From 338ed5bea4fcd0b5b1cdcfb96a789edf6251bbdd Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sat, 23 Dec 2023 12:20:03 +0100
Subject: [PATCH 1/2] ukify: make the test happy with the latest OpenSSL

Which dropped some whitespaces in the output:

$ openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
$ openssl x509 -in cert.pem -text -noout | grep Issuer
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd

$ openssl version
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
$ openssl x509 -in cert.pem -text -noout | grep Issuer
        Issuer: C = XX, L = Default City, O = Default Company Ltd

Making test-ukify unhappy:

>       assert 'Issuer: CN = SecureBoot signing key on host' in out
E       AssertionError: assert 'Issuer: CN = SecureBoot signing key on host' in '<...snip...>Issuer: CN=SecureBoot signing key on host archlinux2\n...'
---
 src/ukify/test/test_ukify.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index 7db7c6ba61a..0a0a9024e96 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -859,7 +859,7 @@ def test_key_cert_generation(tmp_path):
         '-noout',
     ], text = True)
     assert 'Certificate' in out
-    assert 'Issuer: CN = SecureBoot signing key on host' in out
+    assert re.search('Issuer: CN\s?=\s?SecureBoot signing key on host', out)
 
 if __name__ == '__main__':
     sys.exit(pytest.main(sys.argv))

From 4e5984f0271dd14d24aa25ff1d5401378acaa7c4 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sat, 23 Dec 2023 13:33:11 +0100
Subject: [PATCH 2/2] test: make sure the dummy CA certificate is marked as
 such

With OpenSSL 3.2.0+ this is necessary, otherwise the verification
of such CA certificate fails badly:

$ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532
...
Connecting to ::1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=79:invalid CA certificate
verify return:1
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=26:unsuitable certificate purpose
verify return:1
...
---
SSL handshake has read 1566 bytes and written 409 bytes
Verification error: unsuitable certificate purpose
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 26 (unsuitable certificate purpose)
---
 test/units/testsuite-04.journal-remote.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/test/units/testsuite-04.journal-remote.sh b/test/units/testsuite-04.journal-remote.sh
index b7d9cbd81ba..c7b99b11fbb 100755
--- a/test/units/testsuite-04.journal-remote.sh
+++ b/test/units/testsuite-04.journal-remote.sh
@@ -109,6 +109,11 @@ L = Brno
 O = Foo
 OU = Bar
 CN = Test CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
 EOF
 cat >/run/systemd/remote-pki/client.conf <<EOF
 [ req ]
@@ -136,9 +141,11 @@ CN = localhost
 EOF
 # Generate a dummy CA
 openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \
+            -extensions v3_ca \
             -config /run/systemd/remote-pki/ca.conf \
             -keyout /run/systemd/remote-pki/ca.key \
             -out /run/systemd/remote-pki/ca.crt
+openssl x509 -in /run/systemd/remote-pki/ca.crt -noout -text
 echo 01 >/run/systemd/remote-pki/ca.srl
 # Generate a client key and signing request
 openssl req -nodes -newkey rsa:2048 -sha256 \