authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-02-24 09:42:26 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-16 15:47:10 +0100
commitb26a40b616a90ab6af9408cabf228bdec2e15b69 (patch)
tree1f096d27af3aebd8f7cc1f5a24ee5853eb3b2559
parent1d75e116b1681d0e6b140d7530e7f0403088da88 (diff)
downloadgnutls-b26a40b616a90ab6af9408cabf228bdec2e15b69.tar.gz
tests: updated to account SHA1 move to broken set
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rwxr-xr-xtests/cert-tests/aki2
-rwxr-xr-xtests/cert-tests/certtool-long-oids4
-rwxr-xr-xtests/cert-tests/name-constraints4
-rwxr-xr-xtests/cert-tests/pathlen2
-rwxr-xr-xtests/cert-tests/pem-decoding2
-rwxr-xr-xtests/cert-tests/pkcs1-pad4
-rwxr-xr-xtests/cert-tests/pkcs7-cat2
-rw-r--r--tests/chainverify-unsorted.c2
-rw-r--r--tests/cve-2008-4989.c2
-rw-r--r--tests/dn2.c2
-rw-r--r--tests/mini-tdb.c2
-rw-r--r--tests/ocsp.c16
-rwxr-xr-xtests/suite/chain.sh2
-rwxr-xr-xtests/suite/crl-test2
-rwxr-xr-xtests/suite/pkcs7-cat4
-rw-r--r--tests/test-chains.h36
-rw-r--r--tests/x509cert-tl.c4
17 files changed, 47 insertions, 45 deletions
diff --git a/tests/cert-tests/aki b/tests/cert-tests/aki
index 1c72f0d433..e8d39588e3 100755
--- a/tests/cert-tests/aki
+++ b/tests/cert-tests/aki
@@ -36,7 +36,7 @@ if ! test -z "${VALGRIND}"; then
fi
${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/data/aki-cert.pem" \
- |grep -v "Algorithm Security Level" > $TMPFILE
+ |grep -v "Algorithm Security Level"|grep -v ^warning > $TMPFILE
rc=$?
if test "${rc}" != "0"; then
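Review bot: `rc=$?` on the line after the pipeline records the exit status of the final `grep -v ^warning` stage, not of `${CERTTOOL}` (or of valgrind's `--error-exitcode`), so a certtool failure whose partial output still contains non-warning lines is masked; this predates the hunk, but the added stage extends the pipeline, and unless `pipefail` is enabled earlier in the script the check only becomes meaningful if certtool's output is written to a file first and filtered afterwards. Separately, `^warning` discards every line beginning with "warning", so an unrelated warning added to certtool's output later would be silently filtered instead of failing the comparison; matching the specific message, `grep -v '^warning: signed using a broken signature algorithm'`, keeps the test sensitive. The same filter is added in certtool-long-oids, pathlen, pem-decoding, name-constraints and suite/crl-test.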
diff --git a/tests/cert-tests/certtool-long-oids b/tests/cert-tests/certtool-long-oids
index c2e9559326..c06cf73a31 100755
--- a/tests/cert-tests/certtool-long-oids
+++ b/tests/cert-tests/certtool-long-oids
@@ -36,7 +36,7 @@ if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=3"
fi
-${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/long-oids.pem"|grep -v "Not After:" >$OUTFILE
+${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/long-oids.pem"|grep -v "Not After:"|grep -v ^warning >$OUTFILE
rc=$?
if test "${rc}" != 0;then
@@ -44,7 +44,7 @@ if test "${rc}" != 0;then
exit 1
fi
-cat "${srcdir}/data/long-oids.pem" |grep -v "Not After:" >${TMPFILE1}
+cat "${srcdir}/data/long-oids.pem" |grep -v "Not After:"|grep -v ^warning >${TMPFILE1}
$DIFF ${TMPFILE1} ${OUTFILE}
if test $? != 0;then
echo "Error in parsing cert with long OIDs"
diff --git a/tests/cert-tests/name-constraints b/tests/cert-tests/name-constraints
index 9f7e453f36..c28259e25f 100755
--- a/tests/cert-tests/name-constraints
+++ b/tests/cert-tests/name-constraints
@@ -39,7 +39,7 @@ TMPFILE=tmp.$$.pem
check_for_datefudge
datefudge -s "2016-04-22" \
- ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/name-constraints-ip.pem"
+ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile "${srcdir}/data/name-constraints-ip.pem"
rc=$?
if test "${rc}" != "0"; then
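Review bot: `--verify-allow-broken` on the changed line makes the verification succeed with the SHA1-signed test data, but nothing in this script now asserts that the default (no-flag) verification rejects it, so the behaviour the commit is adapting to is left untested here unless a negative case exists elsewhere in the suite. A second invocation without the flag expecting a non-zero `rc` would cover it. The same applies to the other places that add the flag or GNUTLS_VERIFY_ALLOW_BROKEN: pkcs1-pad, pkcs7-cat, suite/chain.sh, suite/pkcs7-cat, cve-2008-4989.c, ocsp.c, x509cert-tl.c, and mini-tdb.c's GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN.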
@@ -55,7 +55,7 @@ if test "${rc}" != "0"; then
exit 1
fi
-${DIFF} "${TMPFILE}" "${srcdir}/data/name-constraints-ip2.pem" >/dev/null 2>&1
+${DIFF} -I ^warning "${TMPFILE}" "${srcdir}/data/name-constraints-ip2.pem" >/dev/null 2>&1
rc=$?
if test "${rc}" != "0"; then
diff --git a/tests/cert-tests/pathlen b/tests/cert-tests/pathlen
index 7f250e03b4..d532012295 100755
--- a/tests/cert-tests/pathlen
+++ b/tests/cert-tests/pathlen
@@ -37,7 +37,7 @@ fi
TMPFILE1=ca-no-pathlen-$$.tmp
TMPFILE2=no-ca-or-pathlen-$$.tmp
${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/data/ca-no-pathlen.pem" \
- |grep -v "Algorithm Security Level" > $TMPFILE1
+ |grep -v "Algorithm Security Level"|grep -v ^warning > $TMPFILE1
rc=$?
if test "${rc}" != "0"; then
diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding
index b4c2a44120..a31f412b48 100755
--- a/tests/cert-tests/pem-decoding
+++ b/tests/cert-tests/pem-decoding
@@ -96,7 +96,7 @@ fi
cat "${srcdir}/data/xmpp-othername.pem" |grep -v "Not After:" >${TMPFILE1}
cat ${TMPFILE} |grep -v "Not After:" >${TMPFILE2}
-${DIFF} -I 'Algorithm Security Level' ${TMPFILE1} ${TMPFILE2} || ${DIFF} -I 'Algorithm Security Level' --strip-trailing-cr ${TMPFILE1} ${TMPFILE2}
+${DIFF} -I ^warning -I 'Algorithm Security Level' ${TMPFILE1} ${TMPFILE2} || ${DIFF} -I 'Algorithm Security Level' --strip-trailing-cr ${TMPFILE1} ${TMPFILE2}
rc=$?
if test "${rc}" != "0"; then
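Review bot: `-I ^warning` is added only to the first `${DIFF}` invocation on the changed line; the `--strip-trailing-cr` fallback after `||` still lacks it, so on a platform where the first comparison fails on line endings the warning line makes the fallback fail as well. The sibling change in suite/crl-test adds the option to both invocations; the same is needed here: `... || ${DIFF} -I ^warning -I 'Algorithm Security Level' --strip-trailing-cr ${TMPFILE1} ${TMPFILE2}`.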
diff --git a/tests/cert-tests/pkcs1-pad b/tests/cert-tests/pkcs1-pad
index bc859cc31d..8fa341b38f 100755
--- a/tests/cert-tests/pkcs1-pad
+++ b/tests/cert-tests/pkcs1-pad
@@ -46,8 +46,8 @@ TMPFILE2=pkcs1-pad-2.$$.tmp
EXPECT1=2002
-datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok.pem" | tee $TMPFILE1 >/dev/null 2>&1
-datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken.pem" | tee $TMPFILE2 >/dev/null 2>&1
+datefudge "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok.pem" | tee $TMPFILE1 >/dev/null 2>&1
+datefudge "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken.pem" | tee $TMPFILE2 >/dev/null 2>&1
out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "`
out2oks=`grep 'Verified.' $TMPFILE2 | wc -l | tr -d " "`
diff --git a/tests/cert-tests/pkcs7-cat b/tests/cert-tests/pkcs7-cat
index f55c085ab2..0f5b82df12 100755
--- a/tests/cert-tests/pkcs7-cat
+++ b/tests/cert-tests/pkcs7-cat
@@ -38,7 +38,7 @@ OUTFILE=out-pkcs7.$$.tmp
check_for_datefudge
datefudge -s "2016-10-1" \
-${VALGRIND} "${CERTTOOL}" --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
+${VALGRIND} "${CERTTOOL}" --verify-allow-broken --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
rc=$?
if test "${rc}" != "0"; then
diff --git a/tests/chainverify-unsorted.c b/tests/chainverify-unsorted.c
index 8dc99bbbd9..f51aff6f23 100644
--- a/tests/chainverify-unsorted.c
+++ b/tests/chainverify-unsorted.c
@@ -603,7 +603,7 @@ void doit(void)
gnutls_x509_crt_t *crts;
unsigned int crts_size, i;
gnutls_x509_trust_list_t tl;
- unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
+ unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN|GNUTLS_VERIFY_ALLOW_BROKEN;
unsigned int not_flags = GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN;
/* this must be called once in the program
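Review bot: GNUTLS_VERIFY_ALLOW_BROKEN is added to `flags` but not to `not_flags` on the following line, so whatever verification uses `not_flags` now runs without it; if that run compares `status` against an exact expected value rather than just non-zero, a bit such as GNUTLS_CERT_INSECURE_ALGORITHM may now be set alongside the unsorted-chain failure — worth confirming against the rest of doit(), which continues outside the hunk. If the omission is intended, a comment such as `/* not_flags deliberately omits ALLOW_BROKEN: the chain must fail either way */` would record it.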
diff --git a/tests/cve-2008-4989.c b/tests/cve-2008-4989.c
index 1e54115659..c745b99dee 100644
--- a/tests/cve-2008-4989.c
+++ b/tests/cve-2008-4989.c
@@ -202,7 +202,7 @@ int main(int argc, char *argv[])
ret = gnutls_x509_crt_list_verify(certs, CHAIN_LENGTH,
&ca, 1,
NULL, 0,
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS|GNUTLS_VERIFY_ALLOW_BROKEN,
&verify_status);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_list_verify[%d]: %s",
diff --git a/tests/dn2.c b/tests/dn2.c
index 9145803923..8732939ac9 100644
--- a/tests/dn2.c
+++ b/tests/dn2.c
@@ -64,7 +64,7 @@ static char pem[] =
"/do1TDFI0vSl5+M=\n" "-----END CERTIFICATE-----\n";
static const char *info =
- "subject `CN=www.gmx.de,O=GMX GmbH,street=Frankfurter Ring 129,L=Muenchen,ST=Bavaria,postalCode=80807,C=DE,serialNumber=HRB 144261,businessCategory=V1.0\\, Clause 5.(b),jurisdictionOfIncorporationLocalityName=Muenchen,jurisdictionOfIncorporationCountryName=DE', issuer `CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US', serial 0x48eca1e3c658be04c547c1eca67a6433, RSA key 1024 bits, signed using RSA-SHA1, activated `2008-11-13 00:00:00 UTC', expires `2009-11-13 23:59:59 UTC', pin-sha256=\"sVjloAiiqTbOeTkJWYtVweNaVPijLP/X95L96gJOSvk=\"";
+ "subject `CN=www.gmx.de,O=GMX GmbH,street=Frankfurter Ring 129,L=Muenchen,ST=Bavaria,postalCode=80807,C=DE,serialNumber=HRB 144261,businessCategory=V1.0\\, Clause 5.(b),jurisdictionOfIncorporationLocalityName=Muenchen,jurisdictionOfIncorporationCountryName=DE', issuer `CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US', serial 0x48eca1e3c658be04c547c1eca67a6433, RSA key 1024 bits, signed using RSA-SHA1 (broken!), activated `2008-11-13 00:00:00 UTC', expires `2009-11-13 23:59:59 UTC', pin-sha256=\"sVjloAiiqTbOeTkJWYtVweNaVPijLP/X95L96gJOSvk=\"";
void doit(void)
{
diff --git a/tests/mini-tdb.c b/tests/mini-tdb.c
index cbd7520670..e508eb8b9d 100644
--- a/tests/mini-tdb.c
+++ b/tests/mini-tdb.c
@@ -116,7 +116,7 @@ void doit(void)
/* verify whether the stored hash verification succeeeds */
ret = gnutls_store_commitment(TMP_FILE, NULL, "localhost", "https",
- GNUTLS_DIG_SHA1, &hash, 0, 0);
+ GNUTLS_DIG_SHA1, &hash, 0, GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN);
if (ret != 0) {
fail("commitment storage: %s\n", gnutls_strerror(ret));
goto fail;
diff --git a/tests/ocsp.c b/tests/ocsp.c
index a3b16041e2..aea1139b8e 100644
--- a/tests/ocsp.c
+++ b/tests/ocsp.c
@@ -110,6 +110,7 @@ static const gnutls_datum_t resp1 =
" Extensions:\n" \
" Nonce: 16897d913ab525a445fec9fdc2e508a4\n" \
" Signature Algorithm: RSA-SHA1\n" \
+ "warning: signed using a broken signature algorithm that can be forged.\n" \
" Signature:\n" \
" 4e:ad:6b:2b:f7:f2:bf:a9:23:1e:3a:0b:06:db:55:53\n" \
" 2b:64:54:11:32:bf:60:f7:4f:e0:8e:9b:a0:a2:4c:79\n" \
@@ -151,6 +152,7 @@ static const gnutls_datum_t resp2 =
" Next Update: Thu Sep 11 06:04:00 UTC 2014\n" \
" Extensions:\n" \
" Signature Algorithm: RSA-SHA1\n" \
+"warning: signed using a broken signature algorithm that can be forged.\n" \
" Signature:\n" \
" 6e:5e:5e:81:ff:3f:4d:c7:53:c7:1b:f3:d3:1d:dc:9a\n" \
" c7:ce:77:2c:67:56:13:98:91:02:01:76:dc:48:b2:1f\n" \
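Review bot: As far as the rendering shows, the added `"warning: signed using a broken signature algorithm that can be forged.\n"` fragment in resp2 is not indented like its neighbours nor like the identical fragment added to resp1 in the previous hunk (the `" Signature Algorithm: RSA-SHA1\n"` and `" Signature:\n"` lines around it carry the continuation indent). Being a string-literal continuation this is cosmetic, but the mismatch between two otherwise identical insertions reads as accidental; align it with the surrounding fragments. Both resp1 and resp2 start before their hunks.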
@@ -1449,7 +1451,7 @@ static void resp_verify(void)
/* check direct verify with signer (should succeed) */
- ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0);
+ ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
if (ret < 0) {
fail("gnutls_ocsp_resp_verify_direct (signer) %d\n", ret);
exit(1);
@@ -1462,7 +1464,7 @@ static void resp_verify(void)
/* check direct verify with cert (should fail) */
- ret = gnutls_ocsp_resp_verify_direct(resp, cert, &verify, 0);
+ ret = gnutls_ocsp_resp_verify_direct(resp, cert, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
if (ret < 0) {
fail("gnutls_ocsp_resp_verify_direct (cert) %d\n", ret);
exit(1);
@@ -1487,7 +1489,7 @@ static void resp_verify(void)
exit(1);
}
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
if (ret < 0) {
fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret);
exit(1);
@@ -1514,7 +1516,7 @@ static void resp_verify(void)
exit(1);
}
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
if (ret < 0) {
fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret);
exit(1);
@@ -1541,7 +1543,7 @@ static void resp_verify(void)
exit(1);
}
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
if (ret < 0) {
fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret);
exit(1);
@@ -1580,7 +1582,7 @@ static void resp_verify(void)
exit(1);
}
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
if (ret < 0) {
fail("gnutls_ocsp_resp_verify (issuer) %d\n", ret);
exit(1);
@@ -1640,7 +1642,7 @@ static void long_resp_check(void)
/* check direct verify with signer (should succeed) */
- ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0);
+ ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, GNUTLS_VERIFY_ALLOW_BROKEN);
if (ret < 0) {
fail("gnutls_ocsp_resp_verify_direct (signer) %d\n", ret);
exit(1);
diff --git a/tests/suite/chain.sh b/tests/suite/chain.sh
index d671aa89e2..d9e04bead7 100755
--- a/tests/suite/chain.sh
+++ b/tests/suite/chain.sh
@@ -50,7 +50,7 @@ while test -d X509tests/test${i}; do
find X509tests/test${i} -name I*.crt -print0 |sort -r -z|xargs -n1 --null ${VALGRIND} "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem
fi
find X509tests/test${i} -name T*.crt -print0 |sort -r -z|xargs -n1 --null ${VALGRIND} "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem
- ${VALGRIND} "${CERTTOOL}" -e --infile chains/chain${i}.pem > out
+ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile chains/chain${i}.pem > out
rc=$?
if test $rc != 0 && test $rc != 1; then
echo "Chain ${i} FATAL failure."
diff --git a/tests/suite/crl-test b/tests/suite/crl-test
index 85c40e50fb..2f52c94496 100755
--- a/tests/suite/crl-test
+++ b/tests/suite/crl-test
@@ -44,7 +44,7 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
-${DIFF} "${srcdir}/crl/long.pem" "$TMPFILE" || ${DIFF} --strip-trailing-cr "${srcdir}/crl/long.pem" $TMPFILE
+${DIFF} -I ^warning "${srcdir}/crl/long.pem" "$TMPFILE" || ${DIFF} -I ^warning --strip-trailing-cr "${srcdir}/crl/long.pem" $TMPFILE
rc=$?
if test "${rc}" != "0"; then
diff --git a/tests/suite/pkcs7-cat b/tests/suite/pkcs7-cat
index 1ddfd6bab1..602e056c68 100755
--- a/tests/suite/pkcs7-cat
+++ b/tests/suite/pkcs7-cat
@@ -38,7 +38,7 @@ check_for_datefudge
#try verification
datefudge -s "2010-10-10" \
-${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
+${VALGRIND} "${CERTTOOL}" --verify-allow-broken --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
rc=$?
if test "${rc}" = "0"; then
@@ -47,7 +47,7 @@ if test "${rc}" = "0"; then
fi
datefudge -s "2016-10-10" \
-${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
+${VALGRIND} "${CERTTOOL}" --verify-allow-broken --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
rc=$?
if test "${rc}" != "0"; then
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 0afde54ed9..d3580824a5 100644
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -2928,16 +2928,16 @@ static struct
0,
GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL, 1412850586},
{ "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2],
- 0,
+ GNUTLS_VERIFY_ALLOW_BROKEN,
GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL},
{ "amazon.com ok", verisign_com_chain_g5, &verisign_com_chain_g5[4],
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW),
+ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW),
0, NULL},
{ "verisign.com v1 fail", verisign_com_chain, &verisign_com_chain[3],
- 0,
+ GNUTLS_VERIFY_ALLOW_BROKEN,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL},
{ "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3],
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW),
+ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW),
0, NULL},
{ "verisign.com v1 not ok due to profile", verisign_com_chain, &verisign_com_chain[3],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY),
@@ -2946,23 +2946,23 @@ static struct
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH),
GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL},
{ "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2],
- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
+ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
{ "expired self signed", pem_self_cert, &pem_self_cert[0],
0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL},
{ "self signed", pem_self_cert, &pem_self_cert[0],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL},
{ "ca=false", thea_chain, &thea_chain[1],
- 0,
+ GNUTLS_VERIFY_ALLOW_BROKEN,
GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
{ "ca=false2", thea_chain, &thea_chain[1],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
+ GNUTLS_VERIFY_ALLOW_BROKEN, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
{ "hbci v1 fail", hbci_chain, &hbci_chain[2],
- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
+ GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
{ "hbci v1 ok expired", hbci_chain, &hbci_chain[2],
- 0,
+ GNUTLS_VERIFY_ALLOW_BROKEN,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL},
{ "hbci v1 ok", hbci_chain, &hbci_chain[2],
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
+ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
0, NULL},
{ "rsa-md5 fail", mayfirst_chain, &mayfirst_chain[1],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
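Review bot: The new flag is written without spaces around `|` on the `hbci v1 ok` entry (`GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DISABLE_TIME_CHECKS`) while the entries changed in the previous hunk (`amazon.com ok`, `verisign.com v1 ok`) and the rest of the table use ` | `; the same unspaced form appears in the `v1ca fail`, `v1ca ok`, `v1ca2 expired` and `v1ca2 ok` entries of the following hunks. Writing `GNUTLS_VERIFY_ALLOW_BROKEN | GNUTLS_VERIFY_DISABLE_TIME_CHECKS` keeps the table consistent. The struct array starts before the hunk.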
@@ -2976,7 +2976,7 @@ static struct
{ "rsa-md5 ok", mayfirst_chain, &mayfirst_chain[1],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0, NULL},
{ "v1ca fail", v1ca, &v1ca[2],
- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
+ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL},
{ "pathlen fail", pathlen_check, &pathlen_check[2],
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT | GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL},
@@ -2994,26 +2994,26 @@ static struct
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL},
{ "v1ca expired", v1ca, &v1ca[2],
- 0,
+ GNUTLS_VERIFY_ALLOW_BROKEN,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID , NULL},
{ "v1ca ok", v1ca, &v1ca[2],
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
+ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
0, NULL},
{ "v1ca2 expired", v1ca, &v1ca[2],
- GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,
+ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL},
{ "v1ca2 ok", v1ca, &v1ca[2],
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,
+ GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,
0, NULL},
{ "cacertrsamd5 fail", cacertrsamd5, &cacertrsamd5[2],
0, GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL},
{ "cacertrsamd5 ok", cacertrsamd5, &cacertrsamd5[2],
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0, NULL},
+ GNUTLS_VERIFY_ALLOW_BROKEN, 0, NULL},
{ "cacertrsamd5 short-cut not ok", cacertrsamd5, &cacertrsamd5[0],
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL},
{ "cacertrsamd5 short-cut ok", cacertrsamd5, &cacertrsamd5[1],
- 0, 0, NULL},
+ GNUTLS_VERIFY_ALLOW_BROKEN, 0, NULL},
{ "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH), 0, NULL},
{ "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128), 0, NULL},
{ "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
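Review bot: The `cacertrsamd5 ok` entry replaces GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 with GNUTLS_VERIFY_ALLOW_BROKEN rather than adding it, which changes what the entry exercises: it now checks that ALLOW_BROKEN accepts this MD5-signed chain, and the narrower flag is only still covered by `rsa-md5 ok` in an earlier hunk. If ALLOW_BROKEN is meant to subsume ALLOW_SIGN_RSA_MD5, a short comment on the entry, e.g. `/* ALLOW_BROKEN covers RSA-MD5 as well */`, would record the intent; otherwise keeping a second entry with the original flag preserves the previous coverage. The struct array starts before the hunk.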
@@ -3030,7 +3030,7 @@ static struct
{ "name constraints: basic dns intersection", nc_bad4, &nc_bad4[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
{ "name constraints: IP in excluded range", nc_bad5, &nc_bad5[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1469540953},
{ "name constraints: 2 constraints (dns, email), non-intuitive order", nc_bad6, &nc_bad6[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1469540953},
- { "not-modified", modified2, &modified2[3], 0, 0, NULL, 1412850586},
+ { "not-modified", modified2, &modified2[3], GNUTLS_VERIFY_ALLOW_BROKEN, 0, NULL, 1412850586},
{ "kp-interm", kp_fail1, &kp_fail1[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586},
{ "kp-fin", kp_fail2, &kp_fail2[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586},
{ "kp-ok", kp_ok, &kp_ok[3], 0, 0, GNUTLS_KP_OCSP_SIGNING, 1412850586},
diff --git a/tests/x509cert-tl.c b/tests/x509cert-tl.c
index e636ccc0a9..c1a629543a 100644
--- a/tests/x509cert-tl.c
+++ b/tests/x509cert-tl.c
@@ -320,7 +320,7 @@ void doit(void)
vdata.size = NAME_SIZE;
ret =
gnutls_x509_trust_list_verify_crt2(tl, &server_crt, 1, &vdata, 1,
- 0, &status, NULL);
+ GNUTLS_VERIFY_ALLOW_BROKEN, &status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_crt2 - 1: status: %x\n", status);
@@ -340,7 +340,7 @@ void doit(void)
fail("gnutls_x509_trust_list_add_trust_dir: %d\n", ret);
ret =
- gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0,
+ gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, GNUTLS_VERIFY_ALLOW_BROKEN,
&status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_crt\n");