#!/bin/bash
# Builds the keys, certificates and CRLs used by the strongSwan test scenarios.

printf '%s\n' "Building certificates"

# pki triggers leak-detective warnings from tzset, so switch the detective off
export LEAK_DETECTIVE_DISABLE=1
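# Determine testing directory: the parent of the directory holding this script.
# Every expansion is quoted so a checkout path containing spaces still resolves.
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity windows. The *_END values use the "dd.mm.yy HH:MM:SS" form that is
# passed to pki --not-before/--not-after below; the *_EXP values and NOW use the
# UTCTime form yymmddHHMMSSZ. Everything starts two days in the past
# (presumably to tolerate clock skew on the test hosts).
START=$(date -d "-2 day" "+%d.%m.%y %T")
SH_END=$(date -d "-1 day" "+%d.%m.%y %T")        # 1 day  (already expired)
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")     # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")     # 9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")     # 8 years
SH_EXP=$(date -d "-1 day" "+%y%m%d%H%M%SZ")      # 1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ")   # 9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ")   # 8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated list of test hosts; the for loops below expand it unquoted on purpose
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"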
84 | ||
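# Create the certs/ output directory of the Root CA and of every sub/test CA
for d in "${CA_DIR}" "${RESEARCH_DIR}" "${SALES_DIR}" "${DUCK_DIR}" "${ECDSA_DIR}" \
         "${RFC3779_DIR}" "${SHA3_RSA_DIR}" "${ED25519_DIR}" "${MONSTER_DIR}" "${BLISS_DIR}"
do
  mkdir -p "${d}/certs"
done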
96 | ||
97 | ################################################################################ | |
98 | # strongSwan Root CA # | |
99 | ################################################################################ | |
100 | ||
101 | # Generate strongSwan Root CA | |
102 | pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY} | |
103 | pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \ | |
104 | --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \ | |
105 | --outform pem > ${CA_CERT} | |
106 | ||
107 | # Distribute strongSwan Root CA certificate | |
108 | for h in ${HOSTS} | |
109 | do | |
110 | HOST_DIR="${DIR}/hosts/${h}" | |
111 | cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts | |
112 | cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca | |
113 | done | |
114 | ||
115 | # Put a copy onto the alice FreeRADIUS server | |
116 | cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs | |
117 | ||
118 | # Gernerate a stale CRL | |
119 | pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \ | |
120 | --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL} | |
121 | ||
122 | # Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl | |
123 | TEST="${TEST_DIR}/ikev2/crl-ldap" | |
124 | cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl | |
125 | cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl | |
126 | ||
127 | # Generate host keys | |
128 | for h in ${HOSTS} | |
129 | do | |
130 | HOST_DIR="${DIR}/hosts/${h}" | |
131 | HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem" | |
132 | pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY} | |
133 | ||
134 | # Put a copy into swanctl directory tree | |
135 | cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa | |
136 | done | |
137 | ||
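# Convert moon private key and Root CA certificate into DER format for the
# tkm scenarios. The target directory is created first in case the scenario
# tree does not ship it.
# 2>/dev/null hides openssl's informational "writing RSA key" line -- and any
# real error, so a missing .der file is the only failure signal.
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  TEST_KEY="${TEST}/hosts/moon/${TKM_DIR}/moonKey.der"
  TEST_CERT="${TEST}/hosts/moon/${TKM_DIR}/strongswanCert.der"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  openssl rsa -in "${HOST_KEY}" -outform der -out "${TEST_KEY}" 2> /dev/null
  openssl x509 -in "${CA_CERT}" -outform der -out "${TEST_CERT}"
done

# Convert sun private key and Root CA certificate into DER format
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
for t in multiple-clients
do
  TEST="${TEST_DIR}/tkm/${t}"
  TEST_KEY="${TEST}/hosts/sun/${TKM_DIR}/sunKey.der"
  TEST_CERT="${TEST}/hosts/sun/${TKM_DIR}/strongswanCert.der"
  mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
  openssl rsa -in "${HOST_KEY}" -outform der -out "${TEST_KEY}" 2> /dev/null
  openssl x509 -in "${CA_CERT}" -outform der -out "${TEST_CERT}"
done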
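# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
# NOTE(review): CA_CERT_DER is never assigned before this point and nothing
# creates ${CA_DIR}/keys/, so these cp calls cannot succeed. The loops right
# above already write moonKey.der/sunKey.der and strongswanCert.der into the
# same tkm directories, so this block looks like a leftover from an older
# layout -- confirm and remove it rather than patching the paths.
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  cp "${CA_DIR}/keys/moonKey.der" "${CA_CERT_DER}" "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
# (same caveat as above)
for t in multiple-clients
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
  cp "${CA_DIR}/keys/sunKey.der" "${CA_CERT_DER}" "${TEST}/hosts/sun/${TKM_DIR}"
done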
177 | ||
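# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format.
# -nocrypt must NOT be passed here: openssl pkcs8 checks it before -v1/-passout
# and would emit an unencrypted key, silently defeating the purpose of this
# fixture. PBE-MD5-DES is legacy PBES1, presumably kept so the scenario
# exercises PKCS#5 v1.5 decoding. The fixed passphrase is a test fixture that
# the scenario's secrets configuration has to match -- check there before
# changing it.
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -topk8 -v1 PBE-MD5-DES \
    -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format (PBES2).
# Same -nocrypt caveat and passphrase note as for carol.
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -topk8 -v2 aes128 \
    -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"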
195 | ||
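################################################################################
#                            Public Key Extraction                             #
################################################################################

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put copies of moon's public key into the other scenarios that use it
# (ipsec.d-based scenarios keep it under certs/, swanctl ones under pubkey/)
for dst in \
  "ikev2/net2net-dnssec/hosts/moon/${IPSEC_DIR}/certs" \
  "ikev2/net2net-pubkey/hosts/moon/${IPSEC_DIR}/certs" \
  "ikev2/net2net-pubkey/hosts/sun/${IPSEC_DIR}/certs" \
  "ikev2/rw-dnssec/hosts/moon/${IPSEC_DIR}/certs" \
  "swanctl/rw-dnssec/hosts/moon/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-anon/hosts/moon/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-anon/hosts/carol/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-anon/hosts/dave/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-keyid/hosts/moon/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-keyid/hosts/carol/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-keyid/hosts/dave/${SWANCTL_DIR}/pubkey"
do
  cp "${TEST_PUB}" "${TEST_DIR}/${dst}"
done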
235 | ||
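# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put copies of sun's public key into the other scenarios that use it
for dst in \
  "ikev2/net2net-dnssec/hosts/sun/${IPSEC_DIR}/certs" \
  "ikev2/net2net-pubkey/hosts/moon/${IPSEC_DIR}/certs" \
  "ikev2/net2net-pubkey/hosts/sun/${IPSEC_DIR}/certs" \
  "swanctl/rw-pubkey-anon/hosts/moon/${SWANCTL_DIR}/pubkey"
do
  cp "${TEST_PUB}" "${TEST_DIR}/${dst}"
done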
255 | ||
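# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put copies of carol's public key into the rw-pubkey-anon and rw-pubkey-keyid
# scenarios (carol's own tree and moon's)
for dst in \
  "swanctl/rw-pubkey-anon/hosts/carol/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-anon/hosts/moon/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-keyid/hosts/carol/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-keyid/hosts/moon/${SWANCTL_DIR}/pubkey"
do
  cp "${TEST_PUB}" "${TEST_DIR}/${dst}"
done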
271 | ||
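# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put copies of dave's public key into the rw-pubkey-anon and rw-pubkey-keyid
# scenarios (dave's own tree and moon's)
for dst in \
  "swanctl/rw-pubkey-anon/hosts/dave/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-anon/hosts/moon/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-keyid/hosts/dave/${SWANCTL_DIR}/pubkey" \
  "swanctl/rw-pubkey-keyid/hosts/moon/${SWANCTL_DIR}/pubkey"
do
  cp "${TEST_PUB}" "${TEST_DIR}/${dst}"
done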
287 | ||
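################################################################################
#                         Host Certificate Generation                          #
################################################################################

#######################################
# Issue an end-entity certificate for a test host, signed by the Root CA.
# Globals:   DIR, IPSEC_DIR, SWANCTL_DIR, CA_KEY, CA_CERT, CA_CDP, CA_DIR,
#            PROJECT, START, EE_END (read)
#            HOST_DIR, HOST_KEY, HOST_CERT (written; left global as before --
#            the visible callers reassign them before reading)
# Arguments: $1 - serial number (hex)
#            $2 - host name (selects hosts/<host> and the <host>Key.pem input)
#            $3 - common name, also used as the subjectAltName
#            $4 - organizational unit (optional)
# Outputs:   hosts/<host>/etc/ipsec.d/certs/<host>Cert.pem, a copy in the
#            host's swanctl x509/ tree and a copy as ${CA_DIR}/certs/<serial>.pem
#######################################
issue_cert()
{
  # Optional OU: inserted between O and CN in the DN, including its separators
  local OU=""
  if [ -n "${4}" ]
  then
    OU=" OU=${4},"
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}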
315 | ||
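# Generate host certificates: issue_cert serial host cn [ou]
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon (key + certificate + Root CA, AES-128 protected).
# The export passphrases are fixed test fixtures; the scenarios loading the .p12
# files presumably carry the same values, so check there before changing them.
# stderr is discarded, so a failure only shows up as a missing/empty .p12 file.
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
TEST="${TEST_DIR}/botan/net2net-pkcs12"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
cp "${SUN_PKCS12}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"

# Put a PKCS#12 copy into the openssl-ikev2/net2net-pkcs12 scenario
TEST="${TEST_DIR}/openssl-ikev2/net2net-pkcs12"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
cp "${SUN_PKCS12}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"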
353 | ||
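################################################################################
#                               DNSSEC Zone Files                              #
################################################################################

# Store moon and sun certificates in strongswan.org zone as CERT records
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
printf '%s\n' "; Automatically generated for inclusion in zone file" > "${ZONE_FILE}"
for h in moon sun
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # drop the PEM armour lines and indent the base64 body with four tabs
  cert=$(grep --invert-match '^-----' "${HOST_CERT}" | sed -e 's/^/\t\t\t\t/')
  # CERT RDATA (RFC 4398): type 1 = PKIX, key tag 0, algorithm 0, base64 cert.
  # printf instead of echo -e: the body is base64 plus tabs, so no escape
  # processing of the data is needed and echo's option handling is avoided.
  printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${h}" "${cert}" >> "${ZONE_FILE}"
done

# Store public keys in strongswan.org zone as IPSECKEY records
printf '%s\n' ";" >> "${ZONE_FILE}"
for h in moon sun carol dave
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # wrap the dnskey-formatted key at 64 columns, each line indented with four tabs
  pubkey=$(pki --pub --type x509 --in "${HOST_CERT}" --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  # IPSECKEY RDATA (RFC 4025): precedence 10, gateway type 3 (domain name),
  # algorithm 2 (RSA), gateway <host>.strongswan.org., then the public key
  printf '%s\tIN\tIPSECKEY\t( 10 3 2 %s.strongswan.org.\n%s\n\t\t\t\t)\n' "${h}" "${h}" "${pubkey}" >> "${ZONE_FILE}"
done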
376 | ||
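# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
# NOTE(review): this reuses serial 01 (and 03 for moon below) already given to
# the regular host certificates issued by issue_cert, so two distinct
# certificates share an issuer/serial pair. That violates RFC 5280 and can
# confuse CRL handling; presumably intentional for this scenario, but confirm.
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Encrypt carolKey.pem in the ipsec.d tree (the swanctl copy under rsa/ stays
# unencrypted). The key is written to a temp file first so a failed openssl
# run cannot leave a truncated key behind; the passphrase is a test fixture
# that the scenarios below presumably reference.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 -passout "pass:${KEY_PWD}" -out "${HOST_KEY}.tmp" \
    2> /dev/null && mv -f -- "${HOST_KEY}.tmp" "${HOST_KEY}"

# Put a copy into the dynamic-initiator/-responder scenarios: dave's tree
# receives carol's encrypted key and carol's certificate (serial 01)
for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
do
  TEST="${TEST_DIR}/${t}"
  cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"
done

# Put a copy into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"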
420 | ||
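# Generate another carol certificate (serial 08) and revoke it
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
# First CRL with a real revocation; the copy in CA_LAST_CRL replaces the stale
# CRL generated earlier and is chained into the next CRL via --lastcrl
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "key-compromise" \
    --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Generate another carol certificate with SN=002 (serial 09)
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
CN="carol@strongswan.org"
SERIAL="09"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"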
453 | ||
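################################################################################
#                      Research CA Certificate Generation                      #
################################################################################

# Generate a Research CA certificate (serial 0A) signed by the Root CA and revoke it
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
# Carry the previous CRL's revocations forward (--lastcrl) and add serial 0A;
# the intermediate CRL copy is not needed after this
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm -f -- "${CA_LAST_CRL}"

# Generate Research CA (serial 0B) with the same private key as above signed by Root CA
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into every multi-level / OCSP scenario that trusts the
# Research CA (ipsec.d trees use cacerts/, swanctl trees use x509ca/)
for dst in \
  "ikev1/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev1/multi-level-ca-cr-init/hosts/carol/${IPSEC_DIR}/cacerts" \
  "ikev1/multi-level-ca-cr-resp/hosts/carol/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-ldap/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-cr-init/hosts/carol/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-cr-resp/hosts/carol/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-pathlen/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-strict/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/ocsp-multi-level/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/ocsp-strict-ifuri/hosts/moon/${IPSEC_DIR}/cacerts" \
  "swanctl/multi-level-ca/hosts/moon/${SWANCTL_DIR}/x509ca" \
  "swanctl/ocsp-multi-level/hosts/moon/${SWANCTL_DIR}/x509ca"
do
  cp "${RESEARCH_CERT}" "${TEST_DIR}/${dst}"
done

# Generate Research CA with the same private key (and still serial 0B) as
# above but an invalid CDP, for the multi-level-ca-skipped scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"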
540 | ||
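################################################################################
#                        Sales CA Certificate Generation                       #
################################################################################

# Generate Sales CA (serial 0C) signed by Root CA
SERIAL="0C"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into every multi-level / OCSP scenario that trusts the
# Sales CA (ipsec.d trees use cacerts/, swanctl trees use x509ca/)
for dst in \
  "ikev1/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev1/multi-level-ca-cr-init/hosts/dave/${IPSEC_DIR}/cacerts" \
  "ikev1/multi-level-ca-cr-resp/hosts/dave/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-ldap/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-cr-init/hosts/dave/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-cr-resp/hosts/dave/${IPSEC_DIR}/cacerts" \
  "ikev2/multi-level-ca-strict/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/ocsp-multi-level/hosts/moon/${IPSEC_DIR}/cacerts" \
  "ikev2/ocsp-strict-ifuri/hosts/moon/${IPSEC_DIR}/cacerts" \
  "swanctl/multi-level-ca/hosts/moon/${SWANCTL_DIR}/x509ca" \
  "swanctl/ocsp-multi-level/hosts/moon/${SWANCTL_DIR}/x509ca"
do
  cp "${SALES_CERT}" "${TEST_DIR}/${dst}"
done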
601 | ||
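# Generate AES-encrypted keys and SHA-2 hashed certificates for the
# ikev2/strong-keys-certs scenario, one host per AES key size / digest size.
# Table columns: host, AES bits, SHA bits, serial, key passphrase, CN.
# The passphrases are fixed test fixtures that the scenario's secrets
# configuration presumably references -- check there before changing them.
# The keys are encrypted via a temp file so a failed openssl run cannot leave
# a truncated key behind.
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
while read -r h aes sha SERIAL KEY_PWD CN
do
  TEST_KEY="${TEST}/hosts/${h}/${IPSEC_DIR}/private/${h}Key-aes${aes}.pem"
  TEST_CERT="${TEST}/hosts/${h}/${IPSEC_DIR}/certs/${h}Cert-sha${sha}.pem"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
      --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-${sha}, CN=${CN}" \
      --digest "sha${sha}" --outform pem > "${TEST_CERT}"
  openssl rsa -in "${TEST_KEY}" "-aes${aes}" -passout "pass:${KEY_PWD}" \
      -out "${TEST_KEY}.tmp" 2> /dev/null && mv -f -- "${TEST_KEY}.tmp" "${TEST_KEY}"
  cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
done <<'EOF'
moon 128 224 0D gOQHdrSWeFuiZtYPetWuyzHW moon.strongswan.org
carol 192 384 0E ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA carol@strongswan.org
dave 256 512 0F MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v dave@strongswan.org
EOF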
647 | ||
# ikev2/ocsp-signer-cert: a further carol certificate from the Root CA that
# carries the Root CA's OCSP responder URI (--ocsp) instead of relying on the
# CRL alone.
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
CN="carol@strongswan.org"
SERIAL="10"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
  --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Root CA's certificate store
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
660 | ||
# The carol key/certificate pair just issued is reused by three more OCSP
# scenarios: one ipsec.conf based (private/ and certs/) and two swanctl based
# (rsa/ and x509/).
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
for t in swanctl/ocsp-signer-cert swanctl/ocsp-disabled
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done
675 | ||
# OCSP responder certificate for the strongSwan Root CA: issued by the Root CA
# itself with the ocspSigning flag, and stored next to the CA key in CA_DIR.
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  --flag ocspSigning --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Root CA's certificate store
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
688 | ||
# Self-signed OCSP responder certificate (ocspSigning flag, CA lifetime). It is
# not chained to the Root CA and is not registered under a serial in the CA
# store; CN is the responder name set for the Root CA's OCSP signer above.
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning \
  --not-before "${START}" --not-after "${CA_END}" --san "${CN}" \
  --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  --outform pem > "${TEST_CERT}"

# Both peers in ikev2/ocsp-local-cert trust this locally installed responder
# certificate (ocspcerts/ directory).
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
for h in carol moon
do
  cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/ocspcerts"
done
703 | ||
# mars is the virtual VPN gateway identity shared by the HA hosts moon and
# alice: one serverAuth certificate is issued and installed on every member.
TEST="${TEST_DIR}/ha/both-active"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
  "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  --flag serverAuth --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Root CA's certificate store
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# The mirrored gateway of the same scenario gets the identical key pair
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/private" \
  "${TEST}/hosts/alice/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/alice/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/alice/${IPSEC_DIR}/certs"

# ha/active-passive and ikev2/redirect-active use the same pair on both hosts
for t in ha/active-passive ikev2/redirect-active
do
  TEST="${TEST_DIR}/${t}"
  for h in alice moon
  do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/private" \
      "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
    cp "${TEST_KEY}" "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
  done
done
738 | ||
# serverAuth certificate for winnetou, the host that runs the CA services;
# stored directly in CA_DIR rather than in a scenario directory.
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
SERIAL="13"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
  --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  --flag serverAuth --outform pem > "${HOST_CERT}"
# Keep a copy indexed by serial in the Root CA's certificate store
cp "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
750 | ||
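# AAA server certificate (serverAuth) for alice in tnc/tnccs-20-pdp-eap.
# The mkdir/cp calls below use paths relative to the scenario's swanctl
# directory, so a failed cd must abort the script: continuing would create
# rsa/ and x509/ in the previous working directory and copy the private key
# there (the original did not check the cd result).
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
CN="aaa.strongswan.org"
SERIAL="14"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  --flag serverAuth --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Root CA's certificate store
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# The same AAA credentials serve alice in the other TNC scenarios
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}" || exit 1
  mkdir -p rsa x509
  cp "${TEST_KEY}" rsa
  cp "${TEST_CERT}" x509
done

# alice's FreeRADIUS server uses the same key and certificate
cp "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"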
777 | ||
778 | ################################################################################ | |
779 | # strongSwan Attribute Authority # | |
780 | ################################################################################ | |
781 | ||
# Attribute Authority (AA) certificate for ikev2/acert-cached, issued by the
# Root CA with the intermediate-CA lifetime and no SAN. Its key signs the
# attribute certificates generated below.
TEST="${TEST_DIR}/ikev2/acert-cached"
CN="strongSwan Attribute Authority"
SERIAL="15"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${IM_END}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Root CA's certificate store
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
794 | ||
# Attribute certificates signed with the AA key above. --in names the holder's
# public-key certificate in the Root CA store (01.pem is carol's, 02.pem is
# dave's) and each --group adds one group membership.

# carol: member of sales and finance, regular end-entity validity
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
  --in "${CA_DIR}/certs/01.pem" --group sales --group finance \
  --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"

# dave: member of sales, but the certificate already expired (ends at SH_END)
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
  --in "${CA_DIR}/certs/02.pem" --group sales \
  --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# dave: member of marketing, valid from SH_END onwards; kept in ACERT_DM so it
# can be copied into another scenario later
ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
  --in "${CA_DIR}/certs/02.pem" --group marketing \
  --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_DM}"
812 | ||
# ikev2/acert-fallback: same AA key and certificate on moon, plus two carol
# attribute certificates held by carol herself.
TEST="${TEST_DIR}/ikev2/acert-fallback"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# carol: finance membership that already expired (ends at SH_END)
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
  --in "${CA_DIR}/certs/01.pem" --group finance \
  --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# carol: currently valid sales membership (from SH_END to EE_END); kept in
# ACERT_CS for the copy below
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
  --in "${CA_DIR}/certs/01.pem" --group sales \
  --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"

# ikev2/acert-inline: AA credentials on moon, the valid carol and dave
# attribute certificates on their respective hosts
TEST="${TEST_DIR}/ikev2/acert-inline"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}" "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}" "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
836 | ||
# A second, already expired Attribute Authority (validity ends at SH_END) for
# ikev2/acert-inline, so that an attribute certificate from an expired issuer
# is available on dave.
CN="strongSwan Legacy AA"
SERIAL="16"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Root CA's certificate store
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# dave: sales membership whose validity is fine, but issued by the expired AA
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
  --in "${CA_DIR}/certs/02.pem" --group sales \
  --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"
854 | ||
855 | ################################################################################ | |
856 | # strongSwan Root CA index for OCSP server # | |
857 | ################################################################################ | |
858 | ||
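# Instantiate the Root CA's OCSP index from its template. The placeholder
# tokens are replaced by the expiration and revocation timestamps computed
# earlier in the script. All substitutions are done in a single sed pass
# instead of four separate in-place rewrites of the same file; the result is
# identical because none of the substituted values contains another token.
cp "${CA_DIR}/index.txt.template" "${CA_DIR}/index.txt"
sed -i \
  -e "s/EE_EXPIRATION/${EE_EXP}/g" \
  -e "s/IM_EXPIRATION/${IM_EXP}/g" \
  -e "s/SH_EXPIRATION/${SH_EXP}/g" \
  -e "s/REVOCATION/${NOW}/g" \
  "${CA_DIR}/index.txt"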
865 | ||
866 | ################################################################################ | |
867 | # Research CA # | |
868 | ################################################################################ | |
869 | ||
# Research CA: carol end-entity certificate for ikev2/multi-level-ca, carrying
# the Research CA's CRL distribution point.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
CN="carol@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
  --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Research CA's certificate store
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
882 | ||
# The Research CA carol credentials are shared by the multi-level CA and OCSP
# scenarios listed here. ipsec.conf based hosts take them in private/ and
# certs/, swanctl based hosts in rsa/ and x509/.
for t in \
  ikev2/multi-level-ca-cr-init \
  ikev2/multi-level-ca-cr-resp \
  ikev2/multi-level-ca-ldap \
  ikev2/multi-level-ca-loop \
  ikev2/multi-level-ca-revoked \
  ikev2/multi-level-ca-skipped \
  ikev2/multi-level-ca-strict \
  ikev2/ocsp-multi-level \
  ikev1/multi-level-ca \
  ikev1/multi-level-ca-cr-init \
  ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
done
for t in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done
947 | ||
# ikev2/ocsp-strict-ifuri: a second Research CA certificate for carol on the
# same key, identity and serial as above, but issued without a CRL
# distribution point (no --crl).
# NOTE(review): serial 01 is reused, so two Research CA certificates share an
# issuer/serial pair — presumably intended so the OCSP index covers both;
# confirm before changing.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
  --outform pem > "${TEST_CERT}"
# The key is the one generated for ikev2/multi-level-ca
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
956 | ||
# OCSP responder certificate for the Research CA (ocspSigning flag), stored in
# the Research CA directory.
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
CN="ocsp.research.strongswan.org"
OU="Research OCSP Signing Authority"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  --crl "${RESEARCH_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Research CA's certificate store
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
969 | ||
# Cross-certificate: the Sales CA key certified by the Research CA (--ca).
# Together with the reverse cross-certificate created under the Sales CA
# section, this forms the loop used by ikev2/multi-level-ca-loop.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
  --in "${SALES_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
  --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Research CA's certificate store
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
979 | ||
980 | ################################################################################ | |
981 | # Duck Research CA # | |
982 | ################################################################################ | |
983 | ||
# Duck Research CA: a subordinate CA (--ca) under the Research CA, with the
# end-entity lifetime and the Research CA's CRL distribution point.
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${DUCK_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
  --in "${DUCK_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
  --crl "${RESEARCH_CDP}" --outform pem > "${DUCK_CERT}"
# Keep a copy indexed by serial in the Research CA's certificate store
cp "${DUCK_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# moon trusts the Duck Research CA in ikev2/multi-level-ca-pathlen
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
cp "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
996 | ||
# carol end-entity certificate issued by the Duck Research CA (no CDP) for the
# ikev2/multi-level-ca-pathlen scenario TEST still points to.
CN="carol@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${DUCK_KEY}" --cacert "${DUCK_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
  --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Duck Research CA's certificate store
cp "${TEST_CERT}" "${DUCK_DIR}/certs/${SERIAL}.pem"
1008 | ||
# OCSP index for the Research CA: only the end-entity expiration token needs
# to be filled in from the template.
cp "${RESEARCH_DIR}/index.txt.template" "${RESEARCH_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${RESEARCH_DIR}/index.txt"
1012 | ||
1013 | ################################################################################ | |
1014 | # Sales CA # | |
1015 | ################################################################################ | |
1016 | ||
# Sales CA: dave end-entity certificate for ikev2/multi-level-ca, carrying the
# Sales CA's CRL distribution point.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
CN="dave@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
  --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Sales CA's certificate store
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1029 | ||
# The Sales CA dave credentials are shared by the multi-level CA and OCSP
# scenarios listed here. ipsec.conf based hosts take them in private/ and
# certs/, swanctl based hosts in rsa/ and x509/.
for t in \
  ikev2/multi-level-ca-cr-init \
  ikev2/multi-level-ca-cr-resp \
  ikev2/multi-level-ca-ldap \
  ikev2/multi-level-ca-strict \
  ikev2/ocsp-multi-level \
  ikev1/multi-level-ca \
  ikev1/multi-level-ca-cr-init \
  ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
done
for t in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
done
1079 | ||
# ikev2/ocsp-strict-ifuri: a second Sales CA certificate for dave on the same
# key, identity and serial as above, with no CRL distribution point and an
# OCSP URI that points at a responder which is not running in the scenario.
# NOTE(review): serial 01 is reused, so two Sales CA certificates share an
# issuer/serial pair — presumably intended so the OCSP index covers both;
# confirm before changing.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
  --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > "${TEST_CERT}"
# The key is the one generated for ikev2/multi-level-ca
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
1088 | ||
# OCSP responder certificate for the Sales CA (ocspSigning flag), stored in
# the Sales CA directory.
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
CN="ocsp.sales.strongswan.org"
OU="Sales OCSP Signing Authority"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
  --crl "${SALES_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Sales CA's certificate store
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1101 | ||
# Cross-certificate: the Research CA key certified by the Sales CA (--ca), the
# counterpart of the Sales-by-Research certificate, closing the loop for
# ikev2/multi-level-ca-loop.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
  --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
  --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
# Keep a copy indexed by serial in the Sales CA's certificate store
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1111 | ||
# OCSP index for the Sales CA: only the end-entity expiration token needs to
# be filled in from the template.
cp "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${SALES_DIR}/index.txt"
1115 | ||
1116 | ################################################################################ | |
1117 | # strongSwan EC Root CA # | |
1118 | ################################################################################ | |
1119 | ||
# Self-signed strongSwan EC Root CA on a 521-bit ECDSA key, with CA lifetime
pki --gen --type ecdsa --size 521 --outform pem > "${ECDSA_KEY}"
pki --self --type ecdsa --in "${ECDSA_KEY}" \
  --not-before "${START}" --not-after "${CA_END}" --ca \
  --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
  --outform pem > "${ECDSA_CERT}"

# Trust anchor for all three hosts of openssl-ikev2/ecdsa-certs
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
for h in moon carol dave
do
  cp "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1132 | ||
# ECDSA end-entity certificates from the EC Root CA, one key size per host,
# all for openssl-ikev2/ecdsa-certs (TEST still points to it). The per-host
# variables are kept because later sections copy these files by name.
# NOTE(review): moon's key is 521 bit but its OU reads "ECDSA 512 bit"; the DN
# is reproduced verbatim since scenario expectations may match on it — confirm
# before correcting.

# moon: 521-bit key, serial 01
CN="moon.strongswan.org"
SERIAL="01"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
  --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
  --crl "${ECDSA_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# carol: 256-bit key, serial 02
CN="carol@strongswan.org"
SERIAL="02"
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
  --in "${CAROL_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
  --crl "${ECDSA_CDP}" --outform pem > "${CAROL_CERT}"
cp "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# dave: 384-bit key, serial 03
CN="dave@strongswan.org"
SERIAL="03"
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
  --in "${DAVE_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
  --crl "${ECDSA_CDP}" --outform pem > "${DAVE_CERT}"
cp "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1168 | ||
# openssl-ikev2/ecdsa-pkcs8: each host gets the EC Root CA certificate as
# trust anchor and its own end-entity certificate (the PKCS#8 keys follow).
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
cp "${ECDSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${ECDSA_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${ECDSA_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"
cp "${DAVE_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
1177 | ||
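# PKCS#8 variants of the three ECDSA keys for openssl-ikev2/ecdsa-pkcs8.

# moon: plain, unencrypted PrivateKeyInfo
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
openssl pkcs8 -topk8 -nocrypt -in "${MOON_KEY}" -out "${TEST_KEY}"

# carol: PKCS#5 v1.5 PBE-MD5-DES encrypted with a fixed test passphrase.
# The original invocation also passed -nocrypt, which makes openssl pkcs8 emit
# an unencrypted PrivateKeyInfo and ignore -v1/-passout, so the file was never
# actually encrypted; -nocrypt is dropped so the output matches its purpose.
# PBE-MD5-DES is a legacy scheme (it may need OpenSSL 3's legacy provider) and
# is presumably kept to exercise v1.5 parsing.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
openssl pkcs8 -topk8 -v1 PBE-MD5-DES -passout "pass:nH5ZQEWtku0RJEZ6" \
  -in "${CAROL_KEY}" -out "${TEST_KEY}"

# dave: PKCS#5 v2.0 AES-128 encrypted (-nocrypt dropped for the same reason)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
openssl pkcs8 -topk8 -v2 aes128 -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" \
  -in "${DAVE_KEY}" -out "${TEST_KEY}"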
1191 | ||
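# Put key, EE and CA certificate copies in the openssl-ikev1/ecdsa-certs
# scenario (the comment previously named "rw-ecdsa-certs", which does not
# match the path). Every cd is guarded: without the check a failed cd would
# leave mkdir/cp operating in the previous working directory and drop the
# private key there.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"

cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${MOON_KEY}" ecdsa/
cp "${MOON_CERT}" x509/
cp "${ECDSA_CERT}" x509ca/

cd "${TEST}/hosts/carol/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${CAROL_KEY}" ecdsa/
cp "${CAROL_CERT}" x509/
cp "${ECDSA_CERT}" x509ca/

cd "${TEST}/hosts/dave/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${DAVE_KEY}" ecdsa/
cp "${DAVE_CERT}" x509/
cp "${ECDSA_CERT}" x509ca/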
1209 | ||
1210 | ################################################################################ | |
1211 | # strongSwan RFC3779 Root CA # | |
1212 | ################################################################################ | |
1213 | ||
# Self-signed root carrying RFC 3779 IP address block extensions. The
# end-entity certificates issued below only claim prefixes inside these
# ranges (10.1/16, 10.2/16, 10.3.0.x, 192.168.0.x, fec0::x, fec1::/16,
# fec2::/16), as RFC 3779 path validation requires.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RFC3779_KEY}"
pki --self --type rsa --in "${RFC3779_KEY}" --ca \
  --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
  --not-before "${START}" --not-after "${CA_END}" \
  --addrblock "10.1.0.0-10.2.255.255" \
  --addrblock "10.3.0.1-10.3.3.232" \
  --addrblock "192.168.0.0/24" \
  --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
  --outform pem > "${RFC3779_CERT}"
1224 | ||
# Distribute the RFC3779 root to the scenarios that chain to it:
# ikev2/net2net-rfc3779 uses the ipsec.d layout, ipv6/rw-rfc3779-ikev2 the
# swanctl layout. TEST is left pointing at the ipv6 scenario afterwards.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for h in moon sun; do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for h in carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1238 | ||
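# Generate a moon RFC3779 certificate for ikev2/net2net-rfc3779 (ipsec.d
# layout). Its address blocks are a strict subset of the root's:
# 10.1.0.0/16 in 10.1.0.0-10.2.255.255, 192.168.0.1 in 192.168.0.0/24,
# fec0::1 and fec1::/16 in fec0::-fec2:ffff:....
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
  --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
  --addrblock "fec0::1/128" --addrblock "fec1::/16" \
  --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
# Issuer-side copy keyed by serial (presumably used when the CRL is built).
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy in the ipv6 scenarios (swanctl layout). The cd is guarded: on
# failure the mkdir/cp below would otherwise run in whatever directory the
# script was in before and place the private key there.
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2; do
  cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}" || exit 1
  mkdir -p rsa x509 x509ca
  cp "${TEST_KEY}" rsa/
  cp "${TEST_CERT}" x509/
  cp "${RFC3779_CERT}" x509ca/
done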
1265 | ||
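# Generate a sun RFC3779 certificate for ikev2/net2net-rfc3779 (ipsec.d
# layout). Address blocks are inside the root's ranges (10.2.0.0/16,
# 192.168.0.2, fec0::2, fec2::/16).
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private" \
         "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
  --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
  --addrblock "fec0::2/128" --addrblock "fec2::/16" \
  --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario. Guarded cd: a
# failed cd must not let the private key be copied into the previous
# working directory.
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${TEST_KEY}" rsa/
cp "${TEST_CERT}" x509/
cp "${RFC3779_CERT}" x509ca/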
1289 | ||
# carol: RFC3779 roadwarrior certificate for ipv6/rw-rfc3779-ikev2. Single
# host addresses only, all within the root's blocks.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
  --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
  --addrblock "fec0::10/128" \
  --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
1306 | ||
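# Generate a dave RFC3779 certificate for ipv6/rw-rfc3779-ikev2 (the comment
# previously said "carol"; the paths, CN and serial are dave's). Host
# addresses only, all within the root's blocks.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
  --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
  --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
  --addrblock "fec0::20/128" \
  --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"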
1323 | ||
1324 | ################################################################################ | |
1325 | # strongSwan SHA3-RSA Root CA # | |
1326 | ################################################################################ | |
1327 | ||
# Self-signed RSA root whose signature uses SHA3-256 instead of the default
# digest; the scenarios below check that SHA-3 signed chains validate.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
pki --self --type rsa --in "${SHA3_RSA_KEY}" --ca --digest sha3_256 \
  --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
  --not-before "${START}" --not-after "${CA_END}" \
  --outform pem > "${SHA3_RSA_CERT}"
1334 | ||
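# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario. Trailing "/"
# makes cp fail on a missing x509ca directory rather than creating a file
# named "x509ca".
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
cp "${SHA3_RSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/"
cp "${SHA3_RSA_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca/"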
1339 | ||
# sun: RSA end-entity certificate signed with SHA3-256 by the SHA3-RSA root.
# SUN_KEY/SUN_CERT are global because later scenario copies reuse them.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
  --digest sha3_256 --in "${SUN_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --crl "${SHA3_RSA_CDP}" --outform pem > "${SUN_CERT}"
cp "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
1351 | ||
# moon: RSA end-entity certificate signed with SHA3-256 by the SHA3-RSA root.
# MOON_KEY/MOON_CERT are global because later scenario copies reuse them.
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
  --digest sha3_256 --in "${MOON_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --crl "${SHA3_RSA_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
1363 | ||
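# Put key and certificate copies in the botan/net2net-sha3-rsa-cert
# scenario. Each cd is guarded so a missing scenario directory aborts the
# script instead of copying private keys into the previous working
# directory.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"

cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${MOON_KEY}" rsa/
cp "${MOON_CERT}" x509/
cp "${SHA3_RSA_CERT}" x509ca/

cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${SUN_KEY}" rsa/
cp "${SUN_CERT}" x509/
cp "${SHA3_RSA_CERT}" x509ca/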
1376 | ||
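# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario: moon acts as the
# EAP-TLS server and gets its key, carol and dave only need the root.
# Trailing "/" makes cp fail on a missing directory instead of creating a
# misnamed regular file.
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
cp "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"
for h in moon carol dave; do
  cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca/"
done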
1384 | ||
# carol: SHA3-256 signed RSA roadwarrior certificate for the current TEST
# scenario (set by the preceding copy step).
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
  --digest sha3_256 --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --crl "${SHA3_RSA_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
1396 | ||
# dave: SHA3-256 signed RSA roadwarrior certificate for the current TEST
# scenario (set by the preceding copy step).
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
  --digest sha3_256 --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --crl "${SHA3_RSA_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
1408 | ||
1409 | ################################################################################ | |
1410 | # strongSwan Ed25519 Root CA # | |
1411 | ################################################################################ | |
1412 | ||
# Self-signed Ed25519 root. It asserts both certificate policy OIDs so that
# the end-entity certificates below, which each carry exactly one of them,
# chain up under policy processing (exercised by rw-ed25519-certpol).
pki --gen --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" --ca \
  --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
  --not-before "${START}" --not-after "${CA_END}" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
  --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
  --outform pem > "${ED25519_CERT}"
1421 | ||
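# Put a copy in the swanctl/net2net-ed25519 scenario. Trailing "/" makes cp
# fail on a missing x509ca directory rather than creating a file by that
# name.
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
cp "${ED25519_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/"
cp "${ED25519_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca/"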
1426 | ||
# sun: Ed25519 gateway certificate with policy .1.1.2 and the serverAuth
# EKU flag. The key lives under pkcs8/ (pki writes Ed25519 keys in PKCS#8
# form as far as the directory naming suggests - verify if in doubt).
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${SUN_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --flag "serverAuth" --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
  --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
cp "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
1439 | ||
# moon: Ed25519 gateway certificate with policy .1.1.1 and the serverAuth
# EKU flag. MOON_KEY/MOON_CERT are reused by the scenario copies below.
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${MOON_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --flag "serverAuth" --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
  --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
1452 | ||
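# Put key and certificate copies in the botan/net2net-ed25519 scenario.
# Guarded cd: a missing scenario directory aborts instead of copying the
# private keys into the previous working directory.
TEST="${TEST_DIR}/botan/net2net-ed25519"

cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp "${MOON_KEY}" pkcs8/
cp "${MOON_CERT}" x509/
cp "${ED25519_CERT}" x509ca/

cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp "${SUN_KEY}" pkcs8/
cp "${SUN_CERT}" x509/
cp "${ED25519_CERT}" x509ca/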
1465 | ||
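# Put key and certificate copies in the ikev2/net2net-ed25519 scenario
# (ipsec.d layout). Guarded cd: a missing scenario directory aborts instead
# of copying the private keys into the previous working directory.
TEST="${TEST_DIR}/ikev2/net2net-ed25519"

cd "${TEST}/hosts/moon/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${MOON_KEY}" private/
cp "${MOON_CERT}" certs/
cp "${ED25519_CERT}" cacerts/

cd "${TEST}/hosts/sun/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${SUN_KEY}" private/
cp "${SUN_CERT}" certs/
cp "${ED25519_CERT}" cacerts/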
1478 | ||
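# Put a copy in the swanctl/rw-ed25519-certpol scenario: moon gets its key
# and certificate, every host gets the root. Trailing "/" makes cp fail on
# a missing directory instead of creating a misnamed regular file.
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
cp "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"
for h in moon carol dave; do
  cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca/"
done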
1486 | ||
# carol: Ed25519 roadwarrior certificate, policy .1.1.1, clientAuth EKU.
# Written into the current TEST scenario (rw-ed25519-certpol).
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --flag "clientAuth" --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
  --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
1499 | ||
# dave: Ed25519 roadwarrior certificate, policy .1.1.2, clientAuth EKU.
# Written into the current TEST scenario (rw-ed25519-certpol).
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
  --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --flag "clientAuth" --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
  --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
1512 | ||
1513 | ################################################################################ | |
1514 | # strongSwan Monster Root CA # | |
1515 | ################################################################################ | |
1516 | ||
# Self-signed "Monster" root with a fixed validity of 01.05.2009 to
# 01.05.2059 (dates are DD.MM.YY, see the date formats at the top of the
# script). The end date lies beyond the 32-bit time_t limit of January
# 2038, which is what the after-2038-certs scenario is about. Key size
# comes from MONSTER_CA_RSA_SIZE (defined earlier in the script).
pki --gen --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" --ca \
  --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
  --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" \
  --outform pem > "${MONSTER_CERT}"
1523 | ||
# Distribute the Monster root to both hosts of ikev2/after-2038-certs
# (ipsec.d layout).
TEST="${TEST_DIR}/ikev2/after-2038-certs"
for h in moon carol; do
  cp "${MONSTER_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts/"
done
1528 | ||
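# Generate a moon Monster certificate valid 01.05.2009 - 01.05.2039
# (DD.MM.YY), i.e. expiring after the January 2038 time_t rollover that the
# after-2038-certs scenario checks. The previous command line carried a
# stray "-" argument between --not-after and --serial; nothing in the
# option list consumes it, so it has been dropped.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
  --in "${TEST_KEY}" --san "${CN}" \
  --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
  --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"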
1541 | ||
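# Generate a carol Monster certificate valid 01.05.2009 - 01.05.2039
# (DD.MM.YY), expiring after the January 2038 time_t rollover. The stray
# "-" argument that previously sat between --not-after and --serial is not
# consumed by any option and has been dropped.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
  --in "${TEST_KEY}" --san "${CN}" \
  --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
  --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
  --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"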
1554 | ||
1555 | ################################################################################ | |
1556 | # Bliss CA # | |
1557 | ################################################################################ | |
1558 | ||
# Self-signed BLISS root using parameter set IV (192-bit security level)
# and SHA3-512 as signature digest. No --outform is given, so key and
# certificate are emitted in the default (DER) encoding, matching the .der
# file names used for this CA.
pki --gen --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --ca --digest sha3_512 \
  --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" \
  --not-before "${START}" --not-after "${CA_END}" > "${BLISS_CERT}"
1564 | ||
# Distribute the BLISS root to all three scenarios that use it. The two
# ikev2/* scenarios use the ipsec.d layout, swanctl/rw-ntru-bliss the
# swanctl layout. TEST ends up pointing at swanctl/rw-ntru-bliss.
for s in rw-newhope-bliss rw-ntru-bliss; do
  TEST="${TEST_DIR}/ikev2/${s}"
  for h in carol dave moon; do
    cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts/"
  done
done

TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
for h in carol dave moon; do
  cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca/"
done
1582 | ||
# carol: BLISS I (128-bit security level) roadwarrior certificate, signed
# with SHA3-512. Generated into ikev2/rw-newhope-bliss and then copied to
# the two other BLISS scenarios. Files are DER (.der), no --outform given.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type bliss --size 1 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
  --digest sha3_512 --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --crl "${BLISS_CDP}" > "${TEST_CERT}"
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Same key and certificate for ikev2/rw-ntru-bliss (ipsec.d layout) ...
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs/"

# ... and for swanctl/rw-ntru-bliss (swanctl layout).
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss/"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509/"
1605 | ||
# dave: BLISS III (160-bit security level) roadwarrior certificate, signed
# with SHA3-512. Generated into ikev2/rw-newhope-bliss and then copied to
# the two other BLISS scenarios. Files are DER (.der), no --outform given.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
pki --gen --type bliss --size 3 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
  --digest sha3_512 --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --crl "${BLISS_CDP}" > "${TEST_CERT}"
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Same key and certificate for ikev2/rw-ntru-bliss (ipsec.d layout) ...
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/"

# ... and for swanctl/rw-ntru-bliss (swanctl layout).
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/"
cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509/"
1628 | ||
# moon: BLISS IV (192-bit security level) gateway certificate, signed with
# SHA3-512. Generated into ikev2/rw-newhope-bliss and then copied to the
# two other BLISS scenarios. Files are DER (.der), no --outform given.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
pki --gen --type bliss --size 4 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
  --digest sha3_512 --in "${TEST_KEY}" --san "${CN}" --serial "${SERIAL}" \
  --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
  --not-before "${START}" --not-after "${EE_END}" \
  --crl "${BLISS_CDP}" > "${TEST_CERT}"
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Same key and certificate for ikev2/rw-ntru-bliss (ipsec.d layout) ...
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs/"

# ... and for swanctl/rw-ntru-bliss (swanctl layout).
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"