certtool: only suggest --sec-param if bits matches exactly (!1530) · Merge requests · gnutls / GnuTLS

Daiki Ueno requested to merge dueno/gnutls:wip/dueno/certtool-pk into master Feb 10, 2022

Previously, when generating an RSA key with --bits=4096, certtool suggested:

  ** Note: You may use '--sec-param High' instead of '--bits 4096'

while the effect is not exactly the same: '--sec-param High' implies 3072 bits. This adds a check whether the --sec-param argument matches the actual bit length and otherwise omit the warning.

Fixes: #1320

Checklist

Commits have Signed-off-by: with name/author being identical to the commit author
Code modified for feature
Test suite updated with functionality tests
Test suite updated with negative tests
Documentation updated / NEWS entry present (for non-trivial changes)
CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

Reviewer's checklist:

Any issues marked for closing are addressed
There is a test suite reasonably covering new functionality or modifications
Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
This feature/change has adequate documentation added
No obvious mistakes in the code

certtool: only suggest --sec-param if bits matches exactly

Checklist

Reviewer's checklist:

Merge request reports