Diff for /embedaddon/strongswan/testing/scripts/build-certs-chroot between versions 1.1 and 1.1.1.2

version 1.1, 2020/06/03 09:46:49 version 1.1.1.2, 2021/03/17 00:20:15
Line 44  SALES_CERT="${SALES_DIR}/salesCert.pem" Line 44  SALES_CERT="${SALES_DIR}/salesCert.pem"
 SALES_CERT_DER="${SALES_DIR}/salesCert.der"  SALES_CERT_DER="${SALES_DIR}/salesCert.der"
 SALES_CDP="http://crl.strongswan.org/sales.crl"  SALES_CDP="http://crl.strongswan.org/sales.crl"
 #  #
   LEVELS_DIR="${CA_DIR}/levels"
   LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
   LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
   LEVELS_CDP="http://crl.strongswan.org/levels.crl"
   LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
   LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
   LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
   LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
   LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
   LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"
   #
 DUCK_DIR="${CA_DIR}/duck"  DUCK_DIR="${CA_DIR}/duck"
 DUCK_KEY="${DUCK_DIR}/duckKey.pem"  DUCK_KEY="${DUCK_DIR}/duckKey.pem"
 DUCK_CERT="${DUCK_DIR}/duckCert.pem"  DUCK_CERT="${DUCK_DIR}/duckCert.pem"
Line 94  mkdir -p ${RESEARCH_DIR}/certs Line 105  mkdir -p ${RESEARCH_DIR}/certs
 mkdir -p ${RESEARCH_DIR}/keys  mkdir -p ${RESEARCH_DIR}/keys
 mkdir -p ${SALES_DIR}/certs  mkdir -p ${SALES_DIR}/certs
 mkdir -p ${SALES_DIR}/keys  mkdir -p ${SALES_DIR}/keys
   mkdir -p ${LEVELS_DIR}/certs
 mkdir -p ${DUCK_DIR}/certs  mkdir -p ${DUCK_DIR}/certs
 mkdir -p ${ECDSA_DIR}/certs  mkdir -p ${ECDSA_DIR}/certs
 mkdir -p ${RFC3779_DIR}/certs  mkdir -p ${RFC3779_DIR}/certs
Line 159  done Line 171  done
   
 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios  # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
 for t in host2host-initiator host2host-responder host2host-xfrmproxy \  for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey         multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
          xfrmproxy-rekey
 do  do
   TEST="${TEST_DIR}/tkm/${t}"    TEST="${TEST_DIR}/tkm/${t}"
   mkdir -p ${TEST}/hosts/moon/${TKM_DIR}    mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
Line 447  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs Line 460  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private  cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs  cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
   
# Generate another carol certificate with SN=002# Generate another carol certificate with serialNumber=002
 TEST="${TEST_DIR}/ikev2/two-certs"  TEST="${TEST_DIR}/ikev2/two-certs"
 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"  TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"  TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
Line 457  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs Line 470  mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \      --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
     --outform pem > ${TEST_CERT}      --outform pem > ${TEST_CERT}
 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem  cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
   
Line 579  done Line 592  done
 # Convert Sales CA certificate into DER format  # Convert Sales CA certificate into DER format
 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}  openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
   
   ################################################################################
   # Multi-level CA Certificate Generation                                        #
   ################################################################################
   
   # Generate Levels Root CA (pathlen is higher than the regular root)
   pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY}
   pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \
       --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
       --outform pem > ${LEVELS_CERT}
   
   # For TKM's CA ID mapping
   LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}`
   
   # Generate Levels L2 CA signed by Levels Root CA
   pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY}
   pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \
       --type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \
       --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
       --outform pem > ${LEVELS_L2_CERT}
   
   # Generate Levels L3 CA signed by Levels L2 CA
   pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY}
   pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \
       --type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \
       --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
       --outform pem > ${LEVELS_L3_CERT}
   
   for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
   do
     TEST="${TEST_DIR}/${t}"
     for h in moon carol
     do
       mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
       cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
     done
     cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
     cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
   done
   
   # Put DER-encoded Levels CA certificate into tkm scenario
   TEST="${TEST_DIR}/tkm/multi-level-ca"
   mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
   openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der
   
   ################################################################################
   
 # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate  # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
 TEST="${TEST_DIR}/ikev2/strong-keys-certs"  TEST="${TEST_DIR}/ikev2/strong-keys-certs"
 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"  TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
Line 1114  cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index. Line 1173  cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.
 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt  sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
   
 ################################################################################  ################################################################################
   # Levels L3 CA                                                                 #
   ################################################################################
   
   # Generate a carol l3 certificate
   TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
   TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
   TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
   CN="carol@strongswan.org"
   SERIAL="01"
   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
   pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
   pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
       --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
       --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
       --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
   cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
   
   for t in tkm/multi-level-ca
   do
     TEST="${TEST_DIR}/${t}"
     mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
     mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
     cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
     cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
   done
   
   ################################################################################
 # strongSwan EC Root CA                                                        #  # strongSwan EC Root CA                                                        #
 ################################################################################  ################################################################################
   
Line 1924  do Line 2011  do
   sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \    sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
       -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \        -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
       ${TEST_DATA}.in > ${TEST_DATA}        ${TEST_DATA}.in > ${TEST_DATA}
   done
   
   ################################################################################
   # TKM CA ID mapping                                                            #
   ################################################################################
   
   for t in host2host-initiator host2host-responder host2host-xfrmproxy \
            multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
            xfrmproxy-rekey
   do
     for h in moon
     do
       TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
       sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
           -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
           -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \
           ${TEST_DATA}.in > ${TEST_DATA}
     done
   done
   
   for t in multiple-clients
   do
     for h in sun
     do
       TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
       sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
           -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
           ${TEST_DATA}.in > ${TEST_DATA}
     done
 done  done
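Review bot: The loop variable `h` in the new "TKM CA ID mapping" block is never used — `for h in moon` is followed by `TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"`, which hardcodes `moon`, while the sibling `multiple-clients` loop a few lines below builds the same path from `${h}`. Either drop the inner loop or write `TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"` so the two blocks match and adding a second host to the list later cannot silently rewrite the wrong file. The values substituted via `sed` are hex key identifiers, so the `/`-delimited patterns are safe as written, but a short comment such as `# SPK/SPKI values are hex only, safe as sed replacement text` would make that assumption explicit. Separately, the Levels L2 and L3 CA certificates carry CRL distribution points (`levels.crl`, `levels_l2.crl`) that nothing in this diff generates — presumably intentional for the multi-level-ca scenarios or handled elsewhere in the script, but worth confirming so revocation checking in those tests does not fail for the wrong reason.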
