summaryrefslogtreecommitdiffstats
path: root/debian/patches/50_Fix-removal-of-duplicate-certs-during-verification.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/50_Fix-removal-of-duplicate-certs-during-verification.patch')
-rw-r--r--debian/patches/50_Fix-removal-of-duplicate-certs-during-verification.patch455
1 files changed, 455 insertions, 0 deletions
diff --git a/debian/patches/50_Fix-removal-of-duplicate-certs-during-verification.patch b/debian/patches/50_Fix-removal-of-duplicate-certs-during-verification.patch
new file mode 100644
index 0000000..d8250cf
--- /dev/null
+++ b/debian/patches/50_Fix-removal-of-duplicate-certs-during-verification.patch
@@ -0,0 +1,455 @@
+From e89378d5853d9bd0136b95aade37e23762ad9290 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Mon, 17 Oct 2022 15:27:37 +0200
+Subject: [PATCH] Fix removal of duplicate certs during verification
+
+Co-authored-by: Daiki Ueno <ueno@gnu.org>
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ .gitignore | 1 +
+ lib/x509/verify-high.c | 101 ++++---------------
+ tests/Makefile.am | 2 +-
+ tests/x509-verify-duplicate.c | 181 ++++++++++++++++++++++++++++++++++
+ 4 files changed, 203 insertions(+), 82 deletions(-)
+ create mode 100644 tests/x509-verify-duplicate.c
+
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 3b9a1011d0..0c46881398 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -31,14 +31,16 @@
+ #include <datum.h>
+ #include <hash-pjw-bare.h>
+ #include "x509_int.h"
+ #include <common.h>
+ #include <gnutls/x509-ext.h>
+ #include "verify-high.h"
+ #include "intprops.h"
++#include "gl_linkedhash_list.h"
++#include "gl_list.h"
+
+ struct named_cert_st {
+ gnutls_x509_crt_t cert;
+ uint8_t name[MAX_SERVER_NAME_SIZE];
+ unsigned int name_size;
+ };
+
+@@ -64,90 +66,27 @@ struct gnutls_x509_trust_list_iter {
+ unsigned int pkcs11_index;
+ unsigned int pkcs11_size;
+ #endif
+ };
+
+ #define DEFAULT_SIZE 127
+
+-struct cert_set_node_st {
+- gnutls_x509_crt_t *certs;
+- unsigned int size;
+-};
+-
+-struct cert_set_st {
+- struct cert_set_node_st *node;
+- unsigned int size;
+-};
+-
+-static int
+-cert_set_init(struct cert_set_st *set, unsigned int size)
+-{
+- memset(set, 0, sizeof(*set));
+-
+- set->size = size;
+- set->node = gnutls_calloc(size, sizeof(*set->node));
+- if (!set->node) {
+- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+- }
+-
+- return 0;
+-}
+-
+-static void
+-cert_set_deinit(struct cert_set_st *set)
+-{
+- size_t i;
+-
+- for (i = 0; i < set->size; i++) {
+- gnutls_free(set->node[i].certs);
+- }
+-
+- gnutls_free(set->node);
+-}
+-
+ static bool
+-cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++cert_eq(const void *cert1, const void *cert2)
+ {
+- size_t hash, i;
+-
+- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+- hash %= set->size;
+-
+- for (i = 0; i < set->node[hash].size; i++) {
+- if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
+- return true;
+- }
+- }
+-
+- return false;
++ const gnutls_x509_crt_t c1 = (const gnutls_x509_crt_t)cert1;
++ const gnutls_x509_crt_t c2 = (const gnutls_x509_crt_t)cert2;
++ return gnutls_x509_crt_equals(c1, c2);
+ }
+
+-static int
+-cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++static size_t
++cert_hashcode(const void *cert)
+ {
+- size_t hash;
+-
+- hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+- hash %= set->size;
+-
+- if (unlikely(INT_ADD_OVERFLOW(set->node[hash].size, 1))) {
+- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+- }
+-
+- set->node[hash].certs =
+- _gnutls_reallocarray_fast(set->node[hash].certs,
+- set->node[hash].size + 1,
+- sizeof(*set->node[hash].certs));
+- if (!set->node[hash].certs) {
+- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+- }
+- set->node[hash].certs[set->node[hash].size] = cert;
+- set->node[hash].size++;
+-
+- return 0;
++ const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert;
++ return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH;
+ }
+
+ /**
+ * gnutls_x509_trust_list_init:
+ * @list: A pointer to the type to be initialized
+ * @size: The size of the internal hash table. Use (0) for default size.
+ *
+@@ -1422,15 +1361,15 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
+ unsigned int retrieved_size = 0;
+ const char *hostname = NULL, *purpose = NULL, *email = NULL;
+ unsigned hostname_size = 0;
+ unsigned have_set_name = 0;
+ unsigned saved_output;
+ gnutls_datum_t ip = {NULL, 0};
+- struct cert_set_st cert_set = { NULL, 0 };
++ gl_list_t records;
+
+ if (cert_list == NULL || cert_list_size < 1)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ for (i=0;i<elements;i++) {
+ if (data[i].type == GNUTLS_DT_DNS_HOSTNAME) {
+ hostname = (void*)data[i].data;
+@@ -1471,34 +1410,33 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ return 0;
+ }
+ }
+
+ memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+ cert_list = sorted;
+
+- ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+- if (ret < 0) {
+- return ret;
+- }
++ records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
++ if (records == NULL)
++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ for (i = 0; i < cert_list_size &&
+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
+ unsigned int sorted_size = 1;
+ unsigned int j;
+ gnutls_x509_crt_t issuer;
+
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
+ sorted_size = _gnutls_sort_clist(&cert_list[i],
+ cert_list_size - i);
+ }
+
+ /* Remove duplicates. Start with index 1, as the first element
+ * may be re-checked after issuer retrieval. */
+- for (j = 1; j < sorted_size; j++) {
+- if (cert_set_contains(&cert_set, cert_list[i + j])) {
++ for (j = 0; j < sorted_size; j++) {
++ if (gl_list_search(records, cert_list[i + j])) {
+ if (i + j < cert_list_size - 1) {
+ memmove(&cert_list[i + j],
+ &cert_list[i + j + 1],
+ sizeof(cert_list[i]));
+ }
+ cert_list_size--;
+ break;
+@@ -1507,16 +1445,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ /* Found a duplicate, try again with the same index. */
+ if (j < sorted_size) {
+ continue;
+ }
+
+ /* Record the certificates seen. */
+ for (j = 0; j < sorted_size; j++, i++) {
+- ret = cert_set_add(&cert_set, cert_list[i]);
+- if (ret < 0) {
++ if (!gl_list_nx_add_last(records, cert_list[i])) {
++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto cleanup;
+ }
+ }
+
+ /* If the issuer of the certificate is known, no need
+ * for further processing. */
+ if (gnutls_x509_trust_list_get_issuer(list,
+@@ -1555,14 +1493,15 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ &retrieved[retrieved_size],
+ ret * sizeof(gnutls_x509_crt_t));
+ retrieved_size += ret;
+ cert_list_size += ret;
+
+ /* Start again from the end of the previous segment. */
+ i--;
++ gl_list_remove(records, cert_list[i]);
+ }
+ }
+
+ cert_list_size = shorten_clist(list, cert_list, cert_list_size);
+ if (cert_list_size <= 0)
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+@@ -1714,15 +1653,15 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ }
+ }
+
+ cleanup:
+ for (i = 0; i < retrieved_size; i++) {
+ gnutls_x509_crt_deinit(retrieved[i]);
+ }
+- cert_set_deinit(&cert_set);
++ gl_list_free(records);
+ return ret;
+ }
+
+ /**
+ * gnutls_x509_trust_list_verify_named_crt:
+ * @list: The list
+ * @cert: is the certificate to be verified
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 9d89a8282a..b6c3536a92 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -175,15 +175,15 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ mini-record mini-dtls-record handshake-timeout mini-record-range \
+ cert-status fips-mode-pthread rsa-psk global-init sec-params sign-verify-data \
+ fips-test fips-override-test mini-global-load name-constraints x509-extensions \
+ long-session-id mini-x509-callbacks-intr mini-dtls-lowmtu set_x509_key_file-late \
+ crlverify mini-dtls-discard mini-record-failure openconnect-dtls12 \
+ tls12-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
+ tls12-rehandshake-cert-auto tls12-rehandshake-set-prio \
+- mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
++ mini-chain-unsorted x509-verify-duplicate x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
+ mini-dtls-record-asym key-import-export priority-set priority-set2 \
+ pubkey-import-export sign-is-secure spki spki-abstract rsa-rsa-pss \
+ mini-dtls-fork dtls-pthread mini-key-material x509cert-invalid \
+ tls-ext-register tls-supplemental mini-dtls0-9 duplicate-extensions \
+ record-retvals mini-server-name tls-etm tls-force-etm x509-cert-callback alerts \
+ client-sign-md5-rep tls12-invalid-key-exchanges session-rdn-read \
+ tls13-cert-key-exchange x509-cert-callback-ocsp gnutls_ocsp_resp_list_import2 \
+diff --git a/tests/x509-verify-duplicate.c b/tests/x509-verify-duplicate.c
+new file mode 100644
+index 0000000000..f47a8b2d81
+--- /dev/null
++++ b/tests/x509-verify-duplicate.c
+@@ -0,0 +1,181 @@
++/*
++ * Copyright (C) 2022 Red Hat, Inc.
++ *
++ * Author: Zoltan Fridrich
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <gnutls/x509.h>
++
++#include "utils.h"
++
++#define CHECK(X)\
++{\
++ r = X;\
++ if (r < 0)\
++ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
++}\
++
++static char cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
++ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
++ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
++ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
++ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
++ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
++ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
++ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
++ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
++ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
++ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
++ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
++ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
++ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
++ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
++ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
++ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
++ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
++ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
++ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
++ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
++ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
++ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
++ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
++ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
++ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
++ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
++ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
++ "-----END CERTIFICATE-----\n"
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
++ "MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
++ "EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
++ "DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
++ "AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
++ "3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
++ "GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
++ "ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
++ "8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
++ "XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
++ "HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
++ "FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
++ "5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
++ "by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
++ "JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
++ "RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
++ "Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
++ "AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
++ "RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
++ "TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
++ "+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
++ "bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
++ "DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
++ "dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
++ "/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
++ "SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
++ "QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
++ "k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
++ "-----END CERTIFICATE-----\n"
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n"
++ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
++ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n"
++ "WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n"
++ "RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
++ "AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n"
++ "R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n"
++ "sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n"
++ "NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n"
++ "Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n"
++ "/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n"
++ "AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n"
++ "Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n"
++ "FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n"
++ "AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n"
++ "Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n"
++ "gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n"
++ "PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n"
++ "ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n"
++ "CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n"
++ "lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n"
++ "avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n"
++ "yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n"
++ "yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n"
++ "hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n"
++ "HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n"
++ "MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
++ "nLRbwHOoq7hHwg==\n"
++ "-----END CERTIFICATE-----\n"
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n"
++ "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
++ "DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n"
++ "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
++ "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n"
++ "AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n"
++ "ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n"
++ "wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n"
++ "LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n"
++ "4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n"
++ "bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n"
++ "sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n"
++ "Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n"
++ "FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n"
++ "SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n"
++ "PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n"
++ "TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
++ "SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n"
++ "c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n"
++ "+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n"
++ "ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n"
++ "b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n"
++ "U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n"
++ "MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n"
++ "5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n"
++ "9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n"
++ "WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n"
++ "he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n"
++ "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n"
++ "-----END CERTIFICATE-----\n";
++
++void doit(void)
++{
++ int r;
++ unsigned i, certs_size, out;
++ unsigned flags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
++ gnutls_x509_trust_list_t tl;
++ gnutls_x509_crt_t *certs = NULL;
++ gnutls_datum_t cert = { (unsigned char *)cert_pem, sizeof(cert_pem) - 1 };
++
++ CHECK(gnutls_x509_crt_list_import2(&certs, &certs_size, &cert, GNUTLS_X509_FMT_PEM, 0));
++ CHECK(gnutls_x509_trust_list_init(&tl, 0));
++ CHECK(gnutls_x509_trust_list_add_cas(tl, certs + certs_size - 1, 1, 0));
++ CHECK(gnutls_x509_trust_list_verify_crt(tl, certs, certs_size, flags, &out, NULL));
++
++ if (out)
++ fail("Not verified\n");
++
++ gnutls_x509_trust_list_deinit(tl, 0);
++ for (i = 0; i < certs_size; ++i)
++ gnutls_x509_crt_deinit(certs[i]);
++ gnutls_free(certs);
++}
+--
+2.35.1
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 04:00:34 +0000