_gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements
This is a multi-update with few items:
- Introduces high level tests with certtool for profile levels; for that it enhances certtool with the --verify-profile option.
- If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level. This addresses the problem of accepting CAs which would have been marked as insecure otherwise.
Checklist
-
Commits have Signed-off-by:with name/author being identical to the commit author -
Code modified for feature -
Test suite updated with functionality tests -
Test suite updated with negative tests -
Documentation updated / NEWS entry present (for non-trivial changes) -
CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)
Reviewer's checklist:
-
Any issues marked for closing are addressed -
There is a test suite reasonably covering new functionality or modifications -
Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md -
This feature/change has adequate documentation added -
No obvious mistakes in the code