From: Greg Hudson
Date: Mon, 25 Aug 2014 17:02:03 +0000 (-0400)
Subject: Add test case for -keepold mkey re-encryption
X-Git-Tag: krb5-1.13-beta1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc46bfbe660b2b057a5892dd95cbf53b6d46e44a;p=thirdparty%2Fkrb5.git
Add test case for -keepold mkey re-encryption
(cherry picked from commit 8ee40f56e6c789a87dc403bf70d524d2b3b21dbf)
ticket: 7995
version_fixed: 1.13
status: resolved
---
diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py
index 477044e443..8a5b84e32a 100644
--- a/src/tests/t_mkey.py
+++ b/src/tests/t_mkey.py
@@ -279,11 +279,19 @@ update_princ_encryption(False, 3, nprincs - 1, 0)
 check_mkey_list((3, aes128, True, True), (2, defetype, True, False))
 check_mkvno(realm.user_princ, 3)
-# Regression test for #7994 (randkey does not update principal mkvno).
-add_mkey([])
+# Regression test for #7994 (randkey does not update principal mkvno)
+# and #7995 (-keepold does not re-encrypt old keys).
+add_mkey(['-s'])
 realm.run([kdb5_util, 'use_mkey', '4', 'now-1day'])
-realm.run_kadminl('cpw -randkey %s' % realm.user_princ)
+realm.run_kadminl('cpw -randkey -keepold %s' % realm.user_princ)
+# With #7994 unfixed, mkvno of user will still be 3.
 check_mkvno(realm.user_princ, 4)
+# With #7995 unfixed, old keys are still encrypted with mkvno 3.
+update_princ_encryption(False, 4, nprincs - 2, 1)
+realm.run([kdb5_util, 'purge_mkeys', '-f'])
+out = realm.run_kadminl('xst -norandkey %s' % realm.user_princ)
+if 'Decrypt integrity check failed' in out or 'added to keytab' not in out:
+ fail('Preserved old key data not updated to new master key')
 realm.stop()
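Review bot: The #7995 check is only meaningful if `purge_mkeys -f` really removed master key 3, and nothing between the purge and the `xst` call asserts that. If mkvno 3 stays in the key list, `xst -norandkey` can presumably still decrypt the preserved old keys, so the test would pass with the bug present. Asserting the key list right after the purge, in the style of the `check_mkey_list(...)` call at the top of the hunk, would make the test fail closed; for example `check_mkey_list((4, defetype, True, True))`, assuming the key added by `add_mkey(['-s'])` uses the default enctype and the tuple fields mean what they appear to mean there. The pass condition also accepts any `added to keytab` line, so it does not show that the old kvno was among the extracted entries. Finally, `xst` runs without `-k`, so the keys presumably land in whatever default keytab the test environment points at; a scratch keytab would keep the test from altering shared state.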