]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added self checks for various verification profiles
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 28 Mar 2014 10:06:14 +0000 (11:06 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 28 Mar 2014 10:06:14 +0000 (11:06 +0100)
tests/chainverify.c

index d9d120718415ef689037aa6de97433692337f214..bf74ee8717384465f91a83083aa517404d8e07a2 100644 (file)
@@ -1141,8 +1141,14 @@ static struct
     0,
     GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
   { "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3],
-    GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW),
     0 },
+  { "verisign.com v1 not ok due to profile", verisign_com_chain, &verisign_com_chain[3],
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY),
+    GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
+  { "verisign.com v1 not ok due to profile", verisign_com_chain, &verisign_com_chain[3],
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH),
+    GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
   { "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2],
     GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
   { "expired self signed", pem_self_cert, &pem_self_cert[0],
@@ -1211,7 +1217,12 @@ static struct
     GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID },
   { "cacertrsamd5 short-cut ok", cacertrsamd5, &cacertrsamd5[1],
     0, 0 },
-  { "ecc cert ok", ecc_cert, &ecc_cert[1], 0, 0 },
+  { "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH), 0 },
+  { "ecc cert ok", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128), 0 },
+  { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), 
+       GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
+  { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192), 
+       GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
   { "name constraints chain ok", nc_good, &nc_good[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0 },
   { "name constraints chain bad1", nc_bad1, &nc_bad1[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE},
   { "name constraints chain bad2", nc_bad2, &nc_bad2[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE},