When given a CA cert with basic constraints to set non-critical, and key usage of 'key signing', this should be rejected. Version of GNUTLS < 3 do not rejecte it though, so we never noticed the test case was broken
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> ---
+ /* Technically a CA cert with basic constraints + * key purpose == key signing + non-critical should + * be rejected. GNUTLS < 3 does not reject it and + * we don't anticipate them changing this behaviour + */ +# if GNUTLS_VERSION_MAJOR >= 3 + DO_CTX_TEST(true, cacert5req, servercertreq, true); +# else + DO_CTX_TEST(true, cacert5req, servercertreq, false); +# endif
To avoid the #if, you could write this as: DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3); ACK with that tweak. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org