From: Tobias Brunner Date: Tue, 15 Dec 2020 17:07:28 +0000 (+0100) Subject: testing: Add scenarios that use a CA with two intermediate CA certificates X-Git-Tag: 5.9.2dr2~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ef10ec32624aadc34ce4ced3f4202fbc06fa86d;p=thirdparty%2Fstrongswan.git testing: Add scenarios that use a CA with two intermediate CA certificates Mainly to test TKM's ability for handling multiple CAs and that the received intermediate CA certificates are passed in the right order. But also added a regular scenario where two intermediate CA certificates are sent by one of the clients. --- diff --git a/testing/hosts/winnetou/etc/ca/generate-crl b/testing/hosts/winnetou/etc/ca/generate-crl index a59245d212..ab6558f987 100755 --- a/testing/hosts/winnetou/etc/ca/generate-crl +++ b/testing/hosts/winnetou/etc/ca/generate-crl @@ -82,6 +82,18 @@ do mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40` done +## +# Levels CA and sub-CAs +cd /etc/ca/levels + +# generate CRLs for Levels CA and sub-CAs +pki --signcrl --cakey levelsKey.pem --cacert levelsCert.pem \ + > ${ROOT}/levels.crl +pki --signcrl --cakey levelsKey_l2.pem --cacert levelsCert_l2.pem \ + > ${ROOT}/levels_l2.crl +pki --signcrl --cakey levelsKey_l3.pem --cacert levelsCert_l3.pem \ + > ${ROOT}/levels_l3.crl + ## # strongSwan EC Root CA cd /etc/ca/ecdsa diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot index 7d464c3681..714afdbd7a 100755 --- a/testing/scripts/build-certs-chroot +++ b/testing/scripts/build-certs-chroot @@ -44,6 +44,17 @@ SALES_CERT="${SALES_DIR}/salesCert.pem" SALES_CERT_DER="${SALES_DIR}/salesCert.der" SALES_CDP="http://crl.strongswan.org/sales.crl" # +LEVELS_DIR="${CA_DIR}/levels" +LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem" +LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem" +LEVELS_CDP="http://crl.strongswan.org/levels.crl" +LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem" +LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem" +LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl" +LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem" +LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem" +LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl" +# DUCK_DIR="${CA_DIR}/duck" DUCK_KEY="${DUCK_DIR}/duckKey.pem" DUCK_CERT="${DUCK_DIR}/duckCert.pem" @@ -94,6 +105,7 @@ mkdir -p ${RESEARCH_DIR}/certs mkdir -p ${RESEARCH_DIR}/keys mkdir -p ${SALES_DIR}/certs mkdir -p ${SALES_DIR}/keys +mkdir -p ${LEVELS_DIR}/certs mkdir -p ${DUCK_DIR}/certs mkdir -p ${ECDSA_DIR}/certs mkdir -p ${RFC3779_DIR}/certs @@ -159,7 +171,8 @@ done # Put DER-encoded moon private key and Root CA certificate into tkm scenarios for t in host2host-initiator host2host-responder host2host-xfrmproxy \ - net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey + multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \ + xfrmproxy-rekey do TEST="${TEST_DIR}/tkm/${t}" mkdir -p ${TEST}/hosts/moon/${TKM_DIR} @@ -579,6 +592,52 @@ done # Convert Sales CA certificate into DER format openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER} +################################################################################ +# Multi-level CA Certificate Generation # +################################################################################ + +# Generate Levels Root CA (pathlen is higher than the regular root) +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY} +pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \ + --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \ + --outform pem > ${LEVELS_CERT} + +# For TKM's CA ID mapping +LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}` + +# Generate Levels L2 CA signed by Levels Root CA +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY} +pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \ + --type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \ + --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \ + --outform pem > ${LEVELS_L2_CERT} + +# Generate Levels L3 CA signed by Levels L2 CA +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY} +pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \ + --type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \ + --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \ + --outform pem > ${LEVELS_L3_CERT} + +for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca +do + TEST="${TEST_DIR}/${t}" + for h in moon carol + do + mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca + cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca + done + cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca + cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca +done + +# Put DER-encoded Levels CA certificate into tkm scenario +TEST="${TEST_DIR}/tkm/multi-level-ca" +mkdir -p ${TEST}/hosts/moon/${TKM_DIR} +openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der + +################################################################################ + # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate TEST="${TEST_DIR}/ikev2/strong-keys-certs" TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem" @@ -1113,6 +1172,34 @@ cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt +################################################################################ +# Levels L3 CA # +################################################################################ + +# Generate a carol l3 certificate +TEST="${TEST_DIR}/swanctl/multi-level-ca-l3" +TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem" +TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem" +CN="carol@strongswan.org" +SERIAL="01" +mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa +mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509 +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \ + --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem + +for t in tkm/multi-level-ca +do + TEST="${TEST_DIR}/${t}" + mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa + mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509 + cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa + cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509 +done + ################################################################################ # strongSwan EC Root CA # ################################################################################ @@ -1931,13 +2018,15 @@ done ################################################################################ for t in host2host-initiator host2host-responder host2host-xfrmproxy \ - net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey + multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \ + xfrmproxy-rekey do for h in moon do TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf" sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \ -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \ + -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \ ${TEST_DATA}.in > ${TEST_DATA} done done diff --git a/testing/tests/swanctl/multi-level-ca-l3/description.txt b/testing/tests/swanctl/multi-level-ca-l3/description.txt new file mode 100644 index 0000000000..6ddfc371e9 --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/description.txt @@ -0,0 +1,9 @@ +The VPN gateway moon controls the access to the hosts alice and +venus by means of two different PKIs. Access to alice is granted +to users presenting a certificate issued by the Levels Root CA (or any of its +intermediate CAs) whereas venus can only be reached with a certificate +issued by the regular strongSwan Root CA. +The roadwarriors carol and dave have certificates from the +Levels CA (actually from an second level intermediate CA) and strongSwan CA, +respectively. Therefore carol can access alice and dave +can reach venus. diff --git a/testing/tests/swanctl/multi-level-ca-l3/evaltest.dat b/testing/tests/swanctl/multi-level-ca-l3/evaltest.dat new file mode 100644 index 0000000000..10898f6bca --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/evaltest.dat @@ -0,0 +1,21 @@ +moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels Root CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels_l2.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels L2 CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels_l3.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels L3 CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::levels.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES +carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO +dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES +moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Levels Root CA::YES +moon:: cat /var/log/daemon.log::selected peer config.*levels.*unacceptable::YES +moon:: cat /var/log/daemon.log::switching to peer config.*rw::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO +moon:: swanctl --list-sas --raw 2> /dev/null::levels.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..f3b571a1b4 --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici +} diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..857bc16eff --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + home { + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + cacerts = strongswanCert.pem + revocation = strict + } + children { + alice { + remote_ts = 10.1.0.10/32 + esp_proposals = aes128-sha256-ecp256 + } + venus { + remote_ts = 10.1.0.20/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf new file mode 100644 index 0000000000..f3b571a1b4 --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici +} diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..eb52ea5c9e --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + home { + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + cacerts = strongswanCert.pem + revocation = strict + } + children { + alice { + remote_ts = 10.1.0.10/32 + esp_proposals = aes128-sha256-ecp256 + } + venus { + remote_ts = 10.1.0.20/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..f3b571a1b4 --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici +} diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..38145cfc50 --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,48 @@ +connections { + + levels { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + cacerts = levelsCert.pem + revocation = ifuri + } + children { + alice { + local_ts = 10.1.0.10/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + cacerts = strongswanCert.pem + revocation = ifuri + } + children { + venus { + local_ts = 10.1.0.20/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/multi-level-ca-l3/posttest.dat b/testing/tests/swanctl/multi-level-ca-l3/posttest.dat new file mode 100644 index 0000000000..90f6e12732 --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/posttest.dat @@ -0,0 +1,7 @@ +carol::swanctl --terminate --ike home 2> /dev/null +dave::swanctl --terminate --ike home 2> /dev/null +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* diff --git a/testing/tests/swanctl/multi-level-ca-l3/pretest.dat b/testing/tests/swanctl/multi-level-ca-l3/pretest.dat new file mode 100644 index 0000000000..456938cc47 --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/pretest.dat @@ -0,0 +1,10 @@ +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan +moon::expect-connection research +carol::expect-connection alice +carol::swanctl --initiate --child alice 2> /dev/null +carol::swanctl --initiate --child venus 2> /dev/null +dave::expect-connection alice +dave::swanctl --initiate --child alice 2> /dev/null +dave::swanctl --initiate --child venus 2> /dev/null diff --git a/testing/tests/swanctl/multi-level-ca-l3/test.conf b/testing/tests/swanctl/multi-level-ca-l3/test.conf new file mode 100644 index 0000000000..c295cf019c --- /dev/null +++ b/testing/tests/swanctl/multi-level-ca-l3/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tkm/.gitignore b/testing/tests/tkm/.gitignore index 7fce40b548..86d75283bb 100644 --- a/testing/tests/tkm/.gitignore +++ b/testing/tests/tkm/.gitignore @@ -1,2 +1,3 @@ *.der +*.pem strongswan.conf diff --git a/testing/tests/tkm/multi-level-ca/description.txt b/testing/tests/tkm/multi-level-ca/description.txt new file mode 100644 index 0000000000..e9b9aa1922 --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/description.txt @@ -0,0 +1,6 @@ +Two transport connections to gateway moon are set up, one from client +carol and the other from client dave. The gateway moon uses +the Trusted Key Manager (TKM) and is the responder for both connections. The +authentication is based on X.509 certificates, where carol uses a +certificate issued by a multi-level CA. In order to test the connections, +both carol and dave ping gateway moon. diff --git a/testing/tests/tkm/multi-level-ca/evaltest.dat b/testing/tests/tkm/multi-level-ca/evaltest.dat new file mode 100644 index 0000000000..0c1794fd25 --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/evaltest.dat @@ -0,0 +1,19 @@ +moon:: swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::conn2.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn2.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[192.168.0.1/32]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.200/32] remote-ts=\[192.168.0.1/32]::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES +dave::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES +carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.100 \]::YES +moon::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.1 <-> 192.168.0.200 \]::YES +moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 2::YES +moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES +moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::2 +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tkm/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..28cbb854b3 --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + host-host { + local_addrs = PH_IP_CAROL + remote_addrs = PH_IP_MOON + + proposals = aes256-sha512-modp4096 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + esp_proposals = aes256-sha512-modp4096 + } + } + } +} diff --git a/testing/tests/tkm/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tkm/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 0000000000..4e714128be --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + host-host { + local_addrs = PH_IP_DAVE + remote_addrs = PH_IP_MOON + + proposals = aes256-sha512-modp4096 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + esp_proposals = aes256-sha512-modp4096 + } + } + } +} diff --git a/testing/tests/tkm/multi-level-ca/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/strongswan.conf.in new file mode 100644 index 0000000000..6cbb3ba582 --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/strongswan.conf.in @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-tkm { + dh_mapping { + 15 = 1 + 16 = 2 + } + ca_mapping { + strongswan_ca { + id = 1 + fingerprint = CA_SPK_HEX + } + levels_ca { + id = 2 + fingerprint = LEVELS_SPK_HEX + } + } + start-scripts { + swanctl = /usr/local/sbin/swanctl --load-all --noprompt + } +} diff --git a/testing/tests/tkm/multi-level-ca/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 0000000000..209cd857ff --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,36 @@ + + + moon.strongswan.org + moonCert.pem + + + transport + + 1 + 192.168.0.1 + + + carol@strongswan.org + 192.168.0.100 + + + 30 + 60 + + + + transport + + 1 + 192.168.0.1 + + + dave@strongswan.org + 192.168.0.200 + + + 30 + 60 + + + diff --git a/testing/tests/tkm/multi-level-ca/posttest.dat b/testing/tests/tkm/multi-level-ca/posttest.dat new file mode 100644 index 0000000000..7064a5d48d --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/posttest.dat @@ -0,0 +1,7 @@ +moon::service charon-tkm stop +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::rm /etc/swanctl/x509ca/* +carol::rm /etc/swanctl/x509ca/* diff --git a/testing/tests/tkm/multi-level-ca/pretest.dat b/testing/tests/tkm/multi-level-ca/pretest.dat new file mode 100644 index 0000000000..8e748323a1 --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/pretest.dat @@ -0,0 +1,14 @@ +moon::rm /etc/swanctl/rsa/* +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/swanctl/swanctl.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1,/etc/tkm/levelsCert.der:2 >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::service charon-tkm start +carol::systemctl start strongswan +carol::expect-connection host-host +dave::systemctl start strongswan +dave::expect-connection host-host +moon::expect-connection conn1 +moon::expect-connection conn2 +carol::swanctl --initiate --child host-host 2> /dev/null +dave::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/tkm/multi-level-ca/test.conf b/testing/tests/tkm/multi-level-ca/test.conf new file mode 100644 index 0000000000..6e3b942186 --- /dev/null +++ b/testing/tests/tkm/multi-level-ca/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="carol dave moon winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="carol dave" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="carol dave moon" + +# charon controlled by swanctl +# +SWANCTL=1