From: Nikos Mavrogiannopoulos
Date: Thu, 23 Jun 2016 21:24:19 +0000 (+0200)
Subject: tests: pkcs11-is-known: check that no flags enforce compare
X-Git-Tag: gnutls_3_5_2~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=da45b950f7c864256cd2bd3d087e78bcd998cd8d;p=thirdparty%2Fgnutls.git

tests: pkcs11-is-known: check that no flags enforce compare
---

diff --git a/tests/pkcs11/pkcs11-is-known.c b/tests/pkcs11/pkcs11-is-known.c
index 99e946aab7..62666abaf4 100644
--- a/tests/pkcs11/pkcs11-is-known.c
+++ b/tests/pkcs11/pkcs11-is-known.c
@@ -559,19 +559,36 @@ void doit(void)
 		exit(1);
 	}
 
-	/* we should find a certificate with the same DN */
-	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, 0);
+#if 0
+	/* test searching invalid certs. the distrusted flag disables any validity check except DN and serial number
+	 * matching so it should work - unfortunately works only under p11-kit */
+
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED);
 	if (ret == 0) {
 		fail("error in gnutls_pkcs11_crt_is_known - did not get a known cert\n");
 		exit(1);
 	}
 
-	/* we should find a certificate with the same issuer DN + serial number */
-	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, 0);
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED);
 	if (ret == 0) {
 		fail("error in gnutls_pkcs11_crt_is_known - did not get a known cert\n");
 		exit(1);
 	}
+#endif
+
+	/* we should find a certificate with the same DN */
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, 0);
+	if (ret != 0) {
+		fail("error in gnutls_pkcs11_crt_is_known - found a cert that doesn't match\n");
+		exit(1);
+	}
+
+	/* we should find a certificate with the same issuer DN + serial number */
+	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_issuer, 0);
+	if (ret != 0) {
+		fail("error in gnutls_pkcs11_crt_is_known - found a cert that doesn't match\n");
+		exit(1);
+	}
 
 	/* these are invalid certificates but their key matches existing keys, the following should work */
 	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, same_dn, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
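Review bot: The two comments carried into the new assertions, `/* we should find a certificate with the same DN */` and `/* we should find a certificate with the same issuer DN + serial number */`, now state the opposite of what the code checks: with flags 0 a non-zero return triggers `fail("... found a cert that doesn't match\n")`, so the test asserts that a certificate sharing only the DN (or issuer DN + serial) is not reported as known. Suggest rewording them to state that intent, e.g. `/* with no flags a full certificate compare is enforced: a cert sharing only the DN must not be reported as known */` and the matching sentence for the issuer+serial case, since this is exactly the property the commit exists to pin down. The `#if 0` block keeps the `GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED` variant as dead code because, per its own comment, it only works under p11-kit; a runtime condition that skips those two calls instead of compiling them out would keep them type-checked against the API and make the skip visible in the test output. The enclosing `doit()` begins before and continues after this hunk.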