[apple/security.git] / SecurityTests / clxutils / certcrl / testSubjects / pkinitPolicy / pkinitPolicy.scr

# 
# verify PKINIT policy
# The certs noCA.cer and noBC.cer must be in your trusted KDC keychain or otherwise
# be trusted somehow. You can add them using the pkinitTool (tech/dmitch/Misc/pkinitTool/)
# like so:
#
#       % pkinitTool t noCA.cer
#       ...KDC cert trust assignment successful
#       % pkinitTool t noBC.cer
#       ...KDC cert trust assignment successful
#
globals
certNetFetchEnable = false
useSystemAnchors = true
allowUnverified = true
end

test = "Client, root cert, expect fail"
policy = pkinitClient
cert = noCA.cer
error = CSSMERR_TP_INVALID_ANCHOR_CERT
end

test = "Server, CA, expect fail"
policy = pkinitServer
cert = CA.cer
error = CSSMERR_TP_INVALID_ANCHOR_CERT
end

test = "Server, !CA, success"
policy = pkinitServer
cert = noCA.cer
end

test = "Server, !BC, success"
policy = pkinitServer
cert = noBC.cer
end
Commit	Line	Data
d8f41ccd A	1	#
	2	# verify PKINIT policy
	3	# The certs noCA.cer and noBC.cer must be in your trusted KDC keychain or otherwise
	4	# be trusted somehow. You can add them using the pkinitTool (tech/dmitch/Misc/pkinitTool/)
	5	# like so:
	6	#
	7	# % pkinitTool t noCA.cer
	8	# ...KDC cert trust assignment successful
	9	# % pkinitTool t noBC.cer
	10	# ...KDC cert trust assignment successful
	11	#
	12	globals
	13	certNetFetchEnable = false
	14	useSystemAnchors = true
	15	allowUnverified = true
	16	end
	17
	18	test = "Client, root cert, expect fail"
	19	policy = pkinitClient
	20	cert = noCA.cer
	21	error = CSSMERR_TP_INVALID_ANCHOR_CERT
	22	end
	23
	24	test = "Server, CA, expect fail"
	25	policy = pkinitServer
	26	cert = CA.cer
	27	error = CSSMERR_TP_INVALID_ANCHOR_CERT
	28	end
	29
	30	test = "Server, !CA, success"
	31	policy = pkinitServer
	32	cert = noCA.cer
	33	end
	34
	35	test = "Server, !BC, success"
	36	policy = pkinitServer
	37	cert = noBC.cer
	38	end