From 0e3d9acafc4cc06f6ab8d62b2510a57e8df852d6 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Tue, 27 Dec 2016 16:40:02 -0500 Subject: Increase Path_Validation_Restrictions default min strength to 110 Effectively disables 1024 bit RSA as well as SHA-1. Edit the tests where required to enable it again. --- src/tests/test_name_constraint.cpp | 4 ++-- src/tests/test_x509_path.cpp | 8 +++++--- src/tests/unit_x509.cpp | 4 ++-- 3 files changed, 9 insertions(+), 7 deletions(-) (limited to 'src/tests') diff --git a/src/tests/test_name_constraint.cpp b/src/tests/test_name_constraint.cpp index 01bdfc3ef..95cb9f229 100644 --- a/src/tests/test_name_constraint.cpp +++ b/src/tests/test_name_constraint.cpp @@ -63,7 +63,7 @@ class Name_Constraint_Tests : public Test "Certificate does not pass name constraint"), }; std::vector results; - const Botan::Path_Validation_Restrictions default_restrictions; + const Botan::Path_Validation_Restrictions restrictions(false, 80); for(const auto& t: test_cases) { @@ -74,7 +74,7 @@ class Name_Constraint_Tests : public Test trusted.add_certificate(root); Botan::Path_Validation_Result path_result = Botan::x509_path_validate( - sub, default_restrictions, trusted, std::get<2>(t), Botan::Usage_Type::TLS_SERVER_AUTH); + sub, restrictions, trusted, std::get<2>(t), Botan::Usage_Type::TLS_SERVER_AUTH); if(path_result.successful_validation() && path_result.trust_root() != root) path_result = Botan::Path_Validation_Result(Botan::Certificate_Status_Code::CANNOT_ESTABLISH_TRUST); diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp index e897d3e01..ff402bfa4 100644 --- a/src/tests/test_x509_path.cpp +++ b/src/tests/test_x509_path.cpp @@ -65,7 +65,8 @@ class X509test_Path_Validation_Tests : public Test std::map expected = read_results(Test::data_file("x509test/expected.txt")); - const Botan::Path_Validation_Restrictions default_restrictions; + // Current tests use SHA-1 + const Botan::Path_Validation_Restrictions restrictions(false, 80); Botan::X509_Certificate root(Test::data_file("x509test/root.pem")); Botan::Certificate_Store_In_Memory trusted; @@ -87,7 +88,7 @@ class X509test_Path_Validation_Tests : public Test throw Test_Error("Failed to read certs from " + filename); Botan::Path_Validation_Result path_result = Botan::x509_path_validate( - certs, default_restrictions, trusted, + certs, restrictions, trusted, "www.tls.test", Botan::Usage_Type::TLS_SERVER_AUTH, validation_time); @@ -205,7 +206,8 @@ std::vector NIST_Path_Validation_Tests::run() Botan::X509_Certificate end_user(test_dir + "/end.crt"); - Botan::Path_Validation_Restrictions restrictions(true); + // 1024 bit root cert + Botan::Path_Validation_Restrictions restrictions(true, 80); Botan::Path_Validation_Result validation_result = Botan::x509_path_validate(end_user, diff --git a/src/tests/unit_x509.cpp b/src/tests/unit_x509.cpp index 26ccfedc0..28cd46db7 100644 --- a/src/tests/unit_x509.cpp +++ b/src/tests/unit_x509.cpp @@ -359,7 +359,7 @@ Test::Result test_x509_cert(const std::string& sig_algo, const std::string& hash Botan::X509_CRL crl1 = ca.new_crl(Test::rng()); /* Verify the certs */ - Botan::Path_Validation_Restrictions restrictions(false); + Botan::Path_Validation_Restrictions restrictions(false, 80); Botan::Certificate_Store_In_Memory store; // First try with an empty store @@ -558,7 +558,7 @@ Test::Result test_self_issued(const std::string& sig_algo, const std::string& ha // check that this chain can can be verified successfully Botan::Certificate_Store_In_Memory trusted(ca.ca_certificate()); - Botan::Path_Validation_Restrictions restrictions; + Botan::Path_Validation_Restrictions restrictions(false, 80); Botan::Path_Validation_Result validation_result = Botan::x509_path_validate(self_issued_cert, -- cgit v1.2.3