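#!/bin/bash
#
# Build the test PKI used by the strongSwan test scenarios: the Root CA,
# the intermediate CAs, per-host keys and certificates, CRLs, OCSP signer
# certificates and DNSSEC zone snippets. Everything is written below the
# testing directory derived from this script's own location; all key
# passphrases in here are fixed test-fixture values that the scenario
# configurations reference.

set -o errexit
# A failing pki/openssl stage inside a pipeline (e.g. the zone-file
# generation further down) must abort the build instead of silently
# producing an empty record.
set -o pipefail

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory (the parent of the directory holding this
# script). Quoted and nested $(...) so a path with spaces survives.
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity periods. Every certificate is back-dated by two days; the SH_*
# values already lie in the past (presumably for expired-credential
# scenarios; they are not consumed in the part of the script shown here).
START=$(date -d "-2 day" "+%d.%m.%y %T")
SH_END=$(date -d "-1 day" "+%d.%m.%y %T")      # 1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")   # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")   # 9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")   # 8 years
SH_EXP=$(date -d "-1 day" "+%y%m%d%H%M%SZ")    # 1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ") # 9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ") # 8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated on purpose: the per-host loops below rely on word splitting.
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"
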
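# Create the CA working directories up front (one call; -p keeps re-runs
# idempotent and creates missing parents).
mkdir -p \
    "${CA_DIR}/certs" "${CA_DIR}/keys" \
    "${RESEARCH_DIR}/certs" "${RESEARCH_DIR}/keys" \
    "${SALES_DIR}/certs" "${SALES_DIR}/keys" \
    "${DUCK_DIR}/certs" \
    "${ECDSA_DIR}/certs" \
    "${RFC3779_DIR}/certs" \
    "${SHA3_RSA_DIR}/certs" \
    "${ED25519_DIR}/certs" \
    "${MONSTER_DIR}/certs" \
    "${BLISS_DIR}/certs"
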
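################################################################################
# strongSwan Root CA                                                           #
################################################################################

# Generate strongSwan Root CA. pathlen 1 allows exactly one level of
# intermediate CA below the root (the Research/Sales CAs issued later).
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"

# Distribute strongSwan Root CA certificate to every host, into both the
# legacy ipsec.d tree and the swanctl tree.
# shellcheck disable=SC2086 -- HOSTS is a deliberately space-separated list
for h in ${HOSTS}
do
    HOST_DIR="${DIR}/hosts/${h}"
    mkdir -p "${HOST_DIR}/${IPSEC_DIR}/cacerts" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
    cp "${CA_CERT}" "${HOST_DIR}/${IPSEC_DIR}/cacerts"
    cp "${CA_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
done

# Put a copy onto the alice FreeRADIUS server
mkdir -p "${DIR}/hosts/alice/etc/raddb/certs"
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"

# Convert strongSwan Root CA certificate into DER format
openssl x509 -in "${CA_CERT}" -outform der -out "${CA_CERT_DER}"

# Generate a stale CRL: thisUpdate is two days in the past with a lifetime
# of 1 (day), so the CRL is already expired when the scenarios run.
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/crls" "${TEST}/hosts/moon/${IPSEC_DIR}/crls"
cp "${CA_LAST_CRL}" "${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl"
cp "${CA_LAST_CRL}" "${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl"
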
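# Generate host keys: one RSA key per host under ipsec.d/private, mirrored
# into the swanctl tree and stored DER-encoded in the CA's keys directory.
# shellcheck disable=SC2086 -- HOSTS is a deliberately space-separated list
for h in ${HOSTS}
do
    HOST_DIR="${DIR}/hosts/${h}"
    HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
    mkdir -p "${HOST_DIR}/${IPSEC_DIR}/private"
    pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

    # Put a copy into swanctl directory tree (this copy stays unencrypted
    # even where the ipsec.d copy is encrypted later on)
    mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/rsa"
    cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"

    # Convert host key into DER format; stderr holds only openssl's
    # "writing RSA key" notice, so it is silenced
    openssl rsa -in "${HOST_KEY}" -outform der -out "${CA_DIR}/keys/${h}Key.der" \
        2> /dev/null
done

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
    TEST="${TEST_DIR}/tkm/${t}"
    mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
    cp "${CA_DIR}/keys/moonKey.der" "${CA_CERT_DER}" "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
TEST="${TEST_DIR}/tkm/multiple-clients"
mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
cp "${CA_DIR}/keys/sunKey.der" "${CA_CERT_DER}" "${TEST}/hosts/sun/${TKM_DIR}"

# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format.
# PBE-MD5-DES is a legacy, weak scheme kept only as parser test input.
# NOTE(review): -nocrypt is passed together with -v1/-passout; openssl pkcs8
# writes an unencrypted PKCS#8 whenever -nocrypt is set, so confirm that the
# scenario really receives an encrypted key before relying on that.
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
    -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
# (same -nocrypt caveat as for carol above)
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v2 aes128 \
    -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"
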
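################################################################################
# Public Key Extraction                                                        #
################################################################################
# Raw (certificate-less) public keys for the pubkey/DNSSEC scenarios. Each
# key is extracted once from the host's swanctl private key and then copied
# to every scenario and peer that needs to trust it.

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into the following ikev2 scenarios
for t in net2net-dnssec net2net-pubkey rw-dnssec
do
    TEST="${TEST_DIR}/ikev2/${t}"
    mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
    cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
done

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the following swanctl scenarios (every peer gets moon's key)
for t in rw-pubkey-anon rw-pubkey-keyid
do
    TEST="${TEST_DIR}/swanctl/${t}"
    for h in moon carol dave
    do
        mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
        cp "${TEST_PUB}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
    done
done

# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario (directories exist from
# the moon distribution above)
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
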
292 ################################################################################
293 # Host Certificate Generation #
294 ################################################################################
295
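#######################################
# Issue an end-entity host certificate signed by the strongSwan Root CA.
# Globals:   DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT, CA_CDP,
#            PROJECT, START, EE_END (read)
#            OU, HOST_DIR, HOST_KEY, HOST_CERT (written; left global because
#            the rest of the script reassigns them freely after each call)
# Arguments: $1 - serial number (hex, as given to pki --serial)
#            $2 - host name; the key is read from hosts/$2/<IPSEC_DIR>/private
#            $3 - subject CN, also used as the subjectAltName
#            $4 - optional OU; the RDN is omitted from the DN when empty
# Outputs:   hosts/$2/<IPSEC_DIR>/certs/$2Cert.pem, a copy in
#            hosts/$2/<SWANCTL_DIR>/x509 and an index copy <CA_DIR>/certs/$1.pem
# Returns:   aborts the script (errexit) if pki, mkdir or cp fails
#######################################
issue_cert()
{
    local serial=$1 host=$2 cn=$3

    # The OU RDN is only emitted when a fourth argument was given; the
    # leading space and trailing comma let it splice into the DN below.
    if [ -z "${4}" ]
    then
        OU=""
    else
        OU=" OU=${4},"
    fi

    HOST_DIR="${DIR}/hosts/${host}"
    HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${host}Key.pem"
    HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${host}Cert.pem"
    mkdir -p "${HOST_DIR}/${IPSEC_DIR}/certs"
    pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
        --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${cn}" \
        --serial "${serial}" --dn "C=CH, O=${PROJECT},${OU} CN=${cn}" \
        --outform pem > "${HOST_CERT}"
    # Index copy by serial number; later steps reference certificates this way
    # (e.g. certs/01.pem for carol) without knowing the host layout.
    cp "${HOST_CERT}" "${CA_DIR}/certs/${serial}.pem"

    # Put a certificate copy into swanctl directory tree
    mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509"
    cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}
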
321
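# Generate host certificates (serials 01-07; serials continue sequentially
# below, so new certificates must pick the next free value)
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon (key + certificate + Root CA, AES-128 wrapped
# under a fixed fixture passphrase). openssl pkcs12 chatter on stderr is
# silenced; errexit still catches a failing export.
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put a PKCS#12 copy into the botan and openssl-ikev2 net2net-pkcs12 scenarios
for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12" "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
    cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
    cp "${SUN_PKCS12}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
done
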
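################################################################################
# DNSSEC Zone Files                                                            #
################################################################################

# Store moon and sun certificates in strongswan.org zone
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
echo "; Automatically generated for inclusion in zone file" > "${ZONE_FILE}"
for h in moon sun
do
    HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
    # Drop the PEM armour lines and indent the base64 body (GNU sed turns
    # the \t in the replacement into a literal tab).
    cert=$(grep --invert-match '^-----' "${HOST_CERT}" | sed -e 's/^/\t\t\t\t/')
    # CERT RDATA (RFC 4398): type 1 = PKIX, key tag 0, algorithm 0.
    # printf with %s so the certificate data is never re-parsed for escapes
    # the way echo -e would.
    printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${h}" "${cert}" >> "${ZONE_FILE}"
done

# Store public keys in strongswan.org zone
echo ";" >> "${ZONE_FILE}"
for h in moon sun carol dave
do
    HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
    # Wrap the DNSKEY-formatted public key into tab-indented 64-char lines
    pubkey=$(pki --pub --type x509 --in "${HOST_CERT}" --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
    # IPSECKEY RDATA (RFC 4025): precedence 10, gateway type 3 (domain name),
    # algorithm 2 (RSA), followed by the gateway FQDN and the public key.
    printf '%s\tIN\tIPSECKEY\t( 10 3 2 %s.strongswan.org.\n%s\n\t\t\t\t)\n' "${h}" "${h}" "${pubkey}" >> "${ZONE_FILE}"
done
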
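# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
# (same serial 01 as carol's regular certificate, but pointing at CA_BASE_CDP)
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Encrypt carolKey.pem in place (the ipsec.d copy only; the swanctl copy made
# earlier stays unencrypted). Relies on openssl reading the whole input
# before it opens the output, since -in and -out name the same file.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 -passout "pass:${KEY_PWD}" -out "${HOST_KEY}" \
    2> /dev/null

# Put a copy of the encrypted key and carol's certificate into the
# dynamic-initiator/-responder scenarios, on the dave host
for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
    cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
    cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"
done

# Put a copy into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"

# Generate another carol certificate and revoke it (reason key-compromise).
# The resulting CRL becomes the new "last" CRL that later CRLs build on.
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "key-compromise" \
    --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Generate another carol certificate with SN=002 (a second, distinct
# certificate for the same CN, distinguished by the serialNumber RDN)
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
SERIAL="09"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
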
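################################################################################
# Research CA Certificate Generation                                           #
################################################################################

# Generate a Research CA certificate signed by the Root CA and revoke it
# (reason ca-compromise). --lastcrl carries the revocations already present
# in the previous CRL over into the new one.
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
# The previous CRL has been folded into CA_CRL; remove it so nothing further
# down accidentally chains onto the stale one.
rm "${CA_LAST_CRL}"

# Generate Research CA with the same private key as above signed by Root CA
# (fresh serial, not revoked: this is the intermediate the scenarios trust)
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the following scenarios. The Sales CA section
# below copies into the same moon cacerts directories without creating them,
# so its scenario list must stay a subset of this one.
for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
         ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
    cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
done

for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"
    cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"
done

for t in multi-level-ca ocsp-multi-level
do
    TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
    cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done

# Convert Research CA certificate into DER format
openssl x509 -in "${RESEARCH_CERT}" -outform der -out "${RESEARCH_CERT_DER}"

# Generate Research CA with the same private key as above but invalid CDP.
# SERIAL is still 0B here, so this certificate shares key and serial with
# RESEARCH_CERT and differs only in the unreachable CRL distribution point.
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
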
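################################################################################
# Sales CA Certificate Generation                                              #
################################################################################

# Generate Sales CA signed by Root CA
SERIAL="0C"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the following scenarios. No mkdir here: these
# moon cacerts directories were created by the Research CA distribution, so
# this list must remain a subset of that one. (The duplicate
# ikev2/ocsp-multi-level entry of the original list is dropped; the copy
# was idempotent.)
for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
         ikev2/ocsp-strict-ifuri
do
    TEST="${TEST_DIR}/${t}"
    cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
done

for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"
    cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"
done

for t in multi-level-ca ocsp-multi-level
do
    TEST="${TEST_DIR}/swanctl/${t}"
    cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done

# Convert Sales CA certificate into DER format
openssl x509 -in "${SALES_CERT}" -outform der -out "${SALES_CERT_DER}"
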
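# ikev2/strong-keys-certs: three fresh keys, each encrypted with a different
# AES key length, and certificates signed with SHA-2 digests beyond the
# default. The keys are generated in the clear and then encrypted in place
# (same -in/-out file; openssl reads the input fully before writing).

# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"
SERIAL="0D"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
    --digest sha224 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes128 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
    2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"
SERIAL="0E"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
    --digest sha384 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes192 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
    2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"
SERIAL="0F"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
    --digest sha512 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes256 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
    2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
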
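# Generate another carol certificate with an OCSP URI (authorityInfoAccess
# pointing at CA_OCSP) for the ikev2/ocsp-signer-cert scenario
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the ikev2/ocsp-timeouts-good scenario
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/ocsp-signer-cert and ocsp-disabled scenarios.
# Absolute paths are used instead of cd'ing into the scenario directory, so
# the working directory of the script does not silently change here.
for t in ocsp-signer-cert ocsp-disabled
do
    CAROL_SWANCTL="${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
    mkdir -p "${CAROL_SWANCTL}/rsa" "${CAROL_SWANCTL}/x509"
    cp "${TEST_KEY}" "${CAROL_SWANCTL}/rsa"
    cp "${TEST_CERT}" "${CAROL_SWANCTL}/x509"
done

# Generate an OCSP Signing certificate for the strongSwan Root CA
# (extended key usage ocspSigning, issued by the root it answers for)
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate a self-signed OCSP Signing certificate (not chained to the Root
# CA; peers must trust it explicitly via their ocspcerts directory)
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --not-before "${START}" --not-after "${CA_END}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts" "${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts"
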
# Generate the "mars" virtual gateway certificate for the ha/both-active
# scenario. Every node of the HA cluster (moon and its mirror alice) presents
# this single identity, so the private key is replicated below. Sharing one
# gateway key across nodes is a test-only simplification: compromising any
# node would expose the identity of the whole cluster.
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/certs"
# NOTE: the key file gets whatever mode the shell redirection yields under the
# current umask; pki itself does not restrict it.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
	--flag serverAuth --outform pem > "${TEST_CERT}"
# File a copy under the issuing CA, indexed by serial number.
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# The mirrored gateway alice in ha/both-active gets the same key and cert ...
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/private" \
	"${TEST}/hosts/alice/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/alice/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/alice/${IPSEC_DIR}/certs"

# ... as do both gateways of the ha/active-passive and ikev2/redirect-active
# scenarios.
for t in "ha/active-passive" "ikev2/redirect-active"
do
	TEST="${TEST_DIR}/${t}"
	for h in alice moon
	do
		mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/private" \
			"${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
		cp "${TEST_KEY}" "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
		cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
	done
done
715
# Generate a moon certificate that carries a critical X.509 extension with a
# private OID nobody implements. RFC 5280 section 4.2 obliges a relying party
# to reject a certificate whose critical extension it does not recognise, so
# this cert exists to verify that strongSwan (and OpenSSL, below) really does.
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="13"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
	--critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# The openssl-ikev2/critical-extension scenario (swanctl layout) reuses the
# same key and certificate so the OpenSSL backend is tested the same way.
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
	"${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
738
# Generate the matching sun certificate with the same unsupported critical
# extension (private OID 1.3.6.1.4.1.36906.1), so that both ends of the
# critical-extension scenarios present a certificate that must be rejected
# per RFC 5280 section 4.2.
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="14"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private" \
	"${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
	--critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Same key and cert for sun in the openssl-ikev2/critical-extension scenario.
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa" \
	"${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
cp "${TEST_KEY}" "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
761
# Generate the serverAuth certificate for the winnetou host, which is where the
# CA material lives (CA_DIR is under hosts/winnetou). The key and cert stay in
# the CA directory rather than in a test scenario tree.
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
SERIAL="15"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
	--type rsa --in "${HOST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--flag serverAuth --outform pem > "${HOST_CERT}"
cp "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
773
# Generate the AAA server certificate (serverAuth) used by alice as the
# TNC/EAP policy decision point. It is generated in the tnccs-20-pdp-eap
# scenario and then replicated to the other TNC scenarios and to alice's
# FreeRADIUS certs directory, so one key backs both the strongSwan and the
# RADIUS TLS servers -- fine for fixtures, not something to copy in production.
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
SERIAL="16"
# The cd is kept (rather than absolute mkdir) to leave the working directory
# exactly where the original sequence does.
cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
mkdir -p rsa x509
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Replicate the AAA key/cert into the other TNC scenarios that run a PDP.
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
	cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
	mkdir -p rsa x509
	cp "${TEST_KEY}" rsa
	cp "${TEST_CERT}" x509
done

# FreeRADIUS on alice serves EAP-TLS with the same identity. The raddb certs
# directory is expected to exist already (no mkdir here).
cp "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"
800
801 ################################################################################
802 # strongSwan Attribute Authority #
803 ################################################################################
804
# Generate the Attribute Authority (AA) certificate for the ikev2/acert-cached
# scenario. It is an end-entity certificate issued by the root CA (no --ca,
# no SAN) with the intermediate-style lifetime IM_END, and it will sign the
# attribute certificates below. moon keeps the AA key in private/, trusts the
# AA cert from aacerts/ and caches attribute certificates in acerts/.
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
CN="strongSwan Attribute Authority"
SERIAL="17"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/aacerts" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/acerts"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${IM_END}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
820
# Attribute certificates for the ikev2/acert-cached scenario, all signed with
# the AA key just generated. Holders are referenced by their root-CA
# certificates: certs/01.pem is carol, certs/02.pem is dave.

# carol: valid acert granting the "sales" and "finance" groups.
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
	--in "${CA_DIR}/certs/01.pem" \
	--group sales --group finance \
	--not-before "${START}" --not-after "${EE_END}" \
	--outform pem > "${ACERT}"

# dave: "sales" acert that already expired yesterday (SH_END), to check that
# group membership from a stale acert is not honoured.
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
	--in "${CA_DIR}/certs/02.pem" \
	--group sales \
	--not-before "${START}" --not-after "${SH_END}" \
	--outform pem > "${ACERT}"

# dave: valid "marketing" acert, effective since yesterday. Kept in ACERT_DM
# because the acert-inline scenario reuses it below.
ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
	--in "${CA_DIR}/certs/02.pem" \
	--group marketing \
	--not-before "${SH_END}" --not-after "${EE_END}" \
	--outform pem > "${ACERT_DM}"
838
# ikev2/acert-fallback: moon gets the AA key and certificate; carol carries
# her own attribute certificates and sends them inline.
TEST="${TEST_DIR}/ikev2/acert-fallback"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/aacerts" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/acerts"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# carol: "finance" acert that expired yesterday (SH_END) ...
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
	--in "${CA_DIR}/certs/01.pem" \
	--group finance \
	--not-before "${START}" --not-after "${SH_END}" \
	--outform pem > "${ACERT}"

# ... next to a valid "sales" acert, so the gateway must fall back to the
# valid one. ACERT_CS is reused by the acert-inline scenario below.
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
	--in "${CA_DIR}/certs/01.pem" \
	--group sales \
	--not-before "${SH_END}" --not-after "${EE_END}" \
	--outform pem > "${ACERT_CS}"
859
# ikev2/acert-inline: moon trusts the AA; carol and dave each present one
# valid attribute certificate inline (carol: sales, dave: marketing).
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/aacerts" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/acerts" \
	"${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}" "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}" "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
870
# Generate a "legacy" Attribute Authority whose certificate is already expired
# (valid from START two days ago until SH_END yesterday). Its key is kept in
# moon's private/ directory of the acert-inline scenario.
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
SERIAL="18"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${SH_END}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# dave's "sales" acert signed by that expired AA. The acert itself has a valid
# lifetime; presumably the scenario checks that it is still rejected because
# its issuer is no longer valid.
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
	--in "${CA_DIR}/certs/02.pem" \
	--group sales \
	--not-before "${START}" --not-after "${EE_END}" \
	--outform pem > "${ACERT}"
889
890 ################################################################################
891 # strongSwan Root CA index for OCSP server #
892 ################################################################################
893
# Build index.txt for the root OCSP responder from its template by filling in
# the placeholder timestamps. All four substitutions are done in a single sed
# pass; the placeholders are distinct tokens so order does not matter.
# The substituted values are date strings of the form yymmddHHMMSSZ and
# contain no '/' that could break the s/// delimiter.
cp "${CA_DIR}/index.txt.template" "${CA_DIR}/index.txt"
sed -i \
	-e "s/EE_EXPIRATION/${EE_EXP}/g" \
	-e "s/IM_EXPIRATION/${IM_EXP}/g" \
	-e "s/SH_EXPIRATION/${SH_EXP}/g" \
	-e "s/REVOCATION/${NOW}/g" \
	"${CA_DIR}/index.txt"
900
901 ################################################################################
902 # Research CA #
903 ################################################################################
904
# Generate carol's certificate under the Research intermediate CA (serial 01
# of that CA) for the ikev2/multi-level-ca scenario. Note the e-mail style CN
# is also used as the SAN.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
	--crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Keep a DER copy of the private key under the CA's keys/ directory as well.
# This duplicates a private key into the CA tree -- acceptable for fixtures
# only. stderr is silenced to drop OpenSSL's "writing RSA key" notice.
openssl rsa -in "${TEST_KEY}" -outform der \
	-out "${RESEARCH_DIR}/keys/${SERIAL}.der" 2> /dev/null
923
# Replicate carol's Research key/cert into every multi-level-ca style scenario
# that uses the legacy ipsec.d layout ...
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
	ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
	ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
	ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
	ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
	ikev1/multi-level-ca-cr-resp
do
	TEST="${TEST_DIR}/${t}"
	mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
		"${TEST}/hosts/carol/${IPSEC_DIR}/certs"
	cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
	cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
done

# ... and into the swanctl-based variants (rsa/ and x509/ layout).
for t in multi-level-ca ocsp-multi-level
do
	TEST="${TEST_DIR}/swanctl/${t}"
	mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
		"${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
	cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
	cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done
947
# Re-issue carol's Research certificate for ikev2/ocsp-strict-ifuri with the
# same key, subject and serial but WITHOUT a CRL distribution point, so the
# only revocation source left is OCSP.
# NOTE: this reuses serial 01 under the Research CA. RFC 5280 requires
# serials to be unique per issuer; it is tolerated here because the subject
# and key are identical and the OCSP index keyed by serial still applies.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/private"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
	--outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
958
# Generate a delegated OCSP signing certificate for the Research CA (serial
# 02). The ocspSigning extended key usage is what allows its responses to be
# accepted for certificates issued by that CA.
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
	--crl "${RESEARCH_CDP}" --flag ocspSigning \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
971
# Cross-certify the Sales CA key under the Research CA (serial 03, --ca).
# Together with the mirror-image cert issued by Sales for the Research key,
# this creates a cycle in the trust graph for the multi-level-ca-loop
# scenario, which must terminate path construction instead of looping.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
SERIAL="03"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" \
	--type rsa --in "${SALES_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --ca \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
	--crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
982
983 ################################################################################
984 # Duck Research CA #
985 ################################################################################
986
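# Generate the Duck Research CA, a second-level intermediate signed by the
# Research CA (serial 04, --ca). No pathLenConstraint is set here; presumably
# the multi-level-ca-pathlen scenario relies on a constraint carried by the
# Research CA certificate (generated elsewhere) -- verify there.
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${DUCK_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" \
	--type rsa --in "${DUCK_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --ca \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
	--crl "${RESEARCH_CDP}" --outform pem > "${DUCK_CERT}"
cp "${DUCK_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Put a copy of the Duck CA certificate into moon's cacerts/ of the
# ikev2/multi-level-ca-pathlen scenario. Create the directory first, as every
# other copy step does: if cacerts/ were missing, cp would silently write the
# certificate to a regular file named "cacerts" instead.
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
cp "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"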
999
# Generate carol's end-entity certificate under the Duck Research CA (serial
# 01 of that CA), giving the pathlen scenario a chain
# carol -> Duck Research CA -> Research CA -> root.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
	"${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${DUCK_KEY}" --cacert "${DUCK_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${DUCK_DIR}/certs/${SERIAL}.pem"

# index.txt for the Research OCSP responder: only the end-entity expiration
# placeholder needs filling in for this CA.
cp "${RESEARCH_DIR}/index.txt.template" "${RESEARCH_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${RESEARCH_DIR}/index.txt"
1017
1018 ################################################################################
1019 # Sales CA #
1020 ################################################################################
1021
# Generate dave's certificate under the Sales intermediate CA (serial 01 of
# that CA) for the ikev2/multi-level-ca scenario.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
	"${TEST}/hosts/dave/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
	--crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# DER copy of the private key in the Sales CA's keys/ directory (fixture
# only -- a CA normally never holds subscriber keys). stderr is silenced to
# drop OpenSSL's "writing RSA key" notice.
openssl rsa -in "${TEST_KEY}" -outform der \
	-out "${SALES_DIR}/keys/${SERIAL}.der" 2> /dev/null
1040
# Replicate dave's Sales key/cert into the ipsec.d based multi-level-ca
# scenarios ...
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
	ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
	ikev2/ocsp-multi-level ikev1/multi-level-ca \
	ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
do
	TEST="${TEST_DIR}/${t}"
	mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
		"${TEST}/hosts/dave/${IPSEC_DIR}/certs"
	cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
	cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
done

# ... and into their swanctl counterparts.
for t in multi-level-ca ocsp-multi-level
do
	TEST="${TEST_DIR}/swanctl/${t}"
	mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
		"${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
	cp "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
	cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
done
1062
# Re-issue dave's Sales certificate for ikev2/ocsp-strict-ifuri: same key,
# subject and serial, but no CRL distribution point and an AIA pointing at an
# OCSP responder (ocsp2, port 8882) that is not running. With strict
# revocation checking the peer must then refuse the certificate.
# NOTE: serial 01 is reused under the Sales CA (see RFC 5280 on per-issuer
# serial uniqueness); tolerated here because subject and key are unchanged.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/certs" \
	"${TEST}/hosts/dave/${IPSEC_DIR}/private"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
	--ocsp "http://ocsp2.strongswan.org:8882" --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
1073
# Generate the delegated OCSP signing certificate of the Sales CA (serial 02,
# ocspSigning EKU), mirroring the Research CA's responder cert.
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
	--crl "${SALES_CDP}" --flag ocspSigning \
	--outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1086
# Cross-certify the Research CA key under the Sales CA (serial 03, --ca).
# This is the other half of the Research<->Sales cycle used by the
# multi-level-ca-loop scenario to exercise loop detection in path building.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
SERIAL="03"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" \
	--type rsa --in "${RESEARCH_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --ca \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
	--crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# index.txt for the Sales OCSP responder: fill in the end-entity expiration.
cp "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${SALES_DIR}/index.txt"
1101
1102 ################################################################################
1103 # strongSwan EC Root CA #
1104 ################################################################################
1105
# Generate the self-signed strongSwan EC Root CA with a 521-bit ECDSA key.
pki --gen --type ecdsa --size 521 --outform pem > "${ECDSA_KEY}"
pki --self --type ecdsa --in "${ECDSA_KEY}" \
	--not-before "${START}" --not-after "${CA_END}" --ca \
	--dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
	--outform pem > "${ECDSA_CERT}"

# Install the EC root as a trust anchor for every host of the
# openssl-ikev2/ecdsa-certs and openssl-ikev2/ecdsa-pkcs8 scenarios.
for t in ecdsa-certs ecdsa-pkcs8
do
	TEST="${TEST_DIR}/openssl-ikev2/${t}"
	for h in moon carol dave
	do
		mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
		cp "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
	done
done
1123
# End-entity ECDSA certificates under the EC root for openssl-ikev2/ecdsa-certs,
# one per host and curve size (moon 521, carol 256, dave 384) so every curve
# strongSwan supports is exercised. The MOON_/CAROL_/DAVE_ variables are kept
# because later scenarios copy these files.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"

# moon: 521-bit key. NOTE: the OU string says "512 bit" although the key is
# 521 bit; it is left untouched because scenario expectations may match the
# DN verbatim.
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa" \
	"${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" \
	--type ecdsa --in "${MOON_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
	--crl "${ECDSA_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# carol: 256-bit key.
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa" \
	"${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" \
	--type ecdsa --in "${CAROL_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
	--crl "${ECDSA_CDP}" --outform pem > "${CAROL_CERT}"
cp "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# dave: 384-bit key.
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa" \
	"${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" \
	--type ecdsa --in "${DAVE_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" \
	--dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
	--crl "${ECDSA_CDP}" --outform pem > "${DAVE_CERT}"
cp "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1166
# openssl-ikev2/ecdsa-pkcs8: same certificates as ecdsa-certs, but the private
# keys are provided in three PKCS#8 encodings to exercise the parser.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
for h in moon carol dave
do
	mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509"
done
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${DAVE_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"

# moon: plain (unencrypted) PKCS#8.
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${MOON_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# carol: PKCS#5 v1.5 PBE with MD5 and single DES. This scheme is obsolete
# (56-bit key, MD5-based KDF) and is generated here ONLY so the legacy
# decoding path is tested; never protect a real key this way.
# The passphrases below are committed test fixtures, presumably referenced
# from the scenario's swanctl secrets -- keep them in sync if changed.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${CAROL_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
	-passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# dave: PKCS#5 v2.0 PBES2 with AES-128 -- the encoding to use in practice.
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${DAVE_KEY}" -nocrypt -topk8 -v2 aes128 \
	-passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"
1192
# openssl-ikev1/ecdsa-certs: each host gets its ECDSA key, certificate and
# the EC root. The per-host cd is kept so the working directory ends up where
# the straight-line version left it (dave's swanctl directory).
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
for h in moon carol dave
do
	case "${h}" in
		moon)  key="${MOON_KEY}";  cert="${MOON_CERT}" ;;
		carol) key="${CAROL_KEY}"; cert="${CAROL_CERT}" ;;
		dave)  key="${DAVE_KEY}";  cert="${DAVE_CERT}" ;;
	esac
	cd "${TEST}/hosts/${h}/${SWANCTL_DIR}"
	mkdir -p ecdsa x509 x509ca
	cp "${key}" ecdsa
	cp "${cert}" x509
	cp "${ECDSA_CERT}" x509ca
done
1210
1211 ################################################################################
1212 # strongSwan RFC3779 Root CA #
1213 ################################################################################
1214
# Generate the self-signed RFC 3779 root CA. Its IP address block extension
# bounds what any subordinate certificate may claim: RFC 3779 requires every
# issued certificate's address blocks to be a subset of its issuer's, so the
# end-entity blocks issued below (10.1/16, 10.2/16, 10.3.0.x, 192.168.0.x,
# fec0::/fec1::/fec2::) all lie inside the ranges listed here.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RFC3779_KEY}"
pki --self --type rsa --in "${RFC3779_KEY}" \
	--not-before "${START}" --not-after "${CA_END}" --ca \
	--dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
	--addrblock "10.1.0.0-10.2.255.255" \
	--addrblock "10.3.0.1-10.3.3.232" \
	--addrblock "192.168.0.0/24" \
	--addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
	--outform pem > "${RFC3779_CERT}"

# Trust anchor for moon and sun in ikev2/net2net-rfc3779 (ipsec.d layout) ...
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for h in moon sun
do
	mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
	cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# ... and for carol and dave in ipv6/rw-rfc3779-ikev2 (swanctl layout).
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for h in carol dave
do
	mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
	cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1239
# moon's RFC 3779 certificate (serial 01): it authorises moon for the 10.1/16
# subnet, its own 192.168.0.1 and fec0::1 addresses and the fec1::/16 prefix,
# all within the root CA's blocks.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
	"${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
	--addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
	--addrblock "fec0::1/128" --addrblock "fec1::/16" \
	--crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Same key, cert and root for moon in the two ipv6 RFC 3779 scenarios
# (swanctl layout, installed via cd + relative paths).
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
do
	cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
	mkdir -p rsa x509 x509ca
	cp "${TEST_KEY}" rsa
	cp "${TEST_CERT}" x509
	cp "${RFC3779_CERT}" x509ca
done
1266
# sun's RFC 3779 certificate (serial 02): 10.2/16, 192.168.0.2, fec0::2 and
# fec2::/16 -- disjoint from moon's blocks and within the root's.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private" \
	"${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
	--addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
	--addrblock "fec0::2/128" --addrblock "fec2::/16" \
	--crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Same files for sun in ipv6/net2net-rfc3779-ikev2.
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp "${TEST_KEY}" rsa
cp "${TEST_CERT}" x509
cp "${RFC3779_CERT}" x509ca
1290
# carol's RFC 3779 certificate (serial 03) for the ipv6/rw-rfc3779-ikev2
# roadwarrior scenario: a single host address in each family
# (10.3.0.1, 192.168.0.100, fec0::10).
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
	"${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
	--addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
	--addrblock "fec0::10/128" \
	--crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
1307
# dave's RFC 3779 certificate (serial 04) for the ipv6/rw-rfc3779-ikev2
# roadwarrior scenario: 10.3.0.2, 192.168.0.200 and fec0::20, each as a
# single host address.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
	"${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" \
	--type rsa --in "${TEST_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
	--addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
	--addrblock "fec0::20/128" \
	--crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
1324
1325 ################################################################################
1326 # strongSwan SHA3-RSA Root CA #
1327 ################################################################################
1328
# Restricted plugin list passed via PKI_PLUGINS to the --self/--issue calls
# below, so that the SHA-3 signatures are produced by the sha3 plugin (not
# every crypto plugin supports them). Key generation deliberately keeps the
# default plugin set to avoid entropy issues.
# NOTE(review): sha1 is presumably still needed for the SHA-1 based key
# identifiers in the certificates -- confirm before removing it from the list.
SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
1333
# Generate the strongSwan SHA3-RSA root CA: RSA key from the default plugins,
# self-signature computed with SHA3-256 under the restricted plugin set.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
	pki --self --type rsa --in "${SHA3_RSA_KEY}" --digest sha3_256 \
	--not-before "${START}" --not-after "${CA_END}" --ca \
	--dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
	--outform pem > "${SHA3_RSA_CERT}"

# Trust anchor for both gateways of swanctl/net2net-sha3-rsa-cert.
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
for h in moon sun
do
	mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
	cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1348
# End-entity certificates signed with SHA3-256 by the SHA3-RSA root for the
# swanctl/net2net-sha3-rsa-cert scenario. SUN_/MOON_ variables are kept as
# the botan scenario below copies the same files.

# sun (serial 01)
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa" \
	"${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
	pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" \
	--type rsa --in "${SUN_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
	--crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${SUN_CERT}"
cp "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# moon (serial 02)
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
	"${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
	pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" \
	--type rsa --in "${MOON_KEY}" \
	--not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
	--serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
	--crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
1378
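# Put a copy in the botan/net2net-sha3-rsa-cert scenario.  Absolute paths are
# used deliberately: the previous version cd'ed into each host directory and
# never returned, so the script's working directory was left inside a
# scenario tree for everything that followed.  Creating the full target
# directories also removes the dependency on the scenario skeleton already
# existing (the cd would have aborted the script under errexit otherwise).
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
moon_dir="${TEST}/hosts/moon/${SWANCTL_DIR}"
sun_dir="${TEST}/hosts/sun/${SWANCTL_DIR}"
mkdir -p "${moon_dir}"/{rsa,x509,x509ca} "${sun_dir}"/{rsa,x509,x509ca}
cp "${MOON_KEY}" "${moon_dir}/rsa"
cp "${MOON_CERT}" "${moon_dir}/x509"
cp "${SHA3_RSA_CERT}" "${moon_dir}/x509ca"
cp "${SUN_KEY}" "${sun_dir}/rsa"
cp "${SUN_CERT}" "${sun_dir}/x509"
cp "${SHA3_RSA_CERT}" "${sun_dir}/x509ca"

# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario (moon only; the
# clients get their own certificates from the same root below)
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
moon_dir="${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p "${moon_dir}"/{rsa,x509}
cp "${MOON_KEY}" "${moon_dir}/rsa"
cp "${MOON_CERT}" "${moon_dir}/x509"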
1398
# Client certificates for rw-eap-tls-sha3-rsa: carol (serial 03) and dave
# (serial 04), both issued by the SHA3-RSA root with SHA3-256 signatures.
# Each entry is host:CN:serial; after the loop TEST_KEY/TEST_CERT/CN/SERIAL
# hold dave's values, exactly as when the two were generated one after the
# other.
for client in "carol:carol@strongswan.org:03" "dave:dave@strongswan.org:04"
do
  IFS=: read -r h CN SERIAL <<< "${client}"
  host_dir="${TEST}/hosts/${h}/${SWANCTL_DIR}"
  TEST_KEY="${host_dir}/rsa/${h}Key.pem"
  TEST_CERT="${host_dir}/x509/${h}Cert.pem"
  mkdir -p "${host_dir}"/{rsa,x509}
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
  PKI_PLUGINS="${SHA3_PKI_PLUGINS}" pki --issue --type rsa \
      --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" \
      --in "${TEST_KEY}" --serial "${SERIAL}" --san "${CN}" \
      --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
      --not-before "${START}" --not-after "${EE_END}" \
      --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
  cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
done

# Every host in the scenario trusts the SHA3-RSA root CA
for h in moon carol dave
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1434
1435 ################################################################################
1436 # strongSwan Ed25519 Root CA #
1437 ################################################################################
1438
# strongSwan Ed25519 Root CA.  The root asserts both test policy OIDs so that
# end-entity certificates may carry either one (the certpol scenario below
# issues one of each).
pki --gen --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --ca --in "${ED25519_KEY}" \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --not-before "${START}" --not-after "${CA_END}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > "${ED25519_CERT}"

# Both gateways of swanctl/net2net-ed25519 trust this root
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
for h in moon sun
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1454
# sun's Ed25519 certificate: serial 01, policy ...1.1.2, serverAuth EKU.
# The key is placed under pkcs8/ (presumably because pki writes Ed25519
# private keys in PKCS#8 form and that is where swanctl looks for them).
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}"/{pkcs8,x509}
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --type ed25519 --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" \
    --in "${SUN_KEY}" --serial "${SERIAL}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
cp "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# moon's Ed25519 certificate: serial 02, policy ...1.1.1, serverAuth EKU
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}"/{pkcs8,x509}
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --type ed25519 --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" \
    --in "${MOON_KEY}" --serial "${SERIAL}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
1484
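# Distribute moon's and sun's Ed25519 key/cert pairs plus the root CA to the
# other net2net scenarios.  The previous version cd'ed into each host
# directory (and never back), leaving the script's working directory inside
# a scenario tree for the rest of the run; all copies now use absolute
# paths and create their full target directories up front, which also
# matches how the swanctl copies in this file are done.

# botan/net2net-ed25519 (swanctl layout: pkcs8/, x509/, x509ca/)
TEST="${TEST_DIR}/botan/net2net-ed25519"
moon_dir="${TEST}/hosts/moon/${SWANCTL_DIR}"
sun_dir="${TEST}/hosts/sun/${SWANCTL_DIR}"
mkdir -p "${moon_dir}"/{pkcs8,x509,x509ca} "${sun_dir}"/{pkcs8,x509,x509ca}
cp "${MOON_KEY}" "${moon_dir}/pkcs8"
cp "${MOON_CERT}" "${moon_dir}/x509"
cp "${ED25519_CERT}" "${moon_dir}/x509ca"
cp "${SUN_KEY}" "${sun_dir}/pkcs8"
cp "${SUN_CERT}" "${sun_dir}/x509"
cp "${ED25519_CERT}" "${sun_dir}/x509ca"

# ikev2/net2net-ed25519 (ipsec.d layout: private/, certs/, cacerts/)
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
moon_dir="${TEST}/hosts/moon/${IPSEC_DIR}"
sun_dir="${TEST}/hosts/sun/${IPSEC_DIR}"
mkdir -p "${moon_dir}"/{cacerts,certs,private} "${sun_dir}"/{cacerts,certs,private}
cp "${MOON_KEY}" "${moon_dir}/private"
cp "${MOON_CERT}" "${moon_dir}/certs"
cp "${ED25519_CERT}" "${moon_dir}/cacerts"
cp "${SUN_KEY}" "${sun_dir}/private"
cp "${SUN_CERT}" "${sun_dir}/certs"
cp "${ED25519_CERT}" "${sun_dir}/cacerts"

# swanctl/rw-ed25519-certpol: moon is the gateway, the clients are issued below
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
moon_dir="${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p "${moon_dir}"/{pkcs8,x509}
cp "${MOON_KEY}" "${moon_dir}/pkcs8"
cp "${MOON_CERT}" "${moon_dir}/x509"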
1519
# Every host of rw-ed25519-certpol trusts the Ed25519 root
for h in moon carol dave
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Client certificates (clientAuth EKU), each carrying one of the two policy
# OIDs asserted by the root: carol -> ...1.1.1 (serial 03), dave -> ...1.1.2
# (serial 04).  Entries are host:CN:serial:policy; dave's values remain in
# TEST_KEY/TEST_CERT/CN/SERIAL after the loop.
for client in "carol:carol@strongswan.org:03:1.3.6.1.4.1.36906.1.1.1" \
              "dave:dave@strongswan.org:04:1.3.6.1.4.1.36906.1.1.2"
do
  IFS=: read -r h CN SERIAL policy <<< "${client}"
  host_dir="${TEST}/hosts/${h}/${SWANCTL_DIR}"
  TEST_KEY="${host_dir}/pkcs8/${h}Key.pem"
  TEST_CERT="${host_dir}/x509/${h}Cert.pem"
  mkdir -p "${host_dir}"/{pkcs8,x509}
  pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
  pki --issue --type ed25519 --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" \
      --in "${TEST_KEY}" --serial "${SERIAL}" --san "${CN}" \
      --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
      --not-before "${START}" --not-after "${EE_END}" \
      --cert-policy "${policy}" --flag "clientAuth" \
      --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
  cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
done
1555
1556 ################################################################################
1557 # strongSwan Monster Root CA #
1558 ################################################################################
1559
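# strongSwan Monster Root CA.  Unlike the other CAs this one uses fixed dates
# (dd.mm.yy, see the date formats at the top of the script): the CA is valid
# 2009-2059 and the end-entity certificates until 2039, i.e. deliberately
# beyond the 32-bit time_t rollover in January 2038, which is what the
# ikev2/after-2038-certs scenario exercises.  MONSTER_CA_RSA_SIZE and
# MONSTER_EE_RSA_SIZE are set earlier in the script.
pki --gen --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --ca --in "${MONSTER_KEY}" \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" \
    --outform pem > "${MONSTER_CERT}"

# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
for h in moon carol
do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp "${MONSTER_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# End-entity certificates: moon (serial 01) and carol (serial 02).
# The previous invocations carried a stray "-" argument after --not-after
# (almost certainly a leftover from a line continuation); pki accepted it
# without visible effect, and it is dropped here.
for entity in "moon:moon.strongswan.org:01" "carol:carol@strongswan.org:02"
do
  IFS=: read -r h CN SERIAL <<< "${entity}"
  host_dir="${TEST}/hosts/${h}/${IPSEC_DIR}"
  TEST_KEY="${host_dir}/private/${h}Key.pem"
  TEST_CERT="${host_dir}/certs/${h}Cert.pem"
  mkdir -p "${host_dir}"/{private,certs}
  pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
  pki --issue --type rsa --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" \
      --in "${TEST_KEY}" --serial "${SERIAL}" --san "${CN}" \
      --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
      --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
      --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
  cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"
done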
1603
1604 ################################################################################
1605 # Bliss CA #
1606 ################################################################################
1607
# BLISS Root CA using parameter set IV (~192 bit security), signed with
# SHA3-512.  No --outform is given, so key and certificate are written in
# pki's default (DER) encoding -- the end-entity files below are named .der
# accordingly.
# NOTE(review): BLISS is an experimental lattice-based signature scheme;
# these fixtures exist solely to exercise the plugin in the
# rw-newhope-bliss / rw-ntru-bliss scenarios.
pki --gen --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --ca --in "${BLISS_KEY}" --digest sha3_512 \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" \
    --not-before "${START}" --not-after "${CA_END}" > "${BLISS_CERT}"

# The ikev2 and swanctl variants of both scenarios trust the BLISS root
for t in rw-newhope-bliss rw-ntru-bliss
do
  TEST="${TEST_DIR}/ikev2/${t}"
  for h in moon carol dave
  do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
    cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  done

  TEST="${TEST_DIR}/swanctl/${t}"
  for h in moon carol dave
  do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  done
done
1631
# End-entity BLISS certificates, one per host, each with a different
# parameter set so the scenarios cover several security levels:
#   carol  BLISS I   (--size 1, ~128 bit)  serial 01
#   dave   BLISS III (--size 3, ~160 bit)  serial 02
#   moon   BLISS IV  (--size 4, ~192 bit)  serial 03
# Each pair is generated into ikev2/rw-newhope-bliss, then copied into
# ikev2/rw-ntru-bliss and into both swanctl scenarios (bliss/ for the key,
# x509/ for the certificate).  Entries are host:CN:serial:size:OU; after
# the loop TEST_KEY/TEST_CERT/CN/SERIAL hold moon's values and TEST points
# at swanctl/rw-ntru-bliss, as before.
for spec in "carol:carol@strongswan.org:01:1:BLISS I" \
            "dave:dave@strongswan.org:02:3:BLISS III" \
            "moon:moon.strongswan.org:03:4:BLISS IV"
do
  IFS=: read -r h CN SERIAL size ou <<< "${spec}"

  TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
  TEST_KEY="${TEST}/hosts/${h}/${IPSEC_DIR}/private/${h}Key.der"
  TEST_CERT="${TEST}/hosts/${h}/${IPSEC_DIR}/certs/${h}Cert.der"
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}"/{private,certs}
  pki --gen --type bliss --size "${size}" > "${TEST_KEY}"
  pki --issue --type bliss --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" \
      --in "${TEST_KEY}" --serial "${SERIAL}" --san "${CN}" \
      --dn "C=CH, O=${PROJECT}, OU=${ou}, CN=${CN}" \
      --not-before "${START}" --not-after "${EE_END}" \
      --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
  cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

  # same key and certificate for ikev2/rw-ntru-bliss
  TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}"/{private,certs}
  cp "${TEST_KEY}" "${TEST}/hosts/${h}/${IPSEC_DIR}/private/"
  cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/certs/"

  # ... and for the two swanctl scenarios
  for t in rw-newhope-bliss rw-ntru-bliss
  do
    TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}"/{bliss,x509}
    cp "${TEST_KEY}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/bliss/"
    cp "${TEST_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509/"
  done
done
1727
1728 ################################################################################
1729 # SQL Data #
1730 ################################################################################
1731
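# Hex encodings of keys, key identifiers and certificates for the SQL
# fixtures.  Every value is a lowercase hex string, so it can later be
# spliced into the data.sql templates with sed without escaping.
#
# The previous "cat FILE | hexdump" / "pki|openssl ... | hexdump" forms hid a
# missing or unreadable input behind hexdump's success: errexit alone does
# not see a failure in the first stage of a pipeline, so a missing key would
# have silently substituted an empty string into the SQL.  The helpers below
# read files via redirection (a failure is the helper's exit status) and the
# remaining pipelines run with pipefail, which is switched off again at the
# end of this section so the rest of the script keeps its original semantics.
set -o pipefail
to_hex()  { hexdump -v -e '/1 "%02x"'; }                      # stdin -> hex
hexfile() { to_hex < "$1"; }                                 # raw file bytes
hexcert() { openssl x509 -in "$1" -outform der | to_hex; }   # PEM cert -> DER hex
hexpub()  { pki --pub --type rsa --in "$1" | to_hex; }       # RSA priv key -> DER pub hex
keyid()   { pki --keyid --type rsa --format hex --id "$1" --in "$2"; }   # spk|spki id

CA_SPK_HEX=$(keyid spk "${CA_KEY}")
CA_SPKI_HEX=$(keyid spki "${CA_KEY}")
CA_CERT_HEX=$(hexfile "${CA_CERT_DER}")
CA_CERT_PEM_HEX=$(hexfile "${CA_CERT}")
#
# moon/sun: MOON_KEY and SUN_KEY are re-pointed at the DER private keys kept
# under ${CA_DIR}/keys (the raw RSA key section further down relies on that),
# while the PEM variants are the copies installed in the default host trees.
# Note that the *_KEY_HEX values are private keys; they end up in clear in
# the generated data.sql files.  They are throwaway test keys regenerated by
# this script, not long-lived credentials.
MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_KEY="${CA_DIR}/keys/moonKey.der"
MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_KEY_PEM_HEX=$(hexfile "${MOON_KEY_PEM}")
MOON_KEY_HEX=$(hexfile "${MOON_KEY}")
MOON_SPK_HEX=$(keyid spk "${MOON_KEY}")
MOON_PUB_HEX=$(hexpub "${MOON_KEY}")
MOON_CERT_HEX=$(hexcert "${MOON_CERT}")
MOON_CERT_PEM_HEX=$(hexfile "${MOON_CERT}")
#
SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_KEY="${CA_DIR}/keys/sunKey.der"
SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_KEY_PEM_HEX=$(hexfile "${SUN_KEY_PEM}")
SUN_KEY_HEX=$(hexfile "${SUN_KEY}")
SUN_SPK_HEX=$(keyid spk "${SUN_KEY}")
SUN_CERT_HEX=$(hexcert "${SUN_CERT}")
SUN_CERT_PEM_HEX=$(hexfile "${SUN_CERT}")
#
CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CAROL_KEY="${CA_DIR}/keys/carolKey.der"
CAROL_KEY_HEX=$(hexfile "${CAROL_KEY}")
CAROL_SPK_HEX=$(keyid spk "${CAROL_KEY}")
CAROL_PUB_HEX=$(hexpub "${CAROL_KEY}")
CAROL_CERT_HEX=$(hexcert "${CAROL_CERT}")
#
DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
DAVE_KEY="${CA_DIR}/keys/daveKey.der"
DAVE_KEY_HEX=$(hexfile "${DAVE_KEY}")
DAVE_SPK_HEX=$(keyid spk "${DAVE_KEY}")
DAVE_PUB_HEX=$(hexpub "${DAVE_KEY}")
DAVE_CERT_HEX=$(hexcert "${DAVE_CERT}")
#
ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
ALICE_KEY_HEX=$(hexfile "${ALICE_KEY}")
ALICE_SPK_HEX=$(keyid spk "${ALICE_KEY}")
ALICE_CERT_HEX=$(hexcert "${ALICE_CERT}")
#
VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
VENUS_KEY="${CA_DIR}/keys/venusKey.der"
VENUS_KEY_HEX=$(hexfile "${VENUS_KEY}")
VENUS_SPK_HEX=$(keyid spk "${VENUS_KEY}")
VENUS_CERT_HEX=$(hexcert "${VENUS_CERT}")
#
# Research intermediate CA and carol's certificate issued by it
RESEARCH_SPK_HEX=$(keyid spk "${RESEARCH_KEY}")
RESEARCH_SPKI_HEX=$(keyid spki "${RESEARCH_KEY}")
RESEARCH_CERT_HEX=$(hexfile "${RESEARCH_CERT_DER}")
#
CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
CAROL_R_KEY_HEX=$(hexfile "${CAROL_R_KEY}")
CAROL_R_SPK_HEX=$(keyid spk "${CAROL_R_KEY}")
CAROL_R_CERT_HEX=$(hexcert "${CAROL_R_CERT}")
#
# Sales intermediate CA and dave's certificate issued by it
SALES_SPK_HEX=$(keyid spk "${SALES_KEY}")
SALES_SPKI_HEX=$(keyid spki "${SALES_KEY}")
SALES_CERT_HEX=$(hexfile "${SALES_CERT_DER}")
#
DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
DAVE_S_KEY="${SALES_DIR}/keys/01.der"
DAVE_S_KEY_HEX=$(hexfile "${DAVE_S_KEY}")
DAVE_S_SPK_HEX=$(keyid spk "${DAVE_S_KEY}")
DAVE_S_CERT_HEX=$(hexcert "${DAVE_S_CERT}")
set +o pipefail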
1801 #
# Render one data.sql from its .in template.  $1 is the output path; each
# further argument names a placeholder token in the template AND the shell
# variable holding its replacement.  The values are hex strings, so nothing
# in them is special to sed or to the s/// delimiter.  Substitutions are
# applied in argument order, exactly as the individual -e expressions were.
render_sql() {
  local out="$1"
  shift
  local -a subst=()
  local name
  for name in "$@"
  do
    subst+=(-e "s/${name}/${!name}/g")
  done
  sed "${subst[@]}" "${out}.in" > "${out}"
}

# Roadwarrior / pool scenarios: root CA, moon, carol, dave plus the two
# intermediate CAs (research -> carol, sales -> dave)
for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
         ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
         rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
do
  for h in carol dave moon
  do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql "${TEST_DATA}" \
      CA_SPK_HEX CA_SPKI_HEX CA_CERT_HEX \
      MOON_KEY_HEX MOON_SPK_HEX MOON_PUB_HEX MOON_CERT_HEX \
      CAROL_KEY_HEX CAROL_SPK_HEX CAROL_PUB_HEX CAROL_CERT_HEX \
      DAVE_KEY_HEX DAVE_SPK_HEX DAVE_PUB_HEX DAVE_CERT_HEX \
      RESEARCH_SPK_HEX RESEARCH_SPKI_HEX RESEARCH_CERT_HEX \
      CAROL_R_KEY_HEX CAROL_R_SPK_HEX CAROL_R_CERT_HEX \
      SALES_SPK_HEX SALES_SPKI_HEX SALES_CERT_HEX \
      DAVE_S_KEY_HEX DAVE_S_SPK_HEX DAVE_S_CERT_HEX
  done
done
#
# EAP-AKA: only the gateway side authenticates with a certificate
for t in rw-eap-aka-rsa
do
  for h in carol moon
  do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql "${TEST_DATA}" \
      CA_SPK_HEX CA_SPKI_HEX CA_CERT_HEX \
      MOON_KEY_HEX MOON_SPK_HEX MOON_CERT_HEX
  done
done
#
# net2net scenarios: both DER and PEM encodings are offered so the -pem
# variants can load PEM blobs from the database
for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
do
  for h in moon sun
  do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql "${TEST_DATA}" \
      CA_SPK_HEX CA_SPKI_HEX CA_CERT_HEX CA_CERT_PEM_HEX \
      MOON_KEY_PEM_HEX MOON_KEY_HEX MOON_SPK_HEX MOON_CERT_HEX MOON_CERT_PEM_HEX \
      SUN_KEY_PEM_HEX SUN_KEY_HEX SUN_SPK_HEX SUN_CERT_HEX SUN_CERT_PEM_HEX
  done
done
#
# Shunt policies behind NAT: alice and venus are the clients, sun the gateway
for t in shunt-policies-nat-rw
do
  for h in alice venus sun
  do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql "${TEST_DATA}" \
      CA_SPK_HEX CA_SPKI_HEX CA_CERT_HEX \
      ALICE_KEY_HEX ALICE_SPK_HEX ALICE_CERT_HEX \
      VENUS_KEY_HEX VENUS_SPK_HEX VENUS_CERT_HEX \
      SUN_KEY_HEX SUN_SPK_HEX SUN_CERT_HEX
  done
done
1898
1899 ################################################################################
1900 # Raw RSA keys #
1901 ################################################################################
1902
# Raw RSA public keys in pki's "dnskey" output form (base64, presumably the
# RFC 3110 encoding -- verify against the pki man page) for ikev2/net2net-rsa,
# whose ipsec.conf templates embed the peer keys directly instead of X.509
# certificates.  MOON_KEY / SUN_KEY still point at the DER private keys under
# ${CA_DIR}/keys set in the SQL section above.
MOON_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in "${MOON_KEY}")
SUN_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in "${SUN_KEY}")
#
# '|' is used as the sed delimiter because base64 contains '/'; the rest of
# the base64 alphabet ('+', '=') has no special meaning in a sed replacement
# ('&' and '\' would, but cannot occur here).
for h in moon sun
do
  TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
  sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
      -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
      "${TEST_DATA}.in" > "${TEST_DATA}"
done