author    James Bottomley <James.Bottomley@HansenPartnership.com>  2023-12-04 18:28:16 -0500
committer James Bottomley <James.Bottomley@HansenPartnership.com>  2023-12-04 18:28:16 -0500
commit    ef3de36732ce9ec5299806695f01159435a2ba3d
tree      c038d5bc6a0a21ed4fc4ae69ae63f26adb74d150
parent    871f37517d53b35432dd076236d12eb451275ed8
download  openssl_tpm2_engine-ef3de36732ce9ec5299806695f01159435a2ba3d.tar.gz
fix the pkcs12 wrapping test for openssl 3.2
OpenSSL 3.2 has two problems with this test. The first is that it will no longer use a CA certificate unless it has the CA constraint set, and the second is that it seems the pkcs12 required parameters are incompatible with the local openssl.cnf. Fix both by not using the local openssl.cnf when generating non-TPM openssl files and use the v3_ca section of the global openssl.cnf to add the CA constraint.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
 tests/wrap_pkcs12.sh (mode -rwxr-xr-x) | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tests/wrap_pkcs12.sh b/tests/wrap_pkcs12.sh
index 60f04ef..9186155 100755
--- a/tests/wrap_pkcs12.sh
+++ b/tests/wrap_pkcs12.sh
@@ -10,8 +10,13 @@
openssl ecparam -genkey -name prime256v1 > tmp.param || exit 1
openssl genpkey -paramfile tmp.param -out key.priv || exit 1
-openssl req -new -x509 -subj '/CN=test CA/' -key key.priv -out tmp.crt || exit 1
-openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in tmp.crt
+# warning: openssl 3.2 bug; subshell execution with standard openssl.cnf
+# to work around
+(
+ unset OPENSSL_CONF
+ openssl req -new -x509 -subj '/CN=test CA/' -key key.priv --extensions v3_ca -out tmp.crt || exit 1
+ openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in tmp.crt
+)
${bindir}/create_tpm2_key -w tmp.p12 key.tpm || exit 1
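Review bot: the `|| exit 1` on the `openssl req` line now only terminates the subshell, and the subshell's own exit status is never checked, so a failure to generate tmp.crt no longer aborts the test the way it did before this change (the `openssl pkcs12` line has no error check at all, as before). Suggest closing the subshell with `) || exit 1`, or adding `set -e` as its first statement, so a missing tmp.crt or tmp.p12 is reported at the step that failed rather than indirectly by `create_tpm2_key -w tmp.p12` afterwards. Two smaller points: `--extensions` with a double dash is inconsistent with the single-dash options on the same line (OpenSSL's option parser accepts both forms, but `-extensions v3_ca` matches the rest of the script), and the comment should say what is actually being worked around: unsetting OPENSSL_CONF makes `openssl req` fall back to the system-wide openssl.cnf, which is where the `v3_ca` section that adds the CA constraint comes from, so the test now depends on that file existing and defining `v3_ca`; a system config without that section will make `openssl req` fail, which is worth stating in the comment.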