tests: Pass --verify-profile=medium to certtool if supported

certtool emits the following message if --verify-profile is not
passed:

Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.

Pass the --verify-profile option if certtool supports it (since ~3.6.12).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

diff --git a/tests/test_tpm2_swtpm_localca b/tests/test_tpm2_swtpm_localca
index 0d6e1439580ab5cd8af73ca1d7a16c19690ff7c2..b6ff56a8988182d7925e18abca09ce985e8cd4ee 100755 (executable)
--- a/tests/test_tpm2_swtpm_localca
+++ b/tests/test_tpm2_swtpm_localca
@@ -24,6 +24,10 @@ PATH=${TOPBUILD}/src/swtpm_cert:$PATH
 
 source ${TESTDIR}/common
 
+if [ -n "$(${CERTTOOL} --help | grep -E "\-\-verify-profile")" ]; then
+       verify_profile="--verify-profile=medium"
+fi
+
 trap "cleanup" SIGTERM EXIT
 
 function cleanup()
@@ -125,6 +129,7 @@ do
 
   ${CERTTOOL} \
     --verify \
+    ${verify_profile} \
     --load-ca-certificate "${ISSUERCERT}" \
     --infile "${workdir}/ek.pem"
   if [ $? -ne 0 ]; then

diff --git a/tests/test_tpm2_swtpm_localca_pkcs11.test b/tests/test_tpm2_swtpm_localca_pkcs11.test
index c81989d85e33c787c4eb4ab4d6b82b4f3935f674..f5f7f0c2318a0a4008cb1d5acd91db096b99c06e 100755 (executable)
--- a/tests/test_tpm2_swtpm_localca_pkcs11.test
+++ b/tests/test_tpm2_swtpm_localca_pkcs11.test
@@ -35,6 +35,10 @@ PATH=${TOPBUILD}/src/swtpm_cert:$PATH
 
 source ${TESTDIR}/common
 
+if [ -n "$(${CERTTOOL} --help | grep -E "\-\-verify-profile")" ]; then
+       verify_profile="--verify-profile=medium"
+fi
+
 trap "cleanup" SIGTERM EXIT
 
 function cleanup()
@@ -214,6 +218,7 @@ do
 
   GNUTLS_PIN=${PIN} ${CERTTOOL} \
     --verify \
+    ${verify_profile} \
     --load-ca-certificate ${ISSUERCERT} \
     --infile ${workdir}/ek.pem
   if [ $? -ne 0 ]; then