Make x509 -force_pubkey test case with self-issued cert more realistic
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Mon, 23 Dec 2019 19:15:49 +0000 (20:15 +0100)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Wed, 1 Jul 2020 09:14:54 +0000 (11:14 +0200)
by adding CA basic constraints, CA key usage, and key IDs to the cert
and by adding -partial_chain to the verify call that trusts this cert

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

test/recipes/25-test_x509.t
test/v3_ca_exts.cnf [new file with mode: 0644]

index 427c6b7fea1279b71a42650ff9b8330a53fbb56b..250738487a56d4514a95a8510183937203e6f4c8 100644 (file)
@@ -41,6 +41,7 @@ SKIP: {
     # producing and checking self-issued (but not self-signed) cert
     my @path = qw(test certs);
     my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem
+    my $extfile = srctop_file("test", "v3_ca_exts.cnf");
     my $pkey = srctop_file(@path, "ca-key.pem"); #  issuer private key
     my $pubkey = "ca-pubkey.pem"; # the corresponding issuer public key
     # use any (different) key for signing our self-issued cert:
@@ -50,10 +51,13 @@ SKIP: {
     ok(run(app(["openssl", "pkey", "-in", $pkey, "-pubout", "-out", $pubkey]))
        &&
        run(app(["openssl", "x509", "-new", "-force_pubkey", $pubkey,
-                "-subj", $subj, "-signkey", $signkey, "-out", $selfout]))
+                "-subj", $subj, "-extfile", $extfile,
+                "-signkey", $signkey, "-out", $selfout]))
        &&
        run(app(["openssl", "verify", "-no_check_time",
-                "-trusted", $selfout, $testcert])));
+                "-trusted", $selfout, "-partial_chain", $testcert])));
+    unlink $pubkey;
+    unlink $selfout;
 }
 
 subtest 'x509 -- x.509 v1 certificate' => sub {
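Review bot: The two `unlink` calls added after the `ok(...)` in the second hunk run unconditionally, so when the combined three-command assertion fails, `ca-pubkey.pem` and the `$selfout` certificate have already been deleted and nothing is left to inspect; their return values are also unchecked, and the `ok` still has no description. Consider capturing the result and cleaning up only on success: `my $passed = ok(run(app(["openssl", "pkey", ...` on the opening line, `"-trusted", $selfout, "-partial_chain", $testcert])), "self-issued cert from -force_pubkey verifies with -partial_chain");` in place of the new closing line, and `unlink $pubkey, $selfout if $passed;` replacing the two `unlink` statements. The enclosing `SKIP:` block begins before the first hunk, and `$selfout` and `$signkey` are declared outside the visible lines, so I have only inferred their origin.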
diff --git a/test/v3_ca_exts.cnf b/test/v3_ca_exts.cnf
new file mode 100644 (file)
index 0000000..a6d3245
--- /dev/null
@@ -0,0 +1,5 @@
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
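Review bot: The new extension file has no comment saying what it is for, and its generic name does not tell a later reader that it is consumed by the `-extfile` argument added to `test/recipes/25-test_x509.t` in this commit. Consider opening it with `# CA extensions for the self-issued -force_pubkey test cert in test/recipes/25-test_x509.t`, and the trailing empty line after `authorityKeyIdentifier` can be dropped. Because the certificate's embedded public key comes from `-force_pubkey` while its signature comes from a different `-signkey`, a one-line comment stating which key `keyid:always` is expected to reference would help, since that relationship appears to be what the `-partial_chain` verify depends on — I infer this from the test and cannot confirm it from the diff alone.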