authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-26 15:41:51 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-04 09:38:27 +0200
commit4267ef871db68c3981e44b8581d77894a2173b54 (patch)
treec6c7e083947780a039d2736b6cec14387d103fef
parent7995e79c48105a16e6e130139e3807ad6224f5b1 (diff)
certtool: copy SPKI information from private key when available
This also addresses a bug due to which the SPKI information was not being set. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/certtool.c29
1 files changed, 14 insertions, 15 deletions
diff --git a/src/certtool.c b/src/certtool.c
index e4421c2dd1..906ab9f500 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -292,6 +292,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
int vers;
unsigned int usage = 0, server, ask;
gnutls_x509_crq_t crq; /* request */
+ unsigned pk;
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
@@ -359,6 +360,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
gnutls_pubkey_deinit(pubkey);
} else {
+
result = gnutls_x509_crt_set_crq(crt, crq);
if (result < 0) {
fprintf(stderr, "set_crq: %s\n",
@@ -369,6 +371,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
crq_extensions_set(crt, crq);
}
+ pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL);
{
size_t serial_size;
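Review bot: The value returned by gnutls_x509_crt_get_pk_algorithm() is stored into `pk` without a check, and the variable is declared `unsigned pk;` in the first hunk where the removed local was `int pk`; the function returns an int that is negative on error, so an error code becomes a large unsigned value and every later `pk == GNUTLS_PK_...` comparison quietly fails instead of the error being reported. Declaring it `int pk;` and adding `if (pk < 0) { fprintf(stderr, "get_pk_algorithm: %s\n", gnutls_strerror(pk)); app_exit(1); }` right after the call keeps the failure visible, matching how the surrounding code treats other negative results. generate_certificate() starts and ends outside this hunk.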
@@ -516,11 +519,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
if (!ca_status || server) {
- int pk;
-
-
- pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL);
-
if (pk == GNUTLS_PK_RSA) { /* DSA and ECDSA keys can only sign. */
result = get_sign_status(server);
if (result)
@@ -691,9 +689,9 @@ generate_certificate(gnutls_privkey_t * ret_key,
app_exit(1);
}
- /* Algorithm restriction.
+ /* Set algorithm parameter restriction in CAs.
*/
- if (req_key_type == GNUTLS_PK_RSA_PSS) {
+ if (pk == GNUTLS_PK_RSA_PSS && ca_status && key) {
gnutls_x509_spki_t spki;
result = gnutls_x509_spki_init(&spki);
@@ -703,16 +701,17 @@ generate_certificate(gnutls_privkey_t * ret_key,
app_exit(1);
}
- gnutls_x509_spki_set_pk_algorithm(spki, GNUTLS_PK_RSA_PSS);
- gnutls_x509_spki_set_digest_algorithm(spki, get_dig(crt));
+ result = gnutls_privkey_get_spki(key, spki, 0);
+ if (result >= 0) {
+ result = gnutls_x509_crt_set_spki(crt, spki, 0);
+ if (result < 0) {
+ fprintf(stderr, "error setting RSA-PSS SPKI information: %s\n",
+ gnutls_strerror(result));
+ app_exit(1);
+ }
+ }
- result = gnutls_x509_crt_set_spki(crt, spki, 0);
gnutls_x509_spki_deinit(spki);
- if (result < 0) {
- fprintf(stderr, "error setting signing algorithm: %s\n",
- gnutls_strerror(result));
- app_exit(1);
- }
}
*ret_key = key;
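Review bot: The `if (result >= 0)` after the new gnutls_privkey_get_spki() call treats every failure as "no SPKI information available", so an unexpected error from the library is silently dropped, and because the explicit gnutls_x509_spki_set_pk_algorithm()/set_digest_algorithm() calls are removed, an RSA-PSS CA whose key carries no parameters is now written without any restriction at all. That appears to be the intent of "when available" in the commit message, but nothing in the code says so; a comment such as `/* The key may carry no SPKI parameters; only in that case is the CA restriction omitted. */` would help, and the branch could be narrowed to the specific error code the library returns for a key without parameters (verify which one) so that other failures still reach app_exit(1). The comment in the previous hunk, "Set algorithm parameter restriction in CAs.", should also mention that the restriction is copied from the private key rather than derived from the requested digest. generate_certificate() continues past this hunk.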