[v0.9.12-maint 5/5] Fix TLS tests with gnutls 3

Eric Blake <eblake@xxxxxxxxxx> · Wed, 18 Sep 2013 21:09:37 -0600

From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

When given a CA cert with basic constraints to set non-critical,
and key usage of 'key signing', this should be rejected. Version
of GNUTLS < 3 do not rejecte it though, so we never noticed the
test case was broken

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
(cherry picked from commit 0204d6d7a0519377b2e6bc296b00328cd748f55d)
---
 tests/virnettlscontexttest.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index e745487..78063a3 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -870,15 +870,6 @@ mymain(void)
         false, false, NULL, NULL,
         0, 0,
     };
-    /* Key usage:dig-sig:not-critical */
-    static struct testTLSCertReq cacert5req = {
-        NULL, NULL, "cacert5.pem", "UK",
-        "libvirt CA 5", NULL, NULL, NULL, NULL,
-        true, true, true,
-        true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
-        false, false, NULL, NULL,
-        0, 0,
-    };

     DO_CTX_TEST(true, cacert1req, servercertreq, false);
     DO_CTX_TEST(true, cacert2req, servercertreq, false);
@@ -886,10 +877,18 @@ mymain(void)
     DO_CTX_TEST(true, cacert3req, servercertreq, false);
 # endif
     DO_CTX_TEST(true, cacert4req, servercertreq, false);
-    DO_CTX_TEST(true, cacert5req, servercertreq, false);

     /* Now some bad certs */

+    /* Key usage:dig-sig:not-critical */
+    static struct testTLSCertReq cacert5req = {
+        NULL, NULL, "cacert5.pem", "UK",
+        "libvirt CA 5", NULL, NULL, NULL, NULL,
+        true, true, true,
+        true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+        false, false, NULL, NULL,
+        0, 0,
+    };
     /* no-basic */
     static struct testTLSCertReq cacert6req = {
         NULL, NULL, "cacert6.pem", "UK",
@@ -909,6 +908,12 @@ mymain(void)
         0, 0,
     };

+    /* Technically a CA cert with basic constraints
+     * key purpose == key signing + non-critical should
+     * be rejected. GNUTLS < 3 does not reject it and
+     * we don't anticipate them changing this behaviour
+     */
+    DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
     DO_CTX_TEST(true, cacert6req, servercertreq, true);
     DO_CTX_TEST(true, cacert7req, servercertreq, true);

-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list







