From: Tobias Brunner Date: Thu, 31 Oct 2019 14:18:17 +0000 (+0100) Subject: testing: Add scenario with hash-and-URL encoding for intermediate CA certificates X-Git-Tag: 5.8.2dr2~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=91dabace1137c28c4848de367fc9ab665b8f8d28;p=thirdparty%2Fstrongswan.git testing: Add scenario with hash-and-URL encoding for intermediate CA certificates --- diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot index acc742e378..f49a163bb3 100755 --- a/testing/scripts/build-certs-chroot +++ b/testing/scripts/build-certs-chroot @@ -513,6 +513,13 @@ do cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca done +for t in rw-hash-and-url-multi-level +do + TEST="${TEST_DIR}/swanctl/${t}" + mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca + cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca +done + # Convert Research CA certificate into DER format openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER} @@ -562,6 +569,13 @@ do cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca done +for t in rw-hash-and-url-multi-level +do + TEST="${TEST_DIR}/swanctl/${t}" + mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca + cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca +done + # Convert Sales CA certificate into DER format openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER} @@ -936,7 +950,7 @@ do cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs done -for t in multi-level-ca ocsp-multi-level +for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level do TEST="${TEST_DIR}/swanctl/${t}" mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa @@ -1051,7 +1065,7 @@ do cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs done -for t in multi-level-ca ocsp-multi-level +for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level do TEST="${TEST_DIR}/swanctl/${t}" mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt b/testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt new file mode 100644 index 0000000000..062c4f0e90 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt @@ -0,0 +1,12 @@ +The VPN gateway moon controls the access to the hosts alice and +venus by means of two different Intermediate CAs. Access to +alice is granted to users presenting a certificate issued by the Research CA +whereas venus can only be reached with a certificate issued by the +Sales CA. The roadwarriors carol and dave have certificates from +the Research CA and Sales CA, respectively. Therefore carol can access +alice and dave can reach venus. +

+The gateway moon doesn't have the intermediate CA certificate installed +and instead of sending the actual certificates, the two clients send "Hash and URL" +certificate payloads. The gateway fetches the certificates via HTTP from server +winnetou. diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat b/testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat new file mode 100644 index 0000000000..5e16338c00 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat @@ -0,0 +1,22 @@ +carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES +dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::fetched certificate.*CN=Research CA::YES +moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES +moon:: cat /var/log/daemon.log::fetched certificate.*CN=Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES +carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO +moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO +dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO +moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf new file mode 100644 index 0000000000..178fa2e7c1 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici + + hash_and_url = yes +} diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..fdf6ca55f1 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,41 @@ +connections { + + home { + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + alice { + remote_ts = 10.1.0.10/32 + esp_proposals = aes128-sha256-ecp256 + } + venus { + remote_ts = 10.1.0.20/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + cert_uri_base = http://winnetou.strongswan.org/certs/ + } + + research { + cacert = researchCert.pem + cert_uri_base = http://winnetou.strongswan.org/certs/research/ + } +} diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf new file mode 100644 index 0000000000..178fa2e7c1 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici + + hash_and_url = yes +} diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..b1158690be --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,41 @@ +connections { + + home { + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + alice { + remote_ts = 10.1.0.10/32 + esp_proposals = aes128-sha256-ecp256 + } + venus { + remote_ts = 10.1.0.20/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + cert_uri_base = http://winnetou.strongswan.org/certs/ + } + + sales { + cacert = salesCert.pem + cert_uri_base = http://winnetou.strongswan.org/certs/sales/ + } +} diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..178fa2e7c1 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici + + hash_and_url = yes +} diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..334ecb62fc --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,54 @@ +connections { + + research { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = "C=CH, O=strongSwan Project, OU=Research, CN=*" + } + children { + alice { + local_ts = 10.1.0.10/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } + + sales { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = "C=CH, O=strongSwan Project, OU=Sales, CN=*" + } + children { + venus { + local_ts = 10.1.0.20/32 + esp_proposals = aes128-sha256-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +authorities { + + strongswan { + cacert = strongswanCert.pem + cert_uri_base = http://winnetou.strongswan.org/certs/ + } +} diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat b/testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat new file mode 100644 index 0000000000..18e43bf301 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home 2> /dev/null +dave::swanctl --terminate --ike home 2> /dev/null +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* \ No newline at end of file diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat b/testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat new file mode 100644 index 0000000000..456938cc47 --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat @@ -0,0 +1,10 @@ +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan +moon::expect-connection research +carol::expect-connection alice +carol::swanctl --initiate --child alice 2> /dev/null +carol::swanctl --initiate --child venus 2> /dev/null +dave::expect-connection alice +dave::swanctl --initiate --child alice 2> /dev/null +dave::swanctl --initiate --child venus 2> /dev/null diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf new file mode 100644 index 0000000000..b8048b4a0a --- /dev/null +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1