From 338ed5bea4fcd0b5b1cdcfb96a789edf6251bbdd Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Sat, 23 Dec 2023 12:20:03 +0100
Subject: [PATCH 1/2] ukify: make the test happy with the latest OpenSSL
Which dropped some whitespaces in the output:
$ openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
$ openssl x509 -in cert.pem -text -noout | grep Issuer
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
$ openssl version
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
$ openssl x509 -in cert.pem -text -noout | grep Issuer
Issuer: C = XX, L = Default City, O = Default Company Ltd
Making test-ukify unhappy:
> assert 'Issuer: CN = SecureBoot signing key on host' in out
E AssertionError: assert 'Issuer: CN = SecureBoot signing key on host' in '<...snip...>Issuer: CN=SecureBoot signing key on host archlinux2\n...'
---
 src/ukify/test/test_ukify.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index 7db7c6ba61a..0a0a9024e96 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -859,7 +859,7 @@ def test_key_cert_generation(tmp_path):
 '-noout',
 ], text = True)
 assert 'Certificate' in out
- assert 'Issuer: CN = SecureBoot signing key on host' in out
+ assert re.search('Issuer: CN\s?=\s?SecureBoot signing key on host', out)

 if __name__ == '__main__':
 sys.exit(pytest.main(sys.argv))
From 4e5984f0271dd14d24aa25ff1d5401378acaa7c4 Mon Sep 17 00:00:00 2001
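Review bot: The added `re.search` pattern is a plain (non-raw) string literal containing `\s`, which Python treats as an invalid escape sequence — a DeprecationWarning today and a SyntaxWarning from 3.12 — so a warnings-as-errors pytest configuration turns this line into a failure; write it as a raw string, `assert re.search(r'Issuer: CN\s?=\s?SecureBoot signing key on host', out)`. The hunk does not show whether `re` is imported in test_ukify.py; if it is not, the new assertion raises NameError instead of failing cleanly. Since `\s?` also accepts a tab and `re.search` is unanchored, the check is slightly looser than the previous substring test, which is acceptable here but deserves a one-line comment such as `# OpenSSL 3.2 dropped the spaces around '=' in the Issuer line`. test_key_cert_generation starts outside the hunk.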
From: Frantisek Sumsal
Date: Sat, 23 Dec 2023 13:33:11 +0100
Subject: [PATCH 2/2] test: make sure the dummy CA certificate is marked as such
With OpenSSL 3.2.0+ this is necessary, otherwise the verification of such CA certificate fails badly:
$ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532
...
Connecting to ::1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=79:invalid CA certificate
verify return:1
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=26:unsuitable certificate purpose
verify return:1
...
---
SSL handshake has read 1566 bytes and written 409 bytes
Verification error: unsuitable certificate purpose
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 26 (unsuitable certificate purpose)
---
 test/units/testsuite-04.journal-remote.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/test/units/testsuite-04.journal-remote.sh b/test/units/testsuite-04.journal-remote.sh
index b7d9cbd81ba..c7b99b11fbb 100755
--- a/test/units/testsuite-04.journal-remote.sh
+++ b/test/units/testsuite-04.journal-remote.sh
@@ -109,6 +109,11 @@ L = Brno
 O = Foo
 OU = Bar
 CN = Test CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
 EOF
 cat >/run/systemd/remote-pki/client.conf </run/systemd/remote-pki/ca.srl # Generate a client key and signing request openssl req -nodes -newkey rsa:2048 -sha256 \
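Review bot: The new `[ v3_ca ]` section only takes effect if something references it — `x509_extensions = v3_ca` in the `[ req ]` section of this config, or `-extensions v3_ca` on the `openssl req -x509` command that consumes it — and neither is visible in this hunk, so it is worth confirming the section is actually applied; otherwise the verify error quoted in the commit message persists. The added `basicConstraints = CA:true` omits `critical`, whereas RFC 5280 requires basicConstraints to be marked critical in CA certificates and OpenSSL's sample CA configuration uses `basicConstraints = critical,CA:true`; changing that line, optionally alongside `keyUsage = critical,keyCertSign,cRLSign`, makes the dummy CA acceptable to strict verifiers as well. The heredoc this hunk extends begins outside the hunk and its tail is garbled in this view, so the surrounding `[ req ]` section and the exact openssl invocation could not be checked here.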