#
# SecurityTests/clxutils/certcrl/testSubjects/pkinitPolicy/pkinitPolicy.scr
#
# verify PKINIT policy
#
# Each test below evaluates one certificate under the pkinitClient or the
# pkinitServer policy. A test with an "error =" line names the failure it
# expects; a test without one is labelled as expecting success.
#
# Setup: the certs noCA.cer and noBC.cer must be in your trusted KDC keychain or
# otherwise be trusted somehow. You can add them using the pkinitTool
# (tech/dmitch/Misc/pkinitTool/) like so:
#
# % pkinitTool t noCA.cer
# ...KDC cert trust assignment successful
# % pkinitTool t noBC.cer
# ...KDC cert trust assignment successful
#
# The two success cases at the end of this script depend on that local trust
# state. If they fail on a freshly set-up machine, check the trust assignment
# before treating the result as a policy regression.
#

# Settings shared by every test in this script.
# NOTE(review): the key names suggest that network fetching of certs is turned
# off and that the system anchors are consulted. What allowUnverified = true
# permits is not visible from this file; confirm it in the certcrl script
# parser before copying these globals into another script.
globals
certNetFetchEnable = false
useSystemAnchors = true
allowUnverified = true
end

# Negative case, client policy: noCA.cer is expected to be rejected with
# CSSMERR_TP_INVALID_ANCHOR_CERT. This is the same file the "Server, !CA" case
# below accepts, so the pair presumably shows that the KDC trust assignment does
# not carry over to pkinitClient -- TODO confirm.
# NOTE(review): the title says "root cert" although the file is noCA.cer; verify
# which was intended.
test = "Client, root cert, expect fail"
policy = pkinitClient
cert = noCA.cer
error = CSSMERR_TP_INVALID_ANCHOR_CERT
end

# Negative case, server policy: CA.cer is expected to be rejected with the same
# error code. CA.cer is not among the certs the header says to mark as
# KDC-trusted; whether the rejection follows from that or from the cert being a
# CA cannot be told from this file.
test = "Server, CA, expect fail"
policy = pkinitServer
cert = CA.cer
error = CSSMERR_TP_INVALID_ANCHOR_CERT
end

# Positive case, server policy: no "error =" line. Relies on the pkinitTool
# trust assignment for noCA.cer described in the header.
test = "Server, !CA, success"
policy = pkinitServer
cert = noCA.cer
end

# Positive case, server policy: no "error =" line. Relies on the pkinitTool
# trust assignment for noBC.cer described in the header. "!BC" presumably means
# the cert carries no BasicConstraints extension -- confirm against the cert.
test = "Server, !BC, success"
policy = pkinitServer
cert = noBC.cer
end