authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-23 23:24:19 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-23 23:38:11 +0200
commitda45b950f7c864256cd2bd3d087e78bcd998cd8d (patch)
tree3edc1bd685a900f9aee20977dc7b703179a31c2e
parenta90b2e85142cc27c1b6fbf468bcb62252453c6fa (diff)
tests: pkcs11-is-known: check that no flags enforce compare
-rw-r--r--tests/pkcs11/pkcs11-is-known.c25
1 files changed, 21 insertions, 4 deletions
diff --git a/tests/pkcs11/pkcs11-is-known.c b/tests/pkcs11/pkcs11-is-known.c
index 99e946aab7..62666abaf4 100644
--- a/tests/pkcs11/pkcs11-is-known.c
+++ b/tests/pkcs11/pkcs11-is-known.c
@@ -559,19 +559,36 @@ void doit(void)
exit(1);
}
- /* we should find a certificate with the same DN */
- ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, 0);
+#if 0
+ /* test searching invalid certs. the distrusted flag disables any validity check except DN and serial number
+ * matching so it should work - unfortunately works only under p11-kit */
+
+ ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED);
if (ret == 0) {
fail("error in gnutls_pkcs11_crt_is_known - did not get a known cert\n");
exit(1);
}
- /* we should find a certificate with the same issuer DN + serial number */
- ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, 0);
+ ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED);
if (ret == 0) {
fail("error in gnutls_pkcs11_crt_is_known - did not get a known cert\n");
exit(1);
}
+#endif
+
+ /* we should find a certificate with the same DN */
+ ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, 0);
+ if (ret != 0) {
+ fail("error in gnutls_pkcs11_crt_is_known - found a cert that doesn't match\n");
+ exit(1);
+ }
+
+ /* we should find a certificate with the same issuer DN + serial number */
+ ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, 0);
+ if (ret != 0) {
+ fail("error in gnutls_pkcs11_crt_is_known - found a cert that doesn't match\n");
+ exit(1);
+ }
/* these are invalid certificates but their key matches existing keys, the following should work */
ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
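Review bot: The comments kept above the two no-flag calls, `/* we should find a certificate with the same DN */` and `/* we should find a certificate with the same issuer DN + serial number */`, now say the opposite of what the new assertions enforce, since `if (ret != 0)` fails the test when a certificate is found. Going by the commit title, gnutls_pkcs11_crt_is_known() with flags 0 is meant to require a full comparison, so they should read something like `/* with no flags the whole certificate is compared; a cert that only shares the DN must not be known */` and `/* with no flags, a cert that only shares issuer DN + serial number must not be known */`. The test pins a trust decision, and a stale comment invites a later maintainer to flip the check back to accepting look-alike certificates. The `#if 0` block also leaves the GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED path with no coverage; if it really works only under p11-kit, a build-time condition or a runtime skip would keep it exercised where it can run. doit() starts and ends outside this hunk.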