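#!/bin/bash
#
# Build the keys, certificates, CRLs and zone-file records used by the
# strongSwan test scenarios.  All paths are derived from the testing
# directory this script lives in (DIR); everything generated here is
# test-only material and is written into the hosts/ and tests/ trees.

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory: the parent of the directory holding this
# script (quoted so a checkout path containing spaces still resolves)
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity windows.  *_END values feed pki --not-before/--not-after
# ("dd.mm.yy HH:MM:SS"); *_EXP values are UTCTime-style "yymmddHHMMSSZ".
# START is two days in the past so freshly built certificates are already
# valid on hosts whose clock lags slightly.
START=$(date -d "-2 day" "+%d.%m.%y %T")
SH_END=$(date -d "-1 day" "+%d.%m.%y %T")      # 1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")   # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")   # 9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")   # 8 years
SH_EXP=$(date -d "-1 day" "+%y%m%d%H%M%SZ")    # 1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ") # 9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ") # 8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated list; loops over it rely on word-splitting, so it is
# deliberately expanded unquoted where iterated.
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"
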
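# Create the certs/ output directory of the Root CA and of every sub-CA
# (mkdir -p is idempotent, so re-running the script is harmless here)
for d in "${CA_DIR}" "${RESEARCH_DIR}" "${SALES_DIR}" "${DUCK_DIR}" \
         "${ECDSA_DIR}" "${RFC3779_DIR}" "${SHA3_RSA_DIR}" "${ED25519_DIR}" \
         "${MONSTER_DIR}" "${BLISS_DIR}"
do
  mkdir -p "${d}/certs"
done
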
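################################################################################
# strongSwan Root CA                                                           #
################################################################################

# Generate strongSwan Root CA
# The key file is created by shell redirection, so its mode follows the
# caller's umask; this is test-only material, not a production CA.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"

# Distribute strongSwan Root CA certificate to every host's ipsec.d and
# swanctl trust store (HOSTS is intentionally unquoted: it is a word list)
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  cp "${CA_CERT}" "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  cp "${CA_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
done

# Put a copy onto the alice FreeRADIUS server
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"

# Generate a stale CRL: issued two days ago with a one-day lifetime, so it
# is already expired when the scenarios run
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
cp "${CA_LAST_CRL}" "${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl"
cp "${CA_LAST_CRL}" "${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl"

# Generate host keys (unencrypted PEM; some are encrypted in place later)
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

  # Put a copy into swanctl directory tree
  cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"
done
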
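# Convert moon private key and Root CA certificate into DER format for the
# tkm scenarios.  The target directory is created first: previously it was
# only created by the copy loop further down, i.e. after these writes.
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
  TEST="${TEST_DIR}/tkm/${t}"
  TEST_KEY="${TEST}/hosts/moon/${TKM_DIR}/moonKey.der"
  TEST_CERT="${TEST}/hosts/moon/${TKM_DIR}/strongswanCert.der"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  # 2>/dev/null silences openssl's "writing RSA key" notice, but it also
  # hides genuine errors; check for the .der file if this step is suspect
  openssl rsa -in "${HOST_KEY}" -outform der -out "${TEST_KEY}" 2> /dev/null
  openssl x509 -in "${CA_CERT}" -outform der -out "${TEST_CERT}"
done

# Convert sun private key and Root CA certificate into DER format
for t in multiple-clients
do
  HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
  TEST="${TEST_DIR}/tkm/${t}"
  TEST_KEY="${TEST}/hosts/sun/${TKM_DIR}/sunKey.der"
  TEST_CERT="${TEST}/hosts/sun/${TKM_DIR}/strongswanCert.der"
  mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
  openssl rsa -in "${HOST_KEY}" -outform der -out "${TEST_KEY}" 2> /dev/null
  openssl x509 -in "${CA_CERT}" -outform der -out "${TEST_CERT}"
done

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
# NOTE(review): CA_CERT_DER is not assigned anywhere in this script and
# ${CA_DIR}/keys/ is never populated here, so these two loops look like
# leftovers superseded by the conversion loops above -- confirm before
# removing.  CA_CERT_DER is expanded only when set, matching the original
# unquoted behaviour where an empty value simply vanished.
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  cp "${CA_DIR}/keys/moonKey.der" ${CA_CERT_DER:+"${CA_CERT_DER}"} "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
for t in multiple-clients
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
  cp "${CA_DIR}/keys/sunKey.der" ${CA_CERT_DER:+"${CA_CERT_DER}"} "${TEST}/hosts/sun/${TKM_DIR}"
done

# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format
# (legacy PBE on purpose: the scenario exercises that parser path; the
# passphrase is a test fixture the scenario config is expected to match)
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
    -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v2 aes128 \
    -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"
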
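################################################################################
# Public Key Extraction                                                        #
################################################################################
# Raw public keys (no certificate) for the pubkey / DNSSEC scenarios.  Each
# key is extracted once and then copied to every scenario host that needs it.

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/rw-dnssec scenario
TEST="${TEST_DIR}/ikev2/rw-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"

# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
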
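################################################################################
# Host Certificate Generation                                                  #
################################################################################

#######################################
# Issue an end-entity host certificate signed by the strongSwan Root CA.
# Globals:   DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT, CA_CDP,
#            PROJECT, START, EE_END (all read only)
# Arguments: $1 - serial number in hex, also the file name under CA_DIR/certs
#            $2 - host name; selects hosts/<host> and <host>Key.pem
#            $3 - subject CN, also used verbatim as the subjectAltName
#            $4 - optional OU inserted between O and CN in the DN
# Outputs:   <host>Cert.pem in the host's ipsec.d/certs and swanctl/x509
#            trees, plus a copy named <serial>.pem in CA_DIR/certs
#######################################
issue_cert()
{
  local serial=$1 host=$2 cn=$3 ou=${4:-}
  local ou_part host_dir host_key host_cert

  # An OU becomes " OU=<ou>," so the DN reads "O=..., OU=..., CN=..."
  if [ -n "${ou}" ]
  then
    ou_part=" OU=${ou},"
  else
    ou_part=""
  fi

  host_dir="${DIR}/hosts/${host}"
  host_key="${host_dir}/${IPSEC_DIR}/private/${host}Key.pem"
  host_cert="${host_dir}/${IPSEC_DIR}/certs/${host}Cert.pem"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${host_key}" --not-before "${START}" --not-after "${EE_END}" --san "${cn}" \
      --serial "${serial}" --dn "C=CH, O=${PROJECT},${ou_part} CN=${cn}" \
      --outform pem > "${host_cert}"
  cp "${host_cert}" "${CA_DIR}/certs/${serial}.pem"

  # Put a certificate copy into swanctl directory tree
  cp "${host_cert}" "${host_dir}/${SWANCTL_DIR}/x509"
}
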
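# Generate host certificates (serial, host, CN, optional OU)
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon (key + cert + Root CA chain).  The export
# passphrase is a test fixture; the scenario's config must use the same one.
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/etc/ipsec.d/private/moonCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/etc/ipsec.d/private/sunCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
    -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
    -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
TEST="${TEST_DIR}/botan/net2net-pkcs12"
mkdir -p "${TEST}/hosts/moon/etc/swanctl/pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/etc/swanctl/pkcs12"
mkdir -p "${TEST}/hosts/sun/etc/swanctl/pkcs12"
cp "${SUN_PKCS12}" "${TEST}/hosts/sun/etc/swanctl/pkcs12"

# Put a PKCS#12 copy into the openssl-ikev2/net2net-pkcs12 scenario
TEST="${TEST_DIR}/openssl-ikev2/net2net-pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/etc/swanctl/pkcs12"
cp "${SUN_PKCS12}" "${TEST}/hosts/sun/etc/swanctl/pkcs12"
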
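################################################################################
# DNSSEC Zone Files                                                            #
################################################################################

# Store moon and sun certificates in strongswan.org zone
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
echo "; Automatically generated for inclusion in zone file" > "${ZONE_FILE}"
for h in moon sun
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # PEM body without the BEGIN/END lines, each line indented by four tabs
  cert=$(grep --invert-match '^-----' "${HOST_CERT}" | sed -e 's/^/\t\t\t\t/')
  # CERT RR in multi-line form: type 1 (PKIX), key tag 0, algorithm 0.
  # printf is used instead of echo -e; the base64 body contains no
  # backslashes, so the output is identical and not subject to echo's
  # escape handling.
  printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${h}" "${cert}" >> "${ZONE_FILE}"
done

# Store public keys in strongswan.org zone
echo ";" >> "${ZONE_FILE}"
for h in moon sun carol dave
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # DNSKEY-style base64, re-wrapped at 64 columns with a four-tab indent
  pubkey=$(pki --pub --type x509 --in "${HOST_CERT}" --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  # IPSECKEY RR: precedence 10, gateway type 3 (domain name), algorithm 2 (RSA)
  printf '%s\tIN\tIPSECKEY\t( 10 3 2 %s.strongswan.org.\n%s\n\t\t\t\t)\n' \
      "${h}" "${h}" "${pubkey}" >> "${ZONE_FILE}"
done
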
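# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
# (same serial 01 and key as carol's regular cert; only the CDP differs)
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Encrypt carolKey.pem in place (ipsec.d copy only; the swanctl/rsa copy made
# in the host-key loop stays unencrypted).  The passphrase is a test fixture.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 -passout "pass:${KEY_PWD}" -out "${HOST_KEY}" \
    2> /dev/null

# Put a copy into the ikev2/dynamic-initiator scenario
TEST="${TEST_DIR}/ikev2/dynamic-initiator"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the ikev1/dynamic-initiator scenario
TEST="${TEST_DIR}/ikev1/dynamic-initiator"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the ikev1/dynamic-responder scenario
TEST="${TEST_DIR}/ikev1/dynamic-responder"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"

# Generate another carol certificate and revoke it; the resulting CRL
# becomes the "last" CRL that the Research CA revocation below chains onto
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "key-compromise" \
    --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Generate another carol certificate with SN=002 (CN is still carol's)
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
SERIAL="09"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
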
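################################################################################
# Research CA Certificate Generation                                           #
################################################################################

# Generate a Research CA certificate signed by the Root CA and revoke it.
# The new CRL chains onto CA_LAST_CRL (the carol revocation above) so both
# revocations end up in CA_CRL; the intermediate file is then removed.
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm -- "${CA_LAST_CRL}"

# Generate Research CA with the same private key as above signed by Root CA
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the ikev1/multi-level-ca scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-pathlen scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-multi-level scenario
TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-strict-ifuri scenario
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the swanctl/multi-level-ca scenario
TEST="${TEST_DIR}/swanctl/multi-level-ca"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"

# Put a certificate copy into the swanctl/ocsp-multi-level scenario
TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"

# Generate Research CA with the same private key as above but invalid CDP.
# SERIAL is still 0B, so this certificate shares serial and key with the
# Research CA above and differs only in its (unreachable) CDP.
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
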
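################################################################################
# Sales CA Certificate Generation                                              #
################################################################################

# Generate Sales CA signed by Root CA
SERIAL="0C"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the ikev1/multi-level-ca scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-multi-level scenario
TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-strict-ifuri scenario
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the swanctl/multi-level-ca scenario
TEST="${TEST_DIR}/swanctl/multi-level-ca"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"

# Put a certificate copy into the swanctl/ocsp-multi-level scenario
TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
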
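# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
# for the ikev2/strong-keys-certs scenario.  Each key is generated in the
# clear, the certificate is issued from it, and the key file is then
# encrypted in place with a fixture passphrase (KEY_PWD).
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"
SERIAL="0D"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
    --digest sha224 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes128 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
    2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"
SERIAL="0E"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
    --digest sha384 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes192 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
    2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"
SERIAL="0F"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
    --digest sha512 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes256 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
    2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
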
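# Generate another carol certificate with an OCSP URI (AIA pointing at CA_OCSP)
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the ikev2/ocsp-timeouts-good scenario
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/ocsp-signer-cert scenario
TEST="${TEST_DIR}/swanctl/ocsp-signer-cert"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"

# Put a copy into the swanctl/ocsp-disabled scenario
TEST="${TEST_DIR}/swanctl/ocsp-disabled"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
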
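# Generate an OCSP Signing certificate for the strongSwan Root CA
# (EKU flag ocspSigning; stored next to the CA material, not in a scenario)
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate a self-signed OCSP Signing certificate (same CN as above, CA-length
# validity, not chained to the Root CA -- used as a locally trusted responder)
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --not-before "${START}" --not-after "${CA_END}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts"
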
704# Generate mars virtual server certificate
705TEST="${TEST_DIR}/ha/both-active"
706TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
707TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
708CN="mars.strongswan.org"
709OU="Virtual VPN Gateway"
710SERIAL="12"
711mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
712mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
713pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
714pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
715 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
716 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
717 --flag serverAuth --outform pem > ${TEST_CERT}
718cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
719
720# Put a copy into the mirrored gateway
721mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
722mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
723cp ${TEST_KEY} ${TEST}/hosts/alice/${IPSEC_DIR}/private
724cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
725
726# Put a copy into the ha/active-passive and ikev2/redirect-active scenarios
727for t in "ha/active-passive" "ikev2/redirect-active"
728do
729 TEST="${TEST_DIR}/${t}"
730 for h in alice moon
731 do
732 mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
733 mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
734 cp ${TEST_KEY} ${TEST}/hosts/${h}/${IPSEC_DIR}/private
735 cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
736 done
737done
738
739# Generate winnetou server certificate
740HOST_KEY="${CA_DIR}/winnetouKey.pem"
741HOST_CERT="${CA_DIR}/winnetouCert.pem"
742CN="winnetou.strongswan.org"
743SERIAL="13"
744pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
745pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
746 --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
747 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
748 --flag serverAuth --outform pem > ${HOST_CERT}
749cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
750
751# Generate AAA server certificate
752TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
753TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
754TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
755CN="aaa.strongswan.org"
756SERIAL="14"
757cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
758mkdir -p rsa x509
759pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
760pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
761--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
762 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
763 --flag serverAuth --outform pem > ${TEST_CERT}
764cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
765
766# Put a copy into various tnc scenarios
767for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
768do
769 cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
770 mkdir -p rsa x509
771 cp ${TEST_KEY} rsa
772 cp ${TEST_CERT} x509
773done
774
775# Put a copy into the alice FreeRADIUS server
776cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
777
778################################################################################
779# strongSwan Attribute Authority #
780################################################################################
781
782# Generate Attribute Authority certificate
783TEST="${TEST_DIR}/ikev2/acert-cached"
784TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
785TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
786CN="strongSwan Attribute Authority"
787SERIAL="15"
788pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
789pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
790 --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
791 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
792 --outform pem > ${TEST_CERT}
793cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
794
795# Generate carol's attribute certificate for sales and finance
796ACERT=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem
797pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
798 --in ${CA_DIR}/certs/01.pem --group sales --group finance \
799 --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
800
801# Generate dave's expired attribute certificate for sales
802ACERT=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem
803pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
804 --in ${CA_DIR}/certs/02.pem --group sales \
805 --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
806
807# Generate dave's attribute certificate for marketing
808ACERT_DM=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem
809pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
810 --in ${CA_DIR}/certs/02.pem --group marketing \
811 --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
812
813# Put a copy into the ikev2/acert-fallback scenario
814TEST="${TEST_DIR}/ikev2/acert-fallback"
815cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
816cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
817
818# Generate carol's expired attribute certificate for finance
819ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
820pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
821 --in ${CA_DIR}/certs/01.pem --group finance \
822 --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
823
824# Generate carol's valid attribute certificate for sales
825ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
826pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
827 --in ${CA_DIR}/certs/01.pem --group sales \
828 --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
829
830# Put a copy into the ikev2/acert-inline scenario
831TEST="${TEST_DIR}/ikev2/acert-inline"
832cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
833cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
834cp ${ACERT_CS} ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
835cp ${ACERT_DM} ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
836
837# Generate a short-lived Attribute Authority certificate
838CN="strongSwan Legacy AA"
839TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
840TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
841SERIAL="16"
842pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
843pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
844 --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
845 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
846 --outform pem > ${TEST_CERT}
847cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
848
849# Generate dave's attribute certificate for sales from expired AA
850ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
851pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
852 --in ${CA_DIR}/certs/02.pem --group sales \
853 --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
854
855################################################################################
856# strongSwan Root CA index for OCSP server #
857################################################################################
858
859# generate index.txt file for Root OCSP server
860cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
861sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
862sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
863sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
864sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
865
866################################################################################
867# Research CA #
868################################################################################
869
870# Generate a carol research certificate
871TEST="${TEST_DIR}/ikev2/multi-level-ca"
872TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
873TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
874CN="carol@strongswan.org"
875SERIAL="01"
876pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
877pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
878 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
879 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
880 --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
881cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
882
883# Put a copy in the ikev2/multilevel-ca-cr-init scenario
884TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
885cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
886cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
887
888# Put a copy in the ikev2/multilevel-ca-cr-resp scenario
889TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
890cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
891cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
892
893# Put a copy in the ikev2/multilevel-ca-ldap scenario
894TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
895cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
896cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
897
898# Put a copy in the ikev2/multilevel-ca-loop scenario
899TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
900cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
901cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
902
903# Put a copy in the ikev2/multilevel-ca-revoked scenario
904TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
905cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
906cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
907
908# Put a copy in the ikev2/multilevel-ca-skipped scenario
909TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
910cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
911cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
912
913# Put a copy in the ikev2/multilevel-ca-strict scenario
914TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
915cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
916cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
917
918# Put a copy in the ikev2/ocsp-multilevel scenario
919TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
920cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
921cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
922
923# Put a copy in the ikev1/multilevel-ca scenario
924TEST="${TEST_DIR}/ikev1/multi-level-ca"
925cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
926cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
927
928# Put a copy in the ikev1/multilevel-ca-cr-init scenario
929TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
930cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
931cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
932
933# Put a copy in the ikev1/multilevel-ca-cr-resp scenario
934TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
935cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
936cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
937
938# Put a copy in the swanctl/multilevel-ca scenario
939TEST="${TEST_DIR}/swanctl/multi-level-ca"
940cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
941cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
942
943# Put a copy in the swanctl/ocsp-multilevel scenario
944TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
945cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
946cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
947
948# Generate a carol research certificate without a CDP
949TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
950TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
951pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
952 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
953 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
954 --outform pem > ${TEST_CERT}
955cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
956
957# Generate an OCSP Signing certificate for the Research CA
958TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
959TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
960OU="Research OCSP Signing Authority"
961CN="ocsp.research.strongswan.org"
962SERIAL="02"
963pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
964pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
965 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
966 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
967 --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
968cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
969
970# Generate a Sales CA certificate signed by the Research CA
971TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
972TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
973SERIAL="03"
974pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
975 --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
976 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
977 --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
978cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
979
980################################################################################
981# Duck Research CA #
982################################################################################
983
984# Generate a Duck Research CA certificate signed by the Research CA
985SERIAL="04"
986pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
987pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
988 --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
989 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
990 --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
991cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
992
993# Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
994TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
995cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
996
997# Generate a carol certificate signed by the Duck Research CA
998TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
999TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1000CN="carol@strongswan.org"
1001SERIAL="01"
1002pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1003pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
1004 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1005 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
1006 --outform pem > ${TEST_CERT}
1007cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
1008
1009# Generate index.txt file for Research OCSP server
1010cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
1011sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
1012
1013################################################################################
1014# Sales CA #
1015################################################################################
1016
1017# Generate a dave sales certificate
1018TEST="${TEST_DIR}/ikev2/multi-level-ca"
1019TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
1020TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1021CN="dave@strongswan.org"
1022SERIAL="01"
1023pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1024pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1025 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1026 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1027 --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1028cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1029
1030# Put a copy in the ikev2/multilevel-ca-cr-init scenario
1031TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
1032cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1033cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1034
1035# Put a copy in the ikev2/multilevel-ca-cr-resp scenario
1036TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
1037cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1038cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1039
1040# Put a copy in the ikev2/multilevel-ca-ldap scenario
1041TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
1042cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1043cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1044
1045# Put a copy in the ikev2/multilevel-ca-strict scenario
1046TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
1047cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1048cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1049
1050# Put a copy in the ikev2/ocsp-multilevel scenario
1051TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
1052cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1053cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1054
1055# Put a copy in the ikev1/multilevel-ca scenario
1056TEST="${TEST_DIR}/ikev1/multi-level-ca"
1057cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1058cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1059
1060# Put a copy in the ikev1/multilevel-ca-cr-init scenario
1061TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
1062cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1063cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1064
1065# Put a copy in the ikev1/multilevel-ca-cr-resp scenario
1066TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
1067cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1068cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1069
1070# Put a copy in the swanctl/multilevel-ca scenario
1071TEST="${TEST_DIR}/swanctl/multi-level-ca"
1072cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1073cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1074
1075# Put a copy in the swanctl/ocsp-multilevel scenario
1076TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
1077cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1078cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1079
1080# Generate a dave sales certificate with an inactive OCSP URI and no CDP
1081TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
1082TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1083pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1084 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1085 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1086 --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
1087cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1088
1089# Generate an OCSP Signing certificate for the Sales CA
1090TEST_KEY="${SALES_DIR}/ocspKey.pem"
1091TEST_CERT="${SALES_DIR}/ocspCert.pem"
1092OU="Sales OCSP Signing Authority"
1093CN="ocsp.sales.strongswan.org"
1094SERIAL="02"
1095pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1096pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1097 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1098 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
1099 --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
1100cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1101
1102# Generate a Research CA certificate signed by the Sales CA
1103TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
1104TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
1105SERIAL="03"
1106pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1107 --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1108 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
1109 --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1110cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1111
1112# generate index.txt file for Sales OCSP server
1113cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
1114sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
1115
1116################################################################################
1117# strongSwan EC Root CA #
1118################################################################################
1119
1120# Generate strongSwan EC Root CA
1121pki --gen --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
1122pki --self --type ecdsa --in ${ECDSA_KEY} \
1123 --not-before "${START}" --not-after "${CA_END}" --ca \
1124 --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
1125 --outform pem > ${ECDSA_CERT}
1126
1127# Put a copy in the openssl-ikev2/ecdsa-certs scenario
1128TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
1129cp ${ECDSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1130cp ${ECDSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1131cp ${ECDSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1132
1133# Generate a moon ECDSA 521 bit certificate
1134MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
1135MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1136CN="moon.strongswan.org"
1137SERIAL="01"
1138pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
1139pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1140 --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1141 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
1142 --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
1143cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1144
1145# Generate a carol ECDSA 256 bit certificate
1146CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
1147CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1148CN="carol@strongswan.org"
1149SERIAL="02"
1150pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
1151pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1152 --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1153 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
1154 --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
1155cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1156
1157# Generate a dave ECDSA 384 bit certificate
1158DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
1159DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1160CN="dave@strongswan.org"
1161SERIAL="03"
1162pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
1163pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1164 --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1165 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
1166 --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
1167cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1168
1169# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
1170TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
1171cp ${ECDSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1172cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1173cp ${ECDSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1174cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1175cp ${ECDSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1176cp ${DAVE_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1177
1178# Convert moon private key into unencrypted PKCS#8 format
1179TEST_KEY=${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem
1180openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
1181
1182# Convert carol private key into v1.5 DES encrypted PKCS#8 format
1183TEST_KEY=${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem
1184openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
1185 -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
1186
1187# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
1188TEST_KEY=${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem
1189openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8 -v2 aes128 \
1190 -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
1191
1192# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
1193TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
1194cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1195mkdir -p ecdsa x509 x509ca
1196cp ${MOON_KEY} ecdsa
1197cp ${MOON_CERT} x509
1198cp ${ECDSA_CERT} x509ca
1199cd ${TEST}/hosts/carol/${SWANCTL_DIR}
1200mkdir -p ecdsa x509 x509ca
1201cp ${CAROL_KEY} ecdsa
1202cp ${CAROL_CERT} x509
1203cp ${ECDSA_CERT} x509ca
1204cd ${TEST}/hosts/dave/${SWANCTL_DIR}
1205mkdir -p ecdsa x509 x509ca
1206cp ${DAVE_KEY} ecdsa
1207cp ${DAVE_CERT} x509
1208cp ${ECDSA_CERT} x509ca
1209
1210################################################################################
1211# strongSwan RFC3779 Root CA #
1212################################################################################
1213
1214# Generate strongSwan RFC3779 Root CA
1215pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
1216pki --self --type rsa --in ${RFC3779_KEY} \
1217 --not-before "${START}" --not-after "${CA_END}" --ca \
1218 --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
1219 --addrblock "10.1.0.0-10.2.255.255" \
1220 --addrblock "10.3.0.1-10.3.3.232" \
1221 --addrblock "192.168.0.0/24" \
1222 --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
1223 --outform pem > ${RFC3779_CERT}
1224
1225# Put a copy in the ikev2/net2net-rfc3779 scenario
1226TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1227mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1228mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1229cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1230cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1231
1232# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
1233TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1234mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1235mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1236cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1237cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1238
1239# Generate a moon RFC3779 certificate
1240TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1241TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1242TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1243CN="moon.strongswan.org"
1244SERIAL="01"
1245mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1246mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1247pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1248pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1249 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1250 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1251 --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
1252 --addrblock "fec0::1/128" --addrblock "fec1::/16" \
1253 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1254cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1255
1256# Put a copy in the ipv6 scenarios
1257for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
1258do
1259 cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
1260 mkdir -p rsa x509 x509ca
1261 cp ${TEST_KEY} rsa
1262 cp ${TEST_CERT} x509
1263 cp ${RFC3779_CERT} x509ca
1264done
1265
1266# Generate a sun RFC3779 certificate
1267TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1268TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
1269TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
1270CN="sun.strongswan.org"
1271SERIAL="02"
1272mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
1273mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
1274pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1275pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1276 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1277 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1278 --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
1279 --addrblock "fec0::2/128" --addrblock "fec2::/16" \
1280 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1281cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1282
1283# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
1284cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
1285mkdir -p rsa x509 x509ca
1286cp ${TEST_KEY} rsa
1287cp ${TEST_CERT} x509
1288cp ${RFC3779_CERT} x509ca
1289
1290# Generate a carol RFC3779 certificate
1291TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1292TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1293TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1294CN="carol@strongswan.org"
1295SERIAL="03"
1296mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1297mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1298pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1299pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1300 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1301 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1302 --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
1303 --addrblock "fec0::10/128" \
1304 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1305cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1306
1307# Generate a dave RFC3779 certificate
1308TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1309TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1310TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1311CN="dave@strongswan.org"
1312SERIAL="04"
1313mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1314mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1315pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1316pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1317 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1318 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1319 --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
1320 --addrblock "fec0::20/128" \
1321 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1322cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1323
1324################################################################################
1325# strongSwan SHA3-RSA Root CA #
1326################################################################################
1327
1328# Generate strongSwan SHA3-RSA Root CA
1329pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
1330pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
1331 --not-before "${START}" --not-after "${CA_END}" --ca \
1332 --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
1333 --outform pem > ${SHA3_RSA_CERT}
1334
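# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
cp "${SHA3_RSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp "${SHA3_RSA_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca"

# Generate a sun SHA3-RSA certificate (serial 01 under the SHA3-RSA CA).
# SUN_KEY/SUN_CERT are reused by the botan scenario further down.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${SUN_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a moon SHA3-RSA certificate (serial 02).
# MOON_KEY/MOON_CERT are reused by the botan and EAP-TLS scenarios further down.
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
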
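# Put a copy in the botan/net2net-sha3-rsa-cert scenario.  The script changes
# into each host's swanctl directory and never changes back; everything after
# this point addresses files through ${TEST_DIR}, which therefore has to be an
# absolute path (TODO confirm where it is set).
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
# Abort if the scenario directory is missing: the relative mkdir/cp below would
# otherwise silently create stray files in whatever the current directory is
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${MOON_KEY}" rsa
cp "${MOON_CERT}" x509
cp "${SHA3_RSA_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${SUN_KEY}" rsa
cp "${SUN_CERT}" x509
cp "${SHA3_RSA_CERT}" x509ca
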
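# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario.  moon reuses the key
# and certificate issued for the net2net scenario; carol and dave get their own
# below.  The target directories are expected to exist already (no mkdir here).
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
cp "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${SHA3_RSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp "${SHA3_RSA_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp "${SHA3_RSA_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"

# Generate a carol SHA3-RSA certificate (serial 03)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave SHA3-RSA certificate (serial 04)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
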
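################################################################################
# strongSwan Ed25519 Root CA                                                   #
################################################################################

# Generate strongSwan Ed25519 Root CA.  The CA certificate asserts two private
# certificate policies (…36906.1.1.1 and …36906.1.1.2); the end-entity
# certificates issued below each carry only one of them, so the certificate
# policy scenarios can tell the two apart.
pki --gen --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > "${ED25519_CERT}"
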
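# Put a copy in the swanctl/net2net-ed25519 scenario
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
cp "${ED25519_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp "${ED25519_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca"

# Generate a sun Ed25519 certificate (serial 01, policy …1.1.2, serverAuth).
# Ed25519 keys go into the pkcs8 directory rather than rsa/ecdsa; presumably
# pki emits them in PKCS#8 form (TODO confirm).  SUN_KEY/SUN_CERT are reused
# by the botan and ikev2 net2net scenarios further down.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a moon Ed25519 certificate (serial 02, policy …1.1.1, serverAuth).
# MOON_KEY/MOON_CERT are reused by the botan, ikev2 and certpol scenarios below.
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
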
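# Put a copy in the botan/net2net-ed25519 scenario.  Works relative to each
# host's swanctl directory and does not change back; later paths are built
# from ${TEST_DIR}, which therefore has to be absolute (TODO confirm).
TEST="${TEST_DIR}/botan/net2net-ed25519"
# Abort if the scenario directory is missing, otherwise the relative mkdir/cp
# below would silently create stray files in the previous working directory
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp "${MOON_KEY}" pkcs8
cp "${MOON_CERT}" x509
cp "${ED25519_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp "${SUN_KEY}" pkcs8
cp "${SUN_CERT}" x509
cp "${ED25519_CERT}" x509ca
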
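# Put a copy in the ikev2/net2net-ed25519 scenario.  This scenario uses the
# legacy ipsec.d layout (cacerts/certs/private under ${IPSEC_DIR}) instead of
# the swanctl directories; the same Ed25519 keys and certificates are reused.
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
# Abort if the scenario directory is missing, otherwise the relative mkdir/cp
# below would silently create stray files in the previous working directory
cd "${TEST}/hosts/moon/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${MOON_KEY}" private
cp "${MOON_CERT}" certs
cp "${ED25519_CERT}" cacerts
cd "${TEST}/hosts/sun/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${SUN_KEY}" private
cp "${SUN_CERT}" certs
cp "${ED25519_CERT}" cacerts
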
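# Put a copy in the swanctl/rw-ed25519-certpol scenario.  moon reuses the
# serverAuth certificate issued above (policy …1.1.1); carol and dave get
# clientAuth certificates below with policies …1.1.1 and …1.1.2 respectively,
# so the scenario can exercise certificate policy matching for both outcomes.
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
cp "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${ED25519_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp "${ED25519_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp "${ED25519_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"

# Generate a carol Ed25519 certificate (serial 03, policy …1.1.1, clientAuth)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a dave Ed25519 certificate (serial 04, policy …1.1.2, clientAuth)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
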
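################################################################################
# strongSwan Monster Root CA                                                   #
################################################################################

# Generate strongSwan Monster Root CA.  Unlike the other CAs this one uses
# fixed validity dates (format is %d.%m.%y, see the date calls at the top of
# the script): 1 May 2009 to 1 May 2059.  The notAfter lies beyond the 32-bit
# time_t limit of January 2038, which is what the after-2038-certs scenario
# below is about.  MONSTER_CA_RSA_SIZE is set earlier in the script.
pki --gen --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --outform pem > "${MONSTER_CERT}"
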
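# Put a copy in the ikev2/after-2038-certs scenario (legacy ipsec.d layout)
TEST="${TEST_DIR}/ikev2/after-2038-certs"
cp "${MONSTER_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"
cp "${MONSTER_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"

# Generate a moon Monster certificate (serial 01).  Fixed validity 1 May 2009
# to 1 May 2039, i.e. expiring after the 2038 rollover but before the CA.
# MONSTER_EE_RSA_SIZE is set earlier in the script.
# NOTE(review): the lone '-' argument after --not-after looks like a leftover
# that pki presumably ignores; kept as-is until that is confirmed, since the
# generated fixtures must not change by accident.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"

# Generate a carol Monster certificate (serial 02, same fixed validity; the
# same lone '-' argument is present here)
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"
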
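################################################################################
# Bliss CA                                                                     #
################################################################################

# Generate BLISS Root CA with 192 bit security strength (--size 4; the
# end-entity certificates below label size 1/3/4 as BLISS I/III/IV in their
# OU).  No --outform is given, so key and certificate are written in pki's
# default encoding — the end-entity fixtures below use .der names, so
# presumably DER (TODO confirm against BLISS_KEY/BLISS_CERT, set earlier).
# Signatures use SHA3-512.
pki --gen --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --digest sha3_512 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > "${BLISS_CERT}"
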
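# Distribute the BLISS CA certificate to the three scenarios that use it.
# The ikev2 scenarios use the legacy cacerts directory, the swanctl one x509ca.

# Put a copy in the ikev2/rw-newhope-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
cp "${BLISS_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"
cp "${BLISS_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/"
cp "${BLISS_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp "${BLISS_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"
cp "${BLISS_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/"
cp "${BLISS_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp "${BLISS_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca/"
cp "${BLISS_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca/"
cp "${BLISS_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/"
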
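# Generate a carol BLISS certificate with 128 bit security strength (BLISS I,
# --size 1; serial 01).  Key and certificate are DER files (no --outform), so
# the same files are copied into each scenario's private/bliss directory.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type bliss --size 1 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss/"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509/"
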
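# Generate a dave BLISS certificate with 160 bit security strength (BLISS III,
# --size 3; serial 02).  DER output, same distribution as carol's above.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
pki --gen --type bliss --size 3 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/"
cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509/"
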
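# Generate a moon BLISS certificate with 192 bit security strength (BLISS IV,
# --size 4, the same parameter set as the CA; serial 03).  DER output, same
# distribution as carol's and dave's above.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
pki --gen --type bliss --size 4 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
# Keep a copy under the issuing CA's certs directory, indexed by serial number
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"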