test: make sure the dummy CA certificate is marked as such

mrc0mmand · bluca · commit 5d712cf21925 · 2023-12-24T12:18:13.000+01:00
With OpenSSL 3.2.0+ this is necessary, otherwise the verification of such CA certificate fails badly: $ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532 ... Connecting to ::1 CONNECTED(00000003) Can't use SSL_get_servername depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA verify error:num=79:invalid CA certificate verify return:1 depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA verify error:num=26:unsuitable certificate purpose verify return:1 ... --- SSL handshake has read 1566 bytes and written 409 bytes Verification error: unsuitable certificate purpose --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 26 (unsuitable certificate purpose) (cherry picked from commit 4e5984f) (cherry picked from commit 2ea5ddf)
diff --git a/test/units/testsuite-04.journal-remote.sh b/test/units/testsuite-04.journal-remote.sh
@@ -109,6 +109,11 @@ L = Brno
 O = Foo
 OU = Bar
 CN = Test CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
 EOF
 cat >/run/systemd/remote-pki/client.conf <<EOF
 [ req ]
@@ -136,9 +141,11 @@ CN = localhost
 EOF
 # Generate a dummy CA
 openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \
+            -extensions v3_ca \
             -config /run/systemd/remote-pki/ca.conf \
             -keyout /run/systemd/remote-pki/ca.key \
             -out /run/systemd/remote-pki/ca.crt
+openssl x509 -in /run/systemd/remote-pki/ca.crt -noout -text
 echo 01 >/run/systemd/remote-pki/ca.srl
 # Generate a client key and signing request
 openssl req -nodes -newkey rsa:2048 -sha256 \
