From 5d99216f5944ab5a430c14b5afd058c1cab0fafa Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: May 15 2015 20:53:33 +0000
Subject: Extend a post-0.77 test case for that last change Add a case to test36 where we go back and make sure that in non-preserving mode, the number of private keys we have _doesn't_ grow in the tried-to-rekey-but-the-CA-reused-an-old-key case.
---
diff --git a/tests/036-getcert/expected.out b/tests/036-getcert/expected.out
index 203a6de..c1a13c8 100644
--- a/tests/036-getcert/expected.out
+++ b/tests/036-getcert/expected.out
@@ -64,4 +64,11 @@ keys:3
 pk12util: PKCS12 EXPORT SUCCESSFUL
 cert:1
 key:1
+[Database, rekey with jerk CA, nonpreserving]
+Resubmitting "first" to "jerkca".
+certs:1
+keys:3
+pk12util: PKCS12 EXPORT SUCCESSFUL
+cert:1
+key:1
 OK
diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
index 42d4f63..1c99803 100755
--- a/tests/036-getcert/run.sh
+++ b/tests/036-getcert/run.sh
@@ -155,7 +155,7 @@ extract "$tmpdir"/files
 # exists where we expect it to be.
 cmp -s "$tmpdir"/files/key "$tmpdir"/backup/key && echo ERROR: keys were not changed on rekey
 cmp -s "$tmpdir"/files/cert "$tmpdir"/backup/cert && echo ERROR: cert was not changed on rekey
-certutil -K -d "$tmpdir"/db -n 'first (serial 1235)' -f "$tmpdir"/db/pinfile | grep -v Checking | grep -v '^$' | awk '{print $3}' > "$tmpdir"/files/id.old
+certutil -K -d "$tmpdir"/db -f "$tmpdir"/db/pinfile | grep -v Checking | grep -v first | grep -v '^$' | awk '{print $3}' > "$tmpdir"/files/id.old
 cmp -s "$tmpdir"/backup/id "$tmpdir"/files/id.old || echo ERROR: old keys were not saved on rekey
 # Save the key and cert we just generated.
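Review bot: The replacement certutil line on the `+` side of the run.sh hunk at -155 filters with `grep -v first`, an unanchored substring match over every `certutil -K` output line, so any other key in the database whose nickname happens to contain "first" would also be dropped from id.old and the following `cmp` would then wrongly report the old keys as unsaved. Anchoring the filter to the nickname form the removed line used, `grep -v -F -- 'first (serial'`, keeps the intent of excluding the current certificate's key without the substring hazard. The pipeline also runs without pipefail, so a failing certutil produces an empty id.old and the error surfaces only indirectly through the `cmp` against backup/id; `set -o pipefail` near the top of the script (outside this hunk) would make that failure explicit. The test block this line belongs to begins before the hunk.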
@@ -172,4 +172,19 @@ extract "$tmpdir"/files
 cmp -s "$tmpdir"/files/key "$tmpdir"/backup/key || echo ERROR: keys were changed on failed rekey
 cmp -s "$tmpdir"/files/cert "$tmpdir"/backup/cert || echo ERROR: cert was not changed on failed rekey
+echo key_preserve=0 >> "$tmpdir"/requests/*
+# Save the key and cert we just generated.
+cp "$tmpdir"/files/cert "$tmpdir"/files/key "$tmpdir"/backup
+# ID is based on a hash of the public key, so use that for comparison, since
+# pk12util can't export a key that doesn't have a certificate to go with it.
+certutil -K -d "$tmpdir"/db -f "$tmpdir"/db/pinfile | grep -v Checking | grep -v '^$' | awk '{print $3}' > "$tmpdir"/backup/id
+# Try to generate a new key and certificate.
+echo '[Database, rekey with jerk CA, nonpreserving]'
+run "$builddir"/../src/getcert rekey -c jerkca -w --wait-timeout=$timeout -d "$tmpdir"/db -n first
+listdb
+extract "$tmpdir"/files
+# Make sure we didn't nuke the old key.
+cmp -s "$tmpdir"/files/key "$tmpdir"/backup/key || echo ERROR: keys were changed on failed rekey
+cmp -s "$tmpdir"/files/cert "$tmpdir"/backup/cert || echo ERROR: cert was not changed on failed rekey
+
 echo OK
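Review bot: The last added `cmp` line prints `ERROR: cert was not changed on failed rekey` on its `||` branch, which runs precisely when the two files differ, so the message states the opposite of what was detected; the context line above the additions carries the same inverted wording, but the new copy should read `|| echo ERROR: cert was changed on failed rekey`. `"$tmpdir"/backup/id` is written by the added certutil line yet nothing later in the stanza compares it, so the commit's stated goal (the private-key count must not grow on a non-preserving rekey against the jerk CA) rests only on the `keys:3` line in expected.out; an explicit check after `extract` would pin it: `certutil -K -d "$tmpdir"/db -f "$tmpdir"/db/pinfile | grep -v Checking | grep -v '^$' | awk '{print $3}' > "$tmpdir"/files/id.new` followed by `cmp -s "$tmpdir"/backup/id "$tmpdir"/files/id.new || echo ERROR: key set changed on failed nonpreserving rekey`. `echo key_preserve=0 >> "$tmpdir"/requests/*` depends on the glob matching exactly one file, because bash treats a multi-file match as an ambiguous redirect and skips the append; presumably the fixture holds a single request here, but naming the file would make that assumption visible.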