tests: Pass --verify-profile=medium to certtool if supported

certtool emits the following message if --verify-profile is not passed: Note that no verification profile was selected. In the future the medium profile will be enabled by default. Use --verify-profile low to apply the default verification of NORMAL priority string. Pass the --verify-profile option if certtool supports it (since ~3.6.12). Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · Nov 2, 2022 · 22e975d · 22e975d
1 parent a2abd3b
commit 22e975d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/tests/test_tpm2_swtpm_localca b/tests/test_tpm2_swtpm_localca
@@ -24,6 +24,10 @@ PATH=${TOPBUILD}/src/swtpm_cert:$PATH
 
 source ${TESTDIR}/common
 
+if [ -n "$(${CERTTOOL} --help | grep -E "\-\-verify-profile")" ]; then
+	verify_profile="--verify-profile=medium"
+fi
+
 trap "cleanup" SIGTERM EXIT
 
 function cleanup()
@@ -125,6 +129,7 @@ do
 
   ${CERTTOOL} \
     --verify \
+    ${verify_profile} \
     --load-ca-certificate "${ISSUERCERT}" \
     --infile "${workdir}/ek.pem"
   if [ $? -ne 0 ]; then

diff --git a/tests/test_tpm2_swtpm_localca_pkcs11.test b/tests/test_tpm2_swtpm_localca_pkcs11.test
@@ -35,6 +35,10 @@ PATH=${TOPBUILD}/src/swtpm_cert:$PATH
 
 source ${TESTDIR}/common
 
+if [ -n "$(${CERTTOOL} --help | grep -E "\-\-verify-profile")" ]; then
+	verify_profile="--verify-profile=medium"
+fi
+
 trap "cleanup" SIGTERM EXIT
 
 function cleanup()
@@ -214,6 +218,7 @@ do
 
   GNUTLS_PIN=${PIN} ${CERTTOOL} \
     --verify \
+    ${verify_profile} \
     --load-ca-certificate ${ISSUERCERT} \
     --infile ${workdir}/ek.pem
   if [ $? -ne 0 ]; then