c8a18e
From c2409e479df41620bceac314c76cabb1d35a4075 Mon Sep 17 00:00:00 2001
c8a18e
From: Daiki Ueno <ueno@gnu.org>
c8a18e
Date: Mon, 3 May 2021 16:35:43 +0200
c8a18e
Subject: [PATCH] x509/verify: treat SHA-1 signed CA in the trusted set
c8a18e
 differently
c8a18e
MIME-Version: 1.0
c8a18e
Content-Type: text/plain; charset=UTF-8
c8a18e
Content-Transfer-Encoding: 8bit
c8a18e
c8a18e
Suppose there is a certificate chain ending with an intermediate CA:
c8a18e
EE → ICA1 → ICA2.  If the system trust store contains a root CA
c8a18e
generated with the same key as ICA2 but signed with a prohibited
c8a18e
algorithm, such as SHA-1, the library previously reported a
c8a18e
verification failure, though the situation is not uncommon during a
c8a18e
transition period of root CA.
c8a18e
c8a18e
This changes the library behavior such that the check on signature
c8a18e
algorithm will be skipped when examining the trusted root CA.
c8a18e
c8a18e
Signed-off-by: Daiki Ueno <ueno@gnu.org>
c8a18e
---
c8a18e
 lib/x509/verify.c   |  26 ++++---
c8a18e
 tests/test-chains.h | 165 ++++++++++++++++++++++++++++++++++++++++++++
c8a18e
 2 files changed, 182 insertions(+), 9 deletions(-)
c8a18e
c8a18e
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
c8a18e
index fd7c6a164..a50b5ea44 100644
c8a18e
--- a/lib/x509/verify.c
c8a18e
+++ b/lib/x509/verify.c
c8a18e
@@ -415,14 +415,19 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
c8a18e
 #define CASE_SEC_PARAM(profile, level) \
c8a18e
 	case profile: \
c8a18e
 		sym_bits = gnutls_sec_param_to_symmetric_bits(level); \
c8a18e
-		hash = gnutls_sign_get_hash_algorithm(sigalg); \
c8a18e
-		entry = mac_to_entry(hash); \
c8a18e
-		if (hash <= 0 || entry == NULL) { \
c8a18e
+		se = _gnutls_sign_to_entry(sigalg); \
c8a18e
+		if (unlikely(se == NULL)) { \
c8a18e
+			_gnutls_cert_log("cert", crt); \
c8a18e
+			_gnutls_debug_log(#level": certificate's signature algorithm is unknown\n"); \
c8a18e
+			return gnutls_assert_val(0); \
c8a18e
+		} \
c8a18e
+		if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) {	\
c8a18e
 			_gnutls_cert_log("cert", crt); \
c8a18e
 			_gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
c8a18e
 			return gnutls_assert_val(0); \
c8a18e
 		} \
c8a18e
-		if (_gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
c8a18e
+		if (!trusted && \
c8a18e
+		    _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
c8a18e
 			_gnutls_cert_log("cert", crt); \
c8a18e
 			_gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", _gnutls_sign_get_hash_strength(sigalg), sym_bits); \
c8a18e
 			return gnutls_assert_val(0); \
c8a18e
@@ -449,19 +454,22 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
c8a18e
  * @crt: a certificate
c8a18e
  * @issuer: the certificates issuer (allowed to be NULL)
c8a18e
  * @sigalg: the signature algorithm used
c8a18e
+ * @trusted: whether @crt is treated as trusted (e.g., present in the system
c8a18e
+ *           trust list); if it is true, the check on signature algorithm will
c8a18e
+ *           be skipped
c8a18e
  * @flags: the specified verification flags
c8a18e
  */
c8a18e
 static unsigned is_level_acceptable(
c8a18e
 	gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
c8a18e
-	gnutls_sign_algorithm_t sigalg, unsigned flags)
c8a18e
+	gnutls_sign_algorithm_t sigalg, bool trusted,
c8a18e
+	unsigned flags)
c8a18e
 {
c8a18e
 	gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
c8a18e
-	const mac_entry_st *entry;
c8a18e
 	int issuer_pkalg = 0, pkalg, ret;
c8a18e
 	unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
c8a18e
 	gnutls_pk_params_st params;
c8a18e
 	gnutls_sec_param_t sp;
c8a18e
-	int hash;
c8a18e
+	const gnutls_sign_entry_st *se;
c8a18e
 	gnutls_certificate_verification_profiles_t min_profile;
c8a18e
 
c8a18e
 	min_profile = _gnutls_get_system_wide_verification_profile();
c8a18e
@@ -798,7 +806,7 @@ verify_crt(gnutls_x509_crt_t cert,
c8a18e
 	}
c8a18e
 
c8a18e
 	if (sigalg >= 0 && se) {
c8a18e
-		if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
c8a18e
+		if (is_level_acceptable(cert, issuer, sigalg, false, flags) == 0) {
c8a18e
 			MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
c8a18e
 		}
c8a18e
 
c8a18e
@@ -893,7 +901,7 @@ unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
c8a18e
 
c8a18e
 	/* we explicitly allow CAs which we do not support their self-algorithms
c8a18e
 	 * to pass. */
c8a18e
-	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) {
c8a18e
+	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, true, flags)) {
c8a18e
 		status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID;
c8a18e
 	}
c8a18e
 
c8a18e
diff --git a/tests/test-chains.h b/tests/test-chains.h
c8a18e
index 9b06b85f5..64f50fabf 100644
c8a18e
--- a/tests/test-chains.h
c8a18e
+++ b/tests/test-chains.h
c8a18e
@@ -4106,6 +4106,163 @@ static const char *superseding_ca[] = {
c8a18e
 	NULL
c8a18e
 };
c8a18e
 
c8a18e
+static const char *rsa_sha1_in_trusted[] = {
c8a18e
+	"-----BEGIN CERTIFICATE-----\n"
c8a18e
+	"MIID0jCCAoqgAwIBAgIUezaBB7f4TW75oc3UV57oJvXmbBYwDQYJKoZIhvcNAQEL\n"
c8a18e
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyNzIxWhcN\n"
c8a18e
+	"MjIwNTAzMTQyNzIxWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
c8a18e
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
c8a18e
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
c8a18e
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
c8a18e
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
c8a18e
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
c8a18e
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
c8a18e
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
c8a18e
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
c8a18e
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
c8a18e
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
c8a18e
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
c8a18e
+	"AAOCATEAXs8lOV231HQerhSGEjZJz0vBuA3biKYlu3cwCTKvF6EOyYMSWOnfqqD0\n"
c8a18e
+	"eDhpo1pzGtUa2zYLHagb+sU2NSTe0sqP+PK1giUg8X8/tRtWKk1p/m76yK/3iaty\n"
c8a18e
+	"flgz+eMai4xQu2FvAJzIASFjM9R+Pgpcf/zdvkiUPv8Rdm9FieyAZnJSo9hJHLxN\n"
c8a18e
+	"x60tfC5yyswdbGGW0GbJ2kr+xMfVZvxgO/x6AXlOaUGQ+jZAu9eJwFQMDW5h5/S1\n"
c8a18e
+	"PJkIt7f7jkU33cG+BawcjhT0GzxuvDnnCG0L7/z7bR+Sw2kNKqHbHorzv91R20Oh\n"
c8a18e
+	"CIISJPkiiP+mYcglTp1d9gw09GwSkGbldb9ibfc0hKyxiImFfIiTqDbXJcpKH98o\n"
c8a18e
+	"W8hWkb20QURlY+QM5MD49znfhPKMTQ==\n"
c8a18e
+	"-----END CERTIFICATE-----\n",
c8a18e
+	"-----BEGIN CERTIFICATE-----\n"
c8a18e
+	"MIID2TCCAkGgAwIBAgIUWsb4DATcefXbo0WrBfgqVMvPGawwDQYJKoZIhvcNAQEL\n"
c8a18e
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI2\n"
c8a18e
+	"MzVaFw0yMjA1MDMxNDI2MzVaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
c8a18e
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
c8a18e
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
c8a18e
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
c8a18e
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
c8a18e
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
c8a18e
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
c8a18e
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
c8a18e
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
c8a18e
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
c8a18e
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBCwUAA4IBgQBbboeDr/rLT1tZWrdHq8FvflGm\n"
c8a18e
+	"EpxZIRU4DdDD/SUCWSPQvjBq0MvuKxs5FfJCKrDf2kS2qlZ1rO0AuWwREoDeTOEc\n"
c8a18e
+	"arjFoCry+JQ+USqS5F4gsp4XlYvli27iMp3dlnhFXEQQy7/y+gM5c9wnMi8v/LUz\n"
c8a18e
+	"AV6QHX0fkb4XeazeJ+Nq0EkjqiYxylN6mP+5LAEMBG/wGviAoviQ5tN9zdoQs/nT\n"
c8a18e
+	"3jTw3cOauuPjdcOTfo71+/MtBzhPchgNIyQo4aB40XVWsLAoruL/3CFFlTniihtd\n"
c8a18e
+	"zA2zA7JvbuuKx6BOv2IbWOUweb732ZpYbDgEcXp/6Cj/SIUGxidpEgdCJGqyqdC7\n"
c8a18e
+	"b58ujxclC6QTcicw+SX5LBox8WGLfj+x+V3uVBz9+EK608xphTj4kLh9peII9v3n\n"
c8a18e
+	"vBUoZRTiUTCvH4AJJgAfa3mYrSxzueuqBOwXcvZ+8OJ0J1CP21pmK5nxR7f1nm9Q\n"
c8a18e
+	"sYA1VHfC2dtyAYlByeF5iHl5hFR6vy1jJyzxg2M=\n"
c8a18e
+	"-----END CERTIFICATE-----\n",
c8a18e
+	NULL
c8a18e
+};
c8a18e
+
c8a18e
+static const char *rsa_sha1_in_trusted_ca[] = {
c8a18e
+	/* This CA is generated with the same key as rsa_sha1_in_trusted[1], but
c8a18e
+	 * self-signed using SHA-1.
c8a18e
+	 */
c8a18e
+	"-----BEGIN CERTIFICATE-----\n"
c8a18e
+	"MIIDYzCCAhugAwIBAgIUahO8CvYPHTAltKCC2rAIcXUiLlAwDQYJKoZIhvcNAQEF\n"
c8a18e
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyMDM1WhcN\n"
c8a18e
+	"MjIwNTAzMTQyMDM1WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCCAVIwDQYJ\n"
c8a18e
+	"KoZIhvcNAQEBBQADggE/ADCCAToCggExAJzkQrF9bp5f/38tnddOeF3biIP9wqlQ\n"
c8a18e
+	"Wk9x3GuuUhKA8IdCoj7UKDoGS3SmNnKGxrP6I2LTo3LNCp5T2HZrYxIelhIbiVPe\n"
c8a18e
+	"b+E0HQuDizIhOeniBqtudoWQGx6Ey/OENeA8UFhrs0CvN9Ippe328NlnCHEUPLxR\n"
c8a18e
+	"rPEs318Ot/jCOhauojAECKj9PFsxpkUcy+cLwoj4QlZKz5sG16AAbm+gALGMFjyQ\n"
c8a18e
+	"fdTPf5ceYBR+ZPf4j34t7NioNxfDDnKaahWI8Q0p7H4s+njIdfm2FSAKN+u7xlWB\n"
c8a18e
+	"4oFzBGQthXs5cCB2mc6RKBZWN2uyxSdNMq40PddK/FBPghDE2MxONA9KJQjKOxQP\n"
c8a18e
+	"UQo3jt21CKGGiHVU1BlhBh1knqMRnovRpJurvgEo/H/otI8XQ9ql7HsCAwEAAaND\n"
c8a18e
+	"MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQe\n"
c8a18e
+	"dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQUFAAOCATEAYLm/4DfUp+mA\n"
c8a18e
+	"S/23a2bwybJoPCMzKZpi+veXkqoq/a/BCUkFpqnjpVjz0ujVKK121oeOPBAa/mG1\n"
c8a18e
+	"Y3fJYP+b3PloL/6xj/8680TveGirCr0Rp/8XWa8lt+Ge8DM3mfTGWFTWHa0lD9VK\n"
c8a18e
+	"gjV1oNZNLe5SKA6dJLAp/NjCxc/vuOkThQPeaoO5Iy/Z6m7CpTLO7T4syJFtDmSn\n"
c8a18e
+	"Pa/yFUDTgJYFlGVM+KC1r8bhZ6Ao1CAXTcT5Lcbe/aCcyk6B3J2AnYsqPMVNEVhb\n"
c8a18e
+	"9eMGO/WG24hMLy6eb1r/yL8uQ/uGi2rRlNJN8GTg09YR7l5fHrHxuHc/sme0jsnJ\n"
c8a18e
+	"wtqGLCJsrh7Ae1fKVUueO00Yx9BGuzLswMvnT5f0oYs0jrXgMrTbIWS/DjOcYIHb\n"
c8a18e
+	"w3SV1ZRcNg==\n"
c8a18e
+	"-----END CERTIFICATE-----\n",
c8a18e
+	NULL
c8a18e
+};
c8a18e
+
c8a18e
+static const char *rsa_sha1_not_in_trusted[] = {
c8a18e
+	"-----BEGIN CERTIFICATE-----\n"
c8a18e
+	"MIID0jCCAoqgAwIBAgIUNCvPV9OvyuVMtnkC3ZAvh959h4MwDQYJKoZIhvcNAQEL\n"
c8a18e
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTA0MDg0NzAzWhcN\n"
c8a18e
+	"MjIwNTA0MDg0NzAzWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
c8a18e
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
c8a18e
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
c8a18e
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
c8a18e
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
c8a18e
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
c8a18e
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
c8a18e
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
c8a18e
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
c8a18e
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
c8a18e
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
c8a18e
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
c8a18e
+	"AAOCATEAWs/Qa1Ebydwo4Ke2KEdy5cUTSZjnoz93XpbrP9W60MJ4d2DIQPcYUcLF\n"
c8a18e
+	"+glez+mRtVXDRtH5V/4yZX1EdgrPVQGeVlO5HbNiYyYw/Yj3H6kzWtUbBxdOAOE/\n"
c8a18e
+	"/ul8RCKKMfvYBHCBgjBMW0aFm31Q1Z8m8nanBusyJ0DG1scBHu4/3vTCZthZAxc5\n"
c8a18e
+	"3l3t/jjsNRS+k5t6Ay8nEY1tAZSGVqN8qufzO2NBO06sQagp09FTfDh581OBcVtF\n"
c8a18e
+	"X7O0cffAWHk3JoywzEWFEAhVPqFlk07wG2O+k+fYZfavsJko5q+yWkxu8RDh4wAx\n"
c8a18e
+	"7UzKudGOQ+NhfYJ7N7V1/RFg1z75gE3GTUX7qmGZEVDOsMyiuUeYg8znyYpBV55Q\n"
c8a18e
+	"4BNr0ukwmwOdvUf+ksCu6PdOGaqThA==\n"
c8a18e
+	"-----END CERTIFICATE-----\n",
c8a18e
+	/* ICA with SHA1 signature */
c8a18e
+	"-----BEGIN CERTIFICATE-----\n"
c8a18e
+	"MIID2TCCAkGgAwIBAgIUYaKJkQft87M1TF+Jd30py3yIq4swDQYJKoZIhvcNAQEF\n"
c8a18e
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDQwODQ1\n"
c8a18e
+	"NDdaFw0yMjA1MDQwODQ1NDdaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
c8a18e
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
c8a18e
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
c8a18e
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
c8a18e
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
c8a18e
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
c8a18e
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
c8a18e
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
c8a18e
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
c8a18e
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
c8a18e
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBBQUAA4IBgQAewBcAGUGX28I5PDtuJkxoHonD\n"
c8a18e
+	"muHdXpYnrz1YXN4b7odNXockz++Xovgj126fo+PeWgmaaCic98ZcGnyVTi9+3oqN\n"
c8a18e
+	"2Bf4NNfyzSccgZZTphzbwjMcnc983HLQgsLSAOVivPHj5GEN58EWWamc9yA0VjGn\n"
c8a18e
+	"cuYmFN2dlFA8/ClEbVGu3UXBe6OljR5zUr+6oiSp2J+Rl7SerVSHlst07iU2tkeB\n"
c8a18e
+	"dlfOD5CquUGSka3SKvEfvu5SwYrCQVfYB6eMLInm7A0/ca0Jn3Oh4fMf2rIg/E3K\n"
c8a18e
+	"qsopxsu8BXrLoGK4MxbxPA65JpczhZgilQQi3e3RIvxrvyD2qamjaNbyG5cr8mW4\n"
c8a18e
+	"VOLf3vUORbkTi5sE7uRMu2B3z3N7ajsuQM8RHB17hOCB2FO/8rermq/oeJNtx57L\n"
c8a18e
+	"5s5NxCHYTksQ4gkpR4gfTIO/zwXJSwGa/Zi2y2wIi/1qr7lppBsKV2rDWX7QiIeA\n"
c8a18e
+	"PxOxyJA2eSeqCorz9vk3aHXleSpxsWGgKiJVmV0=\n"
c8a18e
+	"-----END CERTIFICATE-----\n",
c8a18e
+	NULL
c8a18e
+};
c8a18e
+
c8a18e
+static const char *rsa_sha1_not_in_trusted_ca[] = {
c8a18e
+	"-----BEGIN CERTIFICATE-----\n"
c8a18e
+	"MIIEDTCCAnWgAwIBAgIUd5X8NZput+aNPEd9h92r4KAu16MwDQYJKoZIhvcNAQEL\n"
c8a18e
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI1\n"
c8a18e
+	"MDNaFw0yMjA1MDMxNDI1MDNaMB4xHDAaBgNVBAMTE0dudVRMUyB0ZXN0IHJvb3Qg\n"
c8a18e
+	"Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCsFAaMb/iRN+OFqQNh\n"
c8a18e
+	"OkkXGZlb+eLerLuB9ELnYwyLIh4MTXh0RjFZdCQLsQHfY/YFv0C50rmoXTA/d3Ef\n"
c8a18e
+	"K/P243KjX0XBWjO9TBuN0zth50eq94zf69yxA/a+kmT+O5YLfhi2ELM5F3IjOUoZ\n"
c8a18e
+	"lL0IGlFJwauAkaNylp/Evd5nW7g5DUJvMm4A3RXNfZt9gAD4lPRwryQq9jxT48Xu\n"
c8a18e
+	"fB0kAPEG/l/Izbz2rYin5+nySL+a0CSNuEbITxidtMhveB747oR0QS2sMQKji1ur\n"
c8a18e
+	"pRJ945SHiYJIgVuFAJc9StikSyIrxZgK45kAzcQAyRWWKiMNH5PprGFYJp+ypwhm\n"
c8a18e
+	"1t8Bphj2RFJAG3XRRZF/9uJIYc5mEHCsZFZ/IFRaKqyN30kAUijgNt+lW5mZXVFU\n"
c8a18e
+	"aqzV2zHjSG8jsGdia3cfBP46Z1q2eAh5jOCucTq1F7qZdVhOFmP9jFE6Uy5Kbwgc\n"
c8a18e
+	"kNAnsEllQeJQL2odVa7woKkZZ4M/c72X5tpBU38Rs3krn3sCAwEAAaNDMEEwDwYD\n"
c8a18e
+	"VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKVNENacW\n"
c8a18e
+	"S/gFtxnLcrD1sZfknzANBgkqhkiG9w0BAQsFAAOCAYEAaZMV71mZ9FYoVdpho61h\n"
c8a18e
+	"WWPs5GppQLJ1w70DNtGZ+lFrk/KopeDvOu1i61QLWRzcZCZMl+npiX1KH5kjVo3v\n"
c8a18e
+	"C9G8kdMW6EVRk5p6qCJMPFN2U+grMMp50aY5kmw+/v+Lhk5T/VG93l63P91FkUre\n"
c8a18e
+	"o8qhOudJExoUnR1uB9M6HMAxVn8Lm/N1LGPiP6A6Pboo716H7mg/A7pv9zoZ6jUp\n"
c8a18e
+	"7x693mA/b3I/QpDx/nJcmcdqxgEuW+aRlFXgnYZRFAawxi+5M9EwCWbkSTO4OMHP\n"
c8a18e
+	"Qlvak3tJO+wb92b0cICOOtzIPgQ+caiLg9d0FvesALmQzDmNmtqynoO85+Ia2Ywh\n"
c8a18e
+	"nxKPlpeImhLN9nGl9sOeW2m4mnA5r0h1vgML4v/MWL4TQhXallc31uFNj5HyFaTh\n"
c8a18e
+	"6Mr0g3GeQgN0jpT+aIOiKuW9fLts54+Ntj1NN40slqi3Y+/Yd6xhj+NgmbRvybZu\n"
c8a18e
+	"tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
c8a18e
+	"-----END CERTIFICATE-----\n",
c8a18e
+	NULL
c8a18e
+};
c8a18e
+
c8a18e
 #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
c8a18e
 #  pragma GCC diagnostic push
c8a18e
 #  pragma GCC diagnostic ignored "-Wunused-variable"
c8a18e
@@ -4275,6 +4432,14 @@ static struct
c8a18e
   { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
c8a18e
     0, NULL, 1584352960, 1},
c8a18e
   { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
c8a18e
+  { "rsa-sha1 in trusted - ok",
c8a18e
+    rsa_sha1_in_trusted, rsa_sha1_in_trusted_ca,
c8a18e
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
c8a18e
+    0, NULL, 1620052390, 1},
c8a18e
+  { "rsa-sha1 not in trusted - not ok",
c8a18e
+    rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
c8a18e
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
c8a18e
+    GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
c8a18e
   { NULL, NULL, NULL, 0, 0}
c8a18e
 };
c8a18e
 
c8a18e
-- 
c8a18e
2.31.1
c8a18e