# strongSwan SHA3-RSA Root CA #
################################################################################
+# Use specific plugin configuration to issue certificates with SHA-3 signatures
+# as not all crypto plugins support them. To avoid entropy issues use the
+# default plugins to generate the keys.
+SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
+
# Generate strongSwan SHA3-RSA Root CA
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
+PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
--not-before "${START}" --not-after "${CA_END}" --ca \
--dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
+PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
+PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \