Commit 23c1595b authored by Daniel P. Berrangé

crypto: fix test cert generation to not use SHA1 algorithm



GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.
Unfortunately the gnutls_x509_crt_sign() method we are
using to create certificates in the test suite is fixed
to always use SHA1. We must switch to a different method
and explicitly ask for SHA256.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
parent 8c0a6dc9
+2 −1
@@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
     * If no 'ca' is set then we are self signing
     * the cert. This is done for the root CA certs
     */
    err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);
    err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,
                                GNUTLS_DIG_SHA256, 0);
    if (err < 0) {
        g_critical("Failed to sign certificate %s",
                   gnutls_strerror(err));
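Review bot: The comment above the signing call in test_tls_generate_cert() still only explains the self-signing case and does not record why the digest is now passed explicitly. Consider adding a line there noting that gnutls_x509_crt_sign() is fixed to SHA1, which GNUTLS 3.6.0 marks as untrusted for certificates, so a later cleanup does not switch back to the shorter call. The trailing 0 passed to gnutls_x509_crt_sign2() is the flags argument; a brief mention of that in the same comment would make the call site self-explanatory.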