Blame SOURCES/gnutls-3.6.16-trust-ca-sha1.patch

9bef94
From c2409e479df41620bceac314c76cabb1d35a4075 Mon Sep 17 00:00:00 2001
9bef94
From: Daiki Ueno <ueno@gnu.org>
9bef94
Date: Mon, 3 May 2021 16:35:43 +0200
9bef94
Subject: [PATCH] x509/verify: treat SHA-1 signed CA in the trusted set
9bef94
 differently
9bef94
MIME-Version: 1.0
9bef94
Content-Type: text/plain; charset=UTF-8
9bef94
Content-Transfer-Encoding: 8bit
9bef94
9bef94
Suppose there is a certificate chain ending with an intermediate CA:
9bef94
EE → ICA1 → ICA2.  If the system trust store contains a root CA
9bef94
generated with the same key as ICA2 but signed with a prohibited
9bef94
algorithm, such as SHA-1, the library previously reported a
9bef94
verification failure, though the situation is not uncommon during a
9bef94
transition period of root CA.
9bef94
9bef94
This changes the library behavior such that the check on signature
9bef94
algorithm will be skipped when examining the trusted root CA.
9bef94
9bef94
Signed-off-by: Daiki Ueno <ueno@gnu.org>
9bef94
---
9bef94
 lib/x509/verify.c   |  26 ++++---
9bef94
 tests/test-chains.h | 165 ++++++++++++++++++++++++++++++++++++++++++++
9bef94
 2 files changed, 182 insertions(+), 9 deletions(-)
9bef94
9bef94
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
9bef94
index fd7c6a164..a50b5ea44 100644
9bef94
--- a/lib/x509/verify.c
9bef94
+++ b/lib/x509/verify.c
9bef94
@@ -415,14 +415,19 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
9bef94
 #define CASE_SEC_PARAM(profile, level) \
9bef94
 	case profile: \
9bef94
 		sym_bits = gnutls_sec_param_to_symmetric_bits(level); \
9bef94
-		hash = gnutls_sign_get_hash_algorithm(sigalg); \
9bef94
-		entry = mac_to_entry(hash); \
9bef94
-		if (hash <= 0 || entry == NULL) { \
9bef94
+		se = _gnutls_sign_to_entry(sigalg); \
9bef94
+		if (unlikely(se == NULL)) { \
9bef94
+			_gnutls_cert_log("cert", crt); \
9bef94
+			_gnutls_debug_log(#level": certificate's signature algorithm is unknown\n"); \
9bef94
+			return gnutls_assert_val(0); \
9bef94
+		} \
9bef94
+		if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) {	\
9bef94
 			_gnutls_cert_log("cert", crt); \
9bef94
 			_gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
9bef94
 			return gnutls_assert_val(0); \
9bef94
 		} \
9bef94
-		if (_gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
9bef94
+		if (!trusted && \
9bef94
+		    _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
9bef94
 			_gnutls_cert_log("cert", crt); \
9bef94
 			_gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", _gnutls_sign_get_hash_strength(sigalg), sym_bits); \
9bef94
 			return gnutls_assert_val(0); \
9bef94
@@ -449,19 +454,22 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
9bef94
  * @crt: a certificate
9bef94
  * @issuer: the certificates issuer (allowed to be NULL)
9bef94
  * @sigalg: the signature algorithm used
9bef94
+ * @trusted: whether @crt is treated as trusted (e.g., present in the system
9bef94
+ *           trust list); if it is true, the check on signature algorithm will
9bef94
+ *           be skipped
9bef94
  * @flags: the specified verification flags
9bef94
  */
9bef94
 static unsigned is_level_acceptable(
9bef94
 	gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
9bef94
-	gnutls_sign_algorithm_t sigalg, unsigned flags)
9bef94
+	gnutls_sign_algorithm_t sigalg, bool trusted,
9bef94
+	unsigned flags)
9bef94
 {
9bef94
 	gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
9bef94
-	const mac_entry_st *entry;
9bef94
 	int issuer_pkalg = 0, pkalg, ret;
9bef94
 	unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
9bef94
 	gnutls_pk_params_st params;
9bef94
 	gnutls_sec_param_t sp;
9bef94
-	int hash;
9bef94
+	const gnutls_sign_entry_st *se;
9bef94
 	gnutls_certificate_verification_profiles_t min_profile;
9bef94
 
9bef94
 	min_profile = _gnutls_get_system_wide_verification_profile();
9bef94
@@ -798,7 +806,7 @@ verify_crt(gnutls_x509_crt_t cert,
9bef94
 	}
9bef94
 
9bef94
 	if (sigalg >= 0 && se) {
9bef94
-		if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
9bef94
+		if (is_level_acceptable(cert, issuer, sigalg, false, flags) == 0) {
9bef94
 			MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
9bef94
 		}
9bef94
 
9bef94
@@ -893,7 +901,7 @@ unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
9bef94
 
9bef94
 	/* we explicitly allow CAs which we do not support their self-algorithms
9bef94
 	 * to pass. */
9bef94
-	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) {
9bef94
+	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, true, flags)) {
9bef94
 		status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID;
9bef94
 	}
9bef94
 
9bef94
diff --git a/tests/test-chains.h b/tests/test-chains.h
9bef94
index 9b06b85f5..64f50fabf 100644
9bef94
--- a/tests/test-chains.h
9bef94
+++ b/tests/test-chains.h
9bef94
@@ -4106,6 +4106,163 @@ static const char *superseding_ca[] = {
9bef94
 	NULL
9bef94
 };
9bef94
 
9bef94
+static const char *rsa_sha1_in_trusted[] = {
9bef94
+	"-----BEGIN CERTIFICATE-----\n"
9bef94
+	"MIID0jCCAoqgAwIBAgIUezaBB7f4TW75oc3UV57oJvXmbBYwDQYJKoZIhvcNAQEL\n"
9bef94
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyNzIxWhcN\n"
9bef94
+	"MjIwNTAzMTQyNzIxWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
9bef94
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
9bef94
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
9bef94
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
9bef94
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
9bef94
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
9bef94
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
9bef94
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
9bef94
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
9bef94
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
9bef94
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
9bef94
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
9bef94
+	"AAOCATEAXs8lOV231HQerhSGEjZJz0vBuA3biKYlu3cwCTKvF6EOyYMSWOnfqqD0\n"
9bef94
+	"eDhpo1pzGtUa2zYLHagb+sU2NSTe0sqP+PK1giUg8X8/tRtWKk1p/m76yK/3iaty\n"
9bef94
+	"flgz+eMai4xQu2FvAJzIASFjM9R+Pgpcf/zdvkiUPv8Rdm9FieyAZnJSo9hJHLxN\n"
9bef94
+	"x60tfC5yyswdbGGW0GbJ2kr+xMfVZvxgO/x6AXlOaUGQ+jZAu9eJwFQMDW5h5/S1\n"
9bef94
+	"PJkIt7f7jkU33cG+BawcjhT0GzxuvDnnCG0L7/z7bR+Sw2kNKqHbHorzv91R20Oh\n"
9bef94
+	"CIISJPkiiP+mYcglTp1d9gw09GwSkGbldb9ibfc0hKyxiImFfIiTqDbXJcpKH98o\n"
9bef94
+	"W8hWkb20QURlY+QM5MD49znfhPKMTQ==\n"
9bef94
+	"-----END CERTIFICATE-----\n",
9bef94
+	"-----BEGIN CERTIFICATE-----\n"
9bef94
+	"MIID2TCCAkGgAwIBAgIUWsb4DATcefXbo0WrBfgqVMvPGawwDQYJKoZIhvcNAQEL\n"
9bef94
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI2\n"
9bef94
+	"MzVaFw0yMjA1MDMxNDI2MzVaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
9bef94
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
9bef94
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
9bef94
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
9bef94
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
9bef94
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
9bef94
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
9bef94
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
9bef94
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
9bef94
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
9bef94
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBCwUAA4IBgQBbboeDr/rLT1tZWrdHq8FvflGm\n"
9bef94
+	"EpxZIRU4DdDD/SUCWSPQvjBq0MvuKxs5FfJCKrDf2kS2qlZ1rO0AuWwREoDeTOEc\n"
9bef94
+	"arjFoCry+JQ+USqS5F4gsp4XlYvli27iMp3dlnhFXEQQy7/y+gM5c9wnMi8v/LUz\n"
9bef94
+	"AV6QHX0fkb4XeazeJ+Nq0EkjqiYxylN6mP+5LAEMBG/wGviAoviQ5tN9zdoQs/nT\n"
9bef94
+	"3jTw3cOauuPjdcOTfo71+/MtBzhPchgNIyQo4aB40XVWsLAoruL/3CFFlTniihtd\n"
9bef94
+	"zA2zA7JvbuuKx6BOv2IbWOUweb732ZpYbDgEcXp/6Cj/SIUGxidpEgdCJGqyqdC7\n"
9bef94
+	"b58ujxclC6QTcicw+SX5LBox8WGLfj+x+V3uVBz9+EK608xphTj4kLh9peII9v3n\n"
9bef94
+	"vBUoZRTiUTCvH4AJJgAfa3mYrSxzueuqBOwXcvZ+8OJ0J1CP21pmK5nxR7f1nm9Q\n"
9bef94
+	"sYA1VHfC2dtyAYlByeF5iHl5hFR6vy1jJyzxg2M=\n"
9bef94
+	"-----END CERTIFICATE-----\n",
9bef94
+	NULL
9bef94
+};
9bef94
+
9bef94
+static const char *rsa_sha1_in_trusted_ca[] = {
9bef94
+	/* This CA is generated with the same key as rsa_sha1_in_trusted[1], but
9bef94
+	 * self-signed using SHA-1.
9bef94
+	 */
9bef94
+	"-----BEGIN CERTIFICATE-----\n"
9bef94
+	"MIIDYzCCAhugAwIBAgIUahO8CvYPHTAltKCC2rAIcXUiLlAwDQYJKoZIhvcNAQEF\n"
9bef94
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyMDM1WhcN\n"
9bef94
+	"MjIwNTAzMTQyMDM1WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCCAVIwDQYJ\n"
9bef94
+	"KoZIhvcNAQEBBQADggE/ADCCAToCggExAJzkQrF9bp5f/38tnddOeF3biIP9wqlQ\n"
9bef94
+	"Wk9x3GuuUhKA8IdCoj7UKDoGS3SmNnKGxrP6I2LTo3LNCp5T2HZrYxIelhIbiVPe\n"
9bef94
+	"b+E0HQuDizIhOeniBqtudoWQGx6Ey/OENeA8UFhrs0CvN9Ippe328NlnCHEUPLxR\n"
9bef94
+	"rPEs318Ot/jCOhauojAECKj9PFsxpkUcy+cLwoj4QlZKz5sG16AAbm+gALGMFjyQ\n"
9bef94
+	"fdTPf5ceYBR+ZPf4j34t7NioNxfDDnKaahWI8Q0p7H4s+njIdfm2FSAKN+u7xlWB\n"
9bef94
+	"4oFzBGQthXs5cCB2mc6RKBZWN2uyxSdNMq40PddK/FBPghDE2MxONA9KJQjKOxQP\n"
9bef94
+	"UQo3jt21CKGGiHVU1BlhBh1knqMRnovRpJurvgEo/H/otI8XQ9ql7HsCAwEAAaND\n"
9bef94
+	"MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQe\n"
9bef94
+	"dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQUFAAOCATEAYLm/4DfUp+mA\n"
9bef94
+	"S/23a2bwybJoPCMzKZpi+veXkqoq/a/BCUkFpqnjpVjz0ujVKK121oeOPBAa/mG1\n"
9bef94
+	"Y3fJYP+b3PloL/6xj/8680TveGirCr0Rp/8XWa8lt+Ge8DM3mfTGWFTWHa0lD9VK\n"
9bef94
+	"gjV1oNZNLe5SKA6dJLAp/NjCxc/vuOkThQPeaoO5Iy/Z6m7CpTLO7T4syJFtDmSn\n"
9bef94
+	"Pa/yFUDTgJYFlGVM+KC1r8bhZ6Ao1CAXTcT5Lcbe/aCcyk6B3J2AnYsqPMVNEVhb\n"
9bef94
+	"9eMGO/WG24hMLy6eb1r/yL8uQ/uGi2rRlNJN8GTg09YR7l5fHrHxuHc/sme0jsnJ\n"
9bef94
+	"wtqGLCJsrh7Ae1fKVUueO00Yx9BGuzLswMvnT5f0oYs0jrXgMrTbIWS/DjOcYIHb\n"
9bef94
+	"w3SV1ZRcNg==\n"
9bef94
+	"-----END CERTIFICATE-----\n",
9bef94
+	NULL
9bef94
+};
9bef94
+
9bef94
+static const char *rsa_sha1_not_in_trusted[] = {
9bef94
+	"-----BEGIN CERTIFICATE-----\n"
9bef94
+	"MIID0jCCAoqgAwIBAgIUNCvPV9OvyuVMtnkC3ZAvh959h4MwDQYJKoZIhvcNAQEL\n"
9bef94
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTA0MDg0NzAzWhcN\n"
9bef94
+	"MjIwNTA0MDg0NzAzWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
9bef94
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
9bef94
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
9bef94
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
9bef94
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
9bef94
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
9bef94
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
9bef94
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
9bef94
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
9bef94
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
9bef94
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
9bef94
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
9bef94
+	"AAOCATEAWs/Qa1Ebydwo4Ke2KEdy5cUTSZjnoz93XpbrP9W60MJ4d2DIQPcYUcLF\n"
9bef94
+	"+glez+mRtVXDRtH5V/4yZX1EdgrPVQGeVlO5HbNiYyYw/Yj3H6kzWtUbBxdOAOE/\n"
9bef94
+	"/ul8RCKKMfvYBHCBgjBMW0aFm31Q1Z8m8nanBusyJ0DG1scBHu4/3vTCZthZAxc5\n"
9bef94
+	"3l3t/jjsNRS+k5t6Ay8nEY1tAZSGVqN8qufzO2NBO06sQagp09FTfDh581OBcVtF\n"
9bef94
+	"X7O0cffAWHk3JoywzEWFEAhVPqFlk07wG2O+k+fYZfavsJko5q+yWkxu8RDh4wAx\n"
9bef94
+	"7UzKudGOQ+NhfYJ7N7V1/RFg1z75gE3GTUX7qmGZEVDOsMyiuUeYg8znyYpBV55Q\n"
9bef94
+	"4BNr0ukwmwOdvUf+ksCu6PdOGaqThA==\n"
9bef94
+	"-----END CERTIFICATE-----\n",
9bef94
+	/* ICA with SHA1 signature */
9bef94
+	"-----BEGIN CERTIFICATE-----\n"
9bef94
+	"MIID2TCCAkGgAwIBAgIUYaKJkQft87M1TF+Jd30py3yIq4swDQYJKoZIhvcNAQEF\n"
9bef94
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDQwODQ1\n"
9bef94
+	"NDdaFw0yMjA1MDQwODQ1NDdaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
9bef94
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
9bef94
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
9bef94
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
9bef94
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
9bef94
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
9bef94
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
9bef94
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
9bef94
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
9bef94
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
9bef94
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBBQUAA4IBgQAewBcAGUGX28I5PDtuJkxoHonD\n"
9bef94
+	"muHdXpYnrz1YXN4b7odNXockz++Xovgj126fo+PeWgmaaCic98ZcGnyVTi9+3oqN\n"
9bef94
+	"2Bf4NNfyzSccgZZTphzbwjMcnc983HLQgsLSAOVivPHj5GEN58EWWamc9yA0VjGn\n"
9bef94
+	"cuYmFN2dlFA8/ClEbVGu3UXBe6OljR5zUr+6oiSp2J+Rl7SerVSHlst07iU2tkeB\n"
9bef94
+	"dlfOD5CquUGSka3SKvEfvu5SwYrCQVfYB6eMLInm7A0/ca0Jn3Oh4fMf2rIg/E3K\n"
9bef94
+	"qsopxsu8BXrLoGK4MxbxPA65JpczhZgilQQi3e3RIvxrvyD2qamjaNbyG5cr8mW4\n"
9bef94
+	"VOLf3vUORbkTi5sE7uRMu2B3z3N7ajsuQM8RHB17hOCB2FO/8rermq/oeJNtx57L\n"
9bef94
+	"5s5NxCHYTksQ4gkpR4gfTIO/zwXJSwGa/Zi2y2wIi/1qr7lppBsKV2rDWX7QiIeA\n"
9bef94
+	"PxOxyJA2eSeqCorz9vk3aHXleSpxsWGgKiJVmV0=\n"
9bef94
+	"-----END CERTIFICATE-----\n",
9bef94
+	NULL
9bef94
+};
9bef94
+
9bef94
+static const char *rsa_sha1_not_in_trusted_ca[] = {
9bef94
+	"-----BEGIN CERTIFICATE-----\n"
9bef94
+	"MIIEDTCCAnWgAwIBAgIUd5X8NZput+aNPEd9h92r4KAu16MwDQYJKoZIhvcNAQEL\n"
9bef94
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI1\n"
9bef94
+	"MDNaFw0yMjA1MDMxNDI1MDNaMB4xHDAaBgNVBAMTE0dudVRMUyB0ZXN0IHJvb3Qg\n"
9bef94
+	"Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCsFAaMb/iRN+OFqQNh\n"
9bef94
+	"OkkXGZlb+eLerLuB9ELnYwyLIh4MTXh0RjFZdCQLsQHfY/YFv0C50rmoXTA/d3Ef\n"
9bef94
+	"K/P243KjX0XBWjO9TBuN0zth50eq94zf69yxA/a+kmT+O5YLfhi2ELM5F3IjOUoZ\n"
9bef94
+	"lL0IGlFJwauAkaNylp/Evd5nW7g5DUJvMm4A3RXNfZt9gAD4lPRwryQq9jxT48Xu\n"
9bef94
+	"fB0kAPEG/l/Izbz2rYin5+nySL+a0CSNuEbITxidtMhveB747oR0QS2sMQKji1ur\n"
9bef94
+	"pRJ945SHiYJIgVuFAJc9StikSyIrxZgK45kAzcQAyRWWKiMNH5PprGFYJp+ypwhm\n"
9bef94
+	"1t8Bphj2RFJAG3XRRZF/9uJIYc5mEHCsZFZ/IFRaKqyN30kAUijgNt+lW5mZXVFU\n"
9bef94
+	"aqzV2zHjSG8jsGdia3cfBP46Z1q2eAh5jOCucTq1F7qZdVhOFmP9jFE6Uy5Kbwgc\n"
9bef94
+	"kNAnsEllQeJQL2odVa7woKkZZ4M/c72X5tpBU38Rs3krn3sCAwEAAaNDMEEwDwYD\n"
9bef94
+	"VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKVNENacW\n"
9bef94
+	"S/gFtxnLcrD1sZfknzANBgkqhkiG9w0BAQsFAAOCAYEAaZMV71mZ9FYoVdpho61h\n"
9bef94
+	"WWPs5GppQLJ1w70DNtGZ+lFrk/KopeDvOu1i61QLWRzcZCZMl+npiX1KH5kjVo3v\n"
9bef94
+	"C9G8kdMW6EVRk5p6qCJMPFN2U+grMMp50aY5kmw+/v+Lhk5T/VG93l63P91FkUre\n"
9bef94
+	"o8qhOudJExoUnR1uB9M6HMAxVn8Lm/N1LGPiP6A6Pboo716H7mg/A7pv9zoZ6jUp\n"
9bef94
+	"7x693mA/b3I/QpDx/nJcmcdqxgEuW+aRlFXgnYZRFAawxi+5M9EwCWbkSTO4OMHP\n"
9bef94
+	"Qlvak3tJO+wb92b0cICOOtzIPgQ+caiLg9d0FvesALmQzDmNmtqynoO85+Ia2Ywh\n"
9bef94
+	"nxKPlpeImhLN9nGl9sOeW2m4mnA5r0h1vgML4v/MWL4TQhXallc31uFNj5HyFaTh\n"
9bef94
+	"6Mr0g3GeQgN0jpT+aIOiKuW9fLts54+Ntj1NN40slqi3Y+/Yd6xhj+NgmbRvybZu\n"
9bef94
+	"tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
9bef94
+	"-----END CERTIFICATE-----\n",
9bef94
+	NULL
9bef94
+};
9bef94
+
9bef94
 #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
9bef94
 #  pragma GCC diagnostic push
9bef94
 #  pragma GCC diagnostic ignored "-Wunused-variable"
9bef94
@@ -4275,6 +4432,14 @@ static struct
9bef94
   { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
9bef94
     0, NULL, 1584352960, 1},
9bef94
   { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
9bef94
+  { "rsa-sha1 in trusted - ok",
9bef94
+    rsa_sha1_in_trusted, rsa_sha1_in_trusted_ca,
9bef94
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
9bef94
+    0, NULL, 1620052390, 1},
9bef94
+  { "rsa-sha1 not in trusted - not ok",
9bef94
+    rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
9bef94
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
9bef94
+    GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
9bef94
   { NULL, NULL, NULL, 0, 0}
9bef94
 };
9bef94
 
9bef94
-- 
9bef94
2.31.1
9bef94