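#!/bin/bash
#
# Build the X.509 test PKI used by the strongSwan test environment: the Root CA,
# the intermediate CAs, per-host keys and certificates, CRLs and OCSP signer
# certificates. All output goes below hosts/<name>/... and tests/... relative
# to the testing directory, which is located relative to this script so it can
# be run from any working directory.

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory (parent of the directory containing this script)
DIR="$(dirname "$(readlink -f -- "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity windows: *_END values are in the format taken by pki --not-before /
# --not-after, *_EXP values in the compact UTCTime-like form. All certificates
# are back-dated two days so they are valid regardless of clock skew on the
# test hosts.
START=$(date -d "-2 day" "+%d.%m.%y %T")
SH_END=$(date -d "-1 day" "+%d.%m.%y %T") # 1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T") # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T") # 9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T") # 8 years
SH_EXP=$(date -d "-1 day" "+%y%m%d%H%M%SZ") # 1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ") # 9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ") # 8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
# Default RSA modulus size for CA and host keys
RSA_SIZE="3072"
# Per-host configuration trees (relative to hosts/<name>/)
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated list of hosts that get a key and a Root CA copy;
# it is word-split deliberately in the "for h in ${HOSTS}" loops below
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"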
87
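# Create the CA stores: certs/ collects every issued certificate by serial,
# keys/ holds DER copies of the host keys
mkdir -p "${CA_DIR}/certs"
mkdir -p "${CA_DIR}/keys"
mkdir -p "${RESEARCH_DIR}/certs"
mkdir -p "${RESEARCH_DIR}/keys"
mkdir -p "${SALES_DIR}/certs"
mkdir -p "${SALES_DIR}/keys"
mkdir -p "${DUCK_DIR}/certs"
mkdir -p "${ECDSA_DIR}/certs"
mkdir -p "${RFC3779_DIR}/certs"
mkdir -p "${SHA3_RSA_DIR}/certs"
mkdir -p "${ED25519_DIR}/certs"
mkdir -p "${MONSTER_DIR}/certs"
mkdir -p "${BLISS_DIR}/certs"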
102
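################################################################################
#                              strongSwan Root CA                              #
################################################################################

# Generate strongSwan Root CA. --pathlen 1 allows one level of intermediate
# CAs below it (the Research and Sales CAs). The key is written through a
# shell redirection, so its mode is whatever the current umask yields.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"

# Distribute strongSwan Root CA certificate to the ipsec.d and swanctl trees
# of every host (HOSTS is word-split on purpose)
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
  cp "${CA_CERT}" "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  cp "${CA_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
done

# Put a copy onto the alice FreeRADIUS server
mkdir -p "${DIR}/hosts/alice/etc/raddb/certs"
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"

# Convert strongSwan Root CA certificate into DER format
openssl x509 -in "${CA_CERT}" -outform der -out "${CA_CERT_DER}"

# Generate a stale CRL: thisUpdate two days ago with a lifetime of one day,
# so it has already expired when the scenarios run
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/crls"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/crls"
cp "${CA_LAST_CRL}" "${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl"
cp "${CA_LAST_CRL}" "${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl"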
140
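# Generate host keys (one RSA key per host, stored in both config trees)
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/private"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

  # Put a copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/rsa"
  cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"

  # Convert host key into DER format; openssl's progress message on stderr
  # is discarded
  openssl rsa -in "${HOST_KEY}" -outform der -out "${CA_DIR}/keys/${h}Key.der" \
      2> /dev/null
done

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
    net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  cp "${CA_DIR}/keys/moonKey.der" "${CA_CERT_DER}" "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
TEST="${TEST_DIR}/tkm/multiple-clients"
mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
cp "${CA_DIR}/keys/sunKey.der" "${CA_CERT_DER}" "${TEST}/hosts/sun/${TKM_DIR}"

# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# The passphrases below are fixed test-fixture values; the scenario
# configurations presumably carry the same strings, so change them together.
# Convert carol private key into v1.5 DES encrypted PKCS#8 format (legacy
# PBE, kept to exercise the decoder)
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
    -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v2 aes128 \
    -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"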
192
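################################################################################
#                            Public Key Extraction                             #
################################################################################

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into the following ikev2 scenarios
for t in net2net-dnssec net2net-pubkey rw-dnssec
do
  TEST="${TEST_DIR}/ikev2/${t}"
  mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
  cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
done

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the following swanctl scenarios
for t in rw-pubkey-anon rw-pubkey-keyid
do
  TEST="${TEST_DIR}/swanctl/${t}"
  for h in moon carol dave
  do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
    cp "${TEST_PUB}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
  done
done

# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario (directories created above)
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon and rw-pubkey-keyid scenarios
# (pubkey directories created above)
for t in rw-pubkey-anon rw-pubkey-keyid
do
  TEST="${TEST_DIR}/swanctl/${t}"
  cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
  cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
done

# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon and rw-pubkey-keyid scenarios
for t in rw-pubkey-anon rw-pubkey-keyid
do
  TEST="${TEST_DIR}/swanctl/${t}"
  cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
  cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
done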
289
290 ################################################################################
291 # Host Certificate Generation #
292 ################################################################################
293
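#######################################
# Issue an end-entity certificate for a test host, signed by the Root CA.
# Globals:   DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT, CA_CDP,
#            PROJECT, START, EE_END (read)
#            OU, HOST_DIR, HOST_KEY, HOST_CERT (written; left set afterwards)
# Arguments: $1 - serial number, also used as file name in ${CA_DIR}/certs
#            $2 - host name; the key hosts/$2/${IPSEC_DIR}/private/$2Key.pem
#                 must already exist
#            $3 - common name, also set as subjectAltName
#            $4 - optional organizational unit
# Outputs:   hosts/$2/${IPSEC_DIR}/certs/$2Cert.pem, a copy in the host's
#            swanctl x509 directory and one in ${CA_DIR}/certs/$1.pem
#######################################
issue_cert()
{
  # Optional OU argument: rendered with a leading space and trailing comma so
  # it slots between O= and CN= in the DN below
  if [[ -n "${4}" ]]
  then
    OU=" OU=${4},"
  else
    OU=""
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/certs"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509"
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}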
319
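# Generate host certificates: issue_cert serial host cn [ou]
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon (key, certificate and Root CA, AES-128
# protected with a fixed test passphrase); openssl's stderr output is dropped
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put PKCS#12 copies into the botan and openssl-ikev2 net2net-pkcs12 scenarios
for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
  mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
  cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
  cp "${SUN_PKCS12}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
done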
357
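################################################################################
#                              DNSSEC Zone Files                               #
################################################################################

# Store moon and sun certificates in strongswan.org zone as CERT records
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
echo "; Automatically generated for inclusion in zone file" > "${ZONE_FILE}"
for h in moon sun
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # Drop the PEM armor lines and indent the base64 body for the zone file
  cert=$(grep --invert-match '^-----' "${HOST_CERT}" | sed -e 's/^/\t\t\t\t/')
  # printf keeps the record data literal; only the format's escapes expand
  printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${h}" "${cert}" >> "${ZONE_FILE}"
done

# Store public keys in strongswan.org zone as IPSECKEY records
# (precedence 10, gateway type 3 = domain name, algorithm 2 = RSA)
echo ";" >> "${ZONE_FILE}"
for h in moon sun carol dave
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # Wrap the dnskey-encoded public key into indented 64-character lines
  pubkey=$(pki --pub --type x509 --in "${HOST_CERT}" --outform dnskey \
      | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  printf '%s\tIN\tIPSECKEY\t( 10 3 2 %s.strongswan.org.\n%s\n\t\t\t\t)\n' \
      "${h}" "${h}" "${pubkey}" >> "${ZONE_FILE}"
done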
380
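# Generate a carol certificate for the swanctl/crl-to-cache scenario with base
# CDP (serial 01, as for carol's main certificate; only the CDP differs)
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base
# CDP (serial 03, as for moon's main certificate)
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Encrypt carolKey.pem in place with a fixed test passphrase (the same one
# used for carol's PKCS#8 variant above). -in and -out name the same file,
# which relies on openssl reading the key before it opens the output.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 --passout "pass:${KEY_PWD}" -out "${HOST_KEY}" \
    2> /dev/null

# Put the encrypted key and carol's certificate (serial 01) into dave's
# directories of the dynamic-initiator/responder scenarios
for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
  cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"
done

# Put a copy of the encrypted key into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"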
422
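# Generate another carol certificate and revoke it (reason key-compromise).
# The resulting CRL is also kept as CA_LAST_CRL so a later --signcrl can take
# it over via --lastcrl.
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "key-compromise" \
    --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy of the revoked credentials into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Generate another carol certificate with SN=002 in the DN (CN is still
# carol@strongswan.org from above)
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
SERIAL="09"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"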
461
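################################################################################
#                      Research CA Certificate Generation                      #
################################################################################

# Generate a Research CA certificate signed by the Root CA and revoke it
# (reason ca-compromise)
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
# --lastcrl takes the previous CRL (CA_LAST_CRL, written when serial 08 was
# revoked) as the base of the new one; it is no longer needed afterwards
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm -- "${CA_LAST_CRL}"

# Generate Research CA with the same private key as above signed by Root CA
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the following scenarios
for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
    ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
    ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
done

for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
    ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"
done

for t in multi-level-ca ocsp-multi-level
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done

# Convert Research CA certificate into DER format
openssl x509 -in "${RESEARCH_CERT}" -outform der -out "${RESEARCH_CERT_DER}"

# Generate Research CA with the same private key as above but an invalid CDP
# (serial 0B is reused from the previous certificate)
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"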
526
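################################################################################
#                        Sales CA Certificate Generation                       #
################################################################################

# Generate Sales CA signed by Root CA
SERIAL="0C"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the following scenarios; the cacerts directories
# were created when the Research CA certificate was distributed
# (ikev2/ocsp-multi-level was listed twice before, the duplicate copy is gone)
for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
    ikev2/multi-level-ca-strict ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
do
  TEST="${TEST_DIR}/${t}"
  cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
done

for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
    ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"
  cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"
done

for t in multi-level-ca ocsp-multi-level
do
  TEST="${TEST_DIR}/swanctl/${t}"
  cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done

# Convert Sales CA certificate into DER format
openssl x509 -in "${SALES_CERT}" -outform der -out "${SALES_CERT_DER}"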
562
563 # Convert Sales CA certificate into DER format
564 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
565
566 # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
567 TEST="${TEST_DIR}/ikev2/strong-keys-certs"
568 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
569 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
570 KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
571 CN="moon.strongswan.org"
572 SERIAL="0D"
573 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
574 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
575 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
576 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
577 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
578 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
579 --digest sha224 --outform pem > ${TEST_CERT}
580 openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
581 2> /dev/null
582 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
583
584 # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
585 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
586 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
587 KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
588 CN="carol@strongswan.org"
589 SERIAL="0E"
590 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
591 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
592 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
593 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
594 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
595 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
596 --digest sha384 --outform pem > ${TEST_CERT}
597 openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
598 2> /dev/null
599 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
600
601 # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
602 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
603 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
604 KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
605 CN="dave@strongswan.org"
606 SERIAL="0F"
607 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
608 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
609 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
610 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
611 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
612 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
613 --digest sha512 --outform pem > ${TEST_CERT}
614 openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
615 2> /dev/null
616 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
617
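# Generate another carol certificate with an OCSP URI (authorityInfoAccess)
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the ikev2/ocsp-timeouts-good scenario
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/ocsp-signer-cert and ocsp-disabled scenarios.
# Absolute paths are used instead of cd'ing into the scenario directory: an
# unchecked cd that failed would have made the copies land in whatever the
# current directory was, and the script's working directory stays unchanged.
for t in ocsp-signer-cert ocsp-disabled
do
  TEST_SWANCTL="${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
  mkdir -p "${TEST_SWANCTL}/rsa" "${TEST_SWANCTL}/x509"
  cp "${TEST_KEY}" "${TEST_SWANCTL}/rsa"
  cp "${TEST_CERT}" "${TEST_SWANCTL}/x509"
done

# Generate an OCSP Signing certificate for the strongSwan Root CA
# (extendedKeyUsage ocspSigning)
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate a self-signed OCSP Signing certificate (CN is still
# ocsp.strongswan.org, validity as for the Root CA)
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --not-before "${START}" --not-after "${CA_END}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario,
# where it is trusted explicitly via the ocspcerts directory
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts"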
678
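# Generate mars virtual server certificate (--flag serverAuth sets the
# extendedKeyUsage) for the ha/both-active scenario
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the mirrored gateway (alice shares mars' key and certificate)
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/alice/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/alice/${IPSEC_DIR}/certs"

# Put a copy into the ha/active-passive and ikev2/redirect-active scenarios
for t in "ha/active-passive" "ikev2/redirect-active"
do
  TEST="${TEST_DIR}/${t}"
  for h in alice moon
  do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
    cp "${TEST_KEY}" "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
  done
done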
713
# Generate moon certificate with an unsupported critical X.509 extension
#
# 1.3.6.1.4.1.36906.1 is a private-enterprise OID the peer does not know.
# Because it is marked critical, a conforming validator must reject the
# certificate; the ikev2/critical-extension scenario presumably checks that.
TEST="${TEST_DIR}/ikev2/critical-extension"
CN="moon.strongswan.org"
SERIAL="13"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"/{private,certs}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy in the openssl-ikev2/critical-extension scenario (SWANCTL_DIR layout)
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}"/{rsa,x509}
cp "${TEST_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
736
# Generate sun certificate with an unsupported critical X.509 extension
#
# Same construction as moon's above (unknown private-enterprise OID marked
# critical), so both ends of the tunnel present a certificate that a
# conforming peer has to refuse.
TEST="${TEST_DIR}/ikev2/critical-extension"
CN="sun.strongswan.org"
SERIAL="14"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}"/{private,certs}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy in the openssl-ikev2/critical-extension scenario (SWANCTL_DIR layout)
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}"/{rsa,x509}
cp "${TEST_KEY}" "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
759
# Generate winnetou server certificate
#
# winnetou is the host whose etc/ca holds the CA material (see CA_DIR), so
# its own server key and certificate are kept there instead of in a scenario.
CN="winnetou.strongswan.org"
SERIAL="15"
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${HOST_CERT}"
cp "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
771
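# Generate AAA server certificate
#
# Server certificate for the AAA host (alice) used by the tnc scenarios. The
# key and certificate are written to absolute paths; the relative mkdir/cp
# calls below rely on the preceding cd having succeeded. Without the
# `|| exit 1` a missing scenario directory would leave the cwd unchanged and
# silently drop the private key into whatever directory the previous section
# left us in, so abort instead.
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
CN="aaa.strongswan.org"
SERIAL="16"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into various tnc scenarios (same cd-must-succeed rule)
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap; do
    cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}" || exit 1
    mkdir -p rsa x509
    cp "${TEST_KEY}" rsa
    cp "${TEST_CERT}" x509
done

# Put a copy into the alice FreeRADIUS server (key and certificate; the
# target directory is expected to exist, cp fails loudly otherwise)
cp "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"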
798
799 ################################################################################
800 # strongSwan Attribute Authority #
801 ################################################################################
802
# Generate Attribute Authority certificate
#
# The AA is an end-entity certificate issued by the root CA (no --ca, no
# --san) whose key signs the attribute certificates (ACs) below. Its lifetime
# is IM_END (9 years), longer than the EE_END (8 years) of the ACs it issues.
TEST="${TEST_DIR}/ikev2/acert-cached"
CN="strongSwan Attribute Authority"
SERIAL="17"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"/{private,aacerts,acerts}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${IM_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate carol's attribute certificate for sales and finance
# (the holder is the root CA certificate with serial 01, i.e. carol)
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales --group finance \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"

# Generate dave's expired attribute certificate for sales (holder: serial 02).
# SH_END is one day in the past, so this AC is already expired when built.
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# Generate dave's attribute certificate for marketing, valid from SH_END
# (yesterday) until EE_END. Kept in ACERT_DM because it is copied elsewhere.
ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group marketing \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_DM}"
836
# Put a copy into the ikev2/acert-fallback scenario (AA key and certificate
# on moon; TEST_KEY/TEST_CERT still refer to the AA from above)
TEST="${TEST_DIR}/ikev2/acert-fallback"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"/{private,aacerts,acerts}
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# Generate carol's expired attribute certificate for finance. In this scenario
# the ACs live on carol herself (hosts/carol/.../acerts); not-after SH_END
# makes it already expired.
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# Generate carol's valid attribute certificate for sales (valid from SH_END,
# i.e. yesterday). ACERT_CS is reused by the acert-inline scenario below.
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"
857
# Put a copy into the ikev2/acert-inline scenario: AA key and certificate on
# moon, the clients' current ACs (carol: sales, dave: marketing) on the
# clients themselves.
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"/{private,aacerts}
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/acerts" "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}" "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}" "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"

# Generate a short-lived Attribute Authority certificate. With not-after
# SH_END (one day ago) it is already expired; serial 18 is nevertheless
# registered in the root CA's certs directory like every other issued cert.
CN="strongSwan Legacy AA"
SERIAL="18"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate dave's attribute certificate for sales from the expired AA. The AC
# itself runs until EE_END and thus outlives its issuer; presumably the
# scenario verifies that such an AC is not honoured.
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"
887
888 ################################################################################
889 # strongSwan Root CA index for OCSP server #
890 ################################################################################
891
# Generate index.txt file for the Root OCSP server: instantiate the template's
# placeholders with the dates computed at the top of the script. The date
# formats contain no '/', so they are safe inside the s/// expressions.
cp "${CA_DIR}/index.txt.template" "${CA_DIR}/index.txt"
sed -i \
    -e "s/EE_EXPIRATION/${EE_EXP}/g" \
    -e "s/IM_EXPIRATION/${IM_EXP}/g" \
    -e "s/SH_EXPIRATION/${SH_EXP}/g" \
    -e "s/REVOCATION/${NOW}/g" \
    "${CA_DIR}/index.txt"
898
899 ################################################################################
900 # Research CA #
901 ################################################################################
902
# Generate a carol research certificate
#
# End-entity certificate issued by the Research sub-CA (RESEARCH_KEY/CERT)
# instead of the root, carrying the Research CDP. This is carol's credential
# for the multi-level CA scenarios.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
CN="carol@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}"/{private,certs}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Save a copy of the private key in DER format under the Research CA's keys
# directory (stderr is discarded, so a conversion failure goes unreported)
openssl rsa -in "${TEST_KEY}" -outform der \
    -out "${RESEARCH_DIR}/keys/${SERIAL}.der" 2> /dev/null

# Put a copy in the following scenarios (IPSEC_DIR layout)
for t in \
        ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
        ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
        ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
        ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
        ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
        ikev1/multi-level-ca-cr-resp; do
    TEST="${TEST_DIR}/${t}"
    mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}"/{private,certs}
    cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
    cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
done

# ... and in the swanctl scenarios (SWANCTL_DIR layout)
for t in multi-level-ca ocsp-multi-level; do
    TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}"/{rsa,x509}
    cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
    cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done
945
# Generate a carol research certificate without a CDP
#
# Reuses carol's key (TEST_KEY), CN and SERIAL from the section above, so the
# Research CA now has two distinct certificates carrying serial 01. RFC 5280
# requires serials to be unique per issuer; this is acceptable only in a test
# fixture (presumably so the OCSP index entry for 01 also covers this
# variant) and must not be copied into a real CA.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}"/{certs,private}
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
956
# Generate an OCSP Signing certificate for the Research CA
#
# Delegated responder: an end-entity certificate issued by the Research CA
# with the ocspSigning EKU and the Research CDP; key and certificate are kept
# in RESEARCH_DIR.
CN="ocsp.research.strongswan.org"
OU="Research OCSP Signing Authority"
SERIAL="02"
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
969
# Generate a Sales CA certificate signed by the Research CA
#
# Cross-certificate for the ikev2/multi-level-ca-loop scenario: the Sales CA
# key receives a second CA certificate (--ca, no path length) issued by the
# Research CA. Together with research_by_salesCert.pem further down this
# forms a cycle in the CA graph, which the scenario presumably uses to check
# that path construction terminates. Only moon's cacerts receives it.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
980
981 ################################################################################
982 # Duck Research CA #
983 ################################################################################
984
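# Generate a Duck Research CA certificate signed by the Research CA
#
# A sub-CA below the Research CA (--ca set, no path length constraint of its
# own), registered as serial 04 in the Research CA's certs directory.
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${DUCK_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${DUCK_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${DUCK_CERT}"
cp "${DUCK_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy in the ikev2/multi-level-ca-pathlen scenario.
# Create the target directory first, like every other copy in this script:
# without it, cp would write a regular file named "cacerts" if the directory
# does not exist yet, instead of placing the certificate inside it.
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
cp "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Generate a carol certificate signed by the Duck Research CA (no CDP)
CN="carol@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}"/{private,certs}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${DUCK_KEY}" --cacert "${DUCK_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${DUCK_DIR}/certs/${SERIAL}.pem"

# Generate index.txt file for the Research OCSP server (only the
# EE_EXPIRATION placeholder is substituted here)
cp "${RESEARCH_DIR}/index.txt.template" "${RESEARCH_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${RESEARCH_DIR}/index.txt"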
1015
1016 ################################################################################
1017 # Sales CA #
1018 ################################################################################
1019
# Generate a dave sales certificate
#
# End-entity certificate issued by the Sales sub-CA (SALES_KEY/CERT) with the
# Sales CDP; dave's credential for the multi-level CA scenarios.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
CN="dave@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}"/{private,certs}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Save a copy of the private key in DER format under the Sales CA's keys
# directory (stderr is discarded, so a conversion failure goes unreported)
openssl rsa -in "${TEST_KEY}" -outform der \
    -out "${SALES_DIR}/keys/${SERIAL}.der" 2> /dev/null

# Put a copy in the following scenarios (IPSEC_DIR layout)
for t in \
        ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
        ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
        ikev2/ocsp-multi-level ikev1/multi-level-ca \
        ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp; do
    TEST="${TEST_DIR}/${t}"
    mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}"/{private,certs}
    cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
    cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
done

# ... and in the swanctl scenarios (SWANCTL_DIR layout)
for t in multi-level-ca ocsp-multi-level; do
    TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}"/{rsa,x509}
    cp "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
    cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
done
1060
# Generate a dave sales certificate with an inactive OCSP URI and no CDP
#
# Reuses dave's key (TEST_KEY), CN and SERIAL from the section above, so the
# Sales CA ends up with two different certificates carrying serial 01 (not
# RFC 5280 clean, tolerable only in this fixture). The AIA points at
# ocsp2.strongswan.org:8882 where, per the scenario's intent, no responder
# answers, so a strict OCSP lookup has to fail.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}"/{certs,private}
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
1071
# Generate an OCSP Signing certificate for the Sales CA
#
# Delegated responder for the Sales CA: ocspSigning EKU, Sales CDP, key and
# certificate kept in SALES_DIR.
CN="ocsp.sales.strongswan.org"
OU="Sales OCSP Signing Authority"
SERIAL="02"
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${SALES_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1084
# Generate a Research CA certificate signed by the Sales CA
#
# Counterpart of sales_by_researchCert.pem: the Research CA key receives a
# CA certificate (--ca, no path length) issued by the Sales CA, closing the
# Research <-> Sales cycle for the ikev2/multi-level-ca-loop scenario.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Generate index.txt file for the Sales OCSP server (only the EE_EXPIRATION
# placeholder is substituted here)
cp "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${SALES_DIR}/index.txt"
1099
1100 ################################################################################
1101 # strongSwan EC Root CA #
1102 ################################################################################
1103
# Generate strongSwan EC Root CA (self-signed, --ca, 521-bit ECDSA key)
pki --gen --type ecdsa --size 521 --outform pem > "${ECDSA_KEY}"
pki --self --type ecdsa --in "${ECDSA_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
    --outform pem > "${ECDSA_CERT}"

# Put a copy in the openssl-ikev2/ecdsa-certs and ecdsa-pkcs8 scenarios
# (x509ca of all three hosts)
for t in ecdsa-certs ecdsa-pkcs8; do
    TEST="${TEST_DIR}/openssl-ikev2/${t}"
    for h in moon carol dave; do
        mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
        cp "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    done
done
1121
# Generate a moon ECDSA 521 bit certificate
#
# NOTE(review): the DN says "OU=ECDSA 512 bit" although the key is 521 bit.
# Left unchanged on purpose -- the scenario's expected output may match this
# exact subject -- but do not read the OU as the key size.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
CN="moon.strongswan.org"
SERIAL="01"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}"/{ecdsa,x509}
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# Generate a carol ECDSA 256 bit certificate (same scenario). The MOON_/CAROL_/
# DAVE_ variables are kept apart because the pkcs8 conversions below reuse them.
CN="carol@strongswan.org"
SERIAL="02"
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}"/{ecdsa,x509}
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${CAROL_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${CAROL_CERT}"
cp "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave ECDSA 384 bit certificate (same scenario)
CN="dave@strongswan.org"
SERIAL="03"
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}"/{ecdsa,x509}
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${DAVE_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${DAVE_CERT}"
cp "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1164
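# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
for h in moon carol dave; do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509"
done
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${DAVE_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"

# Convert moon private key into unencrypted PKCS#8 format
# (-nocrypt: plain PrivateKeyInfo, no passphrase)
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${MOON_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into PKCS#5 v1.5 PBE-MD5-DES encrypted PKCS#8.
# -nocrypt must NOT be passed here: combined with -topk8 it makes openssl
# write an unencrypted PrivateKeyInfo and silently ignore -v1/-passout, so
# the encrypted-PKCS#8 decoding path would never be exercised. MD5+DES is
# obsolete and only kept to cover legacy key files. The fixed passphrase is a
# test fixture that has to match the secret configured in the scenario.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${CAROL_KEY}" -topk8 -v1 PBE-MD5-DES \
    -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into PKCS#5 v2.0 AES-128 encrypted PKCS#8
# (again without -nocrypt, for the same reason as above)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${DAVE_KEY}" -topk8 -v2 aes128 \
    -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"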
1190
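# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
#
# Each host receives its ECDSA key (ecdsa/), its certificate (x509/) and the
# EC root CA certificate (x509ca/). Every cd must succeed before the relative
# mkdir/cp that follows: otherwise the cwd stays wherever the previous section
# left it and the files -- private keys included -- would silently land in
# the wrong scenario. Hence the `|| exit 1`.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${MOON_KEY}" ecdsa
cp "${MOON_CERT}" x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/carol/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${CAROL_KEY}" ecdsa
cp "${CAROL_CERT}" x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/dave/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${DAVE_KEY}" ecdsa
cp "${DAVE_CERT}" x509
cp "${ECDSA_CERT}" x509ca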
1208
1209 ################################################################################
1210 # strongSwan RFC3779 Root CA #
1211 ################################################################################
1212
# Generate strongSwan RFC3779 Root CA
#
# The RFC 3779 IP address block extension on the root (three IPv4 ranges and
# one IPv6 range) bounds what subordinate certificates may claim; the EE
# address blocks issued further down all lie inside these ranges.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RFC3779_KEY}"
pki --self --type rsa --in "${RFC3779_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
    --addrblock "10.1.0.0-10.2.255.255" \
    --addrblock "10.3.0.1-10.3.3.232" \
    --addrblock "192.168.0.0/24" \
    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
    --outform pem > "${RFC3779_CERT}"

# Put a copy in the ikev2/net2net-rfc3779 scenario (IPSEC_DIR layout)
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for h in moon sun; do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
    cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario (SWANCTL_DIR layout)
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for h in carol dave; do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1237
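# Generate a moon RFC3779 certificate
#
# moon's address blocks (10.1.0.0/16, 192.168.0.1, fec0::1, fec1::/16) are
# subsets of the root CA's blocks above, as RFC 3779 requires.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
CN="moon.strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"/{private,certs}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy in the ipv6 scenarios. Abort if a scenario directory is missing:
# a failed cd would otherwise leave the cwd unchanged and the relative cp
# below would silently place moon's private key in the wrong scenario.
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2; do
    cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}" || exit 1
    mkdir -p rsa x509 x509ca
    cp "${TEST_KEY}" rsa
    cp "${TEST_CERT}" x509
    cp "${RFC3779_CERT}" x509ca
done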
1264
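# Generate a sun RFC3779 certificate
#
# sun's address blocks (10.2.0.0/16, 192.168.0.2, fec0::2, fec2::/16) are
# subsets of the root CA's blocks, complementary to moon's.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
CN="sun.strongswan.org"
SERIAL="02"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}"/{private,certs}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario. The cd has to
# succeed before the relative mkdir/cp, otherwise sun's private key would be
# silently copied into whatever directory is current; abort on failure.
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${TEST_KEY}" rsa
cp "${TEST_CERT}" x509
cp "${RFC3779_CERT}" x509ca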
1288
# Generate a carol RFC3779 certificate (rw scenario: single host addresses
# only, all inside the root CA's address blocks)
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
CN="carol@strongswan.org"
SERIAL="03"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}"/{rsa,x509}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
    --addrblock "fec0::10/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Generate a dave RFC3779 certificate (same scenario, next serial, its own
# set of single host addresses)
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
CN="dave@strongswan.org"
SERIAL="04"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}"/{rsa,x509}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
    --addrblock "fec0::20/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
1322
1323 ################################################################################
1324 # strongSwan SHA3-RSA Root CA #
1325 ################################################################################
1326
# Generate strongSwan SHA3-RSA Root CA (RSA key, self-signature with
# SHA3-256 instead of the default digest)
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
pki --self --type rsa --in "${SHA3_RSA_KEY}" --digest sha3_256 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --outform pem > "${SHA3_RSA_CERT}"

# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario (x509ca on both
# gateways). TEST stays set for the sun and moon certificates that follow.
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
for h in moon sun; do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1340
# Generate a sun SHA3-RSA certificate (SHA3-256 signature, SHA3 CDP; written
# straight into the swanctl/net2net-sha3-rsa-cert scenario set in TEST)
CN="sun.strongswan.org"
SERIAL="01"
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}"/{rsa,x509}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${SUN_CERT}"
cp "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a moon SHA3-RSA certificate (same scenario; MOON_KEY/MOON_CERT are
# reused by the copies further down)
CN="moon.strongswan.org"
SERIAL="02"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}"/{rsa,x509}
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
1368
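# Put a copy in the botan/net2net-sha3-rsa-cert scenario. The host directory
# is created before the cd and the cd is checked: otherwise a missing scenario
# tree makes the cd fail silently and the private key and certificates are
# copied into whatever the previous working directory was.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp -- "${MOON_KEY}" rsa
cp -- "${MOON_CERT}" x509
cp -- "${SHA3_RSA_CERT}" x509ca
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}"
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp -- "${SUN_KEY}" rsa
cp -- "${SUN_CERT}" x509
cp -- "${SHA3_RSA_CERT}" x509ca

# Put a copy of moon's key and certificate in the swanctl/rw-eap-tls-sha3-rsa
# scenario (TEST stays set to this scenario for the following sections).
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp -- "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"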
1388
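# Generate a carol SHA3-RSA certificate for the swanctl/rw-eap-tls-sha3-rsa
# scenario (TEST is set by the preceding section).
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
  "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
  --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave SHA3-RSA certificate, same layout as for carol.
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
  --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Every host of the scenario trusts the SHA3-RSA root CA.
for h in moon carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done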
1422
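################################################################################
# strongSwan Ed25519 Root CA                                                   #
################################################################################

# Generate the Ed25519 root CA. The CA certificate asserts two certificate
# policies (--cert-policy); the end-entity certificates issued below each
# carry one of them, which the rw-ed25519-certpol scenario relies on.
pki --gen --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" \
  --not-before "${START}" --not-after "${CA_END}" --ca \
  --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
  --outform pem > "${ED25519_CERT}"

# Install the CA certificate as trust anchor for moon and sun in the
# swanctl/net2net-ed25519 scenario.
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
for h in moon sun; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp -- "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done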
1442
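# Generate a sun Ed25519 certificate. Ed25519 keys are stored under pkcs8/
# (not rsa/) in the swanctl tree; the certificate gets the serverAuth EKU flag
# and policy OID ...1.1.2.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8" \
  "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
  --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
cp -- "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a moon Ed25519 certificate (serverAuth, policy OID ...1.1.1).
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8" \
  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
  --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp -- "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"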
1472
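# Put a copy in the botan/net2net-ed25519 scenario. The host directory is
# created before the cd and the cd is checked, so a missing scenario tree can
# no longer redirect the key/certificate copies into the previous cwd.
TEST="${TEST_DIR}/botan/net2net-ed25519"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp -- "${MOON_KEY}" pkcs8
cp -- "${MOON_CERT}" x509
cp -- "${ED25519_CERT}" x509ca
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}"
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp -- "${SUN_KEY}" pkcs8
cp -- "${SUN_CERT}" x509
cp -- "${ED25519_CERT}" x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario, which uses the legacy
# ipsec.d layout (cacerts/, certs/, private/).
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"
cd "${TEST}/hosts/moon/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp -- "${MOON_KEY}" private
cp -- "${MOON_CERT}" certs
cp -- "${ED25519_CERT}" cacerts
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}"
cd "${TEST}/hosts/sun/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp -- "${SUN_KEY}" private
cp -- "${SUN_CERT}" certs
cp -- "${ED25519_CERT}" cacerts

# Put a copy of moon's key and certificate in the swanctl/rw-ed25519-certpol
# scenario and install the CA certificate for all three hosts (TEST stays set
# to this scenario for the following sections).
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8" \
  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp -- "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"

for h in moon carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp -- "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done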
1513
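# Generate a carol Ed25519 certificate for the swanctl/rw-ed25519-certpol
# scenario (TEST is set by the preceding section): clientAuth EKU, policy
# OID ...1.1.1.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8" \
  "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
  --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a dave Ed25519 certificate (clientAuth, policy OID ...1.1.2 — the
# other policy, so carol and dave can be told apart by policy).
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8" \
  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
  --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"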
1543
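################################################################################
# strongSwan Monster Root CA                                                   #
################################################################################

# Generate the Monster root CA. Unlike the other CAs it uses fixed validity
# dates (2009 to 2059) rather than START/CA_END, and its own key size
# MONSTER_CA_RSA_SIZE; it exists for the ikev2/after-2038-certs scenario.
pki --gen --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" \
  --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
  --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
  --outform pem > "${MONSTER_CERT}"

# Install the CA certificate as trust anchor for moon and carol in the
# ikev2/after-2038-certs scenario (legacy ipsec.d layout).
TEST="${TEST_DIR}/ikev2/after-2038-certs"
for h in moon carol; do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp -- "${MONSTER_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done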
1561
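# Generate a moon Monster certificate, valid until 2039 so that its expiry lies
# beyond the 32-bit time_t limit (the point of the after-2038-certs scenario).
# NOTE(review): the bare "-" argument after --not-after is kept exactly as in
# the original command line; it looks like a leftover — confirm how pki --issue
# treats it before removing.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
  "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
  --in "${TEST_KEY}" --san "${CN}" \
  --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
  --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"

# Generate a carol Monster certificate with the same fixed validity.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
  "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
  --in "${TEST_KEY}" --san "${CN}" \
  --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
  --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"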
1591
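################################################################################
# Bliss CA                                                                     #
################################################################################

# Generate the BLISS root CA with 192 bit security strength (--size 4 is the
# BLISS parameter set, not a bit length). No --outform is given for the BLISS
# key and certificates, so they are written in pki's default format; the
# files below use .der names accordingly.
pki --gen --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --digest sha3_512 \
  --not-before "${START}" --not-after "${CA_END}" --ca \
  --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > "${BLISS_CERT}"

# Install the CA certificate as trust anchor in the ikev2 BLISS scenarios
# (legacy ipsec.d layout) ...
for t in rw-newhope-bliss rw-ntru-bliss; do
  TEST="${TEST_DIR}/ikev2/${t}"
  for h in moon carol dave; do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
    cp -- "${BLISS_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  done
done

# ... and in the swanctl BLISS scenario.
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
for h in moon carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp -- "${BLISS_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done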
1619
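# Generate a carol BLISS certificate with 128 bit security strength (BLISS I,
# --size 1) in the ikev2/rw-newhope-bliss scenario, then copy the key and
# certificate into the other two BLISS scenarios.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
  "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 1 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
  --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
  "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp -- "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy in the swanctl/rw-ntru-bliss scenario (BLISS keys live in bliss/)
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss" \
  "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp -- "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss"
cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"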
1648
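# Generate a dave BLISS certificate with 160 bit security strength (BLISS III,
# --size 3) in the ikev2/rw-newhope-bliss scenario, then copy the key and
# certificate into the other two BLISS scenarios.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
  "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 3 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
  --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
  "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
cp -- "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario (BLISS keys live in bliss/)
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss" \
  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
cp -- "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509/"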
1677
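# Generate a moon BLISS certificate with 192 bit security strength (BLISS IV,
# --size 4, the same parameter set as the CA) in the ikev2/rw-newhope-bliss
# scenario, then copy the key and certificate into the other two BLISS scenarios.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
  "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 4 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
  --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
  "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp -- "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario (BLISS keys live in bliss/)
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss" \
  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${TEST_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"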
1706
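################################################################################
# SQL Data                                                                     #
################################################################################

# Hex-encode a file: one "%02x" per byte, no offsets, no newline. This is the
# representation the data.sql.in templates below expect for keys and certs.
# Arguments: $1 - path of the file to encode
# Outputs:   the hex string on stdout
hexdump_file() {
  hexdump -v -e '/1 "%02x"' < "$1"
}

# Hex-encode the DER form of a PEM certificate.
# Arguments: $1 - path of the PEM certificate
# Outputs:   the hex string on stdout
hexdump_cert_der() {
  openssl x509 -in "$1" -outform der | hexdump -v -e '/1 "%02x"'
}

# Main CA: subjectPublicKey (spk) and subjectPublicKeyInfo (spki) key ids,
# plus the certificate in DER and PEM form.
CA_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CA_KEY}")
CA_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${CA_KEY}")
CA_CERT_HEX=$(hexdump_file "${CA_CERT_DER}")
CA_CERT_PEM_HEX=$(hexdump_file "${CA_CERT}")
#
# MOON_KEY/MOON_CERT are deliberately re-pointed here at the main CA's DER key
# store and the default swanctl tree (earlier sections used them for
# scenario-specific keys).
MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_KEY="${CA_DIR}/keys/moonKey.der"
MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_KEY_PEM_HEX=$(hexdump_file "${MOON_KEY_PEM}")
MOON_KEY_HEX=$(hexdump_file "${MOON_KEY}")
MOON_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${MOON_KEY}")
MOON_PUB_HEX=$(pki --pub --type rsa --in "${MOON_KEY}" | hexdump -v -e '/1 "%02x"')
MOON_CERT_HEX=$(hexdump_cert_der "${MOON_CERT}")
MOON_CERT_PEM_HEX=$(hexdump_file "${MOON_CERT}")
#
SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_KEY="${CA_DIR}/keys/sunKey.der"
SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_KEY_PEM_HEX=$(hexdump_file "${SUN_KEY_PEM}")
SUN_KEY_HEX=$(hexdump_file "${SUN_KEY}")
SUN_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${SUN_KEY}")
SUN_CERT_HEX=$(hexdump_cert_der "${SUN_CERT}")
SUN_CERT_PEM_HEX=$(hexdump_file "${SUN_CERT}")
#
CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CAROL_KEY="${CA_DIR}/keys/carolKey.der"
CAROL_KEY_HEX=$(hexdump_file "${CAROL_KEY}")
CAROL_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CAROL_KEY}")
CAROL_PUB_HEX=$(pki --pub --type rsa --in "${CAROL_KEY}" | hexdump -v -e '/1 "%02x"')
CAROL_CERT_HEX=$(hexdump_cert_der "${CAROL_CERT}")
#
DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
DAVE_KEY="${CA_DIR}/keys/daveKey.der"
DAVE_KEY_HEX=$(hexdump_file "${DAVE_KEY}")
DAVE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${DAVE_KEY}")
DAVE_PUB_HEX=$(pki --pub --type rsa --in "${DAVE_KEY}" | hexdump -v -e '/1 "%02x"')
DAVE_CERT_HEX=$(hexdump_cert_der "${DAVE_CERT}")
#
ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
ALICE_KEY_HEX=$(hexdump_file "${ALICE_KEY}")
ALICE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${ALICE_KEY}")
ALICE_CERT_HEX=$(hexdump_cert_der "${ALICE_CERT}")
#
VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
VENUS_KEY="${CA_DIR}/keys/venusKey.der"
VENUS_KEY_HEX=$(hexdump_file "${VENUS_KEY}")
VENUS_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${VENUS_KEY}")
VENUS_CERT_HEX=$(hexdump_cert_der "${VENUS_CERT}")
#
# Research sub-CA and carol's certificate issued by it (serial 01).
RESEARCH_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${RESEARCH_KEY}")
RESEARCH_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${RESEARCH_KEY}")
RESEARCH_CERT_HEX=$(hexdump_file "${RESEARCH_CERT_DER}")
#
CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
CAROL_R_KEY_HEX=$(hexdump_file "${CAROL_R_KEY}")
CAROL_R_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CAROL_R_KEY}")
CAROL_R_CERT_HEX=$(hexdump_cert_der "${CAROL_R_CERT}")
#
# Sales sub-CA and dave's certificate issued by it (serial 01).
SALES_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${SALES_KEY}")
SALES_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${SALES_KEY}")
SALES_CERT_HEX=$(hexdump_file "${SALES_CERT_DER}")
#
DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
DAVE_S_KEY="${SALES_DIR}/keys/01.der"
DAVE_S_KEY_HEX=$(hexdump_file "${DAVE_S_KEY}")
DAVE_S_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${DAVE_S_KEY}")
DAVE_S_CERT_HEX=$(hexdump_cert_der "${DAVE_S_CERT}")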
1780 #
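# Generate data.sql for the scenarios that use the main CA together with the
# research and sales sub-CAs. Each data.sql is produced from its data.sql.in
# template by replacing the *_HEX placeholders. The substituted values are
# plain hex digits (output of hexdump "%02x" and pki --format hex), so they
# contain nothing sed would interpret.
for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
  ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
  rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid; do
  for h in carol dave moon; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
      -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
      -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
      -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
      -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
      -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
      -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
      -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
      -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
      -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
      -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
      -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
      -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
      -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
      -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
      -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
      -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
      -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
      -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
      -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
      -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
      -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
      -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
      -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
      -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
      -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
      -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
      "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done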
1818 #
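# Generate data.sql for the EAP-AKA scenario: only the main CA and moon's
# credentials are needed (carol authenticates via EAP, not a certificate).
for t in rw-eap-aka-rsa; do
  for h in carol moon; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
      -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
      -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
      -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
      -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
      -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
      "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done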
1833 #
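# Generate data.sql for the net2net scenarios between moon and sun. Besides the
# DER forms, these templates also take the PEM-encoded key and certificate
# (the *_PEM_HEX placeholders) for the -pem variants.
for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem; do
  for h in moon sun; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
      -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
      -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
      -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
      -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
      -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
      -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
      -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
      -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
      -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
      -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
      -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
      -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
      -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
      "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done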
1856 #
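# Generate data.sql for the shunt-policies-nat-rw scenario, whose hosts are
# alice, venus and sun.
for t in shunt-policies-nat-rw; do
  for h in alice venus sun; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
      -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
      -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
      -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
      -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
      -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
      -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
      -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
      -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
      -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
      -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
      -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
      "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done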