From: Tobias Brunner
Date: Mon, 15 Apr 2019 16:25:13 +0000 (+0200)
Subject: testing: Build CERT and IPSECKEY RRs for strongswan.org zone
X-Git-Tag: 5.8.0rc1~5^2~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05275905ef82102afc174e4227ef29324eae10c2;p=thirdparty%2Fstrongswan.git

testing: Build CERT and IPSECKEY RRs for strongswan.org zone

Also copy generated keys to DNSSEC test cases.
---
diff --git a/testing/hosts/winnetou/etc/bind/db.strongswan.org b/testing/hosts/winnetou/etc/bind/db.strongswan.org
index f838d2f1c8..ac0d1340e7 100644
--- a/testing/hosts/winnetou/etc/bind/db.strongswan.org
+++ b/testing/hosts/winnetou/etc/bind/db.strongswan.org
@@ -31,89 +31,8 @@ crl IN CNAME winnetou.strongswan.org. ldap IN CNAME winnetou.strongswan.org. ocsp IN CNAME winnetou.strongswan.org. ; -moon IN CERT ( 1 0 0 - MIIEIjCCAwqgAwIBAgIBKzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ - MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS - b290IENBMB4XDTE0MDgyNzE0NDQ1NloXDTE5MDgyNjE0NDQ1NlowRjELMAkGA1UE - BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u - c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk - fAX6xRdB0f5bBjN08zOmO7CEYa8eCyYFqHUhCw+x10v2BnKB6vOlMzW+9DiRtG68 - TdJlYt/24oRuJBX0gAGvzsv0kC9rnoQcgCJQy4bxaLNVsgoiFCVlzxLaYjABbQlz - oSaegm/2PoX+1UP37rG8wlvAcuLSHsFQ720FUs/LvZh4Y0FjoKhvgKs64U4nIAJ7 - MnuL29n5fM5+dem7uovQOBg/+faZo8QkYSK9MW6eQkP+YnwN5zItNBxyGwKPbXXw - Ey5/aqNWfhRY8IEG6HJgrnCwBMHUA14C2UV+Af7Cy4eNnC1Mmu7TmUYcFncXaFn0 - 87ryFUdshlmPpIHxfjufAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE - AwIDqDAdBgNVHQ4EFgQU2CY9Iex8275aOQxbcMsDgCHerhMwbQYDVR0jBGYwZIAU - XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK - ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC - AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr - BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u - b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCpnj6Nc+PuPLPi - 4E3g5hyJkr5VZy7SSglcs1uyVP2mfwj6JR9SLd5+JOsL1aCTm0y9qLcqdbHBxG8i - LNLtwVKU3s1hV4EIO3saHe4XUEjxN9bDtLWEoeq5ipmYX8RJ/fXKR8/8vurBARP2 - xu1+wqwEhymp4jBmF0LVovT1+o+GhH66zIJnx3zR9BtfMkaeL6804hrx2ygeopeo - buGvMDQ8HcnMB9OU7Y8fK0oY1kULl6hf36K5ApPA6766sRRKRvBSKlmViKSQTq5a - 4c8gCWAZbtdT+N/fa8hKDlZt5q10EgjTqDfGTj50xKvAneq7XdfKmYYGnIWoNLY9 - ga8NOzX8 - ) -sun IN CERT ( 1 0 0 - MIIEIDCCAwigAwIBAgIBKjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ - MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS - b290IENBMB4XDTE0MDgyNzE0NDI0NVoXDTE5MDgyNjE0NDI0NVowRTELMAkGA1UE - BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z - 
dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMci - IAR9SlszDJhGEtRq9eCFAYNdtL3bC7jcELs7ttqiB51iAUgdi9JZCzgWNAGHd8Iv - RDV529DDiUxXxOWCdYKUmQp0t5vR6oE5pmHmd5lcUguEyVrtqFSr6LMUqOXwFb41 - VUNPPR7YyLMdgUf9Ki0PZWdnVLVEp/ZKIY1OaqZLTnyfV7k0I/XQX2uW6UDCaC1A - QBljzEfrD2gUcG9+FLpb5qDsiGUyhhLB+nM1GNPnZvIlCppD+0t3xEI87+eg5N86 - yXBcu4o/O7rvVpP17GrhwKuYx0RHDBScBDo/WRNEOrn8/Q9jQUlry06+0ChVYY+R - 328lHABkaoH/rB65JSECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD - AgOoMB0GA1UdDgQWBBTtzWNHzdEvtjAAtgVDBxNUTJ0xijBtBgNVHSMEZjBkgBRd - p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT - EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB - ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB - BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y - Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAVne/5HKpkbv75eHk - x44aMVWT0DB6SF6nXrOQSzF7OV1FyNj2vibA9gAaiVnBXP+r798MDtwD/0N33TQl - QIR2rGJqkocsCTcUiQW6xLDO6AmJCBAaJbc5REjNT+HndjjMsQjn1NyY8hQbyow1 - ZOQ543zCY+Al7A3YcUtISLLH4EMIP3On1PFM2rWMUq1HoSo2kl7Awv+okvoqx6Sf - 7/S2mj3dYGv+5eAVogkBL3mRCXEpGHC+6e6VW5nGYSYIRPkBRD2F4imB4+KYUR74 - GRopoaetH/TFRbDqiSWBf2L3Po2tXEPifIvkgavUXIn+tdgMhQ9BpVN8yEgPXLM5 - WdafVg== - ) -; -moon IN IPSECKEY ( 10 1 2 192.168.0.1 - AwEAAaR8BfrFF0HR/lsGM3TzM6Y7sIRhrx4LJgWodSELD7HXS/YGcoHq86UzNb70 - OJG0brxN0mVi3/bihG4kFfSAAa/Oy/SQL2uehByAIlDLhvFos1WyCiIUJWXPEtpi - MAFtCXOhJp6Cb/Y+hf7VQ/fusbzCW8By4tIewVDvbQVSz8u9mHhjQWOgqG+Aqzrh - TicgAnsye4vb2fl8zn516bu6i9A4GD/59pmjxCRhIr0xbp5CQ/5ifA3nMi00HHIb - Ao9tdfATLn9qo1Z+FFjwgQbocmCucLAEwdQDXgLZRX4B/sLLh42cLUya7tOZRhwW - dxdoWfTzuvIVR2yGWY+kgfF+O58= - ) -sun IN IPSECKEY ( 10 1 2 192.168.0.2 - AwEAAcciIAR9SlszDJhGEtRq9eCFAYNdtL3bC7jcELs7ttqiB51iAUgdi9JZCzgW - NAGHd8IvRDV529DDiUxXxOWCdYKUmQp0t5vR6oE5pmHmd5lcUguEyVrtqFSr6LMU - qOXwFb41VUNPPR7YyLMdgUf9Ki0PZWdnVLVEp/ZKIY1OaqZLTnyfV7k0I/XQX2uW - 6UDCaC1AQBljzEfrD2gUcG9+FLpb5qDsiGUyhhLB+nM1GNPnZvIlCppD+0t3xEI8 - 
7+eg5N86yXBcu4o/O7rvVpP17GrhwKuYx0RHDBScBDo/WRNEOrn8/Q9jQUlry06+ - 0ChVYY+R328lHABkaoH/rB65JSE= - ) -carol IN IPSECKEY ( 10 1 2 192.168.0.100 - AwEAAbfz1DcXyt/sOALi1IZ/RcuPa5m+4fiSST2wVWWrlw3hUjeiwLfgoLrtKaGX - 4i+At82Zol2mdbEXFpO+9qxXliP2u0fexqP4mBuZus3ELA82EOL0lQ2ahAi8O3qa - fkDMBSgvoeJpEwNe00Ugh53g7hT7dw8tSgcPGqQkWutIIKT9T6e/HbHNjRtYlw9Z - lHsp8gSYjg/Q6vV6ofttueMUD9NRv8w2Y76rnRRmUGf3GlNFFmgxZntCJRuYltnx - V7VcCFoppyauYt/fPmjAxbPRuhHKacnzIzq83Ixf5fSjMTlluGCfWFX/NGENXamB - qChkRLHmuCHNexxRp9s2F1S10hE= - ) -dave IN IPSECKEY ( 10 1 2 192.168.0.200 - AwEAAdY83E3FhM1fteIFrdHSQhMPGWKX1gg+JU89IK174X/k/YDB8fb8d0ombwKv - ggU7k5KbAcnaVBG0AvRmb+qkXdRZiEAlJOqR2YrflB+OMN7bnPmDQekI09TzDJt9 - a1C19eIxmUJ2h2DeDAEnxrpp1wsKnWBd48MeYhjkAErRhx8A8ZlBbkdyGQJD+y8G - tp0iWS4rz8aiGQ0vYS+P9DVkMJbbGhl2aqwVY+F335//LVG244+yzXTf1o8aLwPl - 1+PHcgavN+M766Y3bqI5YHgh2CEJTCaBf4zooTBSQ6Tr1cQ5B//V519J1x/uh//2 - CpEQXbFYFiU3kLmTTPz9pcmeVkM= - ) +; Generated certificates and keys +$INCLUDE /etc/ca/db.strongswan.org.certs-and-keys ; ; This is a zone-signing key, keyid 9396, for strongswan.org. strongswan.org. IN DNSKEY 256 3 8 ( diff --git a/testing/scripts/build-certs b/testing/scripts/build-certs index b505ee1d78..9e3031c9de 100755 --- a/testing/scripts/build-certs +++ b/testing/scripts/build-certs 
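Review bot: The records pulled in by `$INCLUDE /etc/ca/db.strongswan.org.certs-and-keys` are only accepted by validating resolvers if the zone's RRSIGs are regenerated after build-certs rewrites that file; the hunk keeps a zone-signing key (keyid 9396) in the zone, so signing presumably happens in a step outside this diff, and that step has to run after the include is produced or the new CERT/IPSECKEY RRsets will fail validation. The include uses an absolute path on winnetou while build-certs writes to `${CA_DIR}/db.strongswan.org.certs-and-keys`; presumably `CA_DIR` maps to `/etc/ca` on that host, worth confirming since a mismatch makes named refuse to load the whole zone. A one-line comment next to the include, `; regenerated by testing/scripts/build-certs - re-sign the zone after running it`, would make both dependencies visible to whoever edits the zone.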
@@ -204,11 +204,23 @@ HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem" pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey +# Put a copy into the ikev2/net2net-dnssec scenario +TEST="${TEST_DIR}/ikev2/net2net-dnssec" +cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs + # Put a copy into the ikev2/net2net-pubkey scenario TEST="${TEST_DIR}/ikev2/net2net-pubkey" cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs +# Put a copy into the ikev2/rw-dnssec scenario +TEST="${TEST_DIR}/ikev2/rw-dnssec" +cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs + +# Put a copy into the swanctl/rw-dnssec scenario +TEST="${TEST_DIR}/swanctl/rw-dnssec" +cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey + # Put a copy into the swanctl/rw-pubkey-anon scenario TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey @@ -228,6 +240,10 @@ HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem" pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey +# Put a copy into the ikev2/net2net-dnssec scenario +TEST="${TEST_DIR}/ikev2/net2net-dnssec" +cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs + # Put a copy into the ikev2/net2net-pubkey scenario TEST="${TEST_DIR}/ikev2/net2net-pubkey" cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs 
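Review bot: Each new `cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs` line assumes the scenario's `certs` (or `pubkey`) directory already exists; if it does not, cp silently creates a regular file named `certs` and the scenario later runs without the key instead of the build failing. Appending a slash to the destination, `cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/`, makes cp fail loudly on a missing directory. The same applies to the second hunk here and to the added `cp ... hosts/carol/${SWANCTL_DIR}/pubkey` and `hosts/dave/${SWANCTL_DIR}/pubkey` lines in the following two hunks. The new lines follow the file's existing unquoted style, which holds only as long as the test directory paths stay free of whitespace.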
@@ -237,11 +253,15 @@ cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey -# Extract the raw carol public key for the swanctl/rw-pubkey-anon scenario -TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +# Extract the raw carol public key for the swanctl/rw-dnssec scenario +TEST="${TEST_DIR}/swanctl/rw-dnssec" TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem" HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem" pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} + +# Put a copy into the swanctl/rw-pubkey-anon scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey # Put a copy into the swanctl/rw-pubkey-keyid scenario @@ -249,11 +269,15 @@ TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid" cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey -# Extract the raw dave public key for the swanctl/rw-pubkey-anon scenario -TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +# Extract the raw dave public key for the swanctl/rw-dnssec scenario +TEST="${TEST_DIR}/swanctl/rw-dnssec" TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem" HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem" pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB} + +# Put a copy into the swanctl/rw-pubkey-anon scenario +TEST="${TEST_DIR}/swanctl/rw-pubkey-anon" +cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey # Put a copy into the swanctl/rw-pubkey-keyid scenario 
@@ -327,6 +351,29 @@ TEST="${TEST_DIR}/openssl-ikev2/net2net-pkcs12" cp ${MOON_PKCS12} "${TEST}/hosts/moon/etc/swanctl/pkcs12" cp ${SUN_PKCS12} "${TEST}/hosts/sun/etc/swanctl/pkcs12" +################################################################################ +# DNSSEC Zone Files # +################################################################################ + +# Store moon and sun certificates in strongswan.org zone +ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys" +echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE} +for h in moon sun +do + HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem + cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/') + echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE} +done + +# Store public keys in strongswan.org zone +echo ";" >> ${ZONE_FILE} +for h in moon sun carol dave +do + HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem + pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g') + echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE} +done + # Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP TEST="${TEST_DIR}/swanctl/crl-to-cache" TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
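Review bot: In both new loops a missing or empty `${HOST_CERT}` does not stop the build: `grep` and `pki` fail inside a pipeline whose exit status is `sed`'s (unless the script sets pipefail, which is outside the hunk), so `cert`/`pubkey` end up empty and a CERT or IPSECKEY record with no RDATA is appended to the include file, which only surfaces later when named refuses to load the zone. Guarding the file at the top of each loop body, `[ -s "${HOST_CERT}" ] || { echo "missing ${HOST_CERT}" >&2; exit 1; }`, keeps the failure next to its cause. `echo -e` for the tab and newline escapes relies on bash's builtin echo (under dash it prints `-e` literally); `printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${h}" "${cert}"` behaves the same everywhere. A short comment on the literal RDATA fields would help future editors, e.g. `# IPSECKEY RDATA: precedence 10, gateway type 3 (domain name), algorithm 2 (RSA); CERT type 1 is PKIX`.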