printf '%s\n' "Building certificates"

# pki's leak detective reports spurious warnings out of tzset, so switch it
# off for every pki invocation made by this script
export LEAK_DETECTIVE_DISABLE=1
10 # Determine testing directory
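# Determine testing directory: the parent of the directory this script lives in.
# Every expansion is quoted so a checkout path containing spaces or glob
# characters does not get word-split, and $(...) replaces the nested backticks.
DIR="$(dirname "$(readlink -f "$0")")/.."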
# Global names used throughout the build.
# Organisation name placed in every DN this script issues.
PROJECT="strongSwan Project"

# Root CA material lives on the winnetou host.
CA_DIR="$DIR/hosts/winnetou/etc/ca"
CA_KEY="$CA_DIR/strongswanKey.pem"
CA_CERT="$CA_DIR/strongswanCert.pem"
CA_CERT_DER="$CA_DIR/strongswanCert.der"
# Current CRL, and the previous one that --signcrl chains from via --lastcrl.
CA_CRL="$CA_DIR/strongswan.crl"
CA_LAST_CRL="$CA_DIR/strongswan_last.crl"
# CRL distribution points and OCSP responder URI embedded in issued certs.
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
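# Validity boundaries.  pki takes "%d.%m.%y %T" for --not-before/--not-after;
# the *_EXP values are the same instants formatted as "%y%m%d%H%M%SZ".
# The -d offset syntax is GNU date specific.  Everything is anchored two
# days in the past, presumably so the certificates validate on test hosts
# whose clocks lag the build host — confirm.
# NOTE(review): date is not called with -u, so the trailing "Z" in the *_EXP
# and NOW strings is literal while the value is local time — verify that is
# what the consumers of these values expect.
START=$(date -d "-2 day" "+%d.%m.%y %T")
SH_END=$(date -d "-1 day" "+%d.%m.%y %T")    # 1 day after START (already expired)
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T") # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T") # 9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T") # 8 years
SH_EXP=$(date -d "-1 day" "+%y%m%d%H%M%SZ")    # 1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ") # 9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ") # 8 years
NOW=$(date "+%y%m%d%H%M%SZ")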
# Research CA: an intermediate issued by the Root CA further down.
RESEARCH_DIR="$CA_DIR/research"
RESEARCH_KEY="$RESEARCH_DIR/researchKey.pem"
RESEARCH_CERT="$RESEARCH_DIR/researchCert.pem"
RESEARCH_CERT_DER="$RESEARCH_DIR/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"

# Sales CA: a second intermediate issued by the Root CA.
SALES_DIR="$CA_DIR/sales"
SALES_KEY="$SALES_DIR/salesKey.pem"
SALES_CERT="$SALES_DIR/salesCert.pem"
SALES_CERT_DER="$SALES_DIR/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"

# Separate three-level chain: Levels Root -> L2 -> L3.
LEVELS_DIR="$CA_DIR/levels"
LEVELS_KEY="$LEVELS_DIR/levelsKey.pem"
LEVELS_CERT="$LEVELS_DIR/levelsCert.pem"
LEVELS_CDP="http://crl.strongswan.org/levels.crl"
LEVELS_L2_KEY="$LEVELS_DIR/levelsKey_l2.pem"
LEVELS_L2_CERT="$LEVELS_DIR/levelsCert_l2.pem"
LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
LEVELS_L3_KEY="$LEVELS_DIR/levelsKey_l3.pem"
LEVELS_L3_CERT="$LEVELS_DIR/levelsCert_l3.pem"
LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"

# Locations for the remaining CA variants; they are built later in the
# script (not visible here).
DUCK_DIR="$CA_DIR/duck"
DUCK_KEY="$DUCK_DIR/duckKey.pem"
DUCK_CERT="$DUCK_DIR/duckCert.pem"

ECDSA_DIR="$CA_DIR/ecdsa"
ECDSA_KEY="$ECDSA_DIR/strongswanKey.pem"
ECDSA_CERT="$ECDSA_DIR/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"

RFC3779_DIR="$CA_DIR/rfc3779"
RFC3779_KEY="$RFC3779_DIR/strongswanKey.pem"
RFC3779_CERT="$RFC3779_DIR/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"

SHA3_RSA_DIR="$CA_DIR/sha3-rsa"
SHA3_RSA_KEY="$SHA3_RSA_DIR/strongswanKey.pem"
SHA3_RSA_CERT="$SHA3_RSA_DIR/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"

ED25519_DIR="$CA_DIR/ed25519"
ED25519_KEY="$ED25519_DIR/strongswanKey.pem"
ED25519_CERT="$ED25519_DIR/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"

# "monster" CA: oversized RSA keys for CA and end entities.
MONSTER_DIR="$CA_DIR/monster"
MONSTER_KEY="$MONSTER_DIR/strongswanKey.pem"
MONSTER_CERT="$MONSTER_DIR/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE='8192'
MONSTER_EE_RSA_SIZE='4096'

# BLISS material is kept in DER, unlike the PEM files above.
BLISS_DIR="$CA_DIR/bliss"
BLISS_KEY="$BLISS_DIR/strongswan_blissKey.der"
BLISS_CERT="$BLISS_DIR/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"

# Per-host configuration trees, relative to hosts/<name>/.
IPSEC_DIR='etc/ipsec.d'
SWANCTL_DIR='etc/swanctl'

# Space-separated host list, presumably iterated by the per-host loops below.
HOSTS='carol dave moon sun alice venus bob'
TEST_DIR="$DIR/tests"
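# Create the output trees for every CA.  Only the Root, Research and Sales
# CAs get a keys/ directory; the others only collect issued certificates.
# Paths are quoted so a DIR with spaces cannot split into several arguments.
mkdir -p -- \
  "$CA_DIR/certs" "$CA_DIR/keys" \
  "$RESEARCH_DIR/certs" "$RESEARCH_DIR/keys" \
  "$SALES_DIR/certs" "$SALES_DIR/keys" \
  "$LEVELS_DIR/certs" \
  "$DUCK_DIR/certs" \
  "$ECDSA_DIR/certs" \
  "$RFC3779_DIR/certs" \
  "$SHA3_RSA_DIR/certs" \
  "$ED25519_DIR/certs" \
  "$MONSTER_DIR/certs" \
  "$BLISS_DIR/certs"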
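################################################################################
# strongSwan Root CA #
################################################################################

# Generate the strongSwan Root CA key and self-signed certificate.
# RSA_SIZE is set earlier in the script (not visible here).  pathlen 1 permits
# one level of intermediate CA (Research/Sales) beneath the root.
# NOTE(review): if the script does not run under set -e, a failed --gen leaves
# an empty key file that every later step silently consumes — confirm.
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$CA_KEY"
pki --self --type rsa --in "$CA_KEY" --not-before "$START" --not-after "$CA_END" \
  --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
  --outform pem > "$CA_CERT"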
127 # Distribute strongSwan Root CA certificate
130 HOST_DIR="${DIR}/hosts/${h}"
131 mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
132 mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
133 cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
134 cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
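# Put a copy onto the alice FreeRADIUS server
mkdir -p "$DIR/hosts/alice/etc/raddb/certs"
cp "$CA_CERT" "$DIR/hosts/alice/etc/raddb/certs"

# Convert strongSwan Root CA certificate into DER format
openssl x509 -in "$CA_CERT" -outform der -out "$CA_CERT_DER"

# Generate a stale CRL: this-update is START (two days back) with a lifetime
# of 1, so it is already out of date when the scenarios run.
pki --signcrl --cakey "$CA_KEY" --cacert "$CA_CERT" \
  --this-update "$START" --lifetime 1 > "$CA_LAST_CRL"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="$TEST_DIR/ikev2/crl-ldap"
mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/crls" "$TEST/hosts/moon/$IPSEC_DIR/crls"
cp "$CA_LAST_CRL" "$TEST/hosts/carol/$IPSEC_DIR/crls/stale.crl"
cp "$CA_LAST_CRL" "$TEST/hosts/moon/$IPSEC_DIR/crls/stale.crl"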
158 HOST_DIR="${DIR}/hosts/${h}"
159 HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
160 mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
161 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
163 # Put a copy into swanctl directory tree
164 mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
165 cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
167 # Convert host key into DER format
168 openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
172 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
173 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
174 multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
177 TEST="${TEST_DIR}/tkm/${t}"
178 mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
179 cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
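# Put DER-encoded sun private key and Root CA certificate into tkm scenarios.
# TKM_DIR is defined earlier in the script (not visible here).
TEST="$TEST_DIR/tkm/multiple-clients"
mkdir -p "$TEST/hosts/sun/$TKM_DIR"
cp "$CA_DIR/keys/sunKey.der" "$CA_CERT_DER" "$TEST/hosts/sun/$TKM_DIR"

# Convert moon private key into unencrypted PKCS#8 format
TEST="$TEST_DIR/ikev2/rw-pkcs8"
HOST_KEY="$DIR/hosts/moon/$SWANCTL_DIR/rsa/moonKey.pem"
TEST_KEY="$TEST/hosts/moon/$IPSEC_DIR/private/moonKey.pem"
mkdir -p "$TEST/hosts/moon/$IPSEC_DIR/private"
openssl pkcs8 -in "$HOST_KEY" -nocrypt -topk8 -out "$TEST_KEY"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format.
# The passphrase is a fixed test-fixture value; the scenario configuration
# presumably carries the same string — verify when changing it.
# NOTE(review): -nocrypt and -v1 are both passed; confirm the written file is
# actually encrypted, since the scenario relies on that.
HOST_KEY="$DIR/hosts/carol/$SWANCTL_DIR/rsa/carolKey.pem"
TEST_KEY="$TEST/hosts/carol/$IPSEC_DIR/private/carolKey.pem"
mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/private"
openssl pkcs8 -in "$HOST_KEY" -nocrypt -topk8 -v1 PBE-MD5-DES \
  -passout "pass:nH5ZQEWtku0RJEZ6" -out "$TEST_KEY"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
# (same -nocrypt/-v2 combination as above — see the note there).
HOST_KEY="$DIR/hosts/dave/$SWANCTL_DIR/rsa/daveKey.pem"
TEST_KEY="$TEST/hosts/dave/$IPSEC_DIR/private/daveKey.pem"
mkdir -p "$TEST/hosts/dave/$IPSEC_DIR/private"
openssl pkcs8 -in "$HOST_KEY" -nocrypt -topk8 -v2 aes128 \
  -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "$TEST_KEY"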
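################################################################################
# Public Key Extraction #
################################################################################

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
# and hand the peer (sun) a copy.
TEST="$TEST_DIR/swanctl/net2net-pubkey"
TEST_PUB="$TEST/hosts/moon/$SWANCTL_DIR/pubkey/moonPub.pem"
HOST_KEY="$DIR/hosts/moon/$SWANCTL_DIR/rsa/moonKey.pem"
mkdir -p "$TEST/hosts/moon/$SWANCTL_DIR/pubkey" "$TEST/hosts/sun/$SWANCTL_DIR/pubkey"
pki --pub --type rsa --in "$HOST_KEY" --outform pem > "$TEST_PUB"
cp "$TEST_PUB" "$TEST/hosts/sun/$SWANCTL_DIR/pubkey"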
221 # Put a copy into the following ikev2 scenarios
222 for t in net2net-dnssec net2net-pubkey rw-dnssec
224 TEST="${TEST_DIR}/ikev2/${t}"
225 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
226 cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
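# TEST_PUB still holds the moon public key extracted above.
# Put a copy into the ikev2/net2net-pubkey scenario
TEST="$TEST_DIR/ikev2/net2net-pubkey"
mkdir -p "$TEST/hosts/sun/$IPSEC_DIR/certs"
cp "$TEST_PUB" "$TEST/hosts/sun/$IPSEC_DIR/certs"

# Put a copy into the swanctl/rw-dnssec scenario
TEST="$TEST_DIR/swanctl/rw-dnssec"
mkdir -p "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"
cp "$TEST_PUB" "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"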
239 # Put a copy into the following swanctl scenarios
240 for t in rw-pubkey-anon rw-pubkey-keyid
242 TEST="${TEST_DIR}/swanctl/${t}"
243 for h in moon carol dave
245 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
246 cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
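# Extract the raw sun public key for the swanctl/net2net-pubkey scenario.
# Target directories that get no mkdir here were created by the moon steps
# and the rw-pubkey-* loop above.
TEST="$TEST_DIR/swanctl/net2net-pubkey"
TEST_PUB="$TEST/hosts/sun/$SWANCTL_DIR/pubkey/sunPub.pem"
HOST_KEY="$DIR/hosts/sun/$SWANCTL_DIR/rsa/sunKey.pem"
pki --pub --type rsa --in "$HOST_KEY" --outform pem > "$TEST_PUB"
cp "$TEST_PUB" "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="$TEST_DIR/ikev2/net2net-dnssec"
mkdir -p "$TEST/hosts/sun/$IPSEC_DIR/certs"
cp "$TEST_PUB" "$TEST/hosts/sun/$IPSEC_DIR/certs"

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="$TEST_DIR/ikev2/net2net-pubkey"
cp "$TEST_PUB" "$TEST/hosts/moon/$IPSEC_DIR/certs"
cp "$TEST_PUB" "$TEST/hosts/sun/$IPSEC_DIR/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="$TEST_DIR/swanctl/rw-pubkey-anon"
cp "$TEST_PUB" "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"

# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="$TEST_DIR/swanctl/rw-dnssec"
TEST_PUB="$TEST/hosts/carol/$SWANCTL_DIR/pubkey/carolPub.pem"
HOST_KEY="$DIR/hosts/carol/$SWANCTL_DIR/rsa/carolKey.pem"
mkdir -p "$TEST/hosts/carol/$SWANCTL_DIR/pubkey"
pki --pub --type rsa --in "$HOST_KEY" --outform pem > "$TEST_PUB"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="$TEST_DIR/swanctl/rw-pubkey-anon"
cp "$TEST_PUB" "$TEST/hosts/carol/$SWANCTL_DIR/pubkey"
cp "$TEST_PUB" "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="$TEST_DIR/swanctl/rw-pubkey-keyid"
cp "$TEST_PUB" "$TEST/hosts/carol/$SWANCTL_DIR/pubkey"
cp "$TEST_PUB" "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"

# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="$TEST_DIR/swanctl/rw-dnssec"
TEST_PUB="$TEST/hosts/dave/$SWANCTL_DIR/pubkey/davePub.pem"
HOST_KEY="$DIR/hosts/dave/$SWANCTL_DIR/rsa/daveKey.pem"
mkdir -p "$TEST/hosts/dave/$SWANCTL_DIR/pubkey"
pki --pub --type rsa --in "$HOST_KEY" --outform pem > "$TEST_PUB"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="$TEST_DIR/swanctl/rw-pubkey-anon"
cp "$TEST_PUB" "$TEST/hosts/dave/$SWANCTL_DIR/pubkey"
cp "$TEST_PUB" "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="$TEST_DIR/swanctl/rw-pubkey-keyid"
cp "$TEST_PUB" "$TEST/hosts/dave/$SWANCTL_DIR/pubkey"
cp "$TEST_PUB" "$TEST/hosts/moon/$SWANCTL_DIR/pubkey"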
305 ################################################################################
306 # Host Certificate Generation #
307 ################################################################################
309 # function issue_cert: serial host cn [ou]
312 # does optional OU argument exist?
320 HOST_DIR="${DIR}/hosts/${2}"
321 HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
322 HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
323 mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs
324 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
325 --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
326 --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
327 --outform pem > ${HOST_CERT}
328 cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
330 # Put a certificate copy into swanctl directory tree
331 mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
332 cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
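# Generate host certificates: issue_cert <serial> <host> <cn> [<ou>]
# (defined above).  Serials 01..07 are reused later by scenarios that refer
# to these certificates through ${CA_DIR}/certs/<serial>.pem.
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon.  The export password is a test-fixture value.
# NOTE(review): stderr is discarded, so a failed export only shows up later as
# an empty .p12 in the scenario — consider dropping the redirect when debugging.
TEST="$TEST_DIR/ikev2/net2net-pkcs12"
HOST_KEY="$DIR/hosts/moon/$SWANCTL_DIR/rsa/moonKey.pem"
HOST_CERT="$DIR/hosts/moon/$SWANCTL_DIR/x509/moonCert.pem"
MOON_PKCS12="$TEST/hosts/moon/$IPSEC_DIR/private/moonCert.p12"
mkdir -p "$TEST/hosts/moon/$IPSEC_DIR/private"
openssl pkcs12 -export -inkey "$HOST_KEY" -in "$HOST_CERT" -name "moon" \
  -certfile "$CA_CERT" -caname "strongSwan Root CA" \
  -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "$MOON_PKCS12" 2> /dev/null

# Create PKCS#12 file for sun (same remarks as for moon)
HOST_KEY="$DIR/hosts/sun/$SWANCTL_DIR/rsa/sunKey.pem"
HOST_CERT="$DIR/hosts/sun/$SWANCTL_DIR/x509/sunCert.pem"
SUN_PKCS12="$TEST/hosts/sun/$IPSEC_DIR/private/sunCert.p12"
mkdir -p "$TEST/hosts/sun/$IPSEC_DIR/private"
openssl pkcs12 -export -inkey "$HOST_KEY" -in "$HOST_CERT" -name "sun" \
  -certfile "$CA_CERT" -caname "strongSwan Root CA" \
  -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "$SUN_PKCS12" 2> /dev/null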
# Put PKCS#12 copies into the botan/net2net-pkcs12 and openssl-ikev2/net2net-pkcs12 scenarios
364 for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
366 TEST="${TEST_DIR}/${t}"
367 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
368 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
369 cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
370 cp ${SUN_PKCS12} ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
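################################################################################
# DNSSEC Zone Files #
################################################################################

# Store moon and sun certificates in strongswan.org zone.
# The file is (re)created here; the loops below append to it.
ZONE_FILE="$CA_DIR/db.strongswan.org.certs-and-keys"
printf '%s\n' "; Automatically generated for inclusion in zone file" > "$ZONE_FILE"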
382 HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
383 cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
384 echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
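# Store public keys in strongswan.org zone (separator comment line first)
printf ';\n' >> "$ZONE_FILE"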
389 for h in moon sun carol dave
391 HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
392 pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
393 echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
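# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP.
# Serials 01 and 03 match the carol/moon certificates issued by issue_cert
# above, presumably so the scenario's CRL refers to the same serials — confirm.
TEST="$TEST_DIR/swanctl/crl-to-cache"
TEST_CERT="$TEST/hosts/carol/$SWANCTL_DIR/x509/carolCert.pem"
HOST_KEY="$DIR/hosts/carol/$SWANCTL_DIR/rsa/carolKey.pem"
CN="carol@strongswan.org"
mkdir -p "$TEST/hosts/carol/$SWANCTL_DIR/x509"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_BASE_CDP" --type rsa \
  --in "$HOST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
  --outform pem > "$TEST_CERT"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
TEST_CERT="$TEST/hosts/moon/$SWANCTL_DIR/x509/moonCert.pem"
HOST_KEY="$DIR/hosts/moon/$SWANCTL_DIR/rsa/moonKey.pem"
CN="moon.strongswan.org"
mkdir -p "$TEST/hosts/moon/$SWANCTL_DIR/x509"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_BASE_CDP" --type rsa \
  --in "$HOST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
  --outform pem > "$TEST_CERT"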
417 # Encrypt carolKey.pem
418 HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
419 KEY_PWD="nH5ZQEWtku0RJEZ6"
420 openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
# Put a copy into the ikev2/dynamic-initiator, ikev1/dynamic-initiator and ikev1/dynamic-responder scenarios
424 for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
426 TEST="${TEST_DIR}/${t}"
427 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
428 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
429 cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
430 cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
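# Put a copy into the swanctl/rw-cert scenario.
# HOST_KEY still points at carol's ipsec.d key that was encrypted in place above.
TEST="$TEST_DIR/swanctl/rw-cert"
mkdir -p "$TEST/hosts/carol/$SWANCTL_DIR/rsa"
cp "$HOST_KEY" "$TEST/hosts/carol/$SWANCTL_DIR/rsa"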
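# Generate another carol certificate and revoke it.
# SERIAL is expected to have been assigned for this certificate just before
# this step (assignment not visible here).
TEST="$TEST_DIR/ikev2/crl-revoked"
TEST_KEY="$TEST/hosts/carol/$IPSEC_DIR/private/carolKey.pem"
TEST_CERT="$TEST/hosts/carol/$IPSEC_DIR/certs/carolCert.pem"
CN="carol@strongswan.org"

mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/private" "$TEST/hosts/carol/$IPSEC_DIR/certs"
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$TEST_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$TEST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
  --outform pem > "$TEST_CERT"
cp "$TEST_CERT" "$CA_DIR/certs/$SERIAL.pem"
# Revoke it with reason key-compromise; the resulting CRL also becomes the
# "last CRL" that the Research CA step below chains onto via --lastcrl.
pki --signcrl --cakey "$CA_KEY" --cacert "$CA_CERT" --reason "key-compromise" \
  --serial "$SERIAL" > "$CA_CRL"
cp "$CA_CRL" "$CA_LAST_CRL"

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="$TEST_DIR/ikev2/ocsp-revoked"
mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/private" "$TEST/hosts/carol/$IPSEC_DIR/certs"
cp "$TEST_KEY" "$TEST/hosts/carol/$IPSEC_DIR/private"
cp "$TEST_CERT" "$TEST/hosts/carol/$IPSEC_DIR/certs"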
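# Generate another carol certificate with SN=002 in the DN (CN unchanged from
# the step above).  SERIAL is expected to be reassigned just before this step.
TEST="$TEST_DIR/ikev2/two-certs"
TEST_KEY="$TEST/hosts/carol/$IPSEC_DIR/private/carolKey-002.pem"
TEST_CERT="$TEST/hosts/carol/$IPSEC_DIR/certs/carolCert-002.pem"

mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/private" "$TEST/hosts/carol/$IPSEC_DIR/certs"
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$TEST_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$TEST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
  --outform pem > "$TEST_CERT"
cp "$TEST_CERT" "$CA_DIR/certs/$SERIAL.pem"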
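################################################################################
# Research CA Certificate Generation #
################################################################################

# Generate a Research CA certificate signed by the Root CA and revoke it.
# SERIAL is expected to be assigned just before this step (not visible here).
TEST="$TEST_DIR/ikev2/multi-level-ca-revoked"
TEST_CERT="$TEST/hosts/moon/$IPSEC_DIR/cacerts/researchCert.pem"

mkdir -p "$TEST/hosts/moon/$IPSEC_DIR/cacerts/"
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$RESEARCH_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$RESEARCH_KEY" --not-before "$START" --not-after "$IM_END" --ca \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
  --outform pem > "$TEST_CERT"
cp "$TEST_CERT" "$CA_DIR/certs/$SERIAL.pem"
# Chain onto the previous CRL so the earlier carol revocation is retained.
pki --signcrl --cakey "$CA_KEY" --cacert "$CA_CERT" --reason "ca-compromise" \
  --serial "$SERIAL" --lastcrl "$CA_LAST_CRL" > "$CA_CRL"

# Generate Research CA with the same private key as above signed by Root CA.
# SERIAL is expected to differ from the revoked certificate's serial — confirm
# against the assignment preceding this step.
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$RESEARCH_KEY" --not-before "$START" --not-after "$IM_END" --ca \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
  --outform pem > "$RESEARCH_CERT"
cp "$RESEARCH_CERT" "$CA_DIR/certs/$SERIAL.pem"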
504 # Put a certificate copy into the following scenarios
505 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
506 ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
507 ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
509 TEST="${TEST_DIR}/${t}"
510 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
511 cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
514 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
515 ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
517 TEST="${TEST_DIR}/${t}"
518 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
519 cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
522 for t in multi-level-ca ocsp-multi-level
524 TEST="${TEST_DIR}/swanctl/${t}"
525 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
526 cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
529 for t in rw-hash-and-url-multi-level
531 TEST="${TEST_DIR}/swanctl/${t}"
532 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
533 cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
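# Convert Research CA certificate into DER format
openssl x509 -in "$RESEARCH_CERT" -outform der -out "$RESEARCH_CERT_DER"

# Generate Research CA with the same private key as above but an invalid CDP,
# for the scenario that exercises an unreachable CRL.
TEST="$TEST_DIR/ikev2/multi-level-ca-skipped"
TEST_CERT="$TEST/hosts/moon/$IPSEC_DIR/cacerts/researchCert.pem"
mkdir -p "$TEST/hosts/moon/$IPSEC_DIR/cacerts"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --type rsa \
  --crl "http://crl.strongswan.org/not-available.crl" \
  --in "$RESEARCH_KEY" --not-before "$START" --not-after "$IM_END" --ca \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
  --outform pem > "$TEST_CERT"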
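################################################################################
# Sales CA Certificate Generation #
################################################################################

# Generate Sales CA signed by Root CA.
# SERIAL is expected to be assigned just before this step (not visible here).
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$SALES_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$SALES_KEY" --not-before "$START" --not-after "$IM_END" --ca \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
  --outform pem > "$SALES_CERT"
cp "$SALES_CERT" "$CA_DIR/certs/$SERIAL.pem"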
562 # Put a certificate copy into the following scenarios
563 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
564 ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
565 ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
567 TEST="${TEST_DIR}/${t}"
568 cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
571 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
572 ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
574 TEST="${TEST_DIR}/${t}"
575 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
576 cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
579 for t in multi-level-ca ocsp-multi-level
581 TEST="${TEST_DIR}/swanctl/${t}"
582 cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
585 for t in rw-hash-and-url-multi-level
587 TEST="${TEST_DIR}/swanctl/${t}"
588 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
589 cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
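# Convert Sales CA certificate into DER format
openssl x509 -in "$SALES_CERT" -outform der -out "$SALES_CERT_DER"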
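################################################################################
# Multi-level CA Certificate Generation #
################################################################################

# Generate Levels Root CA (pathlen is higher than the regular root so that
# the L2 and L3 intermediates below it both validate)
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$LEVELS_KEY"
pki --self --type rsa --in "$LEVELS_KEY" --not-before "$START" --not-after "$CA_END" \
  --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
  --outform pem > "$LEVELS_CERT"

# For TKM's CA ID mapping: subjectPublicKey identifier of the Levels Root key
# as hex (consumed later in the script, not visible here)
LEVELS_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "$LEVELS_KEY")

# Generate Levels L2 CA signed by Levels Root CA
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$LEVELS_L2_KEY"
pki --issue --cakey "$LEVELS_KEY" --cacert "$LEVELS_CERT" --crl "$LEVELS_CDP" \
  --type rsa --in "$LEVELS_L2_KEY" --not-before "$START" --not-after "$IM_END" \
  --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
  --outform pem > "$LEVELS_L2_CERT"

# Generate Levels L3 CA signed by Levels L2 CA
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$LEVELS_L3_KEY"
pki --issue --cakey "$LEVELS_L2_KEY" --cacert "$LEVELS_L2_CERT" --crl "$LEVELS_L2_CDP" \
  --type rsa --in "$LEVELS_L3_KEY" --not-before "$START" --not-after "$IM_END" \
  --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
  --outform pem > "$LEVELS_L3_CERT"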
622 for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
624 TEST="${TEST_DIR}/${t}"
627 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
628 cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
630 cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
631 cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
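# Put DER-encoded Levels CA certificate into tkm scenario
TEST="$TEST_DIR/tkm/multi-level-ca"
mkdir -p "$TEST/hosts/moon/$TKM_DIR"
openssl x509 -in "$LEVELS_CERT" -outform der -out "$TEST/hosts/moon/$TKM_DIR/levelsCert.der"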
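################################################################################

# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate.
# KEY_PWD (a test-fixture value) is consumed by the key-encryption step that
# follows; SERIAL is expected to be assigned just before this step.
TEST="$TEST_DIR/ikev2/strong-keys-certs"
TEST_KEY="$TEST/hosts/moon/$IPSEC_DIR/private/moonKey-aes128.pem"
TEST_CERT="$TEST/hosts/moon/$IPSEC_DIR/certs/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"

mkdir -p "$TEST/hosts/moon/$IPSEC_DIR/private" "$TEST/hosts/moon/$IPSEC_DIR/certs"
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$TEST_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$TEST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
  --digest sha224 --outform pem > "$TEST_CERT"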
655 openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
657 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
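# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
# (TEST still points at ikev2/strong-keys-certs; KEY_PWD feeds the
# encryption step that follows; SERIAL is expected to be reassigned first).
TEST_KEY="$TEST/hosts/carol/$IPSEC_DIR/private/carolKey-aes192.pem"
TEST_CERT="$TEST/hosts/carol/$IPSEC_DIR/certs/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"

mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/private" "$TEST/hosts/carol/$IPSEC_DIR/certs"
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$TEST_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$TEST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
  --digest sha384 --outform pem > "$TEST_CERT"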
672 openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
674 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
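# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
# (TEST still points at ikev2/strong-keys-certs; KEY_PWD feeds the
# encryption step that follows; SERIAL is expected to be reassigned first).
TEST_KEY="$TEST/hosts/dave/$IPSEC_DIR/private/daveKey-aes256.pem"
TEST_CERT="$TEST/hosts/dave/$IPSEC_DIR/certs/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"

mkdir -p "$TEST/hosts/dave/$IPSEC_DIR/private" "$TEST/hosts/dave/$IPSEC_DIR/certs"
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$TEST_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$TEST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
  --digest sha512 --outform pem > "$TEST_CERT"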
689 openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
691 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
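# Generate another carol certificate with an OCSP URI (AIA pointing at CA_OCSP).
# SERIAL is expected to be assigned just before this step (not visible here).
TEST="$TEST_DIR/ikev2/ocsp-signer-cert"
TEST_KEY="$TEST/hosts/carol/$IPSEC_DIR/private/carolKey.pem"
TEST_CERT="$TEST/hosts/carol/$IPSEC_DIR/certs/carolCert.pem"
CN="carol@strongswan.org"

mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/private" "$TEST/hosts/carol/$IPSEC_DIR/certs"
pki --gen --type rsa --size "$RSA_SIZE" --outform pem > "$TEST_KEY"
pki --issue --cakey "$CA_KEY" --cacert "$CA_CERT" --crl "$CA_CDP" --type rsa \
  --in "$TEST_KEY" --not-before "$START" --not-after "$EE_END" --san "$CN" \
  --serial "$SERIAL" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
  --ocsp "$CA_OCSP" --outform pem > "$TEST_CERT"
cp "$TEST_CERT" "$CA_DIR/certs/$SERIAL.pem"

# Put a copy into the ikev2/ocsp-timeouts-good scenario
TEST="$TEST_DIR/ikev2/ocsp-timeouts-good"
mkdir -p "$TEST/hosts/carol/$IPSEC_DIR/private" "$TEST/hosts/carol/$IPSEC_DIR/certs"
cp "$TEST_KEY" "$TEST/hosts/carol/$IPSEC_DIR/private"
cp "$TEST_CERT" "$TEST/hosts/carol/$IPSEC_DIR/certs"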
# Put a copy into the swanctl/ocsp-signer-cert and swanctl/ocsp-disabled scenarios
716 for t in ocsp-signer-cert ocsp-disabled
718 cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
724 # Generate an OCSP Signing certificate for the strongSwan Root CA
725 TEST_KEY="${CA_DIR}/ocspKey.pem"
726 TEST_CERT="${CA_DIR}/ocspCert.pem"
727 CN="ocsp.strongswan.org"
728 OU="OCSP Signing Authority"
730 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
731 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
732 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
733 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
734 --flag ocspSigning --outform pem > ${TEST_CERT}
735 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
737 # Generate a self-signed OCSP Signing certificate
738 TEST_KEY="${CA_DIR}/ocspKey-self.pem"
739 TEST_CERT="${CA_DIR}/ocspCert-self.pem"
740 OU="OCSP Self-Signed Authority"
741 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
742 pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
743 --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
744 --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
745 --outform pem > ${TEST_CERT}
# Install the self-signed OCSP signer in the ikev2/ocsp-local-cert scenario.
# Both peers get it in their ocspcerts directory: explicit local installation
# is the only way a self-signed responder certificate can become trusted.
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
for h in carol moon; do
  dst="${TEST}/hosts/${h}/${IPSEC_DIR}/ocspcerts"
  mkdir -p "${dst}"
  cp "${TEST_CERT}" "${dst}"
done
# Generate mars virtual server certificate
# "mars" is a virtual gateway identity for the HA scenarios: the certificate
# is issued into moon's tree and the very same private key is then copied to
# alice (and, in the loop that follows, to further hosts) so that whichever
# cluster node is active can present the mars identity. Sharing one private
# key across nodes is fine for a test fixture; in a real deployment the
# compromise of any one node compromises the shared identity.
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
# Server certificate (--flag serverAuth) with the Root CA CDP, valid EE_END
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Put a copy into the mirrored gateway
# Same key and certificate on the second node of the both-active cluster
mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
cp ${TEST_KEY} ${TEST}/hosts/alice/${IPSEC_DIR}/private
cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
776 # Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
777 for t in "ha/active-passive" "ikev2/redirect-active"
779 TEST="${TEST_DIR}/${t}"
782 mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
783 mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
784 cp ${TEST_KEY} ${TEST}/hosts/${h}/${IPSEC_DIR}/private
785 cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
# Generate moon certificate with an unsupported critical X.509 extension
# The OID sits in a private enterprise arc (1.3.6.1.4.1.36906.*) and is marked
# critical on purpose: RFC 5280 section 4.2 obliges a relying party to reject
# a certificate carrying a critical extension it does not understand, so the
# critical-extension scenarios exercise that rejection path. Do not copy this
# pattern into real certificates. The sun stanza below duplicates this one
# with the host name swapped.
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
--critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Put a copy in the openssl-ikev2/critical extension scenario
# Same key and certificate for the OpenSSL-plugin variant (swanctl layout)
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
# Generate sun certificate with an unsupported critical X.509 extension
# Mirror of the moon stanza above: same private-arc OID, same critical flag,
# so that both ends of the critical-extension scenarios carry a certificate a
# conforming verifier must reject (RFC 5280 section 4.2).
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
--critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Put a copy in the openssl-ikev2/critical extension scenario
# Same key and certificate for the OpenSSL-plugin variant (swanctl layout)
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
# Generate winnetou server certificate
# Written straight into ${CA_DIR} on winnetou rather than into a scenario
# directory. Presumably the TLS identity of the host behind the CDP/OCSP URIs
# (crl.strongswan.org / ocsp.strongswan.org) — confirm against the winnetou
# host configuration.
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
# Plain server certificate (--flag serverAuth, no OU) from the Root CA
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--flag serverAuth --outform pem > ${HOST_CERT}
cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
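# Generate AAA server certificate
# Issued to alice for the tnc/tnccs-20-pdp-eap scenario; reused by the other
# tnc scenarios and by the FreeRADIUS instance further down.
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
# Guard the cd: if the scenario directory were missing, relative paths used
# afterwards would silently resolve against the previous working directory.
cd "${TEST}/hosts/alice/${SWANCTL_DIR}" || exit 1
# Make sure the directories the redirects below write into exist (idempotent)
mkdir -p rsa x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
# Server certificate (--flag serverAuth) from the Root CA with its CDP
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem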
862 # Put a copy into various tnc scenarios
863 for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
865 cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
# Put a copy into the alice FreeRADIUS server
# This goes into the shared host tree (${DIR}/hosts/alice), not into a
# scenario directory; presumably raddb/certs is where FreeRADIUS picks up its
# EAP server identity. Copying the private key along is intentional here.
cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
874 ################################################################################
875 # strongSwan Attribute Authority #
876 ################################################################################
# Generate Attribute Authority certificate
# The AA is an end-entity certificate of the Root CA (no --ca, no --san) with
# an intermediate-style lifetime (IM_END, 9 years). Its key signs the
# attribute certificates below, which carry group memberships; it is not a CA.
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
CN="strongSwan Attribute Authority"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
# acerts/ receives the attribute certificates generated below
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Generate carol's attribute certificate for sales and finance
# The holder is the Root CA certificate passed via --in (serial 01 = carol,
# 02 = dave), presumably bound by issuer/serial as in RFC 5755 — so if those
# end-entity certificates are ever re-issued under new serials these
# attribute certificates stop matching. Confirm against pki --acert.
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/01.pem --group sales --group finance \
--not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
# Generate dave's expired attribute certificate for sales
# not-after SH_END is yesterday, so this one is already expired when built
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/02.pem --group sales \
--not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
# Generate dave's attribute certificate for marketing
# Valid from yesterday (SH_END) until EE_END; kept in ACERT_DM for reuse below
ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/02.pem --group marketing \
--not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
# Give moon in the ikev2/acert-fallback scenario the same Attribute Authority
# key and certificate (TEST_KEY/TEST_CERT still refer to the AA material);
# acerts/ is created empty here and filled by the carol stanzas that follow.
TEST="${TEST_DIR}/ikev2/acert-fallback"
moon_dir="${TEST}/hosts/moon/${IPSEC_DIR}"
mkdir -p "${moon_dir}/private" "${moon_dir}/aacerts" "${moon_dir}/acerts"
cp "${TEST_KEY}" "${moon_dir}/private"
cp "${TEST_CERT}" "${moon_dir}/aacerts"
# Generate carol's expired attribute certificate for finance
# Stored on carol rather than moon, so presumably the client presents it
# itself in the fallback scenario. not-after SH_END (yesterday) makes it
# expired at build time.
ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/01.pem --group finance \
--not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
# Generate carol's valid attribute certificate for sales
# Valid since yesterday (SH_END); ACERT_CS is reused by the inline scenario
ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/01.pem --group sales \
--not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
# ikev2/acert-inline: moon keeps the AA key and certificate, while the clients
# carry their own attribute certificates (carol: valid sales, dave: marketing)
# instead of moon looking them up locally.
TEST="${TEST_DIR}/ikev2/acert-inline"
moon_dir="${TEST}/hosts/moon/${IPSEC_DIR}"
mkdir -p "${moon_dir}/private" "${moon_dir}/aacerts"
cp "${TEST_KEY}" "${moon_dir}/private"
cp "${TEST_CERT}" "${moon_dir}/aacerts"
for h in carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/acerts"
done
cp "${ACERT_CS}" "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}" "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
# Generate a short-lived Attribute Authority certificate
# Still in the acert-inline scenario (TEST unchanged). This AA certificate
# expired yesterday (not-after SH_END) while the attribute certificate it
# signs below is valid until EE_END: presumably the scenario expects the
# issuer's validity, not the attribute certificate's own dates, to trigger
# the rejection — confirm against the scenario description.
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Generate dave's attribute certificate for sales from expired AA
# Signed with the already-expired AA key above; dates themselves are valid
ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/02.pem --group sales \
--not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
963 ################################################################################
964 # strongSwan Root CA index for OCSP server #
965 ################################################################################
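# generate index.txt file for Root OCSP server
# The template carries placeholders for the expiry of end-entity (EE),
# intermediate (IM) and short-lived (SH) entries and for the revocation date
# of revoked entries (set to the build time, NOW). All four substitutions are
# done in a single sed pass instead of rewriting the file four times. The
# values come from date(1) in %y%m%d%H%M%SZ format — digits plus 'Z' — so
# they contain none of sed's special characters ('/', '&', '\') and are safe
# to splice into the s/// expressions.
cp "${CA_DIR}/index.txt.template" "${CA_DIR}/index.txt"
sed -i \
  -e "s/EE_EXPIRATION/${EE_EXP}/g" \
  -e "s/IM_EXPIRATION/${IM_EXP}/g" \
  -e "s/SH_EXPIRATION/${SH_EXP}/g" \
  -e "s/REVOCATION/${NOW}/g" \
  "${CA_DIR}/index.txt"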
974 ################################################################################
976 ################################################################################
# Generate a carol research certificate
# Issued by the Research sub-CA (RESEARCH_KEY/RESEARCH_CERT) with the Research
# CDP; the same key is reused further down for a second certificate without
# any revocation pointer.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
--crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
# Save a copy of the private key in DER format
# The end-entity private key is kept next to the CA under keys/, presumably
# for a scenario that loads DER keys — confirm which one. 2>/dev/null silences
# openssl's "writing RSA key" notice but also any real error, and the exit
# status is not checked.
openssl rsa -in ${TEST_KEY} -outform der \
-out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
997 # Put a copy in the following scenarios
998 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
999 ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
1000 ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
1001 ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
1002 ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
1003 ikev1/multi-level-ca-cr-resp
1005 TEST="${TEST_DIR}/${t}"
1006 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1007 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1008 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
1009 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1012 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
1014 TEST="${TEST_DIR}/swanctl/${t}"
1015 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1016 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1017 cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1018 cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
# Generate a carol research certificate without a CDP
# Re-uses carol's research key (TEST_KEY still points at it) for a second
# certificate under a new serial that carries neither --crl nor --ocsp, i.e.
# no revocation pointer at all; presumably the ocsp-strict-ifuri scenario
# checks how a strict revocation policy treats such a certificate — confirm.
# Unlike the other Research certificates it is not filed under
# ${RESEARCH_DIR}/certs.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
# Generate an OCSP Signing certificate for the Research CA
# Delegated responder for the Research sub-CA, same shape as the Root CA one:
# --flag ocspSigning, Research CDP, no --ocsp URI, validity EE_END.
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
# Generate a Sales CA certificate signed by the Research CA
# Cross-certificate: the existing Sales CA key (SALES_KEY) gets a second CA
# certificate (--ca, no path length) issued by the Research CA. Together with
# its mirror image further down (Research CA signed by Sales CA) this forms a
# cycle in the trust graph; both are installed only on moon in the
# multi-level-ca-loop scenario, which presumably checks that path building
# terminates instead of looping — confirm against the scenario description.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
--crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
1056 ################################################################################
1057 # Duck Research CA #
1058 ################################################################################
# Generate a Duck Research CA certificate signed by the Research CA
# Second-level sub-CA (presumably Root -> Research -> Duck). DUCK_KEY,
# DUCK_CERT and DUCK_DIR are defined earlier in the script. No path length
# constraint is set on this certificate itself; the pathlen scenario it feeds
# presumably relies on a constraint higher up the chain — confirm.
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
--crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
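# Put a certificate copy in the ikev2/multi-level-ca-pathlen scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
# Create the target directory like every other copy in this script does, so
# this step does not depend on an earlier section having created it.
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
cp "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"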
# Generate a carol certificate signed by the Duck Research CA
# End-entity certificate at the bottom of the three-level chain, still in the
# multi-level-ca-pathlen scenario (TEST unchanged). Unlike the other
# end-entity certificates it carries neither --crl nor --ocsp.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
# Generate index.txt file for Research OCSP server
# Only the EE_EXPIRATION placeholder is substituted here (unlike the Root CA
# index), so the Research template presumably holds end-entity entries only;
# any other placeholder would be left literally in index.txt.
cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
1091 ################################################################################
1093 ################################################################################
# Generate a dave sales certificate
# Counterpart of carol's research certificate: issued by the Sales sub-CA
# (SALES_KEY/SALES_CERT) with the Sales CDP; the key is reused further down.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
CN="dave@strongswan.org"
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
--crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
# Save a copy of the private key in DER format
# Private key stored under the Sales CA's keys/ directory; 2>/dev/null hides
# openssl's notice but also any real error, and the exit status is unchecked.
openssl rsa -in ${TEST_KEY} -outform der \
-out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
1114 # Put a copy in the following scenarios
1115 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
1116 ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
1117 ikev2/ocsp-multi-level ikev1/multi-level-ca \
1118 ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
1120 TEST="${TEST_DIR}/${t}"
1121 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1122 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1123 cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1124 cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1127 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
1129 TEST="${TEST_DIR}/swanctl/${t}"
1130 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1131 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1132 cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1133 cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
# Generate a dave sales certificate with an inactive OCSP URI and no CDP
# Re-uses dave's sales key for a second certificate whose only revocation
# pointer is an OCSP URI (ocsp2.strongswan.org:8882) that, per the comment,
# has no responder behind it; presumably the strict scenario has to fail
# closed rather than skip the check — confirm. Not filed under
# ${SALES_DIR}/certs like the other Sales certificates.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
--ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
# Generate an OCSP Signing certificate for the Sales CA
# Delegated responder for the Sales sub-CA: --flag ocspSigning, Sales CDP,
# no --ocsp URI, validity EE_END — same shape as the Root and Research ones.
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
# Generate a Research CA certificate signed by the Sales CA
# Second half of the cross-certification cycle (Sales signed by Research is
# generated above): the existing Research CA key gets a CA certificate (--ca,
# no path length) issued by the Sales CA. Installed only on moon in the
# multi-level-ca-loop scenario so that path building has to cope with a loop.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
--crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
# generate index.txt file for Sales OCSP server
# As for the Research CA, only EE_EXPIRATION is substituted; any other
# placeholder in the template would remain literally in index.txt.
cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
1175 ################################################################################
1177 ################################################################################
# Generate a carol l3 certificate
# Issued by the third-level sub-CA (LEVELS_L3_KEY/LEVELS_L3_CERT, defined at
# the top) with its own CDP, and filed under the shared ${LEVELS_DIR}/certs
# store for the whole levels hierarchy.
TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
--crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
1194 for t in tkm/multi-level-ca
1196 TEST="${TEST_DIR}/${t}"
1197 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1198 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1199 cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1200 cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1203 ################################################################################
1204 # strongSwan EC Root CA #
1205 ################################################################################
# Generate strongSwan EC Root CA
# Self-signed ECDSA root (--size 521, presumably the P-521 curve) valid until
# CA_END (10 years); as a root it carries no CDP. ECDSA_KEY and ECDSA_CERT
# are defined earlier in the script.
pki --gen --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
pki --self --type ecdsa --in ${ECDSA_KEY} \
--not-before "${START}" --not-after "${CA_END}" --ca \
--dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
--outform pem > ${ECDSA_CERT}
1214 # Put a copy in the openssl-ikev2/ecdsa-certs scenario
1215 for t in ecdsa-certs ecdsa-pkcs8
1217 TEST="${TEST_DIR}/openssl-ikev2/${t}"
1218 for h in moon carol dave
1220 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1221 cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
# Generate a moon ECDSA 521 bit certificate
# NOTE(review): the key is 521 bit but the subject DN says "OU=ECDSA 512 bit".
# Left untouched because the DN is part of the fixture that the scenario's
# expectations may match on — confirm before correcting it.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
# Issued by the EC Root CA with the ECDSA CDP (ECDSA_CDP defined earlier)
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
--crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
# Generate a carol ECDSA 256 bit certificate
# Same scenario (TEST unchanged); the three hosts deliberately use different
# curve sizes (moon 521, carol 256, dave 384) under one EC Root CA.
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
--in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
--crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
# Generate a dave ECDSA 384 bit certificate
# Same scenario (TEST unchanged); 384-bit key, issued by the EC Root CA with
# the ECDSA CDP and filed under ${ECDSA_DIR}/certs.
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
--in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
--crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
# openssl-ikev2/ecdsa-pkcs8 reuses the three ECDSA end-entity certificates
# (the CA certificate was installed by the loop above); the private keys are
# not copied as-is but converted to PKCS#8 in the stanzas that follow.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
for h in moon carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509"
done
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${DAVE_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
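# Convert moon private key into unencrypted PKCS#8 format
# -nocrypt is intended here: a plain PrivateKeyInfo structure.
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
# Convert carol private key into v1.5 DES encrypted PKCS#8 format
# PBE-MD5-DES (PKCS#5 v1.5: MD5-based key derivation, single DES) is
# deliberately weak — it exists only to exercise the legacy decoder; never
# protect a real key with it. The fixed passphrase must match the secret in
# the scenario's swanctl configuration. -passout pass:... exposes it in the
# process list and in shell traces, acceptable only because it is a published
# test fixture.
# -nocrypt is NOT passed here: with -topk8, openssl honours -nocrypt over
# -v1/-v2/-passout and would write a plain PrivateKeyInfo, defeating the
# purpose of this fixture. The grep afterwards verifies that the output really
# is an EncryptedPrivateKeyInfo.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${CAROL_KEY} -topk8 -v1 PBE-MD5-DES \
-passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
grep -q "ENCRYPTED PRIVATE KEY" ${TEST_KEY} || \
{ echo "error: ${TEST_KEY} is not an encrypted PKCS#8 key" >&2; exit 1; }
# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
# PKCS#5 v2.0 with AES-128 (PBKDF2 by default); same passphrase caveats as
# above, same -nocrypt rationale, same post-check.
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${DAVE_KEY} -topk8 -v2 aes128 \
-passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
grep -q "ENCRYPTED PRIVATE KEY" ${TEST_KEY} || \
{ echo "error: ${TEST_KEY} is not an encrypted PKCS#8 key" >&2; exit 1; }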
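# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
# Each cd is guarded: if a scenario directory were missing, the relative
# mkdir/cp that follow would otherwise silently run in the previous working
# directory. The shell is left in dave's swanctl directory afterwards, as
# before.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${MOON_KEY}" ecdsa
cp "${MOON_CERT}" x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/carol/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${CAROL_KEY}" ecdsa
cp "${CAROL_CERT}" x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/dave/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${DAVE_KEY}" ecdsa
cp "${DAVE_CERT}" x509
cp "${ECDSA_CERT}" x509ca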
1312 ################################################################################
1313 # strongSwan RFC3779 Root CA #
1314 ################################################################################
# Generate strongSwan RFC3779 Root CA
# Self-signed root carrying RFC 3779 IP address block extensions. Under
# RFC 3779 a subordinate certificate's resources must be covered by its
# issuer's, so every block issued below has to fall inside these ranges: two
# IPv4 ranges, one /24 and the fec0::-fec2:... IPv6 range. RFC3779_KEY and
# RFC3779_CERT are defined earlier in the script.
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
pki --self --type rsa --in ${RFC3779_KEY} \
--not-before "${START}" --not-after "${CA_END}" --ca \
--dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
--addrblock "10.1.0.0-10.2.255.255" \
--addrblock "10.3.0.1-10.3.3.232" \
--addrblock "192.168.0.0/24" \
--addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
--outform pem > ${RFC3779_CERT}
# Install the RFC3779 root as trust anchor for both gateways of the
# ikev2/net2net-rfc3779 scenario
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for h in moon sun; do
  dst="${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  mkdir -p "${dst}"
  cp "${RFC3779_CERT}" "${dst}"
done
# ... and for both roadwarriors of the ipv6/rw-rfc3779-ikev2 scenario (swanctl
# layout)
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for h in carol dave; do
  dst="${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  mkdir -p "${dst}"
  cp "${RFC3779_CERT}" "${dst}"
done
# Generate a moon RFC3779 certificate
# moon's address blocks (10.1.0.0/16, 192.168.0.1/32, fec0::1/128, fec1::/16)
# all lie inside the ranges of the RFC3779 Root CA above, as RFC 3779 requires.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
--addrblock "fec0::1/128" --addrblock "fec1::/16" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1358 # Put a copy in the ipv6 scenarios
1359 for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
1361 cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
1362 mkdir -p rsa x509 x509ca
1364 cp ${TEST_CERT} x509
1365 cp ${RFC3779_CERT} x509ca
# Generate a sun RFC3779 certificate
# sun's address blocks (10.2.0.0/16, 192.168.0.2/32, fec0::2/128, fec2::/16)
# are disjoint from moon's and, like moon's, covered by the RFC3779 Root CA.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
--addrblock "fec0::2/128" --addrblock "fec2::/16" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
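# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
# Guard the cd: a failed cd would make the relative mkdir/cp below act in the
# previous working directory instead of the scenario.
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
# NOTE(review): rsa/ is created but nothing visible here copies ${TEST_KEY}
# into it — confirm the scenario's sun key comes from elsewhere, or add
# `cp ${TEST_KEY} rsa`.
cp ${TEST_CERT} x509
cp ${RFC3779_CERT} x509ca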
# Generate a carol RFC3779 certificate
# Roadwarrior certificate with host-sized blocks only (10.3.0.1/32,
# 192.168.0.100/32, fec0::10/128), all within the RFC3779 Root CA's ranges.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
--addrblock "fec0::10/128" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
# Generate a dave RFC3779 certificate
# (comment fixed: this stanza issues dave's certificate, not carol's)
# Roadwarrior certificate with host-sized blocks only (10.3.0.2/32,
# 192.168.0.200/32, fec0::20/128), all within the RFC3779 Root CA's ranges.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
--addrblock "fec0::20/128" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1426 ################################################################################
1427 # strongSwan SHA3-RSA Root CA #
1428 ################################################################################
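# Use specific plugin configuration to issue certificates with SHA-3 signatures
# as not all crypto plugins support them. To avoid entropy issues use the
# default plugins to generate the keys.
SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"

# Generate strongSwan SHA3-RSA Root CA.
# PKI_PLUGINS is given as a per-command environment prefix so that only the
# signing invocation runs with the reduced plugin list, not the key generation.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --self --type rsa --in "${SHA3_RSA_KEY}" --digest sha3_256 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --outform pem > "${SHA3_RSA_CERT}"

# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario (both gateways
# trust this CA)
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
for h in moon sun
do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done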
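# Generate a sun SHA3-RSA certificate (TEST still points at
# swanctl/net2net-sha3-rsa-cert)
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"

mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
# The key is generated with the default plugins; only the signature is made
# with the restricted SHA-3 plugin set (see SHA3_PKI_PLUGINS above).
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${SUN_CERT}"
# NOTE(review): SERIAL is not visibly changed between the certificates this
# CA issues; if it is constant they share a serial number and this copy is
# overwritten by the next one — confirm against the rest of the script.
cp "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a moon SHA3-RSA certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"

mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"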
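# Put a copy in the botan/net2net-sha3-rsa-cert scenario.
# Each cd is checked: on failure the relative cp targets would otherwise be
# created in the previous working directory.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
# NOTE(review): rsa/ is created for moon but no key is copied into it here,
# and sun below only receives the CA certificate — confirm these copies are
# not missing.
cp "${MOON_CERT}" x509
cp "${SHA3_RSA_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${SHA3_RSA_CERT}" x509ca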
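# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario (moon reuses the
# key and certificate generated above)
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"

# Generate a carol SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"

mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"

mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# All three hosts of this scenario trust the SHA3-RSA Root CA
for h in moon carol dave
do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done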
1536 ################################################################################
1537 # strongSwan Ed25519 Root CA #
1538 ################################################################################
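# Generate strongSwan Ed25519 Root CA.
# The CA asserts two certificate policies; the end-entity certificates below
# each carry one of them (used by the rw-ed25519-certpol scenario).
pki --gen --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > "${ED25519_CERT}"

# Put a copy in the swanctl/net2net-ed25519 scenario
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
for h in moon sun
do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done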
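# Generate a sun Ed25519 certificate (policy ...1.1.2, serverAuth)
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"

mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
# NOTE(review): SERIAL is not visibly changed between the certificates this
# CA issues; if it is constant they share a serial number and this copy is
# overwritten by the next one — confirm against the rest of the script.
cp "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a moon Ed25519 certificate (policy ...1.1.1, serverAuth)
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"

mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"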
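# Put a copy in the botan/net2net-ed25519 scenario.
# Each cd is checked so that the relative cp targets cannot end up in the
# previous working directory.
TEST="${TEST_DIR}/botan/net2net-ed25519"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp "${MOON_KEY}" pkcs8
cp "${MOON_CERT}" x509
cp "${ED25519_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
# NOTE(review): unlike moon, sun only receives the CA certificate here —
# confirm its key/cert copies are not missing.
cp "${ED25519_CERT}" x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario (private/, certs/,
# cacerts/ layout)
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"
cd "${TEST}/hosts/moon/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${MOON_KEY}" private
cp "${MOON_CERT}" certs
cp "${ED25519_CERT}" cacerts
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}"
cd "${TEST}/hosts/sun/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${SUN_KEY}" private
cp "${SUN_CERT}" certs
cp "${ED25519_CERT}" cacerts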
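# Put a copy in the swanctl/rw-ed25519-certpol scenario (moon reuses the
# key and certificate generated above)
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"

# All three hosts of this scenario trust the Ed25519 Root CA
for h in moon carol dave
do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Generate a carol Ed25519 certificate (policy ...1.1.1, clientAuth)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"

mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a dave Ed25519 certificate (policy ...1.1.2, clientAuth)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"

mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"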
1657 ################################################################################
1658 # strongSwan Monster Root CA #
1659 ################################################################################
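# Generate strongSwan Monster Root CA.
# Validity is fixed (1 May 2009 to 1 May 2059) instead of relative to today;
# the certificate feeds the ikev2/after-2038-certs scenario, so the end date
# presumably has to lie beyond the 32-bit time_t limit.
pki --gen --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --outform pem > "${MONSTER_CERT}"

# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
for h in moon carol
do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
    cp "${MONSTER_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done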
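# Generate a moon Monster certificate (fixed validity 2009 to 2039)
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"

mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
# NOTE(review): a stray "-" operand is passed after --not-after (here and for
# carol below); it looks like a leftover from an edit — confirm it has no
# effect before removing it.
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
# NOTE(review): SERIAL is not visibly changed between moon and carol; if it
# is constant both certificates share a serial number and this copy is
# overwritten below — confirm against the rest of the script.
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"

# Generate a carol Monster certificate
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"

mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"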
1705 ################################################################################
1707 ################################################################################
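# Generate BLISS Root CA with 192 bit security strength.
# No --outform is given here, presumably yielding DER (consistent with the
# .der file names used for the BLISS material below).
pki --gen --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --digest sha3_512 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > "${BLISS_CERT}"

# Put a copy in the following scenarios (both the ikev2 and the swanctl
# variant of each)
for t in rw-newhope-bliss rw-ntru-bliss
do
    TEST="${TEST_DIR}/ikev2/${t}"
    for h in moon carol dave
    do
        mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
        cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
    done

    TEST="${TEST_DIR}/swanctl/${t}"
    for h in moon carol dave
    do
        mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
        cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    done
done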
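# Generate a carol BLISS certificate with 128 bit security strength (BLISS I)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"

mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 1 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
# NOTE(review): SERIAL is not visibly changed between the carol, dave and
# moon BLISS certificates; if it is constant they share a serial number and
# this copy is overwritten — confirm against the rest of the script.
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private" \
         "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
    TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss" \
             "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
    cp "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss"
    cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done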
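# Generate a dave BLISS certificate with 160 bit security strength (BLISS III)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"

mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 3 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private" \
         "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
    TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss" \
             "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
    cp "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/"
    cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509/"
done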
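# Generate a moon BLISS certificate with 192 bit security strength (BLISS IV)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"

mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type bliss --size 4 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private/"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl scenarios
for t in rw-newhope-bliss rw-ntru-bliss
do
    TEST="${TEST_DIR}/swanctl/${t}"
    mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss" \
             "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
    cp "${TEST_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/"
    cp "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"
done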
1829 ################################################################################
1831 ################################################################################
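# Hex encodings of keys, key identifiers and certificates, substituted into
# the data.sql templates of the sql/* scenarios below.
# All values are produced with hexdump's "%02x" format (or pki --format hex),
# so they consist of [0-9a-f] only and are safe as sed replacement text.
# Note that the *_KEY_HEX values are complete private keys: the generated
# data.sql fixtures therefore embed private key material (test-only keys).
# MOON_KEY/MOON_CERT, SUN_KEY/SUN_CERT are redefined here to point at the
# main test-network material rather than the scenario-specific paths above.
CA_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CA_KEY}")
CA_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${CA_KEY}")
CA_CERT_HEX=$(hexdump -v -e '/1 "%02x"' "${CA_CERT_DER}")
CA_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' "${CA_CERT}")

MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_KEY="${CA_DIR}/keys/moonKey.der"
MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_KEY_PEM_HEX=$(hexdump -v -e '/1 "%02x"' "${MOON_KEY_PEM}")
MOON_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${MOON_KEY}")
MOON_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${MOON_KEY}")
MOON_PUB_HEX=$(pki --pub --type rsa --in "${MOON_KEY}" | hexdump -v -e '/1 "%02x"')
# Certificates are stored as PEM; convert to DER before hex-encoding
MOON_CERT_HEX=$(openssl x509 -in "${MOON_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
MOON_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' "${MOON_CERT}")

SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_KEY="${CA_DIR}/keys/sunKey.der"
SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_KEY_PEM_HEX=$(hexdump -v -e '/1 "%02x"' "${SUN_KEY_PEM}")
SUN_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${SUN_KEY}")
SUN_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${SUN_KEY}")
SUN_CERT_HEX=$(openssl x509 -in "${SUN_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
SUN_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' "${SUN_CERT}")

CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CAROL_KEY="${CA_DIR}/keys/carolKey.der"
CAROL_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${CAROL_KEY}")
CAROL_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CAROL_KEY}")
CAROL_PUB_HEX=$(pki --pub --type rsa --in "${CAROL_KEY}" | hexdump -v -e '/1 "%02x"')
CAROL_CERT_HEX=$(openssl x509 -in "${CAROL_CERT}" -outform der | hexdump -v -e '/1 "%02x"')

DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
DAVE_KEY="${CA_DIR}/keys/daveKey.der"
DAVE_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${DAVE_KEY}")
DAVE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${DAVE_KEY}")
DAVE_PUB_HEX=$(pki --pub --type rsa --in "${DAVE_KEY}" | hexdump -v -e '/1 "%02x"')
DAVE_CERT_HEX=$(openssl x509 -in "${DAVE_CERT}" -outform der | hexdump -v -e '/1 "%02x"')

ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
ALICE_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${ALICE_KEY}")
ALICE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${ALICE_KEY}")
ALICE_CERT_HEX=$(openssl x509 -in "${ALICE_CERT}" -outform der | hexdump -v -e '/1 "%02x"')

VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
VENUS_KEY="${CA_DIR}/keys/venusKey.der"
VENUS_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${VENUS_KEY}")
VENUS_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${VENUS_KEY}")
VENUS_CERT_HEX=$(openssl x509 -in "${VENUS_CERT}" -outform der | hexdump -v -e '/1 "%02x"')

# Intermediate CAs (research, sales) and the end-entity certificates they
# issued (certs/01.pem, keys/01.der of each sub-CA directory)
RESEARCH_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${RESEARCH_KEY}")
RESEARCH_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${RESEARCH_KEY}")
RESEARCH_CERT_HEX=$(hexdump -v -e '/1 "%02x"' "${RESEARCH_CERT_DER}")

CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
CAROL_R_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${CAROL_R_KEY}")
CAROL_R_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CAROL_R_KEY}")
CAROL_R_CERT_HEX=$(openssl x509 -in "${CAROL_R_CERT}" -outform der | hexdump -v -e '/1 "%02x"')

SALES_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${SALES_KEY}")
SALES_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${SALES_KEY}")
SALES_CERT_HEX=$(hexdump -v -e '/1 "%02x"' "${SALES_CERT_DER}")

DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
DAVE_S_KEY="${SALES_DIR}/keys/01.der"
DAVE_S_KEY_HEX=$(hexdump -v -e '/1 "%02x"' "${DAVE_S_KEY}")
DAVE_S_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${DAVE_S_KEY}")
DAVE_S_CERT_HEX=$(openssl x509 -in "${DAVE_S_CERT}" -outform der | hexdump -v -e '/1 "%02x"')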
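# Fill in the data.sql templates of the sql/* scenarios: each data.sql.in
# contains placeholder tokens (CA_SPK_HEX, MOON_KEY_HEX, ...) that are
# replaced by the hex values computed above. The replacement text is pure
# hex, so no sed metacharacters can be introduced.
for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
         ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
         rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
do
    for h in carol dave moon
    do
        TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
        sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
            -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
            -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
            -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
            -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
            -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
            -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
            -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
            -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
            -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
            -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
            -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
            -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
            -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
            -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
            -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
            -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
            -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
            -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
            -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
            -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
            -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
            -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
            -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
            -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
            -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
            -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
            "${TEST_DATA}.in" > "${TEST_DATA}"
    done
done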
# Fill in the sql/rw-eap-aka-rsa data.sql templates (CA and moon values only).
# NOTE(review): the body references ${h}, but no enclosing "for h" loop and
# no do/done keywords are visible in this listing — confirm the loop
# structure against the source file before editing.
1941 for t in rw-eap-aka-rsa
1945 TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1946 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1947 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1948 -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1949 -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1950 -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1951 -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1952 ${TEST_DATA}.in > ${TEST_DATA}
# Fill in the data.sql templates of the net2net sql scenarios. These also
# carry the PEM variants (*_PEM_HEX) of the CA certificate and of the moon
# and sun keys and certificates.
# NOTE(review): the body references ${h}, but no enclosing "for h" loop and
# no do/done keywords are visible in this listing — confirm the loop
# structure against the source file before editing.
1956 for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
1960 TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1961 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1962 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1963 -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1964 -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
1965 -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
1966 -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1967 -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1968 -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1969 -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
1970 -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
1971 -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
1972 -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
1973 -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
1974 -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
1975 ${TEST_DATA}.in > ${TEST_DATA}
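# Fill in the data.sql templates of the sql/shunt-policies-nat-rw scenario,
# whose hosts are alice, venus and sun rather than the usual carol/dave/moon.
for t in shunt-policies-nat-rw
do
    for h in alice venus sun
    do
        TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
        sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
            -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
            -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
            -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
            -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
            -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
            -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
            -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
            -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
            -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
            -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
            -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
            "${TEST_DATA}.in" > "${TEST_DATA}"
    done
done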
2000 ################################################################################
2002 ################################################################################
# Public keys of moon and sun in DNSKEY format, substituted into the
# ipsec.conf template of the ikev2/net2net-rsa scenario.
# The sed expressions use "|" as delimiter: the dnskey output is
# presumably base64-like text and may contain "/" — confirm.
# NOTE(review): the TEST_DATA line references ${h}, but no enclosing
# "for h" loop and no do/done keywords are visible in this listing —
# confirm the loop structure against the source file before editing.
2004 MOON_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${MOON_KEY}`
2006 SUN_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${SUN_KEY}`
2010 TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
2011 sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
2012 -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
2013 ${TEST_DATA}.in > ${TEST_DATA}
2016 ################################################################################
2017 # TKM CA ID mapping #
2018 ################################################################################
# Fill in moon's strongswan.conf template of the listed tkm scenarios with
# the CA key identifiers (CA ID mapping).
# NOTE(review): the scenario list ends with a line continuation and the
# do keyword is not visible in this listing, so the list may be longer than
# shown; LEVELS_SPK_HEX is not assigned anywhere in view — confirm both
# against the source file.
2020 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
2021 multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
2026 TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
2027 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
2028 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
2029 -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \
2030 ${TEST_DATA}.in > ${TEST_DATA}
# Fill in the strongswan.conf template of the tkm/multiple-clients scenario
# with the CA key identifiers, per host.
# NOTE(review): the body references ${h}, but no enclosing "for h" loop and
# no do/done keywords are visible in this listing — confirm the loop
# structure against the source file before editing.
2034 for t in multiple-clients
2038 TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
2039 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
2040 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
2041 ${TEST_DATA}.in > ${TEST_DATA}