Support additional types of certificates

[fpoirotte]

Hello,

Trying to load a custom certificate & key with pcs pcsd certkey localhost.pem localhost.key gave me the following error:

Error: Invalid key: 140223656355744:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:p_lib.c:288:

Indeed, the certificate uses the ECDSA family of algorithms, which do not seem to be supported yet:

$ openssl x509 -noout -text -in /etc/pki/tls/certs/localhost.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14169319637959834167 (0xc4a38923718ffa37)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ca.example.com
        Validity
            Not Before: Jan 04 17:32:19 2016 GMT
            Not After : Jan 04 17:32:19 2017 GMT
        Subject: CN=host1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:da:df:4a:46:2f:a0:97:c7:de:4e:5a:5d:16:01:
                    9e:f4:33:fb:67:bc:1b:98:13:a5:76:3d:83:9f:ee:
                    37:b0:a6:3c:e2:60:fe:54:5f:90:57:09:57:a0:23:
                    f2:8e:cc:95:24:12:e8:ca:11:3f:9c:bb:64:77:e4:
                    ed:98:f4:1d:23:cd:c0:29:cd:3b:3c:03:e6:09:b0:
                    7e:f4:1d:63:57:0e:ed:dd:84:76:cc:3b:07:97:cd:
                    0e:40:c2:74:bf:b1:83
                ASN1 OID: secp384r1
    ...

Would it be possible to add support for other types of certificates in addition to just RSA ones?

[tomjelinek]

Hi,

code related to TLS certificates has been overhauled in commit d6fc2a5. It now supports more types of certificates than just RSA.