",
+				gnutls_pk_get_name(req_key_type), gnutls_pk_get_name(pk));
+			app_exit(1);
+		}
+	}
 	/* Set algorithm parameter restriction in CAs. */
@@ -1257,7 +1266,9 @@ static void cmd_parser(int argc, char **argv)
 	outcert_format = GNUTLS_X509_FMT_PEM;
 	/* legacy options */
-	if (HAVE_OPT(DSA)) {
+	if (HAVE_OPT(RSA)) {
+		req_key_type = GNUTLS_PK_RSA;
+	} else if (HAVE_OPT(DSA)) {
 		req_key_type = GNUTLS_PK_DSA;
 	} else if (HAVE_OPT(ECC)) {
 		req_key_type = GNUTLS_PK_ECDSA;
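Review bot: The `req_key_type != REQ_KEY_TYPE_DEFAULT` test in the new generate_certificate() check cannot distinguish an explicit `--rsa` from no option at all, because the cmd_parser hunk maps `HAVE_OPT(RSA)` to GNUTLS_PK_RSA, which is exactly REQ_KEY_TYPE_DEFAULT; assuming cmd_parser runs before this point, `--rsa` paired with a non-RSA key therefore still passes silently unless `--key-type` was also given. Adding the legacy flag to the outer condition closes that gap: `if ((HAVE_OPT(KEY_TYPE) || HAVE_OPT(RSA) || req_key_type != REQ_KEY_TYPE_DEFAULT) && req_key_type != pk) {`. The inner exception `pk != GNUTLS_PK_RSA || req_key_type != GNUTLS_PK_RSA_PSS` deserves a one-line comment such as `/* an RSA key may be certified as RSA-PSS; every other mismatch is refused */`, since the double negation hides its intent. generate_certificate() begins before this hunk and `pk` is assigned outside it, so I could not confirm from the hunk alone that `pk` is set on every path reaching the check.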