author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-12-20 22:09:37 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-12-20 22:09:37 +0000 |
commit | 66f07a10beb3f62257d859ccad367902c93785d5 (patch) | |
tree | fb7b7f4ec3ee340e8e787b2c4447531929bae939 /tests | |
parent | ec5ecd1c63d0e09792127705b8806a0931350471 (diff) | |
parent | 09d4b8f2d79166e39df7e2edf69780b064d8aa6f (diff) | |
download | gnutls-66f07a10beb3f62257d859ccad367902c93785d5.tar.gz |
Merge branch 'tmp-check-same-certs' into 'master'
_gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements
Closes #877
See merge request gnutls/gnutls!1140
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 7 | ||||
-rw-r--r-- | tests/cert-tests/Makefile.am | 6 | ||||
-rwxr-xr-x | tests/cert-tests/certtool-verify-profiles | 78 | ||||
-rw-r--r-- | tests/cert-tests/data/chain-512-ca.pem | 45 | ||||
-rw-r--r-- | tests/cert-tests/data/chain-512-leaf.pem | 52 | ||||
-rw-r--r-- | tests/cert-tests/data/chain-512-subca.pem | 46 | ||||
-rw-r--r-- | tests/certs/rsa-512.pem | 20 | ||||
-rw-r--r-- | tests/gnutls-ids.c | 45 | ||||
-rw-r--r-- | tests/gnutls-strcodes.c | 7 | ||||
-rwxr-xr-x | tests/server-weak-keys.sh | 72 | ||||
-rw-r--r-- | tests/slow/Makefile.am | 1 | ||||
-rw-r--r-- | tests/suite/Makefile.am | 1 | ||||
-rw-r--r-- | tests/test-chains.h | 18 | ||||
-rw-r--r-- | tests/windows/Makefile.am | 7 |
14 files changed, 396 insertions, 9 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index d3ae2a5df7..74c74b93d0 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -38,7 +38,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \ certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem psk.passwd \ certs/rawpk_priv.pem certs/rawpk_pub.pem \ - certs/ed25519.pem certs/cert-ed25519.pem \ + certs/ed25519.pem certs/cert-ed25519.pem certs/rsa-512.pem \ system.prio pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c gnutls-asan.supp \ rsa-md5-collision/README safe-renegotiation/README starttls-smtp.txt starttls-ftp.txt \ starttls-lmtp.txt starttls-pop3.txt starttls-xmpp.txt starttls-nntp.txt starttls-sieve.txt \ @@ -179,7 +179,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert rfc7633-ok \ key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \ record-timeouts mini-dtls-hello-verify-48 set-default-prio \ - tls12-anon-upgrade tlsext-decoding rsa-psk-cb \ + tls12-anon-upgrade tlsext-decoding rsa-psk-cb gnutls-ids \ rehandshake-switch-cert rehandshake-switch-cert-allow rehandshake-switch-cert-client \ rehandshake-switch-cert-client-allow handshake-versions dtls-handshake-versions \ dtls-max-record tls12-max-record alpn-server-prec ocsp-filename-memleak \ 
@@ -502,7 +502,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \ psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \ sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ - serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \ + server-weak-keys.sh if !DISABLE_SYSTEM_CONFIG dist_check_SCRIPTS += system-override-sig-hash.sh system-override-versions.sh system-override-invalid.sh \ diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index e0b4b68201..76765889c6 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -98,7 +98,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \ data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \ data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem \ - data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem + data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \ + data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ 
@@ -108,7 +109,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \ smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \ key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \ - pkcs8-eddsa certtool-subca cert-non-digits-time + pkcs8-eddsa certtool-subca cert-non-digits-time certtool-verify-profiles dist_check_SCRIPTS += key-id ecdsa pkcs8-invalid key-invalid pkcs8-decode pkcs8 pkcs8-eddsa \ certtool-utf8 crq @@ -148,6 +149,7 @@ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ ac_cv_sizeof_time_t="$(ac_cv_sizeof_time_t)" \ ASAN_OPTIONS="detect_leaks=0:exitcode=6" \ GNUTLS_TEST_SUITE_RUN=1 \ + GNUTLS_SYSTEM_PRIORITY_FILE=$(srcdir)/../system.prio \ srcdir="$(srcdir)" if ENABLE_FIPS140 diff --git a/tests/cert-tests/certtool-verify-profiles b/tests/cert-tests/certtool-verify-profiles new file mode 100755 index 0000000000..a7ebd711ea --- /dev/null +++ b/tests/cert-tests/certtool-verify-profiles 
@@ -0,0 +1,78 @@ +#!/bin/sh + +# Copyright (C) 2017 Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff -b -B}" + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + +OUTFILE=out-pkcs7.$$.tmp + +. ${srcdir}/../scripts/common.sh + +check_for_datefudge + +echo "Checking chain with insecure leaf" +datefudge -s "2019-12-19" \ +${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-leaf.pem" >${OUTFILE} +rc=$? + +if test "${rc}" != "1"; then + echo "insecure chain succeeded verification (1)" + cat $OUTFILE + exit ${rc} +fi + +echo "Checking chain with insecure subca" +datefudge -s "2019-12-19" \ +${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-subca.pem" >${OUTFILE} +rc=$? 
+ +if test "${rc}" != "1"; then + echo "insecure chain succeeded verification (2)" + cat $OUTFILE + exit ${rc} +fi + + +echo "Checking chain with insecure ca" +datefudge -s "2019-12-19" \ +${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-ca.pem" >${OUTFILE} +rc=$? + +if test "${rc}" != "1"; then + echo "insecure chain succeeded verification (3)" + cat $OUTFILE + exit ${rc} +fi + + +rm -f "${OUTFILE}" + +exit 0 diff --git a/tests/cert-tests/data/chain-512-ca.pem b/tests/cert-tests/data/chain-512-ca.pem new file mode 100644 index 0000000000..57b9850fae --- /dev/null +++ b/tests/cert-tests/data/chain-512-ca.pem 
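Review bot: A chain that wrongly passes verification is reported as a passing test, because each `if test "${rc}" != "1"` branch (one on the previous line, two here) ends with `exit ${rc}`, and the rc those branches exist to catch is 0; use a fixed status, `exit 1`, in all three. Those failure paths also leave `${OUTFILE}` behind, and the name `out-pkcs7.$$.tmp` looks copied from another test; `OUTFILE=out-verify-profiles.$$.tmp` plus `rm -f "${OUTFILE}"` before each exit would tidy that. Any exit status of 1 is accepted regardless of why certtool rejected the chain, so grepping the captured output for the insecure-algorithm verification status would tie the test to the behaviour the merge adds — the exact text to match needs confirming against certtool's output.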
@@ -0,0 +1,45 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAbmgAwIBAgIUf62L1YAmuKuNR4Bnwn4FEjFDpOcwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +AUAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTEyMTgxMjUyMjZaGA85OTk5MTIzMTIz +NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwgZswEAYHKoZIzj0CAQYFK4EEACMD +gYYABAGxhmDvIvu97o66LrAU40sO9Mqh78UpxNpdsDD8tD0aDhOivP2WK/9LqSBJ +uaIIzY4pQyNAHdp8WFnmwiutiMnXHgGcps4Mw7gEKMlQKDP8zS2GSkJt9r0ct6jY ++39JQ+fM0PPcxlyFMQlLTMwcFKPAH+stA3MqxroPLHpeds9u1HcrXaN3MHUwDAYD +VR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweA +ADAdBgNVHQ4EFgQUjYaF/lZImEi+LQtLIh9y035UucAwHwYDVR0jBBgwFoAUmoMA +sMqoL0N4sF0RT5M2mxyQrs8wPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGh +GjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEBAJ+FXZz9F6ie8EJc +OMA55zOr+SPgSqf/6E1xLNQqf/s44oyXkl3FfYXYitHc6vAp1LOD3WjXCDgSSM1R +Vp0qBKDO+7ESYVCIYdzoSC4OFwVSTID+rH1bv0m9ZMiPQB97vAzXJq0bGyijPZGb +TSUHjFNImGJdZq3B/uB0c/tQBLUi9YrVT1vYZ+lpOyMYaN21zFuDB6lc5sA6/k08 +I9J369z7iVCuibvXBo4roRL7wj+Cww5l6wjeFEo3Oj8wDoRHlxTk9ym40yvZinSY +PAESEyNkpLo6Ctyjz3HVxLmTZE/TyG/hNXionRXQ1uJZJOtdIMXouGCHStx2iFcL +2PSL3ng= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICgDCCAiqgAwIBAgIUZ91YTLTnOoGdoBoMZrk6sdNguM0wDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUyMjZaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg +hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC +AQoCggEBALYQaHpuXl4jEi7KpErGCCcQ0c50NuEnUzfU92tGJzXNLnOdKQVxW7ma +ptJ1Lb+f2D+utL61/eyG32DLosaPiTDi8R7P8O/ivXEhwHe8ScH/B1DAHfbnRNv8 +MC4nTq8MavMIm/9UE7j19C+uhLFFPExnRohaFZXLqKbAiadMYyEqROjibpmBcyxY +StdQNOQ0qBC/NkPRh+kSA6vN+ZIsqizl/PNfgd7am7c793fAb42U36q3ymUpCtkM +GhCoVx625sVYOKIHdtzGOwTV277TcVnflg+BwK97p0FRUh0envFENI1uzz4Et5Mn +swTDE/KoYVM8EIDeQcFAnF5tVxZfSosCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBSagwCwyqgvQ3iwXRFPkzabHJCu +zzAfBgNVHSMEGDAWgBS4/wLP/kals1V+CMMSsHiF9p0QajANBgkqhkiG9w0BAQsF 
+AANBAGmYNtQ0MIrtLCUs+WHJUE6nTC4DQHjNJ9eiFDQtDiup7FOZlLPWuxBv8IG+ +zXVfCc9BxrAQSAGiwyx4gKDT95I= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBZzCCARGgAwIBAgIUR3WhmgKRJu05fANwlblt/s9l6jQwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUyMjZaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK +s7lICbgRDeRXEPqZagrNUi5TjJkMB4NfU9gb0OUi3Vsna8Vi/2CLqJQ+jttINcS6 +knobMwssEAnkLe+V+KTzAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P +AQH/BAUDAwcGADAdBgNVHQ4EFgQUuP8Cz/5GpbNVfgjDErB4hfadEGowDQYJKoZI +hvcNAQELBQADQQAFKda31c8Dsue9JpR4med450ZroHT5WrGkH6T7XwczXfNc8W9w +nKPMoJLZK47HSWqUdniMRPX9XydqxaVug5Rj +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/chain-512-leaf.pem b/tests/cert-tests/data/chain-512-leaf.pem new file mode 100644 index 0000000000..f8a4ce1c9b --- /dev/null +++ b/tests/cert-tests/data/chain-512-leaf.pem 
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIICYTCCAUmgAwIBAgIUGaahqSHZnDisEpq7NdDyajix8GgwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTEyMTgxMjU0MzVaGA85OTk5MTIzMTIz +NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwXDANBgkqhkiG9w0BAQEFAANLADBI +AkEAmmMomDw6UyEVGsCdhWB3BbgJNP+T4bFMnovfcwl5GBI9htuMataGBWB202Nf +ICItBqPCI7Mu8kO4xsz44ejRNQIDAQABo3cwdTAMBgNVHRMBAf8EAjAAMBQGA1Ud +EQQNMAuCCWxvY2FsaG9zdDAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBSuKggm +nzHbFCskfAJqxOV+hLlfLDAfBgNVHSMEGDAWgBS0Hn5aBNJdFPII6ad0f/eSfxEL +MjANBgkqhkiG9w0BAQsFAAOCAQEAQZR/tbDYzzDo3CL/lFmk/dXs6/qMo3B/9xLV +HGhj2IqjRNY4Qo4V05a+Xw9bUxvmuae+BrNGOK4ouwhsmZerTPIhE6u1PWZclcQm +Ean6r8uXWKsCdUd1zMP/oZUuWiQga/7+Ej2MT/E7dxhfHoAQin9B6NGIJB8pG0KX +FU74gSlsA+bQFBEyIYDgJXj6Oht0ggyIzzy6nPzi+7cRgzmqhfCyoZoZd8vn1fi3 +Lvqt3XbfDITTBhr9FtBr0LQNbe5/j74nXKUiIYiu8EkDC0hTMK+s2q9qNi43+naR +8h0irt/ZBUIJrJWtPSJsVDHKXkEtwYaI+HNNGE/Zjk4wS3ydBg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDEjCCAfqgAwIBAgIUTJoYUgrAGOyE94h5R67I+cbdBtYwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjU0MzRaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAM+nUak8iG8Ff5u08dsTvdQsb+xVnHiL+cPOrAaDN76VpifZKE5fHMcy +LYJi3cXZHgIUMTTHqU0X9wef5GbRDdmH82073OHE4XTaf0NJckGLegqxt7xRN24b +bUQquy1Xr1mSBoVGPOZXkS75nZ0vLFXcP4hF8J4M2y8veCnJJZB/y110F+j8g2uJ +guXozXXk9/64obxycy/k6JSzCr/WjEhg0dL5t/rnpUxxMkqJqd8P5YpCabhP0mjh +gCb0R0UX5B4R3MqeQ4TwXbf9pI4EtEIGtYBmgWczEV300oe+CixiKABvxF6Q37Eg +N+c8Yjyod10M55YcOttIYrO/dAGOfOcCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBS0Hn5aBNJdFPII6ad0f/eSfxEL +MjAfBgNVHSMEGDAWgBSCt0sRc+AtcCAfvZZvqd9gBkYnyTANBgkqhkiG9w0BAQsF +AAOCAQEAKvrBV31kz41qjkk2QQ6DR2COVfOmc9LHbeJMr/s1vFxyNJ1htsfHh2HW +lvYyqzS0m36RApCJXT1Z1dzvEp45GoCtaISVq9jenKSm7nLCqnhbPWFr3nMDWPPG +c9lV7PlPB8myeHhZpGK7df1VcTIJN2u/SI7P4RnaUck2176yJVyU4StOUcmbd+Yn +I7LWpxwVmNkcOwI5IR0zdbVWcLP9+2kL8Kju8koql1lrlqTnucRY+2sD1sjaTTIz 
+kQVrELO0l9EAAC5La6u9dACkOhppYFZIw++hbtEXxgkEYnoGzvptsNi3w+CrQ/g8 +7cuIfQFBCX/9C6APbz1o4FHJCKsDVw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUMPdFIRYbJUlkWLtbOqcbIE9nbkkwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjU0MzRaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALS9CFlh0IrSuEjuiDRnznblJiTWXuojqTp61CZkJzEt3mTAbAuvJGZa +wG6gQxMIIYwxtbdjC58wP9ZucJgFxVgD4211QBcwACxDCbGyUsxTZZrQkCMun6Y/ +YMUSu8Og6twIx++vAO+N0Eaa/FrUcYa0Hj8XxUgL8/CT40OJC/i49OuA9Bs3L6zj +aMEADZ/f3/33oo6jgOdRmUmVOuovNg02h4NjBk3OlKD03vZ2ygVzmXme0YBM0o3Z +SmMqhut96fI8taqcCV5ccNNsp6HHIg0GGuWtBB7rTkEFBhQg53AMrzgOpQ64Pueg +LXLdRdOVKRkX1lLvboRMbjlM5HtOTX8CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBSCt0sRc+AtcCAfvZZvqd9gBkYn +yTANBgkqhkiG9w0BAQsFAAOCAQEAEjS+iRmeALeQIVvU4VztUmqp7FtkdD1P92xu +yuvPTKGmhRRwDNB1GleHUt4BFKF9EPTW9PK9VJTjNiivPcm9u6zjRENb95l7NOsY +5AYMZFyR+jRT7cxbDYGuQ9yc8nRF1mH6L0osfgMIub/Z7noMgSGhzQx5E56Q2CPj +QVLUH37Hkj0hAWsccFuiicZSeAsxSWAr7+qRKHWJKgJ1sBiDkXlsfuoUYJCFd4Q7 +LQraLxDpVfB44E+rxFRJoLYzExeTXhDvCJYNPd7OUd6WIOeq0yjaj1v8dn5pV6Vh +kockuY1rAy2fNlOoIEG9qVvWJ/vj+Uq9wUomW3wfyF8es74V2A== +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/chain-512-subca.pem b/tests/cert-tests/data/chain-512-subca.pem new file mode 100644 index 0000000000..261137b28a --- /dev/null +++ b/tests/cert-tests/data/chain-512-subca.pem 
@@ -0,0 +1,46 @@ +-----BEGIN CERTIFICATE----- +MIIB3zCCAYmgAwIBAgIUJCiWOylfZcYmHICa+LwzULsEY5swDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTEyMTgxMjUzMjdaGA85OTk5MTIzMTIz +NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwgZswEAYHKoZIzj0CAQYFK4EEACMD +gYYABAEkG+6EOxALvWgJfPPfTj6aM++G/Clb6qYKb7EKHKArIngKFB9jLmGCC9Nh ++2Fg75z9GjP1UNqdlwcuTYsFzIdFfgD7POQCoU/mQKGHCHrNgTd+yhbpkjIzMf94 +Pd37B3KWoMwpt42vi5oEv1wMaMT/9bgZtiTh5cFdYc53MpVqj9GAiaN3MHUwDAYD +VR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweA +ADAdBgNVHQ4EFgQUbktH02YQyE/FHx+/fWGUBEXQYxwwHwYDVR0jBBgwFoAUTXqT +trlGUSx93s8ATWGeoEDKrqcwDQYJKoZIhvcNAQELBQADQQAFHfmevmaYUZcMZLDY ++BrwecSLCxPWHd6T1QDhn6x7P8aVsY/8cLIn7ACURxR+ia2fG/px0o2+wV+bT+A5 +sDIv +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICSjCCATKgAwIBAgIUA6RF1rEvvPbBSliyFqD77roShB0wDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUzMjdaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDl +cI6PmIU+IFbj7ykZkLWuGIlR8uF3CAyj2fq4iBeEk10hEA+d5Oz2Yp7YwmnTJvb6 +oO2XLPyLyE3htVmbaEj5AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P +AQH/BAUDAweEADAdBgNVHQ4EFgQUTXqTtrlGUSx93s8ATWGeoEDKrqcwHwYDVR0j +BBgwFoAUCWYWUmG4wYva7UCkhcdTRTJXTIQwDQYJKoZIhvcNAQELBQADggEBABeg +Ev6JXb78IRCeK11I/B30HW17ejR+wFBereGpuIxu6HtDHVl2Au1+vJ+ddK7hVvL5 +Z18RozUyvwpCAQ5DqC9SzabAfIszM7PvEZ7/j5xd11L+YEicd9g72jVKwP2VSIJL +9dfHBFvIlh7NrspwVipPSp5bDCbrTTOpNPHHQuTNO51dw9178UfmQhg4hIrMnGsW +edT5KswtixFekzW36giJ673tnz/amcDJxJC78sXFnpYsIrTRFqU2/rrd7Yd9Fmwv +4D2vvBVmRKVYTEz9W5tgMEQWvzSomQj5ejzHzcomXXp/W96XDKWVjHE43EmqquTE +rlIkVCK/Yf1h99U2+Ag= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUWV9HK/UEiOT8ZpQq2w2glOshGeUwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUzMjdaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMVYMEUmPcAGVgJkwMSser5bJWUEzD7PtXUzzeu3UAUl5D/B5I7vlZ3A +1T0ZlSdTB0N73HHg/FFE90jUrVoj/yI6Ml1otPZ1tYjH2eLGN+/NCkFVKSzxuNo3 
+DURRRFoWMpk4kpmaCYkWoKMTYZtkcserm+Lv0kpBFT12+iT/GCPBmaqmcbMK8sbS +Pz45BVdRFwln8oyLKSunXyYrBd2LHlLkhag0YivojAxuE8IyEE2SkndGO1JC8WFB +DMwGrllrkAiZSZKdTEI4377r5LrgYXv7w9tr5jgkrABUohie8SpJOlJqcjzfaF/1 +QJrxZSwSUvOl4EZVziEBSnlwzrfk6G0CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQJZhZSYbjBi9rtQKSFx1NFMldM +hDANBgkqhkiG9w0BAQsFAAOCAQEAXTYMg/3eQ46E+s6OoZ3wb4diYXfblgvdAlL4 +LYLGeQJ+Jys5iJ6cou+Ck3xsSpXr5+6ElwyP/T8DieHdZHYy/JC/EhU8O+nxsszr +zjxJGQWVBqlzsVSsELhJcH6OC5xhUw8F1Xpy95trpRTSQB7fkxrqWnEIgacKUuns +s5ntL3BJzOhNnxZM7dydFL3citM1lrfDLr2pErrXPFpLbul0yCT4sWZeriKbj4vh +7N/1CQ2cvChOSHAbB9KMUeCBDJgWP7u4zqVLQv/mTfjB0tXRWYMLsr2koyCOhcWj +MA5NnUuEfXtLLcCUbekk26SgYLKz+AGk6gAMN7ofsYLPOtTShw== +-----END CERTIFICATE----- diff --git a/tests/certs/rsa-512.pem b/tests/certs/rsa-512.pem new file mode 100644 index 0000000000..46fbe62589 --- /dev/null +++ b/tests/certs/rsa-512.pem @@ -0,0 +1,20 @@ +-----BEGIN PRIVATE KEY----- +MIIBVwIBADANBgkqhkiG9w0BAQEFAASCAUEwggE9AgEAAkEAwZFO/Vz94lR3/TKz +76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaASm6PGDvAliviIjGjKTkdDdqZ +X2S94QIDAQABAkEAsV+L+FN8OieZBCWwCNBNsz1pY8Uzp1S7Pl3n9eZBJOKNc/tI +Tr0/zwAR+5C7IE7xjfuYHZDWN+yXg0LhH+GYgQIhAP0rzSdsjuPJ9XA9wpnYLN4O +fqXnA7mzW5QKzYuzy3RJAiEAw7sCwUSi7030NszYd7A63o2WrzqWRoX1V1vt6FMd +zNkCIQDmsytXaY0r9bU6eo0CNANutjaiZ0j1x4MD/HQhgc08QQIhALdYYLZF4xKj +RRZoQIWtURfULciq6sXZCf7xICQ2Z33RAiEA/M/OnKZijdWg13dchmdaXLgNGxJO +N90VucFVWK8nXzo= +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIBTjCB+aADAgECAhQcc65I8jSxWRjcS1czw4MRLIc8qDANBgkqhkiG9w0BAQsF +ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMjE1MDI1NTU4WhcNMjkxMjEy +MDI1NTU4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL +ADBIAkEAwZFO/Vz94lR3/TKz76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaA +Sm6PGDvAliviIjGjKTkdDdqZX2S94QIDAQABoyMwITAJBgNVHRMEAjAAMBQGA1Ud +EQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAANBAHslvfVxod5p+Gt7l4LV +M2HBxOt4YM8mRCtyNSmJEGAe+aIzXaiSiRnVkVvjQvdxacu2D4yP52BUo1vzNnCq +2UI= +-----END CERTIFICATE----- 
diff --git a/tests/gnutls-ids.c b/tests/gnutls-ids.c
new file mode 100644
index 0000000000..f1ee91232f
--- /dev/null
+++ b/tests/gnutls-ids.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2017 Red Hat
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/dane.h>
+#include <assert.h>
+
+#include "utils.h"
+
+void doit(void)
+{
+ assert(gnutls_certificate_verification_profile_get_id("very weak") == GNUTLS_PROFILE_VERY_WEAK);
+ assert(gnutls_certificate_verification_profile_get_id("low") == GNUTLS_PROFILE_LOW);
+ assert(gnutls_certificate_verification_profile_get_id("legacy") == GNUTLS_PROFILE_LEGACY);
+ assert(gnutls_certificate_verification_profile_get_id("MedIum") == GNUTLS_PROFILE_MEDIUM);
+ assert(gnutls_certificate_verification_profile_get_id("ultra") == GNUTLS_PROFILE_ULTRA);
+ assert(gnutls_certificate_verification_profile_get_id("future") == GNUTLS_PROFILE_FUTURE);
+ assert(gnutls_certificate_verification_profile_get_id("xxx") == GNUTLS_PROFILE_UNKNOWN);
+}
diff --git a/tests/gnutls-strcodes.c b/tests/gnutls-strcodes.c
index 294fcac203..0d3f14b600 100644
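Review bot: doit() never looks up "high", even though GNUTLS_PROFILE_HIGH is among the profiles the gnutls-strcodes.c hunk in this same merge checks, so the two tests disagree on the set of profiles covered; add `assert(gnutls_certificate_verification_profile_get_id("high") == GNUTLS_PROFILE_HIGH);` and, for symmetry, round-trip each id through gnutls_certificate_verification_profile_get_name(). Only "MedIum" exercises case-insensitive matching, and nothing says that is intentional; a header comment such as `/* Checks that profile names map to their ids case-insensitively and that unknown names yield GNUTLS_PROFILE_UNKNOWN. */` would make the contract under test explicit. The includes of stdlib.h, stdio.h, string.h and gnutls/dane.h are unused by this file and look carried over from another test.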
--- a/tests/gnutls-strcodes.c +++ b/tests/gnutls-strcodes.c @@ -115,6 +115,13 @@ void doit(void) check_non_null(gnutls_sec_param_get_name(i)); } + check_non_null(gnutls_certificate_verification_profile_get_name(GNUTLS_PROFILE_VERY_WEAK)); + check_non_null(gnutls_certificate_verification_profile_get_name(GNUTLS_PROFILE_LOW)); + check_non_null(gnutls_certificate_verification_profile_get_name(GNUTLS_PROFILE_LEGACY)); + check_non_null(gnutls_certificate_verification_profile_get_name(GNUTLS_PROFILE_MEDIUM)); + check_non_null(gnutls_certificate_verification_profile_get_name(GNUTLS_PROFILE_HIGH)); + check_non_null(gnutls_certificate_verification_profile_get_name(GNUTLS_PROFILE_ULTRA)); + for (i=GNUTLS_ECC_CURVE_INVALID+1;i<=GNUTLS_ECC_CURVE_MAX;i++) { if (_gnutls_ecc_curve_is_supported(i) == 0) continue; diff --git a/tests/server-weak-keys.sh b/tests/server-weak-keys.sh new file mode 100755 index 0000000000..31c51a80bc --- /dev/null +++ b/tests/server-weak-keys.sh 
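Review bot: GNUTLS_PROFILE_FUTURE is absent from the new check_non_null() list, while the new gnutls-ids.c test asserts that "future" maps to it, so a NULL name for that profile would go unnoticed here; add `check_non_null(gnutls_certificate_verification_profile_get_name(GNUTLS_PROFILE_FUTURE));`. The neighbouring checks in doit() iterate over enum ranges; if the profile enum has a comparable upper bound a loop would keep this list from drifting as profiles are added, but I cannot tell from the hunk whether one exists. doit() starts and ends outside the hunk.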
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+unset RETCODE
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+
+SERV="${SERV} -q"
+
+. "${srcdir}/scripts/common.sh"
+
+check_for_datefudge
+
+echo "Checking whether a client will refuse weak but trusted keys"
+
+KEY1=${srcdir}/certs/rsa-512.pem
+CERT1=${srcdir}/certs/rsa-512.pem
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+timeout 1800 datefudge "2019-12-20" \
+"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 </dev/null && \
+ fail ${PID} "1. handshake with RSA should have failed!"
+
+timeout 1800 datefudge "2019-12-20" \
+"${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL </dev/null && \
+ fail ${PID} "2. 
handshake with RSA should have failed!" + +kill ${PID} +wait + +exit 0 diff --git a/tests/slow/Makefile.am b/tests/slow/Makefile.am index b4c43c6aa3..9418985d97 100644 --- a/tests/slow/Makefile.am +++ b/tests/slow/Makefile.am @@ -67,6 +67,7 @@ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ LSAN_OPTIONS=suppressions=gnutls-asan.supp \ GNUTLS_TEST_SUITE_RUN=1 \ OPENSSL_ia32cap=0x00000000 \ + GNUTLS_SYSTEM_PRIORITY_FILE=$(srcdir)/../system.prio \ top_builddir="$(top_builddir)" \ srcdir="$(srcdir)" diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index 21966ac898..fd8fac7919 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -103,6 +103,7 @@ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ srcdir="$(srcdir)" \ ASAN_OPTIONS="detect_leaks=0" \ GNUTLS_TEST_SUITE_RUN=1 \ + GNUTLS_SYSTEM_PRIORITY_FILE=$(srcdir)/../system.prio \ OPENSSL_ia32cap=0x00000000 if ENABLE_NON_SUITEB_CURVES diff --git a/tests/test-chains.h b/tests/test-chains.h index cf4d0c442a..fe118717d4 100644 --- a/tests/test-chains.h +++ b/tests/test-chains.h @@ -3981,6 +3981,20 @@ static const char *gost12_512[] = { }; #endif +static const char *rsa_512[] = { + "-----BEGIN CERTIFICATE-----\n" + "MIIBTjCB+aADAgECAhQcc65I8jSxWRjcS1czw4MRLIc8qDANBgkqhkiG9w0BAQsF\n" + "ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMjE1MDI1NTU4WhcNMjkxMjEy\n" + "MDI1NTU4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL\n" + "ADBIAkEAwZFO/Vz94lR3/TKz76qRCV2skqthX7PB6YxeLHH3ifWSYR2qCYTBikaA\n" + "Sm6PGDvAliviIjGjKTkdDdqZX2S94QIDAQABoyMwITAJBgNVHRMEAjAAMBQGA1Ud\n" + "EQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAANBAHslvfVxod5p+Gt7l4LV\n" + "M2HBxOt4YM8mRCtyNSmJEGAe+aIzXaiSiRnVkVvjQvdxacu2D4yP52BUo1vzNnCq\n" + "2UI=\n" + "-----END CERTIFICATE-----\n", + NULL +}; + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) # pragma GCC diagnostic push # pragma GCC diagnostic ignored "-Wunused-variable" 
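Review bot: Both client runs count as a pass whenever gnutls-cli exits non-zero, not specifically when it rejects the 512-bit key, so a failure to connect at all (server not yet listening, a datefudge or timeout problem, a priority-string typo) would also let the test succeed; capture the client's output to a temp file and require the expected verification failure with `grep` before declaring success — the exact status text to match needs confirming against gnutls-cli's output. `unset RETCODE` on the previous line is never used afterwards and can go. `timeout 1800` is a very generous bound for one local handshake, though other scripts in this tree may share the value. The script starts on the previous line.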
@@ -4141,10 +4155,12 @@ static struct #ifdef ENABLE_GOST { "gost 34.10-01 - ok", gost01, &gost01[2], 0, 0, 0, 1466612070, 1}, { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, { "gost 34.10-12-256 - ok", gost12_256, &gost12_256[0], 0, 0, 0, 1466612070, 1}, { "gost 34.10-12-512 - ok", gost12_512, &gost12_512[0], 0, 0, 0, 1466612070, 1}, #endif + { "rsa-512 - not ok (due to profile)", rsa_512, &rsa_512[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, { NULL, NULL, NULL, 0, 0} }; diff --git a/tests/windows/Makefile.am b/tests/windows/Makefile.am index 5a81043772..1d238d23f2 100644 --- a/tests/windows/Makefile.am +++ b/tests/windows/Makefile.am @@ -68,8 +68,9 @@ TESTS = $(ctests) $(dist_check_SCRIPTS) TESTS_ENVIRONMENT = \ WINEDLLOVERRIDES="crypt32=n,ncrypt=n" \ - LC_ALL="C" \ + LC_ALL="C" \ GNUTLS_TEST_SUITE_RUN=1 \ - EXEEXT=$(EXEEXT) \ - top_builddir="$(top_builddir)" \ + EXEEXT=$(EXEEXT) \ + GNUTLS_SYSTEM_PRIORITY_FILE=$(srcdir)/../system.prio \ + top_builddir="$(top_builddir)" \ srcdir="$(srcdir)" |
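Review bot: The new rsa-512 entry only checks that the MEDIUM profile rejects the chain; there is no sibling entry that accepts the same chain under a permissive profile, so a rejection for an unrelated reason (time, a broken self-signature) would look the same unless the harness compares the exact status flags, which I cannot see from here. The certificate in the previous hunk's `rsa_512[]` is the same PEM block as tests/certs/rsa-512.pem, and the trust anchor for the entry is the certificate itself (`&rsa_512[0]`); a comment such as `/* same certificate as tests/certs/rsa-512.pem; used as its own trust anchor */` would keep the two copies from silently diverging. The array this entry is appended to starts outside the hunk.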