test: make sure the dummy CA certificate is marked as such

With OpenSSL 3.2.0+ this is necessary, otherwise the verification of such CA certificate fails badly: $ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532 ... Connecting to ::1 CONNECTED(00000003) Can't use SSL_get_servername depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA verify error:num=79:invalid CA certificate verify return:1 depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA verify error:num=26:unsuitable certificate purpose verify return:1 ... --- SSL handshake has read 1566 bytes and written 409 bytes Verification error: unsuitable certificate purpose --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 26 (unsuitable certificate purpose)
2024-12-22 17:35:35 +03:00 · 2023-12-23 13:33:11 +01:00 · 2023-12-23 13:33:11 +01:00 · 4e5984f027
commit 4e5984f027
parent 338ed5bea4
1 changed files with 7 additions and 0 deletions
--- a/test/units/testsuite-04.journal-remote.sh
+++ b/test/units/testsuite-04.journal-remote.sh
@ -109,6 +109,11 @@ L = Brno
 O = Foo
 OU = Bar
 CN = Test CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
 EOF
 cat >/run/systemd/remote-pki/client.conf <<EOF
 [ req ]
@ -136,9 +141,11 @@ CN = localhost
 EOF
 # Generate a dummy CA
 openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \
+            -extensions v3_ca \
            -config /run/systemd/remote-pki/ca.conf \
            -keyout /run/systemd/remote-pki/ca.key \
            -out /run/systemd/remote-pki/ca.crt
+openssl x509 -in /run/systemd/remote-pki/ca.crt -noout -text
 echo 01 >/run/systemd/remote-pki/ca.srl
 # Generate a client key and signing request
 openssl req -nodes -newkey rsa:2048 -sha256 \