SecurityTests/clxutils/certcrl/testSubjects/pkinitPolicy/pkinitPolicy.scr

   1 #
   2 # verify PKINIT policy
   3 # The certs noCA.cer and noBC.cer must be in your trusted KDC keychain or otherwise
   4 # be trusted somehow. You can add them using the pkinitTool (tech/dmitch/Misc/pkinitTool/)
   5 # like so:
   6 #
   7 #       % pkinitTool t noCA.cer
   8 #       ...KDC cert trust assignment successful
   9 #       % pkinitTool t noBC.cer
  10 #       ...KDC cert trust assignment successful
  11 #
  12 globals
  13 certNetFetchEnable = false
  14 useSystemAnchors = true
  15 allowUnverified = true
  16 end
  17
  18 test = "Client, root cert, expect fail"
  19 policy = pkinitClient
  20 cert = noCA.cer
  21 error = CSSMERR_TP_INVALID_ANCHOR_CERT
  22 end
  23
  24 test = "Server, CA, expect fail"
  25 policy = pkinitServer
  26 cert = CA.cer
  27 error = CSSMERR_TP_INVALID_ANCHOR_CERT
  28 end
  29
  30 test = "Server, !CA, success"
  31 policy = pkinitServer
  32 cert = noCA.cer
  33 end
  34
  35 test = "Server, !BC, success"
  36 policy = pkinitServer
  37 cert = noBC.cer
  38 end