From 20510b6e45da4f4f28fbf0c20fe901eaa049e3c7 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 28 Mar 2014 11:06:14 +0100
Subject: Added self checks for various verification profiles
---
 tests/chainverify.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'tests')
diff --git a/tests/chainverify.c b/tests/chainverify.c
index d9d1207184..bf74ee8717 100644
--- a/tests/chainverify.c
+++ b/tests/chainverify.c
@@ -1141,8 +1141,14 @@ static struct
 0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
 { "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3],
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW),
 0 },
+ { "verisign.com v1 not ok due to profile", verisign_com_chain, &verisign_com_chain[3],
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY),
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
+ { "verisign.com v1 not ok due to profile", verisign_com_chain, &verisign_com_chain[3],
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH),
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
 { "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2], GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
 { "expired self signed", pem_self_cert, &pem_self_cert[0],
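Review bot: Both added entries are named "verisign.com v1 not ok due to profile", so a report keyed on the name field cannot say whether the LEGACY or the HIGH case failed; the second hunk repeats this with two "ecc cert ok" and two "ecc cert not ok (due to profile)" entries. Naming the profile in the string would fix it, e.g. `"verisign.com v1 not ok (profile LEGACY)"` and `"verisign.com v1 not ok (profile HIGH)"`. The existing "verisign.com v1 ok" entry was also edited in place to add `GNUTLS_PROFILE_LOW`, which drops the case that verifies this chain with `GNUTLS_VERIFY_DISABLE_TIME_CHECKS` alone; keeping the old entry next to the new one would retain coverage of verification without an explicit profile (the same applies to the replaced "ecc cert ok" line in the second hunk). The table and the loop that consumes it lie outside the hunk, so how the name is reported is inferred.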
@@ -1211,7 +1217,12 @@ static struct
 GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID },
 { "cacertrsamd5 short-cut ok", cacertrsamd5, &cacertrsamd5[1], 0, 0 },
- { "ecc cert ok", ecc_cert, &ecc_cert[1], 0, 0 },
+ { "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH), 0 },
+ { "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128), 0 },
+ { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
+ { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192),
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
 { "name constraints chain ok", nc_good, &nc_good[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0 },
 { "name constraints chain bad1", nc_bad1, &nc_bad1[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE},
 { "name constraints chain bad2", nc_bad2, &nc_bad2[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE},
-- 
cgit v1.2.1
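Review bot: Nothing near the four new ecc entries says why `ecc_cert` is expected to pass HIGH and SUITEB128 but fail ULTRA and SUITEB192, so a reader has to decode the certificate to check that the expected status values are right. A comment above the first entry would record it, e.g. `/* ecc_cert: <curve and signature hash of the test certificate>; meets HIGH and SUITEB128, below ULTRA and SUITEB192 */`. This matters for a verification self-test because a later change to the profile thresholds would otherwise look like a test bug rather than a policy change. The array these entries belong to starts and ends outside the hunk.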