From e89378d5853d9bd0136b95aade37e23762ad9290 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Mon, 17 Oct 2022 15:27:37 +0200
Subject: [PATCH] Fix removal of duplicate certs during verification

Co-authored-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 .gitignore                    |   1 +
 lib/x509/verify-high.c        | 101 ++++---------------
 tests/Makefile.am             |   2 +-
 tests/x509-verify-duplicate.c | 181 ++++++++++++++++++++++++++++++++++
 4 files changed, 203 insertions(+), 82 deletions(-)
 create mode 100644 tests/x509-verify-duplicate.c

diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 3b9a1011d0..0c46881398 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -31,14 +31,16 @@
 #include <datum.h>
 #include <hash-pjw-bare.h>
 #include "x509_int.h"
 #include <common.h>
 #include <gnutls/x509-ext.h>
 #include "verify-high.h"
 #include "intprops.h"
+#include "gl_linkedhash_list.h"
+#include "gl_list.h"
 
 struct named_cert_st {
 	gnutls_x509_crt_t cert;
 	uint8_t name[MAX_SERVER_NAME_SIZE];
 	unsigned int name_size;
 };
 
@@ -64,90 +66,27 @@ struct gnutls_x509_trust_list_iter {
 	unsigned int pkcs11_index;
 	unsigned int pkcs11_size;
 #endif
 };
 
 #define DEFAULT_SIZE 127
 
-struct cert_set_node_st {
-	gnutls_x509_crt_t *certs;
-	unsigned int size;
-};
-
-struct cert_set_st {
-	struct cert_set_node_st *node;
-	unsigned int size;
-};
-
-static int
-cert_set_init(struct cert_set_st *set, unsigned int size)
-{
-	memset(set, 0, sizeof(*set));
-
-	set->size = size;
-	set->node = gnutls_calloc(size, sizeof(*set->node));
-	if (!set->node) {
-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-	}
-
-	return 0;
-}
-
-static void
-cert_set_deinit(struct cert_set_st *set)
-{
-	size_t i;
-
-	for (i = 0; i < set->size; i++) {
-		gnutls_free(set->node[i].certs);
-	}
-
-	gnutls_free(set->node);
-}
-
 static bool
-cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+cert_eq(const void *cert1, const void *cert2)
 {
-	size_t hash, i;
-
-	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
-	hash %= set->size;
-
-	for (i = 0; i < set->node[hash].size; i++) {
-		if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
-			return true;
-		}
-	}
-
-	return false;
+	const gnutls_x509_crt_t c1 = (const gnutls_x509_crt_t)cert1;
+	const gnutls_x509_crt_t c2 = (const gnutls_x509_crt_t)cert2;
+	return gnutls_x509_crt_equals(c1, c2);
 }
 
-static int
-cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+static size_t
+cert_hashcode(const void *cert)
 {
-	size_t hash;
-
-	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
-	hash %= set->size;
-
-	if (unlikely(INT_ADD_OVERFLOW(set->node[hash].size, 1))) {
-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-	}
-
-	set->node[hash].certs =
-		_gnutls_reallocarray_fast(set->node[hash].certs,
-					  set->node[hash].size + 1,
-					  sizeof(*set->node[hash].certs));
-	if (!set->node[hash].certs) {
-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-	}
-	set->node[hash].certs[set->node[hash].size] = cert;
-	set->node[hash].size++;
-
-	return 0;
+	const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert;
+	return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH;
 }
 
 /**
  * gnutls_x509_trust_list_init:
  * @list: A pointer to the type to be initialized
  * @size: The size of the internal hash table. Use (0) for default size.
  *
@@ -1422,15 +1361,15 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
 	unsigned int retrieved_size = 0;
 	const char *hostname = NULL, *purpose = NULL, *email = NULL;
 	unsigned hostname_size = 0;
 	unsigned have_set_name = 0;
 	unsigned saved_output;
 	gnutls_datum_t ip = {NULL, 0};
-	struct cert_set_st cert_set = { NULL, 0 };
+	gl_list_t records;
 
 	if (cert_list == NULL || cert_list_size < 1)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
 	for (i=0;i<elements;i++) {
 		if (data[i].type == GNUTLS_DT_DNS_HOSTNAME) {
 			hostname = (void*)data[i].data;
@@ -1471,34 +1410,33 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 			return 0;
 		}
 	}
 
 	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
 	cert_list = sorted;
 
-	ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
-	if (ret < 0) {
-		return ret;
-	}
+	records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
+	if (records == NULL)
+		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 
 	for (i = 0; i < cert_list_size &&
 		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
 		unsigned int sorted_size = 1;
 		unsigned int j;
 		gnutls_x509_crt_t issuer;
 
 		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
 			sorted_size = _gnutls_sort_clist(&cert_list[i],
 							 cert_list_size - i);
 		}
 
 		/* Remove duplicates. Start with index 1, as the first element
 		 * may be re-checked after issuer retrieval. */
-		for (j = 1; j < sorted_size; j++) {
-			if (cert_set_contains(&cert_set, cert_list[i + j])) {
+		for (j = 0; j < sorted_size; j++) {
+			if (gl_list_search(records, cert_list[i + j])) {
 				if (i + j < cert_list_size - 1) {
 					memmove(&cert_list[i + j],
 						&cert_list[i + j + 1],
 						sizeof(cert_list[i]));
 				}
 				cert_list_size--;
 				break;
@@ -1507,16 +1445,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		/* Found a duplicate, try again with the same index. */
 		if (j < sorted_size) {
 			continue;
 		}
 
 		/* Record the certificates seen. */
 		for (j = 0; j < sorted_size; j++, i++) {
-			ret = cert_set_add(&cert_set, cert_list[i]);
-			if (ret < 0) {
+			if (!gl_list_nx_add_last(records, cert_list[i])) {
+				ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 				goto cleanup;
 			}
 		}
 
 		/* If the issuer of the certificate is known, no need
 		 * for further processing. */
 		if (gnutls_x509_trust_list_get_issuer(list,
@@ -1555,14 +1493,15 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 			       &retrieved[retrieved_size],
 			       ret * sizeof(gnutls_x509_crt_t));
 			retrieved_size += ret;
 			cert_list_size += ret;
 
 			/* Start again from the end of the previous segment. */
 			i--;
+			gl_list_remove(records, cert_list[i]);
 		}
 	}
 
 	cert_list_size = shorten_clist(list, cert_list, cert_list_size);
 	if (cert_list_size <= 0)
 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
 
@@ -1714,15 +1653,15 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		}
 	}
 
  cleanup:
 	for (i = 0; i < retrieved_size; i++) {
 		gnutls_x509_crt_deinit(retrieved[i]);
 	}
-	cert_set_deinit(&cert_set);
+	gl_list_free(records);
 	return ret;
 }
 
 /**
  * gnutls_x509_trust_list_verify_named_crt:
  * @list: The list
  * @cert: is the certificate to be verified
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9d89a8282a..b6c3536a92 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -175,15 +175,15 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
 	 mini-record mini-dtls-record handshake-timeout mini-record-range \
 	 cert-status fips-mode-pthread rsa-psk global-init sec-params sign-verify-data \
 	 fips-test fips-override-test mini-global-load name-constraints x509-extensions \
 	 long-session-id mini-x509-callbacks-intr mini-dtls-lowmtu set_x509_key_file-late \
 	 crlverify mini-dtls-discard mini-record-failure openconnect-dtls12 \
 	 tls12-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
 	 tls12-rehandshake-cert-auto tls12-rehandshake-set-prio \
-	 mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
+	 mini-chain-unsorted x509-verify-duplicate x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
 	 mini-dtls-record-asym key-import-export priority-set priority-set2 \
 	 pubkey-import-export sign-is-secure spki spki-abstract rsa-rsa-pss \
 	 mini-dtls-fork dtls-pthread mini-key-material x509cert-invalid \
 	 tls-ext-register tls-supplemental mini-dtls0-9 duplicate-extensions \
 	 record-retvals mini-server-name tls-etm tls-force-etm x509-cert-callback alerts \
 	 client-sign-md5-rep tls12-invalid-key-exchanges session-rdn-read \
 	 tls13-cert-key-exchange x509-cert-callback-ocsp gnutls_ocsp_resp_list_import2 \
diff --git a/tests/x509-verify-duplicate.c b/tests/x509-verify-duplicate.c
new file mode 100644
index 0000000000..f47a8b2d81
--- /dev/null
+++ b/tests/x509-verify-duplicate.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2022 Red Hat, Inc.
+ *
+ * Author: Zoltan Fridrich
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <gnutls/x509.h>
+
+#include "utils.h"
+
+#define CHECK(X)\
+{\
+	r = X;\
+	if (r < 0)\
+		fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
+}\
+
+static char cert_pem[] =
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
+	"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
+	"EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
+	"DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
+	"AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
+	"3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
+	"GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
+	"ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
+	"8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
+	"XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
+	"HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
+	"FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
+	"5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
+	"by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
+	"JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
+	"RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
+	"Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
+	"AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
+	"RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
+	"TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
+	"+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
+	"bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
+	"DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
+	"dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
+	"/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
+	"SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
+	"QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
+	"k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
+	"-----END CERTIFICATE-----\n"
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
+	"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
+	"EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
+	"DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
+	"AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
+	"3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
+	"GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
+	"ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
+	"8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
+	"XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
+	"HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
+	"FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
+	"5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
+	"by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
+	"JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
+	"RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
+	"Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
+	"AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
+	"RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
+	"TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
+	"+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
+	"bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
+	"DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
+	"dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
+	"/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
+	"SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
+	"QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
+	"k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
+	"-----END CERTIFICATE-----\n"
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n"
+	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
+	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n"
+	"WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n"
+	"RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
+	"AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n"
+	"R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n"
+	"sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n"
+	"NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n"
+	"Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n"
+	"/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n"
+	"AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n"
+	"Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n"
+	"FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n"
+	"AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n"
+	"Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n"
+	"gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n"
+	"PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n"
+	"ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n"
+	"CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n"
+	"lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n"
+	"avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n"
+	"yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n"
+	"yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n"
+	"hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n"
+	"HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n"
+	"MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
+	"nLRbwHOoq7hHwg==\n"
+	"-----END CERTIFICATE-----\n"
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n"
+	"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
+	"DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n"
+	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
+	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n"
+	"AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n"
+	"ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n"
+	"wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n"
+	"LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n"
+	"4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n"
+	"bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n"
+	"sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n"
+	"Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n"
+	"FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n"
+	"SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n"
+	"PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n"
+	"TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
+	"SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n"
+	"c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n"
+	"+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n"
+	"ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n"
+	"b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n"
+	"U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n"
+	"MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n"
+	"5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n"
+	"9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n"
+	"WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n"
+	"he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n"
+	"Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n"
+	"-----END CERTIFICATE-----\n";
+
+void doit(void)
+{
+	int r;
+	unsigned i, certs_size, out;
+	unsigned flags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
+	gnutls_x509_trust_list_t tl;
+	gnutls_x509_crt_t *certs = NULL;
+	gnutls_datum_t cert = { (unsigned char *)cert_pem, sizeof(cert_pem) - 1 };
+
+	CHECK(gnutls_x509_crt_list_import2(&certs, &certs_size, &cert, GNUTLS_X509_FMT_PEM, 0));
+	CHECK(gnutls_x509_trust_list_init(&tl, 0));
+	CHECK(gnutls_x509_trust_list_add_cas(tl, certs + certs_size - 1, 1, 0));
+	CHECK(gnutls_x509_trust_list_verify_crt(tl, certs, certs_size, flags, &out, NULL));
+
+	if (out)
+		fail("Not verified\n");
+
+	gnutls_x509_trust_list_deinit(tl, 0);
+	for (i = 0; i < certs_size; ++i)
+		gnutls_x509_crt_deinit(certs[i]);
+	gnutls_free(certs);
+}
-- 
2.35.1