strongswan 5.9.2

    1: #!/bin/bash
    2: 
    3: set -o errexit
    4: 
    5: echo "Building certificates"
    6: 
    7: # Disable leak detective when using pki as it produces warnings in tzset
    8: export LEAK_DETECTIVE_DISABLE=1
    9: 
   10: # Determine testing directory
   11: DIR="$(dirname `readlink -f $0`)/.."
   12: 
   13: # Define some global variables
   14: PROJECT="strongSwan Project"
   15: CA_DIR="${DIR}/hosts/winnetou/etc/ca"
   16: CA_KEY="${CA_DIR}/strongswanKey.pem"
   17: CA_CERT="${CA_DIR}/strongswanCert.pem"
   18: CA_CERT_DER="${CA_DIR}/strongswanCert.der"
   19: CA_CRL="${CA_DIR}/strongswan.crl"
   20: CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
   21: CA_CDP="http://crl.strongswan.org/strongswan.crl"
   22: CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
   23: CA_OCSP="http://ocsp.strongswan.org:8880"
   24: #
   25: START=`date  -d "-2 day"    "+%d.%m.%y %T"`
   26: SH_END=`date -d "-1 day"    "+%d.%m.%y %T"`    #  1 day
   27: CA_END=`date -d "+3651 day" "+%d.%m.%y %T"`    # 10 years
   28: IM_END=`date -d "+3286 day" "+%d.%m.%y %T"`    #  9 years
   29: EE_END=`date -d "+2920 day" "+%d.%m.%y %T"`    #  8 years
   30: SH_EXP=`date -d "-1 day"    "+%y%m%d%H%M%SZ"`  #  1 day
   31: IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"`  #  9 years
   32: EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"`  #  8 years
   33: NOW=`date "+%y%m%d%H%M%SZ"`
   34: #
   35: RESEARCH_DIR="${CA_DIR}/research"
   36: RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
   37: RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
   38: RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
   39: RESEARCH_CDP="http://crl.strongswan.org/research.crl"
   40: #
   41: SALES_DIR="${CA_DIR}/sales"
   42: SALES_KEY="${SALES_DIR}/salesKey.pem"
   43: SALES_CERT="${SALES_DIR}/salesCert.pem"
   44: SALES_CERT_DER="${SALES_DIR}/salesCert.der"
   45: SALES_CDP="http://crl.strongswan.org/sales.crl"
   46: #
   47: LEVELS_DIR="${CA_DIR}/levels"
   48: LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
   49: LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
   50: LEVELS_CDP="http://crl.strongswan.org/levels.crl"
   51: LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
   52: LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
   53: LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
   54: LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
   55: LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
   56: LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"
   57: #
   58: DUCK_DIR="${CA_DIR}/duck"
   59: DUCK_KEY="${DUCK_DIR}/duckKey.pem"
   60: DUCK_CERT="${DUCK_DIR}/duckCert.pem"
   61: #
   62: ECDSA_DIR="${CA_DIR}/ecdsa"
   63: ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
   64: ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
   65: ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
   66: #
   67: RFC3779_DIR="${CA_DIR}/rfc3779"
   68: RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
   69: RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
   70: RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
   71: #
   72: SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
   73: SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
   74: SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
   75: SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
   76: #
   77: ED25519_DIR="${CA_DIR}/ed25519"
   78: ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
   79: ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
   80: ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
   81: #
   82: MONSTER_DIR="${CA_DIR}/monster"
   83: MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
   84: MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
   85: MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
   86: MONSTER_CA_RSA_SIZE="8192"
   87: MONSTER_EE_RSA_SIZE="4096"
   88: #
   89: BLISS_DIR="${CA_DIR}/bliss"
   90: BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
   91: BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
   92: BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
   93: #
   94: RSA_SIZE="3072"
   95: IPSEC_DIR="etc/ipsec.d"
   96: SWANCTL_DIR="etc/swanctl"
   97: TKM_DIR="etc/tkm"
   98: HOSTS="carol dave moon sun alice venus bob"
   99: TEST_DIR="${DIR}/tests"
  100: 
  101: # Create directories
  102: mkdir -p ${CA_DIR}/certs
  103: mkdir -p ${CA_DIR}/keys
  104: mkdir -p ${RESEARCH_DIR}/certs
  105: mkdir -p ${RESEARCH_DIR}/keys
  106: mkdir -p ${SALES_DIR}/certs
  107: mkdir -p ${SALES_DIR}/keys
  108: mkdir -p ${LEVELS_DIR}/certs
  109: mkdir -p ${DUCK_DIR}/certs
  110: mkdir -p ${ECDSA_DIR}/certs
  111: mkdir -p ${RFC3779_DIR}/certs
  112: mkdir -p ${SHA3_RSA_DIR}/certs
  113: mkdir -p ${ED25519_DIR}/certs
  114: mkdir -p ${MONSTER_DIR}/certs
  115: mkdir -p ${BLISS_DIR}/certs
  116: 
  117: ################################################################################
  118: # strongSwan Root CA                                                           #
  119: ################################################################################
  120: 
  121: # Generate strongSwan Root CA
  122: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
  123: pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
  124:     --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
  125:     --outform pem > ${CA_CERT}
  126: 
  127: # Distribute strongSwan Root CA certificate
  128: for h in ${HOSTS}
  129: do
  130:   HOST_DIR="${DIR}/hosts/${h}"
  131:   mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
  132:   mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
  133:   cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
  134:   cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
  135: done
  136: 
  137: # Put a copy onto the alice FreeRADIUS server
  138: mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
  139: cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
  140: 
  141: # Convert strongSwan Root CA certificate into DER format
  142: openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
  143: 
  144: # Generate a stale CRL
  145: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
  146:     --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
  147: 
  148: # Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
  149: TEST="${TEST_DIR}/ikev2/crl-ldap"
  150: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
  151: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
  152: cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
  153: cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
  154: 
  155: # Generate host keys
  156: for h in ${HOSTS}
  157: do
  158:   HOST_DIR="${DIR}/hosts/${h}"
  159:   HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  160:   mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
  161:   pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
  162: 
  163:   # Put a copy into swanctl directory tree
  164:   mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
  165:   cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
  166: 
  167:   # Convert host key into DER format
  168:   openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
  169:           2> /dev/null
  170: done
  171: 
  172: # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
  173: for t in host2host-initiator host2host-responder host2host-xfrmproxy \
  174:          multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
  175:          xfrmproxy-rekey
  176: do
  177:   TEST="${TEST_DIR}/tkm/${t}"
  178:   mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
  179:   cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
  180: done
  181: 
  182: # Put DER_encoded sun private key and Root CA certificate into tkm scenarios
  183: TEST="${TEST_DIR}/tkm/multiple-clients"
  184: mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
  185: cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
  186: 
  187: # Convert moon private key into unencrypted PKCS#8 format
  188: TEST="${TEST_DIR}/ikev2/rw-pkcs8"
  189: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  190: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
  191: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  192: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
  193: 
  194: # Convert carol private key into v1.5 DES encrypted PKCS#8 format
  195: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
  196: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
  197: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  198: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
  199:               -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
  200: 
  201: # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
  202: HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
  203: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
  204: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
  205: openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
  206:               -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
  207: 
  208: ################################################################################
  209: # Public Key Extraction                                                        #
  210: ################################################################################
  211: 
  212: # Extract the raw moon public key for the swanctl/net2net-pubkey scenario
  213: TEST="${TEST_DIR}/swanctl/net2net-pubkey"
  214: TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
  215: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  216: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  217: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
  218: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
  219: cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
  220: 
  221: # Put a copy into the  following ikev2 scenarios
  222: for t in net2net-dnssec net2net-pubkey rw-dnssec
  223: do
  224:   TEST="${TEST_DIR}/ikev2/${t}"
  225:   mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
  226:   cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
  227: done
  228: 
  229: # Put a copy into the ikev2/net2net-pubkey scenario
  230: TEST="${TEST_DIR}/ikev2/net2net-pubkey"
  231: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
  232: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
  233: 
  234: # Put a copy into the swanctl/rw-dnssec scenario
  235: TEST="${TEST_DIR}/swanctl/rw-dnssec"
  236: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  237: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  238: 
  239: # Put a copy into the following swanctl scenarios
  240: for t in rw-pubkey-anon rw-pubkey-keyid
  241: do
  242:   TEST="${TEST_DIR}/swanctl/${t}"
  243:   for h in moon carol dave
  244:   do
  245:     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
  246:     cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
  247:   done
  248: done
  249: 
  250: # Extract the raw sun public key for the swanctl/net2net-pubkey scenario
  251: TEST="${TEST_DIR}/swanctl/net2net-pubkey"
  252: TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
  253: HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
  254: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
  255: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  256: 
  257: # Put a copy into the ikev2/net2net-dnssec scenario
  258: TEST="${TEST_DIR}/ikev2/net2net-dnssec"
  259: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
  260: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
  261: 
  262: # Put a copy into the ikev2/net2net-pubkey scenario
  263: TEST="${TEST_DIR}/ikev2/net2net-pubkey"
  264: cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
  265: cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
  266: 
  267: # Put a copy into the swanctl/rw-pubkey-anon scenario
  268: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
  269: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  270: 
  271: # Extract the raw carol public key for the swanctl/rw-dnssec scenario
  272: TEST="${TEST_DIR}/swanctl/rw-dnssec"
  273: TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
  274: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
  275: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
  276: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
  277: 
  278: # Put a copy into the swanctl/rw-pubkey-anon scenario
  279: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
  280: cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
  281: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  282: 
  283: # Put a copy into the swanctl/rw-pubkey-keyid scenario
  284: TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
  285: cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
  286: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  287: 
  288: # Extract the raw dave public key for the swanctl/rw-dnssec scenario
  289: TEST="${TEST_DIR}/swanctl/rw-dnssec"
  290: TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
  291: HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
  292: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
  293: pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
  294: 
  295: # Put a copy into the swanctl/rw-pubkey-anon scenario
  296: TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
  297: cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
  298: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  299: 
  300: # Put a copy into the swanctl/rw-pubkey-keyid scenario
  301: TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
  302: cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
  303: cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  304: 
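################################################################################
# Host Certificate Generation                                                  #
################################################################################

# function issue_cert: serial host cn [ou]
#
# Issue an end-entity certificate for host ${2} with serial ${1}, signed by the
# Root CA, with CN and subjectAltName both set to ${3} and an optional OU ${4}.
# Uses the host key generated earlier under ${IPSEC_DIR}/private, writes the
# certificate to the host's ${IPSEC_DIR}/certs, keeps a copy as
# ${CA_DIR}/certs/<serial>.pem and mirrors it into the host's swanctl/x509.
# HOST_DIR, HOST_KEY and HOST_CERT are left as globals like the rest of the
# script uses them; the OU fragment is local to the function.
issue_cert()
{
  local OU

  # does optional OU argument exist?  The leading space and trailing comma
  # keep the --dn below well-formed whether or not an OU is inserted.
  if [ -z "${4:-}" ]
  then
    OU=""
  else
    OU=" OU=${4},"
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/certs"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509"
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}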
  334: 
  335: # Generate host certificates
  336: issue_cert 01 carol carol@strongswan.org Research
  337: issue_cert 02 dave dave@strongswan.org Accounting
  338: issue_cert 03 moon moon.strongswan.org
  339: issue_cert 04 sun sun.strongswan.org
  340: issue_cert 05 alice alice@strongswan.org Sales
  341: issue_cert 06 venus venus.strongswan.org
  342: issue_cert 07 bob bob@strongswan.org Research
  343: 
  344: # Create PKCS#12 file for moon
  345: TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
  346: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  347: HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
  348: MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
  349: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  350: openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
  351:         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
  352:         -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
  353: 
  354: # Create PKCS#12 file for sun
  355: HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
  356: HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
  357: SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
  358: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
  359: openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
  360:         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
  361:         -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
  362: 
  363: # Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
  364: for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
  365: do
  366:   TEST="${TEST_DIR}/${t}"
  367:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
  368:   mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
  369:   cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
  370:   cp ${SUN_PKCS12}  ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
  371: done
  372: 
  373: ################################################################################
  374: # DNSSEC Zone Files                                                            #
  375: ################################################################################
  376: 
  377: # Store moon and sun certificates in strongswan.org zone
  378: ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
  379: echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
  380: for h in moon sun
  381: do
  382:   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
  383:   cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
  384:   echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
  385: done
  386: 
  387: # Store public keys in strongswan.org zone
  388: echo ";" >> ${ZONE_FILE}
  389: for h in moon sun carol dave
  390: do
  391:   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
  392:   pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  393:   echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
  394: done
  395: 
  396: # Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
  397: TEST="${TEST_DIR}/swanctl/crl-to-cache"
  398: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
  399: HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
  400: CN="carol@strongswan.org"
  401: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
  402: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
  403:     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  404:     --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
  405:     --outform pem > ${TEST_CERT}
  406: 
  407: # Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
  408: TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
  409: HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  410: CN="moon.strongswan.org"
  411: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  412: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
  413:     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  414:     --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  415:     --outform pem > ${TEST_CERT}
  416: 
  417: # Encrypt carolKey.pem
  418: HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
  419: KEY_PWD="nH5ZQEWtku0RJEZ6"
  420: openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
  421:         2> /dev/null
  422: 
  423: # Put a copy into the ikev2/dynamic-initiator scenario
  424: for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
  425: do
  426:   TEST="${TEST_DIR}/${t}"
  427:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
  428:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
  429:   cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
  430:   cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
  431: done
  432: 
  433: # Put a copy into the swanctl/rw-cert scenario
  434: TEST="${TEST_DIR}/swanctl/rw-cert"
  435: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
  436: cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
  437: 
  438: # Generate another carol certificate and revoke it
  439: TEST="${TEST_DIR}/ikev2/crl-revoked"
  440: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
  441: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
  442: CN="carol@strongswan.org"
  443: SERIAL="08"
  444: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  445: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  446: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  447: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  448:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  449:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
  450:     --outform pem > ${TEST_CERT}
  451: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  452: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
  453:     --serial ${SERIAL} > ${CA_CRL}
  454: cp ${CA_CRL} ${CA_LAST_CRL}
  455: 
  456: # Put a copy into the ikev2/ocsp-revoked scenario
  457: TEST="${TEST_DIR}/ikev2/ocsp-revoked"
  458: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  459: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  460: cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
  461: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  462: 
  463: # Generate another carol certificate with serialNumber=002
  464: TEST="${TEST_DIR}/ikev2/two-certs"
  465: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
  466: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
  467: SERIAL="09"
  468: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  469: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  470: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  471: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  472:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  473:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
  474:     --outform pem > ${TEST_CERT}
  475: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  476: 
  477: ################################################################################
  478: # Research CA Certificate Generation                                           #
  479: ################################################################################
  480: 
  481: # Generate a Research CA certificate signed by the Root CA and revoke it
  482: TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
  483: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
  484: SERIAL="0A"
  485: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
  486: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
  487: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  488:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
  489:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
  490:     --outform pem > ${TEST_CERT}
  491: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  492: pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
  493:     --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
  494: rm ${CA_LAST_CRL}
  495: 
  496: # Generate Research CA with the same private key as above signed by Root CA
  497: SERIAL="0B"
  498: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  499:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
  500:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
  501:     --outform pem > ${RESEARCH_CERT}
  502: cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  503: 
  504: # Put a certificate copy into the following scenarios
  505: for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
  506:          ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
  507:          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
  508: do
  509:   TEST="${TEST_DIR}/${t}"
  510:   mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
  511:   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
  512: done
  513: 
  514: for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
  515:          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
  516: do
  517:   TEST="${TEST_DIR}/${t}"
  518:   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
  519:   cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
  520: done
  521: 
  522: for t in multi-level-ca ocsp-multi-level
  523: do
  524:   TEST="${TEST_DIR}/swanctl/${t}"
  525:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  526:   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  527: done
  528: 
  529: for t in rw-hash-and-url-multi-level
  530: do
  531:   TEST="${TEST_DIR}/swanctl/${t}"
  532:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
  533:   cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
  534: done
  535: 
  536: # Convert Research CA certificate into DER format
  537: openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
  538: 
  539: # Generate Research CA with the same private key as above but invalid CDP
  540: TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
  541: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
  542: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
  543: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
  544:     --crl "http://crl.strongswan.org/not-available.crl" \
  545:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
  546:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
  547:     --outform pem > ${TEST_CERT}
  548: 
  549: ################################################################################
  550: # Sales CA Certificate Generation                                              #
  551: ################################################################################
  552: 
  553: # Generate Sales CA signed by Root CA
  554: SERIAL="0C"
  555: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
  556: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  557:     --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
  558:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
  559:     --outform pem > ${SALES_CERT}
  560: cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  561: 
  562: # Put a certificate copy into the following scenarios
  563: for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
  564:          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
  565:          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
  566: do
  567:   TEST="${TEST_DIR}/${t}"
  568:   cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
  569: done
  570: 
  571: for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
  572:          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
  573: do
  574:   TEST="${TEST_DIR}/${t}"
  575:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
  576:   cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
  577: done
  578: 
  579: for t in multi-level-ca ocsp-multi-level
  580: do
  581:   TEST="${TEST_DIR}/swanctl/${t}"
  582:   cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  583: done
  584: 
  585: for t in rw-hash-and-url-multi-level
  586: do
  587:   TEST="${TEST_DIR}/swanctl/${t}"
  588:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
  589:   cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
  590: done
  591: 
  592: # Convert Sales CA certificate into DER format
  593: openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
  594: 
  595: ################################################################################
  596: # Multi-level CA Certificate Generation                                        #
  597: ################################################################################
  598: 
  599: # Generate Levels Root CA (pathlen is higher than the regular root)
  600: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY}
  601: pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \
  602:     --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
  603:     --outform pem > ${LEVELS_CERT}
  604: 
  605: # For TKM's CA ID mapping
  606: LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}`
  607: 
  608: # Generate Levels L2 CA signed by Levels Root CA
  609: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY}
  610: pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \
  611:     --type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \
  612:     --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
  613:     --outform pem > ${LEVELS_L2_CERT}
  614: 
  615: # Generate Levels L3 CA signed by Levels L2 CA
  616: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY}
  617: pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \
  618:     --type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \
  619:     --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
  620:     --outform pem > ${LEVELS_L3_CERT}
  621: 
  622: for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
  623: do
  624:   TEST="${TEST_DIR}/${t}"
  625:   for h in moon carol
  626:   do
  627:     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
  628:     cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
  629:   done
  630:   cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
  631:   cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
  632: done
  633: 
  634: # Put DER-encoded Levels CA certificate into tkm scenario
  635: TEST="${TEST_DIR}/tkm/multi-level-ca"
  636: mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
  637: openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der
  638: 
  639: ################################################################################
  640: 
  641: # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
  642: TEST="${TEST_DIR}/ikev2/strong-keys-certs"
  643: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
  644: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
  645: KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
  646: CN="moon.strongswan.org"
  647: SERIAL="0D"
  648: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  649: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
  650: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  651: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  652:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  653:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
  654:     --digest sha224 --outform pem > ${TEST_CERT}
  655: openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
  656:         2> /dev/null
  657: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  658: 
  659: # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
  660: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
  661: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
  662: KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
  663: CN="carol@strongswan.org"
  664: SERIAL="0E"
  665: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  666: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  667: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  668: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  669:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  670:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
  671:     --digest sha384 --outform pem > ${TEST_CERT}
  672: openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
  673:         2> /dev/null
  674: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  675: 
  676: # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
  677: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
  678: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
  679: KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
  680: CN="dave@strongswan.org"
  681: SERIAL="0F"
  682: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
  683: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
  684: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  685: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  686:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  687:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
  688:     --digest sha512 --outform pem > ${TEST_CERT}
  689: openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
  690:         2> /dev/null
  691: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  692: 
  693: # Generate another carol certificate with an OCSP URI
  694: TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
  695: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
  696: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
  697: CN="carol@strongswan.org"
  698: SERIAL="10"
  699: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  700: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  701: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  702: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  703:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  704:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
  705:     --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
  706: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  707: 
  708: # Put a copy into the ikev2/ocsp-timeouts-good scenario
  709: TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
  710: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  711: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  712: cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
  713: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  714: 
  715: # Put a copy into the swanctl/ocsp-signer-cert scenario
  716: for t in ocsp-signer-cert ocsp-disabled
  717: do
  718:   cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
  719:   mkdir -p rsa x509
  720:   cp ${TEST_KEY} rsa
  721:   cp ${TEST_CERT} x509
  722: done
  723: 
  724: # Generate an OCSP Signing certificate for the strongSwan Root CA
  725: TEST_KEY="${CA_DIR}/ocspKey.pem"
  726: TEST_CERT="${CA_DIR}/ocspCert.pem"
  727: CN="ocsp.strongswan.org"
  728: OU="OCSP Signing Authority"
  729: SERIAL="11"
  730: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  731: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  732:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  733:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  734:     --flag ocspSigning --outform pem > ${TEST_CERT}
  735: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  736: 
  737: # Generate a self-signed OCSP Signing certificate
  738: TEST_KEY="${CA_DIR}/ocspKey-self.pem"
  739: TEST_CERT="${CA_DIR}/ocspCert-self.pem"
  740: OU="OCSP Self-Signed Authority"
  741: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  742: pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
  743:     --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
  744:     --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  745:     --outform pem > ${TEST_CERT}
  746: 
  747: # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
  748: TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
  749: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
  750: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
  751: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
  752: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
  753: 
  754: # Generate mars virtual server certificate
  755: TEST="${TEST_DIR}/ha/both-active"
  756: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
  757: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
  758: CN="mars.strongswan.org"
  759: OU="Virtual VPN Gateway"
  760: SERIAL="12"
  761: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  762: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
  763: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  764: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  765:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  766:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  767:     --flag serverAuth --outform pem > ${TEST_CERT}
  768: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  769: 
  770: # Put a copy into the mirrored gateway
  771: mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
  772: mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
  773: cp ${TEST_KEY}  ${TEST}/hosts/alice/${IPSEC_DIR}/private
  774: cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
  775: 
  776: # Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
  777: for t in "ha/active-passive" "ikev2/redirect-active"
  778: do
  779:   TEST="${TEST_DIR}/${t}"
  780:   for h in alice moon
  781:   do
  782:     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
  783:     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
  784:     cp ${TEST_KEY}  ${TEST}/hosts/${h}/${IPSEC_DIR}/private
  785:     cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
  786:   done
  787: done
  788: 
  789: # Generate moon certificate with an unsupported critical X.509 extension
  790: TEST="${TEST_DIR}/ikev2/critical-extension"
  791: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
  792: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
  793: CN="moon.strongswan.org"
  794: SERIAL="13"
  795: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  796: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
  797: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  798: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  799:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  800:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
  801:     --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
  802:     --outform pem > ${TEST_CERT}
  803: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  804: 
  805: # Put a copy in the openssl-ikev2/critical extension scenario
  806: TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
  807: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
  808: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  809: cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
  810: cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
  811: 
  812: # Generate sun certificate with an unsupported critical X.509 extension
  813: TEST="${TEST_DIR}/ikev2/critical-extension"
  814: TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
  815: TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
  816: CN="sun.strongswan.org"
  817: SERIAL="14"
  818: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
  819: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
  820: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  821: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  822:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  823:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
  824:     --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
  825:     --outform pem > ${TEST_CERT}
  826: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  827: 
  828: # Put a copy in the openssl-ikev2/critical extension scenario
  829: TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
  830: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
  831: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
  832: cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
  833: cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
  834: 
  835: # Generate winnetou server certificate
  836: HOST_KEY="${CA_DIR}/winnetouKey.pem"
  837: HOST_CERT="${CA_DIR}/winnetouCert.pem"
  838: CN="winnetou.strongswan.org"
  839: SERIAL="15"
  840: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
  841: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  842:     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  843:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  844:     --flag serverAuth --outform pem > ${HOST_CERT}
  845: cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  846: 
  847: # Generate AAA server certificate
  848: TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
  849: TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
  850: TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
  851: CN="aaa.strongswan.org"
  852: SERIAL="16"
  853: cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
  854: mkdir -p rsa x509
  855: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  856: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  857: --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  858:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  859:     --flag serverAuth --outform pem > ${TEST_CERT}
  860: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  861: 
  862: # Put a copy into various tnc scenarios
  863: for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
  864: do
  865:   cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
  866:   mkdir -p rsa x509
  867:   cp ${TEST_KEY}  rsa
  868:   cp ${TEST_CERT} x509
  869: done
  870: 
  871: # Put a copy into the alice FreeRADIUS server
  872: cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
  873: 
  874: ################################################################################
  875: # strongSwan Attribute Authority                                               #
  876: ################################################################################
  877: 
  878: # Generate Attribute Authority certificate
  879: TEST="${TEST_DIR}/ikev2/acert-cached"
  880: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
  881: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
  882: CN="strongSwan Attribute Authority"
  883: SERIAL="17"
  884: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  885: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
  886: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
  887: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  888: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  889:     --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
  890:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  891:     --outform pem > ${TEST_CERT}
  892: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  893: 
  894: # Generate carol's attribute certificate for sales and finance
  895: ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
  896: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
  897:     --in ${CA_DIR}/certs/01.pem --group sales --group finance \
  898:     --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
  899: 
  900: # Generate dave's expired attribute certificate for sales
  901: ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
  902: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
  903:     --in ${CA_DIR}/certs/02.pem --group sales \
  904:     --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
  905: 
  906: # Generate dave's attribute certificate for marketing
  907: ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
  908: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
  909:     --in ${CA_DIR}/certs/02.pem --group marketing \
  910:     --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
  911: 
  912: # Put a copy into the ikev2/acert-fallback scenario
  913: TEST="${TEST_DIR}/ikev2/acert-fallback"
  914: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  915: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
  916: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
  917: cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
  918: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
  919: 
  920: # Generate carol's expired attribute certificate for finance
  921: ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
  922: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
  923: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
  924:     --in ${CA_DIR}/certs/01.pem --group finance \
  925:     --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
  926: 
  927: # Generate carol's valid attribute certificate for sales
  928: ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
  929: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
  930:     --in ${CA_DIR}/certs/01.pem --group sales \
  931:     --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
  932: 
  933: # Put a copy into the ikev2/acert-inline scenario
  934: TEST="${TEST_DIR}/ikev2/acert-inline"
  935: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
  936: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
  937: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
  938: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
  939: cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
  940: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
  941: cp ${ACERT_CS}  ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
  942: cp ${ACERT_DM}  ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
  943: 
  944: # Generate a short-lived Attribute Authority certificate
  945: CN="strongSwan Legacy AA"
  946: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
  947: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
  948: SERIAL="18"
  949: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  950: pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
  951:     --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
  952:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  953:     --outform pem > ${TEST_CERT}
  954: cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
  955: 
  956: # Generate dave's attribute certificate for sales from expired AA
  957: ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
  958: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
  959: pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
  960:     --in ${CA_DIR}/certs/02.pem --group sales \
  961:     --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
  962: 
  963: ################################################################################
  964: # strongSwan Root CA index for OCSP server                                     #
  965: ################################################################################
  966: 
  967: # generate index.txt file for Root OCSP server
  968: cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
  969: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
  970: sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
  971: sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
  972: sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
  973: 
  974: ################################################################################
  975: # Research CA                                                                  #
  976: ################################################################################
  977: 
  978: # Generate a carol research certificate
  979: TEST="${TEST_DIR}/ikev2/multi-level-ca"
  980: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
  981: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
  982: CN="carol@strongswan.org"
  983: SERIAL="01"
  984: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
  985: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
  986: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
  987: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
  988:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
  989:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
  990:     --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
  991: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
  992: 
  993: # Save a copy of the private key in DER format
  994: openssl rsa -in ${TEST_KEY} -outform der \
  995:             -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
  996: 
  997: # Put a copy in the following scenarios
  998: for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
  999:          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
 1000:          ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
 1001:          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
 1002:          ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
 1003:          ikev1/multi-level-ca-cr-resp
 1004: do
 1005:   TEST="${TEST_DIR}/${t}"
 1006:   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1007:   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1008:   cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1009:   cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1010: done
 1011: 
 1012: for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
 1013: do
 1014:   TEST="${TEST_DIR}/swanctl/${t}"
 1015:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 1016:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1017:   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 1018:   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1019: done
 1020: 
 1021: # Generate a carol research certificate without a CDP
 1022: TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
 1023: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
 1024: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1025: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1026: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
 1027:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1028:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
 1029:     --outform pem > ${TEST_CERT}
 1030: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1031: 
 1032: # Generate an OCSP Signing certificate for the Research CA
 1033: TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
 1034: TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
 1035: OU="Research OCSP Signing Authority"
 1036: CN="ocsp.research.strongswan.org"
 1037: SERIAL="02"
 1038: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1039: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
 1040:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1041:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
 1042:     --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
 1043: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
 1044: 
 1045: # Generate a Sales CA certificate signed by the Research CA
 1046: TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
 1047: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
 1048: SERIAL="03"
 1049: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
 1050: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
 1051:     --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
 1052:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
 1053:     --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
 1054: cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
 1055: 
 1056: ################################################################################
 1057: # Duck Research CA                                                                     #
 1058: ################################################################################
 1059: 
 1060: # Generate a Duck Research CA certificate signed by the Research CA
 1061: SERIAL="04"
 1062: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
 1063: pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
 1064:     --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
 1065:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
 1066:     --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
 1067: cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
 1068: 
 1069: # Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
 1070: TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
 1071: cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
 1072: 
 1073: # Generate a carol certificate signed by the Duck Research CA
 1074: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
 1075: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
 1076: CN="carol@strongswan.org"
 1077: SERIAL="01"
 1078: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1079: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1080: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1081: pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
 1082:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1083:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
 1084:     --outform pem > ${TEST_CERT}
 1085: cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
 1086: 
 1087: # Generate index.txt file for Research OCSP server
 1088: cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
 1089: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
 1090: 
 1091: ################################################################################
 1092: # Sales CA                                                                     #
 1093: ################################################################################
 1094: 
 1095: # Generate a dave sales certificate
 1096: TEST="${TEST_DIR}/ikev2/multi-level-ca"
 1097: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
 1098: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
 1099: CN="dave@strongswan.org"
 1100: SERIAL="01"
 1101: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
 1102: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 1103: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1104: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
 1105:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1106:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
 1107:     --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
 1108: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
 1109: 
 1110: # Save a copy of the private key in DER format
 1111: openssl rsa -in ${TEST_KEY} -outform der \
 1112:             -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
 1113: 
 1114: # Put a copy in the following scenarios
 1115: for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
 1116:          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
 1117:          ikev2/ocsp-multi-level ikev1/multi-level-ca \
 1118:          ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
 1119: do
 1120:   TEST="${TEST_DIR}/${t}"
 1121:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
 1122:   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 1123:   cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
 1124:   cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 1125: done
 1126: 
 1127: for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
 1128: do
 1129:   TEST="${TEST_DIR}/swanctl/${t}"
 1130:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
 1131:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1132:   cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
 1133:   cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1134: done
 1135: 
 1136: # Generate a dave sales certificate with an inactive OCSP URI and no CDP
 1137: TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
 1138: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
 1139: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 1140: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
 1141: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
 1142:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1143:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
 1144:     --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
 1145: cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
 1146: 
 1147: # Generate an OCSP Signing certificate for the Sales CA
 1148: TEST_KEY="${SALES_DIR}/ocspKey.pem"
 1149: TEST_CERT="${SALES_DIR}/ocspCert.pem"
 1150: OU="Sales OCSP Signing Authority"
 1151: CN="ocsp.sales.strongswan.org"
 1152: SERIAL="02"
 1153: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1154: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
 1155:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1156:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
 1157:     --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
 1158: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
 1159: 
 1160: # Generate a Research CA certificate signed by the Sales CA
 1161: TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
 1162: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
 1163: SERIAL="03"
 1164: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
 1165: pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
 1166:     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
 1167:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
 1168:     --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
 1169: cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
 1170: 
 1171: # generate index.txt file for Sales OCSP server
 1172: cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
 1173: sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
 1174: 
 1175: ################################################################################
 1176: # Levels L3 CA                                                                 #
 1177: ################################################################################
 1178: 
 1179: # Generate a carol l3 certificate
 1180: TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
 1181: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
 1182: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
 1183: CN="carol@strongswan.org"
 1184: SERIAL="01"
 1185: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 1186: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1187: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1188: pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
 1189:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1190:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
 1191:     --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
 1192: cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
 1193: 
 1194: for t in tkm/multi-level-ca
 1195: do
 1196:   TEST="${TEST_DIR}/${t}"
 1197:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 1198:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1199:   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 1200:   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1201: done
 1202: 
 1203: ################################################################################
 1204: # strongSwan EC Root CA                                                        #
 1205: ################################################################################
 1206: 
 1207: # Generate strongSwan EC Root CA
 1208: pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
 1209: pki --self --type ecdsa --in ${ECDSA_KEY} \
 1210:     --not-before "${START}" --not-after "${CA_END}" --ca \
 1211:     --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
 1212:     --outform pem > ${ECDSA_CERT}
 1213: 
 1214: # Put a copy in the openssl-ikev2/ecdsa-certs scenario
 1215: for t in ecdsa-certs ecdsa-pkcs8
 1216: do
 1217:   TEST="${TEST_DIR}/openssl-ikev2/${t}"
 1218:   for h in moon carol dave
 1219:   do
 1220:     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1221:     cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1222:   done
 1223: done
 1224: 
 1225: # Generate a moon ECDSA 521 bit certificate
 1226: TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
 1227: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
 1228: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
 1229: CN="moon.strongswan.org"
 1230: SERIAL="01"
 1231: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
 1232: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1233: pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
 1234: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
 1235:     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1236:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
 1237:     --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
 1238: cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
 1239: 
 1240: # Generate a carol ECDSA 256 bit certificate
 1241: CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
 1242: CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
 1243: CN="carol@strongswan.org"
 1244: SERIAL="02"
 1245: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
 1246: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1247: pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
 1248: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
 1249:     --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1250:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
 1251:     --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
 1252: cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
 1253: 
 1254: # Generate a dave ECDSA 384 bit certificate
 1255: DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
 1256: DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
 1257: CN="dave@strongswan.org"
 1258: SERIAL="03"
 1259: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
 1260: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1261: pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
 1262: pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
 1263:     --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1264:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
 1265:     --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
 1266: cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
 1267: 
 1268: # Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
 1269: TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
 1270: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1271: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1272: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1273: cp ${MOON_CERT}  ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1274: cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1275: cp ${DAVE_CERT}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1276: 
 1277: # Convert moon private key into unencrypted PKCS#8 format
 1278: TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
 1279: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
 1280: openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
 1281: 
 1282: # Convert carol private key into v1.5 DES encrypted PKCS#8 format
 1283: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
 1284: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
 1285: openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
 1286:               -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
 1287: 
 1288: # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
 1289: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
 1290: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
 1291: openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8  -v2 aes128 \
 1292:               -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
 1293: 
 1294: # Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
 1295: TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
 1296: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
 1297: mkdir -p ecdsa x509 x509ca
 1298: cp ${MOON_KEY}   ecdsa
 1299: cp ${MOON_CERT}  x509
 1300: cp ${ECDSA_CERT} x509ca
 1301: cd ${TEST}/hosts/carol/${SWANCTL_DIR}
 1302: mkdir -p ecdsa x509 x509ca
 1303: cp ${CAROL_KEY}  ecdsa
 1304: cp ${CAROL_CERT} x509
 1305: cp ${ECDSA_CERT} x509ca
 1306: cd ${TEST}/hosts/dave/${SWANCTL_DIR}
 1307: mkdir -p ecdsa x509 x509ca
 1308: cp ${DAVE_KEY}   ecdsa
 1309: cp ${DAVE_CERT}  x509
 1310: cp ${ECDSA_CERT} x509ca
 1311: 
 1312: ################################################################################
 1313: # strongSwan RFC3779 Root CA                                                   #
 1314: ################################################################################
 1315: 
 1316: # Generate strongSwan RFC3779 Root CA
 1317: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
 1318: pki --self --type rsa --in ${RFC3779_KEY} \
 1319:     --not-before "${START}" --not-after "${CA_END}" --ca \
 1320:     --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
 1321:     --addrblock "10.1.0.0-10.2.255.255" \
 1322:     --addrblock "10.3.0.1-10.3.3.232" \
 1323:     --addrblock "192.168.0.0/24" \
 1324:     --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
 1325:     --outform pem > ${RFC3779_CERT}
 1326: 
 1327: # Put a copy in the ikev2/net2net-rfc3779 scenario
 1328: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
 1329: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
 1330: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
 1331: cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
 1332: cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
 1333: 
 1334: # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
 1335: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
 1336: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
 1337: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
 1338: cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
 1339: cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
 1340: 
 1341: # Generate a moon RFC3779 certificate
 1342: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
 1343: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
 1344: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
 1345: CN="moon.strongswan.org"
 1346: SERIAL="01"
 1347: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
 1348: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
 1349: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1350: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
 1351:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1352:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
 1353:     --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
 1354:     --addrblock "fec0::1/128" --addrblock "fec1::/16" \
 1355:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
 1356: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
 1357: 
 1358: # Put a copy in the ipv6 scenarios
 1359: for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
 1360: do
 1361:   cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
 1362:   mkdir -p rsa x509 x509ca
 1363:   cp ${TEST_KEY}  rsa
 1364:   cp ${TEST_CERT} x509
 1365:   cp ${RFC3779_CERT} x509ca
 1366: done
 1367: 
 1368: # Generate a sun RFC3779 certificate
 1369: TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
 1370: TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
 1371: TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
 1372: CN="sun.strongswan.org"
 1373: SERIAL="02"
 1374: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
 1375: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
 1376: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1377: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
 1378:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1379:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
 1380:     --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
 1381:     --addrblock "fec0::2/128" --addrblock "fec2::/16" \
 1382:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
 1383: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
 1384: 
 1385: # Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
 1386: cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
 1387: mkdir -p rsa x509 x509ca
 1388: cp ${TEST_KEY} rsa
 1389: cp ${TEST_CERT} x509
 1390: cp ${RFC3779_CERT} x509ca
 1391: 
 1392: # Generate a carol RFC3779 certificate
 1393: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
 1394: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
 1395: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
 1396: CN="carol@strongswan.org"
 1397: SERIAL="03"
 1398: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 1399: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1400: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1401: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
 1402:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1403:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
 1404:     --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
 1405:     --addrblock "fec0::10/128" \
 1406:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
 1407: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
 1408: 
 1409: # Generate a carol RFC3779 certificate
 1410: TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
 1411: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
 1412: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
 1413: CN="dave@strongswan.org"
 1414: SERIAL="04"
 1415: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
 1416: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1417: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1418: pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
 1419:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1420:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
 1421:     --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
 1422:     --addrblock "fec0::20/128" \
 1423:     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
 1424: cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
 1425: 
 1426: ################################################################################
 1427: # strongSwan SHA3-RSA Root CA                                                  #
 1428: ################################################################################
 1429: 
 1430: # Use specific plugin configuration to issue certificates with SHA-3 signatures
 1431: # as not all crypto plugins support them.  To avoid entropy issues use the
 1432: # default plugins to generate the keys.
 1433: SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
 1434: 
 1435: # Generate strongSwan SHA3-RSA Root CA
 1436: pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
 1437: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
 1438: pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
 1439:     --not-before "${START}" --not-after "${CA_END}" --ca \
 1440:     --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
 1441:     --outform pem > ${SHA3_RSA_CERT}
 1442: 
 1443: # Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
 1444: TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
 1445: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 1446: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
 1447: cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 1448: cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
 1449: 
 1450: # Generate a sun SHA3-RSA certificate
 1451: SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
 1452: SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
 1453: CN="sun.strongswan.org"
 1454: SERIAL="01"
 1455: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
 1456: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
 1457: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
 1458: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
 1459: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
 1460:     --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1461:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
 1462:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
 1463: cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
 1464: 
 1465: # Generate a moon SHA3-RSA certificate
 1466: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
 1467: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
 1468: CN="moon.strongswan.org"
 1469: SERIAL="02"
 1470: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
 1471: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1472: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
 1473: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
 1474: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
 1475:     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1476:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
 1477:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
 1478: cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
 1479: 
 1480: # Put a copy in the botan/net2net-sha3-rsa-cert scenario
 1481: TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
 1482: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
 1483: mkdir -p rsa x509 x509ca
 1484: cp ${MOON_KEY}      rsa
 1485: cp ${MOON_CERT}     x509
 1486: cp ${SHA3_RSA_CERT} x509ca
 1487: cd ${TEST}/hosts/sun/${SWANCTL_DIR}
 1488: mkdir -p rsa x509 x509ca
 1489: cp ${SUN_KEY}       rsa
 1490: cp ${SUN_CERT}      x509
 1491: cp ${SHA3_RSA_CERT} x509ca
 1492: 
 1493: # Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
 1494: TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
 1495: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
 1496: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1497: cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
 1498: cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1499: 
 1500: # Generate a carol SHA3-RSA certificate
 1501: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
 1502: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
 1503: CN="carol@strongswan.org"
 1504: SERIAL="03"
 1505: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 1506: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1507: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1508: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
 1509: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
 1510:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1511:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
 1512:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
 1513: cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
 1514: 
 1515: # Generate a dave SHA3-RSA certificate
 1516: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
 1517: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
 1518: CN="dave@strongswan.org"
 1519: SERIAL="04"
 1520: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
 1521: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1522: pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 1523: PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
 1524: pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
 1525:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1526:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
 1527:     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
 1528: cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
 1529: 
 1530: for h in moon carol dave
 1531: do
 1532:   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1533:   cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1534: done
 1535: 
 1536: ################################################################################
 1537: # strongSwan Ed25519 Root CA                                                   #
 1538: ################################################################################
 1539: 
 1540: # Generate strongSwan Ed25519 Root CA
 1541: pki --gen  --type ed25519 --outform pem > ${ED25519_KEY}
 1542: pki --self --type ed25519 --in ${ED25519_KEY} \
 1543:     --not-before "${START}" --not-after "${CA_END}" --ca \
 1544:     --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
 1545:     --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
 1546:     --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
 1547:     --outform pem > ${ED25519_CERT}
 1548: 
 1549: # Put a copy in the swanctl/net2net-ed25519 scenario
 1550: TEST="${TEST_DIR}/swanctl/net2net-ed25519"
 1551: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 1552: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
 1553: cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 1554: cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
 1555: 
 1556: # Generate a sun Ed25519 certificate
 1557: SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
 1558: SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
 1559: CN="sun.strongswan.org"
 1560: SERIAL="01"
 1561: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
 1562: mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
 1563: pki --gen --type ed25519 --outform pem > ${SUN_KEY}
 1564: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
 1565:     --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1566:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
 1567:     --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
 1568:     --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
 1569: cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
 1570: 
 1571: # Generate a moon Ed25519 certificate
 1572: MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
 1573: MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
 1574: CN="moon.strongswan.org"
 1575: SERIAL="02"
 1576: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
 1577: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1578: pki --gen --type ed25519 --outform pem > ${MOON_KEY}
 1579: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
 1580:     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1581:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
 1582:     --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
 1583:     --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
 1584: cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
 1585: 
 1586: # Put a copy in the botan/net2net-ed25519 scenario
 1587: TEST="${TEST_DIR}/botan/net2net-ed25519"
 1588: cd ${TEST}/hosts/moon/${SWANCTL_DIR}
 1589: mkdir -p pkcs8 x509 x509ca
 1590: cp ${MOON_KEY}     pkcs8
 1591: cp ${MOON_CERT}    x509
 1592: cp ${ED25519_CERT} x509ca
 1593: cd ${TEST}/hosts/sun/${SWANCTL_DIR}
 1594: mkdir -p pkcs8 x509 x509ca
 1595: cp ${SUN_KEY}      pkcs8
 1596: cp ${SUN_CERT}     x509
 1597: cp ${ED25519_CERT} x509ca
 1598: 
 1599: # Put a copy in the ikev2/net2net-ed25519 scenario
 1600: TEST="${TEST_DIR}/ikev2/net2net-ed25519"
 1601: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
 1602: cd ${TEST}/hosts/moon/${IPSEC_DIR}
 1603: mkdir -p cacerts certs private
 1604: cp ${MOON_KEY}     private
 1605: cp ${MOON_CERT}    certs
 1606: cp ${ED25519_CERT} cacerts
 1607: mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
 1608: cd ${TEST}/hosts/sun/${IPSEC_DIR}
 1609: mkdir -p cacerts certs private
 1610: cp ${SUN_KEY}      private
 1611: cp ${SUN_CERT}     certs
 1612: cp ${ED25519_CERT} cacerts
 1613: 
 1614: # Put a copy in the swanctl/rw-ed25519-certpol scenario
 1615: TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
 1616: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
 1617: mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1618: cp ${MOON_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
 1619: cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1620: 
 1621: for h in moon carol dave
 1622: do
 1623:   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1624:   cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1625: done
 1626: 
 1627: # Generate a carol Ed25519 certificate
 1628: TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
 1629: TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
 1630: CN="carol@strongswan.org"
 1631: SERIAL="03"
 1632: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
 1633: mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1634: pki --gen --type ed25519 --outform pem > ${TEST_KEY}
 1635: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
 1636:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1637:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
 1638:     --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
 1639:     --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
 1640: cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
 1641: 
 1642: # Generate a dave Ed25519 certificate
 1643: TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
 1644: TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
 1645: CN="dave@strongswan.org"
 1646: SERIAL="04"
 1647: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
 1648: mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1649: pki --gen --type ed25519 --outform pem > ${TEST_KEY}
 1650: pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
 1651:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1652:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
 1653:     --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
 1654:     --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
 1655: cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
 1656: 
 1657: ################################################################################
 1658: # strongSwan Monster Root CA                                                   #
 1659: ################################################################################
 1660: 
 1661: # Generate strongSwan Monster Root CA
 1662: pki --gen  --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
 1663: pki --self --type rsa --in ${MONSTER_KEY} \
 1664:     --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
 1665:     --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
 1666:     --outform pem > ${MONSTER_CERT}
 1667: 
 1668: # Put a copy in the ikev2/after-2038-certs scenario
 1669: TEST="${TEST_DIR}/ikev2/after-2038-certs"
 1670: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
 1671: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
 1672: cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
 1673: cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
 1674: 
 1675: # Generate a moon Monster certificate
 1676: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
 1677: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
 1678: CN="moon.strongswan.org"
 1679: SERIAL="01"
 1680: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
 1681: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
 1682: pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
 1683: pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
 1684:     --in ${TEST_KEY} --san ${CN} \
 1685:     --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
 1686:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
 1687:     --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
 1688: cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
 1689: 
 1690: # Generate a carol Monster certificate
 1691: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
 1692: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
 1693: CN="carol@strongswan.org"
 1694: SERIAL="02"
 1695: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1696: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1697: pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
 1698: pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
 1699:     --in ${TEST_KEY} --san ${CN} \
 1700:     --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
 1701:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
 1702:     --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
 1703: cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
 1704: 
 1705: ################################################################################
 1706: # Bliss CA                                                                     #
 1707: ################################################################################
 1708: 
 1709: # Generate BLISS Root CA with 192 bit security strength
 1710: pki --gen  --type bliss --size 4 > ${BLISS_KEY}
 1711: pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
 1712:     --not-before "${START}" --not-after "${CA_END}" --ca \
 1713:     --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
 1714: 
 1715: # Put a copy in the following scenarios
 1716: for t in rw-newhope-bliss rw-ntru-bliss
 1717: do
 1718:   TEST="${TEST_DIR}/ikev2/${t}"
 1719:   for h in moon carol dave
 1720:   do
 1721:     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
 1722:     cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
 1723:   done
 1724: 
 1725:   TEST="${TEST_DIR}/swanctl/${t}"
 1726:   for h in moon carol dave
 1727:   do
 1728:     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1729:     cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
 1730:   done
 1731: done
 1732: 
 1733: # Generate a carol BLISS certificate with 128 bit security strength
 1734: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
 1735: TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
 1736: TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
 1737: CN="carol@strongswan.org"
 1738: SERIAL="01"
 1739: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1740: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1741: pki --gen --type bliss --size 1 > ${TEST_KEY}
 1742: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
 1743:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1744:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
 1745:     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
 1746: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
 1747: 
 1748: # Put a copy in the ikev2/rw-ntru-bliss scenario
 1749: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
 1750: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1751: mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1752: cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
 1753: cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 1754: 
 1755: # Put a copy in the swanctl scenarios
 1756: for t in rw-newhope-bliss rw-ntru-bliss
 1757: do
 1758:   TEST="${TEST_DIR}/swanctl/${t}"
 1759:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
 1760:   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1761:   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
 1762:   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 1763: done
 1764: 
 1765: # Generate a dave BLISS certificate with 160 bit security strength
 1766: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
 1767: TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
 1768: TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
 1769: CN="dave@strongswan.org"
 1770: SERIAL="02"
 1771: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
 1772: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 1773: pki --gen --type bliss --size 3 > ${TEST_KEY}
 1774: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
 1775:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1776:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
 1777:     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
 1778: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
 1779: 
 1780: # Put a copy in the ikev2/rw-ntru-bliss scenario
 1781: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
 1782: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
 1783: mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 1784: cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
 1785: cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
 1786: 
 1787: # Put a copy in the swanctl scenarios
 1788: for t in rw-newhope-bliss rw-ntru-bliss
 1789: do
 1790:   TEST="${TEST_DIR}/swanctl/${t}"
 1791:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
 1792:   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
 1793:   cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
 1794:   cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
 1795: done
 1796: 
 1797: # Generate a moon BLISS certificate with 192 bit security strength
 1798: TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
 1799: TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
 1800: TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
 1801: CN="moon.strongswan.org"
 1802: SERIAL="03"
 1803: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
 1804: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
 1805: pki --gen --type bliss --size 4 > ${TEST_KEY}
 1806: pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
 1807:     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
 1808:     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
 1809:     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
 1810: cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
 1811: 
 1812: # Put a copy in the ikev2/rw-ntru-bliss scenario
 1813: TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
 1814: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
 1815: mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
 1816: cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
 1817: cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
 1818: 
 1819: # Put a copy in the swanctl scenarios
 1820: for t in rw-newhope-bliss rw-ntru-bliss
 1821: do
 1822:   TEST="${TEST_DIR}/swanctl/${t}"
 1823:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
 1824:   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
 1825:   cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
 1826:   cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
 1827: done
 1828: 
 1829: ################################################################################
 1830: # SQL Data                                                                     #
 1831: ################################################################################
 1832: 
 1833: CA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CA_KEY}`
 1834: CA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${CA_KEY}`
 1835: CA_CERT_HEX=`cat ${CA_CERT_DER} | hexdump -v -e '/1 "%02x"'`
 1836: CA_CERT_PEM_HEX=`cat ${CA_CERT} | hexdump -v -e '/1 "%02x"'`
 1837: #
 1838: MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
 1839: MOON_KEY="${CA_DIR}/keys/moonKey.der"
 1840: MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
 1841: MOON_KEY_PEM_HEX=`cat ${MOON_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
 1842: MOON_KEY_HEX=`cat ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
 1843: MOON_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY}`
 1844: MOON_PUB_HEX=`pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
 1845: MOON_CERT_HEX=`openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1846: MOON_CERT_PEM_HEX=`cat ${MOON_CERT} | hexdump -v -e '/1 "%02x"'`
 1847: #
 1848: SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
 1849: SUN_KEY="${CA_DIR}/keys/sunKey.der"
 1850: SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
 1851: SUN_KEY_PEM_HEX=`cat ${SUN_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
 1852: SUN_KEY_HEX=`cat ${SUN_KEY} | hexdump -v -e '/1 "%02x"'`
 1853: SUN_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY}`
 1854: SUN_CERT_HEX=`openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1855: SUN_CERT_PEM_HEX=`cat ${SUN_CERT} | hexdump -v -e '/1 "%02x"'`
 1856: #
 1857: CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
 1858: CAROL_KEY="${CA_DIR}/keys/carolKey.der"
 1859: CAROL_KEY_HEX=`cat ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
 1860: CAROL_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY}`
 1861: CAROL_PUB_HEX=`pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
 1862: CAROL_CERT_HEX=`openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1863: #
 1864: DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
 1865: DAVE_KEY="${CA_DIR}/keys/daveKey.der"
 1866: DAVE_KEY_HEX=`cat ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
 1867: DAVE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY}`
 1868: DAVE_PUB_HEX=`pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
 1869: DAVE_CERT_HEX=`openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1870: #
 1871: ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
 1872: ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
 1873: ALICE_KEY_HEX=`cat ${ALICE_KEY} | hexdump -v -e '/1 "%02x"'`
 1874: ALICE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY}`
 1875: ALICE_CERT_HEX=`openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1876: #
 1877: VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
 1878: VENUS_KEY="${CA_DIR}/keys/venusKey.der"
 1879: VENUS_KEY_HEX=`cat ${VENUS_KEY} | hexdump -v -e '/1 "%02x"'`
 1880: VENUS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY}`
 1881: VENUS_CERT_HEX=`openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1882: #
 1883: RESEARCH_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY}`
 1884: RESEARCH_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY}`
 1885: RESEARCH_CERT_HEX=`cat ${RESEARCH_CERT_DER} | hexdump -v -e '/1 "%02x"'`
 1886: #
 1887: CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
 1888: CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
 1889: CAROL_R_KEY_HEX=`cat ${CAROL_R_KEY} | hexdump -v -e '/1 "%02x"'`
 1890: CAROL_R_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY}`
 1891: CAROL_R_CERT_HEX=`openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1892: #
 1893: SALES_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY}`
 1894: SALES_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY}`
 1895: SALES_CERT_HEX=`cat ${SALES_CERT_DER} | hexdump -v -e '/1 "%02x"'`
 1896: #
 1897: DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
 1898: DAVE_S_KEY="${SALES_DIR}/keys/01.der"
 1899: DAVE_S_KEY_HEX=`cat ${DAVE_S_KEY} | hexdump -v -e '/1 "%02x"'`
 1900: DAVE_S_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY}`
 1901: DAVE_S_CERT_HEX=`openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
 1902: #
 1903: for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
 1904:          ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
 1905:          rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
 1906: do
 1907:   for h in carol dave moon
 1908:   do
 1909:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
 1910:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
 1911:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
 1912:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
 1913:         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
 1914:         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
 1915:         -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
 1916:         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
 1917:         -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
 1918:         -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
 1919:         -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
 1920:         -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
 1921:         -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
 1922:         -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
 1923:         -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
 1924:         -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
 1925:         -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
 1926:         -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
 1927:         -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
 1928:         -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
 1929:         -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
 1930:         -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
 1931:         -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
 1932:         -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
 1933:         -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
 1934:         -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
 1935:         -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
 1936:         -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
 1937:         ${TEST_DATA}.in > ${TEST_DATA}
 1938:   done
 1939: done
 1940: #
 1941: for t in rw-eap-aka-rsa
 1942: do
 1943:   for h in carol moon
 1944:   do
 1945:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
 1946:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
 1947:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
 1948:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
 1949:         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
 1950:         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
 1951:         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
 1952:         ${TEST_DATA}.in > ${TEST_DATA}
 1953:   done
 1954: done
 1955: #
 1956: for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
 1957: do
 1958:   for h in moon sun
 1959:   do
 1960:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
 1961:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
 1962:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
 1963:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
 1964:         -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
 1965:         -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
 1966:         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
 1967:         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
 1968:         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
 1969:         -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
 1970:         -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
 1971:         -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
 1972:         -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
 1973:         -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
 1974:         -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
 1975:                ${TEST_DATA}.in > ${TEST_DATA}
 1976:   done
 1977: done
 1978: #
 1979: for t in shunt-policies-nat-rw
 1980: do
 1981:   for h in alice venus sun
 1982:   do
 1983:     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
 1984:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
 1985:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
 1986:         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
 1987:         -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
 1988:         -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
 1989:         -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
 1990:         -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
 1991:         -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
 1992:         -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
 1993:         -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
 1994:         -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
 1995:         -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
 1996:         ${TEST_DATA}.in > ${TEST_DATA}
 1997:   done
 1998: done
 1999: 
 2000: ################################################################################
 2001: # Raw RSA keys                                                                 #
 2002: ################################################################################
 2003: 
 2004: MOON_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${MOON_KEY}`
 2005: #
 2006: SUN_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${SUN_KEY}`
 2007: #
 2008: for h in moon sun
 2009: do
 2010:   TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
 2011:   sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
 2012:       -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
 2013:       ${TEST_DATA}.in > ${TEST_DATA}
 2014: done
 2015: 
 2016: ################################################################################
 2017: # TKM CA ID mapping                                                            #
 2018: ################################################################################
 2019: 
 2020: for t in host2host-initiator host2host-responder host2host-xfrmproxy \
 2021:          multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
 2022:          xfrmproxy-rekey
 2023: do
 2024:   for h in moon
 2025:   do
 2026:     TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
 2027:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
 2028:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
 2029:         -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \
 2030:         ${TEST_DATA}.in > ${TEST_DATA}
 2031:   done
 2032: done
 2033: 
 2034: for t in multiple-clients
 2035: do
 2036:   for h in sun
 2037:   do
 2038:     TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
 2039:     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
 2040:         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
 2041:         ${TEST_DATA}.in > ${TEST_DATA}
 2042:   done
 2043: done
