[libvirt] [PATCH] Fix TLS tests with gnutls 3

Mon Mar 4 17:32:44 UTC 2013

From: "Daniel P. Berrange" <berrange at redhat.com>

When given a CA cert with basic constraints to set non-critical,
and key usage of 'key signing', this should be rejected. Version
of GNUTLS < 3 do not rejecte it though, so we never noticed the
test case was broken

Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
 tests/virnettlscontexttest.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index 3df8a70..f53ea0e 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -873,15 +873,6 @@ mymain(void)
         false, false, NULL, NULL,
         0, 0,
     };
-    /* Key usage:dig-sig:not-critical */
-    static struct testTLSCertReq cacert5req = {
-        NULL, NULL, "cacert5.pem", "UK",
-        "libvirt CA 5", NULL, NULL, NULL, NULL,
-        true, true, true,
-        true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
-        false, false, NULL, NULL,
-        0, 0,
-    };
 
     DO_CTX_TEST(true, cacert1req, servercertreq, false);
     DO_CTX_TEST(true, cacert2req, servercertreq, false);
@@ -889,10 +880,18 @@ mymain(void)
     DO_CTX_TEST(true, cacert3req, servercertreq, false);
 # endif
     DO_CTX_TEST(true, cacert4req, servercertreq, false);
-    DO_CTX_TEST(true, cacert5req, servercertreq, false);
 
     /* Now some bad certs */
 
+    /* Key usage:dig-sig:not-critical */
+    static struct testTLSCertReq cacert5req = {
+        NULL, NULL, "cacert5.pem", "UK",
+        "libvirt CA 5", NULL, NULL, NULL, NULL,
+        true, true, true,
+        true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+        false, false, NULL, NULL,
+        0, 0,
+    };
     /* no-basic */
     static struct testTLSCertReq cacert6req = {
         NULL, NULL, "cacert6.pem", "UK",
@@ -912,6 +911,16 @@ mymain(void)
         0, 0,
     };
 
+    /* Technically a CA cert with basic constraints
+     * key purpose == key signing + non-critical should
+     * be rejected. GNUTLS < 3 does not reject it and
+     * we don't anticipate them changing this behaviour
+     */
+# if GNUTLS_VERSION_MAJOR >= 3
+    DO_CTX_TEST(true, cacert5req, servercertreq, true);
+# else
+    DO_CTX_TEST(true, cacert5req, servercertreq, false);
+# endif
     DO_CTX_TEST(true, cacert6req, servercertreq, true);
     DO_CTX_TEST(true, cacert7req, servercertreq, true);
 
-- 
1.8.1.2


