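#!/bin/bash
#
# Build the test PKI used by the strongSwan test environment: the strongSwan
# Root CA, several intermediate CAs, per-host keys and certificates, CRLs and
# DNSSEC zone fragments, and distribute copies into the host and scenario
# directory trees below ${DIR}.  Meant to run inside the testing chroot (per
# the script name); needs strongSwan's `pki`, `openssl` and GNU `date` (-d).
#
# Everything produced here -- private keys, passphrases, CRLs -- is fixture
# material for the regression scenarios, not production key material.

# Abort on the first failing command.  NOTE(review): pipelines further below
# (grep | sed, pki | sed) only report the status of their last stage under
# errexit; pipefail would tighten that but has not been checked against the
# rest of the script.
set -o errexit

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory: the parent of the directory holding this
# script.  All expansions are quoted so a path containing whitespace survives
# the nested substitutions (an unquoted $0 would not).
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity windows, all relative to build time.  START is back-dated two days;
# the SH_* values lie one day in the past (already expired when built); the
# CA/IM/EE horizons are roughly 10/9/8 years out.  *_END values are handed to
# pki as --not-after, the *_EXP values carry the same horizons in compact
# YYMMDDhhmmssZ form (not read in this part of the script).
START=$(date  -d "-2 day"    "+%d.%m.%y %T")
SH_END=$(date -d "-1 day"    "+%d.%m.%y %T")    #  1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")    # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")    #  9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")    #  8 years
SH_EXP=$(date -d "-1 day"    "+%y%m%d%H%M%SZ")  #  1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ")  #  9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ")  #  8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
LEVELS_DIR="${CA_DIR}/levels"
LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
LEVELS_CDP="http://crl.strongswan.org/levels.crl"
LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated list; deliberately expanded unquoted in `for h in ${HOSTS}`.
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"

# Create directories
mkdir -p "${CA_DIR}/certs"
mkdir -p "${CA_DIR}/keys"
mkdir -p "${RESEARCH_DIR}/certs"
mkdir -p "${RESEARCH_DIR}/keys"
mkdir -p "${SALES_DIR}/certs"
mkdir -p "${SALES_DIR}/keys"
mkdir -p "${LEVELS_DIR}/certs"
mkdir -p "${DUCK_DIR}/certs"
mkdir -p "${ECDSA_DIR}/certs"
mkdir -p "${RFC3779_DIR}/certs"
mkdir -p "${SHA3_RSA_DIR}/certs"
mkdir -p "${ED25519_DIR}/certs"
mkdir -p "${MONSTER_DIR}/certs"
mkdir -p "${BLISS_DIR}/certs"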
116
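################################################################################
# strongSwan Root CA                                                           #
################################################################################

# Generate strongSwan Root CA: self-signed, pathlen 1 so it can issue the
# intermediate CAs below but no deeper chain.
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"

# Distribute strongSwan Root CA certificate to every host, into both the
# legacy ipsec.d tree and the swanctl tree.  HOSTS is word-split on purpose.
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
  cp "${CA_CERT}" "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  cp "${CA_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
done

# Put a copy onto the alice FreeRADIUS server
mkdir -p "${DIR}/hosts/alice/etc/raddb/certs"
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"

# Convert strongSwan Root CA certificate into DER format
openssl x509 -in "${CA_CERT}" -outform der -out "${CA_CERT_DER}"

# Generate a stale CRL: thisUpdate is back-dated to START and the lifetime is
# short, so the CRL is already out of date when the scenarios load it.
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/crls"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/crls"
cp "${CA_LAST_CRL}" "${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl"
cp "${CA_LAST_CRL}" "${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl"

# Generate host keys: one RSA key per host, stored in ipsec.d/private, copied
# into swanctl/rsa and additionally kept DER-encoded under ${CA_DIR}/keys.
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/private"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

  # Put a copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/rsa"
  cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"

  # Convert host key into DER format.  stderr is silenced to drop openssl's
  # informational output; a non-zero exit still aborts the script (errexit).
  openssl rsa -in "${HOST_KEY}" -outform der -out "${CA_DIR}/keys/${h}Key.der" \
          2> /dev/null
done

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
         xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  cp "${CA_DIR}/keys/moonKey.der" "${CA_CERT_DER}" "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
TEST="${TEST_DIR}/tkm/multiple-clients"
mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
cp "${CA_DIR}/keys/sunKey.der" "${CA_CERT_DER}" "${TEST}/hosts/sun/${TKM_DIR}"

# Convert moon private key into unencrypted PKCS#8 format.  TEST stays set to
# the rw-pkcs8 scenario for the carol and dave conversions that follow.
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format.  The legacy
# PBE-MD5-DES scheme is weak and is used only so the scenario exercises that
# format; the passphrase is a test fixture that the scenario config must match.
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8  -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"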
207
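################################################################################
# Public Key Extraction                                                        #
################################################################################

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario.
# TEST_PUB is reused as the source for all the copies below until the next
# extraction overwrites it.
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into the following ikev2 scenarios
for t in net2net-dnssec net2net-pubkey rw-dnssec
do
  TEST="${TEST_DIR}/ikev2/${t}"
  mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
  cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
done

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the following swanctl scenarios
for t in rw-pubkey-anon rw-pubkey-keyid
do
  TEST="${TEST_DIR}/swanctl/${t}"
  for h in moon carol dave
  do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
    cp "${TEST_PUB}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
  done
done

# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario (directories were created
# by the moon key distribution above)
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"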
304
305 ################################################################################
306 # Host Certificate Generation                                                  #
307 ################################################################################
308
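#######################################
# Issue an end-entity certificate for a host, signed by the strongSwan Root CA.
# Globals:   DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT, CA_CDP,
#            PROJECT, START, EE_END (read)
#            OU, HOST_DIR, HOST_KEY, HOST_CERT (written; left global as in
#            the original -- the top-level code below reassigns them before
#            reading them again)
# Arguments: $1 - serial number, as passed to `pki --serial`; also names the
#                 archived copy ${CA_DIR}/certs/<serial>.pem
#            $2 - host name; selects the key under hosts/<host> and the
#                 output directories
#            $3 - common name, also used as the subjectAltName
#            $4 - optional OU inserted into the subject DN
# Outputs:   writes the certificate to ipsec.d/certs, copies it into
#            swanctl/x509 and ${CA_DIR}/certs/<serial>.pem
# Returns:   non-zero (and aborts the script via errexit) if pki fails
#######################################
issue_cert()
{
  # does optional OU argument exist?  (${4:-} is safe even under nounset)
  if [[ -z "${4:-}" ]]; then
    OU=""
  else
    OU=" OU=${4},"
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/certs"
  # ${OU} already carries its leading space and trailing comma, so the DN
  # reads "C=CH, O=..., OU=..., CN=..." with or without it.
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509"
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}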
334
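# Generate host certificates: serial, host, CN/SAN, optional OU
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon (key + certificate + Root CA, AES-128
# protected with a fixture passphrase).  openssl's stderr is silenced; a
# failure still aborts via errexit.
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put a PKCS#12 copy into the botan/net2net-pkcs12 and
# openssl-ikev2/net2net-pkcs12 scenarios
for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
  mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
  cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
  cp "${SUN_PKCS12}"  "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
done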
372
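################################################################################
# DNSSEC Zone Files                                                            #
################################################################################

# Store moon and sun certificates in strongswan.org zone.  The PEM body (armor
# lines stripped) is indented with four tabs per line and wrapped in a CERT
# RR.  printf is used instead of `echo -e` so the record text is never
# re-interpreted for escape sequences.
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
printf '%s\n' "; Automatically generated for inclusion in zone file" > "${ZONE_FILE}"
for h in moon sun
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # NOTE: only sed's exit status is checked here (no pipefail).
  cert=$(grep --invert-match '^-----' "${HOST_CERT}" | sed -e 's/^/\t\t\t\t/')
  printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${h}" "${cert}" >> "${ZONE_FILE}"
done

# Store public keys in strongswan.org zone as IPSECKEY RRs, the DNSKEY-format
# public key split into 64-character lines.
printf ';\n' >> "${ZONE_FILE}"
for h in moon sun carol dave
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  pubkey=$(pki --pub --type x509 --in "${HOST_CERT}" --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  printf '%s\tIN\tIPSECKEY\t( 10 3 2 %s.strongswan.org.\n%s\n\t\t\t\t)\n' "${h}" "${h}" "${pubkey}" >> "${ZONE_FILE}"
done

# Generate a carol certificate for the swanctl/crl-to-cache scenario with base
# CDP (same serial 01 and key as carol's regular certificate, different CDP)
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Encrypt carolKey.pem in place (the ipsec.d copy; the swanctl/rsa copy stays
# unencrypted).  The passphrase is a test fixture and is visible in the
# process list while openssl runs.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 --passout "pass:${KEY_PWD}" -out "${HOST_KEY}" \
        2> /dev/null

# Put a copy into the dynamic-initiator/responder scenarios.  Carol's
# encrypted key and certificate (serial 01) are installed on host dave --
# presumably these scenarios run carol's identity from dave; confirm against
# the scenario descriptions.
for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
  cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"
done

# Put a copy into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"

# Generate another carol certificate and revoke it (reason key-compromise).
# The resulting CRL becomes both the current CRL and the "last" CRL that the
# Research CA revocation below chains onto.
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "key-compromise" \
    --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Generate another carol certificate with SN=002 (CN is still the carol value
# set above)
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
SERIAL="09"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"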
476
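################################################################################
# Research CA Certificate Generation                                           #
################################################################################

# Generate a Research CA certificate signed by the Root CA and revoke it
# (reason ca-compromise).  The new CRL is chained onto the previous one via
# --lastcrl, so the carol revocation (serial 08) is carried forward.
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm "${CA_LAST_CRL}"

# Generate Research CA with the same private key as above signed by Root CA.
# This (serial 0B) is the Research CA certificate the regular scenarios use.
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the following scenarios
for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
         ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
         ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
done

for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"
done

for t in multi-level-ca ocsp-multi-level
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done

for t in rw-hash-and-url-multi-level
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
done

# Convert Research CA certificate into DER format
openssl x509 -in "${RESEARCH_CERT}" -outform der -out "${RESEARCH_CERT_DER}"

# Generate Research CA with the same private key as above but invalid CDP.
# SERIAL is still 0B, so this certificate shares serial and key with
# RESEARCH_CERT and differs only in its (unreachable) CRL distribution point.
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"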
548
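################################################################################
# Sales CA Certificate Generation                                              #
################################################################################

# Generate Sales CA signed by Root CA
SERIAL="0C"
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the following scenarios.  The target directories
# are created here as well so this section does not depend on the Research CA
# section having run first (ikev2/ocsp-multi-level was previously listed twice).
for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
         ikev2/ocsp-strict-ifuri
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
  cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
done

for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"
  cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"
done

for t in multi-level-ca ocsp-multi-level
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
  cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done

for t in rw-hash-and-url-multi-level
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"
  cp "${SALES_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"
done

# Convert Sales CA certificate into DER format
openssl x509 -in "${SALES_CERT}" -outform der -out "${SALES_CERT_DER}"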
594
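################################################################################
# Multi-level CA Certificate Generation                                        #
################################################################################

# Generate Levels Root CA (pathlen is higher than the regular root, allowing
# the two-level L2 -> L3 intermediate chain below)
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${LEVELS_KEY}"
pki --self --type rsa --in "${LEVELS_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
    --outform pem > "${LEVELS_CERT}"

# For TKM's CA ID mapping (hex subjectPublicKey identifier of the Levels Root
# CA key; not read in this part of the script -- presumably consumed further
# below)
LEVELS_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${LEVELS_KEY}")

# Generate Levels L2 CA signed by Levels Root CA
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${LEVELS_L2_KEY}"
pki --issue --cakey "${LEVELS_KEY}" --cacert "${LEVELS_CERT}" --crl "${LEVELS_CDP}" \
    --type rsa --in "${LEVELS_L2_KEY}" --not-before "${START}" --not-after "${IM_END}" \
    --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
    --outform pem > "${LEVELS_L2_CERT}"

# Generate Levels L3 CA signed by Levels L2 CA
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${LEVELS_L3_KEY}"
pki --issue --cakey "${LEVELS_L2_KEY}" --cacert "${LEVELS_L2_CERT}" --crl "${LEVELS_L2_CDP}" \
    --type rsa --in "${LEVELS_L3_KEY}" --not-before "${START}" --not-after "${IM_END}" \
    --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
    --outform pem > "${LEVELS_L3_CERT}"

# Both hosts get the Levels Root CA as trust anchor; only carol additionally
# receives the L2 and L3 intermediates.
for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
do
  TEST="${TEST_DIR}/${t}"
  for h in moon carol
  do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${LEVELS_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  done
  cp "${LEVELS_L2_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
  cp "${LEVELS_L3_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
done

# Put DER-encoded Levels CA certificate into tkm scenario
TEST="${TEST_DIR}/tkm/multi-level-ca"
mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
openssl x509 -in "${LEVELS_CERT}" -outform der -out "${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der"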
638
639 ################################################################################
640
641 # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
642 TEST="${TEST_DIR}/ikev2/strong-keys-certs"
643 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
644 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
645 KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
646 CN="moon.strongswan.org"
647 SERIAL="0D"
648 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
649 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
650 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
651 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
652     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
653     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
654     --digest sha224 --outform pem > ${TEST_CERT}
655 openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
656         2> /dev/null
657 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
658
659 # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
660 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
661 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
662 KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
663 CN="carol@strongswan.org"
664 SERIAL="0E"
665 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
666 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
667 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
668 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
669     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
670     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
671     --digest sha384 --outform pem > ${TEST_CERT}
672 openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
673         2> /dev/null
674 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
675
676 # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
677 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
678 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
679 KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
680 CN="dave@strongswan.org"
681 SERIAL="0F"
682 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
683 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
684 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
685 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
686     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
687     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
688     --digest sha512 --outform pem > ${TEST_CERT}
689 openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
690         2> /dev/null
691 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
692
# carol certificate carrying an OCSP responder URI (CA_OCSP) in addition to
# the CRL distribution point, for the OCSP scenarios.
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
CN="carol@strongswan.org"
SERIAL="10"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Same key and certificate for the ikev2/ocsp-timeouts-good scenario
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# ... and for the swanctl-based OCSP scenarios (rsa/ and x509/ layout).
# Note: cd is used here, so the working directory is left in the last
# scenario's swanctl directory afterwards; later commands use absolute paths.
for t in ocsp-signer-cert ocsp-disabled
do
  cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
  mkdir -p rsa x509
  cp "${TEST_KEY}"  rsa
  cp "${TEST_CERT}" x509
done
723
# OCSP responder (signing) certificate for the strongSwan Root CA, issued by
# the Root CA itself with the ocspSigning extended key usage. Key and cert
# live in the CA directory, next to the CA's own material.
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
736
# Self-signed OCSP signing certificate (not chained to any CA). Peers that
# should accept it must have it installed locally as a trusted OCSP cert,
# which is what the ikev2/ocsp-local-cert scenario does below.
# CN is carried over from the preceding Root-CA OCSP signer block.
OU="OCSP Self-Signed Authority"
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --not-before "${START}" --not-after "${CA_END}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Install the self-signed OCSP signer on both peers of ikev2/ocsp-local-cert
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
for h in carol moon
do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/ocspcerts"
  cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/ocspcerts"
done
753
# mars: certificate for the virtual (HA) gateway address. The SAME private
# key is deliberately installed on both cluster nodes (moon and alice), since
# they present one identity to clients.
TEST="${TEST_DIR}/ha/both-active"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Mirror key and certificate to the second node of ha/both-active
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/private" \
         "${TEST}/hosts/alice/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/alice/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/alice/${IPSEC_DIR}/certs"

# Both nodes of ha/active-passive and ikev2/redirect-active get the same pair
for t in "ha/active-passive" "ikev2/redirect-active"
do
  TEST="${TEST_DIR}/${t}"
  for h in alice moon
  do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/private" \
             "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
    cp "${TEST_KEY}"  "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
  done
done
788
# moon: certificate with a critical extension under a private OID arc that a
# conforming verifier does not recognise. RFC 5280 requires rejection of a
# certificate with an unrecognised critical extension, which is what the
# critical-extension scenarios exercise.
TEST="${TEST_DIR}/ikev2/critical-extension"
CN="moon.strongswan.org"
SERIAL="13"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Same pair for the swanctl-based openssl-ikev2/critical-extension scenario
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
811
# sun: the peer-side counterpart of moon's certificate above, again carrying
# an unrecognised critical extension under the same private OID arc.
TEST="${TEST_DIR}/ikev2/critical-extension"
CN="sun.strongswan.org"
SERIAL="14"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private" \
         "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Same pair for the swanctl-based openssl-ikev2/critical-extension scenario
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
cp "${TEST_KEY}"  "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
834
# winnetou: TLS server certificate (serverAuth) for the host that serves the
# CA's CRLs and OCSP responses; stored alongside the CA material.
CN="winnetou.strongswan.org"
SERIAL="15"
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${HOST_CERT}"
cp "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
846
# aaa: server certificate for the AAA/EAP server role played by alice in the
# TNC scenarios. The directories are created relative to the scenario's
# swanctl directory (cd), while key/cert paths stay absolute.
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
CN="aaa.strongswan.org"
SERIAL="16"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
mkdir -p rsa x509
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# The other TNC scenarios where alice acts as AAA server get the same pair
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
  mkdir -p rsa x509
  cp "${TEST_KEY}"  rsa
  cp "${TEST_CERT}" x509
done

# alice's FreeRADIUS instance uses the same server key and certificate
# (private key is shared between the strongSwan and FreeRADIUS roles by design)
cp "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"
873
874 ################################################################################
875 # strongSwan Attribute Authority                                               #
876 ################################################################################
877
878 # Generate Attribute Authority certificate
879 TEST="${TEST_DIR}/ikev2/acert-cached"
880 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
881 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
882 CN="strongSwan Attribute Authority"
883 SERIAL="17"
884 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
885 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
886 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
887 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
888 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
889     --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
890     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
891     --outform pem > ${TEST_CERT}
892 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
893
# Attribute certificates (acerts) for the ikev2/acert-cached scenario. The
# holder is identified via the Root CA's copy of the holder certificate:
# serial 01 is carol's, serial 02 is dave's. TEST_KEY/TEST_CERT are the AA
# key and certificate from the preceding block.
ACERT_DIR="${TEST}/hosts/moon/${IPSEC_DIR}/acerts"

# carol: member of sales and finance, valid for the EE lifetime
ACERT="${ACERT_DIR}/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales --group finance \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"

# dave: sales membership that already expired (SH_END lies in the past)
ACERT="${ACERT_DIR}/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# dave: current marketing membership, starting where the expired one ended.
# Kept in ACERT_DM because it is reused by a later scenario.
ACERT_DM="${ACERT_DIR}/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group marketing \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_DM}"
911
# ikev2/acert-fallback: moon gets the AA key and certificate, carol holds her
# own acerts (sent inline rather than cached on the gateway).
TEST="${TEST_DIR}/ikev2/acert-fallback"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/acerts" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# carol: finance membership that already expired (SH_END lies in the past)
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# carol: current sales membership, kept in ACERT_CS for reuse below
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"
932
# ikev2/acert-inline: moon trusts the AA, carol and dave each carry the
# currently valid acert generated above (ACERT_CS and ACERT_DM).
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/acerts" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}"  "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}"  "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
943
# A second, "legacy" AA whose certificate is already expired (valid only up
# to SH_END, i.e. yesterday). Installed on moon in ikev2/acert-inline.
CN="strongSwan Legacy AA"
SERIAL="18"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# dave: sales acert that is itself still valid but signed by the expired AA,
# so a verifier must reject it on the issuer's validity, not its own.
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"
962
963 ################################################################################
964 # strongSwan Root CA index for OCSP server                                     #
965 ################################################################################
966
967 # generate index.txt file for Root OCSP server
968 cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
969 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
970 sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
971 sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
972 sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
973
974 ################################################################################
975 # Research CA                                                                  #
976 ################################################################################
977
978 # Generate a carol research certificate
979 TEST="${TEST_DIR}/ikev2/multi-level-ca"
980 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
981 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
982 CN="carol@strongswan.org"
983 SERIAL="01"
984 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
985 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
986 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
987 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
988     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
989     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
990     --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
991 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
992
993 # Save a copy of the private key in DER format
994 openssl rsa -in ${TEST_KEY} -outform der \
995             -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
996
997 # Put a copy in the following scenarios
998 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
999          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
1000          ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
1001          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
1002          ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
1003          ikev1/multi-level-ca-cr-resp
1004 do
1005   TEST="${TEST_DIR}/${t}"
1006   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1007   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1008   cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
1009   cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1010 done
1011
1012 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
1013 do
1014   TEST="${TEST_DIR}/swanctl/${t}"
1015   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1016   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1017   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1018   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1019 done
1020
# carol: a second Research-CA certificate for the SAME key, this time with
# neither a CRL distribution point nor an OCSP URI, so that a verifier with
# "OCSP if URI present" semantics skips revocation checking entirely.
# NOTE(review): this reuses serial 01 (and CN/SERIAL from the block above)
# under the same issuer, so two distinct Research-CA certificates share one
# serial number; deliberate here, but any per-serial lookup (CRL, OCSP
# index) cannot tell them apart.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/certs" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/private"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
1031
# OCSP responder (signing) certificate for the Research CA, issued by the
# Research CA with the ocspSigning extended key usage.
CN="ocsp.research.strongswan.org"
OU="Research OCSP Signing Authority"
SERIAL="02"
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
1044
# Cross-certificate: the Sales CA key certified by the Research CA (--ca).
# Together with the mirror-image certificate in the Sales section this
# deliberately creates a certification loop for ikev2/multi-level-ca-loop,
# which must terminate path building instead of recursing forever.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
1055
1056 ################################################################################
1057 # Duck Research CA                                                                     #
1058 ################################################################################
1059
1060 # Generate a Duck Research CA certificate signed by the Research CA
1061 SERIAL="04"
1062 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
1063 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
1064     --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1065     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
1066     --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
1067 cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
1068
1069 # Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
1070 TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
1071 cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1072
1073 # Generate a carol certificate signed by the Duck Research CA
1074 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
1075 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1076 CN="carol@strongswan.org"
1077 SERIAL="01"
1078 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1079 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1080 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1081 pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
1082     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1083     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
1084     --outform pem > ${TEST_CERT}
1085 cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
1086
1087 # Generate index.txt file for Research OCSP server
1088 cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
1089 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
1090
1091 ################################################################################
1092 # Sales CA                                                                     #
1093 ################################################################################
1094
1095 # Generate a dave sales certificate
1096 TEST="${TEST_DIR}/ikev2/multi-level-ca"
1097 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
1098 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1099 CN="dave@strongswan.org"
1100 SERIAL="01"
1101 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1102 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1103 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1104 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1105     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1106     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1107     --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1108 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1109
1110 # Save a copy of the private key in DER format
1111 openssl rsa -in ${TEST_KEY} -outform der \
1112             -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
1113
1114 # Put a copy in the following scenarios
1115 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
1116          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
1117          ikev2/ocsp-multi-level ikev1/multi-level-ca \
1118          ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
1119 do
1120   TEST="${TEST_DIR}/${t}"
1121   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1122   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1123   cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1124   cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1125 done
1126
1127 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
1128 do
1129   TEST="${TEST_DIR}/swanctl/${t}"
1130   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1131   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1132   cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1133   cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1134 done
1135
# dave: a second Sales-CA certificate for the SAME key with no CDP but an
# OCSP URI pointing at a responder that is not running. A verifier with
# "OCSP if URI present" semantics must therefore attempt OCSP and fail.
# NOTE(review): this reuses serial 01 (and CN/SERIAL from the block above)
# under the same issuer, so two distinct Sales-CA certificates share one
# serial number; deliberate here, but per-serial revocation data cannot
# distinguish them.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/certs" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/private"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
1146
# OCSP responder (signing) certificate for the Sales CA, issued by the Sales
# CA with the ocspSigning extended key usage.
CN="ocsp.sales.strongswan.org"
OU="Sales OCSP Signing Authority"
SERIAL="02"
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${SALES_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1159
# Cross-certificate: the Research CA key certified by the Sales CA (--ca).
# This is the other half of the certification loop used by
# ikev2/multi-level-ca-loop (see sales_by_researchCert.pem above).
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Instantiate the Sales CA's index.txt for its OCSP server; only the
# end-entity expiry placeholder is used in this template.
cp "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${SALES_DIR}/index.txt"
1174
1175 ################################################################################
1176 # Levels L3 CA                                                                 #
1177 ################################################################################
1178
1179 # Generate a carol l3 certificate
1180 TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
1181 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1182 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1183 CN="carol@strongswan.org"
1184 SERIAL="01"
1185 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1186 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1187 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1188 pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
1189     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1190     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
1191     --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
1192 cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
1193
1194 for t in tkm/multi-level-ca
1195 do
1196   TEST="${TEST_DIR}/${t}"
1197   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1198   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1199   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1200   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1201 done
1202
1203 ################################################################################
1204 # strongSwan EC Root CA                                                        #
1205 ################################################################################
1206
1207 # Generate strongSwan EC Root CA
1208 pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
1209 pki --self --type ecdsa --in ${ECDSA_KEY} \
1210     --not-before "${START}" --not-after "${CA_END}" --ca \
1211     --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
1212     --outform pem > ${ECDSA_CERT}
1213
1214 # Put a copy in the openssl-ikev2/ecdsa-certs scenario
1215 for t in ecdsa-certs ecdsa-pkcs8
1216 do
1217   TEST="${TEST_DIR}/openssl-ikev2/${t}"
1218   for h in moon carol dave
1219   do
1220     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1221     cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1222   done
1223 done
1224
# End-entity ECDSA certificates under the EC Root CA, one key size per host
# (moon 521, carol 256, dave 384 bits). The key/cert variables are kept
# per host because later scenarios reuse them.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"

# moon: 521-bit key.
# NOTE(review): the OU says "ECDSA 512 bit" although the key is 521 bits.
# The DN is a runtime string that scenario configs/expected output may match
# on, so it is left unchanged here; fix together with those if desired.
CN="moon.strongswan.org"
SERIAL="01"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# carol: 256-bit key
CN="carol@strongswan.org"
SERIAL="02"
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${CAROL_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${CAROL_CERT}"
cp "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# dave: 384-bit key
CN="dave@strongswan.org"
SERIAL="03"
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${DAVE_KEY}" --not-before "${START}" --not-after "${EE_END}" \
    --san "${CN}" --serial "${SERIAL}" \
    --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${DAVE_CERT}"
cp "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1267
# openssl-ikev2/ecdsa-pkcs8: same EE certificates, but the private keys are
# delivered in PKCS#8 form, one container variant per host, to exercise the
# PKCS#8 parser. These encodings are test fixtures only and not guidance:
#   moon  - unencrypted PKCS#8 (PrivateKeyInfo)
#   carol - PKCS#5 v1.5 PBE-MD5-DES (legacy, weak; parser coverage only)
#   dave  - PKCS#5 v2.0 with AES-128
# The passphrases are committed fixtures and presumably must match the
# scenario's secrets configuration (not visible here).
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
for h in moon carol dave
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509"
done
cp "${MOON_CERT}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${DAVE_CERT}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"

# moon: unencrypted PKCS#8
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${MOON_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# carol: PKCS#5 v1.5, PBE-MD5-DES (-nocrypt refers to the unencrypted input)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${CAROL_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# dave: PKCS#5 v2.0, AES-128
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${DAVE_KEY}" -nocrypt -topk8  -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"
1293
# openssl-ikev1/ecdsa-certs: each host gets its ECDSA key, its certificate
# and the EC Root CA as trust anchor. Directories are created relative to
# each host's swanctl directory (cd); the working directory is left in
# dave's swanctl directory afterwards.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"

cd "${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp "${MOON_KEY}"   ecdsa
cp "${MOON_CERT}"  x509
cp "${ECDSA_CERT}" x509ca

cd "${TEST}/hosts/carol/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp "${CAROL_KEY}"  ecdsa
cp "${CAROL_CERT}" x509
cp "${ECDSA_CERT}" x509ca

cd "${TEST}/hosts/dave/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp "${DAVE_KEY}"   ecdsa
cp "${DAVE_CERT}"  x509
cp "${ECDSA_CERT}" x509ca
1311
1312 ################################################################################
1313 # strongSwan RFC3779 Root CA                                                   #
1314 ################################################################################
1315
1316 # Generate strongSwan RFC3779 Root CA
1317 pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
1318 pki --self --type rsa --in ${RFC3779_KEY} \
1319     --not-before "${START}" --not-after "${CA_END}" --ca \
1320     --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
1321     --addrblock "10.1.0.0-10.2.255.255" \
1322     --addrblock "10.3.0.1-10.3.3.232" \
1323     --addrblock "192.168.0.0/24" \
1324     --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
1325     --outform pem > ${RFC3779_CERT}
1326
1327 # Put a copy in the ikev2/net2net-rfc3779 scenario
1328 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1329 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1330 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1331 cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1332 cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1333
1334 # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
1335 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1336 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1337 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1338 cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1339 cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1340
1341 # Generate a moon RFC3779 certificate
1342 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1343 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1344 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1345 CN="moon.strongswan.org"
1346 SERIAL="01"
1347 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1348 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1349 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1350 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1351     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1352     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1353     --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
1354     --addrblock "fec0::1/128" --addrblock "fec1::/16" \
1355     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1356 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1357
1358 # Put a copy in the ipv6 scenarios
1359 for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
1360 do
1361   cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
1362   mkdir -p rsa x509 x509ca
1363   cp ${TEST_KEY}  rsa
1364   cp ${TEST_CERT} x509
1365   cp ${RFC3779_CERT} x509ca
1366 done
1367
1368 # Generate a sun RFC3779 certificate
1369 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1370 TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
1371 TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
1372 CN="sun.strongswan.org"
1373 SERIAL="02"
1374 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
1375 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
1376 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1377 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1378     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1379     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1380     --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
1381     --addrblock "fec0::2/128" --addrblock "fec2::/16" \
1382     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1383 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1384
1385 # Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
1386 cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
1387 mkdir -p rsa x509 x509ca
1388 cp ${TEST_KEY} rsa
1389 cp ${TEST_CERT} x509
1390 cp ${RFC3779_CERT} x509ca
1391
1392 # Generate a carol RFC3779 certificate
1393 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1394 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1395 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1396 CN="carol@strongswan.org"
1397 SERIAL="03"
1398 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1399 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1400 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1401 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1402     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1403     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1404     --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
1405     --addrblock "fec0::10/128" \
1406     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1407 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1408
1409 # Generate a carol RFC3779 certificate
1410 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1411 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1412 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1413 CN="dave@strongswan.org"
1414 SERIAL="04"
1415 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1416 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1417 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1418 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1419     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1420     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1421     --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
1422     --addrblock "fec0::20/128" \
1423     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1424 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1425
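################################################################################
# strongSwan SHA3-RSA Root CA                                                  #
################################################################################

# Use specific plugin configuration to issue certificates with SHA-3 signatures
# as not all crypto plugins support them.  To avoid entropy issues use the
# default plugins to generate the keys, and only set PKI_PLUGINS for the
# signing (--self / --issue) invocations.
SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"

# Generate strongSwan SHA3-RSA Root CA
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --self --type rsa --in "${SHA3_RSA_KEY}" --digest sha3_256 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --outform pem > "${SHA3_RSA_CERT}"

# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
for h in moon sun
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Generate a sun SHA3-RSA certificate
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${SUN_CERT}"
# keep the issued certificate in the CA's own certs/ directory, named by serial
cp "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a moon SHA3-RSA certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Put a copy in the botan/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp "${MOON_KEY}"      rsa
cp "${MOON_CERT}"     x509
cp "${SHA3_RSA_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp "${SUN_KEY}"       rsa
cp "${SUN_CERT}"      x509
cp "${SHA3_RSA_CERT}" x509ca

# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${MOON_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"

# Generate a carol SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Every host of the rw-eap-tls-sha3-rsa scenario needs the CA certificate
for h in moon carol dave
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done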
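################################################################################
# strongSwan Ed25519 Root CA                                                   #
################################################################################

# Generate strongSwan Ed25519 Root CA.  The CA asserts two certificate policy
# OIDs; each end-entity certificate below carries exactly one of them, which
# the rw-ed25519-certpol scenario can use to distinguish peers.
pki --gen  --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > "${ED25519_CERT}"

# Put a copy in the swanctl/net2net-ed25519 scenario
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
for h in moon sun
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Generate a sun Ed25519 certificate (policy .2, serverAuth EKU)
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
# keep the issued certificate in the CA's own certs/ directory, named by serial
cp "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a moon Ed25519 certificate (policy .1, serverAuth EKU)
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Put a copy in the botan/net2net-ed25519 scenario
TEST="${TEST_DIR}/botan/net2net-ed25519"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p pkcs8 x509 x509ca
cp "${MOON_KEY}"     pkcs8
cp "${MOON_CERT}"    x509
cp "${ED25519_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}"
mkdir -p pkcs8 x509 x509ca
cp "${SUN_KEY}"      pkcs8
cp "${SUN_CERT}"     x509
cp "${ED25519_CERT}" x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario (ipsec.d layout)
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"
cd "${TEST}/hosts/moon/${IPSEC_DIR}"
mkdir -p cacerts certs private
cp "${MOON_KEY}"     private
cp "${MOON_CERT}"    certs
cp "${ED25519_CERT}" cacerts
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}"
cd "${TEST}/hosts/sun/${IPSEC_DIR}"
mkdir -p cacerts certs private
cp "${SUN_KEY}"      private
cp "${SUN_CERT}"     certs
cp "${ED25519_CERT}" cacerts

# Put a copy in the swanctl/rw-ed25519-certpol scenario
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${MOON_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"

for h in moon carol dave
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Generate a carol Ed25519 certificate (policy .1, clientAuth EKU)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a dave Ed25519 certificate (policy .2, clientAuth EKU)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"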
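################################################################################
# strongSwan Monster Root CA                                                   #
################################################################################

# Generate strongSwan Monster Root CA.  Validity is fixed to 2009-2059 (not
# derived from START/CA_END) so that the after-2038-certs scenario sees
# dates beyond the 32-bit time_t limit.
pki --gen  --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --outform pem > "${MONSTER_CERT}"

# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
for h in moon carol
do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp "${MONSTER_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# Generate a moon Monster certificate, valid 2009-2039.
# NOTE(review): the previous version of this invocation carried a stray bare
# "-" argument after --not-after; the key is read via --in, so it is dropped.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
# keep the issued certificate in the CA's own certs/ directory, named by serial
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"

# Generate a carol Monster certificate, valid 2009-2039 (same stray "-" removed)
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"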
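################################################################################
# Bliss CA                                                                     #
################################################################################

# Generate BLISS Root CA with 192 bit security strength (BLISS-IV, --size 4).
# BLISS keys and certificates are written in DER (no --outform pem), hence the
# .der file names throughout this section.
pki --gen  --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --digest sha3_512 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > "${BLISS_CERT}"

# Put a copy in the following scenarios (both ikev2/ and swanctl/ variants)
for t in rw-newhope-bliss rw-ntru-bliss
do
  TEST="${TEST_DIR}/ikev2/${t}"
  for h in moon carol dave
  do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
    cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  done

  TEST="${TEST_DIR}/swanctl/${t}"
  for h in moon carol dave
  do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  done
done

# Generate a carol BLISS certificate with 128 bit security strength (BLISS-I)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 1 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
# keep the issued certificate in the CA's own certs/ directory, named by serial
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss" \
           "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done

# Generate a dave BLISS certificate with 160 bit security strength (BLISS-III)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 3 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/dave/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss" \
           "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
  cp "${TEST_KEY}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509/"
done

# Generate a moon BLISS certificate with 192 bit security strength (BLISS-IV)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 4 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss" \
           "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
  cp "${TEST_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/"
  cp "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"
done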
1829 ################################################################################
1830 # SQL Data                                                                     #
1831 ################################################################################
1832
1833 CA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CA_KEY}`
1834 CA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${CA_KEY}`
1835 CA_CERT_HEX=`cat ${CA_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1836 CA_CERT_PEM_HEX=`cat ${CA_CERT} | hexdump -v -e '/1 "%02x"'`
1837 #
1838 MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1839 MOON_KEY="${CA_DIR}/keys/moonKey.der"
1840 MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
1841 MOON_KEY_PEM_HEX=`cat ${MOON_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
1842 MOON_KEY_HEX=`cat ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
1843 MOON_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY}`
1844 MOON_PUB_HEX=`pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
1845 MOON_CERT_HEX=`openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1846 MOON_CERT_PEM_HEX=`cat ${MOON_CERT} | hexdump -v -e '/1 "%02x"'`
1847 #
1848 SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1849 SUN_KEY="${CA_DIR}/keys/sunKey.der"
1850 SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
1851 SUN_KEY_PEM_HEX=`cat ${SUN_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
1852 SUN_KEY_HEX=`cat ${SUN_KEY} | hexdump -v -e '/1 "%02x"'`
1853 SUN_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY}`
1854 SUN_CERT_HEX=`openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1855 SUN_CERT_PEM_HEX=`cat ${SUN_CERT} | hexdump -v -e '/1 "%02x"'`
1856 #
1857 CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1858 CAROL_KEY="${CA_DIR}/keys/carolKey.der"
1859 CAROL_KEY_HEX=`cat ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
1860 CAROL_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY}`
1861 CAROL_PUB_HEX=`pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
1862 CAROL_CERT_HEX=`openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1863 #
1864 DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1865 DAVE_KEY="${CA_DIR}/keys/daveKey.der"
1866 DAVE_KEY_HEX=`cat ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
1867 DAVE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY}`
1868 DAVE_PUB_HEX=`pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
1869 DAVE_CERT_HEX=`openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1870 #
1871 ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
1872 ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
1873 ALICE_KEY_HEX=`cat ${ALICE_KEY} | hexdump -v -e '/1 "%02x"'`
1874 ALICE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY}`
1875 ALICE_CERT_HEX=`openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1876 #
1877 VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
1878 VENUS_KEY="${CA_DIR}/keys/venusKey.der"
1879 VENUS_KEY_HEX=`cat ${VENUS_KEY} | hexdump -v -e '/1 "%02x"'`
1880 VENUS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY}`
1881 VENUS_CERT_HEX=`openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1882 #
1883 RESEARCH_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY}`
1884 RESEARCH_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY}`
1885 RESEARCH_CERT_HEX=`cat ${RESEARCH_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1886 #
1887 CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
1888 CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
1889 CAROL_R_KEY_HEX=`cat ${CAROL_R_KEY} | hexdump -v -e '/1 "%02x"'`
1890 CAROL_R_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY}`
1891 CAROL_R_CERT_HEX=`openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1892 #
1893 SALES_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY}`
1894 SALES_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY}`
1895 SALES_CERT_HEX=`cat ${SALES_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1896 #
1897 DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
1898 DAVE_S_KEY="${SALES_DIR}/keys/01.der"
1899 DAVE_S_KEY_HEX=`cat ${DAVE_S_KEY} | hexdump -v -e '/1 "%02x"'`
1900 DAVE_S_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY}`
1901 DAVE_S_CERT_HEX=`openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1902 #
1903 for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
1904          ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
1905          rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
1906 do
1907   for h in carol dave moon
1908   do
1909     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1910     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1911         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1912         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1913         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1914         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1915         -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
1916         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1917         -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
1918         -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
1919         -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
1920         -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
1921         -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
1922         -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
1923         -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
1924         -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
1925         -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
1926         -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
1927         -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
1928         -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
1929         -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
1930         -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
1931         -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
1932         -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
1933         -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
1934         -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
1935         -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
1936         -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
1937         ${TEST_DATA}.in > ${TEST_DATA}
1938   done
1939 done
1940 #
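# Render the SQL fixtures of the rw-eap-aka-rsa scenario for carol and moon.
# Only the CA and moon placeholders are replaced; the *_HEX variables are
# expected to hold hex-encoded key/certificate blobs assigned earlier in this
# script. Hex contains no sed metacharacters, so '/' is a safe delimiter and
# no escaping of the replacement text is needed.
for t in rw-eap-aka-rsa
do
  for h in carol moon
  do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    # Both paths are quoted so a TEST_DIR containing spaces or glob
    # characters cannot be split or expanded (SC2086).
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
        "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done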
1955 #
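# Render the SQL fixtures of the net2net-* scenarios for moon and sun.
# These scenarios carry both DER (*_HEX) and PEM (*_PEM_HEX) encodings of
# the keys and certificates; the placeholders are distinct strings (no one
# is a substring of another), so the order of the -e expressions does not
# matter. All values are expected to be hex, which needs no sed escaping.
for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
do
  for h in moon sun
  do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    # Both paths are quoted so a TEST_DIR containing spaces or glob
    # characters cannot be split or expanded (SC2086).
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
        -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
        -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
        -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
        -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
        -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
        "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done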
1978 #
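# Render the SQL fixtures of the shunt-policies-nat-rw scenario for alice,
# venus and sun. The *_HEX variables are expected to hold hex-encoded
# key/certificate blobs assigned earlier in this script; hex contains no
# sed metacharacters, so '/' is a safe delimiter.
for t in shunt-policies-nat-rw
do
  for h in alice venus sun
  do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    # Both paths are quoted so a TEST_DIR containing spaces or glob
    # characters cannot be split or expanded (SC2086).
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
        -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
        -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
        -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
        -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
        -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
        -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
        "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done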
1999
2000 ################################################################################
2001 # Raw RSA keys                                                                 #
2002 ################################################################################
2003
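# Extract the public halves of moon's and sun's RSA keys in DNSKEY text form
# and inject them into the ipsec.conf of the net2net-rsa scenario.
# Only public key material is written here; the private keys referenced by
# MOON_KEY/SUN_KEY stay in their own files.
MOON_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in "${MOON_KEY}")
SUN_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in "${SUN_KEY}")
#
# '|' is used as the sed delimiter because the dnskey text presumably
# contains '/' (base64). NOTE(review): a literal '&' or '|' in that text
# would still be interpreted by sed; none is expected in base64 output,
# but verify if the pki output format ever changes.
for h in moon sun
do
  TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
  # Both paths are quoted so a TEST_DIR containing spaces or glob
  # characters cannot be split or expanded (SC2086).
  sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
      -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
      "${TEST_DATA}.in" > "${TEST_DATA}"
done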
2015
2016 ################################################################################
2017 # TKM CA ID mapping                                                            #
2018 ################################################################################
2019
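# Render strongswan.conf for the TKM scenarios that need the CA ID mapping.
# CA_SPK_HEX/CA_SPKI_HEX are expected to hold the root CA's subject public
# key (info) as hex; LEVELS_SPK_HEX presumably belongs to the "levels"
# intermediate CA defined at the top of this script and is only consumed by
# the multi-level-ca scenario.
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
         xfrmproxy-rekey
do
  for h in moon
  do
    # Use the loop variable rather than a hard-coded "moon" so this loop is
    # consistent with the other host loops; the rendered path is unchanged.
    TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
    # Both paths are quoted so a TEST_DIR containing spaces or glob
    # characters cannot be split or expanded (SC2086).
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \
        "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done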
2033
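# Render strongswan.conf for the TKM multiple-clients scenario on sun.
# Only the root CA's subject public key (info) placeholders are replaced;
# the values are expected to be hex, which needs no sed escaping.
for t in multiple-clients
do
  for h in sun
  do
    TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
    # Both paths are quoted so a TEST_DIR containing spaces or glob
    # characters cannot be split or expanded (SC2086).
    sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done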