From 62e7cc66d066bc2a7933f52dc08690f2db88be05 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 10 Oct 2023 15:18:11 +0200
Subject: [PATCH] Specify key usage to be digital signature

If not set, the created keys allows signing plus decrypt which is bad
practice. Setting the key usage explicitly will generate keys that
allow only signing.
---
 lib/dns/opensslecdsa_link.c | 6 ++++--
 lib/dns/opensslrsa_link.c   | 8 +++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 9ca9abad89..2c99650285 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -416,11 +416,13 @@ opensslecdsa_generate_pkey_with_uri(int group_nid, const char *label,
 	isc_result_t ret;
 	char *uri = UNCONST(label);
 	EVP_PKEY_CTX *ctx = NULL;
-	OSSL_PARAM params[2];
+	OSSL_PARAM params[3];
 
 	/* Generate the key's parameters. */
 	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
-	params[1] = OSSL_PARAM_construct_end();
+	params[1] = OSSL_PARAM_construct_utf8_string(
+		"pkcs11_key_usage", (char *)"digitalSignature", 0);
+	params[2] = OSSL_PARAM_construct_end();
 
 	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", "provider=pkcs11");
 	if (ctx == NULL) {
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index e1e804bbdc..6e26f8651b 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -500,14 +500,16 @@ static isc_result_t
 opensslrsa_generate_pkey_with_uri(size_t key_size, const char *label,
 				  EVP_PKEY **retkey) {
 	EVP_PKEY_CTX *ctx = NULL;
-	OSSL_PARAM params[3];
+	OSSL_PARAM params[4];
 	char *uri = UNCONST(label);
 	isc_result_t ret;
 	int status;
 
 	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
-	params[1] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
-	params[2] = OSSL_PARAM_construct_end();
+	params[1] = OSSL_PARAM_construct_utf8_string(
+		"pkcs11_key_usage", (char *)"digitalSignature", 0);
+	params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
+	params[3] = OSSL_PARAM_construct_end();
 
 	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
 	if (ctx == NULL) {