diffstat for gnutls28-3.4.10 gnutls28-3.4.10

 changelog                                                                          |    9 
 patches/0001-gnutls_x509_trust_list_verify_crt2-treat-signers-wit.patch            |  104 ++++
 patches/0001-tests-modified-pkcs1-pad-to-account-for-alt-path-sea.patch            |   23 +
 patches/44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch |  220 ++++++++++
 patches/44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch |   39 +
 patches/44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch |  125 +++++
 patches/series                                                                     |    5 
 7 files changed, 525 insertions(+)

diff -Nru gnutls28-3.4.10/debian/changelog gnutls28-3.4.10/debian/changelog
--- gnutls28-3.4.10/debian/changelog	2020-06-17 21:06:13.000000000 +0000
+++ gnutls28-3.4.10/debian/changelog	2021-08-27 13:19:17.000000000 +0000
@@ -1,3 +1,12 @@
+gnutls28 (3.4.10-4ubuntu1.9) xenial; urgency=medium
+
+  * Backport patches from Upstream/Debian to check validity against system
+    certs. This is to allow correctly validating default letsencrypt
+    chains that now also include a redundant expired certficate. LP:
+    #1928648
+
+ -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Fri, 27 Aug 2021 14:19:17 +0100
+
 gnutls28 (3.4.10-4ubuntu1.8) xenial; urgency=medium
 
   * d/p/50_Update-session_ticket.c-to-add-support-for-zero-leng.patch:
diff -Nru gnutls28-3.4.10/debian/patches/0001-gnutls_x509_trust_list_verify_crt2-treat-signers-wit.patch gnutls28-3.4.10/debian/patches/0001-gnutls_x509_trust_list_verify_crt2-treat-signers-wit.patch
--- gnutls28-3.4.10/debian/patches/0001-gnutls_x509_trust_list_verify_crt2-treat-signers-wit.patch	1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/0001-gnutls_x509_trust_list_verify_crt2-treat-signers-wit.patch	2021-08-27 12:41:10.000000000 +0000
@@ -0,0 +1,104 @@
+From fe3453be9032e94940e1b9cfb1ece35d0d822d06 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Mon, 8 May 2017 06:43:28 +0200
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: treat signers with
+ insecure algorithms as unknown
+
+The reason is that many servers utilize a legacy chain to improve compatibility
+with old clients and that chain often contains insecure algorithm. In that case
+try to construct alternative paths. To maintain compatibility with previous
+versions, we ensure that the same error code (verification status) is returned
+in these cases as before by sending the cached error if the alternative path fails
+too.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ lib/x509/verify-high.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+Index: gnutls28-3.5.18/lib/x509/verify-high.c
+===================================================================
+--- gnutls28-3.5.18.orig/lib/x509/verify-high.c
++++ gnutls28-3.5.18/lib/x509/verify-high.c
+@@ -52,7 +52,6 @@ struct node_st {
+ 	/* The trusted CRLs */
+ 	gnutls_x509_crl_t *crls;
+ 	unsigned int crl_size;
+-
+ };
+ 
+ struct gnutls_x509_trust_list_iter {
+@@ -1175,6 +1174,15 @@ gnutls_x509_trust_list_verify_crt(gnutls
+ 						  NULL, 0, flags, voutput, func);
+ }
+ 
++#define LAST_DN cert_list[cert_list_size-1]->raw_dn
++#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
++/* This macro is introduced to detect a verification output
++ * which indicates an unknown signer, or a signer which uses
++ * an insecure algorithm (e.g., sha1), something that indicates
++ * a superceded signer */
++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
++#define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
++
+ /**
+  * gnutls_x509_trust_list_verify_crt2:
+  * @list: The list
+@@ -1237,6 +1245,7 @@ gnutls_x509_trust_list_verify_crt2(gnutl
+ 	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
+ 	const char *hostname = NULL, *purpose = NULL, *email = NULL;
+ 	unsigned hostname_size = 0;
++	unsigned saved_output;
+ 
+ 	if (cert_list == NULL || cert_list_size < 1)
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -1299,11 +1308,9 @@ gnutls_x509_trust_list_verify_crt2(gnutl
+ 					    list->
+ 					    node[hash].trusted_ca_size,
+ 					    flags, purpose, func);
++	saved_output = *voutput;
+ 
+-#define LAST_DN cert_list[cert_list_size-1]->raw_dn
+-#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
+-
+-	if ((*voutput) & GNUTLS_CERT_SIGNER_NOT_FOUND &&
++	if (SIGNER_OLD_OR_UNKNOWN(*voutput) &&
+ 		(LAST_DN.size != LAST_IDN.size ||
+ 		 memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) {
+ 
+@@ -1315,16 +1322,25 @@ gnutls_x509_trust_list_verify_crt2(gnutl
+ 			  data, cert_list[cert_list_size - 1]->raw_dn.size);
+ 		hash %= list->size;
+ 
++		 _gnutls_debug_log("issuer in verification was not found or insecure; trying against trust list\n");
++
+ 		*voutput =
+ 		    _gnutls_verify_crt_status(cert_list, cert_list_size,
+ 					    list->node[hash].trusted_cas,
+ 					    list->
+ 					    node[hash].trusted_ca_size,
+ 					    flags, purpose, func);
++		if (*voutput != 0) {
++			if (SIGNER_WAS_KNOWN(saved_output))
++				*voutput = saved_output;
++			gnutls_assert();
++		}
+ 	}
+ 
++	saved_output = *voutput;
++
+ #ifdef ENABLE_PKCS11
+-	if ((*voutput & GNUTLS_CERT_SIGNER_NOT_FOUND) && list->pkcs11_token) {
++	if (SIGNER_OLD_OR_UNKNOWN(*voutput) && list->pkcs11_token) {
+ 		/* use the token for verification */
+ 
+ 		*voutput = _gnutls_pkcs11_verify_crt_status(list->pkcs11_token,
+@@ -1332,6 +1348,8 @@ gnutls_x509_trust_list_verify_crt2(gnutl
+ 								purpose,
+ 								flags, func);
+ 		if (*voutput != 0) {
++			if (SIGNER_WAS_KNOWN(saved_output))
++				*voutput = saved_output;
+ 			gnutls_assert();
+ 		}
+ 	}
diff -Nru gnutls28-3.4.10/debian/patches/0001-tests-modified-pkcs1-pad-to-account-for-alt-path-sea.patch gnutls28-3.4.10/debian/patches/0001-tests-modified-pkcs1-pad-to-account-for-alt-path-sea.patch
--- gnutls28-3.4.10/debian/patches/0001-tests-modified-pkcs1-pad-to-account-for-alt-path-sea.patch	1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/0001-tests-modified-pkcs1-pad-to-account-for-alt-path-sea.patch	2021-08-27 13:19:17.000000000 +0000
@@ -0,0 +1,23 @@
+From b2c39e8ca1bfb44ff951028eedb41446ed668ec8 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Tue, 9 May 2017 21:24:36 +0200
+Subject: [PATCH] tests: modified pkcs1-pad to account for alt path search
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ tests/cert-tests/pkcs1-pad | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: gnutls28-3.4.10/tests/pkcs1-padding/pkcs1-pad
+===================================================================
+--- gnutls28-3.4.10.orig/tests/pkcs1-padding/pkcs1-pad
++++ gnutls28-3.4.10/tests/pkcs1-padding/pkcs1-pad
+@@ -85,7 +85,7 @@ echo "PKCS1-PAD2 OK"
+ # by Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann.
+ 
+ 
+-EXPECT3=02
++EXPECT3=03
+ 
+ datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-broken3.pem" | tee out1 >/dev/null 2>&1
+ 
diff -Nru gnutls28-3.4.10/debian/patches/44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch gnutls28-3.4.10/debian/patches/44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
--- gnutls28-3.4.10/debian/patches/44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch	1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch	2021-08-27 13:16:01.000000000 +0000
@@ -0,0 +1,220 @@
+From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sun, 31 May 2020 12:39:14 +0200
+Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against
+ system cert
+
+To verify a certificate chain, this function replaces known
+certificates with the ones in the system trust store if possible.
+
+However, if it is found, the function checks the validity of the
+original certificate rather than the certificate found in the trust
+store.  That reveals a problem in a scenario that (1) a certificate is
+signed by multiple issuers and (2) one of the issuers' certificate has
+expired and included in the input chain.
+
+This patch makes it a little robuster by actually retrieving the
+certificate from the trust store and perform check against it.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/pkcs11.c      | 98 +++++++++++++++++++++++++++++++++--------------
+ lib/pkcs11_int.h  |  5 +++
+ lib/x509/verify.c |  7 +++-
+ 3 files changed, 80 insertions(+), 30 deletions(-)
+
+Index: gnutls28-3.4.10/lib/pkcs11.c
+===================================================================
+--- gnutls28-3.4.10.orig/lib/pkcs11.c
++++ gnutls28-3.4.10/lib/pkcs11.c
+@@ -3903,34 +3903,9 @@ int gnutls_pkcs11_get_raw_issuer_by_subj
+ 	return ret;
+ }
+ 
+-/**
+- * gnutls_pkcs11_crt_is_known:
+- * @url: A PKCS 11 url identifying a token
+- * @cert: is the certificate to find issuer for
+- * @issuer: Will hold the issuer if any in an allocated buffer.
+- * @fmt: The format of the exported issuer.
+- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
+- *
+- * This function will check whether the provided certificate is stored
+- * in the specified token. This is useful in combination with 
+- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
+- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
+- * to check whether a CA is present or a certificate is blacklisted in
+- * a trust PKCS #11 module.
+- *
+- * This function can be used with a @url of "pkcs11:", and in that case all modules
+- * will be searched. To restrict the modules to the marked as trusted in p11-kit
+- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
+- *
+- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
+- * specific to p11-kit trust modules.
+- *
+- * Returns: If the certificate exists non-zero is returned, otherwise zero.
+- *
+- * Since: 3.3.0
+- **/
+-int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+-				 unsigned int flags)
++int _gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
++				unsigned int flags,
++				gnutls_x509_crt_t *trusted_cert)
+ {
+ 	int ret;
+ 	struct find_cert_st priv;
+@@ -3944,6 +3919,15 @@ int gnutls_pkcs11_crt_is_known(const cha
+ 
+ 	memset(&priv, 0, sizeof(priv));
+ 
++	if (trusted_cert) {
++		ret = gnutls_pkcs11_obj_init(&priv.obj);
++		if (ret < 0) {
++			gnutls_assert();
++			goto cleanup;
++		}
++		priv.need_import = 1;
++	}
++
+ 	if (url == NULL || url[0] == 0) {
+ 		url = "pkcs11:";
+ 	}
+@@ -3996,7 +3980,17 @@ int gnutls_pkcs11_crt_is_known(const cha
+ 	if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ 		/* attempt searching with the subject DN only */
+ 		gnutls_assert();
++		if (priv.obj)
++			gnutls_pkcs11_obj_deinit(priv.obj);
+ 		memset(&priv, 0, sizeof(priv));
++		if (trusted_cert) {
++			ret = gnutls_pkcs11_obj_init(&priv.obj);
++			if (ret < 0) {
++				gnutls_assert();
++				goto cleanup;
++			}
++			priv.need_import = 1;
++		}
+ 		priv.crt = cert;
+ 		priv.flags = flags;
+ 
+@@ -4012,9 +4006,26 @@ int gnutls_pkcs11_crt_is_known(const cha
+ 		goto cleanup;
+ 	}
+ 
++	if (trusted_cert) {
++		ret = gnutls_x509_crt_init(trusted_cert);
++		if (ret < 0) {
++			gnutls_assert();
++			ret = 0;
++			goto cleanup;
++		}
++		ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
++		if (ret < 0) {
++			gnutls_assert();
++			gnutls_x509_crt_deinit(*trusted_cert);
++			ret = 0;
++			goto cleanup;
++		}
++	}
+ 	ret = 1;
+ 
+       cleanup:
++	if (priv.obj)
++		gnutls_pkcs11_obj_deinit(priv.obj);
+ 	if (info)
+ 		p11_kit_uri_free(info);
+ 
+@@ -4022,6 +4033,38 @@ int gnutls_pkcs11_crt_is_known(const cha
+ }
+ 
+ /**
++ * gnutls_pkcs11_crt_is_known:
++ * @url: A PKCS 11 url identifying a token
++ * @cert: is the certificate to find issuer for
++ * @issuer: Will hold the issuer if any in an allocated buffer.
++ * @fmt: The format of the exported issuer.
++ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
++ *
++ * This function will check whether the provided certificate is stored
++ * in the specified token. This is useful in combination with
++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
++ * to check whether a CA is present or a certificate is blacklisted in
++ * a trust PKCS #11 module.
++ *
++ * This function can be used with a @url of "pkcs11:", and in that case all modules
++ * will be searched. To restrict the modules to the marked as trusted in p11-kit
++ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
++ *
++ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
++ * specific to p11-kit trust modules.
++ *
++ * Returns: If the certificate exists non-zero is returned, otherwise zero.
++ *
++ * Since: 3.3.0
++ **/
++int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
++			       unsigned int flags)
++{
++	return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
++}
++
++/**
+  * gnutls_pkcs11_obj_get_flags:
+  * @obj: The pkcs11 object
+  * @oflags: Will hold the output flags
+Index: gnutls28-3.4.10/lib/pkcs11_int.h
+===================================================================
+--- gnutls28-3.4.10.orig/lib/pkcs11_int.h
++++ gnutls28-3.4.10/lib/pkcs11_int.h
+@@ -349,6 +349,11 @@ inline static bool is_object_pkcs11_url(
+ 	return 0;
+ }
+ 
++int
++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
++			    unsigned int flags,
++			    gnutls_x509_crt_t *trusted_cert);
++
+ #endif				/* ENABLE_PKCS11 */
+ 
+ #endif
+Index: gnutls28-3.4.10/lib/x509/verify.c
+===================================================================
+--- gnutls28-3.4.10.orig/lib/x509/verify.c
++++ gnutls28-3.4.10/lib/x509/verify.c
+@@ -34,6 +34,7 @@
+ #include <gnutls_sig.h>
+ #include <gnutls_str.h>
+ #include <gnutls_datum.h>
++#include <pkcs11_int.h>
+ #include <x509_int.h>
+ #include <common.h>
+ #include <gnutls_pk.h>
+@@ -1093,6 +1094,7 @@ _gnutls_pkcs11_verify_crt_status(const c
+ 
+ 	for (; i < clist_size; i++) {
+ 		unsigned vflags;
++		gnutls_x509_crt_t trusted_cert;
+ 
+ 		if (i == 0) /* in the end certificate do full comparison */
+ 			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+@@ -1101,12 +1103,14 @@ _gnutls_pkcs11_verify_crt_status(const c
+ 			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+ 				GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
+ 
+-		if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
++		if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
+ 
+ 			if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) &&
+ 				!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {
+ 				status |=
+-				    check_time_status(certificate_list[i], now);
++				    check_time_status(trusted_cert, now);
++				gnutls_x509_crt_deinit(trusted_cert);
++				
+ 				if (status != 0) {
+ 					if (func)
+ 						func(certificate_list[i], certificate_list[i], NULL, status);
diff -Nru gnutls28-3.4.10/debian/patches/44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch gnutls28-3.4.10/debian/patches/44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch
--- gnutls28-3.4.10/debian/patches/44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch	1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch	2021-08-27 13:17:57.000000000 +0000
@@ -0,0 +1,39 @@
+From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sun, 31 May 2020 13:59:53 +0200
+Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is
+ expired
+
+gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN
+to trigger the fallback verification path if the signer of the last
+certificate is not in the trust store.  Previously, it doesn't take
+into account of the condition where the certificate is expired.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/verify-high.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+Index: gnutls28-3.4.10/lib/x509/verify-high.c
+===================================================================
+--- gnutls28-3.4.10.orig/lib/x509/verify-high.c
++++ gnutls28-3.4.10/lib/x509/verify-high.c
+@@ -1172,11 +1172,13 @@ gnutls_x509_trust_list_verify_crt(gnutls
+ 
+ #define LAST_DN cert_list[cert_list_size-1]->raw_dn
+ #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
+-/* This macro is introduced to detect a verification output
+- * which indicates an unknown signer, or a signer which uses
+- * an insecure algorithm (e.g., sha1), something that indicates
+- * a superceded signer */
+-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
++/* This macro is introduced to detect a verification output which
++ * indicates an unknown signer, a signer which uses an insecure
++ * algorithm (e.g., sha1), a signer has expired, or something that
++ * indicates a superseded signer */
++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \
++				       (output & GNUTLS_CERT_EXPIRED) || \
++				       (output & GNUTLS_CERT_INSECURE_ALGORITHM))
+ #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
+ 
+ /**
diff -Nru gnutls28-3.4.10/debian/patches/44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch gnutls28-3.4.10/debian/patches/44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch
--- gnutls28-3.4.10/debian/patches/44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch	1970-01-01 00:00:00.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch	2021-08-27 13:18:51.000000000 +0000
@@ -0,0 +1,125 @@
+From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sun, 31 May 2020 14:28:48 +0200
+Subject: [PATCH 3/3] tests: add test case for certificate chain superseding
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 97 insertions(+)
+
+Index: gnutls28-3.4.10/tests/test-chains.h
+===================================================================
+--- gnutls28-3.4.10.orig/tests/test-chains.h
++++ gnutls28-3.4.10/tests/test-chains.h
+@@ -1682,6 +1682,102 @@ static const char *name_constraints_but_
+     NULL
+ };
+ 
++/* This contains an expired intermediate CA, which should be superseded. */
++static const char *superseding[] = {
++	"-----BEGIN CERTIFICATE-----"
++	"MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL"
++	"BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw"
++	"MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu"
++	"dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI"
++	"hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9"
++	"yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa"
++	"w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B"
++	"TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz"
++	"fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB"
++	"oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw"
++	"DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l"
++	"BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq"
++	"Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw"
++	"DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I"
++	"DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99"
++	"/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR"
++	"CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb"
++	"KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E"
++	"fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l"
++	"X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU="
++	"-----END CERTIFICATE-----",
++	"-----BEGIN CERTIFICATE-----"
++	"MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL"
++	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN"
++	"MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh"
++	"dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K"
++	"sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W"
++	"yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc"
++	"lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7"
++	"oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy"
++	"rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+"
++	"G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh"
++	"KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE"
++	"ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj"
++	"bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF"
++	"Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc"
++	"mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs"
++	"I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv"
++	"5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9"
++	"COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1"
++	"5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH"
++	"iJwOKIk="
++	"-----END CERTIFICATE-----",
++	NULL
++};
++
++static const char *superseding_ca[] = {
++	"-----BEGIN CERTIFICATE-----"
++	"MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL"
++	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP"
++	"OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk"
++	"aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/"
++	"HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8"
++	"vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI"
++	"hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl"
++	"WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp"
++	"kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl"
++	"zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2"
++	"N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD"
++	"BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe"
++	"dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW"
++	"aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA"
++	"ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7"
++	"9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE"
++	"Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP"
++	"SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi"
++	"hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9"
++	"izchzb9eow=="
++	"-----END CERTIFICATE-----",
++	"-----BEGIN CERTIFICATE-----"
++	"MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL"
++	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP"
++	"OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN"
++	"BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C"
++	"qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ"
++	"U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8"
++	"vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW"
++	"PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG"
++	"VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7"
++	"FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB"
++	"o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE"
++	"FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy"
++	"FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4"
++	"Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S"
++	"WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8"
++	"w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw"
++	"IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2"
++	"p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt"
++	"eh1COrLsOJo+"
++	"-----END CERTIFICATE-----",
++	NULL
++};
++
+ static struct
+ {
+   const char *name;
+@@ -1798,6 +1894,7 @@ static struct
+   { "kp-fin", kp_fail2, &kp_fail2[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586},
+   { "kp-ok", kp_ok, &kp_ok[3], 0, 0, GNUTLS_KP_OCSP_SIGNING, 1412850586},
+   { "name constraints no name", name_constraints_but_no_name, &name_constraints_but_no_name[2], 0, 0, 0, 1427270515},
++  { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
+   { NULL, NULL, NULL, 0, 0}
+ };
+ /* *INDENT-ON* */
diff -Nru gnutls28-3.4.10/debian/patches/series gnutls28-3.4.10/debian/patches/series
--- gnutls28-3.4.10/debian/patches/series	2020-06-17 21:06:13.000000000 +0000
+++ gnutls28-3.4.10/debian/patches/series	2021-08-27 13:19:17.000000000 +0000
@@ -41,3 +41,8 @@
 allow_broken_priority_string.patch
 allow_sha1_priority_string.patch
 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch
+0001-gnutls_x509_trust_list_verify_crt2-treat-signers-wit.patch
+44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
+44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch
+44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch
+0001-tests-modified-pkcs1-pad-to-account-for-alt-path-sea.patch