diff options
author | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2019-01-23 15:17:00 +0000 |
---|---|---|
committer | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2019-01-23 15:17:00 +0000 |
commit | 0d8ebf4ec05aa8f55b3cc66fabdacf25fa3cf871 (patch) | |
tree | d373fa9193ea6120ba5725387a4233f69659a60c /lib | |
parent | d1ac5403102a48b9c3187011beeac410b892d1ca (diff) | |
parent | aef00dae5c55919e9a36e61c0db00869067dd285 (diff) | |
download | gnutls-0d8ebf4ec05aa8f55b3cc66fabdacf25fa3cf871.tar.gz |
Merge branch 'tmp-key-rsa-pss' into 'master'
gnutls_pkcs11_privkey_import_url: enable RSA-PSS only when an RSA key can sign
Closes #667
See merge request gnutls/gnutls!884
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pkcs11_privkey.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index bf69b69ce4..53a2d8a937 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -581,17 +581,25 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey, if (pkey->pk_algorithm == GNUTLS_PK_RSA) { /* determine whether it can do rsa-pss */ + ck_bool_t tval = 0; + a[0].type = CKA_MODULUS; a[0].value = NULL; a[0].value_len = 0; - if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 1) + a[1].type = CKA_SIGN; + a[1].value = &tval; + a[1].value_len = sizeof(tval); + if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 2) == CKR_OK) { pkey->bits = a[0].value_len*8; } ret = gnutls_pkcs11_token_check_mechanism(url, CKM_RSA_PKCS_PSS, NULL, 0, 0); - if (ret != 0) + if (ret != 0 && tval) { pkey->rsa_pss_ok = 1; + } else { + _gnutls_debug_log("Detected incompatible with TLS1.3 RSA key! (%s)\n", url); + } } a[0].type = CKA_ALWAYS_AUTHENTICATE; |