]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
projects / thirdparty / gnutls.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: dafe828)
x509: corrected issue in the algorithm parameters comparison
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 11 Feb 2019 08:18:46 +0000 (09:18 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 14 Feb 2019 10:21:57 +0000 (11:21 +0100)
Each certificate has two fields to set the signature algorithm
and parameters used for the digital signature. One of the fields is
authenticated and the other is not. It is required from RFC5280 to
enforce the equality of these fields, but currently due to an issue
we wouldn't enforce the equality of the parameters fields. This
fix corrects the issue.

We also move an RSA-PSS certificate in chainverify that was relying
on invalid parameters, to this set of invalid certificates.

Resolves: #698

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
NEWS patch | blob | blame | history
lib/x509/x509.c patch | blob | blame | history
tests/cert-tests/Makefile.am patch | blob | blame | history
tests/cert-tests/data/invalid-sig4.pem [new file with mode: 0644] patch | blob
tests/cert-tests/data/invalid-sig5.pem [new file with mode: 0644] patch | blob
tests/cert-tests/invalid-sig patch | blob | blame | history
tests/test-chains.h patch | blob | blame | history

diff --git a/NEWS b/NEWS
index af6aee6872d4e1d162f3d750fc43fc623fa3e830..b171ef71e81212478188d206c2896df1c3071015 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ See the end for copying conditions.
    an inappropriate for TLS1.3 certificate is seen on the credentials structure
    GnuTLS will disable TLS1.3 support for that session (#690).
 
+** libgnutls: enforce the equality of the two signature parameters fields in
+   a certificate. We were already enforcing the signature algorithm, but there
+   was a bug in parameter checking code.
+
 ** API and ABI modifications:
 No changes since last version.
 
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index b5de7cb7c84d80f6245fdd012e10c444c0c2d533..88aab5538e9d78724c8f51df1e54858b10d1ac1a 100644 (file)
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -338,7 +338,7 @@ static int compare_sig_algorithm(gnutls_x509_crt_t cert)
                return ret;
        }
 
-       ret = _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.parameters", &sp2);
+       ret = _gnutls_x509_read_value(cert->cert, "tbsCertificate.signature.parameters", &sp2);
        if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
                empty2 = 1;
        } else if (ret < 0) {
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 0e5692df6dcffdf582df5e6e6849d5af09714a34..f3beadec0de333fc77fb80e58242685f95fb0255 100644 (file)
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -35,8 +35,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
        templates/template-generalized.tmpl data/privkey1.pem data/privkey2.pem data/privkey3.pem \
        data/name-constraints-ip.pem data/cert-invalid-utf8.der data/very-long-dn.pem \
        data/provable3072.pem data/provable2048.pem data/provable-dsa2048.pem \
-       data/provable-dsa2048-fips.pem templates/template-crq.tmpl \
-       templates/template-unique.tmpl data/template-unique.pem \
+       data/provable-dsa2048-fips.pem templates/template-crq.tmpl data/invalid-sig5.pem \
+       templates/template-unique.tmpl data/template-unique.pem data/invalid-sig4.pem \
        templates/template-othername.tmpl data/template-othername.pem \
        templates/template-othername-xmpp.tmpl data/template-othername-xmpp.pem \
        templates/template-krb5name.tmpl data/crl-demo1.pem data/crl-demo2.pem data/crl-demo3.pem \
diff --git a/tests/cert-tests/data/invalid-sig4.pem b/tests/cert-tests/data/invalid-sig4.pem
new file mode 100644 (file)
index 0000000..f039e3c
--- /dev/null
+++ b/tests/cert-tests/data/invalid-sig4.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1jCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
+EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
+l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
+6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
+ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
+N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
+HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
+gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
+St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
+EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
+Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
+JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTAOBgkqhkiG9w0B
+AQUEAUEDggEBAKu8vApdGJTjwbHDqExV1r60mPHuPBzNz/MkJFyWAydY/Dauoi+P
+8f7aKwLDM73I3UgiK2APpQMQ/Xf40O2WZ0/96kcgcFTcqQxVfuGWJYrZtdpXSr6N
+jklDY6VsTieHJetbbf6ifzgo4DarrTmlpWLEt1xYLKpdAWCmYmejwMdiI/TnbEbu
+tdOAaiIT0i0/dE/qr4xftDic267Or4QepvY0UVl50+N13LzX83PfkuzSIFlvnPuV
++JJ2GAp8Dyymyt6KYnvY885faL2PPsF0uxVyOhaDqQvmTZmc2FfsqAFRx29XNF6r
+SixC9k8ciXjeJk71b5NMFWsnVk0AVGx6t7c=
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/invalid-sig5.pem b/tests/cert-tests/data/invalid-sig5.pem
new file mode 100644 (file)
index 0000000..f7a148c
--- /dev/null
+++ b/tests/cert-tests/data/invalid-sig5.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmjCCAlKgAwIBAgIMWXnRYyHbNWzuFxmzMD0GCSqGSIb3DQEBCjAwoA0wCwYJ
+YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL
+BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x
+DTALBgNVBAMTBENBLTEwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB
+oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDB
+uQ2UwKWT1BfN6H2B3svKL34aPW/+MTfN8McvExZsZYuQyRxeG8SV4uJ+GAtJ/Ml/
+eaUqiKG0pNCna846FUtAax/0quuVSaZ2xOVA3lMKj2frtRLJ3W6ZaglCHkZUHhII
+JEtE1s0F8aaaZ6X4/57OAi6uyFNuBSBsp3giQS6SrtFMbhq7OuSSt2T14XlVGvAI
+TiO7t21+Eukq2jDGOerUax4Yxki4l8589uXu5IQzZalj42hr9YKbNb75RAICNnY8
+jxCezc0o8KNoDF0IAK7UERz6uUQElUh/bdm0k3UV+uVA6t0disZ4gdenPuLsGSVD
+9fcbh/zFlv2V3A9HLJB3AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P
+AQH/BAUDAwcEADAdBgNVHQ4EFgQU6h4fxmpkIoNy/qx6u4Z13H7WN+QwHwYDVR0j
+BBgwFoAUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZIhvcNAQEKMDCgDTALBglg
+hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAFGH
+zxWW8R95wmmuDecuKf31LEKPubtaeqMRqt2Vk2mGCQOxcerl6MMGyl3w46hEkAjU
+jAPwmNnB9xyEyqR5w2TYrpzsrnUcZn+6HzSiPTEJ0jhY2S8N2V+Bch1QgMwlgeaD
+bZrY6qAG6PeqoQ8XhZ8+1sI/IpQKJHmmBN+qYbLFxEPjE4QnBahPbKfbpMY0MMX0
+uuI2nSBKcYmkYiWBYdydpP24VfeoUP0V6bXc5rrDdCNGp+AxUID51GT0AoMf2FGK
+LeOLJtPqH7raz44pa1qezHq4gPeXC0Ende9j7IimpsdB6eDVle8UZipfeASq9XVL
+F430KTcS7x42r71NZUU=
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig
index eaa75c7543ce5bd340b046dce6b6c5be1b0f59df..bc2774e1f5bbfb404940057eb1dc86dcf5f0346b 100755 (executable)
--- a/tests/cert-tests/invalid-sig
+++ b/tests/cert-tests/invalid-sig
@@ -59,4 +59,24 @@ if test "${rc}" = "0"; then
        exit ${rc}
 fi
 
+#check whether different parameters in tbsCertificate than the outer signature is tolerated
+${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig4.pem"
+rc=$?
+
+# We're done.
+if test "${rc}" = "0"; then
+       echo "Verification of invalid signature (4) failed"
+       exit ${rc}
+fi
+
+#check whether different RSA-PSS parameters in tbsCertificate than the outer signature is tolerated
+${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/invalid-sig5.pem"
+rc=$?
+
+# We're done.
+if test "${rc}" = "0"; then
+       echo "Verification of invalid signature (4) failed"
+       exit ${rc}
+fi
+
 exit 0
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 09a386c821872aca536168ad0a814704743b9447..095ccbabd2607a5d6a86ca6a0416cfc3af41d518 100644 (file)
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -154,71 +154,76 @@ static const char *chain_with_no_subject_id_in_ca_ok[] = {
        "-----END CERTIFICATE-----\n"
 };
 
+/* This chain was generated by a modified gnutls lib. The script tests/suite/certs/create-chain.sh
+ * was used after modifying it to generate RSA-PSS certificates and set 64 byte salt in intermediate
+ * CA, and 48-byte otherwise. Then _gnutls_x509_write_sign_params() was modified to set a 32-byte salt
+ * when it would have set a 64-byte one. That way signatures from the intermediate certificate restricted
+ * to 64-byte salts will be incorrectly set to 32-bytes. */
 static const char *rsa_pss_chain_smaller_salt_in_sig_fail[] = {
        "-----BEGIN CERTIFICATE-----\n"
-       "MIIDfzCCAjegAwIBAgIMWXnRYyUPHcgwMUF2MD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n"
-       "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgMA8xDTAL\n"
-       "BgNVBAMTBENBLTEwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMBMx\n"
-       "ETAPBgNVBAMTCHNlcnZlci0yMIIBIDALBgkqhkiG9w0BAQoDggEPADCCAQoCggEB\n"
-       "ALPUjrvjgPh9hv3gYDxu/Un28TzS3os+O1eAbVGuTeO0BX3u5D2ZtaVeB7gLwSku\n"
-       "YkDKLrXs+M5BsvpZOfKIyQjrLuc5U5ik8W7SsSH5MVliergMTz4Qi+DtXdsrIjpk\n"
-       "oTDxgUatrpYQSocPfqdMgma3DyW3jlZv4BoLZ95TsJi23qZxZI9fQeGG9DZ+x2h6\n"
-       "3QeW4OTpJB75O6ruas7KiId9RH6WHj/JvLF99RGhPHa7SUZstyvnDA80Igood6S6\n"
-       "J3GNs1RHnaHeOqcyfbdNzlyTaLK0Acos6AKlkm4OYABXRmfDSyjVPto7FTV4I9CV\n"
-       "jSRXOa5IK3kUvFApM6SvzQsCAwEAAaN3MHUwDAYDVR0TAQH/BAIwADAUBgNVHREE\n"
-       "DTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUhAHLtEhd\n"
-       "NxMr6TQX5GB4a29ng4YwHwYDVR0jBBgwFoAU6h4fxmpkIoNy/qx6u4Z13H7WN+Qw\n"
-       "PQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJ\n"
-       "YIZIAWUDBAIBogMCASADggEBAL5SQpMtcGQ4mNZaaW3SNB8EBPo4VZ1GXYsOd0ef\n"
-       "JmhNKKrw5Z2WHR8xDbP7cwq/X+U0M9TMhCWPaDgzt46TJu+ct43UqGt/bgz2Xt2R\n"
-       "xCvlhwGNM3A5c417jmNQiQvMyCiEZSPD7RLowoE34XyjaxydYoWGq9otNoIq0CX9\n"
-       "Q7GZudWfWvwDU3zM8gy6k8EPmOgG8PdvW6PjKyf5y/uSDHY7Dm8d9E/uybAbZUVo\n"
-       "WfdwhhP66EDmNozTNaBcfIkJTmuxq2oxnA8JS1V5hMccfZLIRh0hBkpdGXSAOMNV\n"
-       "qjqJUOWrbU5hbcZUk2UHK34rNvkX+rDmuKD2vAQ7MguzHfI=\n"
+       "MIIDiTCCAkGgAwIBAgIUMquMu6/Azo9N40rNZ1z7hkotqC0wPQYJKoZIhvcNAQEK\n"
+       "MDCgDTALBglghkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogMC\n"
+       "ASAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n"
+       "NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+       "DwAwggEKAoIBAQDrEJ5ONj7OYNjDZ3johFKItvX6BFJ7ejLfNELvT7I9hsiGJBr5\n"
+       "Q/NgeQolSXLKHYG0L5Lxu1fbHINzC43NEivY3KMKKl0+MdXWwAr0yW/cTeuDc/+e\n"
+       "YqGT3TpCcxa/0dJ+Y3zAS1DqsHjNOxyYBvyKATyvFKo+oAwOqtR/OLflUvoXvYZV\n"
+       "YByseOLhE70Vfuk8yppRcKwokwk/3S6dZjoxK1K3PBQGARJNaUChtx5iM1qMrluK\n"
+       "uDj7yV9DYhtyhSmYvcZ1gb3t0aAxGoGbfdOHa7XMovzfRDUPbwvkKUJqcNfGkeGn\n"
+       "pZRzbA8D/YrjFtm7QVgf6yD20DbZChzoxRWzAgMBAAGjdzB1MAwGA1UdEwEB/wQC\n"
+       "MAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0O\n"
+       "BBYEFM/CHpfVzdNRBMYfqBXUieW9m9oFMB8GA1UdIwQYMBaAFDBBFsyy+oqRFlRx\n"
+       "MH5qlHt7guXUMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAICoRowGAYJKoZI\n"
+       "hvcNAQEIMAsGCWCGSAFlAwQCAqIDAgEgA4IBAQADuShUlCXrs5K6Yu7mKvoyZztJ\n"
+       "dQFuxv4WDvbhoZ19GEEg6icRUoaA3tWKf7tNRnqQklMLhWIZParXtt+xz7q5K6ic\n"
+       "kX5oGzzUNryAx5DJkZCCffdA1FaQjCEI6Cy5cEnGifXyacwA7BViUwMnWvJRSKYi\n"
+       "gvBVKc1TBwA+vPIzlSb3COo1zhshxM+C7mhzspDFkceXV7qapFDMj7M/GbgqH7h0\n"
+       "yuJv2bymytjXadR43LuG6yqqsFvIPHYBcyPq3Uzu+57UJbHhAlkTXaAXfZkc1Ut7\n"
+       "Xz8pOEzcxZHl4SEgsO6KeT2uQUE1Zx5AgwaNfuMmg0aFJep8vKcQ1jvdzxS2\n"
        "-----END CERTIFICATE-----\n",
        "-----BEGIN CERTIFICATE-----\n"
-       "MIIDmjCCAlKgAwIBAgIMWXnRYyHbNWzuFxmzMD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n"
-       "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL\n"
-       "BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x\n"
-       "DTALBgNVBAMTBENBLTEwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB\n"
-       "oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDB\n"
-       "uQ2UwKWT1BfN6H2B3svKL34aPW/+MTfN8McvExZsZYuQyRxeG8SV4uJ+GAtJ/Ml/\n"
-       "eaUqiKG0pNCna846FUtAax/0quuVSaZ2xOVA3lMKj2frtRLJ3W6ZaglCHkZUHhII\n"
-       "JEtE1s0F8aaaZ6X4/57OAi6uyFNuBSBsp3giQS6SrtFMbhq7OuSSt2T14XlVGvAI\n"
-       "TiO7t21+Eukq2jDGOerUax4Yxki4l8589uXu5IQzZalj42hr9YKbNb75RAICNnY8\n"
-       "jxCezc0o8KNoDF0IAK7UERz6uUQElUh/bdm0k3UV+uVA6t0disZ4gdenPuLsGSVD\n"
-       "9fcbh/zFlv2V3A9HLJB3AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P\n"
-       "AQH/BAUDAwcEADAdBgNVHQ4EFgQU6h4fxmpkIoNy/qx6u4Z13H7WN+QwHwYDVR0j\n"
-       "BBgwFoAUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
-       "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAFGH\n"
-       "zxWW8R95wmmuDecuKf31LEKPubtaeqMRqt2Vk2mGCQOxcerl6MMGyl3w46hEkAjU\n"
-       "jAPwmNnB9xyEyqR5w2TYrpzsrnUcZn+6HzSiPTEJ0jhY2S8N2V+Bch1QgMwlgeaD\n"
-       "bZrY6qAG6PeqoQ8XhZ8+1sI/IpQKJHmmBN+qYbLFxEPjE4QnBahPbKfbpMY0MMX0\n"
-       "uuI2nSBKcYmkYiWBYdydpP24VfeoUP0V6bXc5rrDdCNGp+AxUID51GT0AoMf2FGK\n"
-       "LeOLJtPqH7raz44pa1qezHq4gPeXC0Ende9j7IimpsdB6eDVle8UZipfeASq9XVL\n"
-       "F430KTcS7x42r71NZUU=\n"
+       "MIIDojCCAlqgAwIBAgIUYIZPL5Kf86B0XYSKAdI8dv4HJY8wPQYJKoZIhvcNAQEK\n"
+       "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+       "ATAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n"
+       "NTk1OVowDzENMAsGA1UEAxMEQ0EtMTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+       "hkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogMCAUADggEPADCC\n"
+       "AQoCggEBANCQ6fUJYYI3OTDYIcyshBdnVBQq0uGjHg/04niCpoAZi/nlfP3tCRZS\n"
+       "k44kMt6hla9cEkdj5mzeGFlG5AYG9C5MimyYwTJ5Sho6t8ct4wPESeypuDbcvMRX\n"
+       "MTLM/9+ZECkDgKA238z4sNX0T0ppsCXy8IK0Jmn7bky6lqNmaMTjYWy7Tu4kQOMX\n"
+       "7RE4tv/WlaH95d7zHYuaAf5dNY5GJ/cGrkYLrL1KpN/UU/4KKxvWs3EbsnDvrTcs\n"
+       "mzLrTOIaedrrNXY6FsGE3+XKDCo+Z80LsrySpCozAECrEFCENMfS3ptOwI+Vblb1\n"
+       "Kar8+4+7uMxbGY/RJ/gGIKGYibkpzicCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n"
+       "/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQwQRbMsvqKkRZUcTB+apR7e4Ll\n"
+       "1DAfBgNVHSMEGDAWgBR1lWzS3rLSrmdPPgma8JL4j1PJgzA9BgkqhkiG9w0BAQow\n"
+       "MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n"
+       "MAOCAQEAnYZf5bo7ZtysyLO/3QjAM+o1IWXinH97XANEbs5oZOK/rQNLBIpOLaYp\n"
+       "YcnziJTEIqvy+7/KNwdjLcKZ4f5PBlDHBsr70XeJmMc+9/ZadY14BHZUEWNfBPx5\n"
+       "dZR55/g62CdermdCJEoY6XdIMqdTHrdwmBIS/7g/dciQt0+lrjanX14VLAVRUAIu\n"
+       "HMn5C4ZGeBDd8av3P+VIqdkFfpAYlZ5BsYqshel4pnAyhpUO5wTmY7cm78fqctyX\n"
+       "qmQ0PRLQXmlqrL2oJtlGcSWlT0u1bS0gJPpvszataCZhnX/O9x6yzzgeUpP4I/AR\n"
+       "KS4ZXRehFmQH4xS1eq5fmWiTzbvWHA==\n"
        "-----END CERTIFICATE-----\n",
        NULL,
        "-----BEGIN CERTIFICATE-----\n"
-       "MIIDeTCCAjGgAwIBAgIMWXnRYxvG34hjjASYMD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n"
-       "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL\n"
-       "BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x\n"
-       "DTALBgNVBAMTBENBLTAwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB\n"
-       "oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAA4IBDwAwggEKAoIBAQCw\n"
-       "/vJ8ccKv5ptzLvQjduQJ67JMAsizWhdkOlEy1idzXo/qjtEw6eqUJdcraF5Nzhon\n"
-       "HnXtioIvV2C3cYtauKO2rCKjlChiK59YaaeIbl521sSLRpFYhYIKkjOLHJePxHny\n"
-       "FTQEuF8b8CvrM8GsxIVZ9U+DRnxJdzhUiqxadnPpiXG/IrQRBjm/Abb8s/CG+Ny6\n"
-       "sEJBt9gDYfIfgDfbzeLu5zaPibi4N/+fYfToA7I8LXn7/AmsWAIjrY9rSOxdKJKw\n"
-       "H5C0Yd7myhtJY0EeHDl3Y3L+lwO/JkqxhRzIiZnIbxFcgeb9lZjeU94z/oi3mI7H\n"
-       "xzOk+D7IGgCkEBhfY53RAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P\n"
-       "AQH/BAUDAwcGADAdBgNVHQ4EFgQUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZI\n"
-       "hvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUD\n"
-       "BAIBogMCAUADggEBAH3ilegUORDk8WQ7sQWFsM1L3nnfGLlHAcac+P6vLnMCkkiD\n"
-       "bpzqKEfAvEnRnZhU9vMLJkv2vUNzqIaLalPveZx98yYAxDkjGbF3PU9Eesd+JYWd\n"
-       "aJQIqpFxMDgnAXhpny6JFnMS4PWqu8NDLukEXCeeC+asweChP4TubHTJYXVRlCPL\n"
-       "Xla2fDgaG3ZKAgoUo18Hmc+Ju/17jQxgVa+SUQW9AJL+87pUoaGP1lzwrRuZl4rr\n"
-       "kmuKVjoKukJ9BYIlz6RZ/8kZZtoCd7e84DJ+zEAd0/s9w5K6lzS0gpFDi/Yo23sr\n"
-       "6L6PwffJ42OdtgXobk6AlzKU5r3iQFdu4juNNQ0=\n"
+       "MIIDgTCCAjmgAwIBAgIUUVxp7I/ecuDCjWdn2Rng+TBNidUwPQYJKoZIhvcNAQEK\n"
+       "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+       "ATAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n"
+       "NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+       "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCATADggEPADCC\n"
+       "AQoCggEBAMcPAwX89KK6Nz39xdQRbSy9Ax7XzKAqtmmIczRVTKqsdQh4bm/gDuD6\n"
+       "Edxjl02cISBLczWV13brINSBI+QX/eLPyBmGGzI4ryyJuP+1qc0NMjDAlfYw+kXF\n"
+       "NZz02W6svxvrrt26mKJ1F+K/bZE+s9XHN0DW+hifQBBr8HX3BWJ9g6yj6YPd55pm\n"
+       "kQQcVgRG3BG1EMkJGK4LNesGdJGTHy+uqgtcykrMjh25uhr0oTOG6UjVYjXalZ5o\n"
+       "rOqo6CV+uGPmJYW2pBOlAOmblMMXSHXhIAhRBY8+h01BCsCU5wlEfPIsvclP2gSG\n"
+       "RVbM/9XgS/+4yN0fD+oXgi5Jh6TCYz8CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB\n"
+       "/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBR1lWzS3rLSrmdPPgma8JL4j1PJ\n"
+       "gzA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL\n"
+       "BglghkgBZQMEAgGiAwIBMAOCAQEAqudvb92hfo7iAS63u902onL2XwhfS9IZtu3D\n"
+       "Lum78Q8nzhWf+YSls4/o8ln/Erv8LfrrhxoPEVpxQTPCbj/mmHez3hh+xrb0ZUVQ\n"
+       "pi5gE6kkkzzvL1VEMce85RLbm4AyVDl4onU2gaFXTxpMpKwBTZoKRbLcG2TsQgyW\n"
+       "Kgq+XnyT/1AC2vp4Ou8G1MIh5bkfetTeo2KJ3lmEVGoUh0k0diayDwaBgBDeX7hl\n"
+       "XvKrG/hhhWPVWNDXdQsiYYKVty76yM3vJiK9No1+jPZzNTv+pZaRqJiQ/ZaCICvC\n"
+       "uK/63Yrle+W/W1Jdj23/kSSL94ugw7PFwbqo2gPkECbG2Mk8pw==\n"
        "-----END CERTIFICATE-----\n"
 };
 
@@ -4120,7 +4125,7 @@ static struct
   { "rsa pss: invalid self sig - fail", rsa_pss_invalid_self_sig, &rsa_pss_invalid_self_sig[0], GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253},
   { "rsa pss: invalid chain with pkcs#1 1.5 sig - fail", rsa_pss_invalid_chain_with_pkcs1_sig, &rsa_pss_invalid_chain_with_pkcs1_sig[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253},
   { "rsa pss: invalid chain with wrong hash (sha384-sha256) - fail", rsa_pss_invalid_chain_with_wrong_hash, &rsa_pss_invalid_chain_with_wrong_hash[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253},
-  { "rsa pss: smaller salt in sig than spki - fail", rsa_pss_chain_smaller_salt_in_sig_fail, &rsa_pss_chain_smaller_salt_in_sig_fail[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501159136},
+  { "rsa pss: smaller salt in sig than spki - fail", rsa_pss_chain_smaller_salt_in_sig_fail, &rsa_pss_chain_smaller_salt_in_sig_fail[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1550005473},
   { "rsa pss: chain with sha1 hash - fail", rsa_pss_chain_with_sha1_fail, &rsa_pss_chain_with_sha1_fail[3], 0, GNUTLS_CERT_INVALID, 0, 1501159136},
   { "rsa pss: chain with different mgf hash - fail", rsa_pss_chain_with_diff_mgf_oid_fail, &rsa_pss_chain_with_diff_mgf_oid_fail[3], 0, GNUTLS_CERT_INVALID, 0, 1501159136},
   { "rsa pss: chain with sha256 - ok", rsa_pss_chain_sha256_ok, &rsa_pss_chain_sha256_ok[3], 0, 0, 0, 1501138253},
Mirror of https://gitlab.com/gnutls/gnutls.git