From: Dr. David von Oheimb Date: Mon, 23 Dec 2019 19:15:49 +0000 (+0100) Subject: Make x509 -force_pubkey test case with self-issued cert more realistic X-Git-Tag: openssl-3.0.0-alpha5~129 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4acd484d55ac3c86091e42f81479f514d0cf8b17;p=thirdparty%2Fopenssl.git Make x509 -force_pubkey test case with self-issued cert more realistic by adding CA basic constraints, CA key usage, and key IDs to the cert and by add -partial_chain to the verify call that trusts this cert Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/10587)
---
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 427c6b7fea1..250738487a5 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -41,6 +41,7 @@ SKIP: {
 # producing and checking self-issued (but not self-signed) cert
 my @path = qw(test certs);
 my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem
+ my $extfile = srctop_file("test", "v3_ca_exts.cnf");
 my $pkey = srctop_file(@path, "ca-key.pem"); # issuer private key
 my $pubkey = "ca-pubkey.pem"; # the corresponding issuer public key
 # use any (different) key for signing our self-issued cert:
@@ -50,10 +51,13 @@ SKIP: {
 ok(run(app(["openssl", "pkey", "-in", $pkey, "-pubout", "-out", $pubkey]))
 && run(app(["openssl", "x509", "-new", "-force_pubkey", $pubkey,
- "-subj", $subj, "-signkey", $signkey, "-out", $selfout]))
+ "-subj", $subj, "-extfile", $extfile,
+ "-signkey", $signkey, "-out", $selfout]))
 && run(app(["openssl", "verify", "-no_check_time",
- "-trusted", $selfout, $testcert])));
+ "-trusted", $selfout, "-partial_chain", $testcert])));
+ unlink $pubkey;
+ unlink $selfout;
 }
 subtest 'x509 -- x.509 v1 certificate' => sub {
diff --git a/test/v3_ca_exts.cnf b/test/v3_ca_exts.cnf
new file mode 100644
index 00000000000..a6d3245fb4e
--- /dev/null
+++ b/test/v3_ca_exts.cnf
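Review bot: The `ok(...)` chain in the second hunk asserts only the accepting path, namely that `openssl verify` succeeds when the self-issued cert is passed via `-trusted` together with `-partial_chain`. Nothing here pins the rejecting side of that trust decision; if the intent is that this non-self-signed cert is accepted as an anchor only with the flag (the commit message suggests so, but the hunk does not show it), a companion `ok(!run(app(["openssl", "verify", "-no_check_time", "-trusted", $selfout, $testcert])));` placed before the two `unlink` calls would catch a regression. The added `unlink $pubkey; unlink $selfout;` also run when the assertion fails, which discards the generated cert needed to diagnose the failure; capturing the result as `my $ok = ok(...)` and writing `unlink $pubkey, $selfout if $ok;` would keep the artifacts in that case. The enclosing `SKIP:` block starts outside the hunk.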
@@ -0,0 +1,5 @@
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
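Review bot: `basicConstraints` and `keyUsage` are added without the `critical` flag, which RFC 5280 requires for basicConstraints in CA certificates and recommends for keyUsage. Since the stated goal is a more realistic CA cert, `basicConstraints = critical, CA:true` and `keyUsage = critical, cRLSign, keyCertSign` would match what a conforming CA emits. As written, the fixture would not exercise any verification handling that is specific to critical extensions. A header comment such as `# CA extensions for the self-issued cert in test/recipes/25-test_x509.t` would also tell readers which test consumes this file.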