
From c2409e479df41620bceac314c76cabb1d35a4075 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 3 May 2021 16:35:43 +0200
Subject: [PATCH] x509/verify: treat SHA-1 signed CA in the trusted set
 differently
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Suppose there is a certificate chain ending with an intermediate CA:
EE → ICA1 → ICA2.  If the system trust store contains a root CA
generated with the same key as ICA2 but signed with a prohibited
algorithm, such as SHA-1, the library previously reported a
verification failure, though the situation is not uncommon during a
transition period of root CA.
This changes the library behavior such that the check on signature
hash strength is skipped when examining the trusted root CA (the rejection of unknown signature algorithms and hashes is kept).
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/x509/verify.c   |  26 ++++---
 tests/test-chains.h | 165 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 182 insertions(+), 9 deletions(-)
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
0bb701
index fd7c6a164..a50b5ea44 100644
0bb701
--- a/lib/x509/verify.c
0bb701
+++ b/lib/x509/verify.c
0bb701
@@ -415,14 +415,19 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
0bb701
 #define CASE_SEC_PARAM(profile, level) \
0bb701
 	case profile: \
0bb701
 		sym_bits = gnutls_sec_param_to_symmetric_bits(level); \
0bb701
-		hash = gnutls_sign_get_hash_algorithm(sigalg); \
0bb701
-		entry = mac_to_entry(hash); \
0bb701
-		if (hash <= 0 || entry == NULL) { \
0bb701
+		se = _gnutls_sign_to_entry(sigalg); \
0bb701
+		if (unlikely(se == NULL)) { \
0bb701
+			_gnutls_cert_log("cert", crt); \
0bb701
+			_gnutls_debug_log(#level": certificate's signature algorithm is unknown\n"); \
0bb701
+			return gnutls_assert_val(0); \
0bb701
+		} \
0bb701
+		if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) {	\
0bb701
 			_gnutls_cert_log("cert", crt); \
0bb701
 			_gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
0bb701
 			return gnutls_assert_val(0); \
0bb701
 		} \
0bb701
-		if (_gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
0bb701
+		if (!trusted && \
0bb701
+		    _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
0bb701
 			_gnutls_cert_log("cert", crt); \
0bb701
 			_gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", _gnutls_sign_get_hash_strength(sigalg), sym_bits); \
0bb701
 			return gnutls_assert_val(0); \
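Review bot: The new `!trusted &&` short-circuit in front of the hash-strength comparison carries no comment saying why it is safe, and a reader auditing this macro later could easily read it as a hole in the profile enforcement. The reason it is sound is that a trust anchor is trusted by being in the store, not by its own signature, so the digest its self-signature uses establishes nothing; what still matters is the anchor's key size, and the checks that consume sym_bits further down in CASE_SEC_PARAM (outside this hunk) presumably still run for trusted certificates. Suggest a comment directly above the condition: `/* A trust anchor's own signature is never what establishes trust, so its digest strength is irrelevant; key-size checks below still apply. */`. Note that the two early returns above (unknown signature algorithm, unknown hash) still fire for trusted certificates, which looks intentional but differs from the commit message's "check on signature algorithm will be skipped". The CASE_SEC_PARAM macro continues past the end of the hunk.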
0bb701
@@ -449,19 +454,22 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
0bb701
  * @crt: a certificate
0bb701
  * @issuer: the certificates issuer (allowed to be NULL)
0bb701
  * @sigalg: the signature algorithm used
0bb701
+ * @trusted: whether @crt is treated as trusted (e.g., present in the system
0bb701
+ *           trust list); if it is true, the check on signature algorithm will
0bb701
+ *           be skipped
0bb701
  * @flags: the specified verification flags
0bb701
  */
0bb701
 static unsigned is_level_acceptable(
0bb701
 	gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
0bb701
-	gnutls_sign_algorithm_t sigalg, unsigned flags)
0bb701
+	gnutls_sign_algorithm_t sigalg, bool trusted,
0bb701
+	unsigned flags)
0bb701
 {
0bb701
 	gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
0bb701
-	const mac_entry_st *entry;
0bb701
 	int issuer_pkalg = 0, pkalg, ret;
0bb701
 	unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
0bb701
 	gnutls_pk_params_st params;
0bb701
 	gnutls_sec_param_t sp;
0bb701
-	int hash;
0bb701
+	const gnutls_sign_entry_st *se;
0bb701
 	gnutls_certificate_verification_profiles_t min_profile;
0bb701
 
0bb701
 	min_profile = _gnutls_get_system_wide_verification_profile();
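Review bot: The added `@trusted` documentation says "the check on signature algorithm will be skipped", which overstates what the first hunk does: only the hash-strength comparison is bypassed, while the unknown-algorithm and unknown-hash rejections remain, and the sym_bits-driven key checks later in the function are presumably unchanged. Suggest: `@trusted: whether @crt is a trust anchor (e.g., from the system trust list); if true, only the signature hash strength check is skipped, since an anchor's own signature is never what establishes trust`. The parameter is declared `bool`; if verify.c does not already have it in scope through its existing headers, `<stdbool.h>` would be needed, which this hunk does not show. The body of is_level_acceptable continues beyond the hunk.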
0bb701
@@ -798,7 +806,7 @@ verify_crt(gnutls_x509_crt_t cert,
0bb701
 	}
0bb701
 
0bb701
 	if (sigalg >= 0 && se) {
0bb701
-		if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
0bb701
+		if (is_level_acceptable(cert, issuer, sigalg, false, flags) == 0) {
0bb701
 			MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
0bb701
 		}
0bb701
 
0bb701
@@ -893,7 +901,7 @@ unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
0bb701
 
0bb701
 	/* we explicitly allow CAs which we do not support their self-algorithms
0bb701
 	 * to pass. */
0bb701
-	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) {
0bb701
+	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, true, flags)) {
0bb701
 		status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID;
0bb701
 	}
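Review bot: Passing `true` here is unconditional, so the relaxation is only correct if check_ca_sanity is reached solely for certificates taken from the trust list; its callers are outside this hunk and should be confirmed, because a CA that arrives in the presented chain must keep the strict treatment that verify_crt applies with `false` in the previous hunk. The existing comment above still explains only the unsupported-self-algorithm case, so the new leniency is undocumented at the call site; suggest extending it to `/* we explicitly allow CAs which we do not support their self-algorithms to pass, and we do not apply the hash-strength check to their self-signature: a trust anchor's own signature does not establish trust. */`. The rest of check_ca_sanity lies outside the hunk.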
0bb701
 
0bb701
diff --git a/tests/test-chains.h b/tests/test-chains.h
0bb701
index 9b06b85f5..64f50fabf 100644
0bb701
--- a/tests/test-chains.h
0bb701
+++ b/tests/test-chains.h
0bb701
@@ -4106,6 +4106,163 @@ static const char *superseding_ca[] = {
0bb701
 	NULL
0bb701
 };
0bb701
 
0bb701
+static const char *rsa_sha1_in_trusted[] = {
0bb701
+	"-----BEGIN CERTIFICATE-----\n"
0bb701
+	"MIID0jCCAoqgAwIBAgIUezaBB7f4TW75oc3UV57oJvXmbBYwDQYJKoZIhvcNAQEL\n"
0bb701
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyNzIxWhcN\n"
0bb701
+	"MjIwNTAzMTQyNzIxWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
0bb701
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
0bb701
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
0bb701
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
0bb701
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
0bb701
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
0bb701
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
0bb701
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
0bb701
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
0bb701
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
0bb701
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
0bb701
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
0bb701
+	"AAOCATEAXs8lOV231HQerhSGEjZJz0vBuA3biKYlu3cwCTKvF6EOyYMSWOnfqqD0\n"
0bb701
+	"eDhpo1pzGtUa2zYLHagb+sU2NSTe0sqP+PK1giUg8X8/tRtWKk1p/m76yK/3iaty\n"
0bb701
+	"flgz+eMai4xQu2FvAJzIASFjM9R+Pgpcf/zdvkiUPv8Rdm9FieyAZnJSo9hJHLxN\n"
0bb701
+	"x60tfC5yyswdbGGW0GbJ2kr+xMfVZvxgO/x6AXlOaUGQ+jZAu9eJwFQMDW5h5/S1\n"
0bb701
+	"PJkIt7f7jkU33cG+BawcjhT0GzxuvDnnCG0L7/z7bR+Sw2kNKqHbHorzv91R20Oh\n"
0bb701
+	"CIISJPkiiP+mYcglTp1d9gw09GwSkGbldb9ibfc0hKyxiImFfIiTqDbXJcpKH98o\n"
0bb701
+	"W8hWkb20QURlY+QM5MD49znfhPKMTQ==\n"
0bb701
+	"-----END CERTIFICATE-----\n",
0bb701
+	"-----BEGIN CERTIFICATE-----\n"
0bb701
+	"MIID2TCCAkGgAwIBAgIUWsb4DATcefXbo0WrBfgqVMvPGawwDQYJKoZIhvcNAQEL\n"
0bb701
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI2\n"
0bb701
+	"MzVaFw0yMjA1MDMxNDI2MzVaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
0bb701
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
0bb701
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
0bb701
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
0bb701
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
0bb701
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
0bb701
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
0bb701
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
0bb701
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
0bb701
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
0bb701
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBCwUAA4IBgQBbboeDr/rLT1tZWrdHq8FvflGm\n"
0bb701
+	"EpxZIRU4DdDD/SUCWSPQvjBq0MvuKxs5FfJCKrDf2kS2qlZ1rO0AuWwREoDeTOEc\n"
0bb701
+	"arjFoCry+JQ+USqS5F4gsp4XlYvli27iMp3dlnhFXEQQy7/y+gM5c9wnMi8v/LUz\n"
0bb701
+	"AV6QHX0fkb4XeazeJ+Nq0EkjqiYxylN6mP+5LAEMBG/wGviAoviQ5tN9zdoQs/nT\n"
0bb701
+	"3jTw3cOauuPjdcOTfo71+/MtBzhPchgNIyQo4aB40XVWsLAoruL/3CFFlTniihtd\n"
0bb701
+	"zA2zA7JvbuuKx6BOv2IbWOUweb732ZpYbDgEcXp/6Cj/SIUGxidpEgdCJGqyqdC7\n"
0bb701
+	"b58ujxclC6QTcicw+SX5LBox8WGLfj+x+V3uVBz9+EK608xphTj4kLh9peII9v3n\n"
0bb701
+	"vBUoZRTiUTCvH4AJJgAfa3mYrSxzueuqBOwXcvZ+8OJ0J1CP21pmK5nxR7f1nm9Q\n"
0bb701
+	"sYA1VHfC2dtyAYlByeF5iHl5hFR6vy1jJyzxg2M=\n"
0bb701
+	"-----END CERTIFICATE-----\n",
0bb701
+	NULL
0bb701
+};
0bb701
+
0bb701
+static const char *rsa_sha1_in_trusted_ca[] = {
0bb701
+	/* This CA is generated with the same key as rsa_sha1_in_trusted[1], but
0bb701
+	 * self-signed using SHA-1.
0bb701
+	 */
0bb701
+	"-----BEGIN CERTIFICATE-----\n"
0bb701
+	"MIIDYzCCAhugAwIBAgIUahO8CvYPHTAltKCC2rAIcXUiLlAwDQYJKoZIhvcNAQEF\n"
0bb701
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyMDM1WhcN\n"
0bb701
+	"MjIwNTAzMTQyMDM1WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCCAVIwDQYJ\n"
0bb701
+	"KoZIhvcNAQEBBQADggE/ADCCAToCggExAJzkQrF9bp5f/38tnddOeF3biIP9wqlQ\n"
0bb701
+	"Wk9x3GuuUhKA8IdCoj7UKDoGS3SmNnKGxrP6I2LTo3LNCp5T2HZrYxIelhIbiVPe\n"
0bb701
+	"b+E0HQuDizIhOeniBqtudoWQGx6Ey/OENeA8UFhrs0CvN9Ippe328NlnCHEUPLxR\n"
0bb701
+	"rPEs318Ot/jCOhauojAECKj9PFsxpkUcy+cLwoj4QlZKz5sG16AAbm+gALGMFjyQ\n"
0bb701
+	"fdTPf5ceYBR+ZPf4j34t7NioNxfDDnKaahWI8Q0p7H4s+njIdfm2FSAKN+u7xlWB\n"
0bb701
+	"4oFzBGQthXs5cCB2mc6RKBZWN2uyxSdNMq40PddK/FBPghDE2MxONA9KJQjKOxQP\n"
0bb701
+	"UQo3jt21CKGGiHVU1BlhBh1knqMRnovRpJurvgEo/H/otI8XQ9ql7HsCAwEAAaND\n"
0bb701
+	"MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQe\n"
0bb701
+	"dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQUFAAOCATEAYLm/4DfUp+mA\n"
0bb701
+	"S/23a2bwybJoPCMzKZpi+veXkqoq/a/BCUkFpqnjpVjz0ujVKK121oeOPBAa/mG1\n"
0bb701
+	"Y3fJYP+b3PloL/6xj/8680TveGirCr0Rp/8XWa8lt+Ge8DM3mfTGWFTWHa0lD9VK\n"
0bb701
+	"gjV1oNZNLe5SKA6dJLAp/NjCxc/vuOkThQPeaoO5Iy/Z6m7CpTLO7T4syJFtDmSn\n"
0bb701
+	"Pa/yFUDTgJYFlGVM+KC1r8bhZ6Ao1CAXTcT5Lcbe/aCcyk6B3J2AnYsqPMVNEVhb\n"
0bb701
+	"9eMGO/WG24hMLy6eb1r/yL8uQ/uGi2rRlNJN8GTg09YR7l5fHrHxuHc/sme0jsnJ\n"
0bb701
+	"wtqGLCJsrh7Ae1fKVUueO00Yx9BGuzLswMvnT5f0oYs0jrXgMrTbIWS/DjOcYIHb\n"
0bb701
+	"w3SV1ZRcNg==\n"
0bb701
+	"-----END CERTIFICATE-----\n",
0bb701
+	NULL
0bb701
+};
0bb701
+
0bb701
+static const char *rsa_sha1_not_in_trusted[] = {
0bb701
+	"-----BEGIN CERTIFICATE-----\n"
0bb701
+	"MIID0jCCAoqgAwIBAgIUNCvPV9OvyuVMtnkC3ZAvh959h4MwDQYJKoZIhvcNAQEL\n"
0bb701
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTA0MDg0NzAzWhcN\n"
0bb701
+	"MjIwNTA0MDg0NzAzWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
0bb701
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
0bb701
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
0bb701
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
0bb701
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
0bb701
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
0bb701
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
0bb701
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
0bb701
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
0bb701
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
0bb701
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
0bb701
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
0bb701
+	"AAOCATEAWs/Qa1Ebydwo4Ke2KEdy5cUTSZjnoz93XpbrP9W60MJ4d2DIQPcYUcLF\n"
0bb701
+	"+glez+mRtVXDRtH5V/4yZX1EdgrPVQGeVlO5HbNiYyYw/Yj3H6kzWtUbBxdOAOE/\n"
0bb701
+	"/ul8RCKKMfvYBHCBgjBMW0aFm31Q1Z8m8nanBusyJ0DG1scBHu4/3vTCZthZAxc5\n"
0bb701
+	"3l3t/jjsNRS+k5t6Ay8nEY1tAZSGVqN8qufzO2NBO06sQagp09FTfDh581OBcVtF\n"
0bb701
+	"X7O0cffAWHk3JoywzEWFEAhVPqFlk07wG2O+k+fYZfavsJko5q+yWkxu8RDh4wAx\n"
0bb701
+	"7UzKudGOQ+NhfYJ7N7V1/RFg1z75gE3GTUX7qmGZEVDOsMyiuUeYg8znyYpBV55Q\n"
0bb701
+	"4BNr0ukwmwOdvUf+ksCu6PdOGaqThA==\n"
0bb701
+	"-----END CERTIFICATE-----\n",
0bb701
+	/* ICA with SHA1 signature */
0bb701
+	"-----BEGIN CERTIFICATE-----\n"
0bb701
+	"MIID2TCCAkGgAwIBAgIUYaKJkQft87M1TF+Jd30py3yIq4swDQYJKoZIhvcNAQEF\n"
0bb701
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDQwODQ1\n"
0bb701
+	"NDdaFw0yMjA1MDQwODQ1NDdaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
0bb701
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
0bb701
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
0bb701
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
0bb701
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
0bb701
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
0bb701
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
0bb701
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
0bb701
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
0bb701
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
0bb701
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBBQUAA4IBgQAewBcAGUGX28I5PDtuJkxoHonD\n"
0bb701
+	"muHdXpYnrz1YXN4b7odNXockz++Xovgj126fo+PeWgmaaCic98ZcGnyVTi9+3oqN\n"
0bb701
+	"2Bf4NNfyzSccgZZTphzbwjMcnc983HLQgsLSAOVivPHj5GEN58EWWamc9yA0VjGn\n"
0bb701
+	"cuYmFN2dlFA8/ClEbVGu3UXBe6OljR5zUr+6oiSp2J+Rl7SerVSHlst07iU2tkeB\n"
0bb701
+	"dlfOD5CquUGSka3SKvEfvu5SwYrCQVfYB6eMLInm7A0/ca0Jn3Oh4fMf2rIg/E3K\n"
0bb701
+	"qsopxsu8BXrLoGK4MxbxPA65JpczhZgilQQi3e3RIvxrvyD2qamjaNbyG5cr8mW4\n"
0bb701
+	"VOLf3vUORbkTi5sE7uRMu2B3z3N7ajsuQM8RHB17hOCB2FO/8rermq/oeJNtx57L\n"
0bb701
+	"5s5NxCHYTksQ4gkpR4gfTIO/zwXJSwGa/Zi2y2wIi/1qr7lppBsKV2rDWX7QiIeA\n"
0bb701
+	"PxOxyJA2eSeqCorz9vk3aHXleSpxsWGgKiJVmV0=\n"
0bb701
+	"-----END CERTIFICATE-----\n",
0bb701
+	NULL
0bb701
+};
0bb701
+
0bb701
+static const char *rsa_sha1_not_in_trusted_ca[] = {
0bb701
+	"-----BEGIN CERTIFICATE-----\n"
0bb701
+	"MIIEDTCCAnWgAwIBAgIUd5X8NZput+aNPEd9h92r4KAu16MwDQYJKoZIhvcNAQEL\n"
0bb701
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI1\n"
0bb701
+	"MDNaFw0yMjA1MDMxNDI1MDNaMB4xHDAaBgNVBAMTE0dudVRMUyB0ZXN0IHJvb3Qg\n"
0bb701
+	"Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCsFAaMb/iRN+OFqQNh\n"
0bb701
+	"OkkXGZlb+eLerLuB9ELnYwyLIh4MTXh0RjFZdCQLsQHfY/YFv0C50rmoXTA/d3Ef\n"
0bb701
+	"K/P243KjX0XBWjO9TBuN0zth50eq94zf69yxA/a+kmT+O5YLfhi2ELM5F3IjOUoZ\n"
0bb701
+	"lL0IGlFJwauAkaNylp/Evd5nW7g5DUJvMm4A3RXNfZt9gAD4lPRwryQq9jxT48Xu\n"
0bb701
+	"fB0kAPEG/l/Izbz2rYin5+nySL+a0CSNuEbITxidtMhveB747oR0QS2sMQKji1ur\n"
0bb701
+	"pRJ945SHiYJIgVuFAJc9StikSyIrxZgK45kAzcQAyRWWKiMNH5PprGFYJp+ypwhm\n"
0bb701
+	"1t8Bphj2RFJAG3XRRZF/9uJIYc5mEHCsZFZ/IFRaKqyN30kAUijgNt+lW5mZXVFU\n"
0bb701
+	"aqzV2zHjSG8jsGdia3cfBP46Z1q2eAh5jOCucTq1F7qZdVhOFmP9jFE6Uy5Kbwgc\n"
0bb701
+	"kNAnsEllQeJQL2odVa7woKkZZ4M/c72X5tpBU38Rs3krn3sCAwEAAaNDMEEwDwYD\n"
0bb701
+	"VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKVNENacW\n"
0bb701
+	"S/gFtxnLcrD1sZfknzANBgkqhkiG9w0BAQsFAAOCAYEAaZMV71mZ9FYoVdpho61h\n"
0bb701
+	"WWPs5GppQLJ1w70DNtGZ+lFrk/KopeDvOu1i61QLWRzcZCZMl+npiX1KH5kjVo3v\n"
0bb701
+	"C9G8kdMW6EVRk5p6qCJMPFN2U+grMMp50aY5kmw+/v+Lhk5T/VG93l63P91FkUre\n"
0bb701
+	"o8qhOudJExoUnR1uB9M6HMAxVn8Lm/N1LGPiP6A6Pboo716H7mg/A7pv9zoZ6jUp\n"
0bb701
+	"7x693mA/b3I/QpDx/nJcmcdqxgEuW+aRlFXgnYZRFAawxi+5M9EwCWbkSTO4OMHP\n"
0bb701
+	"Qlvak3tJO+wb92b0cICOOtzIPgQ+caiLg9d0FvesALmQzDmNmtqynoO85+Ia2Ywh\n"
0bb701
+	"nxKPlpeImhLN9nGl9sOeW2m4mnA5r0h1vgML4v/MWL4TQhXallc31uFNj5HyFaTh\n"
0bb701
+	"6Mr0g3GeQgN0jpT+aIOiKuW9fLts54+Ntj1NN40slqi3Y+/Yd6xhj+NgmbRvybZu\n"
0bb701
+	"tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
0bb701
+	"-----END CERTIFICATE-----\n",
0bb701
+	NULL
0bb701
+};
0bb701
+
0bb701
 #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
0bb701
 #  pragma GCC diagnostic push
0bb701
 #  pragma GCC diagnostic ignored "-Wunused-variable"
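Review bot: `rsa_sha1_in_trusted` and `rsa_sha1_not_in_trusted` have no comment describing the chain shape the test depends on, which matters because both chains look alike and differ only in where the SHA-1 signature sits. Reading the algorithm OIDs in the base64, the ICA in the first chain is sha256WithRSA-signed by the root while the trust anchor (same subject key identifier, as the comment on `rsa_sha1_in_trusted_ca` says) is sha1WithRSA self-signed; in the second chain the ICA itself is sha1WithRSA-signed and the genuine sha256 root is the anchor. Suggest above `rsa_sha1_in_trusted`: `/* EE -> ICA (SHA-256 signed); the trust list holds a SHA-1 self-signed CA with the ICA's key, so SHA-1 appears only on the anchor and must be tolerated. */` and above `rsa_sha1_not_in_trusted`: `/* EE -> ICA where the ICA is SHA-1 signed by the trusted root; must be rejected. */`. The validity windows decoded from the blobs appear to be 2021-05-03 to 2022-05-03, so only the fixed timestamps in the table keep these cases alive; a one-line note to that effect would stop someone regenerating the certificates without updating the timestamps.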
0bb701
@@ -4275,6 +4432,14 @@ static struct
0bb701
   { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
0bb701
     0, NULL, 1584352960, 1},
0bb701
   { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
0bb701
+  { "rsa-sha1 in trusted - ok",
0bb701
+    rsa_sha1_in_trusted, rsa_sha1_in_trusted_ca,
0bb701
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
0bb701
+    0, NULL, 1620052390, 1},
0bb701
+  { "rsa-sha1 not in trusted - not ok",
0bb701
+    rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
0bb701
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
0bb701
+    GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
0bb701
   { NULL, NULL, NULL, 0, 0}
0bb701
 };
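Review bot: The two new entries only pin the hash dimension of the change; nothing asserts that the `trusted` relaxation leaves the key-size requirements of the profile in force for the anchor, which is the property that keeps this from becoming a general bypass. A third entry using a trust anchor whose key falls below the chosen profile's minimum, expecting `GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID`, would lock that in; this needs another generated anchor, since raising the profile on the existing fixtures would presumably fail on the EE's key first and not isolate the anchor check. A companion entry with `0` flags, like the "superseding - ok" case above, would also show the transition scenario works under the system-wide default rather than only under `GNUTLS_PROFILE_MEDIUM`.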
0bb701
 
-- 
2.31.1