Annotation of embedaddon/strongswan/testing/scripts/build-certs-chroot, revision 1.1.1.1
1.1 misho 1: #!/bin/bash
2:
3: set -o errexit
4:
5: echo "Building certificates"
6:
7: # Disable leak detective when using pki as it produces warnings in tzset
8: export LEAK_DETECTIVE_DISABLE=1
9:
10: # Determine testing directory
11: DIR="$(dirname `readlink -f $0`)/.."
12:
13: # Define some global variables
14: PROJECT="strongSwan Project"
15: CA_DIR="${DIR}/hosts/winnetou/etc/ca"
16: CA_KEY="${CA_DIR}/strongswanKey.pem"
17: CA_CERT="${CA_DIR}/strongswanCert.pem"
18: CA_CERT_DER="${CA_DIR}/strongswanCert.der"
19: CA_CRL="${CA_DIR}/strongswan.crl"
20: CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
21: CA_CDP="http://crl.strongswan.org/strongswan.crl"
22: CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
23: CA_OCSP="http://ocsp.strongswan.org:8880"
24: #
25: START=`date -d "-2 day" "+%d.%m.%y %T"`
26: SH_END=`date -d "-1 day" "+%d.%m.%y %T"` # 1 day
27: CA_END=`date -d "+3651 day" "+%d.%m.%y %T"` # 10 years
28: IM_END=`date -d "+3286 day" "+%d.%m.%y %T"` # 9 years
29: EE_END=`date -d "+2920 day" "+%d.%m.%y %T"` # 8 years
30: SH_EXP=`date -d "-1 day" "+%y%m%d%H%M%SZ"` # 1 day
31: IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"` # 9 years
32: EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"` # 8 years
33: NOW=`date "+%y%m%d%H%M%SZ"`
34: #
35: RESEARCH_DIR="${CA_DIR}/research"
36: RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
37: RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
38: RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
39: RESEARCH_CDP="http://crl.strongswan.org/research.crl"
40: #
41: SALES_DIR="${CA_DIR}/sales"
42: SALES_KEY="${SALES_DIR}/salesKey.pem"
43: SALES_CERT="${SALES_DIR}/salesCert.pem"
44: SALES_CERT_DER="${SALES_DIR}/salesCert.der"
45: SALES_CDP="http://crl.strongswan.org/sales.crl"
46: #
47: DUCK_DIR="${CA_DIR}/duck"
48: DUCK_KEY="${DUCK_DIR}/duckKey.pem"
49: DUCK_CERT="${DUCK_DIR}/duckCert.pem"
50: #
51: ECDSA_DIR="${CA_DIR}/ecdsa"
52: ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
53: ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
54: ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
55: #
56: RFC3779_DIR="${CA_DIR}/rfc3779"
57: RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
58: RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
59: RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
60: #
61: SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
62: SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
63: SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
64: SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
65: #
66: ED25519_DIR="${CA_DIR}/ed25519"
67: ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
68: ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
69: ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
70: #
71: MONSTER_DIR="${CA_DIR}/monster"
72: MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
73: MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
74: MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
75: MONSTER_CA_RSA_SIZE="8192"
76: MONSTER_EE_RSA_SIZE="4096"
77: #
78: BLISS_DIR="${CA_DIR}/bliss"
79: BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
80: BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
81: BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
82: #
83: RSA_SIZE="3072"
84: IPSEC_DIR="etc/ipsec.d"
85: SWANCTL_DIR="etc/swanctl"
86: TKM_DIR="etc/tkm"
87: HOSTS="carol dave moon sun alice venus bob"
88: TEST_DIR="${DIR}/tests"
89:
90: # Create directories
91: mkdir -p ${CA_DIR}/certs
92: mkdir -p ${CA_DIR}/keys
93: mkdir -p ${RESEARCH_DIR}/certs
94: mkdir -p ${RESEARCH_DIR}/keys
95: mkdir -p ${SALES_DIR}/certs
96: mkdir -p ${SALES_DIR}/keys
97: mkdir -p ${DUCK_DIR}/certs
98: mkdir -p ${ECDSA_DIR}/certs
99: mkdir -p ${RFC3779_DIR}/certs
100: mkdir -p ${SHA3_RSA_DIR}/certs
101: mkdir -p ${ED25519_DIR}/certs
102: mkdir -p ${MONSTER_DIR}/certs
103: mkdir -p ${BLISS_DIR}/certs
104:
105: ################################################################################
106: # strongSwan Root CA #
107: ################################################################################
108:
109: # Generate strongSwan Root CA
110: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
111: pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
112: --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
113: --outform pem > ${CA_CERT}
114:
115: # Distribute strongSwan Root CA certificate
116: for h in ${HOSTS}
117: do
118: HOST_DIR="${DIR}/hosts/${h}"
119: mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
120: mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
121: cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
122: cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
123: done
124:
125: # Put a copy onto the alice FreeRADIUS server
126: mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
127: cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
128:
129: # Convert strongSwan Root CA certificate into DER format
130: openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
131:
132: # Generate a stale CRL
133: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
134: --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
135:
136: # Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
137: TEST="${TEST_DIR}/ikev2/crl-ldap"
138: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
139: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
140: cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
141: cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
142:
143: # Generate host keys
144: for h in ${HOSTS}
145: do
146: HOST_DIR="${DIR}/hosts/${h}"
147: HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
148: mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
149: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
150:
151: # Put a copy into swanctl directory tree
152: mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
153: cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
154:
155: # Convert host key into DER format
156: openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
157: 2> /dev/null
158: done
159:
160: # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
161: for t in host2host-initiator host2host-responder host2host-xfrmproxy \
162: net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
163: do
164: TEST="${TEST_DIR}/tkm/${t}"
165: mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
166: cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
167: done
168:
169: # Put DER_encoded sun private key and Root CA certificate into tkm scenarios
170: TEST="${TEST_DIR}/tkm/multiple-clients"
171: mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
172: cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
173:
174: # Convert moon private key into unencrypted PKCS#8 format
175: TEST="${TEST_DIR}/ikev2/rw-pkcs8"
176: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
177: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
178: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
179: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
180:
181: # Convert carol private key into v1.5 DES encrypted PKCS#8 format
182: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
183: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
184: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
185: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
186: -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
187:
188: # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
189: HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
190: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
191: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
192: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v2 aes128 \
193: -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
194:
195: ################################################################################
196: # Public Key Extraction #
197: ################################################################################
198:
199: # Extract the raw moon public key for the swanctl/net2net-pubkey scenario
200: TEST="${TEST_DIR}/swanctl/net2net-pubkey"
201: TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
202: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
203: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
204: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
205: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
206: cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
207:
208: # Put a copy into the following ikev2 scenarios
209: for t in net2net-dnssec net2net-pubkey rw-dnssec
210: do
211: TEST="${TEST_DIR}/ikev2/${t}"
212: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
213: cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
214: done
215:
216: # Put a copy into the ikev2/net2net-pubkey scenario
217: TEST="${TEST_DIR}/ikev2/net2net-pubkey"
218: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
219: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
220:
221: # Put a copy into the swanctl/rw-dnssec scenario
222: TEST="${TEST_DIR}/swanctl/rw-dnssec"
223: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
224: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
225:
226: # Put a copy into the following swanctl scenarios
227: for t in rw-pubkey-anon rw-pubkey-keyid
228: do
229: TEST="${TEST_DIR}/swanctl/${t}"
230: for h in moon carol dave
231: do
232: mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
233: cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
234: done
235: done
236:
237: # Extract the raw sun public key for the swanctl/net2net-pubkey scenario
238: TEST="${TEST_DIR}/swanctl/net2net-pubkey"
239: TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
240: HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
241: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
242: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
243:
244: # Put a copy into the ikev2/net2net-dnssec scenario
245: TEST="${TEST_DIR}/ikev2/net2net-dnssec"
246: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
247: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
248:
249: # Put a copy into the ikev2/net2net-pubkey scenario
250: TEST="${TEST_DIR}/ikev2/net2net-pubkey"
251: cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
252: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
253:
254: # Put a copy into the swanctl/rw-pubkey-anon scenario
255: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
256: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
257:
258: # Extract the raw carol public key for the swanctl/rw-dnssec scenario
259: TEST="${TEST_DIR}/swanctl/rw-dnssec"
260: TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
261: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
262: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
263: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
264:
265: # Put a copy into the swanctl/rw-pubkey-anon scenario
266: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
267: cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
268: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
269:
270: # Put a copy into the swanctl/rw-pubkey-keyid scenario
271: TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
272: cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
273: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
274:
275: # Extract the raw dave public key for the swanctl/rw-dnssec scenario
276: TEST="${TEST_DIR}/swanctl/rw-dnssec"
277: TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
278: HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
279: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
280: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
281:
282: # Put a copy into the swanctl/rw-pubkey-anon scenario
283: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
284: cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
285: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
286:
287: # Put a copy into the swanctl/rw-pubkey-keyid scenario
288: TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
289: cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
290: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
291:
292: ################################################################################
293: # Host Certificate Generation #
294: ################################################################################
295:
296: # function issue_cert: serial host cn [ou]
297: issue_cert()
298: {
299: # does optional OU argument exist?
300: if [ -z "${4}" ]
301: then
302: OU=""
303: else
304: OU=" OU=${4},"
305: fi
306:
307: HOST_DIR="${DIR}/hosts/${2}"
308: HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
309: HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
310: mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs
311: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
312: --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
313: --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
314: --outform pem > ${HOST_CERT}
315: cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
316:
317: # Put a certificate copy into swanctl directory tree
318: mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
319: cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
320: }
321:
322: # Generate host certificates
323: issue_cert 01 carol carol@strongswan.org Research
324: issue_cert 02 dave dave@strongswan.org Accounting
325: issue_cert 03 moon moon.strongswan.org
326: issue_cert 04 sun sun.strongswan.org
327: issue_cert 05 alice alice@strongswan.org Sales
328: issue_cert 06 venus venus.strongswan.org
329: issue_cert 07 bob bob@strongswan.org Research
330:
331: # Create PKCS#12 file for moon
332: TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
333: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
334: HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
335: MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
336: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
337: openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
338: -certfile ${CA_CERT} -caname "strongSwan Root CA" \
339: -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
340:
341: # Create PKCS#12 file for sun
342: HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
343: HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
344: SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
345: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
346: openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
347: -certfile ${CA_CERT} -caname "strongSwan Root CA" \
348: -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
349:
350: # Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
351: for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
352: do
353: TEST="${TEST_DIR}/${t}"
354: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
355: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
356: cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
357: cp ${SUN_PKCS12} ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
358: done
359:
360: ################################################################################
361: # DNSSEC Zone Files #
362: ################################################################################
363:
364: # Store moon and sun certificates in strongswan.org zone
365: ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
366: echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
367: for h in moon sun
368: do
369: HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
370: cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
371: echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
372: done
373:
374: # Store public keys in strongswan.org zone
375: echo ";" >> ${ZONE_FILE}
376: for h in moon sun carol dave
377: do
378: HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
379: pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
380: echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
381: done
382:
383: # Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
384: TEST="${TEST_DIR}/swanctl/crl-to-cache"
385: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
386: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
387: CN="carol@strongswan.org"
388: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
389: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
390: --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
391: --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
392: --outform pem > ${TEST_CERT}
393:
394: # Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
395: TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
396: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
397: CN="moon.strongswan.org"
398: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
399: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
400: --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
401: --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
402: --outform pem > ${TEST_CERT}
403:
404: # Encrypt carolKey.pem
405: HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
406: KEY_PWD="nH5ZQEWtku0RJEZ6"
407: openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
408: 2> /dev/null
409:
410: # Put a copy into the ikev2/dynamic-initiator scenario
411: for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
412: do
413: TEST="${TEST_DIR}/${t}"
414: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
415: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
416: cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
417: cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
418: done
419:
420: # Put a copy into the swanctl/rw-cert scenario
421: TEST="${TEST_DIR}/swanctl/rw-cert"
422: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
423: cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
424:
425: # Generate another carol certificate and revoke it
426: TEST="${TEST_DIR}/ikev2/crl-revoked"
427: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
428: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
429: CN="carol@strongswan.org"
430: SERIAL="08"
431: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
432: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
433: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
434: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
435: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
436: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
437: --outform pem > ${TEST_CERT}
438: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
439: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
440: --serial ${SERIAL} > ${CA_CRL}
441: cp ${CA_CRL} ${CA_LAST_CRL}
442:
443: # Put a copy into the ikev2/ocsp-revoked scenario
444: TEST="${TEST_DIR}/ikev2/ocsp-revoked"
445: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
446: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
447: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
448: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
449:
450: # Generate another carol certificate with SN=002
451: TEST="${TEST_DIR}/ikev2/two-certs"
452: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
453: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
454: SERIAL="09"
455: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
456: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
457: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
458: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
459: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
460: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
461: --outform pem > ${TEST_CERT}
462: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
463:
464: ################################################################################
465: # Research CA Certificate Generation #
466: ################################################################################
467:
468: # Generate a Research CA certificate signed by the Root CA and revoke it
469: TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
470: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
471: SERIAL="0A"
472: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
473: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
474: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
475: --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
476: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
477: --outform pem > ${TEST_CERT}
478: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
479: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
480: --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
481: rm ${CA_LAST_CRL}
482:
483: # Generate Research CA with the same private key as above signed by Root CA
484: SERIAL="0B"
485: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
486: --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
487: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
488: --outform pem > ${RESEARCH_CERT}
489: cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
490:
491: # Put a certificate copy into the following scenarios
492: for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
493: ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
494: ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
495: do
496: TEST="${TEST_DIR}/${t}"
497: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
498: cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
499: done
500:
501: for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
502: ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
503: do
504: TEST="${TEST_DIR}/${t}"
505: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
506: cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
507: done
508:
509: for t in multi-level-ca ocsp-multi-level
510: do
511: TEST="${TEST_DIR}/swanctl/${t}"
512: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
513: cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
514: done
515:
516: for t in rw-hash-and-url-multi-level
517: do
518: TEST="${TEST_DIR}/swanctl/${t}"
519: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
520: cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
521: done
522:
523: # Convert Research CA certificate into DER format
524: openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
525:
526: # Generate Research CA with the same private key as above but invalid CDP
527: TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
528: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
529: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
530: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
531: --crl "http://crl.strongswan.org/not-available.crl" \
532: --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
533: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
534: --outform pem > ${TEST_CERT}
535:
536: ################################################################################
537: # Sales CA Certificate Generation #
538: ################################################################################
539:
540: # Generate Sales CA signed by Root CA
541: SERIAL="0C"
542: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
543: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
544: --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
545: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
546: --outform pem > ${SALES_CERT}
547: cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
548:
549: # Put a certificate copy into the following scenarios
550: for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
551: ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
552: ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
553: do
554: TEST="${TEST_DIR}/${t}"
555: cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
556: done
557:
558: for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
559: ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
560: do
561: TEST="${TEST_DIR}/${t}"
562: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
563: cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
564: done
565:
566: for t in multi-level-ca ocsp-multi-level
567: do
568: TEST="${TEST_DIR}/swanctl/${t}"
569: cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
570: done
571:
572: for t in rw-hash-and-url-multi-level
573: do
574: TEST="${TEST_DIR}/swanctl/${t}"
575: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
576: cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
577: done
578:
579: # Convert Sales CA certificate into DER format
580: openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
581:
582: # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
583: TEST="${TEST_DIR}/ikev2/strong-keys-certs"
584: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
585: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
586: KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
587: CN="moon.strongswan.org"
588: SERIAL="0D"
589: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
590: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
591: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
592: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
593: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
594: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
595: --digest sha224 --outform pem > ${TEST_CERT}
596: openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
597: 2> /dev/null
598: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
599:
600: # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
601: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
602: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
603: KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
604: CN="carol@strongswan.org"
605: SERIAL="0E"
606: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
607: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
608: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
609: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
610: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
611: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
612: --digest sha384 --outform pem > ${TEST_CERT}
613: openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
614: 2> /dev/null
615: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
616:
617: # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
618: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
619: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
620: KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
621: CN="dave@strongswan.org"
622: SERIAL="0F"
623: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
624: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
625: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
626: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
627: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
628: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
629: --digest sha512 --outform pem > ${TEST_CERT}
630: openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
631: 2> /dev/null
632: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
633:
634: # Generate another carol certificate with an OCSP URI
635: TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
636: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
637: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
638: CN="carol@strongswan.org"
639: SERIAL="10"
640: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
641: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
642: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
643: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
644: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
645: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
646: --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
647: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
648:
649: # Put a copy into the ikev2/ocsp-timeouts-good scenario
650: TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
651: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
652: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
653: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
654: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
655:
656: # Put a copy into the swanctl/ocsp-signer-cert scenario
657: for t in ocsp-signer-cert ocsp-disabled
658: do
659: cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
660: mkdir -p rsa x509
661: cp ${TEST_KEY} rsa
662: cp ${TEST_CERT} x509
663: done
664:
665: # Generate an OCSP Signing certificate for the strongSwan Root CA
666: TEST_KEY="${CA_DIR}/ocspKey.pem"
667: TEST_CERT="${CA_DIR}/ocspCert.pem"
668: CN="ocsp.strongswan.org"
669: OU="OCSP Signing Authority"
670: SERIAL="11"
671: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
672: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
673: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
674: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
675: --flag ocspSigning --outform pem > ${TEST_CERT}
676: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
677:
678: # Generate a self-signed OCSP Signing certificate
679: TEST_KEY="${CA_DIR}/ocspKey-self.pem"
680: TEST_CERT="${CA_DIR}/ocspCert-self.pem"
681: OU="OCSP Self-Signed Authority"
682: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
683: pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
684: --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
685: --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
686: --outform pem > ${TEST_CERT}
687:
688: # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
689: TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
690: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
691: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
692: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
693: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
694:
695: # Generate mars virtual server certificate
696: TEST="${TEST_DIR}/ha/both-active"
697: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
698: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
699: CN="mars.strongswan.org"
700: OU="Virtual VPN Gateway"
701: SERIAL="12"
702: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
703: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
704: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
705: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
706: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
707: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
708: --flag serverAuth --outform pem > ${TEST_CERT}
709: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
710:
711: # Put a copy into the mirrored gateway
712: mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
713: mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
714: cp ${TEST_KEY} ${TEST}/hosts/alice/${IPSEC_DIR}/private
715: cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
716:
717: # Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
718: for t in "ha/active-passive" "ikev2/redirect-active"
719: do
720: TEST="${TEST_DIR}/${t}"
721: for h in alice moon
722: do
723: mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
724: mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
725: cp ${TEST_KEY} ${TEST}/hosts/${h}/${IPSEC_DIR}/private
726: cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
727: done
728: done
729:
730: # Generate moon certificate with an unsupported critical X.509 extension
731: TEST="${TEST_DIR}/ikev2/critical-extension"
732: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
733: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
734: CN="moon.strongswan.org"
735: SERIAL="13"
736: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
737: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
738: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
739: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
740: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
741: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
742: --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
743: --outform pem > ${TEST_CERT}
744: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
745:
746: # Put a copy in the openssl-ikev2/critical extension scenario
747: TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
748: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
749: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
750: cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
751: cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
752:
753: # Generate sun certificate with an unsupported critical X.509 extension
754: TEST="${TEST_DIR}/ikev2/critical-extension"
755: TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
756: TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
757: CN="sun.strongswan.org"
758: SERIAL="14"
759: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
760: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
761: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
762: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
763: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
764: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
765: --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
766: --outform pem > ${TEST_CERT}
767: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
768:
769: # Put a copy in the openssl-ikev2/critical extension scenario
770: TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
771: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
772: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
773: cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
774: cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
775:
776: # Generate winnetou server certificate
777: HOST_KEY="${CA_DIR}/winnetouKey.pem"
778: HOST_CERT="${CA_DIR}/winnetouCert.pem"
779: CN="winnetou.strongswan.org"
780: SERIAL="15"
781: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
782: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
783: --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
784: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
785: --flag serverAuth --outform pem > ${HOST_CERT}
786: cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
787:
788: # Generate AAA server certificate
789: TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
790: TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
791: TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
792: CN="aaa.strongswan.org"
793: SERIAL="16"
794: cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
795: mkdir -p rsa x509
796: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
797: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
798: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
799: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
800: --flag serverAuth --outform pem > ${TEST_CERT}
801: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
802:
803: # Put a copy into various tnc scenarios
804: for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
805: do
806: cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
807: mkdir -p rsa x509
808: cp ${TEST_KEY} rsa
809: cp ${TEST_CERT} x509
810: done
811:
812: # Put a copy into the alice FreeRADIUS server
813: cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
814:
815: ################################################################################
816: # strongSwan Attribute Authority #
817: ################################################################################
818:
819: # Generate Attribute Authority certificate
820: TEST="${TEST_DIR}/ikev2/acert-cached"
821: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
822: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
823: CN="strongSwan Attribute Authority"
824: SERIAL="17"
825: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
826: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
827: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
828: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
829: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
830: --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
831: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
832: --outform pem > ${TEST_CERT}
833: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
834:
835: # Generate carol's attribute certificate for sales and finance
836: ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
837: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
838: --in ${CA_DIR}/certs/01.pem --group sales --group finance \
839: --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
840:
841: # Generate dave's expired attribute certificate for sales
842: ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
843: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
844: --in ${CA_DIR}/certs/02.pem --group sales \
845: --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
846:
847: # Generate dave's attribute certificate for marketing
848: ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
849: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
850: --in ${CA_DIR}/certs/02.pem --group marketing \
851: --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
852:
853: # Put a copy into the ikev2/acert-fallback scenario
854: TEST="${TEST_DIR}/ikev2/acert-fallback"
855: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
856: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
857: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
858: cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
859: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
860:
861: # Generate carol's expired attribute certificate for finance
862: ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
863: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
864: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
865: --in ${CA_DIR}/certs/01.pem --group finance \
866: --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
867:
868: # Generate carol's valid attribute certificate for sales
869: ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
870: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
871: --in ${CA_DIR}/certs/01.pem --group sales \
872: --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
873:
874: # Put a copy into the ikev2/acert-inline scenario
875: TEST="${TEST_DIR}/ikev2/acert-inline"
876: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
877: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
878: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
879: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
880: cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
881: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
882: cp ${ACERT_CS} ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
883: cp ${ACERT_DM} ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
884:
885: # Generate a short-lived Attribute Authority certificate
886: CN="strongSwan Legacy AA"
887: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
888: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
889: SERIAL="18"
890: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
891: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
892: --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
893: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
894: --outform pem > ${TEST_CERT}
895: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
896:
897: # Generate dave's attribute certificate for sales from expired AA
898: ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
899: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
900: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
901: --in ${CA_DIR}/certs/02.pem --group sales \
902: --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
903:
904: ################################################################################
905: # strongSwan Root CA index for OCSP server #
906: ################################################################################
907:
908: # generate index.txt file for Root OCSP server
909: cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
910: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
911: sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
912: sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
913: sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
914:
915: ################################################################################
916: # Research CA #
917: ################################################################################
918:
919: # Generate a carol research certificate
920: TEST="${TEST_DIR}/ikev2/multi-level-ca"
921: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
922: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
923: CN="carol@strongswan.org"
924: SERIAL="01"
925: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
926: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
927: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
928: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
929: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
930: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
931: --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
932: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
933:
934: # Save a copy of the private key in DER format
935: openssl rsa -in ${TEST_KEY} -outform der \
936: -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
937:
938: # Put a copy in the following scenarios
939: for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
940: ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
941: ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
942: ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
943: ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
944: ikev1/multi-level-ca-cr-resp
945: do
946: TEST="${TEST_DIR}/${t}"
947: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
948: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
949: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
950: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
951: done
952:
953: for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
954: do
955: TEST="${TEST_DIR}/swanctl/${t}"
956: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
957: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
958: cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
959: cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
960: done
961:
962: # Generate a carol research certificate without a CDP
963: TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
964: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
965: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
966: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
967: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
968: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
969: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
970: --outform pem > ${TEST_CERT}
971: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
972:
973: # Generate an OCSP Signing certificate for the Research CA
974: TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
975: TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
976: OU="Research OCSP Signing Authority"
977: CN="ocsp.research.strongswan.org"
978: SERIAL="02"
979: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
980: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
981: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
982: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
983: --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
984: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
985:
986: # Generate a Sales CA certificate signed by the Research CA
987: TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
988: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
989: SERIAL="03"
990: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
991: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
992: --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
993: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
994: --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
995: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
996:
997: ################################################################################
998: # Duck Research CA #
999: ################################################################################
1000:
1001: # Generate a Duck Research CA certificate signed by the Research CA
1002: SERIAL="04"
1003: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
1004: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
1005: --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1006: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
1007: --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
1008: cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
1009:
1010: # Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
1011: TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
1012: cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1013:
1014: # Generate a carol certificate signed by the Duck Research CA
1015: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
1016: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1017: CN="carol@strongswan.org"
1018: SERIAL="01"
1019: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1020: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1021: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1022: pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
1023: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1024: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
1025: --outform pem > ${TEST_CERT}
1026: cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
1027:
1028: # Generate index.txt file for Research OCSP server
1029: cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
1030: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
1031:
1032: ################################################################################
1033: # Sales CA #
1034: ################################################################################
1035:
1036: # Generate a dave sales certificate
1037: TEST="${TEST_DIR}/ikev2/multi-level-ca"
1038: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
1039: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1040: CN="dave@strongswan.org"
1041: SERIAL="01"
1042: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1043: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1044: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1045: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1046: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1047: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1048: --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1049: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1050:
1051: # Save a copy of the private key in DER format
1052: openssl rsa -in ${TEST_KEY} -outform der \
1053: -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
1054:
1055: # Put a copy in the following scenarios
1056: for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
1057: ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
1058: ikev2/ocsp-multi-level ikev1/multi-level-ca \
1059: ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
1060: do
1061: TEST="${TEST_DIR}/${t}"
1062: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1063: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1064: cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1065: cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1066: done
1067:
1068: for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
1069: do
1070: TEST="${TEST_DIR}/swanctl/${t}"
1071: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1072: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1073: cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1074: cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1075: done
1076:
1077: # Generate a dave sales certificate with an inactive OCSP URI and no CDP
1078: TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
1079: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1080: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1081: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1082: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1083: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1084: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1085: --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
1086: cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1087:
1088: # Generate an OCSP Signing certificate for the Sales CA
1089: TEST_KEY="${SALES_DIR}/ocspKey.pem"
1090: TEST_CERT="${SALES_DIR}/ocspCert.pem"
1091: OU="Sales OCSP Signing Authority"
1092: CN="ocsp.sales.strongswan.org"
1093: SERIAL="02"
1094: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1095: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1096: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1097: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
1098: --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
1099: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1100:
1101: # Generate a Research CA certificate signed by the Sales CA
1102: TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
1103: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
1104: SERIAL="03"
1105: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1106: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1107: --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1108: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
1109: --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1110: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1111:
1112: # generate index.txt file for Sales OCSP server
1113: cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
1114: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
1115:
1116: ################################################################################
1117: # strongSwan EC Root CA #
1118: ################################################################################
1119:
1120: # Generate strongSwan EC Root CA
1121: pki --gen --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
1122: pki --self --type ecdsa --in ${ECDSA_KEY} \
1123: --not-before "${START}" --not-after "${CA_END}" --ca \
1124: --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
1125: --outform pem > ${ECDSA_CERT}
1126:
1127: # Put a copy in the openssl-ikev2/ecdsa-certs scenario
1128: for t in ecdsa-certs ecdsa-pkcs8
1129: do
1130: TEST="${TEST_DIR}/openssl-ikev2/${t}"
1131: for h in moon carol dave
1132: do
1133: mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1134: cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1135: done
1136: done
1137:
1138: # Generate a moon ECDSA 521 bit certificate
1139: TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
1140: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
1141: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1142: CN="moon.strongswan.org"
1143: SERIAL="01"
1144: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
1145: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1146: pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
1147: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1148: --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1149: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
1150: --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
1151: cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1152:
1153: # Generate a carol ECDSA 256 bit certificate
1154: CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
1155: CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1156: CN="carol@strongswan.org"
1157: SERIAL="02"
1158: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
1159: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1160: pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
1161: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1162: --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1163: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
1164: --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
1165: cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1166:
1167: # Generate a dave ECDSA 384 bit certificate
1168: DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
1169: DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1170: CN="dave@strongswan.org"
1171: SERIAL="03"
1172: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
1173: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1174: pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
1175: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1176: --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1177: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
1178: --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
1179: cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1180:
1181: # Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
1182: TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
1183: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1184: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1185: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1186: cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1187: cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1188: cp ${DAVE_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1189:
1190: # Convert moon private key into unencrypted PKCS#8 format
1191: TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
1192: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1193: openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
1194:
1195: # Convert carol private key into v1.5 DES encrypted PKCS#8 format
1196: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
1197: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
1198: openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
1199: -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
1200:
1201: # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
1202: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
1203: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
1204: openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8 -v2 aes128 \
1205: -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
1206:
1207: # Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
1208: TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
1209: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1210: mkdir -p ecdsa x509 x509ca
1211: cp ${MOON_KEY} ecdsa
1212: cp ${MOON_CERT} x509
1213: cp ${ECDSA_CERT} x509ca
1214: cd ${TEST}/hosts/carol/${SWANCTL_DIR}
1215: mkdir -p ecdsa x509 x509ca
1216: cp ${CAROL_KEY} ecdsa
1217: cp ${CAROL_CERT} x509
1218: cp ${ECDSA_CERT} x509ca
1219: cd ${TEST}/hosts/dave/${SWANCTL_DIR}
1220: mkdir -p ecdsa x509 x509ca
1221: cp ${DAVE_KEY} ecdsa
1222: cp ${DAVE_CERT} x509
1223: cp ${ECDSA_CERT} x509ca
1224:
1225: ################################################################################
1226: # strongSwan RFC3779 Root CA #
1227: ################################################################################
1228:
1229: # Generate strongSwan RFC3779 Root CA
1230: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
1231: pki --self --type rsa --in ${RFC3779_KEY} \
1232: --not-before "${START}" --not-after "${CA_END}" --ca \
1233: --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
1234: --addrblock "10.1.0.0-10.2.255.255" \
1235: --addrblock "10.3.0.1-10.3.3.232" \
1236: --addrblock "192.168.0.0/24" \
1237: --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
1238: --outform pem > ${RFC3779_CERT}
1239:
1240: # Put a copy in the ikev2/net2net-rfc3779 scenario
1241: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1242: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1243: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1244: cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1245: cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1246:
1247: # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
1248: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1249: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1250: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1251: cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1252: cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1253:
1254: # Generate a moon RFC3779 certificate
1255: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1256: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1257: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1258: CN="moon.strongswan.org"
1259: SERIAL="01"
1260: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1261: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1262: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1263: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1264: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1265: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1266: --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
1267: --addrblock "fec0::1/128" --addrblock "fec1::/16" \
1268: --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1269: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1270:
1271: # Put a copy in the ipv6 scenarios
1272: for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
1273: do
1274: cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
1275: mkdir -p rsa x509 x509ca
1276: cp ${TEST_KEY} rsa
1277: cp ${TEST_CERT} x509
1278: cp ${RFC3779_CERT} x509ca
1279: done
1280:
1281: # Generate a sun RFC3779 certificate
1282: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1283: TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
1284: TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
1285: CN="sun.strongswan.org"
1286: SERIAL="02"
1287: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
1288: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
1289: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1290: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1291: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1292: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1293: --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
1294: --addrblock "fec0::2/128" --addrblock "fec2::/16" \
1295: --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1296: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1297:
1298: # Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
1299: cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
1300: mkdir -p rsa x509 x509ca
1301: cp ${TEST_KEY} rsa
1302: cp ${TEST_CERT} x509
1303: cp ${RFC3779_CERT} x509ca
1304:
1305: # Generate a carol RFC3779 certificate
1306: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1307: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1308: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1309: CN="carol@strongswan.org"
1310: SERIAL="03"
1311: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1312: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1313: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1314: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1315: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1316: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1317: --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
1318: --addrblock "fec0::10/128" \
1319: --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1320: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1321:
1322: # Generate a carol RFC3779 certificate
1323: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1324: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1325: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1326: CN="dave@strongswan.org"
1327: SERIAL="04"
1328: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1329: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1330: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1331: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1332: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1333: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1334: --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
1335: --addrblock "fec0::20/128" \
1336: --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1337: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1338:
1339: ################################################################################
1340: # strongSwan SHA3-RSA Root CA #
1341: ################################################################################
1342:
1343: # Use specific plugin configuration to issue certificates with SHA-3 signatures
1344: # as not all crypto plugins support them. To avoid entropy issues use the
1345: # default plugins to generate the keys.
1346: SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
1347:
1348: # Generate strongSwan SHA3-RSA Root CA
1349: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
1350: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1351: pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
1352: --not-before "${START}" --not-after "${CA_END}" --ca \
1353: --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
1354: --outform pem > ${SHA3_RSA_CERT}
1355:
1356: # Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
1357: TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
1358: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1359: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1360: cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1361: cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1362:
1363: # Generate a sun SHA3-RSA certificate
1364: SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
1365: SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1366: CN="sun.strongswan.org"
1367: SERIAL="01"
1368: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
1369: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
1370: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
1371: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1372: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1373: --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1374: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1375: --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
1376: cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1377:
1378: # Generate a moon SHA3-RSA certificate
1379: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
1380: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1381: CN="moon.strongswan.org"
1382: SERIAL="02"
1383: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1384: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1385: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
1386: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1387: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1388: --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1389: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1390: --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
1391: cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1392:
1393: # Put a copy in the botan/net2net-sha3-rsa-cert scenario
1394: TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
1395: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1396: mkdir -p rsa x509 x509ca
1397: cp ${MOON_KEY} rsa
1398: cp ${MOON_CERT} x509
1399: cp ${SHA3_RSA_CERT} x509ca
1400: cd ${TEST}/hosts/sun/${SWANCTL_DIR}
1401: mkdir -p rsa x509 x509ca
1402: cp ${SUN_KEY} rsa
1403: cp ${SUN_CERT} x509
1404: cp ${SHA3_RSA_CERT} x509ca
1405:
1406: # Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
1407: TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
1408: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1409: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1410: cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1411: cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1412:
1413: # Generate a carol SHA3-RSA certificate
1414: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1415: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1416: CN="carol@strongswan.org"
1417: SERIAL="03"
1418: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1419: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1420: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1421: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1422: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1423: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1424: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1425: --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
1426: cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1427:
1428: # Generate a dave SHA3-RSA certificate
1429: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1430: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1431: CN="dave@strongswan.org"
1432: SERIAL="04"
1433: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1434: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1435: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1436: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1437: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1438: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1439: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1440: --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
1441: cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1442:
1443: for h in moon carol dave
1444: do
1445: mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1446: cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1447: done
1448:
1449: ################################################################################
1450: # strongSwan Ed25519 Root CA #
1451: ################################################################################
1452:
1453: # Generate strongSwan Ed25519 Root CA
1454: pki --gen --type ed25519 --outform pem > ${ED25519_KEY}
1455: pki --self --type ed25519 --in ${ED25519_KEY} \
1456: --not-before "${START}" --not-after "${CA_END}" --ca \
1457: --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
1458: --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
1459: --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
1460: --outform pem > ${ED25519_CERT}
1461:
1462: # Put a copy in the swanctl/net2net-ed25519 scenario
1463: TEST="${TEST_DIR}/swanctl/net2net-ed25519"
1464: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1465: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1466: cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1467: cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1468:
1469: # Generate a sun Ed25519 certificate
1470: SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
1471: SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1472: CN="sun.strongswan.org"
1473: SERIAL="01"
1474: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
1475: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
1476: pki --gen --type ed25519 --outform pem > ${SUN_KEY}
1477: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1478: --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1479: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1480: --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
1481: --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
1482: cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1483:
1484: # Generate a moon Ed25519 certificate
1485: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
1486: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1487: CN="moon.strongswan.org"
1488: SERIAL="02"
1489: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1490: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1491: pki --gen --type ed25519 --outform pem > ${MOON_KEY}
1492: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1493: --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1494: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1495: --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
1496: --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
1497: cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1498:
1499: # Put a copy in the botan/net2net-ed25519 scenario
1500: TEST="${TEST_DIR}/botan/net2net-ed25519"
1501: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1502: mkdir -p pkcs8 x509 x509ca
1503: cp ${MOON_KEY} pkcs8
1504: cp ${MOON_CERT} x509
1505: cp ${ED25519_CERT} x509ca
1506: cd ${TEST}/hosts/sun/${SWANCTL_DIR}
1507: mkdir -p pkcs8 x509 x509ca
1508: cp ${SUN_KEY} pkcs8
1509: cp ${SUN_CERT} x509
1510: cp ${ED25519_CERT} x509ca
1511:
1512: # Put a copy in the ikev2/net2net-ed25519 scenario
1513: TEST="${TEST_DIR}/ikev2/net2net-ed25519"
1514: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
1515: cd ${TEST}/hosts/moon/${IPSEC_DIR}
1516: mkdir -p cacerts certs private
1517: cp ${MOON_KEY} private
1518: cp ${MOON_CERT} certs
1519: cp ${ED25519_CERT} cacerts
1520: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
1521: cd ${TEST}/hosts/sun/${IPSEC_DIR}
1522: mkdir -p cacerts certs private
1523: cp ${SUN_KEY} private
1524: cp ${SUN_CERT} certs
1525: cp ${ED25519_CERT} cacerts
1526:
1527: # Put a copy in the swanctl/rw-ed25519-certpol scenario
1528: TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
1529: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1530: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1531: cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1532: cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1533:
1534: for h in moon carol dave
1535: do
1536: mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1537: cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1538: done
1539:
1540: # Generate a carol Ed25519 certificate
1541: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
1542: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1543: CN="carol@strongswan.org"
1544: SERIAL="03"
1545: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
1546: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1547: pki --gen --type ed25519 --outform pem > ${TEST_KEY}
1548: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1549: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1550: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1551: --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
1552: --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
1553: cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1554:
1555: # Generate a dave Ed25519 certificate
1556: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
1557: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1558: CN="dave@strongswan.org"
1559: SERIAL="04"
1560: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
1561: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1562: pki --gen --type ed25519 --outform pem > ${TEST_KEY}
1563: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1564: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1565: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1566: --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
1567: --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
1568: cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1569:
1570: ################################################################################
1571: # strongSwan Monster Root CA #
1572: ################################################################################
1573:
1574: # Generate strongSwan Monster Root CA
1575: pki --gen --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
1576: pki --self --type rsa --in ${MONSTER_KEY} \
1577: --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
1578: --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
1579: --outform pem > ${MONSTER_CERT}
1580:
1581: # Put a copy in the ikev2/after-2038-certs scenario
1582: TEST="${TEST_DIR}/ikev2/after-2038-certs"
1583: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1584: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
1585: cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1586: cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
1587:
1588: # Generate a moon Monster certificate
1589: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1590: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1591: CN="moon.strongswan.org"
1592: SERIAL="01"
1593: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1594: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1595: pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
1596: pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
1597: --in ${TEST_KEY} --san ${CN} \
1598: --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
1599: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
1600: --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
1601: cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
1602:
1603: # Generate a carol Monster certificate
1604: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
1605: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1606: CN="carol@strongswan.org"
1607: SERIAL="02"
1608: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1609: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1610: pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
1611: pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
1612: --in ${TEST_KEY} --san ${CN} \
1613: --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
1614: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
1615: --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
1616: cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
1617:
1618: ################################################################################
1619: # Bliss CA #
1620: ################################################################################
1621:
1622: # Generate BLISS Root CA with 192 bit security strength
1623: pki --gen --type bliss --size 4 > ${BLISS_KEY}
1624: pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
1625: --not-before "${START}" --not-after "${CA_END}" --ca \
1626: --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
1627:
1628: # Put a copy in the following scenarios
1629: for t in rw-newhope-bliss rw-ntru-bliss
1630: do
1631: TEST="${TEST_DIR}/ikev2/${t}"
1632: for h in moon carol dave
1633: do
1634: mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
1635: cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
1636: done
1637:
1638: TEST="${TEST_DIR}/swanctl/${t}"
1639: for h in moon carol dave
1640: do
1641: mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1642: cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1643: done
1644: done
1645:
1646: # Generate a carol BLISS certificate with 128 bit security strength
1647: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1648: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
1649: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
1650: CN="carol@strongswan.org"
1651: SERIAL="01"
1652: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1653: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1654: pki --gen --type bliss --size 1 > ${TEST_KEY}
1655: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1656: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1657: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
1658: --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1659: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1660:
1661: # Put a copy in the ikev2/rw-ntru-bliss scenario
1662: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1663: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1664: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1665: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
1666: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1667:
1668: # Put a copy in the swanctl scenarios
1669: for t in rw-newhope-bliss rw-ntru-bliss
1670: do
1671: TEST="${TEST_DIR}/swanctl/${t}"
1672: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
1673: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1674: cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
1675: cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1676: done
1677:
1678: # Generate a dave BLISS certificate with 160 bit security strength
1679: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1680: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
1681: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
1682: CN="dave@strongswan.org"
1683: SERIAL="02"
1684: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1685: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1686: pki --gen --type bliss --size 3 > ${TEST_KEY}
1687: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1688: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1689: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
1690: --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1691: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1692:
1693: # Put a copy in the ikev2/rw-ntru-bliss scenario
1694: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1695: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1696: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1697: cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
1698: cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
1699:
1700: # Put a copy in the swanctl scenarios
1701: for t in rw-newhope-bliss rw-ntru-bliss
1702: do
1703: TEST="${TEST_DIR}/swanctl/${t}"
1704: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
1705: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1706: cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
1707: cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
1708: done
1709:
1710: # Generate a moon BLISS certificate with 192 bit security strength
1711: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1712: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
1713: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
1714: CN="moon.strongswan.org"
1715: SERIAL="03"
1716: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1717: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1718: pki --gen --type bliss --size 4 > ${TEST_KEY}
1719: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1720: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1721: --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
1722: --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1723: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1724:
1725: # Put a copy in the ikev2/rw-ntru-bliss scenario
1726: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1727: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1728: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1729: cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
1730: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
1731:
1732: # Put a copy in the swanctl scenarios
1733: for t in rw-newhope-bliss rw-ntru-bliss
1734: do
1735: TEST="${TEST_DIR}/swanctl/${t}"
1736: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
1737: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1738: cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
1739: cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
1740: done
1741:
1742: ################################################################################
1743: # SQL Data #
1744: ################################################################################
1745:
1746: CA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CA_KEY}`
1747: CA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${CA_KEY}`
1748: CA_CERT_HEX=`cat ${CA_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1749: CA_CERT_PEM_HEX=`cat ${CA_CERT} | hexdump -v -e '/1 "%02x"'`
1750: #
1751: MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1752: MOON_KEY="${CA_DIR}/keys/moonKey.der"
1753: MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
1754: MOON_KEY_PEM_HEX=`cat ${MOON_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
1755: MOON_KEY_HEX=`cat ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
1756: MOON_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY}`
1757: MOON_PUB_HEX=`pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
1758: MOON_CERT_HEX=`openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1759: MOON_CERT_PEM_HEX=`cat ${MOON_CERT} | hexdump -v -e '/1 "%02x"'`
1760: #
1761: SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1762: SUN_KEY="${CA_DIR}/keys/sunKey.der"
1763: SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
1764: SUN_KEY_PEM_HEX=`cat ${SUN_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
1765: SUN_KEY_HEX=`cat ${SUN_KEY} | hexdump -v -e '/1 "%02x"'`
1766: SUN_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY}`
1767: SUN_CERT_HEX=`openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1768: SUN_CERT_PEM_HEX=`cat ${SUN_CERT} | hexdump -v -e '/1 "%02x"'`
1769: #
1770: CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1771: CAROL_KEY="${CA_DIR}/keys/carolKey.der"
1772: CAROL_KEY_HEX=`cat ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
1773: CAROL_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY}`
1774: CAROL_PUB_HEX=`pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
1775: CAROL_CERT_HEX=`openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1776: #
1777: DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1778: DAVE_KEY="${CA_DIR}/keys/daveKey.der"
1779: DAVE_KEY_HEX=`cat ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
1780: DAVE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY}`
1781: DAVE_PUB_HEX=`pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
1782: DAVE_CERT_HEX=`openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1783: #
1784: ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
1785: ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
1786: ALICE_KEY_HEX=`cat ${ALICE_KEY} | hexdump -v -e '/1 "%02x"'`
1787: ALICE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY}`
1788: ALICE_CERT_HEX=`openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1789: #
1790: VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
1791: VENUS_KEY="${CA_DIR}/keys/venusKey.der"
1792: VENUS_KEY_HEX=`cat ${VENUS_KEY} | hexdump -v -e '/1 "%02x"'`
1793: VENUS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY}`
1794: VENUS_CERT_HEX=`openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1795: #
1796: RESEARCH_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY}`
1797: RESEARCH_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY}`
1798: RESEARCH_CERT_HEX=`cat ${RESEARCH_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1799: #
1800: CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
1801: CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
1802: CAROL_R_KEY_HEX=`cat ${CAROL_R_KEY} | hexdump -v -e '/1 "%02x"'`
1803: CAROL_R_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY}`
1804: CAROL_R_CERT_HEX=`openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1805: #
1806: SALES_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY}`
1807: SALES_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY}`
1808: SALES_CERT_HEX=`cat ${SALES_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1809: #
1810: DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
1811: DAVE_S_KEY="${SALES_DIR}/keys/01.der"
1812: DAVE_S_KEY_HEX=`cat ${DAVE_S_KEY} | hexdump -v -e '/1 "%02x"'`
1813: DAVE_S_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY}`
1814: DAVE_S_CERT_HEX=`openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1815: #
1816: for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
1817: ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
1818: rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
1819: do
1820: for h in carol dave moon
1821: do
1822: TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1823: sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1824: -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1825: -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1826: -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1827: -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1828: -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
1829: -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1830: -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
1831: -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
1832: -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
1833: -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
1834: -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
1835: -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
1836: -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
1837: -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
1838: -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
1839: -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
1840: -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
1841: -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
1842: -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
1843: -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
1844: -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
1845: -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
1846: -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
1847: -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
1848: -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
1849: -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
1850: ${TEST_DATA}.in > ${TEST_DATA}
1851: done
1852: done
1853: #
1854: for t in rw-eap-aka-rsa
1855: do
1856: for h in carol moon
1857: do
1858: TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1859: sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1860: -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1861: -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1862: -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1863: -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1864: -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1865: ${TEST_DATA}.in > ${TEST_DATA}
1866: done
1867: done
1868: #
1869: for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
1870: do
1871: for h in moon sun
1872: do
1873: TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1874: sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1875: -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1876: -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1877: -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
1878: -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
1879: -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1880: -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1881: -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1882: -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
1883: -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
1884: -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
1885: -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
1886: -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
1887: -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
1888: ${TEST_DATA}.in > ${TEST_DATA}
1889: done
1890: done
1891: #
1892: for t in shunt-policies-nat-rw
1893: do
1894: for h in alice venus sun
1895: do
1896: TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1897: sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1898: -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1899: -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1900: -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
1901: -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
1902: -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
1903: -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
1904: -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
1905: -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
1906: -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
1907: -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
1908: -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
1909: ${TEST_DATA}.in > ${TEST_DATA}
1910: done
1911: done
1912:
1913: ################################################################################
1914: # Raw RSA keys #
1915: ################################################################################
1916:
1917: MOON_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${MOON_KEY}`
1918: #
1919: SUN_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${SUN_KEY}`
1920: #
1921: for h in moon sun
1922: do
1923: TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
1924: sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
1925: -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
1926: ${TEST_DATA}.in > ${TEST_DATA}
1927: done
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to build-certs-chroot CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / testing / scripts