|
 |
9bef94 |
From c2409e479df41620bceac314c76cabb1d35a4075 Mon Sep 17 00:00:00 2001
|
|
|
9bef94 |
From: Daiki Ueno <ueno@gnu.org>
|
|
|
9bef94 |
Date: Mon, 3 May 2021 16:35:43 +0200
|
|
|
9bef94 |
Subject: [PATCH] x509/verify: treat SHA-1 signed CA in the trusted set
|
|
|
9bef94 |
differently
|
|
|
9bef94 |
MIME-Version: 1.0
|
|
|
9bef94 |
Content-Type: text/plain; charset=UTF-8
|
|
|
9bef94 |
Content-Transfer-Encoding: 8bit
|
|
|
9bef94 |
|
|
|
9bef94 |
Suppose there is a certificate chain ending with an intermediate CA:
|
|
|
9bef94 |
EE → ICA1 → ICA2. If the system trust store contains a root CA
|
|
|
9bef94 |
generated with the same key as ICA2 but signed with a prohibited
|
|
|
9bef94 |
algorithm, such as SHA-1, the library previously reported a
|
|
|
9bef94 |
verification failure, though the situation is not uncommon during a
|
|
|
9bef94 |
transition period of root CA.
|
|
|
9bef94 |
|
|
|
9bef94 |
This changes the library behavior such that the check on signature
|
|
|
9bef94 |
algorithm will be skipped when examining the trusted root CA.
|
|
|
9bef94 |
|
|
|
9bef94 |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
9bef94 |
---
|
|
|
9bef94 |
lib/x509/verify.c | 26 ++++---
|
|
|
9bef94 |
tests/test-chains.h | 165 ++++++++++++++++++++++++++++++++++++++++++++
|
|
|
9bef94 |
2 files changed, 182 insertions(+), 9 deletions(-)
|
|
|
9bef94 |
|
|
|
9bef94 |
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
|
|
|
9bef94 |
index fd7c6a164..a50b5ea44 100644
|
|
|
9bef94 |
--- a/lib/x509/verify.c
|
|
|
9bef94 |
+++ b/lib/x509/verify.c
|
|
|
9bef94 |
@@ -415,14 +415,19 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
|
|
|
9bef94 |
#define CASE_SEC_PARAM(profile, level) \
|
|
|
9bef94 |
case profile: \
|
|
|
9bef94 |
sym_bits = gnutls_sec_param_to_symmetric_bits(level); \
|
|
|
9bef94 |
- hash = gnutls_sign_get_hash_algorithm(sigalg); \
|
|
|
9bef94 |
- entry = mac_to_entry(hash); \
|
|
|
9bef94 |
- if (hash <= 0 || entry == NULL) { \
|
|
|
9bef94 |
+ se = _gnutls_sign_to_entry(sigalg); \
|
|
|
9bef94 |
+ if (unlikely(se == NULL)) { \
|
|
|
9bef94 |
+ _gnutls_cert_log("cert", crt); \
|
|
|
9bef94 |
+ _gnutls_debug_log(#level": certificate's signature algorithm is unknown\n"); \
|
|
|
9bef94 |
+ return gnutls_assert_val(0); \
|
|
|
9bef94 |
+ } \
|
|
|
9bef94 |
+ if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) { \
|
|
|
9bef94 |
_gnutls_cert_log("cert", crt); \
|
|
|
9bef94 |
_gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
|
|
|
9bef94 |
return gnutls_assert_val(0); \
|
|
|
9bef94 |
} \
|
|
|
9bef94 |
- if (_gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
|
|
|
9bef94 |
+ if (!trusted && \
|
|
|
9bef94 |
+ _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
|
|
|
9bef94 |
_gnutls_cert_log("cert", crt); \
|
|
|
9bef94 |
_gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", _gnutls_sign_get_hash_strength(sigalg), sym_bits); \
|
|
|
9bef94 |
return gnutls_assert_val(0); \
|
|
|
9bef94 |
@@ -449,19 +454,22 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
|
|
|
9bef94 |
* @crt: a certificate
|
|
|
9bef94 |
* @issuer: the certificates issuer (allowed to be NULL)
|
|
|
9bef94 |
* @sigalg: the signature algorithm used
|
|
|
9bef94 |
+ * @trusted: whether @crt is treated as trusted (e.g., present in the system
|
|
|
9bef94 |
+ * trust list); if it is true, the check on signature algorithm will
|
|
|
9bef94 |
+ * be skipped
|
|
|
9bef94 |
* @flags: the specified verification flags
|
|
|
9bef94 |
*/
|
|
|
9bef94 |
static unsigned is_level_acceptable(
|
|
|
9bef94 |
gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
|
|
|
9bef94 |
- gnutls_sign_algorithm_t sigalg, unsigned flags)
|
|
|
9bef94 |
+ gnutls_sign_algorithm_t sigalg, bool trusted,
|
|
|
9bef94 |
+ unsigned flags)
|
|
|
9bef94 |
{
|
|
|
9bef94 |
gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
|
|
|
9bef94 |
- const mac_entry_st *entry;
|
|
|
9bef94 |
int issuer_pkalg = 0, pkalg, ret;
|
|
|
9bef94 |
unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
|
|
|
9bef94 |
gnutls_pk_params_st params;
|
|
|
9bef94 |
gnutls_sec_param_t sp;
|
|
|
9bef94 |
- int hash;
|
|
|
9bef94 |
+ const gnutls_sign_entry_st *se;
|
|
|
9bef94 |
gnutls_certificate_verification_profiles_t min_profile;
|
|
|
9bef94 |
|
|
|
9bef94 |
min_profile = _gnutls_get_system_wide_verification_profile();
|
|
|
9bef94 |
@@ -798,7 +806,7 @@ verify_crt(gnutls_x509_crt_t cert,
|
|
|
9bef94 |
}
|
|
|
9bef94 |
|
|
|
9bef94 |
if (sigalg >= 0 && se) {
|
|
|
9bef94 |
- if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
|
|
|
9bef94 |
+ if (is_level_acceptable(cert, issuer, sigalg, false, flags) == 0) {
|
|
|
9bef94 |
MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
|
|
|
9bef94 |
}
|
|
|
9bef94 |
|
|
|
9bef94 |
@@ -893,7 +901,7 @@ unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
|
|
|
9bef94 |
|
|
|
9bef94 |
/* we explicitly allow CAs which we do not support their self-algorithms
|
|
|
9bef94 |
* to pass. */
|
|
|
9bef94 |
- if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) {
|
|
|
9bef94 |
+ if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, true, flags)) {
|
|
|
9bef94 |
status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID;
|
|
|
9bef94 |
}
|
|
|
9bef94 |
|
|
|
9bef94 |
diff --git a/tests/test-chains.h b/tests/test-chains.h
|
|
|
9bef94 |
index 9b06b85f5..64f50fabf 100644
|
|
|
9bef94 |
--- a/tests/test-chains.h
|
|
|
9bef94 |
+++ b/tests/test-chains.h
|
|
|
9bef94 |
@@ -4106,6 +4106,163 @@ static const char *superseding_ca[] = {
|
|
|
9bef94 |
NULL
|
|
|
9bef94 |
};
|
|
|
9bef94 |
|
|
|
9bef94 |
+static const char *rsa_sha1_in_trusted[] = {
|
|
|
9bef94 |
+ "-----BEGIN CERTIFICATE-----\n"
|
|
|
9bef94 |
+ "MIID0jCCAoqgAwIBAgIUezaBB7f4TW75oc3UV57oJvXmbBYwDQYJKoZIhvcNAQEL\n"
|
|
|
9bef94 |
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyNzIxWhcN\n"
|
|
|
9bef94 |
+ "MjIwNTAzMTQyNzIxWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
|
|
|
9bef94 |
+ "BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
|
|
|
9bef94 |
+ "AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
|
|
|
9bef94 |
+ "dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
|
|
|
9bef94 |
+ "Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
|
|
|
9bef94 |
+ "mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
|
|
|
9bef94 |
+ "+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
|
|
|
9bef94 |
+ "CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
|
|
|
9bef94 |
+ "ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
|
|
|
9bef94 |
+ "MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
|
|
|
9bef94 |
+ "ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
|
|
|
9bef94 |
+ "GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
|
|
|
9bef94 |
+ "AAOCATEAXs8lOV231HQerhSGEjZJz0vBuA3biKYlu3cwCTKvF6EOyYMSWOnfqqD0\n"
|
|
|
9bef94 |
+ "eDhpo1pzGtUa2zYLHagb+sU2NSTe0sqP+PK1giUg8X8/tRtWKk1p/m76yK/3iaty\n"
|
|
|
9bef94 |
+ "flgz+eMai4xQu2FvAJzIASFjM9R+Pgpcf/zdvkiUPv8Rdm9FieyAZnJSo9hJHLxN\n"
|
|
|
9bef94 |
+ "x60tfC5yyswdbGGW0GbJ2kr+xMfVZvxgO/x6AXlOaUGQ+jZAu9eJwFQMDW5h5/S1\n"
|
|
|
9bef94 |
+ "PJkIt7f7jkU33cG+BawcjhT0GzxuvDnnCG0L7/z7bR+Sw2kNKqHbHorzv91R20Oh\n"
|
|
|
9bef94 |
+ "CIISJPkiiP+mYcglTp1d9gw09GwSkGbldb9ibfc0hKyxiImFfIiTqDbXJcpKH98o\n"
|
|
|
9bef94 |
+ "W8hWkb20QURlY+QM5MD49znfhPKMTQ==\n"
|
|
|
9bef94 |
+ "-----END CERTIFICATE-----\n",
|
|
|
9bef94 |
+ "-----BEGIN CERTIFICATE-----\n"
|
|
|
9bef94 |
+ "MIID2TCCAkGgAwIBAgIUWsb4DATcefXbo0WrBfgqVMvPGawwDQYJKoZIhvcNAQEL\n"
|
|
|
9bef94 |
+ "BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI2\n"
|
|
|
9bef94 |
+ "MzVaFw0yMjA1MDMxNDI2MzVaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
|
|
|
9bef94 |
+ "UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
|
|
|
9bef94 |
+ "g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
|
|
|
9bef94 |
+ "EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
|
|
|
9bef94 |
+ "cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
|
|
|
9bef94 |
+ "sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
|
|
|
9bef94 |
+ "67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
|
|
|
9bef94 |
+ "CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
|
|
|
9bef94 |
+ "AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
|
|
|
9bef94 |
+ "BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
|
|
|
9bef94 |
+ "GctysPWxl+SfMA0GCSqGSIb3DQEBCwUAA4IBgQBbboeDr/rLT1tZWrdHq8FvflGm\n"
|
|
|
9bef94 |
+ "EpxZIRU4DdDD/SUCWSPQvjBq0MvuKxs5FfJCKrDf2kS2qlZ1rO0AuWwREoDeTOEc\n"
|
|
|
9bef94 |
+ "arjFoCry+JQ+USqS5F4gsp4XlYvli27iMp3dlnhFXEQQy7/y+gM5c9wnMi8v/LUz\n"
|
|
|
9bef94 |
+ "AV6QHX0fkb4XeazeJ+Nq0EkjqiYxylN6mP+5LAEMBG/wGviAoviQ5tN9zdoQs/nT\n"
|
|
|
9bef94 |
+ "3jTw3cOauuPjdcOTfo71+/MtBzhPchgNIyQo4aB40XVWsLAoruL/3CFFlTniihtd\n"
|
|
|
9bef94 |
+ "zA2zA7JvbuuKx6BOv2IbWOUweb732ZpYbDgEcXp/6Cj/SIUGxidpEgdCJGqyqdC7\n"
|
|
|
9bef94 |
+ "b58ujxclC6QTcicw+SX5LBox8WGLfj+x+V3uVBz9+EK608xphTj4kLh9peII9v3n\n"
|
|
|
9bef94 |
+ "vBUoZRTiUTCvH4AJJgAfa3mYrSxzueuqBOwXcvZ+8OJ0J1CP21pmK5nxR7f1nm9Q\n"
|
|
|
9bef94 |
+ "sYA1VHfC2dtyAYlByeF5iHl5hFR6vy1jJyzxg2M=\n"
|
|
|
9bef94 |
+ "-----END CERTIFICATE-----\n",
|
|
|
9bef94 |
+ NULL
|
|
|
9bef94 |
+};
|
|
|
9bef94 |
+
|
|
|
9bef94 |
+static const char *rsa_sha1_in_trusted_ca[] = {
|
|
|
9bef94 |
+ /* This CA is generated with the same key as rsa_sha1_in_trusted[1], but
|
|
|
9bef94 |
+ * self-signed using SHA-1.
|
|
|
9bef94 |
+ */
|
|
|
9bef94 |
+ "-----BEGIN CERTIFICATE-----\n"
|
|
|
9bef94 |
+ "MIIDYzCCAhugAwIBAgIUahO8CvYPHTAltKCC2rAIcXUiLlAwDQYJKoZIhvcNAQEF\n"
|
|
|
9bef94 |
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyMDM1WhcN\n"
|
|
|
9bef94 |
+ "MjIwNTAzMTQyMDM1WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCCAVIwDQYJ\n"
|
|
|
9bef94 |
+ "KoZIhvcNAQEBBQADggE/ADCCAToCggExAJzkQrF9bp5f/38tnddOeF3biIP9wqlQ\n"
|
|
|
9bef94 |
+ "Wk9x3GuuUhKA8IdCoj7UKDoGS3SmNnKGxrP6I2LTo3LNCp5T2HZrYxIelhIbiVPe\n"
|
|
|
9bef94 |
+ "b+E0HQuDizIhOeniBqtudoWQGx6Ey/OENeA8UFhrs0CvN9Ippe328NlnCHEUPLxR\n"
|
|
|
9bef94 |
+ "rPEs318Ot/jCOhauojAECKj9PFsxpkUcy+cLwoj4QlZKz5sG16AAbm+gALGMFjyQ\n"
|
|
|
9bef94 |
+ "fdTPf5ceYBR+ZPf4j34t7NioNxfDDnKaahWI8Q0p7H4s+njIdfm2FSAKN+u7xlWB\n"
|
|
|
9bef94 |
+ "4oFzBGQthXs5cCB2mc6RKBZWN2uyxSdNMq40PddK/FBPghDE2MxONA9KJQjKOxQP\n"
|
|
|
9bef94 |
+ "UQo3jt21CKGGiHVU1BlhBh1knqMRnovRpJurvgEo/H/otI8XQ9ql7HsCAwEAAaND\n"
|
|
|
9bef94 |
+ "MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQe\n"
|
|
|
9bef94 |
+ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQUFAAOCATEAYLm/4DfUp+mA\n"
|
|
|
9bef94 |
+ "S/23a2bwybJoPCMzKZpi+veXkqoq/a/BCUkFpqnjpVjz0ujVKK121oeOPBAa/mG1\n"
|
|
|
9bef94 |
+ "Y3fJYP+b3PloL/6xj/8680TveGirCr0Rp/8XWa8lt+Ge8DM3mfTGWFTWHa0lD9VK\n"
|
|
|
9bef94 |
+ "gjV1oNZNLe5SKA6dJLAp/NjCxc/vuOkThQPeaoO5Iy/Z6m7CpTLO7T4syJFtDmSn\n"
|
|
|
9bef94 |
+ "Pa/yFUDTgJYFlGVM+KC1r8bhZ6Ao1CAXTcT5Lcbe/aCcyk6B3J2AnYsqPMVNEVhb\n"
|
|
|
9bef94 |
+ "9eMGO/WG24hMLy6eb1r/yL8uQ/uGi2rRlNJN8GTg09YR7l5fHrHxuHc/sme0jsnJ\n"
|
|
|
9bef94 |
+ "wtqGLCJsrh7Ae1fKVUueO00Yx9BGuzLswMvnT5f0oYs0jrXgMrTbIWS/DjOcYIHb\n"
|
|
|
9bef94 |
+ "w3SV1ZRcNg==\n"
|
|
|
9bef94 |
+ "-----END CERTIFICATE-----\n",
|
|
|
9bef94 |
+ NULL
|
|
|
9bef94 |
+};
|
|
|
9bef94 |
+
|
|
|
9bef94 |
+static const char *rsa_sha1_not_in_trusted[] = {
|
|
|
9bef94 |
+ "-----BEGIN CERTIFICATE-----\n"
|
|
|
9bef94 |
+ "MIID0jCCAoqgAwIBAgIUNCvPV9OvyuVMtnkC3ZAvh959h4MwDQYJKoZIhvcNAQEL\n"
|
|
|
9bef94 |
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTA0MDg0NzAzWhcN\n"
|
|
|
9bef94 |
+ "MjIwNTA0MDg0NzAzWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
|
|
|
9bef94 |
+ "BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
|
|
|
9bef94 |
+ "AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
|
|
|
9bef94 |
+ "dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
|
|
|
9bef94 |
+ "Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
|
|
|
9bef94 |
+ "mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
|
|
|
9bef94 |
+ "+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
|
|
|
9bef94 |
+ "CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
|
|
|
9bef94 |
+ "ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
|
|
|
9bef94 |
+ "MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
|
|
|
9bef94 |
+ "ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
|
|
|
9bef94 |
+ "GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
|
|
|
9bef94 |
+ "AAOCATEAWs/Qa1Ebydwo4Ke2KEdy5cUTSZjnoz93XpbrP9W60MJ4d2DIQPcYUcLF\n"
|
|
|
9bef94 |
+ "+glez+mRtVXDRtH5V/4yZX1EdgrPVQGeVlO5HbNiYyYw/Yj3H6kzWtUbBxdOAOE/\n"
|
|
|
9bef94 |
+ "/ul8RCKKMfvYBHCBgjBMW0aFm31Q1Z8m8nanBusyJ0DG1scBHu4/3vTCZthZAxc5\n"
|
|
|
9bef94 |
+ "3l3t/jjsNRS+k5t6Ay8nEY1tAZSGVqN8qufzO2NBO06sQagp09FTfDh581OBcVtF\n"
|
|
|
9bef94 |
+ "X7O0cffAWHk3JoywzEWFEAhVPqFlk07wG2O+k+fYZfavsJko5q+yWkxu8RDh4wAx\n"
|
|
|
9bef94 |
+ "7UzKudGOQ+NhfYJ7N7V1/RFg1z75gE3GTUX7qmGZEVDOsMyiuUeYg8znyYpBV55Q\n"
|
|
|
9bef94 |
+ "4BNr0ukwmwOdvUf+ksCu6PdOGaqThA==\n"
|
|
|
9bef94 |
+ "-----END CERTIFICATE-----\n",
|
|
|
9bef94 |
+ /* ICA with SHA1 signature */
|
|
|
9bef94 |
+ "-----BEGIN CERTIFICATE-----\n"
|
|
|
9bef94 |
+ "MIID2TCCAkGgAwIBAgIUYaKJkQft87M1TF+Jd30py3yIq4swDQYJKoZIhvcNAQEF\n"
|
|
|
9bef94 |
+ "BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDQwODQ1\n"
|
|
|
9bef94 |
+ "NDdaFw0yMjA1MDQwODQ1NDdaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
|
|
|
9bef94 |
+ "UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
|
|
|
9bef94 |
+ "g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
|
|
|
9bef94 |
+ "EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
|
|
|
9bef94 |
+ "cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
|
|
|
9bef94 |
+ "sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
|
|
|
9bef94 |
+ "67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
|
|
|
9bef94 |
+ "CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
|
|
|
9bef94 |
+ "AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
|
|
|
9bef94 |
+ "BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
|
|
|
9bef94 |
+ "GctysPWxl+SfMA0GCSqGSIb3DQEBBQUAA4IBgQAewBcAGUGX28I5PDtuJkxoHonD\n"
|
|
|
9bef94 |
+ "muHdXpYnrz1YXN4b7odNXockz++Xovgj126fo+PeWgmaaCic98ZcGnyVTi9+3oqN\n"
|
|
|
9bef94 |
+ "2Bf4NNfyzSccgZZTphzbwjMcnc983HLQgsLSAOVivPHj5GEN58EWWamc9yA0VjGn\n"
|
|
|
9bef94 |
+ "cuYmFN2dlFA8/ClEbVGu3UXBe6OljR5zUr+6oiSp2J+Rl7SerVSHlst07iU2tkeB\n"
|
|
|
9bef94 |
+ "dlfOD5CquUGSka3SKvEfvu5SwYrCQVfYB6eMLInm7A0/ca0Jn3Oh4fMf2rIg/E3K\n"
|
|
|
9bef94 |
+ "qsopxsu8BXrLoGK4MxbxPA65JpczhZgilQQi3e3RIvxrvyD2qamjaNbyG5cr8mW4\n"
|
|
|
9bef94 |
+ "VOLf3vUORbkTi5sE7uRMu2B3z3N7ajsuQM8RHB17hOCB2FO/8rermq/oeJNtx57L\n"
|
|
|
9bef94 |
+ "5s5NxCHYTksQ4gkpR4gfTIO/zwXJSwGa/Zi2y2wIi/1qr7lppBsKV2rDWX7QiIeA\n"
|
|
|
9bef94 |
+ "PxOxyJA2eSeqCorz9vk3aHXleSpxsWGgKiJVmV0=\n"
|
|
|
9bef94 |
+ "-----END CERTIFICATE-----\n",
|
|
|
9bef94 |
+ NULL
|
|
|
9bef94 |
+};
|
|
|
9bef94 |
+
|
|
|
9bef94 |
+static const char *rsa_sha1_not_in_trusted_ca[] = {
|
|
|
9bef94 |
+ "-----BEGIN CERTIFICATE-----\n"
|
|
|
9bef94 |
+ "MIIEDTCCAnWgAwIBAgIUd5X8NZput+aNPEd9h92r4KAu16MwDQYJKoZIhvcNAQEL\n"
|
|
|
9bef94 |
+ "BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI1\n"
|
|
|
9bef94 |
+ "MDNaFw0yMjA1MDMxNDI1MDNaMB4xHDAaBgNVBAMTE0dudVRMUyB0ZXN0IHJvb3Qg\n"
|
|
|
9bef94 |
+ "Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCsFAaMb/iRN+OFqQNh\n"
|
|
|
9bef94 |
+ "OkkXGZlb+eLerLuB9ELnYwyLIh4MTXh0RjFZdCQLsQHfY/YFv0C50rmoXTA/d3Ef\n"
|
|
|
9bef94 |
+ "K/P243KjX0XBWjO9TBuN0zth50eq94zf69yxA/a+kmT+O5YLfhi2ELM5F3IjOUoZ\n"
|
|
|
9bef94 |
+ "lL0IGlFJwauAkaNylp/Evd5nW7g5DUJvMm4A3RXNfZt9gAD4lPRwryQq9jxT48Xu\n"
|
|
|
9bef94 |
+ "fB0kAPEG/l/Izbz2rYin5+nySL+a0CSNuEbITxidtMhveB747oR0QS2sMQKji1ur\n"
|
|
|
9bef94 |
+ "pRJ945SHiYJIgVuFAJc9StikSyIrxZgK45kAzcQAyRWWKiMNH5PprGFYJp+ypwhm\n"
|
|
|
9bef94 |
+ "1t8Bphj2RFJAG3XRRZF/9uJIYc5mEHCsZFZ/IFRaKqyN30kAUijgNt+lW5mZXVFU\n"
|
|
|
9bef94 |
+ "aqzV2zHjSG8jsGdia3cfBP46Z1q2eAh5jOCucTq1F7qZdVhOFmP9jFE6Uy5Kbwgc\n"
|
|
|
9bef94 |
+ "kNAnsEllQeJQL2odVa7woKkZZ4M/c72X5tpBU38Rs3krn3sCAwEAAaNDMEEwDwYD\n"
|
|
|
9bef94 |
+ "VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKVNENacW\n"
|
|
|
9bef94 |
+ "S/gFtxnLcrD1sZfknzANBgkqhkiG9w0BAQsFAAOCAYEAaZMV71mZ9FYoVdpho61h\n"
|
|
|
9bef94 |
+ "WWPs5GppQLJ1w70DNtGZ+lFrk/KopeDvOu1i61QLWRzcZCZMl+npiX1KH5kjVo3v\n"
|
|
|
9bef94 |
+ "C9G8kdMW6EVRk5p6qCJMPFN2U+grMMp50aY5kmw+/v+Lhk5T/VG93l63P91FkUre\n"
|
|
|
9bef94 |
+ "o8qhOudJExoUnR1uB9M6HMAxVn8Lm/N1LGPiP6A6Pboo716H7mg/A7pv9zoZ6jUp\n"
|
|
|
9bef94 |
+ "7x693mA/b3I/QpDx/nJcmcdqxgEuW+aRlFXgnYZRFAawxi+5M9EwCWbkSTO4OMHP\n"
|
|
|
9bef94 |
+ "Qlvak3tJO+wb92b0cICOOtzIPgQ+caiLg9d0FvesALmQzDmNmtqynoO85+Ia2Ywh\n"
|
|
|
9bef94 |
+ "nxKPlpeImhLN9nGl9sOeW2m4mnA5r0h1vgML4v/MWL4TQhXallc31uFNj5HyFaTh\n"
|
|
|
9bef94 |
+ "6Mr0g3GeQgN0jpT+aIOiKuW9fLts54+Ntj1NN40slqi3Y+/Yd6xhj+NgmbRvybZu\n"
|
|
|
9bef94 |
+ "tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
|
|
|
9bef94 |
+ "-----END CERTIFICATE-----\n",
|
|
|
9bef94 |
+ NULL
|
|
|
9bef94 |
+};
|
|
|
9bef94 |
+
|
|
|
9bef94 |
#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
|
|
|
9bef94 |
# pragma GCC diagnostic push
|
|
|
9bef94 |
# pragma GCC diagnostic ignored "-Wunused-variable"
|
|
|
9bef94 |
@@ -4275,6 +4432,14 @@ static struct
|
|
|
9bef94 |
{ "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
|
|
|
9bef94 |
0, NULL, 1584352960, 1},
|
|
|
9bef94 |
{ "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
|
|
|
9bef94 |
+ { "rsa-sha1 in trusted - ok",
|
|
|
9bef94 |
+ rsa_sha1_in_trusted, rsa_sha1_in_trusted_ca,
|
|
|
9bef94 |
+ GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
|
|
|
9bef94 |
+ 0, NULL, 1620052390, 1},
|
|
|
9bef94 |
+ { "rsa-sha1 not in trusted - not ok",
|
|
|
9bef94 |
+ rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
|
|
|
9bef94 |
+ GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
|
|
|
9bef94 |
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
|
|
|
9bef94 |
{ NULL, NULL, NULL, 0, 0}
|
|
|
9bef94 |
};
|
|
|
9bef94 |
|
|
|
9bef94 |
--
|
|
|
9bef94 |
2.31.1
|
|
|
9bef94 |
|