From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
When given a CA cert with basic constraints to set non-critical, and key usage of 'key signing', this should be rejected. Version of GNUTLS < 3 do not rejecte it though, so we never noticed the test case was broken
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
(cherry picked from commit 0204d6d7a0519377b2e6bc296b00328cd748f55d)
---
 tests/virnettlscontexttest.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index e745487..78063a3 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -870,15 +870,6 @@ mymain(void)
 false, false, NULL, NULL,
 0, 0,
 };
- /* Key usage:dig-sig:not-critical */
- static struct testTLSCertReq cacert5req = {
- NULL, NULL, "cacert5.pem", "UK",
- "libvirt CA 5", NULL, NULL, NULL, NULL,
- true, true, true,
- true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
- false, false, NULL, NULL,
- 0, 0,
- };
 DO_CTX_TEST(true, cacert1req, servercertreq, false);
 DO_CTX_TEST(true, cacert2req, servercertreq, false);
@@ -886,10 +877,18 @@ mymain(void)
 DO_CTX_TEST(true, cacert3req, servercertreq, false);
 # endif
 DO_CTX_TEST(true, cacert4req, servercertreq, false);
- DO_CTX_TEST(true, cacert5req, servercertreq, false);
 /* Now some bad certs */
+ /* Key usage:dig-sig:not-critical */
+ static struct testTLSCertReq cacert5req = {
+ NULL, NULL, "cacert5.pem", "UK",
+ "libvirt CA 5", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+ false, false, NULL, NULL,
+ 0, 0,
+ };
 /* no-basic */
 static struct testTLSCertReq cacert6req = {
 NULL, NULL, "cacert6.pem", "UK",
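Review bot: The comment carried over with the relocated `cacert5req` definition, `/* Key usage:dig-sig:not-critical */`, only names the encoding and no longer explains why this CA now lives under "Now some bad certs"; a reader auditing the negative cases has to cross-reference the later DO_CTX_TEST comment to learn the intent. Suggest replacing it with `/* CA cert whose non-critical keyUsage is digitalSignature only (no keyCertSign): must not be accepted as an issuer */`. The positional initializer (`true, true, true,` / `true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,`) makes it hard to see from the hunk which booleans are the basicConstraints/CA/critical flags, so that reading of the fields is inferred from the comment rather than visible here; designated initializers would make such security test fixtures auditable, though that is a wider change than this commit. The enclosing mymain() begins and ends outside this hunk.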
@@ -909,6 +908,12 @@ mymain(void)
 0, 0,
 };
+ /* Technically a CA cert with basic constraints
+ * key purpose == key signing + non-critical should
+ * be rejected. GNUTLS < 3 does not reject it and
+ * we don't anticipate them changing this behaviour
+ */
+ DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
 DO_CTX_TEST(true, cacert6req, servercertreq, true);
 DO_CTX_TEST(true, cacert7req, servercertreq, true);
--
1.8.3.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
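Review bot: The new comment describes the fixture as `key purpose == key signing`, but cacert5req is built with `GNUTLS_KEY_DIGITAL_SIGNATURE` (its own comment says `Key usage:dig-sig`), so the property under test is a CA whose keyUsage lacks keyCertSign, not one that has it; "key purpose" is also GnuTLS's term for extended key usage, which this test does not set. Suggest rewording the middle lines to `* keyUsage == digitalSignature only (no keyCertSign), non-critical,` / `* must be rejected (RFC 5280 4.2.1.3). GNUTLS < 3 does not reject it and`. Separately, passing `GNUTLS_VERSION_MAJOR >= 3` as the expected-failure flag means that on a GnuTLS 2.x build the test asserts that this invalid CA is accepted, which pins the lax behaviour as correct and will start failing if any 2.x build ever gains the check; if the harness has a way to skip a case, skipping on `GNUTLS_VERSION_MAJOR < 3` would be safer than asserting acceptance, though no such facility is visible in this hunk. The enclosing mymain() begins and ends outside this hunk.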