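#!/bin/bash
#
# Build the X.509 test PKI used by the strongSwan test scenarios: the Root CA,
# its subordinate CAs, per-host RSA keys and certificates, CRLs and the
# PKCS#8 / PKCS#12 containers some scenarios load.  Everything produced here is
# test material: private keys are stored unencrypted unless a scenario needs an
# encrypted copy, and every passphrase in this file is public.  Never reuse any
# of it outside the testing environment.

# Abort on the first failing command.  pipefail is required as well: without it
# a failing `pki` or `grep` on the left-hand side of a pipe (see the zone-file
# generation) is masked by the succeeding `sed` on the right, and errexit would
# happily continue with an empty result.
set -o errexit
set -o pipefail

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory.  readlink -f yields an absolute path, so every
# path derived from DIR stays valid regardless of the working directory; the
# quoting keeps a script location containing whitespace working.
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"

# Root CA material lives on winnetou, which also serves the CRL/OCSP URLs
# embedded into the issued certificates.
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity windows, relative to the build time.  Certificates begin two days
# in the past.  *_END use the "--not-before/--not-after" date form understood
# by pki, *_EXP the UTCTime form (YYMMDDhhmmssZ).  The SH_* values end one day
# in the past, i.e. they describe material that is already expired.
# The UTCTime strings carry a trailing Z, so they are generated with -u;
# otherwise the "Z" would label a local time as UTC.
START=$(date -d "-2 day" "+%d.%m.%y %T")
SH_END=$(date -d "-1 day" "+%d.%m.%y %T")        # 1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")     # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")     # 9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")     # 8 years
SH_EXP=$(date -u -d "-1 day" "+%y%m%d%H%M%SZ")      # 1 day
IM_EXP=$(date -u -d "+3286 day" "+%y%m%d%H%M%SZ")   # 9 years
EE_EXP=$(date -u -d "+2920 day" "+%y%m%d%H%M%SZ")   # 8 years
NOW=$(date -u "+%y%m%d%H%M%SZ")
#
# Subordinate CAs issued by the Root CA
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
# Independent CAs exercising other key types, signature schemes and extensions
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
# Oversized RSA keys (8192-bit CA, 4096-bit end entities)
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
# Default RSA modulus size for every key generated below unless stated otherwise
RSA_SIZE="3072"
# Per-host configuration trees (relative to hosts/<name>/)
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Hosts that receive a key, a certificate and a copy of the Root CA certificate
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"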
! 89:
# Create directories.  Every CA gets a certs/ store (the issued certificates
# are filed there by serial number); the root, research and sales CAs also
# get a keys/ store.  mkdir -p makes a re-run harmless.
mkdir -p \
	"${CA_DIR}/certs" "${CA_DIR}/keys" \
	"${RESEARCH_DIR}/certs" "${RESEARCH_DIR}/keys" \
	"${SALES_DIR}/certs" "${SALES_DIR}/keys" \
	"${DUCK_DIR}/certs" \
	"${ECDSA_DIR}/certs" \
	"${RFC3779_DIR}/certs" \
	"${SHA3_RSA_DIR}/certs" \
	"${ED25519_DIR}/certs" \
	"${MONSTER_DIR}/certs" \
	"${BLISS_DIR}/certs"
! 104:
################################################################################
#                            strongSwan Root CA                                #
################################################################################

# Generate strongSwan Root CA: an RSA key of RSA_SIZE bits and a self-signed
# CA certificate valid for ten years.  "--pathlen 1" allows exactly one level
# of subordinate CA below it (the Research and Sales CAs issued further down).
# The key is written unencrypted; its file mode follows the current umask.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" \
	--not-before "${START}" --not-after "${CA_END}" \
	--ca --pathlen 1 \
	--dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
	--outform pem > "${CA_CERT}"
! 114:
# Distribute strongSwan Root CA certificate to every host, into both the
# ipsec.conf (cacerts/) and the swanctl (x509ca/) trust stores
for h in ${HOSTS}
do
	HOST_DIR="${DIR}/hosts/${h}"
	for store in "${HOST_DIR}/${IPSEC_DIR}/cacerts" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
	do
		mkdir -p "${store}"
		cp "${CA_CERT}" "${store}"
	done
done

# Put a copy onto the alice FreeRADIUS server so it can validate client
# certificates issued by the Root CA
RADDB_CERTS="${DIR}/hosts/alice/etc/raddb/certs"
mkdir -p "${RADDB_CERTS}"
cp "${CA_CERT}" "${RADDB_CERTS}"
! 128:
# Convert strongSwan Root CA certificate into DER format (the tkm scenarios
# below take the DER copy)
openssl x509 -in "${CA_CERT}" -outform der -out "${CA_CERT_DER}"

# Generate a stale CRL: thisUpdate two days ago with a one-day lifetime, so it
# is already expired at build time.  It contains no revocations yet.
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
	--this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
for h in carol moon
do
	STALE_CRL_DIR="${TEST}/hosts/${h}/${IPSEC_DIR}/crls"
	mkdir -p "${STALE_CRL_DIR}"
	cp "${CA_LAST_CRL}" "${STALE_CRL_DIR}/stale.crl"
done
! 142:
# Generate host keys: one RSA key of RSA_SIZE bits per host, stored
# unencrypted under ipsec.d/private, mirrored into the swanctl rsa/ tree and
# exported DER-encoded into ${CA_DIR}/keys (the tkm scenarios pick the DER
# copies of moon and sun up from there).
for h in ${HOSTS}
do
	HOST_DIR="${DIR}/hosts/${h}"
	HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
	mkdir -p "${HOST_DIR}/${IPSEC_DIR}/private" "${HOST_DIR}/${SWANCTL_DIR}/rsa"

	pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

	# Put a copy into swanctl directory tree
	cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"

	# Convert host key into DER format; openssl's progress chatter on stderr
	# is dropped, a real failure still aborts the script via errexit
	openssl rsa -in "${HOST_KEY}" -outform der \
		-out "${CA_DIR}/keys/${h}Key.der" 2> /dev/null
done
! 159:
# Put DER-encoded private key and Root CA certificate into the tkm scenarios:
# moon's key for the host2host/net2net/xfrmproxy variants, sun's key for the
# multiple-clients scenario.  The tkm tree holds the raw (unencrypted) key.
for spec in \
	"moon host2host-initiator" \
	"moon host2host-responder" \
	"moon host2host-xfrmproxy" \
	"moon net2net-initiator" \
	"moon net2net-xfrmproxy" \
	"moon xfrmproxy-expire" \
	"moon xfrmproxy-rekey" \
	"sun multiple-clients"
do
	set -- ${spec}
	TKM_HOST_DIR="${TEST_DIR}/tkm/${2}/hosts/${1}/${TKM_DIR}"
	mkdir -p "${TKM_HOST_DIR}"
	cp "${CA_DIR}/keys/${1}Key.der" "${CA_CERT_DER}" "${TKM_HOST_DIR}"
done
! 173:
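# PKCS#8 variants of the host keys for the ikev2/rw-pkcs8 scenario, one per
# flavour the key loader has to accept:
#   moon   unencrypted PrivateKeyInfo
#   carol  PKCS#5 v1.5, PBE-MD5-DES -- obsolete and weak (MD5, single DES);
#          generated only so the legacy decoder is exercised, never use this
#          for real keys
#   dave   PKCS#5 v2.0, AES-128
# The passphrases are public test fixtures; passing them via "pass:" exposes
# them in the process list, which is acceptable only inside this build chroot.
# Note: "-nocrypt" must NOT be combined with -v1/-v2: openssl then writes an
# unencrypted PrivateKeyInfo and silently ignores the PBE options and
# passphrase, so the encrypted variants would not be encrypted at all.
TEST="${TEST_DIR}/ikev2/rw-pkcs8"

# Convert moon private key into unencrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -topk8 -v1 PBE-MD5-DES \
	-passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -topk8 -v2 aes128 \
	-passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"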
! 194:
################################################################################
#                           Public Key Extraction                              #
################################################################################

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey" \
	"${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into every other scenario that authenticates moon by raw public
# key: ikev2 scenarios keep it in ipsec.d/certs, swanctl scenarios in pubkey/
for dest in \
	"${TEST_DIR}/ikev2/net2net-dnssec/hosts/moon/${IPSEC_DIR}/certs" \
	"${TEST_DIR}/ikev2/net2net-pubkey/hosts/moon/${IPSEC_DIR}/certs" \
	"${TEST_DIR}/ikev2/rw-dnssec/hosts/moon/${IPSEC_DIR}/certs" \
	"${TEST_DIR}/ikev2/net2net-pubkey/hosts/sun/${IPSEC_DIR}/certs" \
	"${TEST_DIR}/swanctl/rw-dnssec/hosts/moon/${SWANCTL_DIR}/pubkey" \
	"${TEST_DIR}/swanctl/rw-pubkey-anon/hosts/moon/${SWANCTL_DIR}/pubkey" \
	"${TEST_DIR}/swanctl/rw-pubkey-anon/hosts/carol/${SWANCTL_DIR}/pubkey" \
	"${TEST_DIR}/swanctl/rw-pubkey-anon/hosts/dave/${SWANCTL_DIR}/pubkey" \
	"${TEST_DIR}/swanctl/rw-pubkey-keyid/hosts/moon/${SWANCTL_DIR}/pubkey" \
	"${TEST_DIR}/swanctl/rw-pubkey-keyid/hosts/carol/${SWANCTL_DIR}/pubkey" \
	"${TEST_DIR}/swanctl/rw-pubkey-keyid/hosts/dave/${SWANCTL_DIR}/pubkey"
do
	mkdir -p "${dest}"
	cp "${TEST_PUB}" "${dest}"
done
! 236:
# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Copies for the peers that authenticate sun by raw public key
# (ikev2 scenarios: ipsec.d/certs, swanctl scenarios: pubkey/)
for dest in \
	"${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey" \
	"${TEST_DIR}/ikev2/net2net-dnssec/hosts/sun/${IPSEC_DIR}/certs" \
	"${TEST_DIR}/ikev2/net2net-pubkey/hosts/moon/${IPSEC_DIR}/certs" \
	"${TEST_DIR}/ikev2/net2net-pubkey/hosts/sun/${IPSEC_DIR}/certs" \
	"${TEST_DIR}/swanctl/rw-pubkey-anon/hosts/moon/${SWANCTL_DIR}/pubkey"
do
	mkdir -p "${dest}"
	cp "${TEST_PUB}" "${dest}"
done
! 257:
# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon and swanctl/rw-pubkey-keyid
# scenarios, for carol herself and for the gateway moon
for t in rw-pubkey-anon rw-pubkey-keyid
do
	for h in carol moon
	do
		dest="${TEST_DIR}/swanctl/${t}/hosts/${h}/${SWANCTL_DIR}/pubkey"
		mkdir -p "${dest}"
		cp "${TEST_PUB}" "${dest}"
	done
done
! 274:
# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon and swanctl/rw-pubkey-keyid
# scenarios, for dave himself and for the gateway moon
for t in rw-pubkey-anon rw-pubkey-keyid
do
	for h in dave moon
	do
		dest="${TEST_DIR}/swanctl/${t}/hosts/${h}/${SWANCTL_DIR}/pubkey"
		mkdir -p "${dest}"
		cp "${TEST_PUB}" "${dest}"
	done
done
! 291:
! 292: ################################################################################
! 293: # Host Certificate Generation #
! 294: ################################################################################
! 295:
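# function issue_cert: serial host cn [ou]
#
# Issue an end-entity certificate for one test host from the strongSwan Root CA.
#   serial  hex serial number; the certificate is also filed as
#           ${CA_DIR}/certs/<serial>.pem
#   host    host name; its key must already exist at
#           hosts/<host>/etc/ipsec.d/private/<host>Key.pem (host key loop above)
#   cn      subject CN, also written as the single subjectAltName
#   ou      optional OU, inserted between O and CN of the subject DN
# The certificate (validity START..EE_END, CRL distribution point CA_CDP) is
# written to the host's ipsec.d/certs and swanctl/x509 trees.
# Reads the globals DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT,
# CA_CDP, PROJECT, START and EE_END.  Side effect: HOST_DIR, HOST_KEY,
# HOST_CERT and OU are left set to the values of the last call; every later
# use in this script reassigns them first, new code should not rely on them.
# Returns 1 (and, under errexit, aborts the script) when called with fewer
# than three arguments or when the host key is missing; a failing pki also
# aborts the script.
issue_cert()
{
	if [ $# -lt 3 ]
	then
		echo "issue_cert: usage: issue_cert serial host cn [ou]" >&2
		return 1
	fi

	# does optional OU argument exist?  The leading blank and trailing comma
	# keep the DN below well-formed whether or not the OU is inserted.
	if [ -z "${4}" ]
	then
		OU=""
	else
		OU=" OU=${4},"
	fi

	HOST_DIR="${DIR}/hosts/${2}"
	HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
	HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
	if [ ! -r "${HOST_KEY}" ]
	then
		echo "issue_cert: host key ${HOST_KEY} not found, generate host keys first" >&2
		return 1
	fi
	mkdir -p "${HOST_DIR}/${IPSEC_DIR}/certs" "${HOST_DIR}/${SWANCTL_DIR}/x509"
	pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
		--in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
		--serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
		--outform pem > "${HOST_CERT}"

	# File a copy by serial number in the CA's certificate store and put one
	# into the swanctl directory tree
	cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"
	cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}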
! 321:
# Generate host certificates.  One row per host: serial, host name, CN (also
# used as the subjectAltName) and an optional OU.  Serials 01-07 are consumed
# here; the sections below continue from 08.
HOST_CERT_TABLE=(
	"01 carol carol@strongswan.org Research"
	"02 dave dave@strongswan.org Accounting"
	"03 moon moon.strongswan.org"
	"04 sun sun.strongswan.org"
	"05 alice alice@strongswan.org Sales"
	"06 venus venus.strongswan.org"
	"07 bob bob@strongswan.org Research"
)
for row in "${HOST_CERT_TABLE[@]}"
do
	# word-splitting the row into the positional arguments is intended
	issue_cert ${row}
done
! 330:
# Create PKCS#12 files for moon and sun: the host key, its certificate and
# the Root CA certificate, protected with AES-128 under a public test
# passphrase (passed via "pass:", fine only inside this build chroot).
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
	"${TEST}/hosts/sun/${IPSEC_DIR}/private"
MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"

# moon
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
openssl pkcs12 -export -name "moon" \
	-inkey "${HOST_KEY}" -in "${HOST_CERT}" \
	-certfile "${CA_CERT}" -caname "strongSwan Root CA" \
	-aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
openssl pkcs12 -export -name "sun" \
	-inkey "${HOST_KEY}" -in "${HOST_CERT}" \
	-certfile "${CA_CERT}" -caname "strongSwan Root CA" \
	-aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put PKCS#12 copies into the botan and openssl-ikev2 net2net-pkcs12 scenarios
for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
do
	TEST="${TEST_DIR}/${t}"
	mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12" \
		"${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
	cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
	cp "${SUN_PKCS12}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
done
! 359:
################################################################################
# DNSSEC Zone Files #
################################################################################

# Store moon and sun certificates in strongswan.org zone.
# Each certificate becomes a CERT resource record (RFC 4398): "1 0 0" is
# certificate type 1 = PKIX (X.509), key tag 0 and algorithm 0, followed by
# the base64 body of the PEM file (the -----BEGIN/END----- lines stripped,
# each line indented for the multi-line record syntax).
# NOTE(review): records published from here are only trustworthy if the zone
# that includes this file is DNSSEC-signed; the script does not sign anything.
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
for h in moon sun
do
HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
done

# Store public keys in strongswan.org zone as IPSECKEY records (RFC 4025):
# "10 3 2 <gateway>." is precedence 10, gateway type 3 = domain name,
# algorithm 2 = RSA.  pki extracts the public key from the certificate in
# DNSKEY wire encoding (base64); sed wraps it at 64 characters per line.
# The pipe relies on errexit alone unless pipefail is set: with plain errexit
# a failing pki here would be masked by sed and yield an empty key.
echo ";" >> ${ZONE_FILE}
for h in moon sun carol dave
do
HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
done
! 382:
# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP.
# Same key and subject as carol's regular certificate, but the CRL distribution
# point is CA_BASE_CDP instead of CA_CDP.
# NOTE(review): serial 01 here (and 03 for moon below) is also the serial of the
# certificates issued via issue_cert; two distinct certificates sharing a serial
# under the same issuer violates RFC 5280 section 4.1.2.2.  This is presumably
# deliberate so that CRL entries apply to both variants -- confirm before
# changing the serials.
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
--outform pem > ${TEST_CERT}

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
# (same caveat on the reused serial 03 as above)
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--outform pem > ${TEST_CERT}
! 403:
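# Encrypt carolKey.pem (AES-128, legacy PEM encryption) in place under
# ipsec.d/private; the unencrypted copy in the swanctl rsa/ tree is untouched.
# openssl writes to a temporary file that is renamed over the original, so an
# interrupted run can never leave a truncated key in place of the real one.
# The passphrase is a public test fixture; "pass:" exposes it in the process
# list, acceptable only inside this build chroot.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 -passout "pass:${KEY_PWD}" \
	-out "${HOST_KEY}.tmp" 2> /dev/null
mv -f "${HOST_KEY}.tmp" "${HOST_KEY}"

# Put the encrypted key and carol's certificate (serial 01, renamed to
# carolCert.pem) under dave's directories of the dynamic-initiator and
# dynamic-responder scenarios
for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
do
	TEST="${TEST_DIR}/${t}"
	mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
		"${TEST}/hosts/dave/${IPSEC_DIR}/certs"
	cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
	cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"
done

# Put a copy of the encrypted key into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"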
! 424:
# Generate another carol certificate (fresh key, serial 08) and revoke it
# with reason key-compromise.  The resulting CRL becomes both the current CRL
# and the "last" CRL, whose entries the next CRL issued below carries over.
TEST="${TEST_DIR}/ikev2/crl-revoked"
CN="carol@strongswan.org"
SERIAL="08"
REVOKED_PRIVATE="${TEST}/hosts/carol/${IPSEC_DIR}/private"
REVOKED_CERTS="${TEST}/hosts/carol/${IPSEC_DIR}/certs"
TEST_KEY="${REVOKED_PRIVATE}/carolKey.pem"
TEST_CERT="${REVOKED_CERTS}/carolCert.pem"
mkdir -p "${REVOKED_PRIVATE}" "${REVOKED_CERTS}"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
	--in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
	--reason "key-compromise" --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy of the revoked key and certificate into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
! 449:
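# Generate another carol certificate with SN=002 (serial 09, fresh key) for
# the ikev2/two-certs scenario, which needs two valid certificates for the
# same identity.  CN is set here explicitly instead of being inherited from
# the previous section, so this block does not depend on what ran before it.
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
CN="carol@strongswan.org"
SERIAL="09"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
	--in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"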
! 463:
! 464: ################################################################################
! 465: # Research CA Certificate Generation #
! 466: ################################################################################
! 467:
# Research CA, first issuance (serial 0A): a fresh key, a CA certificate
# signed by the Root CA, then revoked with reason ca-compromise.  The new CRL
# carries the entries of the previous one over (--lastcrl) and replaces it.
# The revoked CA certificate goes to the multi-level-ca-revoked scenario only.
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
	--in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
	--reason "ca-compromise" --serial "${SERIAL}" \
	--lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm "${CA_LAST_CRL}"

# Research CA, second issuance (serial 0B): the same private key and subject,
# signed again by the Root CA.  This is the CA certificate the regular
# multi-level scenarios trust.
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
	--in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
	--outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
! 490:
# Put a certificate copy into the following scenarios: moon's cacerts/ for the
# multi-level and OCSP scenarios, carol's cacerts/ for the certificate-request
# scenarios, and the x509ca/ trees of the swanctl variants.
for dest in \
	"${TEST_DIR}/ikev1/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-ldap/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-pathlen/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-strict/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/ocsp-multi-level/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/ocsp-strict-ifuri/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev1/multi-level-ca-cr-init/hosts/carol/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev1/multi-level-ca-cr-resp/hosts/carol/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-cr-init/hosts/carol/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-cr-resp/hosts/carol/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/swanctl/multi-level-ca/hosts/moon/${SWANCTL_DIR}/x509ca" \
	"${TEST_DIR}/swanctl/ocsp-multi-level/hosts/moon/${SWANCTL_DIR}/x509ca" \
	"${TEST_DIR}/swanctl/rw-hash-and-url-multi-level/hosts/carol/${SWANCTL_DIR}/x509ca"
do
	mkdir -p "${dest}"
	cp "${RESEARCH_CERT}" "${dest}"
done
! 522:
# Convert Research CA certificate into DER format
openssl x509 -in "${RESEARCH_CERT}" -outform der -out "${RESEARCH_CERT_DER}"

# Generate Research CA with the same private key as above but an invalid CDP,
# for the multi-level-ca-skipped scenario.
# NOTE(review): this reuses SERIAL ("0B") from the certificate just issued
# above, so two different certificates share one serial under the Root CA
# (RFC 5280 section 4.1.2.2 requires uniqueness).  Presumably intended so that
# CRL handling treats both alike -- confirm before assigning a fresh serial.
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
	--crl "http://crl.strongswan.org/not-available.crl" \
	--in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
	--outform pem > "${TEST_CERT}"
! 535:
! 536: ################################################################################
! 537: # Sales CA Certificate Generation #
! 538: ################################################################################
! 539:
# Generate Sales CA signed by Root CA (serial 0C): a fresh key and a
# subordinate CA certificate valid for nine years.
SERIAL="0C"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
	--in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
	--outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
! 548:
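# Put a certificate copy into the following scenarios: moon's cacerts/ for the
# multi-level and OCSP scenarios, dave's cacerts/ for the certificate-request
# scenarios, and the x509ca/ trees of the swanctl variants.  Each target is
# listed once (the ikev2/ocsp-multi-level copy is needed only once) and its
# directory created on the spot, so this block does not depend on the
# Research CA section having created the directories first.
for dest in \
	"${TEST_DIR}/ikev1/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-ldap/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-strict/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/ocsp-multi-level/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/ocsp-strict-ifuri/hosts/moon/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev1/multi-level-ca-cr-init/hosts/dave/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev1/multi-level-ca-cr-resp/hosts/dave/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-cr-init/hosts/dave/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/ikev2/multi-level-ca-cr-resp/hosts/dave/${IPSEC_DIR}/cacerts" \
	"${TEST_DIR}/swanctl/multi-level-ca/hosts/moon/${SWANCTL_DIR}/x509ca" \
	"${TEST_DIR}/swanctl/ocsp-multi-level/hosts/moon/${SWANCTL_DIR}/x509ca" \
	"${TEST_DIR}/swanctl/rw-hash-and-url-multi-level/hosts/dave/${SWANCTL_DIR}/x509ca"
do
	mkdir -p "${dest}"
	cp "${SALES_CERT}" "${dest}"
done

# Convert Sales CA certificate into DER format
openssl x509 -in "${SALES_CERT}" -outform der -out "${SALES_CERT_DER}"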
! 581:
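# ikev2/strong-keys-certs scenario: one fresh RSA key and certificate per
# host, each pair with a different key-encryption cipher and certificate
# signature digest:
#   moon   AES-128 encrypted key, SHA-224 signed certificate (serial 0D)
#   carol  AES-192 encrypted key, SHA-384 signed certificate (serial 0E)
#   dave   AES-256 encrypted key, SHA-512 signed certificate (serial 0F)
# The OU of each certificate names its digest ("SHA-224", ...).  Keys are
# encrypted in place after the certificate has been issued from the plain
# key; openssl writes to a temporary file that is renamed over the original,
# so an interrupted run never leaves a truncated key.  The passphrases are
# public test fixtures ("pass:" exposes them in the process list, acceptable
# only inside this build chroot).
# After the loop TEST_KEY, TEST_CERT, CN, SERIAL and KEY_PWD hold dave's
# values, as the sections below expect.
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
# Rows: host cn serial digest cipher passphrase (no whitespace in any field)
STRONG_KEYS_CERTS=(
	"moon moon.strongswan.org 0D sha224 aes128 gOQHdrSWeFuiZtYPetWuyzHW"
	"carol carol@strongswan.org 0E sha384 aes192 ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
	"dave dave@strongswan.org 0F sha512 aes256 MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
)
for row in "${STRONG_KEYS_CERTS[@]}"
do
	read -r host CN SERIAL digest cipher KEY_PWD <<< "${row}"
	ou="SHA-${digest#sha}"
	TEST_KEY="${TEST}/hosts/${host}/${IPSEC_DIR}/private/${host}Key-${cipher}.pem"
	TEST_CERT="${TEST}/hosts/${host}/${IPSEC_DIR}/certs/${host}Cert-${digest}.pem"
	mkdir -p "${TEST}/hosts/${host}/${IPSEC_DIR}/private" \
		"${TEST}/hosts/${host}/${IPSEC_DIR}/certs"
	pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
	pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
		--in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
		--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${ou}, CN=${CN}" \
		--digest "${digest}" --outform pem > "${TEST_CERT}"
	openssl rsa -in "${TEST_KEY}" "-${cipher}" -passout "pass:${KEY_PWD}" \
		-out "${TEST_KEY}.tmp" 2> /dev/null
	mv -f "${TEST_KEY}.tmp" "${TEST_KEY}"
	cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
done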
! 633:
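# Generate another carol certificate with an OCSP URI (serial 10, fresh key):
# the authorityInfoAccess extension points at CA_OCSP, so peers validating it
# query the responder instead of (or in addition to) the CRL.
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
	--in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
	--ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the ikev2/ocsp-timeouts-good scenario
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/ocsp-signer-cert and swanctl/ocsp-disabled
# scenarios.  Absolute paths on purpose: a `cd` into the scenario would
# silently change the working directory for the remainder of the script.
for t in ocsp-signer-cert ocsp-disabled
do
	SWANCTL_HOST_DIR="${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
	mkdir -p "${SWANCTL_HOST_DIR}/rsa" "${SWANCTL_HOST_DIR}/x509"
	cp "${TEST_KEY}" "${SWANCTL_HOST_DIR}/rsa"
	cp "${TEST_CERT}" "${SWANCTL_HOST_DIR}/x509"
done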
! 663: done
! 664:
! 665: # Generate an OCSP Signing certificate for the strongSwan Root CA
! 666: TEST_KEY="${CA_DIR}/ocspKey.pem"
! 667: TEST_CERT="${CA_DIR}/ocspCert.pem"
! 668: CN="ocsp.strongswan.org"
! 669: OU="OCSP Signing Authority"
! 670: SERIAL="11"
! 671: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
! 672: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
! 673: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
! 674: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
! 675: --flag ocspSigning --outform pem > ${TEST_CERT}
! 676: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
! 677:
! 678: # Generate a self-signed OCSP Signing certificate
! 679: TEST_KEY="${CA_DIR}/ocspKey-self.pem"
! 680: TEST_CERT="${CA_DIR}/ocspCert-self.pem"
! 681: OU="OCSP Self-Signed Authority"
! 682: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
! 683: pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
! 684: --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
! 685: --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
! 686: --outform pem > ${TEST_CERT}
! 687:
! 688: # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
! 689: TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
! 690: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
! 691: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
! 692: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
! 693: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
! 694:
# Generate mars virtual server certificate (Root CA serial 12, serverAuth);
# the HA and redirect scenarios below install the same key pair on every
# gateway that may answer as mars
SERIAL="12"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/{private,certs}
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
	--flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

# The mirrored gateway alice in ha/both-active gets the same key and cert
mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/{private,certs}
cp ${TEST_KEY} ${TEST}/hosts/alice/${IPSEC_DIR}/private/
cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs/

# ... and so do alice and moon in ha/active-passive and ikev2/redirect-active
for t in "ha/active-passive" "ikev2/redirect-active"; do
	TEST="${TEST_DIR}/${t}"
	for h in alice moon; do
		mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/{private,certs}
		cp ${TEST_KEY} ${TEST}/hosts/${h}/${IPSEC_DIR}/private/
		cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs/
	done
done
! 729:
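# Generate moon (serial 13) and sun (serial 14) certificates that carry an
# unsupported critical X.509 extension (private OID 1.3.6.1.4.1.36906.1) for
# the ikev2/critical-extension and openssl-ikev2/critical-extension scenarios.
# Both hosts are produced by one loop because the two recipes differ only in
# host name and serial; moon is processed first, sun second, and the usual
# TEST/TEST_KEY/TEST_CERT/CN/SERIAL variables are left pointing at sun.
for entry in moon:13 sun:14
do
	h="${entry%%:*}"
	SERIAL="${entry##*:}"
	TEST="${TEST_DIR}/ikev2/critical-extension"
	TEST_KEY="${TEST}/hosts/${h}/${IPSEC_DIR}/private/${h}Key.pem"
	TEST_CERT="${TEST}/hosts/${h}/${IPSEC_DIR}/certs/${h}Cert.pem"
	CN="${h}.strongswan.org"
	mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
	mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
	pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
	# --critical marks the private extension critical, which a conforming
	# verifier that does not understand it has to treat as a failure
	pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
		--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
		--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
		--critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
		--outform pem > ${TEST_CERT}
	cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

	# Put a copy in the openssl-ikev2/critical-extension scenario
	# (swanctl layout: rsa/ for the key, x509/ for the certificate)
	TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
	mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/rsa
	mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509
	cp ${TEST_KEY} ${TEST}/hosts/${h}/${SWANCTL_DIR}/rsa
	cp ${TEST_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509
done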
! 775:
# Generate winnetou server certificate (Root CA serial 15, serverAuth); this
# pair stays in the CA directory instead of a test scenario
SERIAL="15"
CN="winnetou.strongswan.org"
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
	--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--flag serverAuth --outform pem > ${HOST_CERT}
cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

# Generate AAA server certificate (Root CA serial 16, serverAuth) for alice in
# tnc/tnccs-20-pdp-eap; the key and cert are written relative to that host's
# swanctl directory, which is why the script changes into it first
SERIAL="16"
CN="aaa.strongswan.org"
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
mkdir -p rsa x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

# The other tnc scenarios that run alice as AAA server get the same pair
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap; do
	cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
	mkdir -p rsa x509
	cp ${TEST_KEY} rsa/
	cp ${TEST_CERT} x509/
done

# ... and so does the FreeRADIUS server on alice (two sources, so cp insists
# that the raddb/certs target is an existing directory)
cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
! 814:
################################################################################
# strongSwan Attribute Authority                                               #
################################################################################

# Generate Attribute Authority certificate (Root CA serial 17). The AA is an
# ordinary end-entity certificate (no --ca, IM_END validity) whose key signs
# the attribute certificates (acerts) below; it lives in moon's aacerts dir.
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
CN="strongSwan Attribute Authority"
SERIAL="17"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

# Generate carol's attribute certificate for sales and finance. The holder is
# identified through the public-key certificate given with --in; certs/01.pem
# is Root CA serial 01 (carol's, going by the comments in this section).
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
	--in ${CA_DIR}/certs/01.pem --group sales --group finance \
	--not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}

# Generate dave's expired attribute certificate for sales (certs/02.pem);
# SH_END is one day in the past, see the date arithmetic at the top of the
# script, so this acert is already expired when the scenario runs
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
	--in ${CA_DIR}/certs/02.pem --group sales \
	--not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}

# Generate dave's attribute certificate for marketing, valid from SH_END until
# EE_END; kept in ACERT_DM because the acert-inline scenario below reuses it
ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
	--in ${CA_DIR}/certs/02.pem --group marketing \
	--not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}

# Put a copy into the ikev2/acert-fallback scenario (AA key and cert only;
# the acerts for this scenario are generated next)
TEST="${TEST_DIR}/ikev2/acert-fallback"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts

# Generate carol's expired attribute certificate for finance (not-after SH_END)
ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
	--in ${CA_DIR}/certs/01.pem --group finance \
	--not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}

# Generate carol's valid attribute certificate for sales; kept in ACERT_CS
# because the acert-inline scenario below reuses it
ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
	--in ${CA_DIR}/certs/01.pem --group sales \
	--not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}

# Put a copy into the ikev2/acert-inline scenario: moon gets the AA key and
# cert, while carol and dave hold their own acerts (presumably to send them
# inline during authentication)
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
cp ${ACERT_CS} ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
cp ${ACERT_DM} ${TEST}/hosts/dave/${IPSEC_DIR}/acerts

# Generate a short-lived Attribute Authority certificate (Root CA serial 18)
# whose validity already ended at SH_END. TEST_KEY/TEST_CERT now point at this
# expired AA, so everything issued below is signed by an expired issuer.
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
SERIAL="18"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

# Generate dave's attribute certificate for sales from expired AA: the acert
# itself is valid until EE_END, only its issuer has expired
ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
	--in ${CA_DIR}/certs/02.pem --group sales \
	--not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
! 903:
################################################################################
# strongSwan Root CA index for OCSP server                                     #
################################################################################

# Generate index.txt for the Root OCSP server from its template: the
# EE_EXPIRATION / IM_EXPIRATION / SH_EXPIRATION placeholders become the expiry
# timestamps computed at the top of the script and REVOCATION becomes NOW.
# All four substitutions are applied in one in-place sed pass; the inserted
# values are digits plus a trailing Z, so no later pattern can match them.
cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
sed -i \
	-e "s/EE_EXPIRATION/${EE_EXP}/g" \
	-e "s/IM_EXPIRATION/${IM_EXP}/g" \
	-e "s/SH_EXPIRATION/${SH_EXP}/g" \
	-e "s/REVOCATION/${NOW}/g" \
	${CA_DIR}/index.txt
! 914:
################################################################################
# Research CA                                                                  #
################################################################################

# Generate a carol research certificate (Research CA serial 01) carrying the
# Research CDP, for the multi-level (intermediate CA) scenarios
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
	--crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem

# Save a copy of the private key in DER format under keys/<serial>.der.
# stderr is discarded, but a non-zero exit still aborts the script (errexit).
openssl rsa -in ${TEST_KEY} -outform der \
	-out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null

# Put a copy in the following scenarios (ipsec.d layout: private/ and certs/)
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
	ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
	ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
	ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
	ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
	ikev1/multi-level-ca-cr-resp
do
	TEST="${TEST_DIR}/${t}"
	mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
	mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
	cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
	cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
done

# Same for the swanctl scenarios (swanctl layout: rsa/ and x509/)
for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
do
	TEST="${TEST_DIR}/swanctl/${t}"
	mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
	mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
	cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
	cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done

# Generate a carol research certificate without a CDP, reusing carol's key
# (TEST_KEY is unchanged) and SERIAL 01 from above. Two certificates therefore
# share issuer and serial, which RFC 5280 (4.1.2.2) does not allow for a real
# CA; presumably deliberate here so the Research OCSP index entry for 01 also
# applies to this certificate. Only this fixture variant is stored in certs/.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
	--outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private

# Generate an OCSP Signing certificate for the Research CA (serial 02) with
# the OCSP-signing extended key usage
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
	--crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem

# Generate a Sales CA certificate signed by the Research CA (serial 03). It is
# issued for the existing Sales key (--in ${SALES_KEY}, --ca), and the Sales
# section issues the mirror image for the Research key, so the two CAs end up
# cross-signing each other; that loop is what multi-level-ca-loop exercises.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
SERIAL="03"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
	--in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
	--crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
! 996:
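################################################################################
# Duck Research CA                                                             #
################################################################################

# Generate a Duck Research CA certificate signed by the Research CA
# (Research CA serial 04, --ca, EE_END validity). DUCK_KEY/DUCK_CERT are the
# paths defined at the top of the script.
SERIAL="04"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
	--in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
	--crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem

# Put a certificate copy in the ikev2/multi-level-ca-pathlen scenario.
# Create cacerts/ first, as every other copy in this script does: with a
# missing target directory, 'cp FILE DIR' would not fail under errexit but
# silently write a regular file named cacerts, and the scenario would lack
# the CA certificate.
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts

# Generate a carol certificate signed by the Duck Research CA (Duck serial 01,
# no CDP); DUCK_DIR/certs/ is assumed to exist already
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
	--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem

# Generate index.txt file for Research OCSP server from its template; only the
# EE_EXPIRATION placeholder is substituted here
cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt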
! 1031:
################################################################################
# Sales CA                                                                     #
################################################################################

# Generate a dave sales certificate (Sales CA serial 01) carrying the Sales
# CDP, for the multi-level (intermediate CA) scenarios
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
	--crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem

# Save a copy of the private key in DER format under keys/<serial>.der.
# stderr is discarded, but a non-zero exit still aborts the script (errexit).
openssl rsa -in ${TEST_KEY} -outform der \
	-out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null

# Put a copy in the following scenarios (ipsec.d layout: private/ and certs/)
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
	ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
	ikev2/ocsp-multi-level ikev1/multi-level-ca \
	ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
do
	TEST="${TEST_DIR}/${t}"
	mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
	mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
	cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
	cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
done

# Same for the swanctl scenarios (swanctl layout: rsa/ and x509/)
for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
do
	TEST="${TEST_DIR}/swanctl/${t}"
	mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
	mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
	cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
	cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
done

# Generate a dave sales certificate with an inactive OCSP URI and no CDP,
# reusing dave's key (TEST_KEY is unchanged) and SERIAL 01 from above. As in
# the Research section, two certificates then share issuer and serial, which
# RFC 5280 (4.1.2.2) does not allow for a real CA; presumably deliberate so
# the Sales OCSP index entry for 01 applies to both. The ocsp2 responder on
# port 8882 is described as inactive, so a verifier that insists on reaching
# a revocation source presumably fails, which is what ocsp-strict-ifuri tests.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
	--ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private

# Generate an OCSP Signing certificate for the Sales CA (serial 02) with the
# OCSP-signing extended key usage
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
	--crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem

# Generate a Research CA certificate signed by the Sales CA (serial 03) for
# the existing Research key (--in ${RESEARCH_KEY}, --ca). Together with the
# Sales-by-Research certificate from the Research section the two CAs
# cross-sign each other, the loop that multi-level-ca-loop exercises.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
SERIAL="03"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
	--in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
	--crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem

# Generate index.txt file for Sales OCSP server from its template; only the
# EE_EXPIRATION placeholder is substituted here
cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
! 1115:
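################################################################################
# strongSwan EC Root CA                                                        #
################################################################################

# Generate strongSwan EC Root CA: self-signed ECDSA key on the 521-bit curve,
# valid until CA_END; ECDSA_KEY/ECDSA_CERT are defined at the top of the script
pki --gen --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
pki --self --type ecdsa --in ${ECDSA_KEY} \
	--not-before "${START}" --not-after "${CA_END}" --ca \
	--dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
	--outform pem > ${ECDSA_CERT}

# Put a copy in the openssl-ikev2/ecdsa-certs and ecdsa-pkcs8 scenarios, into
# the x509ca directory of each of moon, carol and dave
for t in ecdsa-certs ecdsa-pkcs8
do
	TEST="${TEST_DIR}/openssl-ikev2/${t}"
	for h in moon carol dave
	do
		mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
		cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
	done
done

# Generate a moon ECDSA 521 bit certificate (EC Root CA serial 01).
# NOTE(review): the OU reads "ECDSA 512 bit" although the key is 521 bit; the
# string is left as is because scenario configs may match on the full DN.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
	--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
	--crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem

# Generate a carol ECDSA 256 bit certificate (EC Root CA serial 02)
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
	--in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
	--crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem

# Generate a dave ECDSA 384 bit certificate (EC Root CA serial 03)
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
	--in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
	--crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem

# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario;
# that scenario gets the private keys as the PKCS#8 conversions below, not
# the raw ecdsa/ files
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${DAVE_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509

# Convert moon private key into unencrypted PKCS#8 format
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}

# Convert carol private key into v1.5 DES encrypted PKCS#8 format.
# PBE-MD5-DES is the legacy PKCS#5 v1.5 scheme; it is used here only so the
# scenario exercises the old-format parser. The fixture password is passed
# with -passout pass:..., i.e. on the command line, where it is visible to
# other processes on the build host; the scenario's configuration has to
# carry the same secret.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
	-passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
# (PKCS#5 v2.0 PBES2; same command-line password caveat as above)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8 -v2 aes128 \
	-passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}

# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario.
# The cd arguments are quoted like every other cd in this script, so a path
# containing whitespace or glob characters cannot be split or expanded into
# a different directory before the copies run.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp ${MOON_KEY} ecdsa
cp ${MOON_CERT} x509
cp ${ECDSA_CERT} x509ca
cd "${TEST}/hosts/carol/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp ${CAROL_KEY} ecdsa
cp ${CAROL_CERT} x509
cp ${ECDSA_CERT} x509ca
cd "${TEST}/hosts/dave/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp ${DAVE_KEY} ecdsa
cp ${DAVE_CERT} x509
cp ${ECDSA_CERT} x509ca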
! 1224:
! 1225: ################################################################################
! 1226: # strongSwan RFC3779 Root CA #
! 1227: ################################################################################
! 1228:
! 1229: # Generate strongSwan RFC3779 Root CA
! 1230: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
! 1231: pki --self --type rsa --in ${RFC3779_KEY} \
! 1232: --not-before "${START}" --not-after "${CA_END}" --ca \
! 1233: --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
! 1234: --addrblock "10.1.0.0-10.2.255.255" \
! 1235: --addrblock "10.3.0.1-10.3.3.232" \
! 1236: --addrblock "192.168.0.0/24" \
! 1237: --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
! 1238: --outform pem > ${RFC3779_CERT}
! 1239:
! 1240: # Put a copy in the ikev2/net2net-rfc3779 scenario
! 1241: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
! 1242: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
! 1243: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
! 1244: cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
! 1245: cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
! 1246:
! 1247: # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
! 1248: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
! 1249: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
! 1250: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
! 1251: cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
! 1252: cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
! 1253:
! 1254: # Generate a moon RFC3779 certificate
! 1255: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
! 1256: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
! 1257: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
! 1258: CN="moon.strongswan.org"
! 1259: SERIAL="01"
! 1260: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
! 1261: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
! 1262: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
! 1263: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
! 1264: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
! 1265: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
! 1266: --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
! 1267: --addrblock "fec0::1/128" --addrblock "fec1::/16" \
! 1268: --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
! 1269: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
! 1270:
! 1271: # Put a copy in the ipv6 scenarios
! 1272: for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
! 1273: do
! 1274: cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
! 1275: mkdir -p rsa x509 x509ca
! 1276: cp ${TEST_KEY} rsa
! 1277: cp ${TEST_CERT} x509
! 1278: cp ${RFC3779_CERT} x509ca
! 1279: done
! 1280:
# Generate a sun RFC3779 certificate
# Mirror of the moon certificate above with sun's address blocks (10.2.0.0/16,
# 192.168.0.2, fec0::2, fec2::/16) and serial 02.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
CN="sun.strongswan.org"
SERIAL="02"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private ${TEST}/hosts/sun/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" \
	--san ${CN} --serial ${SERIAL} \
	--dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
	--addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
	--addrblock "fec0::2/128" --addrblock "fec2::/16" \
	--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
# Keep a copy under the CA's certs/ directory, named by serial number
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
! 1297:
# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
# TEST_KEY/TEST_CERT still point at sun's key and certificate generated above;
# the cd leaves the working directory changed (see the moon copy loop above).
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp ${TEST_KEY} rsa
cp ${TEST_CERT} x509
cp ${RFC3779_CERT} x509ca
! 1304:
# Generate a carol RFC3779 certificate
# Roadwarrior cert for the ipv6/rw-rfc3779-ikev2 scenario (swanctl layout):
# only host addresses are asserted (10.3.0.1, 192.168.0.100, fec0::10).
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
CN="carol@strongswan.org"
SERIAL="03"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" \
	--san ${CN} --serial ${SERIAL} \
	--dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
	--addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
	--addrblock "fec0::10/128" \
	--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
# Keep a copy under the CA's certs/ directory, named by serial number
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
! 1321:
# Generate a dave RFC3779 certificate
# (the original comment said "carol"; this block issues dave's cert, serial 04,
# with dave's host addresses 10.3.0.2, 192.168.0.200 and fec0::20)
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
	--addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
	--addrblock "fec0::20/128" \
	--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
# Keep a copy under the CA's certs/ directory, named by serial number
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
! 1338:
################################################################################
# strongSwan SHA3-RSA Root CA #
################################################################################

# Use specific plugin configuration to issue certificates with SHA-3 signatures
# as not all crypto plugins support them. To avoid entropy issues use the
# default plugins to generate the keys.
SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"

# Generate strongSwan SHA3-RSA Root CA
# Self-signed CA cert with a SHA3-256 signature. PKI_PLUGINS is a per-command
# prefix assignment: it applies only to this pki --self call (and to the
# --issue calls below that repeat it), not to the pki --gen key generation.
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
	--not-before "${START}" --not-after "${CA_END}" --ca \
	--dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
	--outform pem > ${SHA3_RSA_CERT}
! 1355:
# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca

# Generate a sun SHA3-RSA certificate
# SUN_KEY/SUN_CERT are kept in dedicated variables (rather than TEST_KEY/
# TEST_CERT) because they are reused by the botan scenario copy below.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
# SHA3-256 signature, issued with the restricted plugin set (see SHA3_PKI_PLUGINS)
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
	--in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
	--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem

# Generate a moon SHA3-RSA certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
	--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
	--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem

# Put a copy in the botan/net2net-sha3-rsa-cert scenario
# Relative copies after cd; the working directory is left changed afterwards.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
mkdir -p rsa x509 x509ca
cp ${MOON_KEY} rsa
cp ${MOON_CERT} x509
cp ${SHA3_RSA_CERT} x509ca
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
mkdir -p rsa x509 x509ca
cp ${SUN_KEY} rsa
cp ${SUN_CERT} x509
cp ${SHA3_RSA_CERT} x509ca

# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
# TEST stays set to this scenario for the carol/dave certificates below.
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509

# Generate a carol SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
	--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem

# Generate a dave SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
	--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem

# Install the SHA3-RSA CA certificate on every host of the rw-eap-tls-sha3-rsa
# scenario so each side can validate the peer's chain.
for h in moon carol dave
do
	mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
	cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
! 1448:
################################################################################
# strongSwan Ed25519 Root CA #
################################################################################

# Generate strongSwan Ed25519 Root CA
# The CA asserts two certificate policies (…36906.1.1.1 and …1.1.2); each
# end-entity certificate below is issued under exactly one of them, which is
# what the rw-ed25519-certpol scenario relies on.
pki --gen --type ed25519 --outform pem > ${ED25519_KEY}
pki --self --type ed25519 --in ${ED25519_KEY} \
	--not-before "${START}" --not-after "${CA_END}" --ca \
	--dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
	--cert-policy "1.3.6.1.4.1.36906.1.1.1" \
	--cert-policy "1.3.6.1.4.1.36906.1.1.2" \
	--outform pem > ${ED25519_CERT}

# Put a copy in the swanctl/net2net-ed25519 scenario
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca

# Generate a sun Ed25519 certificate
# Ed25519 private keys go in the swanctl pkcs8/ directory (not rsa/).
# SUN_KEY/SUN_CERT are reused by the botan and ikev2 copies below.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${SUN_KEY}
# policy …1.1.2, EKU serverAuth (gateway side)
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
	--in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
	--cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
	--crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem

# Generate a moon Ed25519 certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${MOON_KEY}
# policy …1.1.1, EKU serverAuth (gateway side)
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
	--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
	--cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
	--crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem

# Put a copy in the botan/net2net-ed25519 scenario
# Relative copies after cd; the working directory is left changed afterwards.
TEST="${TEST_DIR}/botan/net2net-ed25519"
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
mkdir -p pkcs8 x509 x509ca
cp ${MOON_KEY} pkcs8
cp ${MOON_CERT} x509
cp ${ED25519_CERT} x509ca
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
mkdir -p pkcs8 x509 x509ca
cp ${SUN_KEY} pkcs8
cp ${SUN_CERT} x509
cp ${ED25519_CERT} x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario
# Legacy ipsec.d layout: private/, certs/ and cacerts/ instead of pkcs8/,
# x509/ and x509ca/.
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
cd ${TEST}/hosts/moon/${IPSEC_DIR}
mkdir -p cacerts certs private
cp ${MOON_KEY} private
cp ${MOON_CERT} certs
cp ${ED25519_CERT} cacerts
mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
cd ${TEST}/hosts/sun/${IPSEC_DIR}
mkdir -p cacerts certs private
cp ${SUN_KEY} private
cp ${SUN_CERT} certs
cp ${ED25519_CERT} cacerts

# Put a copy in the swanctl/rw-ed25519-certpol scenario
# TEST stays set to this scenario for the CA loop and the carol/dave
# certificates below.
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509

# Install the Ed25519 CA certificate on every host of the scenario
for h in moon carol dave
do
	mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
	cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done

# Generate a carol Ed25519 certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${TEST_KEY}
# policy …1.1.1, EKU clientAuth (roadwarrior side)
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
	--cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
	--crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem

# Generate a dave Ed25519 certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${TEST_KEY}
# policy …1.1.2, EKU clientAuth (roadwarrior side)
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
	--cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
	--crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
! 1569:
################################################################################
# strongSwan Monster Root CA #
################################################################################

# Generate strongSwan Monster Root CA
# Fixed validity dates in the script's %d.%m.%y format: 1 May 2009 to
# 1 May 2059. The notAfter date lies beyond 19 Jan 2038 (the 32-bit time_t
# limit), which is the point of the after-2038-certs scenario. The key size
# comes from MONSTER_CA_RSA_SIZE, defined earlier in the script.
pki --gen --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
pki --self --type rsa --in ${MONSTER_KEY} \
	--not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
	--dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
	--outform pem > ${MONSTER_CERT}

# Put a copy in the ikev2/after-2038-certs scenario
# TEST stays set to this scenario for the moon/carol certificates below.
TEST="${TEST_DIR}/ikev2/after-2038-certs"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
! 1587:
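# Generate a moon Monster certificate
# Validity 1 May 2009 to 1 May 2039 (%d.%m.%y format), i.e. notAfter is past
# the 2038 32-bit time_t limit exercised by the after-2038-certs scenario.
# TEST is still set to that scenario by the CA copy above.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
# A stray bare "-" argument that followed --not-after was removed: no other
# pki --issue call in this script passes a positional operand, and a lone "-"
# is not an option pki recognises, so it was at best ignored.
pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
	--in ${TEST_KEY} --san ${CN} \
	--not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
	--crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
# Keep a copy under the CA's certs/ directory, named by serial number
cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem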
! 1602:
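# Generate a carol Monster certificate
# Same fixed validity as moon's (1 May 2009 to 1 May 2039, %d.%m.%y format),
# serial 02. TEST is still set to the after-2038-certs scenario.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
# A stray bare "-" argument that followed --not-after was removed: no other
# pki --issue call in this script passes a positional operand, and a lone "-"
# is not an option pki recognises, so it was at best ignored.
pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
	--in ${TEST_KEY} --san ${CN} \
	--not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
	--crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
# Keep a copy under the CA's certs/ directory, named by serial number
cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem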
! 1617:
################################################################################
# Bliss CA #
################################################################################

# Generate BLISS Root CA with 192 bit security strength
# BLISS keys and certs are written in DER (no --outform pem here), hence the
# .der file names throughout this section. --size selects the BLISS parameter
# set (4 = BLISS-IV, 192 bit per the comments in this section).
pki --gen --type bliss --size 4 > ${BLISS_KEY}
pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
	--not-before "${START}" --not-after "${CA_END}" --ca \
	--dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}

# Put a copy in the following scenarios
# Both the ikev2/ (ipsec.d cacerts/) and swanctl/ (x509ca/) variants of the
# rw-newhope-bliss and rw-ntru-bliss scenarios get the CA cert on every host.
for t in rw-newhope-bliss rw-ntru-bliss
do
	TEST="${TEST_DIR}/ikev2/${t}"
	for h in moon carol dave
	do
		mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
		cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
	done

	TEST="${TEST_DIR}/swanctl/${t}"
	for h in moon carol dave
	do
		mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
		cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
	done
done

# Generate a carol BLISS certificate with 128 bit security strength
# Each end entity is generated once in ikev2/rw-newhope-bliss and then copied
# to ikev2/rw-ntru-bliss and to both swanctl scenarios (swanctl keeps BLISS
# keys under bliss/).
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
pki --gen --type bliss --size 1 > ${TEST_KEY}
pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
	--crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
	TEST="${TEST_DIR}/swanctl/${t}"
	mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
	mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
	cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
	cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done

# Generate a dave BLISS certificate with 160 bit security strength
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
pki --gen --type bliss --size 3 > ${TEST_KEY}
pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
	--crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
	TEST="${TEST_DIR}/swanctl/${t}"
	mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
	mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
	cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
	cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
done

# Generate a moon BLISS certificate with 192 bit security strength
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
pki --gen --type bliss --size 4 > ${TEST_KEY}
pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
	--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
	--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
	--crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
	TEST="${TEST_DIR}/swanctl/${t}"
	mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
	mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
	cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
	cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
done
! 1741:
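################################################################################
# SQL Data #
################################################################################

# Collect the key and certificate material that the sql/* scenarios reference
# from their data.sql.in templates, as lowercase hex strings (hexdump emits
# one "%02x" per byte; pki --format hex emits hex as well).
#
# Files are passed to hexdump directly instead of "cat FILE | hexdump": with
# only errexit in effect (no pipefail) a missing file in the old pipeline
# produced an empty string and the script carried on; now hexdump itself
# fails and errexit stops the build. The remaining "pki/openssl | hexdump"
# pipelines still only report hexdump's status.
#
# Note that *private* keys (MOON_KEY_HEX etc.) end up verbatim in the
# generated data.sql of the respective test host, by design of these
# scenarios.
CA_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${CA_KEY})
CA_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in ${CA_KEY})
CA_CERT_HEX=$(hexdump -v -e '/1 "%02x"' ${CA_CERT_DER})
CA_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' ${CA_CERT})
#
# MOON_KEY/SUN_KEY are reassigned here to the DER keys under CA_DIR/keys and
# are reused as such by the "Raw RSA keys" section further down.
MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_KEY="${CA_DIR}/keys/moonKey.der"
MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_KEY_PEM_HEX=$(hexdump -v -e '/1 "%02x"' ${MOON_KEY_PEM})
MOON_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${MOON_KEY})
MOON_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY})
MOON_PUB_HEX=$(pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"')
MOON_CERT_HEX=$(openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"')
MOON_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' ${MOON_CERT})
#
SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_KEY="${CA_DIR}/keys/sunKey.der"
SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_KEY_PEM_HEX=$(hexdump -v -e '/1 "%02x"' ${SUN_KEY_PEM})
SUN_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${SUN_KEY})
SUN_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY})
SUN_CERT_HEX=$(openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"')
SUN_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' ${SUN_CERT})
#
CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CAROL_KEY="${CA_DIR}/keys/carolKey.der"
CAROL_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${CAROL_KEY})
CAROL_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY})
CAROL_PUB_HEX=$(pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"')
CAROL_CERT_HEX=$(openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"')
#
DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
DAVE_KEY="${CA_DIR}/keys/daveKey.der"
DAVE_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${DAVE_KEY})
DAVE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY})
DAVE_PUB_HEX=$(pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"')
DAVE_CERT_HEX=$(openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"')
#
ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
ALICE_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${ALICE_KEY})
ALICE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY})
ALICE_CERT_HEX=$(openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"')
#
VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
VENUS_KEY="${CA_DIR}/keys/venusKey.der"
VENUS_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${VENUS_KEY})
VENUS_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY})
VENUS_CERT_HEX=$(openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"')
#
# Research and Sales intermediate CAs (RESEARCH_*/SALES_* defined in the prologue)
RESEARCH_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY})
RESEARCH_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY})
RESEARCH_CERT_HEX=$(hexdump -v -e '/1 "%02x"' ${RESEARCH_CERT_DER})
#
# carol's certificate issued by the Research CA (serial 01 under RESEARCH_DIR)
CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
CAROL_R_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${CAROL_R_KEY})
CAROL_R_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY})
CAROL_R_CERT_HEX=$(openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"')
#
SALES_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY})
SALES_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY})
SALES_CERT_HEX=$(hexdump -v -e '/1 "%02x"' ${SALES_CERT_DER})
#
# dave's certificate issued by the Sales CA (serial 01 under SALES_DIR)
DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
DAVE_S_KEY="${SALES_DIR}/keys/01.der"
DAVE_S_KEY_HEX=$(hexdump -v -e '/1 "%02x"' ${DAVE_S_KEY})
DAVE_S_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY})
DAVE_S_CERT_HEX=$(openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"')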
! 1815: #
# Render data.sql from data.sql.in for each sql/* scenario and host by
# substituting the *_HEX placeholders collected above. The replacement values
# are hex digits only, so they contain no sed metacharacters and "/" is a
# safe delimiter. Each host's file gets the full placeholder set of its
# group even if its template uses only some of them.
for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
	ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
	rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
do
	for h in carol dave moon
	do
		TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
		sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
			-e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
			-e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
			-e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
			-e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
			-e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
			-e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
			-e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
			-e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
			-e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
			-e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
			-e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
			-e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
			-e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
			-e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
			-e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
			-e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
			-e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
			-e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
			-e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
			-e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
			-e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
			-e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
			-e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
			-e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
			-e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
			-e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
			${TEST_DATA}.in > ${TEST_DATA}
	done
done
#
# rw-eap-aka-rsa: only the CA and moon material is needed (carol authenticates
# with EAP-AKA, so no carol key/cert placeholders)
for t in rw-eap-aka-rsa
do
	for h in carol moon
	do
		TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
		sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
			-e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
			-e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
			-e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
			-e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
			-e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
			${TEST_DATA}.in > ${TEST_DATA}
	done
done
#
# net2net-* scenarios additionally get the PEM-encoded variants
# (*_PEM_HEX) of the moon/sun keys and certs and of the CA cert
for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
do
	for h in moon sun
	do
		TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
		sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
			-e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
			-e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
			-e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
			-e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
			-e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
			-e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
			-e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
			-e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
			-e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
			-e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
			-e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
			-e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
			-e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
			${TEST_DATA}.in > ${TEST_DATA}
	done
done
#
# shunt-policies-nat-rw: hosts alice, venus and sun
for t in shunt-policies-nat-rw
do
	for h in alice venus sun
	do
		TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
		sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
			-e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
			-e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
			-e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
			-e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
			-e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
			-e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
			-e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
			-e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
			-e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
			-e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
			-e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
			${TEST_DATA}.in > ${TEST_DATA}
	done
done
! 1912:
################################################################################
# Raw RSA keys #
################################################################################

# Public keys in DNSKEY format for the ikev2/net2net-rsa scenario, where
# moon and sun authenticate with raw RSA keys embedded in ipsec.conf.
# MOON_KEY/SUN_KEY still hold the CA_DIR/keys/*.der paths assigned in the
# SQL Data section. The sed delimiter is "|" rather than "/", presumably
# because the base64 DNSKEY payload may itself contain "/".
MOON_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in ${MOON_KEY})
SUN_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in ${SUN_KEY})
for h in moon sun
do
	TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
	sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
		-e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
		${TEST_DATA}.in > ${TEST_DATA}
done