test: make sure the dummy CA certificate is marked as such 30603/head
authorFrantisek Sumsal <frantisek@sumsal.cz>
Sat, 23 Dec 2023 12:33:11 +0000 (13:33 +0100)
committerFrantisek Sumsal <frantisek@sumsal.cz>
Sat, 23 Dec 2023 12:42:09 +0000 (13:42 +0100)
With OpenSSL 3.2.0+ this is necessary; otherwise verification of such a CA certificate fails outright:

$ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532
...
Connecting to ::1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=79:invalid CA certificate
verify return:1
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=26:unsuitable certificate purpose
verify return:1
...
---
SSL handshake has read 1566 bytes and written 409 bytes
Verification error: unsuitable certificate purpose
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 26 (unsuitable certificate purpose)

test/units/testsuite-04.journal-remote.sh

index b7d9cbd81ba9650f65daae2095aa9ddaf6869c6f..c7b99b11fbb7ffdcab8f00740168a5c879163e32 100755 (executable)
@@ -109,6 +109,11 @@ L = Brno
 O = Foo
 OU = Bar
 CN = Test CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
 EOF
 cat >/run/systemd/remote-pki/client.conf <<EOF
 [ req ]
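Review bot: The new `basicConstraints = CA:true` in `[ v3_ca ]` is not marked critical and no `keyUsage` is set, so the dummy CA is still looser than the RFC 5280 CA profile (basicConstraints MUST be critical in a CA certificate) and its key is not restricted to certificate signing. Since the commit exists to satisfy OpenSSL 3.2's stricter CA checks, tightening the section to `basicConstraints = critical, CA:true` and `keyUsage = critical, keyCertSign, cRLSign` would make the test CA look like a real one and avoid tripping the next strictness increase. `authorityKeyIdentifier = keyid:always,issuer:always` on a self-signed certificate merely mirrors the SKID, which is fine here. The heredoc that writes ca.conf begins before this hunk.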
@@ -136,9 +141,11 @@ CN = localhost
 EOF
 # Generate a dummy CA
 openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \
+            -extensions v3_ca \
             -config /run/systemd/remote-pki/ca.conf \
             -keyout /run/systemd/remote-pki/ca.key \
             -out /run/systemd/remote-pki/ca.crt
+openssl x509 -in /run/systemd/remote-pki/ca.crt -noout -text
 echo 01 >/run/systemd/remote-pki/ca.srl
 # Generate a client key and signing request
 openssl req -nodes -newkey rsa:2048 -sha256 \
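Review bot: The added `openssl x509 -in ... -noout -text` only prints the certificate to the log; nothing asserts that the CA flag actually ended up in it, so a typo in the `-extensions v3_ca` section name would leave the CA unmarked and the failure would only surface later as an opaque handshake error. A check such as `openssl x509 -in /run/systemd/remote-pki/ca.crt -noout -ext basicConstraints | grep -q 'CA:TRUE'` (or piping the existing `-text` dump through the same grep) would pin the exact property this commit is about; this assumes the script aborts on a non-zero status, as systemd's other test units do, which is not visible in the hunk. The rest of the PKI generation continues past the end of this hunk.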