[gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Feb 4 10:26:54 CET 2025
Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1653
On Fedora gnutls-3.8.8-3.fc41 and/or master (2b8c3e4c), I can't seem to generate a PKCS#8 RSA-OAEP key without going into FIPS mode or going beyond certtool.
* `certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> raw RSA key with no OAEP parameters encoded
* `certtool --generate-privkey --key-type rsa-oaep --outfile oaep --p8` -> same, raw RSA key
but
* `env GNUTLS_FORCE_FIPS_MODE=1 certtool --generate-privkey --key-type rsa-oaep --outfile oaep` -> `:rsaesOaep` OID key with `:1.3.6.1.4.1.2312.18.8.1` validation params present
despite
* `env GNUTLS_FORCE_FIPS_MODE=1 build/src/certtool --generate-privkey --key-type rsa-oaep --outfile oaep --provable` -> `The --provable parameter can only be used with RSA and DSA keys.`
That doesn't look right to me at all, I'd rather expect all of the above to produce `:rsaesOaep`-tagged keys and `--provable` not tell me I cannot generate provable keys when I actually can.
My current workaround is to generate regular RSA keys, import and `gnutls_x509_spki_set_rsa_oaep_params()` them into OAEP keys with the parameters I need.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20250204/6710c21f/attachment.html>
More information about the Gnutls-devel
mailing list