Skip to content

Commit

Permalink
dev-libs/xmlsec: support SHA-1 signed certificates with gnutls-3.6
Browse files Browse the repository at this point in the history
Signed-off-by: Alon Bar-Lev <[email protected]>
Package-Manager: Portage-2.3.62, Repoman-2.3.11
RepoMan-Options: --force
  • Loading branch information
alonbl committed Apr 1, 2019
1 parent a4d1092 commit 4ee1e63
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 0 deletions.
47 changes: 47 additions & 0 deletions dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From 321e62add243cf8f024d6278da4c5ff030bae3b9 Mon Sep 17 00:00:00 2001
From: Alon Bar-Lev <[email protected]>
Date: Mon, 1 Apr 2019 01:28:18 +0300
Subject: [PATCH] gnutls: allow SHA-1 signed certificate when not in strict
checks (#250) (#251)

This is required for gnutls-3.6.x.

Allow tests to use no strict checks until all certificates will be converted
to stronger signature than SHA-1.

Signed-off-by: Alon Bar-Lev <[email protected]>
---
src/gnutls/x509vfy.c | 3 +++
tests/testrun.sh | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c
index a9c956a3..4c753344 100644
--- a/src/gnutls/x509vfy.c
+++ b/src/gnutls/x509vfy.c
@@ -295,6 +295,9 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) {
flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2;
flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
+#if GNUTLS_VERSION_NUMBER >= 0x030600
+ flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
+#endif
}

/* We are going to build all possible cert chains and try to verify them */
diff --git a/tests/testrun.sh b/tests/testrun.sh
index 02484d09..ea65802b 100755
--- a/tests/testrun.sh
+++ b/tests/testrun.sh
@@ -59,7 +59,7 @@ if [ "z$XMLSEC_DEFAULT_CRYPTO" != "z" ] ; then
elif [ "z$crypto" != "z" ] ; then
xmlsec_params="$xmlsec_params --crypto $crypto"
fi
-xmlsec_params="$xmlsec_params --crypto-config $crypto_config"
+xmlsec_params="$xmlsec_params --X509-skip-strict-checks --crypto-config $crypto_config"

#
# Setup keys config
--
2.21.0

Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,10 @@ BDEPEND="virtual/pkgconfig

S="${WORKDIR}/${PN}1-${PV}"

PATCHES=(
"${FILESDIR}/${P}-gnutls.patch"
)

src_prepare() {
default
# conditionally install extra documentation
Expand Down

0 comments on commit 4ee1e63

Please sign in to comment.