forked from gentoo/gentoo
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
dev-libs/xmlsec: support SHA-1 signed certificates with gnutls-3.6
Signed-off-by: Alon Bar-Lev <[email protected]> Package-Manager: Portage-2.3.62, Repoman-2.3.11 RepoMan-Options: --force
- Loading branch information
Showing
2 changed files
with
51 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
From 321e62add243cf8f024d6278da4c5ff030bae3b9 Mon Sep 17 00:00:00 2001 | ||
From: Alon Bar-Lev <[email protected]> | ||
Date: Mon, 1 Apr 2019 01:28:18 +0300 | ||
Subject: [PATCH] gnutls: allow SHA-1 signed certificate when not in strict | ||
checks (#250) (#251) | ||
|
||
This is required for gnutls-3.6.x. | ||
|
||
Allow tests to use no strict checks until all certificates will be converted | ||
to stronger signature than SHA-1. | ||
|
||
Signed-off-by: Alon Bar-Lev <[email protected]> | ||
--- | ||
src/gnutls/x509vfy.c | 3 +++ | ||
tests/testrun.sh | 2 +- | ||
2 files changed, 4 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c | ||
index a9c956a3..4c753344 100644 | ||
--- a/src/gnutls/x509vfy.c | ||
+++ b/src/gnutls/x509vfy.c | ||
@@ -295,6 +295,9 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store, | ||
if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) { | ||
flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2; | ||
flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; | ||
+#if GNUTLS_VERSION_NUMBER >= 0x030600 | ||
+ flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1; | ||
+#endif | ||
} | ||
|
||
/* We are going to build all possible cert chains and try to verify them */ | ||
diff --git a/tests/testrun.sh b/tests/testrun.sh | ||
index 02484d09..ea65802b 100755 | ||
--- a/tests/testrun.sh | ||
+++ b/tests/testrun.sh | ||
@@ -59,7 +59,7 @@ if [ "z$XMLSEC_DEFAULT_CRYPTO" != "z" ] ; then | ||
elif [ "z$crypto" != "z" ] ; then | ||
xmlsec_params="$xmlsec_params --crypto $crypto" | ||
fi | ||
-xmlsec_params="$xmlsec_params --crypto-config $crypto_config" | ||
+xmlsec_params="$xmlsec_params --X509-skip-strict-checks --crypto-config $crypto_config" | ||
|
||
# | ||
# Setup keys config | ||
-- | ||
2.21.0 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters