From aef00dae5c55919e9a36e61c0db00869067dd285 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 21 Jan 2019 20:33:00 +0100
Subject: gnutls_pkcs11_privkey_import_url: enable RSA-PSS only when an RSA key can sign

In gnutls_pkcs11_privkey_import_url() we only enabled RSA-PSS functionality to the key if the CKM_RSA_PKCS_PSS mechanism is available to the token. However, if the specific key is not marked for use with digital signatures (CKA_SIGN set), then we may have still ended-up using it and fail when using it. We now test whether CKA_SIGN is set prior to enabling such keys for PSS.

Resolves: #667

Signed-off-by: Nikos Mavrogiannopoulos
---
 NEWS | 3 +++
 lib/pkcs11_privkey.c | 12 ++++++++++--
 tests/pkcs11/tls-neg-pkcs11-key.c | 8 ++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index b109e78b6e..9d3a7d8c65 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ See the end for copying conditions.
 This solves a regression since 3.5.x and improves compatibility of the server side with certain clients.
+** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
+ the CKA_SIGN is not set (#667).
+
 ** GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was buggy and non-functional.
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index bf69b69ce4..53a2d8a937 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -581,17 +581,25 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
 if (pkey->pk_algorithm == GNUTLS_PK_RSA) {
 /* determine whether it can do rsa-pss */
+ ck_bool_t tval = 0;
+
 a[0].type = CKA_MODULUS;
 a[0].value = NULL;
 a[0].value_len = 0;
- if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 1)
+ a[1].type = CKA_SIGN;
+ a[1].value = &tval;
+ a[1].value_len = sizeof(tval);
+ if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 2)
 == CKR_OK) {
 pkey->bits = a[0].value_len*8;
 }
 ret = gnutls_pkcs11_token_check_mechanism(url, CKM_RSA_PKCS_PSS, NULL, 0, 0);
- if (ret != 0)
+ if (ret != 0 && tval) {
 pkey->rsa_pss_ok = 1;
+ } else {
+ _gnutls_debug_log("Detected incompatible with TLS1.3 RSA key! (%s)\n", url);
+ }
 }
 a[0].type = CKA_ALWAYS_AUTHENTICATE;
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
index 764e93b6ad..f91414a6af 100644
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -280,6 +280,14 @@ static const test_st tests[] = {
 .exp_kx = GNUTLS_KX_RSA,
 .needs_decryption = 1
 },
+ {.name = "tls1.2: rsa-decryption key, signatures prioritized",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+RSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256",
+ .cert = &server_ca3_localhost_cert,
+ .key = &server_ca3_key,
+ .exp_kx = GNUTLS_KX_RSA,
+ .needs_decryption = 1
+ },
 {.name = "tls1.2: ecc key",
 .pk = GNUTLS_PK_ECDSA,
 .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
--
cgit v1.2.1
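Review bot: Folding the CKA_SIGN query into the existing pkcs11_get_attribute_value call makes `pkey->bits` depend on it: if the wrapper reports the token's non-CKR_OK status when CKA_SIGN cannot be read, the `== CKR_OK` branch is skipped and `pkey->bits` stays unset, which the previous single-attribute call (`a, 1`) did not risk. Keeping the modulus query at `a, 1` and reading the flag in a second call, `if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, &a[1], 1) != CKR_OK) tval = 0;`, keeps the size lookup independent while still failing closed (PSS stays disabled) when the flag is unreadable. The declaration of `a` is outside the hunk, so I could not confirm it holds at least two entries. The else-branch log fires both when CKM_RSA_PKCS_PSS is unsupported by the token and when CKA_SIGN is unset, so a message blaming the key is misleading in the first case; logging `ret` and `tval` separately would make diagnosis easier. gnutls_pkcs11_privkey_import_url starts and ends outside the hunk.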