From: "Daniel P. Berrange" <berrange(a)redhat.com>
When given a CA cert with basic constraints set to non-critical,
and key usage of 'key signing', this should be rejected. Versions
of GNUTLS < 3 do not reject it though, so we never noticed the
test case was broken
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
tests/virnettlscontexttest.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index 3df8a70..f53ea0e 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -873,15 +873,6 @@ mymain(void)
false, false, NULL, NULL,
0, 0,
};
- /* Key usage:dig-sig:not-critical */
- static struct testTLSCertReq cacert5req = {
- NULL, NULL, "cacert5.pem", "UK",
- "libvirt CA 5", NULL, NULL, NULL, NULL,
- true, true, true,
- true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
- false, false, NULL, NULL,
- 0, 0,
- };
DO_CTX_TEST(true, cacert1req, servercertreq, false);
DO_CTX_TEST(true, cacert2req, servercertreq, false);
@@ -889,10 +880,18 @@ mymain(void)
DO_CTX_TEST(true, cacert3req, servercertreq, false);
# endif
DO_CTX_TEST(true, cacert4req, servercertreq, false);
- DO_CTX_TEST(true, cacert5req, servercertreq, false);
/* Now some bad certs */
+ /* Key usage:dig-sig:not-critical */
+ static struct testTLSCertReq cacert5req = {
+ NULL, NULL, "cacert5.pem", "UK",
+ "libvirt CA 5", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+ false, false, NULL, NULL,
+ 0, 0,
+ };
/* no-basic */
static struct testTLSCertReq cacert6req = {
NULL, NULL, "cacert6.pem", "UK",
@@ -912,6 +911,16 @@ mymain(void)
0, 0,
};
+ /* Technically a CA cert with basic constraints
+ * key purpose == key signing + non-critical should
+ * be rejected. GNUTLS < 3 does not reject it and
+ * we don't anticipate them changing this behaviour
+ */
+# if GNUTLS_VERSION_MAJOR >= 3
+ DO_CTX_TEST(true, cacert5req, servercertreq, true);
+# else
+ DO_CTX_TEST(true, cacert5req, servercertreq, false);
+# endif
DO_CTX_TEST(true, cacert6req, servercertreq, true);
DO_CTX_TEST(true, cacert7req, servercertreq, true);
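Review bot: The new comment above the `# if GNUTLS_VERSION_MAJOR >= 3` block describes the certificate as "key purpose == key signing", but the cacert5req initializer in the previous hunk sets `GNUTLS_KEY_DIGITAL_SIGNATURE` and is labelled `/* Key usage:dig-sig:not-critical */`, so the comment names both the wrong extension (key purpose is the extended-key-usage term) and the wrong usage bit. What makes this CA cert invalid as an issuer is that its keyUsage extension asserts only digitalSignature and omits keyCertSign, which a CA carrying a keyUsage extension must assert; a comment stating that is what a reader needs to understand why the expected result flips to `true`. Suggested wording for the first two lines: `/* A CA cert whose keyUsage asserts only digitalSignature (no keyCertSign)` / ` * must be rejected as an issuer; GNUTLS < 3 does not reject it and`, keeping the existing closing sentence. The enclosing mymain() starts and ends outside this hunk.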
--
1.8.1.2