@@ -120,7 +120,7 @@ impl RestrictableKeyType for Asymmetric {
120120
121121#[ cfg( test) ]
122122mod tests {
123- use crate :: keytypes:: { AsymmetricRestriction , User } ;
123+ use crate :: keytypes:: { Asymmetric , AsymmetricRestriction , User } ;
124124 use crate :: tests:: utils;
125125 use crate :: KeyRestriction ;
126126
@@ -179,4 +179,67 @@ mod tests {
179179 assert_eq ! ( restriction. restriction( ) , expected. as_ref( ) ) ;
180180 }
181181 }
182+
183+ #[ test]
184+ fn test_restrict_keyring_chain ( ) {
185+ let mut keyring = utils:: new_test_keyring ( ) ;
186+
187+ // Create and populate a keyring for root certificates.
188+ let mut root = keyring. add_keyring ( "root-certs" ) . unwrap ( ) ;
189+ let root1_certificate = & include_bytes ! ( "data/ca/ca-1.root.crt.der" ) [ ..] ;
190+ let root2_certificate = & include_bytes ! ( "data/ca/ca-2.root.crt.der" ) [ ..] ;
191+ root. add_key :: < Asymmetric , _ , _ > ( "root1" , root1_certificate)
192+ . unwrap ( ) ;
193+ root. add_key :: < Asymmetric , _ , _ > ( "root1" , root2_certificate)
194+ . unwrap ( ) ;
195+
196+ // Create a keyring to restrict.
197+ let mut chain = keyring. add_keyring ( "chain" ) . unwrap ( ) ;
198+ let restriction = AsymmetricRestriction :: Keyring {
199+ keyring : root,
200+ chained : true ,
201+ } ;
202+ chain
203+ . restrict_by_type :: < Asymmetric , _ > ( restriction)
204+ . unwrap ( ) ;
205+
206+ // Add certificates in order.
207+ let intermediate_a = & include_bytes ! ( "data/ca/ca.intermediate.crt.der" ) [ ..] ;
208+ chain
209+ . add_key :: < Asymmetric , _ , _ > ( "intermediate_a" , intermediate_a)
210+ . unwrap ( ) ;
211+ let intermediate_b = & include_bytes ! ( "data/ca/intermediate.term.crt.der" ) [ ..] ;
212+ chain
213+ . add_key :: < Asymmetric , _ , _ > ( "intermediate_b" , intermediate_b)
214+ . unwrap ( ) ;
215+ let terminal = & include_bytes ! ( "data/ca/ca-1.term.crt.der" ) [ ..] ;
216+ chain
217+ . add_key :: < Asymmetric , _ , _ > ( "terminal" , terminal)
218+ . unwrap ( ) ;
219+ }
220+
221+ #[ test]
222+ fn test_restrict_keyring_fail ( ) {
223+ let mut keyring = utils:: new_test_keyring ( ) ;
224+
225+ // Create and populate a keyring for root certificates.
226+ let root = keyring. add_keyring ( "root-certs" ) . unwrap ( ) ;
227+
228+ // Create a keyring to restrict.
229+ let mut chain = keyring. add_keyring ( "chain" ) . unwrap ( ) ;
230+ let restriction = AsymmetricRestriction :: Keyring {
231+ keyring : root,
232+ chained : true ,
233+ } ;
234+ chain
235+ . restrict_by_type :: < Asymmetric , _ > ( restriction)
236+ . unwrap ( ) ;
237+
238+ // Add certificates in order.
239+ let terminal = & include_bytes ! ( "data/ca/self.term.crt.der" ) [ ..] ;
240+ let err = chain
241+ . add_key :: < Asymmetric , _ , _ > ( "self" , terminal)
242+ . unwrap_err ( ) ;
243+ assert_eq ! ( err, errno:: Errno ( libc:: EINVAL ) ) ;
244+ }
182245}
0 commit comments