Fix TLS tests with gnutls 3

When given a CA cert with basic constraints to set non-critical, and key usage of 'key signing', this should be rejected. Version of GNUTLS < 3 do not rejecte it though, so we never noticed the test case was broken Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 0204d6d7) (cherry picked from commit ec5190af)

Fix TLS tests with gnutls 3
When given a CA cert with basic constraints to set non-critical, and key usage of 'key signing', this should be rejected. Version of GNUTLS < 3 do not rejecte it though, so we never noticed the test case was broken Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 0204d6d7) (cherry picked from commit ec5190af)
bffb9448 · Daniel P. Berrange · Eric Blake · 9dc3c586 · bffb9448
隐藏空白更改
内联并排

Showing with 15 addition and 10 deletion

tests/virnettlscontexttest.c tests/virnettlscontexttest.c +15 -10

未找到文件。
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -870,15 +870,6 @@ mymain(void)
        false, false, NULL, NULL,
        0, 0,
    };
-    /* Key usage:dig-sig:not-critical */
-    static struct testTLSCertReq cacert5req = {
-        NULL, NULL, "cacert5.pem", "UK",
-        "libvirt CA 5", NULL, NULL, NULL, NULL,
-        true, true, true,
-        true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
-        false, false, NULL, NULL,
-        0, 0,
-    };

    DO_CTX_TEST(true, cacert1req, servercertreq, false);
    DO_CTX_TEST(true, cacert2req, servercertreq, false);
@@ -886,10 +877,18 @@ mymain(void)
    DO_CTX_TEST(true, cacert3req, servercertreq, false);
 # endif
    DO_CTX_TEST(true, cacert4req, servercertreq, false);
-    DO_CTX_TEST(true, cacert5req, servercertreq, false);

    /* Now some bad certs */

+    /* Key usage:dig-sig:not-critical */
+    static struct testTLSCertReq cacert5req = {
+        NULL, NULL, "cacert5.pem", "UK",
+        "libvirt CA 5", NULL, NULL, NULL, NULL,
+        true, true, true,
+        true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+        false, false, NULL, NULL,
+        0, 0,
+    };
    /* no-basic */
    static struct testTLSCertReq cacert6req = {
        NULL, NULL, "cacert6.pem", "UK",
@@ -909,6 +908,12 @@ mymain(void)
        0, 0,
    };

+    /* Technically a CA cert with basic constraints
+     * key purpose == key signing + non-critical should
+     * be rejected. GNUTLS < 3 does not reject it and
+     * we don't anticipate them changing this behaviour
+     */
+    DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
    DO_CTX_TEST(true, cacert6req, servercertreq, true);
    DO_CTX_TEST(true, cacert7req, servercertreq, true);