-rw-r--r-- | src/certtool-common.c | 18 | ||||
-rw-r--r-- | src/certtool-common.h | 14 | ||||
-rw-r--r-- | src/certtool.c | 4 |
3 files changed, 15 insertions, 21 deletions
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 6a7d983fd7..fa834f83e5 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -1286,7 +1286,7 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
 if (cinfo->outcert_format == GNUTLS_X509_FMT_PEM)
 privkey_info_int(outfile, cinfo, key);
- switch_to_pkcs8_when_needed(cinfo, gnutls_x509_privkey_get_pk_algorithm(key));
+ switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key));
 if (!cinfo->pkcs8) {
@@ -1298,22 +1298,6 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
 gnutls_strerror(ret));
 app_exit(1);
 }
-
- if (cinfo->no_compat == 0 && gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST) {
- gnutls_x509_privkey_set_flags(key, GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
-
- fwrite(lbuffer, 1, size, outfile);
-
- size = lbuffer_size;
- ret = gnutls_x509_privkey_export(key, cinfo->outcert_format,
- lbuffer, &size);
- if (ret < 0) {
- fprintf(stderr, "privkey_export: %s\n",
- gnutls_strerror(ret));
- app_exit(1);
- }
- }
-
 } else {
 unsigned int flags = 0;
 const char *pass;
diff --git a/src/certtool-common.h b/src/certtool-common.h
index a4a8b5e085..066c98d5fe 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -81,15 +81,25 @@ typedef struct common_info {
 } common_info_st;
 static inline
-void switch_to_pkcs8_when_needed(common_info_st *cinfo, unsigned key_type)
+void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t key, unsigned key_type)
 {
- if ((key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519) && !cinfo->pkcs8) {
+ if (cinfo->pkcs8)
+ return;
+
+ if ((key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519)) {
 fprintf(stderr, "Assuming --pkcs8 is given; %s private keys can only be exported in PKCS#8 format\n",
 gnutls_pk_algorithm_get_name(key_type));
 cinfo->pkcs8 = 1;
 if (cinfo->password == NULL)
 cinfo->password = "";
 }
+
+ if (gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST) {
+ fprintf(stderr, "Assuming --pkcs8 is given; provable private keys can only be exported in PKCS#8 format\n");
+ cinfo->pkcs8 = 1;
+ if (cinfo->password == NULL)
+ cinfo->password = "";
+ }
 }
 /* this must be provided by the app */
diff --git a/src/certtool.c b/src/certtool.c
index 7afbb8297e..f0b154b8c5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -149,8 +149,6 @@ generate_private_key_int(common_info_st * cinfo)
 bits = get_bits(key_type, cinfo->bits, cinfo->sec_param, 1);
- switch_to_pkcs8_when_needed(cinfo, key_type);
-
 if (key_type == GNUTLS_PK_ECDSA || key_type == GNUTLS_PK_EDDSA_ED25519) {
 char name[64];
 int ecc_bits;
@@ -197,6 +195,8 @@ generate_private_key_int(common_info_st * cinfo)
 app_exit(1);
 }
+ switch_to_pkcs8_when_needed(cinfo, key, key_type);
+
 if (cinfo->seed_size > 0) {
 kdata[kdata_size].type = GNUTLS_KEYGEN_SEED;
 kdata[kdata_size].data = (void*)cinfo->seed; |
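Review bot: The two branches in the new switch_to_pkcs8_when_needed body end with the same three lines (`cinfo->pkcs8 = 1;` and the password default), and because the seed check is not chained with `else` both can fire for one key, printing two "Assuming --pkcs8 is given" lines for an RSA-PSS or Ed25519 key that also carries a seed; the first condition also keeps a redundant pair of parentheses left over from the removed `&& !cinfo->pkcs8`. Computing the reason first and applying the switch once gives one message per key, as in the rewrite below. The block removed from certtool-common.c gated the seed case on `cinfo->no_compat == 0`, which the new check no longer consults, so if the option behind `no_compat` is meant to keep influencing private-key export that needs restoring or documenting. Defaulting `cinfo->password` to "" presumably makes the forced PKCS#8 export unencrypted; if so, the message should tell the user, e.g. `"... can only be exported in PKCS#8 format (unencrypted when no password is given)\n"`.
```c
void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t key, unsigned key_type)
{
	const char *why = NULL;

	if (cinfo->pkcs8)
		return;

	/* both cases force PKCS#8; decide the reason once so only one message is printed */
	if (key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519)
		why = gnutls_pk_algorithm_get_name(key_type);
	else if (gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST)
		why = "provable";

	if (why == NULL)
		return;

	fprintf(stderr, "Assuming --pkcs8 is given; %s private keys can only be exported in PKCS#8 format\n", why);
	cinfo->pkcs8 = 1;
	if (cinfo->password == NULL)
		cinfo->password = "";
}
```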
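Review bot: At the new call site `switch_to_pkcs8_when_needed(cinfo, key, key_type)` in generate_private_key_int runs on a key that appears to be only initialised, not yet generated (the preceding `app_exit(1); }` looks like the init failure check, and the seed is only attached to kdata on the lines below), so gnutls_x509_privkey_get_seed presumably cannot report a seed here and the provable case is decided only by the later call from print_private_key shown in the certtool-common.c hunk. If the point of moving the call after init was to catch provable generation up front, the check would have to look at the generation request (`cinfo->seed_size` and the provable option) rather than the empty key; otherwise a comment such as `/* key is empty here: only the algorithm check can apply; the seed check runs again at export time */` would save the next reader the same question. generate_private_key_int starts and ends outside this hunk.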