author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-06-23 23:24:19 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-06-23 23:38:11 +0200 |
commit | da45b950f7c864256cd2bd3d087e78bcd998cd8d (patch) | |
tree | 3edc1bd685a900f9aee20977dc7b703179a31c2e | |
parent | a90b2e85142cc27c1b6fbf468bcb62252453c6fa (diff) | |
download | gnutls-da45b950f7c864256cd2bd3d087e78bcd998cd8d.tar.gz |
tests: pkcs11-is-known: check that no flags enforce compare
-rw-r--r-- | tests/pkcs11/pkcs11-is-known.c | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/tests/pkcs11/pkcs11-is-known.c b/tests/pkcs11/pkcs11-is-known.c
index 99e946aab7..62666abaf4 100644
--- a/tests/pkcs11/pkcs11-is-known.c
+++ b/tests/pkcs11/pkcs11-is-known.c
@@ -559,19 +559,36 @@ void doit(void)
 		exit(1);
 	}
 
-	/* we should find a certificate with the same DN */
-	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, 0);
+#if 0
+	/* test searching invalid certs. the distrusted flag disables any validity check except DN and serial number
+	 * matching so it should work - unfortunately works only under p11-kit */
+
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED);
 	if (ret == 0) {
 		fail("error in gnutls_pkcs11_crt_is_known - did not get a known cert\n");
 		exit(1);
 	}
 
-	/* we should find a certificate with the same issuer DN + serial number */
-	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, 0);
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED);
 	if (ret == 0) {
 		fail("error in gnutls_pkcs11_crt_is_known - did not get a known cert\n");
 		exit(1);
 	}
+#endif
+
+	/* we should find a certificate with the same DN */
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, 0);
+	if (ret != 0) {
+		fail("error in gnutls_pkcs11_crt_is_known - found a cert that doesn't match\n");
+		exit(1);
+	}
+
+	/* we should find a certificate with the same issuer DN + serial number */
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, 0);
+	if (ret != 0) {
+		fail("error in gnutls_pkcs11_crt_is_known - found a cert that doesn't match\n");
+		exit(1);
+	}
 
 	/* these are invalid certificates but their key matches existing keys, the following should work */
 	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); |
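Review bot: The comments above the two new `ret != 0` checks still read `/* we should find a certificate with the same DN */` and `/* we should find a certificate with the same issuer DN + serial number */`, but the assertions beneath them now require the lookup to fail, so each comment states the opposite of what is tested and hides the point of the commit (a DN-only or issuer+serial-only match must not be reported as known when no compare flags are given). Suggest `/* same DN only: must not be reported as known without compare flags */` and `/* same issuer DN + serial only: must not be reported as known without compare flags */`. The `#if 0` block keeps the RETRIEVE_DISTRUSTED cases compiled out with a note that they only pass under p11-kit; a runtime skip keyed on the backend would keep those cases from silently rotting, though the hunk does not show whether the test already detects which provider is loaded. doit() starts and ends outside this hunk.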