false, false, NULL, NULL,
0, 0,
};
- /* Key usage:dig-sig:not-critical */
- static struct testTLSCertReq cacert5req = {
- NULL, NULL, "cacert5.pem", "UK",
- "libvirt CA 5", NULL, NULL, NULL, NULL,
- true, true, true,
- true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
- false, false, NULL, NULL,
- 0, 0,
- };
DO_CTX_TEST(true, cacert1req, servercertreq, false);
DO_CTX_TEST(true, cacert2req, servercertreq, false);
DO_CTX_TEST(true, cacert3req, servercertreq, false);
# endif
DO_CTX_TEST(true, cacert4req, servercertreq, false);
- DO_CTX_TEST(true, cacert5req, servercertreq, false);
/* Now some bad certs */
+ /* Key usage:dig-sig:not-critical */
+ static struct testTLSCertReq cacert5req = {
+ NULL, NULL, "cacert5.pem", "UK",
+ "libvirt CA 5", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+ false, false, NULL, NULL,
+ 0, 0,
+ };
/* no-basic */
static struct testTLSCertReq cacert6req = {
NULL, NULL, "cacert6.pem", "UK",
0, 0,
};
+ /* Technically a CA cert with basic constraints
+ * key purpose == key signing + non-critical should
+ * be rejected. GNUTLS < 3 does not reject it and
+ * we don't anticipate them changing this behaviour
+ */
+ DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
DO_CTX_TEST(true, cacert6req, servercertreq, true);
DO_CTX_TEST(true, cacert7req, servercertreq, true);
projects / libvirt.git / commitdiff