Annotation of embedaddon/strongswan/testing/scripts/build-certs-chroot, revision 1.1.1.2

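#!/bin/bash
#
# Build the CA hierarchy, host keys and certificates used by the strongSwan
# test scenarios.  Everything is written underneath the testing directory
# (derived from this script's location), so the script is location-aware but
# not cwd-aware.
#
# All key material generated here is test fixture data.  Files are created
# through shell redirection and therefore inherit the caller's umask.

# Abort on the first failing command.  Note that a pipeline only reports the
# status of its last command unless 'set -o pipefail' is added.
set -o errexit

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory: the parent of the directory holding this
# script.  Quoted throughout so a path containing spaces still resolves.
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity bounds in the "dd.mm.yy HH:MM:SS" form passed to pki --not-before
# and --not-after.  START lies two days in the past so freshly built
# certificates are already valid; SH_END is already in the past (presumably
# for expired-certificate scenarios).
START=$(date  -d "-2 day"    "+%d.%m.%y %T")
SH_END=$(date -d "-1 day"    "+%d.%m.%y %T")    #  1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")    # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")    #  9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")    #  8 years
# The same instants as compact "yymmddHHMMSSZ" strings (local time with a
# literal Z suffix, since date is not invoked with -u).
SH_EXP=$(date -d "-1 day"    "+%y%m%d%H%M%SZ")  #  1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ")  #  9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ")  #  8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
LEVELS_DIR="${CA_DIR}/levels"
LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
LEVELS_CDP="http://crl.strongswan.org/levels.crl"
LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
# Oversized RSA moduli used by the "monster" CA to stress certificate handling
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
# Default RSA modulus size for the Root CA, sub-CAs and host keys
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated word list; loops expand it unquoted on purpose
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"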
                    100: 
                    101: # Create directories
                    102: mkdir -p ${CA_DIR}/certs
                    103: mkdir -p ${CA_DIR}/keys
                    104: mkdir -p ${RESEARCH_DIR}/certs
                    105: mkdir -p ${RESEARCH_DIR}/keys
                    106: mkdir -p ${SALES_DIR}/certs
                    107: mkdir -p ${SALES_DIR}/keys
1.1.1.2 ! misho     108: mkdir -p ${LEVELS_DIR}/certs
1.1       misho     109: mkdir -p ${DUCK_DIR}/certs
                    110: mkdir -p ${ECDSA_DIR}/certs
                    111: mkdir -p ${RFC3779_DIR}/certs
                    112: mkdir -p ${SHA3_RSA_DIR}/certs
                    113: mkdir -p ${ED25519_DIR}/certs
                    114: mkdir -p ${MONSTER_DIR}/certs
                    115: mkdir -p ${BLISS_DIR}/certs
                    116: 
                    117: ################################################################################
                    118: # strongSwan Root CA                                                           #
                    119: ################################################################################
                    120: 
                    121: # Generate strongSwan Root CA
                    122: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
                    123: pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
                    124:     --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
                    125:     --outform pem > ${CA_CERT}
                    126: 
                    127: # Distribute strongSwan Root CA certificate
                    128: for h in ${HOSTS}
                    129: do
                    130:   HOST_DIR="${DIR}/hosts/${h}"
                    131:   mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
                    132:   mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
                    133:   cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
                    134:   cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
                    135: done
                    136: 
                    137: # Put a copy onto the alice FreeRADIUS server
                    138: mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
                    139: cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
                    140: 
                    141: # Convert strongSwan Root CA certificate into DER format
                    142: openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
                    143: 
                    144: # Generate a stale CRL
                    145: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
                    146:     --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
                    147: 
                    148: # Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
                    149: TEST="${TEST_DIR}/ikev2/crl-ldap"
                    150: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
                    151: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
                    152: cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
                    153: cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
                    154: 
                    155: # Generate host keys
                    156: for h in ${HOSTS}
                    157: do
                    158:   HOST_DIR="${DIR}/hosts/${h}"
                    159:   HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
                    160:   mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
                    161:   pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
                    162: 
                    163:   # Put a copy into swanctl directory tree
                    164:   mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
                    165:   cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
                    166: 
                    167:   # Convert host key into DER format
                    168:   openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
                    169:           2> /dev/null
                    170: done
                    171: 
                    172: # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
                    173: for t in host2host-initiator host2host-responder host2host-xfrmproxy \
1.1.1.2 ! misho     174:          multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
        !           175:          xfrmproxy-rekey
1.1       misho     176: do
                    177:   TEST="${TEST_DIR}/tkm/${t}"
                    178:   mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
                    179:   cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
                    180: done
                    181: 
                    182: # Put DER_encoded sun private key and Root CA certificate into tkm scenarios
                    183: TEST="${TEST_DIR}/tkm/multiple-clients"
                    184: mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
                    185: cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
                    186: 
                    187: # Convert moon private key into unencrypted PKCS#8 format
                    188: TEST="${TEST_DIR}/ikev2/rw-pkcs8"
                    189: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
                    190: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
                    191: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                    192: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
                    193: 
                    194: # Convert carol private key into v1.5 DES encrypted PKCS#8 format
                    195: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
                    196: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
                    197: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    198: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
                    199:               -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
                    200: 
                    201: # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
                    202: HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
                    203: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
                    204: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
                    205: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
                    206:               -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
                    207: 
                    208: ################################################################################
                    209: # Public Key Extraction                                                        #
                    210: ################################################################################
                    211: 
                    212: # Extract the raw moon public key for the swanctl/net2net-pubkey scenario
                    213: TEST="${TEST_DIR}/swanctl/net2net-pubkey"
                    214: TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
                    215: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
                    216: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    217: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
                    218: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
                    219: cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
                    220: 
                    221: # Put a copy into the  following ikev2 scenarios
                    222: for t in net2net-dnssec net2net-pubkey rw-dnssec
                    223: do
                    224:   TEST="${TEST_DIR}/ikev2/${t}"
                    225:   mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                    226:   cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                    227: done
                    228: 
                    229: # Put a copy into the ikev2/net2net-pubkey scenario
                    230: TEST="${TEST_DIR}/ikev2/net2net-pubkey"
                    231: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
                    232: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
                    233: 
                    234: # Put a copy into the swanctl/rw-dnssec scenario
                    235: TEST="${TEST_DIR}/swanctl/rw-dnssec"
                    236: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    237: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    238: 
                    239: # Put a copy into the following swanctl scenarios
                    240: for t in rw-pubkey-anon rw-pubkey-keyid
                    241: do
                    242:   TEST="${TEST_DIR}/swanctl/${t}"
                    243:   for h in moon carol dave
                    244:   do
                    245:     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
                    246:     cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
                    247:   done
                    248: done
                    249: 
                    250: # Extract the raw sun public key for the swanctl/net2net-pubkey scenario
                    251: TEST="${TEST_DIR}/swanctl/net2net-pubkey"
                    252: TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
                    253: HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
                    254: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
                    255: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    256: 
                    257: # Put a copy into the ikev2/net2net-dnssec scenario
                    258: TEST="${TEST_DIR}/ikev2/net2net-dnssec"
                    259: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
                    260: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
                    261: 
                    262: # Put a copy into the ikev2/net2net-pubkey scenario
                    263: TEST="${TEST_DIR}/ikev2/net2net-pubkey"
                    264: cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                    265: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
                    266: 
                    267: # Put a copy into the swanctl/rw-pubkey-anon scenario
                    268: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
                    269: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    270: 
                    271: # Extract the raw carol public key for the swanctl/rw-dnssec scenario
                    272: TEST="${TEST_DIR}/swanctl/rw-dnssec"
                    273: TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
                    274: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
                    275: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
                    276: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
                    277: 
                    278: # Put a copy into the swanctl/rw-pubkey-anon scenario
                    279: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
                    280: cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
                    281: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    282: 
                    283: # Put a copy into the swanctl/rw-pubkey-keyid scenario
                    284: TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
                    285: cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
                    286: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    287: 
                    288: # Extract the raw dave public key for the swanctl/rw-dnssec scenario
                    289: TEST="${TEST_DIR}/swanctl/rw-dnssec"
                    290: TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
                    291: HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
                    292: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
                    293: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
                    294: 
                    295: # Put a copy into the swanctl/rw-pubkey-anon scenario
                    296: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
                    297: cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
                    298: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    299: 
                    300: # Put a copy into the swanctl/rw-pubkey-keyid scenario
                    301: TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
                    302: cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
                    303: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
                    304: 
                    305: ################################################################################
                    306: # Host Certificate Generation                                                  #
                    307: ################################################################################
                    308: 
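# function issue_cert: serial host cn [ou]
#   $1  certificate serial number; also names the copy kept in ${CA_DIR}/certs
#   $2  host name; the key is read from hosts/<host>/${IPSEC_DIR}/private/<host>Key.pem
#   $3  common name, also used as the subjectAltName
#   $4  optional organizational unit added to the subject DN
# Issues an end-entity certificate from the Root CA (CDP = CA_CDP, validity
# START..EE_END) into the host's ipsec.d/certs and swanctl/x509 trees.
# Reads the globals DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT,
# CA_CDP, PROJECT, START and EE_END; sets the globals OU, HOST_DIR, HOST_KEY
# and HOST_CERT as a side effect.
issue_cert()
{
  # Optional OU: " OU=<ou>," when $4 is non-empty, otherwise empty.  The DN
  # template below already carries the comma that follows the organization.
  OU="${4:+ OU=${4},}"

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/certs"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509"
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}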
                    334: 
                    335: # Generate host certificates
                    336: issue_cert 01 carol carol@strongswan.org Research
                    337: issue_cert 02 dave dave@strongswan.org Accounting
                    338: issue_cert 03 moon moon.strongswan.org
                    339: issue_cert 04 sun sun.strongswan.org
                    340: issue_cert 05 alice alice@strongswan.org Sales
                    341: issue_cert 06 venus venus.strongswan.org
                    342: issue_cert 07 bob bob@strongswan.org Research
                    343: 
                    344: # Create PKCS#12 file for moon
                    345: TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
                    346: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
                    347: HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
                    348: MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
                    349: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                    350: openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
                    351:         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
                    352:         -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
                    353: 
                    354: # Create PKCS#12 file for sun
                    355: HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
                    356: HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
                    357: SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
                    358: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
                    359: openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
                    360:         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
                    361:         -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
                    362: 
                    363: # Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
                    364: for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
                    365: do
                    366:   TEST="${TEST_DIR}/${t}"
                    367:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
                    368:   mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
                    369:   cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
                    370:   cp ${SUN_PKCS12}  ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
                    371: done
                    372: 
                    373: ################################################################################
                    374: # DNSSEC Zone Files                                                            #
                    375: ################################################################################
                    376: 
                    377: # Store moon and sun certificates in strongswan.org zone
                    378: ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
                    379: echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
                    380: for h in moon sun
                    381: do
                    382:   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
                    383:   cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
                    384:   echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
                    385: done
                    386: 
                    387: # Store public keys in strongswan.org zone
                    388: echo ";" >> ${ZONE_FILE}
                    389: for h in moon sun carol dave
                    390: do
                    391:   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
                    392:   pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
                    393:   echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
                    394: done
                    395: 
                    396: # Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
                    397: TEST="${TEST_DIR}/swanctl/crl-to-cache"
                    398: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
                    399: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
                    400: CN="carol@strongswan.org"
                    401: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                    402: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
                    403:     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    404:     --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
                    405:     --outform pem > ${TEST_CERT}
                    406: 
                    407: # Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
                    408: TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
                    409: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
                    410: CN="moon.strongswan.org"
                    411: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                    412: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
                    413:     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    414:     --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
                    415:     --outform pem > ${TEST_CERT}
                    416: 
                    417: # Encrypt carolKey.pem
                    418: HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
                    419: KEY_PWD="nH5ZQEWtku0RJEZ6"
                    420: openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
                    421:         2> /dev/null
                    422: 
                    423: # Put a copy into the ikev2/dynamic-initiator scenario
                    424: for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
                    425: do
                    426:   TEST="${TEST_DIR}/${t}"
                    427:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
                    428:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
                    429:   cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
                    430:   cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
                    431: done
                    432: 
                    433: # Put a copy into the swanctl/rw-cert scenario
                    434: TEST="${TEST_DIR}/swanctl/rw-cert"
                    435: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
                    436: cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
                    437: 
                    438: # Generate another carol certificate and revoke it
                    439: TEST="${TEST_DIR}/ikev2/crl-revoked"
                    440: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
                    441: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
                    442: CN="carol@strongswan.org"
                    443: SERIAL="08"
                    444: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    445: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                    446: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    447: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    448:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    449:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
                    450:     --outform pem > ${TEST_CERT}
                    451: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    452: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
                    453:     --serial ${SERIAL} > ${CA_CRL}
                    454: cp ${CA_CRL} ${CA_LAST_CRL}
                    455: 
                    456: # Put a copy into the ikev2/ocsp-revoked scenario
                    457: TEST="${TEST_DIR}/ikev2/ocsp-revoked"
                    458: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    459: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                    460: cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    461: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                    462: 
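# Generate another carol certificate with serialNumber=002 in the subject DN
# (serial 09, fresh key) for the ikev2/two-certs scenario.  CN is set
# explicitly here rather than inherited from the previous section.
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
CN="carol@strongswan.org"
SERIAL="09"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"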
                    476: 
                    477: ################################################################################
                    478: # Research CA Certificate Generation                                           #
                    479: ################################################################################
                    480: 
                    481: # Generate a Research CA certificate signed by the Root CA and revoke it
                    482: TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
                    483: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
                    484: SERIAL="0A"
                    485: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
                    486: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
                    487: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    488:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
                    489:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
                    490:     --outform pem > ${TEST_CERT}
                    491: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    492: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
                    493:     --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
                    494: rm ${CA_LAST_CRL}
                    495: 
                    496: # Generate Research CA with the same private key as above signed by Root CA
                    497: SERIAL="0B"
                    498: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    499:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
                    500:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
                    501:     --outform pem > ${RESEARCH_CERT}
                    502: cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    503: 
                    504: # Put a certificate copy into the following scenarios
                    505: for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
                    506:          ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
                    507:          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
                    508: do
                    509:   TEST="${TEST_DIR}/${t}"
                    510:   mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                    511:   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                    512: done
                    513: 
                    514: for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
                    515:          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
                    516: do
                    517:   TEST="${TEST_DIR}/${t}"
                    518:   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
                    519:   cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
                    520: done
                    521: 
                    522: for t in multi-level-ca ocsp-multi-level
                    523: do
                    524:   TEST="${TEST_DIR}/swanctl/${t}"
                    525:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
                    526:   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
                    527: done
                    528: 
                    529: for t in rw-hash-and-url-multi-level
                    530: do
                    531:   TEST="${TEST_DIR}/swanctl/${t}"
                    532:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
                    533:   cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
                    534: done
                    535: 
                    536: # Convert Research CA certificate into DER format
                    537: openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
                    538: 
                    539: # Generate Research CA with the same private key as above but invalid CDP
                    540: TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
                    541: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
                    542: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                    543: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
                    544:     --crl "http://crl.strongswan.org/not-available.crl" \
                    545:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
                    546:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
                    547:     --outform pem > ${TEST_CERT}
                    548: 
                    549: ################################################################################
                    550: # Sales CA Certificate Generation                                              #
                    551: ################################################################################
                    552: 
                    553: # Generate Sales CA signed by Root CA
                    554: SERIAL="0C"
                    555: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
                    556: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    557:     --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
                    558:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
                    559:     --outform pem > ${SALES_CERT}
                    560: cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    561: 
                    562: # Put a certificate copy into the following scenarios
                    563: for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
                    564:          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
                    565:          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
                    566: do
                    567:   TEST="${TEST_DIR}/${t}"
                    568:   cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                    569: done
                    570: 
                    571: for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
                    572:          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
                    573: do
                    574:   TEST="${TEST_DIR}/${t}"
                    575:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
                    576:   cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
                    577: done
                    578: 
                    579: for t in multi-level-ca ocsp-multi-level
                    580: do
                    581:   TEST="${TEST_DIR}/swanctl/${t}"
                    582:   cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
                    583: done
                    584: 
                    585: for t in rw-hash-and-url-multi-level
                    586: do
                    587:   TEST="${TEST_DIR}/swanctl/${t}"
                    588:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
                    589:   cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
                    590: done
                    591: 
                    592: # Convert Sales CA certificate into DER format
                    593: openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
                    594: 
################################################################################
# Multi-level CA Certificate Generation                                        #
################################################################################

# Build a separate three-level hierarchy: Levels Root CA -> L2 CA -> L3 CA.
# The root is self-signed with pathlen 2 (higher than the regular Root CA) so
# that two subordinate CA levels below it validate.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${LEVELS_KEY}"
pki --self --type rsa --in "${LEVELS_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
    --outform pem > "${LEVELS_CERT}"

# Hex-encoded subjectPublicKey identifier of the Levels Root CA, kept for
# TKM's CA ID mapping (consumed later in this script).
LEVELS_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${LEVELS_KEY}")

# Levels L2 CA, signed by the Levels Root CA.  No --serial is given, so pki
# chooses one; the CDP variables come from the script's global definitions.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${LEVELS_L2_KEY}"
pki --issue --cakey "${LEVELS_KEY}" --cacert "${LEVELS_CERT}" --crl "${LEVELS_CDP}" \
    --type rsa --in "${LEVELS_L2_KEY}" \
    --not-before "${START}" --not-after "${IM_END}" \
    --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
    --outform pem > "${LEVELS_L2_CERT}"

# Levels L3 CA, signed by the Levels L2 CA.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${LEVELS_L3_KEY}"
pki --issue --cakey "${LEVELS_L2_KEY}" --cacert "${LEVELS_L2_CERT}" --crl "${LEVELS_L2_CDP}" \
    --type rsa --in "${LEVELS_L3_KEY}" \
    --not-before "${START}" --not-after "${IM_END}" \
    --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
    --outform pem > "${LEVELS_L3_CERT}"

# moon trusts only the Levels Root CA; carol additionally gets the L2 and L3
# CA certificates so it can present the full chain.
for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca" \
           "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
  cp "${LEVELS_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
  cp "${LEVELS_CERT}" "${LEVELS_L2_CERT}" "${LEVELS_L3_CERT}" \
     "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
done

# DER-encoded Levels Root CA certificate for the tkm scenario
TEST="${TEST_DIR}/tkm/multi-level-ca"
mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
openssl x509 -in "${LEVELS_CERT}" -outform der \
        -out "${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der"
        !           638: 
        !           639: ################################################################################
        !           640: 
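# encrypt_rsa_key CIPHER KEYFILE
#   Re-write the PEM private key KEYFILE as a passphrase-protected PEM using
#   the given openssl cipher option (e.g. -aes128).  The passphrase is read
#   from ${KEY_PWD}, which the prefix assignment exports to the openssl
#   process only, so it does not show up in argv.  The encrypted key is
#   written to a temporary file and moved into place, so the original key is
#   never opened for writing before the encrypted copy is complete.
#   openssl's "writing RSA key" status line on stderr is dropped; a failure
#   still aborts the script through errexit.
encrypt_rsa_key()
{
  local cipher="$1" keyfile="$2"
  KEY_PWD="${KEY_PWD}" openssl rsa -in "${keyfile}" "${cipher}" \
          -passout env:KEY_PWD -out "${keyfile}.tmp" 2> /dev/null
  mv -f "${keyfile}.tmp" "${keyfile}"
}

# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"
SERIAL="0D"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
    --type rsa --in "${TEST_KEY}" \
    --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
    --digest sha224 --outform pem > "${TEST_CERT}"
encrypt_rsa_key -aes128 "${TEST_KEY}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"
SERIAL="0E"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
    --type rsa --in "${TEST_KEY}" \
    --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
    --digest sha384 --outform pem > "${TEST_CERT}"
encrypt_rsa_key -aes192 "${TEST_KEY}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"
SERIAL="0F"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
    --type rsa --in "${TEST_KEY}" \
    --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
    --digest sha512 --outform pem > "${TEST_CERT}"
encrypt_rsa_key -aes256 "${TEST_KEY}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"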
                    692: 
                    693: # Generate another carol certificate with an OCSP URI
                    694: TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
                    695: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
                    696: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
                    697: CN="carol@strongswan.org"
                    698: SERIAL="10"
                    699: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    700: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                    701: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    702: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    703:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    704:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
                    705:     --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
                    706: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    707: 
                    708: # Put a copy into the ikev2/ocsp-timeouts-good scenario
                    709: TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
                    710: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    711: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                    712: cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    713: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                    714: 
                    715: # Put a copy into the swanctl/ocsp-signer-cert scenario
                    716: for t in ocsp-signer-cert ocsp-disabled
                    717: do
                    718:   cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
                    719:   mkdir -p rsa x509
                    720:   cp ${TEST_KEY} rsa
                    721:   cp ${TEST_CERT} x509
                    722: done
                    723: 
                    724: # Generate an OCSP Signing certificate for the strongSwan Root CA
                    725: TEST_KEY="${CA_DIR}/ocspKey.pem"
                    726: TEST_CERT="${CA_DIR}/ocspCert.pem"
                    727: CN="ocsp.strongswan.org"
                    728: OU="OCSP Signing Authority"
                    729: SERIAL="11"
                    730: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    731: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    732:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    733:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
                    734:     --flag ocspSigning --outform pem > ${TEST_CERT}
                    735: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    736: 
                    737: # Generate a self-signed OCSP Signing certificate
                    738: TEST_KEY="${CA_DIR}/ocspKey-self.pem"
                    739: TEST_CERT="${CA_DIR}/ocspCert-self.pem"
                    740: OU="OCSP Self-Signed Authority"
                    741: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    742: pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
                    743:     --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
                    744:     --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
                    745:     --outform pem > ${TEST_CERT}
                    746: 
                    747: # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
                    748: TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
                    749: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
                    750: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
                    751: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
                    752: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
                    753: 
                    754: # Generate mars virtual server certificate
                    755: TEST="${TEST_DIR}/ha/both-active"
                    756: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
                    757: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
                    758: CN="mars.strongswan.org"
                    759: OU="Virtual VPN Gateway"
                    760: SERIAL="12"
                    761: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                    762: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                    763: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    764: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    765:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    766:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
                    767:     --flag serverAuth --outform pem > ${TEST_CERT}
                    768: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    769: 
                    770: # Put a copy into the mirrored gateway
                    771: mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
                    772: mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
                    773: cp ${TEST_KEY}  ${TEST}/hosts/alice/${IPSEC_DIR}/private
                    774: cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
                    775: 
                    776: # Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
                    777: for t in "ha/active-passive" "ikev2/redirect-active"
                    778: do
                    779:   TEST="${TEST_DIR}/${t}"
                    780:   for h in alice moon
                    781:   do
                    782:     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
                    783:     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
                    784:     cp ${TEST_KEY}  ${TEST}/hosts/${h}/${IPSEC_DIR}/private
                    785:     cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
                    786:   done
                    787: done
                    788: 
                    789: # Generate moon certificate with an unsupported critical X.509 extension
                    790: TEST="${TEST_DIR}/ikev2/critical-extension"
                    791: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
                    792: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
                    793: CN="moon.strongswan.org"
                    794: SERIAL="13"
                    795: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                    796: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                    797: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    798: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    799:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    800:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
                    801:     --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
                    802:     --outform pem > ${TEST_CERT}
                    803: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    804: 
                    805: # Put a copy in the openssl-ikev2/critical extension scenario
                    806: TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
                    807: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
                    808: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                    809: cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
                    810: cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                    811: 
                    812: # Generate sun certificate with an unsupported critical X.509 extension
                    813: TEST="${TEST_DIR}/ikev2/critical-extension"
                    814: TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
                    815: TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
                    816: CN="sun.strongswan.org"
                    817: SERIAL="14"
                    818: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
                    819: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
                    820: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    821: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    822:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    823:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
                    824:     --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
                    825:     --outform pem > ${TEST_CERT}
                    826: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    827: 
                    828: # Put a copy in the openssl-ikev2/critical extension scenario
                    829: TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
                    830: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
                    831: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
                    832: cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
                    833: cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
                    834: 
                    835: # Generate winnetou server certificate
                    836: HOST_KEY="${CA_DIR}/winnetouKey.pem"
                    837: HOST_CERT="${CA_DIR}/winnetouCert.pem"
                    838: CN="winnetou.strongswan.org"
                    839: SERIAL="15"
                    840: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
                    841: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    842:     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    843:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
                    844:     --flag serverAuth --outform pem > ${HOST_CERT}
                    845: cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    846: 
                    847: # Generate AAA server certificate
                    848: TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
                    849: TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
                    850: TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
                    851: CN="aaa.strongswan.org"
                    852: SERIAL="16"
                    853: cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
                    854: mkdir -p rsa x509
                    855: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    856: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    857: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    858:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
                    859:     --flag serverAuth --outform pem > ${TEST_CERT}
                    860: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    861: 
                    862: # Put a copy into various tnc scenarios
                    863: for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
                    864: do
                    865:   cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
                    866:   mkdir -p rsa x509
                    867:   cp ${TEST_KEY}  rsa
                    868:   cp ${TEST_CERT} x509
                    869: done
                    870: 
                    871: # Put a copy into the alice FreeRADIUS server
                    872: cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
                    873: 
                    874: ################################################################################
                    875: # strongSwan Attribute Authority                                               #
                    876: ################################################################################
                    877: 
                    878: # Generate Attribute Authority certificate
                    879: TEST="${TEST_DIR}/ikev2/acert-cached"
                    880: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
                    881: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
                    882: CN="strongSwan Attribute Authority"
                    883: SERIAL="17"
                    884: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                    885: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
                    886: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
                    887: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    888: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
                    889:     --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
                    890:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
                    891:     --outform pem > ${TEST_CERT}
                    892: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
                    893: 
                    894: # Generate carol's attribute certificate for sales and finance
                    895: ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
                    896: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
                    897:     --in ${CA_DIR}/certs/01.pem --group sales --group finance \
                    898:     --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
                    899: 
                    900: # Generate dave's expired attribute certificate for sales
                    901: ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
                    902: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
                    903:     --in ${CA_DIR}/certs/02.pem --group sales \
                    904:     --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
                    905: 
                    906: # Generate dave's attribute certificate for marketing
                    907: ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
                    908: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
                    909:     --in ${CA_DIR}/certs/02.pem --group marketing \
                    910:     --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
                    911: 
# Put a copy of the AA key and certificate into the ikev2/acert-fallback scenario
TEST="${TEST_DIR}/ikev2/acert-fallback"
for d in private aacerts acerts
do
  mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/${d}"
done
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# Generate carol's expired attribute certificate for finance
# (validity START..SH_END, i.e. it has already expired at build time)
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# Generate carol's valid attribute certificate for sales
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"

# Put copies into the ikev2/acert-inline scenario
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/acerts" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}"  "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}"  "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"

# Generate a short-lived Attribute Authority certificate issued by the Root CA
# (validity START..SH_END, so the AA certificate itself has already expired)
CN="strongSwan Legacy AA"
SERIAL="18"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
# Register the AA certificate under its serial in the Root CA's certs/ store
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate dave's attribute certificate for sales, signed by the expired AA
# (the acert validity is START..EE_END; only its issuer has expired)
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"
                    962: 
                    963: ################################################################################
                    964: # strongSwan Root CA index for OCSP server                                     #
                    965: ################################################################################
                    966: 
                    967: # generate index.txt file for Root OCSP server
                    968: cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
                    969: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
                    970: sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
                    971: sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
                    972: sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
                    973: 
                    974: ################################################################################
                    975: # Research CA                                                                  #
                    976: ################################################################################
                    977: 
                    978: # Generate a carol research certificate
                    979: TEST="${TEST_DIR}/ikev2/multi-level-ca"
                    980: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
                    981: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
                    982: CN="carol@strongswan.org"
                    983: SERIAL="01"
                    984: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                    985: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                    986: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                    987: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
                    988:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                    989:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
                    990:     --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
                    991: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
                    992: 
                    993: # Save a copy of the private key in DER format
                    994: openssl rsa -in ${TEST_KEY} -outform der \
                    995:             -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
                    996: 
                    997: # Put a copy in the following scenarios
                    998: for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
                    999:          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
                   1000:          ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
                   1001:          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
                   1002:          ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
                   1003:          ikev1/multi-level-ca-cr-resp
                   1004: do
                   1005:   TEST="${TEST_DIR}/${t}"
                   1006:   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1007:   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1008:   cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1009:   cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1010: done
                   1011: 
                   1012: for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
                   1013: do
                   1014:   TEST="${TEST_DIR}/swanctl/${t}"
                   1015:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
                   1016:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1017:   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
                   1018:   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1019: done
                   1020: 
                   1021: # Generate a carol research certificate without a CDP
                   1022: TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
                   1023: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
                   1024: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1025: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1026: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
                   1027:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1028:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
                   1029:     --outform pem > ${TEST_CERT}
                   1030: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1031: 
                   1032: # Generate an OCSP Signing certificate for the Research CA
                   1033: TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
                   1034: TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
                   1035: OU="Research OCSP Signing Authority"
                   1036: CN="ocsp.research.strongswan.org"
                   1037: SERIAL="02"
                   1038: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1039: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
                   1040:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1041:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
                   1042:     --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
                   1043: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
                   1044: 
                   1045: # Generate a Sales CA certificate signed by the Research CA
                   1046: TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
                   1047: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
                   1048: SERIAL="03"
                   1049: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                   1050: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
                   1051:     --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
                   1052:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
                   1053:     --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
                   1054: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
                   1055: 
                   1056: ################################################################################
                    1057: # Duck Research CA                                                             #
                   1058: ################################################################################
                   1059: 
                   1060: # Generate a Duck Research CA certificate signed by the Research CA
                   1061: SERIAL="04"
                   1062: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
                   1063: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
                   1064:     --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
                   1065:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
                   1066:     --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
                   1067: cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
                   1068: 
                   1069: # Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
                   1070: TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
                   1071: cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                   1072: 
                   1073: # Generate a carol certificate signed by the Duck Research CA
                   1074: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
                   1075: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
                   1076: CN="carol@strongswan.org"
                   1077: SERIAL="01"
                   1078: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1079: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1080: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1081: pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
                   1082:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1083:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
                   1084:     --outform pem > ${TEST_CERT}
                   1085: cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
                   1086: 
                   1087: # Generate index.txt file for Research OCSP server
                   1088: cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
                   1089: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
                   1090: 
                   1091: ################################################################################
                   1092: # Sales CA                                                                     #
                   1093: ################################################################################
                   1094: 
                   1095: # Generate a dave sales certificate
                   1096: TEST="${TEST_DIR}/ikev2/multi-level-ca"
                   1097: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
                   1098: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
                   1099: CN="dave@strongswan.org"
                   1100: SERIAL="01"
                   1101: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
                   1102: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
                   1103: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1104: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
                   1105:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1106:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
                   1107:     --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
                   1108: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
                   1109: 
                   1110: # Save a copy of the private key in DER format
                   1111: openssl rsa -in ${TEST_KEY} -outform der \
                   1112:             -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
                   1113: 
                   1114: # Put a copy in the following scenarios
                   1115: for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
                   1116:          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
                   1117:          ikev2/ocsp-multi-level ikev1/multi-level-ca \
                   1118:          ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
                   1119: do
                   1120:   TEST="${TEST_DIR}/${t}"
                   1121:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
                   1122:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
                   1123:   cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
                   1124:   cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
                   1125: done
                   1126: 
                   1127: for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
                   1128: do
                   1129:   TEST="${TEST_DIR}/swanctl/${t}"
                   1130:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
                   1131:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1132:   cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
                   1133:   cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1134: done
                   1135: 
                   1136: # Generate a dave sales certificate with an inactive OCSP URI and no CDP
                   1137: TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
                   1138: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
                   1139: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
                   1140: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
                   1141: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
                   1142:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1143:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
                   1144:     --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
                   1145: cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
                   1146: 
                   1147: # Generate an OCSP Signing certificate for the Sales CA
                   1148: TEST_KEY="${SALES_DIR}/ocspKey.pem"
                   1149: TEST_CERT="${SALES_DIR}/ocspCert.pem"
                   1150: OU="Sales OCSP Signing Authority"
                   1151: CN="ocsp.sales.strongswan.org"
                   1152: SERIAL="02"
                   1153: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1154: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
                   1155:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1156:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
                   1157:     --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
                   1158: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
                   1159: 
                   1160: # Generate a Research CA certificate signed by the Sales CA
                   1161: TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
                   1162: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
                   1163: SERIAL="03"
                   1164: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                   1165: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
                   1166:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
                   1167:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
                   1168:     --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
                   1169: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
                   1170: 
                   1171: # generate index.txt file for Sales OCSP server
                   1172: cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
                   1173: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
                   1174: 
                   1175: ################################################################################
1.1.1.2 ! misho    1176: # Levels L3 CA                                                                 #
        !          1177: ################################################################################
        !          1178: 
        !          1179: # Generate a carol l3 certificate
        !          1180: TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
        !          1181: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
        !          1182: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
        !          1183: CN="carol@strongswan.org"
        !          1184: SERIAL="01"
        !          1185: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
        !          1186: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
        !          1187: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
        !          1188: pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
        !          1189:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
        !          1190:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
        !          1191:     --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
        !          1192: cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
        !          1193: 
        !          1194: for t in tkm/multi-level-ca
        !          1195: do
        !          1196:   TEST="${TEST_DIR}/${t}"
        !          1197:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
        !          1198:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
        !          1199:   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
        !          1200:   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
        !          1201: done
        !          1202: 
        !          1203: ################################################################################
1.1       misho    1204: # strongSwan EC Root CA                                                        #
                   1205: ################################################################################
                   1206: 
                   1207: # Generate strongSwan EC Root CA
                   1208: pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
                   1209: pki --self --type ecdsa --in ${ECDSA_KEY} \
                   1210:     --not-before "${START}" --not-after "${CA_END}" --ca \
                   1211:     --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
                   1212:     --outform pem > ${ECDSA_CERT}
                   1213: 
                   1214: # Put a copy in the openssl-ikev2/ecdsa-certs scenario
                   1215: for t in ecdsa-certs ecdsa-pkcs8
                   1216: do
                   1217:   TEST="${TEST_DIR}/openssl-ikev2/${t}"
                   1218:   for h in moon carol dave
                   1219:   do
                   1220:     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1221:     cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1222:   done
                   1223: done
                   1224: 
                   1225: # Generate a moon ECDSA 521 bit certificate
                   1226: TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
                   1227: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
                   1228: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
                   1229: CN="moon.strongswan.org"
                   1230: SERIAL="01"
                   1231: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
                   1232: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1233: pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
                   1234: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
                   1235:     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1236:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
                   1237:     --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
                   1238: cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
                   1239: 
                   1240: # Generate a carol ECDSA 256 bit certificate
                   1241: CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
                   1242: CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
                   1243: CN="carol@strongswan.org"
                   1244: SERIAL="02"
                   1245: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
                   1246: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1247: pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
                   1248: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
                   1249:     --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1250:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
                   1251:     --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
                   1252: cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
                   1253: 
                   1254: # Generate a dave ECDSA 384 bit certificate
                   1255: DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
                   1256: DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
                   1257: CN="dave@strongswan.org"
                   1258: SERIAL="03"
                   1259: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
                   1260: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1261: pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
                   1262: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
                   1263:     --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1264:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
                   1265:     --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
                   1266: cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
                   1267: 
                   1268: # Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
                   1269: TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
                   1270: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1271: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1272: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1273: cp ${MOON_CERT}  ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1274: cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1275: cp ${DAVE_CERT}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1276: 
                   1277: # Convert moon private key into unencrypted PKCS#8 format
                   1278: TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
                   1279: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
                   1280: openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
                   1281: 
                   1282: # Convert carol private key into v1.5 DES encrypted PKCS#8 format
                   1283: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
                   1284: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
                   1285: openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
                   1286:               -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
                   1287: 
                   1288: # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
                   1289: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
                   1290: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
                   1291: openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8  -v2 aes128 \
                   1292:               -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
                   1293: 
                   1294: # Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
                   1295: TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
                   1296: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
                   1297: mkdir -p ecdsa x509 x509ca
                   1298: cp ${MOON_KEY}   ecdsa
                   1299: cp ${MOON_CERT}  x509
                   1300: cp ${ECDSA_CERT} x509ca
                   1301: cd ${TEST}/hosts/carol/${SWANCTL_DIR}
                   1302: mkdir -p ecdsa x509 x509ca
                   1303: cp ${CAROL_KEY}  ecdsa
                   1304: cp ${CAROL_CERT} x509
                   1305: cp ${ECDSA_CERT} x509ca
                   1306: cd ${TEST}/hosts/dave/${SWANCTL_DIR}
                   1307: mkdir -p ecdsa x509 x509ca
                   1308: cp ${DAVE_KEY}   ecdsa
                   1309: cp ${DAVE_CERT}  x509
                   1310: cp ${ECDSA_CERT} x509ca
                   1311: 
                   1312: ################################################################################
                   1313: # strongSwan RFC3779 Root CA                                                   #
                   1314: ################################################################################
                   1315: 
                   1316: # Generate strongSwan RFC3779 Root CA
                   1317: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
                   1318: pki --self --type rsa --in ${RFC3779_KEY} \
                   1319:     --not-before "${START}" --not-after "${CA_END}" --ca \
                   1320:     --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
                   1321:     --addrblock "10.1.0.0-10.2.255.255" \
                   1322:     --addrblock "10.3.0.1-10.3.3.232" \
                   1323:     --addrblock "192.168.0.0/24" \
                   1324:     --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
                   1325:     --outform pem > ${RFC3779_CERT}
                   1326: 
                   1327: # Put a copy in the ikev2/net2net-rfc3779 scenario
                   1328: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
                   1329: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                   1330: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
                   1331: cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                   1332: cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
                   1333: 
                   1334: # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
                   1335: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
                   1336: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
                   1337: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
                   1338: cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
                   1339: cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
                   1340: 
                   1341: # Generate a moon RFC3779 certificate
                   1342: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
                   1343: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
                   1344: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
                   1345: CN="moon.strongswan.org"
                   1346: SERIAL="01"
                   1347: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                   1348: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                   1349: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1350: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
                   1351:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1352:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
                   1353:     --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
                   1354:     --addrblock "fec0::1/128" --addrblock "fec1::/16" \
                   1355:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
                   1356: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
                   1357: 
                   1358: # Put a copy in the ipv6 scenarios
                         # TEST_KEY/TEST_CERT still hold moon's RFC3779 key and certificate from the
                         # step above.  Each iteration cd's into the host directory and copies with
                         # relative paths; the cwd is left there afterwards, so everything that
                         # follows builds its paths from ${TEST_DIR} instead of relying on the cwd.
                   1359: for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
                   1360: do
                   1361:   cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
                   1362:   mkdir -p rsa x509 x509ca
                   1363:   cp ${TEST_KEY}  rsa
                   1364:   cp ${TEST_CERT} x509
                   1365:   cp ${RFC3779_CERT} x509ca
                   1366: done
                   1367: 
                   1368: # Generate a sun RFC3779 certificate
                         # ikev2/net2net-rfc3779 uses the ${IPSEC_DIR} layout (private/, certs/).
                         # The --addrblock options put sun's address ranges into the RFC 3779 IP
                         # address block extension; presumably the addrblock plugin checks the
                         # negotiated traffic selectors against them -- confirm in the scenario.
                   1369: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
                   1370: TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
                   1371: TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
                   1372: CN="sun.strongswan.org"
                   1373: SERIAL="02"
                   1374: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
                   1375: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
                         # NOTE(review): private keys are written through shell redirection, so the
                         # key file's mode follows the umask in effect; this script never chmods
                         # them.  Confirm the caller runs with a restrictive umask or fixes modes up.
                   1376: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                         # Serial numbers are assigned by hand per CA; a copy of every issued
                         # certificate is kept under the CA's certs/ directory, named by serial.
                   1377: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
                   1378:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1379:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
                   1380:     --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
                   1381:     --addrblock "fec0::2/128" --addrblock "fec2::/16" \
                   1382:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
                   1383: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
                   1384: 
                   1385: # Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
                   1386: cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
                   1387: mkdir -p rsa x509 x509ca
                   1388: cp ${TEST_KEY} rsa
                   1389: cp ${TEST_CERT} x509
                   1390: cp ${RFC3779_CERT} x509ca
                   1391: 
                   1392: # Generate a carol RFC3779 certificate
                         # carol (rw- scenario) only gets single-host address blocks (/32, /128).
                   1393: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
                   1394: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
                   1395: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
                   1396: CN="carol@strongswan.org"
                   1397: SERIAL="03"
                   1398: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
                   1399: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1400: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1401: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
                   1402:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1403:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
                   1404:     --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
                   1405:     --addrblock "fec0::10/128" \
                   1406:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
                   1407: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
                   1408: 
                   1409: # Generate a dave RFC3779 certificate
                         # Same rw-rfc3779-ikev2 scenario as carol (TEST is re-assigned to the same
                         # path); dave gets serial 04 under the RFC3779 CA and its own /32, /128 blocks.
                   1410: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
                   1411: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
                   1412: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
                   1413: CN="dave@strongswan.org"
                   1414: SERIAL="04"
                   1415: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
                   1416: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1417: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1418: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
                   1419:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1420:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
                   1421:     --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
                   1422:     --addrblock "fec0::20/128" \
                   1423:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
                   1424: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
                   1425: 
                   1426: ################################################################################
                   1427: # strongSwan SHA3-RSA Root CA                                                  #
                   1428: ################################################################################
                   1429: 
                   1430: # Use specific plugin configuration to issue certificates with SHA-3 signatures
                   1431: # as not all crypto plugins support them.  To avoid entropy issues use the
                   1432: # default plugins to generate the keys.
                         # The list is applied as a per-command environment prefix (PKI_PLUGINS=... \)
                         # so it only affects the pki --self / --issue call it is attached to; the
                         # pki --gen calls keep the default plugin set.
                   1433: SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
                   1434: 
                   1435: # Generate strongSwan SHA3-RSA Root CA
                         # Plain RSA key of ${RSA_SIZE} bits (set earlier in the script); only the
                         # signature hash differs from the other RSA CAs (--digest sha3_256).
                   1436: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
                   1437: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
                   1438: pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
                   1439:     --not-before "${START}" --not-after "${CA_END}" --ca \
                   1440:     --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
                   1441:     --outform pem > ${SHA3_RSA_CERT}
                   1442: 
                   1443: # Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
                         # TEST stays set to this scenario for the sun and moon certificates below.
                   1444: TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
                   1445: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
                   1446: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
                   1447: cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
                   1448: cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
                   1449: 
                   1450: # Generate a sun SHA3-RSA certificate
                         # SUN_KEY/SUN_CERT (and MOON_* below) are reused by the botan and
                         # rw-eap-tls copies that follow; later CA sections reassign them.
                   1451: SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
                   1452: SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
                   1453: CN="sun.strongswan.org"
                   1454: SERIAL="01"
                   1455: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
                   1456: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
                   1457: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
                   1458: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
                   1459: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
                   1460:     --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1461:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
                   1462:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
                   1463: cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
                   1464: 
                   1465: # Generate a moon SHA3-RSA certificate
                   1466: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
                   1467: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
                   1468: CN="moon.strongswan.org"
                   1469: SERIAL="02"
                   1470: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
                   1471: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1472: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
                   1473: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
                   1474: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
                   1475:     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1476:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
                   1477:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
                   1478: cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
                   1479: 
                   1480: # Put a copy in the botan/net2net-sha3-rsa-cert scenario
                         # Same key/cert pairs as above, presumably so the SHA-3 signatures are also
                         # verified with the botan backend.  cd + relative copies; cwd is left there.
                   1481: TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
                   1482: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
                   1483: mkdir -p rsa x509 x509ca
                   1484: cp ${MOON_KEY}      rsa
                   1485: cp ${MOON_CERT}     x509
                   1486: cp ${SHA3_RSA_CERT} x509ca
                   1487: cd ${TEST}/hosts/sun/${SWANCTL_DIR}
                   1488: mkdir -p rsa x509 x509ca
                   1489: cp ${SUN_KEY}       rsa
                   1490: cp ${SUN_CERT}      x509
                   1491: cp ${SHA3_RSA_CERT} x509ca
                   1492: 
                   1493: # Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
                         # TEST is left pointing at rw-eap-tls-sha3-rsa: the carol/dave certificates
                         # and the x509ca loop at the end of this section all land in this scenario.
                   1494: TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
                   1495: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
                   1496: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1497: cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
                   1498: cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1499: 
                   1500: # Generate a carol SHA3-RSA certificate
                   1501: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
                   1502: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
                   1503: CN="carol@strongswan.org"
                   1504: SERIAL="03"
                   1505: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
                   1506: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1507: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1508: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
                   1509: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
                   1510:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1511:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
                   1512:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
                   1513: cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
                   1514: 
                   1515: # Generate a dave SHA3-RSA certificate
                   1516: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
                   1517: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
                   1518: CN="dave@strongswan.org"
                   1519: SERIAL="04"
                   1520: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
                   1521: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1522: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
                   1523: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
                   1524: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
                   1525:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1526:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
                   1527:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
                   1528: cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
                   1529: 
                         # Trust anchor for every host of rw-eap-tls-sha3-rsa (sun is not part of it).
                   1530: for h in moon carol dave
                   1531: do
                   1532:   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1533:   cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1534: done
                   1535: 
                   1536: ################################################################################
                   1537: # strongSwan Ed25519 Root CA                                                   #
                   1538: ################################################################################
                   1539: 
                   1540: # Generate strongSwan Ed25519 Root CA
                         # No --size: Ed25519 keys have a fixed length.  The CA asserts two
                         # certificate-policy OIDs; each end-entity certificate below asserts exactly
                         # one of them plus an extended-key-usage flag (serverAuth for the gateways
                         # moon/sun, clientAuth for the clients carol/dave).  Presumably this is what
                         # the rw-ed25519-certpol scenario checks -- confirm against its config.
                   1541: pki --gen  --type ed25519 --outform pem > ${ED25519_KEY}
                   1542: pki --self --type ed25519 --in ${ED25519_KEY} \
                   1543:     --not-before "${START}" --not-after "${CA_END}" --ca \
                   1544:     --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
                   1545:     --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
                   1546:     --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
                   1547:     --outform pem > ${ED25519_CERT}
                   1548: 
                   1549: # Put a copy in the swanctl/net2net-ed25519 scenario
                         # TEST stays set to this scenario for the sun and moon certificates below.
                   1550: TEST="${TEST_DIR}/swanctl/net2net-ed25519"
                   1551: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
                   1552: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
                   1553: cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
                   1554: cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
                   1555: 
                   1556: # Generate a sun Ed25519 certificate
                         # Keys go into swanctl's pkcs8/ directory rather than rsa/.  SUN_*/MOON_*
                         # are reused by the botan, ikev2 and certpol copies further down.
                   1557: SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
                   1558: SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
                   1559: CN="sun.strongswan.org"
                   1560: SERIAL="01"
                   1561: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
                   1562: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
                   1563: pki --gen --type ed25519 --outform pem > ${SUN_KEY}
                   1564: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
                   1565:     --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1566:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
                   1567:     --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
                   1568:     --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
                   1569: cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
                   1570: 
                   1571: # Generate a moon Ed25519 certificate
                         # moon asserts policy ...1.1.1, sun policy ...1.1.2 (see --cert-policy).
                   1572: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
                   1573: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
                   1574: CN="moon.strongswan.org"
                   1575: SERIAL="02"
                   1576: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
                   1577: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1578: pki --gen --type ed25519 --outform pem > ${MOON_KEY}
                   1579: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
                   1580:     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1581:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
                   1582:     --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
                   1583:     --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
                   1584: cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
                   1585: 
                   1586: # Put a copy in the botan/net2net-ed25519 scenario
                         # cd + relative copies; the cwd is left in the last host directory.
                   1587: TEST="${TEST_DIR}/botan/net2net-ed25519"
                   1588: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
                   1589: mkdir -p pkcs8 x509 x509ca
                   1590: cp ${MOON_KEY}     pkcs8
                   1591: cp ${MOON_CERT}    x509
                   1592: cp ${ED25519_CERT} x509ca
                   1593: cd ${TEST}/hosts/sun/${SWANCTL_DIR}
                   1594: mkdir -p pkcs8 x509 x509ca
                   1595: cp ${SUN_KEY}      pkcs8
                   1596: cp ${SUN_CERT}     x509
                   1597: cp ${ED25519_CERT} x509ca
                   1598: 
                   1599: # Put a copy in the ikev2/net2net-ed25519 scenario
                         # ${IPSEC_DIR} layout here: private/, certs/, cacerts/ instead of the
                         # swanctl pkcs8/, x509/, x509ca/ directories.
                   1600: TEST="${TEST_DIR}/ikev2/net2net-ed25519"
                   1601: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
                   1602: cd ${TEST}/hosts/moon/${IPSEC_DIR}
                   1603: mkdir -p cacerts certs private
                   1604: cp ${MOON_KEY}     private
                   1605: cp ${MOON_CERT}    certs
                   1606: cp ${ED25519_CERT} cacerts
                   1607: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
                   1608: cd ${TEST}/hosts/sun/${IPSEC_DIR}
                   1609: mkdir -p cacerts certs private
                   1610: cp ${SUN_KEY}      private
                   1611: cp ${SUN_CERT}     certs
                   1612: cp ${ED25519_CERT} cacerts
                   1613: 
                   1614: # Put a copy in the swanctl/rw-ed25519-certpol scenario
                         # TEST remains set to this scenario for the x509ca loop and the carol/dave
                         # certificates that follow (implicit dependency on this assignment).
                   1615: TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
                   1616: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
                   1617: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1618: cp ${MOON_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
                   1619: cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1620: 
                   1621: for h in moon carol dave
                   1622: do
                   1623:   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1624:   cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1625: done
                   1626: 
                   1627: # Generate a carol Ed25519 certificate
                         # Clients carry --flag clientAuth; carol asserts policy ...1.1.1, dave ...1.1.2.
                   1628: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
                   1629: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
                   1630: CN="carol@strongswan.org"
                   1631: SERIAL="03"
                   1632: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
                   1633: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1634: pki --gen --type ed25519 --outform pem > ${TEST_KEY}
                   1635: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
                   1636:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1637:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
                   1638:     --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
                   1639:     --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
                   1640: cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
                   1641: 
                   1642: # Generate a dave Ed25519 certificate
                   1643: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
                   1644: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
                   1645: CN="dave@strongswan.org"
                   1646: SERIAL="04"
                   1647: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
                   1648: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1649: pki --gen --type ed25519 --outform pem > ${TEST_KEY}
                   1650: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
                   1651:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1652:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
                   1653:     --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
                   1654:     --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
                   1655: cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
                   1656: 
                   1657: ################################################################################
                   1658: # strongSwan Monster Root CA                                                   #
                   1659: ################################################################################
                   1660: 
                   1661: # Generate strongSwan Monster Root CA
                         # Validity is hard-coded (01.05.09 .. 01.05.59, i.e. 2009 .. 2059) instead of
                         # ${START}/${CA_END}: the ikev2/after-2038-certs scenario needs certificates
                         # whose notAfter lies beyond 2038-01-19, the end of the signed 32-bit time_t
                         # range.  Key sizes come from MONSTER_CA_RSA_SIZE / MONSTER_EE_RSA_SIZE,
                         # which are set earlier in the script.
                   1662: pki --gen  --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
                   1663: pki --self --type rsa --in ${MONSTER_KEY} \
                   1664:     --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
                   1665:     --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
                   1666:     --outform pem > ${MONSTER_CERT}
                   1667: 
                   1668: # Put a copy in the ikev2/after-2038-certs scenario
                         # TEST stays set to this scenario for the moon/carol certificates below.
                   1669: TEST="${TEST_DIR}/ikev2/after-2038-certs"
                   1670: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                   1671: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
                   1672: cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
                   1673: cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
                   1674: 
                   1675: # Generate a moon Monster certificate
                         # End-entity certificates expire 01.05.39 (2039), also past the 2038 limit.
                   1676: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
                   1677: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
                   1678: CN="moon.strongswan.org"
                   1679: SERIAL="01"
                   1680: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                   1681: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                   1682: pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
                         # NOTE(review): the bare "-" before the line continuation is passed to pki
                         # as a stray positional argument; no other --issue call in this script has
                         # it, so it looks like a typo.  Confirm pki ignores it, otherwise drop it.
                   1683: pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
                   1684:     --in ${TEST_KEY} --san ${CN} \
                   1685:     --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
                   1686:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
                   1687:     --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
                   1688: cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
                   1689: 
                   1690: # Generate a carol Monster certificate
                   1691: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
                   1692: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
                   1693: CN="carol@strongswan.org"
                   1694: SERIAL="02"
                   1695: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1696: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1697: pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
                         # NOTE(review): same stray "-" argument as in the moon certificate above.
                   1698: pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
                   1699:     --in ${TEST_KEY} --san ${CN} \
                   1700:     --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
                   1701:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
                   1702:     --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
                   1703: cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
                   1704: 
                   1705: ################################################################################
                   1706: # Bliss CA                                                                     #
                   1707: ################################################################################
                   1708: 
                   1709: # Generate BLISS Root CA with 192 bit security strength
                         # --size selects the BLISS parameter set: 1/3/4 = BLISS-I/III/IV, i.e. the
                         # 128/160/192-bit strengths named in this section's comments.  No --outform,
                         # so keys and certificates are written as DER (hence the .der paths below).
                         # NOTE(review): BLISS is an experimental lattice-based scheme provided by
                         # the optional bliss plugin -- confirm the build under test still ships it.
                   1710: pki --gen  --type bliss --size 4 > ${BLISS_KEY}
                   1711: pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
                   1712:     --not-before "${START}" --not-after "${CA_END}" --ca \
                   1713:     --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
                   1714: 
                   1715: # Put a copy in the following scenarios
                         # Each scenario exists twice: under ikev2/ (${IPSEC_DIR} cacerts/ layout)
                         # and under swanctl/ (x509ca/ layout); the CA cert goes to every host.
                   1716: for t in rw-newhope-bliss rw-ntru-bliss
                   1717: do
                   1718:   TEST="${TEST_DIR}/ikev2/${t}"
                   1719:   for h in moon carol dave
                   1720:   do
                   1721:     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
                   1722:     cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
                   1723:   done
                   1724: 
                   1725:   TEST="${TEST_DIR}/swanctl/${t}"
                   1726:   for h in moon carol dave
                   1727:   do
                   1728:     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1729:     cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
                   1730:   done
                   1731: done
                   1732: 
                   1733: # Generate a carol BLISS certificate with 128 bit security strength
                         # One key pair per host is generated in rw-newhope-bliss and then copied
                         # into rw-ntru-bliss and both swanctl scenarios (see the copies below).
                   1734: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
                   1735: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
                   1736: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
                   1737: CN="carol@strongswan.org"
                   1738: SERIAL="01"
                   1739: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1740: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1741: pki --gen --type bliss --size 1 > ${TEST_KEY}
                   1742: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
                   1743:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1744:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
                   1745:     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
                   1746: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
                   1747: 
                   1748: # Put a copy in the ikev2/rw-ntru-bliss scenario
                         # TEST_KEY/TEST_CERT still point at the rw-newhope-bliss files; the two
                         # scenarios share carol's key pair.
                   1749: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
                   1750: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1751: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1752: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
                   1753: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
                   1754: 
                   1755: # Put a copy in the swanctl scenarios
                         # swanctl keeps BLISS keys in a bliss/ directory (cf. rsa/, pkcs8/).
                   1756: for t in rw-newhope-bliss rw-ntru-bliss
                   1757: do
                   1758:   TEST="${TEST_DIR}/swanctl/${t}"
                   1759:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
                   1760:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1761:   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
                   1762:   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
                   1763: done
                   1764: 
                   1765: # Generate a dave BLISS certificate with 160 bit security strength
                   1766: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
                   1767: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
                   1768: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
                   1769: CN="dave@strongswan.org"
                   1770: SERIAL="02"
                   1771: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
                   1772: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
                   1773: pki --gen --type bliss --size 3 > ${TEST_KEY}
                   1774: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
                   1775:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1776:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
                   1777:     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
                   1778: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
                   1779: 
                   1780: # Put a copy in the ikev2/rw-ntru-bliss scenario
                         # Same sharing as for carol: dave's rw-newhope-bliss key pair is reused.
                   1781: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
                   1782: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
                   1783: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
                   1784: cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
                   1785: cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
                   1786: 
                   1787: # Put a copy in the swanctl scenarios
                   1788: for t in rw-newhope-bliss rw-ntru-bliss
                   1789: do
                   1790:   TEST="${TEST_DIR}/swanctl/${t}"
                   1791:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
                   1792:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
                   1793:   cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
                   1794:   cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
                   1795: done
                   1796: 
                   1797: # Generate a moon BLISS certificate with 192 bit security strength
                         # The gateway uses the same parameter set (--size 4) as the CA.
                   1798: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
                   1799: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
                   1800: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
                   1801: CN="moon.strongswan.org"
                   1802: SERIAL="03"
                   1803: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                   1804: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                   1805: pki --gen --type bliss --size 4 > ${TEST_KEY}
                   1806: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
                   1807:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
                   1808:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
                   1809:     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
                   1810: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
                   1811: 
                   1812: # Put a copy in the ikev2/rw-ntru-bliss scenario
                         # Same sharing as for carol and dave: moon's rw-newhope-bliss key pair is reused.
                   1813: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
                   1814: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
                   1815: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
                   1816: cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
                   1817: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
                   1818: 
                   1819: # Put a copy in the swanctl scenarios
                   1820: for t in rw-newhope-bliss rw-ntru-bliss
                   1821: do
                   1822:   TEST="${TEST_DIR}/swanctl/${t}"
                   1823:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
                   1824:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
                   1825:   cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
                   1826:   cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
                   1827: done
                   1828: 
                   1829: ################################################################################
                   1830: # SQL Data                                                                     #
                   1831: ################################################################################
                   1832: 
                   1833: CA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CA_KEY}`
                   1834: CA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${CA_KEY}`
                   1835: CA_CERT_HEX=`cat ${CA_CERT_DER} | hexdump -v -e '/1 "%02x"'`
                   1836: CA_CERT_PEM_HEX=`cat ${CA_CERT} | hexdump -v -e '/1 "%02x"'`
                   1837: #
                   1838: MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
                   1839: MOON_KEY="${CA_DIR}/keys/moonKey.der"
                   1840: MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
                   1841: MOON_KEY_PEM_HEX=`cat ${MOON_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
                   1842: MOON_KEY_HEX=`cat ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
                   1843: MOON_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY}`
                   1844: MOON_PUB_HEX=`pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
                   1845: MOON_CERT_HEX=`openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1846: MOON_CERT_PEM_HEX=`cat ${MOON_CERT} | hexdump -v -e '/1 "%02x"'`
                   1847: #
                   1848: SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
                   1849: SUN_KEY="${CA_DIR}/keys/sunKey.der"
                   1850: SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
                   1851: SUN_KEY_PEM_HEX=`cat ${SUN_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
                   1852: SUN_KEY_HEX=`cat ${SUN_KEY} | hexdump -v -e '/1 "%02x"'`
                   1853: SUN_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY}`
                   1854: SUN_CERT_HEX=`openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1855: SUN_CERT_PEM_HEX=`cat ${SUN_CERT} | hexdump -v -e '/1 "%02x"'`
                   1856: #
                   1857: CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
                   1858: CAROL_KEY="${CA_DIR}/keys/carolKey.der"
                   1859: CAROL_KEY_HEX=`cat ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
                   1860: CAROL_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY}`
                   1861: CAROL_PUB_HEX=`pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
                   1862: CAROL_CERT_HEX=`openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1863: #
                   1864: DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
                   1865: DAVE_KEY="${CA_DIR}/keys/daveKey.der"
                   1866: DAVE_KEY_HEX=`cat ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
                   1867: DAVE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY}`
                   1868: DAVE_PUB_HEX=`pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
                   1869: DAVE_CERT_HEX=`openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1870: #
                   1871: ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
                   1872: ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
                   1873: ALICE_KEY_HEX=`cat ${ALICE_KEY} | hexdump -v -e '/1 "%02x"'`
                   1874: ALICE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY}`
                   1875: ALICE_CERT_HEX=`openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1876: #
                   1877: VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
                   1878: VENUS_KEY="${CA_DIR}/keys/venusKey.der"
                   1879: VENUS_KEY_HEX=`cat ${VENUS_KEY} | hexdump -v -e '/1 "%02x"'`
                   1880: VENUS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY}`
                   1881: VENUS_CERT_HEX=`openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1882: #
                   1883: RESEARCH_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY}`
                   1884: RESEARCH_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY}`
                   1885: RESEARCH_CERT_HEX=`cat ${RESEARCH_CERT_DER} | hexdump -v -e '/1 "%02x"'`
                   1886: #
                   1887: CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
                   1888: CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
                   1889: CAROL_R_KEY_HEX=`cat ${CAROL_R_KEY} | hexdump -v -e '/1 "%02x"'`
                   1890: CAROL_R_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY}`
                   1891: CAROL_R_CERT_HEX=`openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1892: #
                   1893: SALES_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY}`
                   1894: SALES_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY}`
                   1895: SALES_CERT_HEX=`cat ${SALES_CERT_DER} | hexdump -v -e '/1 "%02x"'`
                   1896: #
                   1897: DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
                   1898: DAVE_S_KEY="${SALES_DIR}/keys/01.der"
                   1899: DAVE_S_KEY_HEX=`cat ${DAVE_S_KEY} | hexdump -v -e '/1 "%02x"'`
                   1900: DAVE_S_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY}`
                   1901: DAVE_S_CERT_HEX=`openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
                   1902: #
                   1903: for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
                   1904:          ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
                   1905:          rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
                   1906: do
                   1907:   for h in carol dave moon
                   1908:   do
                   1909:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
                   1910:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
                   1911:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
                   1912:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
                   1913:         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
                   1914:         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
                   1915:         -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
                   1916:         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
                   1917:         -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
                   1918:         -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
                   1919:         -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
                   1920:         -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
                   1921:         -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
                   1922:         -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
                   1923:         -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
                   1924:         -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
                   1925:         -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
                   1926:         -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
                   1927:         -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
                   1928:         -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
                   1929:         -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
                   1930:         -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
                   1931:         -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
                   1932:         -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
                   1933:         -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
                   1934:         -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
                   1935:         -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
                   1936:         -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
                   1937:         ${TEST_DATA}.in > ${TEST_DATA}
                   1938:   done
                   1939: done
                   1940: #
                   1941: for t in rw-eap-aka-rsa
                   1942: do
                   1943:   for h in carol moon
                   1944:   do
                   1945:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
                   1946:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
                   1947:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
                   1948:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
                   1949:         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
                   1950:         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
                   1951:         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
                   1952:         ${TEST_DATA}.in > ${TEST_DATA}
                   1953:   done
                   1954: done
                   1955: #
                   1956: for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
                   1957: do
                   1958:   for h in moon sun
                   1959:   do
                   1960:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
                   1961:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
                   1962:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
                   1963:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
                   1964:         -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
                   1965:         -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
                   1966:         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
                   1967:         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
                   1968:         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
                   1969:         -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
                   1970:         -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
                   1971:         -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
                   1972:         -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
                   1973:         -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
                   1974:         -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
                   1975:                ${TEST_DATA}.in > ${TEST_DATA}
                   1976:   done
                   1977: done
                   1978: #
                   1979: for t in shunt-policies-nat-rw
                   1980: do
                   1981:   for h in alice venus sun
                   1982:   do
                   1983:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
                   1984:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
                   1985:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
                   1986:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
                   1987:         -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
                   1988:         -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
                   1989:         -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
                   1990:         -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
                   1991:         -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
                   1992:         -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
                   1993:         -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
                   1994:         -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
                   1995:         -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
                   1996:         ${TEST_DATA}.in > ${TEST_DATA}
                   1997:   done
                   1998: done
                   1999: 
                   2000: ################################################################################
                   2001: # Raw RSA keys                                                                 #
                   2002: ################################################################################
                   2003: 
                   2004: MOON_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${MOON_KEY}`
                   2005: #
                   2006: SUN_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${SUN_KEY}`
                   2007: #
                   2008: for h in moon sun
                   2009: do
                   2010:   TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
                   2011:   sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
                   2012:       -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
                   2013:       ${TEST_DATA}.in > ${TEST_DATA}
                   2014: done
1.1.1.2 ! misho    2015: 
        !          2016: ################################################################################
        !          2017: # TKM CA ID mapping                                                            #
        !          2018: ################################################################################
        !          2019: 
        !          2020: for t in host2host-initiator host2host-responder host2host-xfrmproxy \
        !          2021:          multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
        !          2022:          xfrmproxy-rekey
        !          2023: do
        !          2024:   for h in moon
        !          2025:   do
        !          2026:     TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
        !          2027:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        !          2028:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        !          2029:         -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \
        !          2030:         ${TEST_DATA}.in > ${TEST_DATA}
        !          2031:   done
        !          2032: done
        !          2033: 
        !          2034: for t in multiple-clients
        !          2035: do
        !          2036:   for h in sun
        !          2037:   do
        !          2038:     TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
        !          2039:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        !          2040:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        !          2041:         ${TEST_DATA}.in > ${TEST_DATA}
        !          2042:   done
        !          2043: done
