* @GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: If set a signer in the trusted
* list is never checked for expiration or activation.
* @GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT: Allow only trusted CA
- * certificates that have version 1. This is safer than
- * %GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used
- * instead. That way only signers in your trusted list will be
- * allowed to have certificates of version 1.
+ * certificates that have version 1. This is the default.
+ * @GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: Do not allow trusted CA
+ * certificates that have version 1. This option is to be used
+ * to deprecate all V1 certificates.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
* anyone trusted but exists in the trusted CA list do not treat it
* as trusted.
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
- GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128
+ GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
{ "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2],
0, GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID },
{ "verisign.com v1 fail", verisign_com_chain, &verisign_com_chain[3],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
- { "verisign.com v1 fail2", verisign_com_chain, &verisign_com_chain[3],
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+ 0,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
{ "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
0 },
{ "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
{ "expired self signed", pem_self_cert, &pem_self_cert[0],
0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
{ "self signed", pem_self_cert, &pem_self_cert[0],
{ "ca=false2", thea_chain, &thea_chain[1],
0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
{ "hbci v1 fail", hbci_chain, &hbci_chain[2],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID},
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID},
{ "hbci v1 ok expired", hbci_chain, &hbci_chain[2],
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
{ "rsa-md5 ok", mayfirst_chain, &mayfirst_chain[1],
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0 },
{ "v1ca fail", v1ca, &v1ca[2],
- 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
{ "v1ca expired", v1ca, &v1ca[2],
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
fail ("chain[%s]: verify_status: %d expected: %d\n", chains[i].name,
verify_status, chains[i].expected_verify_result);
+#if 0
+ j=0;
+ do
+ {
+ fprintf(stderr, "%s\n", chains[i].chain[j]);
+ }
+ while(chains[i].chain[++j] != NULL);
+#endif
+
if (!debug)
exit (1);
}