7d464c36819f3818dade6e3de48d77e51b292534
[strongswan.git] / testing / scripts / build-certs-chroot
1 #!/bin/bash
2
3 set -o errexit
4
5 echo "Building certificates"
6
7 # Disable leak detective when using pki as it produces warnings in tzset
8 export LEAK_DETECTIVE_DISABLE=1
9
10 # Determine testing directory
11 DIR="$(dirname `readlink -f $0`)/.."
12
13 # Define some global variables
14 PROJECT="strongSwan Project"
15 CA_DIR="${DIR}/hosts/winnetou/etc/ca"
16 CA_KEY="${CA_DIR}/strongswanKey.pem"
17 CA_CERT="${CA_DIR}/strongswanCert.pem"
18 CA_CERT_DER="${CA_DIR}/strongswanCert.der"
19 CA_CRL="${CA_DIR}/strongswan.crl"
20 CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
21 CA_CDP="http://crl.strongswan.org/strongswan.crl"
22 CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
23 CA_OCSP="http://ocsp.strongswan.org:8880"
24 #
25 START=`date  -d "-2 day"    "+%d.%m.%y %T"`
26 SH_END=`date -d "-1 day"    "+%d.%m.%y %T"`    #  1 day
27 CA_END=`date -d "+3651 day" "+%d.%m.%y %T"`    # 10 years
28 IM_END=`date -d "+3286 day" "+%d.%m.%y %T"`    #  9 years
29 EE_END=`date -d "+2920 day" "+%d.%m.%y %T"`    #  8 years
30 SH_EXP=`date -d "-1 day"    "+%y%m%d%H%M%SZ"`  #  1 day
31 IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"`  #  9 years
32 EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"`  #  8 years
33 NOW=`date "+%y%m%d%H%M%SZ"`
34 #
35 RESEARCH_DIR="${CA_DIR}/research"
36 RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
37 RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
38 RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
39 RESEARCH_CDP="http://crl.strongswan.org/research.crl"
40 #
41 SALES_DIR="${CA_DIR}/sales"
42 SALES_KEY="${SALES_DIR}/salesKey.pem"
43 SALES_CERT="${SALES_DIR}/salesCert.pem"
44 SALES_CERT_DER="${SALES_DIR}/salesCert.der"
45 SALES_CDP="http://crl.strongswan.org/sales.crl"
46 #
47 DUCK_DIR="${CA_DIR}/duck"
48 DUCK_KEY="${DUCK_DIR}/duckKey.pem"
49 DUCK_CERT="${DUCK_DIR}/duckCert.pem"
50 #
51 ECDSA_DIR="${CA_DIR}/ecdsa"
52 ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
53 ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
54 ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
55 #
56 RFC3779_DIR="${CA_DIR}/rfc3779"
57 RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
58 RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
59 RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
60 #
61 SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
62 SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
63 SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
64 SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
65 #
66 ED25519_DIR="${CA_DIR}/ed25519"
67 ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
68 ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
69 ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
70 #
71 MONSTER_DIR="${CA_DIR}/monster"
72 MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
73 MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
74 MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
75 MONSTER_CA_RSA_SIZE="8192"
76 MONSTER_EE_RSA_SIZE="4096"
77 #
78 BLISS_DIR="${CA_DIR}/bliss"
79 BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
80 BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
81 BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
82 #
83 RSA_SIZE="3072"
84 IPSEC_DIR="etc/ipsec.d"
85 SWANCTL_DIR="etc/swanctl"
86 TKM_DIR="etc/tkm"
87 HOSTS="carol dave moon sun alice venus bob"
88 TEST_DIR="${DIR}/tests"
89
90 # Create directories
91 mkdir -p ${CA_DIR}/certs
92 mkdir -p ${CA_DIR}/keys
93 mkdir -p ${RESEARCH_DIR}/certs
94 mkdir -p ${RESEARCH_DIR}/keys
95 mkdir -p ${SALES_DIR}/certs
96 mkdir -p ${SALES_DIR}/keys
97 mkdir -p ${DUCK_DIR}/certs
98 mkdir -p ${ECDSA_DIR}/certs
99 mkdir -p ${RFC3779_DIR}/certs
100 mkdir -p ${SHA3_RSA_DIR}/certs
101 mkdir -p ${ED25519_DIR}/certs
102 mkdir -p ${MONSTER_DIR}/certs
103 mkdir -p ${BLISS_DIR}/certs
104
105 ################################################################################
106 # strongSwan Root CA                                                           #
107 ################################################################################
108
109 # Generate strongSwan Root CA
110 pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
111 pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
112     --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
113     --outform pem > ${CA_CERT}
114
115 # Distribute strongSwan Root CA certificate
116 for h in ${HOSTS}
117 do
118   HOST_DIR="${DIR}/hosts/${h}"
119   mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
120   mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
121   cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
122   cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
123 done
124
125 # Put a copy onto the alice FreeRADIUS server
126 mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
127 cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
128
129 # Convert strongSwan Root CA certificate into DER format
130 openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
131
132 # Generate a stale CRL
133 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
134     --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
135
136 # Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
137 TEST="${TEST_DIR}/ikev2/crl-ldap"
138 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
139 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
140 cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
141 cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
142
143 # Generate host keys
144 for h in ${HOSTS}
145 do
146   HOST_DIR="${DIR}/hosts/${h}"
147   HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
148   mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
149   pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
150
151   # Put a copy into swanctl directory tree
152   mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
153   cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
154
155   # Convert host key into DER format
156   openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
157           2> /dev/null
158 done
159
160 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
161 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
162          net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
163 do
164   TEST="${TEST_DIR}/tkm/${t}"
165   mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
166   cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
167 done
168
169 # Put DER_encoded sun private key and Root CA certificate into tkm scenarios
170 TEST="${TEST_DIR}/tkm/multiple-clients"
171 mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
172 cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
173
174 # Convert moon private key into unencrypted PKCS#8 format
175 TEST="${TEST_DIR}/ikev2/rw-pkcs8"
176 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
177 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
178 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
179 openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
180
181 # Convert carol private key into v1.5 DES encrypted PKCS#8 format
182 HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
183 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
184 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
185 openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
186               -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
187
188 # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
189 HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
190 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
191 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
192 openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
193               -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
194
195 ################################################################################
196 # Public Key Extraction                                                        #
197 ################################################################################
198
199 # Extract the raw moon public key for the swanctl/net2net-pubkey scenario
200 TEST="${TEST_DIR}/swanctl/net2net-pubkey"
201 TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
202 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
203 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
204 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
205 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
206 cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
207
208 # Put a copy into the  following ikev2 scenarios
209 for t in net2net-dnssec net2net-pubkey rw-dnssec
210 do
211   TEST="${TEST_DIR}/ikev2/${t}"
212   mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
213   cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
214 done
215
216 # Put a copy into the ikev2/net2net-pubkey scenario
217 TEST="${TEST_DIR}/ikev2/net2net-pubkey"
218 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
219 cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
220
221 # Put a copy into the swanctl/rw-dnssec scenario
222 TEST="${TEST_DIR}/swanctl/rw-dnssec"
223 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
224 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
225
226 # Put a copy into the following swanctl scenarios
227 for t in rw-pubkey-anon rw-pubkey-keyid
228 do
229   TEST="${TEST_DIR}/swanctl/${t}"
230   for h in moon carol dave
231   do
232     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
233     cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
234   done
235 done
236
237 # Extract the raw sun public key for the swanctl/net2net-pubkey scenario
238 TEST="${TEST_DIR}/swanctl/net2net-pubkey"
239 TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
240 HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
241 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
242 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
243
244 # Put a copy into the ikev2/net2net-dnssec scenario
245 TEST="${TEST_DIR}/ikev2/net2net-dnssec"
246 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
247 cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
248
249 # Put a copy into the ikev2/net2net-pubkey scenario
250 TEST="${TEST_DIR}/ikev2/net2net-pubkey"
251 cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
252 cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
253
254 # Put a copy into the swanctl/rw-pubkey-anon scenario
255 TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
256 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
257
258 # Extract the raw carol public key for the swanctl/rw-dnssec scenario
259 TEST="${TEST_DIR}/swanctl/rw-dnssec"
260 TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
261 HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
262 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
263 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
264
265 # Put a copy into the swanctl/rw-pubkey-anon scenario
266 TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
267 cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
268 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
269
270 # Put a copy into the swanctl/rw-pubkey-keyid scenario
271 TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
272 cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
273 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
274
275 # Extract the raw dave public key for the swanctl/rw-dnssec scenario
276 TEST="${TEST_DIR}/swanctl/rw-dnssec"
277 TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
278 HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
279 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
280 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
281
282 # Put a copy into the swanctl/rw-pubkey-anon scenario
283 TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
284 cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
285 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
286
287 # Put a copy into the swanctl/rw-pubkey-keyid scenario
288 TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
289 cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
290 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
291
292 ################################################################################
293 # Host Certificate Generation                                                  #
294 ################################################################################
295
296 # function issue_cert: serial host cn [ou]
297 issue_cert()
298 {
299   # does optional OU argument exist?
300   if [ -z "${4}" ]
301   then
302     OU=""
303   else
304     OU=" OU=${4},"
305   fi
306
307   HOST_DIR="${DIR}/hosts/${2}"
308   HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
309   HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
310   mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs
311   pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
312       --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
313       --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
314       --outform pem > ${HOST_CERT}
315   cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
316
317   # Put a certificate copy into swanctl directory tree
318   mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
319   cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
320 }
321
322 # Generate host certificates
323 issue_cert 01 carol carol@strongswan.org Research
324 issue_cert 02 dave dave@strongswan.org Accounting
325 issue_cert 03 moon moon.strongswan.org
326 issue_cert 04 sun sun.strongswan.org
327 issue_cert 05 alice alice@strongswan.org Sales
328 issue_cert 06 venus venus.strongswan.org
329 issue_cert 07 bob bob@strongswan.org Research
330
331 # Create PKCS#12 file for moon
332 TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
333 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
334 HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
335 MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
336 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
337 openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
338         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
339         -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
340
341 # Create PKCS#12 file for sun
342 HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
343 HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
344 SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
345 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
346 openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
347         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
348         -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
349
350 # Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
351 for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
352 do
353   TEST="${TEST_DIR}/${t}"
354   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
355   mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
356   cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
357   cp ${SUN_PKCS12}  ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
358 done
359
360 ################################################################################
361 # DNSSEC Zone Files                                                            #
362 ################################################################################
363
364 # Store moon and sun certificates in strongswan.org zone
365 ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
366 echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
367 for h in moon sun
368 do
369   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
370   cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
371   echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
372 done
373
374 # Store public keys in strongswan.org zone
375 echo ";" >> ${ZONE_FILE}
376 for h in moon sun carol dave
377 do
378   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
379   pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
380   echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
381 done
382
383 # Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
384 TEST="${TEST_DIR}/swanctl/crl-to-cache"
385 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
386 HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
387 CN="carol@strongswan.org"
388 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
389 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
390     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
391     --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
392     --outform pem > ${TEST_CERT}
393
394 # Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
395 TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
396 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
397 CN="moon.strongswan.org"
398 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
399 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
400     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
401     --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
402     --outform pem > ${TEST_CERT}
403
404 # Encrypt carolKey.pem
405 HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
406 KEY_PWD="nH5ZQEWtku0RJEZ6"
407 openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
408         2> /dev/null
409
410 # Put a copy into the ikev2/dynamic-initiator scenario
411 for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
412 do
413   TEST="${TEST_DIR}/${t}"
414   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
415   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
416   cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
417   cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
418 done
419
420 # Put a copy into the swanctl/rw-cert scenario
421 TEST="${TEST_DIR}/swanctl/rw-cert"
422 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
423 cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
424
425 # Generate another carol certificate and revoke it
426 TEST="${TEST_DIR}/ikev2/crl-revoked"
427 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
428 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
429 CN="carol@strongswan.org"
430 SERIAL="08"
431 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
432 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
433 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
434 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
435     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
436     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
437     --outform pem > ${TEST_CERT}
438 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
439 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
440     --serial ${SERIAL} > ${CA_CRL}
441 cp ${CA_CRL} ${CA_LAST_CRL}
442
443 # Put a copy into the ikev2/ocsp-revoked scenario
444 TEST="${TEST_DIR}/ikev2/ocsp-revoked"
445 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
446 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
447 cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
448 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
449
450 # Generate another carol certificate with SN=002
451 TEST="${TEST_DIR}/ikev2/two-certs"
452 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
453 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
454 SERIAL="09"
455 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
456 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
457 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
458 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
459     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
460     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
461     --outform pem > ${TEST_CERT}
462 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
463
464 ################################################################################
465 # Research CA Certificate Generation                                           #
466 ################################################################################
467
468 # Generate a Research CA certificate signed by the Root CA and revoke it
469 TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
470 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
471 SERIAL="0A"
472 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
473 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
474 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
475     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
476     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
477     --outform pem > ${TEST_CERT}
478 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
479 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
480     --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
481 rm ${CA_LAST_CRL}
482
483 # Generate Research CA with the same private key as above signed by Root CA
484 SERIAL="0B"
485 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
486     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
487     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
488     --outform pem > ${RESEARCH_CERT}
489 cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
490
491 # Put a certificate copy into the following scenarios
492 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
493          ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
494          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
495 do
496   TEST="${TEST_DIR}/${t}"
497   mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
498   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
499 done
500
501 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
502          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
503 do
504   TEST="${TEST_DIR}/${t}"
505   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
506   cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
507 done
508
509 for t in multi-level-ca ocsp-multi-level
510 do
511   TEST="${TEST_DIR}/swanctl/${t}"
512   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
513   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
514 done
515
516 for t in rw-hash-and-url-multi-level
517 do
518   TEST="${TEST_DIR}/swanctl/${t}"
519   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
520   cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
521 done
522
523 # Convert Research CA certificate into DER format
524 openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
525
526 # Generate Research CA with the same private key as above but invalid CDP
527 TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
528 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
529 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
530 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
531     --crl "http://crl.strongswan.org/not-available.crl" \
532     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
533     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
534     --outform pem > ${TEST_CERT}
535
536 ################################################################################
537 # Sales CA Certificate Generation                                              #
538 ################################################################################
539
540 # Generate Sales CA signed by Root CA
541 SERIAL="0C"
542 pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
543 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
544     --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
545     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
546     --outform pem > ${SALES_CERT}
547 cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
548
549 # Put a certificate copy into the following scenarios
550 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
551          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
552          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
553 do
554   TEST="${TEST_DIR}/${t}"
555   cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
556 done
557
558 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
559          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
560 do
561   TEST="${TEST_DIR}/${t}"
562   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
563   cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
564 done
565
566 for t in multi-level-ca ocsp-multi-level
567 do
568   TEST="${TEST_DIR}/swanctl/${t}"
569   cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
570 done
571
572 for t in rw-hash-and-url-multi-level
573 do
574   TEST="${TEST_DIR}/swanctl/${t}"
575   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
576   cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
577 done
578
579 # Convert Sales CA certificate into DER format
580 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
581
582 # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
583 TEST="${TEST_DIR}/ikev2/strong-keys-certs"
584 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
585 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
586 KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
587 CN="moon.strongswan.org"
588 SERIAL="0D"
589 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
590 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
591 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
592 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
593     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
594     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
595     --digest sha224 --outform pem > ${TEST_CERT}
596 openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
597         2> /dev/null
598 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
599
600 # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
601 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
602 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
603 KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
604 CN="carol@strongswan.org"
605 SERIAL="0E"
606 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
607 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
608 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
609 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
610     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
611     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
612     --digest sha384 --outform pem > ${TEST_CERT}
613 openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
614         2> /dev/null
615 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
616
617 # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
618 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
619 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
620 KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
621 CN="dave@strongswan.org"
622 SERIAL="0F"
623 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
624 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
625 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
626 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
627     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
628     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
629     --digest sha512 --outform pem > ${TEST_CERT}
630 openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
631         2> /dev/null
632 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
633
634 # Generate another carol certificate with an OCSP URI
635 TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
636 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
637 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
638 CN="carol@strongswan.org"
639 SERIAL="10"
640 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
641 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
642 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
643 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
644     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
645     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
646     --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
647 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
648
649 # Put a copy into the ikev2/ocsp-timeouts-good scenario
650 TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
651 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
652 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
653 cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
654 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
655
656 # Put a copy into the swanctl/ocsp-signer-cert scenario
657 for t in ocsp-signer-cert ocsp-disabled
658 do
659   cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
660   mkdir -p rsa x509
661   cp ${TEST_KEY} rsa
662   cp ${TEST_CERT} x509
663 done
664
665 # Generate an OCSP Signing certificate for the strongSwan Root CA
666 TEST_KEY="${CA_DIR}/ocspKey.pem"
667 TEST_CERT="${CA_DIR}/ocspCert.pem"
668 CN="ocsp.strongswan.org"
669 OU="OCSP Signing Authority"
670 SERIAL="11"
671 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
672 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
673     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
674     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
675     --flag ocspSigning --outform pem > ${TEST_CERT}
676 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
677
678 # Generate a self-signed OCSP Signing certificate
679 TEST_KEY="${CA_DIR}/ocspKey-self.pem"
680 TEST_CERT="${CA_DIR}/ocspCert-self.pem"
681 OU="OCSP Self-Signed Authority"
682 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
683 pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
684     --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
685     --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
686     --outform pem > ${TEST_CERT}
687
688 # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
689 TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
690 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
691 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
692 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
693 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
694
695 # Generate mars virtual server certificate
696 TEST="${TEST_DIR}/ha/both-active"
697 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
698 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
699 CN="mars.strongswan.org"
700 OU="Virtual VPN Gateway"
701 SERIAL="12"
702 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
703 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
704 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
705 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
706     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
707     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
708     --flag serverAuth --outform pem > ${TEST_CERT}
709 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
710
711 # Put a copy into the mirrored gateway
712 mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
713 mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
714 cp ${TEST_KEY}  ${TEST}/hosts/alice/${IPSEC_DIR}/private
715 cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
716
717 # Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
718 for t in "ha/active-passive" "ikev2/redirect-active"
719 do
720   TEST="${TEST_DIR}/${t}"
721   for h in alice moon
722   do
723     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
724     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
725     cp ${TEST_KEY}  ${TEST}/hosts/${h}/${IPSEC_DIR}/private
726     cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
727   done
728 done
729
730 # Generate moon certificate with an unsupported critical X.509 extension
731 TEST="${TEST_DIR}/ikev2/critical-extension"
732 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
733 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
734 CN="moon.strongswan.org"
735 SERIAL="13"
736 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
737 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
738 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
739 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
740     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
741     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
742     --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
743     --outform pem > ${TEST_CERT}
744 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
745
746 # Put a copy in the openssl-ikev2/critical extension scenario
747 TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
748 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
749 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
750 cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
751 cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
752
753 # Generate sun certificate with an unsupported critical X.509 extension
754 TEST="${TEST_DIR}/ikev2/critical-extension"
755 TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
756 TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
757 CN="sun.strongswan.org"
758 SERIAL="14"
759 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
760 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
761 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
762 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
763     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
764     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
765     --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
766     --outform pem > ${TEST_CERT}
767 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
768
769 # Put a copy in the openssl-ikev2/critical extension scenario
770 TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
771 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
772 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
773 cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
774 cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
775
776 # Generate winnetou server certificate
777 HOST_KEY="${CA_DIR}/winnetouKey.pem"
778 HOST_CERT="${CA_DIR}/winnetouCert.pem"
779 CN="winnetou.strongswan.org"
780 SERIAL="15"
781 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
782 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
783     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
784     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
785     --flag serverAuth --outform pem > ${HOST_CERT}
786 cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
787
788 # Generate AAA server certificate
789 TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
790 TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
791 TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
792 CN="aaa.strongswan.org"
793 SERIAL="16"
794 cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
795 mkdir -p rsa x509
796 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
797 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
798 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
799     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
800     --flag serverAuth --outform pem > ${TEST_CERT}
801 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
802
803 # Put a copy into various tnc scenarios
804 for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
805 do
806   cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
807   mkdir -p rsa x509
808   cp ${TEST_KEY}  rsa
809   cp ${TEST_CERT} x509
810 done
811
812 # Put a copy into the alice FreeRADIUS server
813 cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
814
815 ################################################################################
816 # strongSwan Attribute Authority                                               #
817 ################################################################################
818
819 # Generate Attribute Authority certificate
820 TEST="${TEST_DIR}/ikev2/acert-cached"
821 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
822 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
823 CN="strongSwan Attribute Authority"
824 SERIAL="17"
825 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
826 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
827 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
828 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
829 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
830     --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
831     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
832     --outform pem > ${TEST_CERT}
833 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
834
835 # Generate carol's attribute certificate for sales and finance
836 ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
837 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
838     --in ${CA_DIR}/certs/01.pem --group sales --group finance \
839     --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
840
841 # Generate dave's expired attribute certificate for sales
842 ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
843 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
844     --in ${CA_DIR}/certs/02.pem --group sales \
845     --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
846
847 # Generate dave's attribute certificate for marketing
848 ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
849 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
850     --in ${CA_DIR}/certs/02.pem --group marketing \
851     --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
852
853 # Put a copy into the ikev2/acert-fallback scenario
854 TEST="${TEST_DIR}/ikev2/acert-fallback"
855 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
856 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
857 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
858 cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
859 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
860
861 # Generate carol's expired attribute certificate for finance
862 ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
863 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
864 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
865     --in ${CA_DIR}/certs/01.pem --group finance \
866     --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
867
868 # Generate carol's valid attribute certificate for sales
869 ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
870 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
871     --in ${CA_DIR}/certs/01.pem --group sales \
872     --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
873
874 # Put a copy into the ikev2/acert-inline scenario
875 TEST="${TEST_DIR}/ikev2/acert-inline"
876 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
877 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
878 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
879 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
880 cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
881 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
882 cp ${ACERT_CS}  ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
883 cp ${ACERT_DM}  ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
884
885 # Generate a short-lived Attribute Authority certificate
886 CN="strongSwan Legacy AA"
887 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
888 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
889 SERIAL="18"
890 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
891 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
892     --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
893     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
894     --outform pem > ${TEST_CERT}
895 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
896
897 # Generate dave's attribute certificate for sales from expired AA
898 ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
899 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
900 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
901     --in ${CA_DIR}/certs/02.pem --group sales \
902     --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
903
904 ################################################################################
905 # strongSwan Root CA index for OCSP server                                     #
906 ################################################################################
907
908 # generate index.txt file for Root OCSP server
909 cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
910 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
911 sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
912 sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
913 sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
914
915 ################################################################################
916 # Research CA                                                                  #
917 ################################################################################
918
919 # Generate a carol research certificate
920 TEST="${TEST_DIR}/ikev2/multi-level-ca"
921 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
922 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
923 CN="carol@strongswan.org"
924 SERIAL="01"
925 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
926 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
927 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
928 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
929     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
930     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
931     --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
932 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
933
934 # Save a copy of the private key in DER format
935 openssl rsa -in ${TEST_KEY} -outform der \
936             -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
937
938 # Put a copy in the following scenarios
939 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
940          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
941          ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
942          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
943          ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
944          ikev1/multi-level-ca-cr-resp
945 do
946   TEST="${TEST_DIR}/${t}"
947   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
948   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
949   cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
950   cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
951 done
952
953 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
954 do
955   TEST="${TEST_DIR}/swanctl/${t}"
956   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
957   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
958   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
959   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
960 done
961
962 # Generate a carol research certificate without a CDP
963 TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
964 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
965 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
966 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
967 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
968     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
969     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
970     --outform pem > ${TEST_CERT}
971 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
972
973 # Generate an OCSP Signing certificate for the Research CA
974 TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
975 TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
976 OU="Research OCSP Signing Authority"
977 CN="ocsp.research.strongswan.org"
978 SERIAL="02"
979 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
980 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
981     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
982     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
983     --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
984 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
985
986 # Generate a Sales CA certificate signed by the Research CA
987 TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
988 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
989 SERIAL="03"
990 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
991 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
992     --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
993     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
994     --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
995 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
996
997 ################################################################################
998 # Duck Research CA                                                                     #
999 ################################################################################
1000
1001 # Generate a Duck Research CA certificate signed by the Research CA
1002 SERIAL="04"
1003 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
1004 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
1005     --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1006     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
1007     --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
1008 cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
1009
1010 # Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
1011 TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
1012 cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1013
1014 # Generate a carol certificate signed by the Duck Research CA
1015 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
1016 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1017 CN="carol@strongswan.org"
1018 SERIAL="01"
1019 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1020 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1021 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1022 pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
1023     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1024     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
1025     --outform pem > ${TEST_CERT}
1026 cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
1027
1028 # Generate index.txt file for Research OCSP server
1029 cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
1030 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
1031
1032 ################################################################################
1033 # Sales CA                                                                     #
1034 ################################################################################
1035
1036 # Generate a dave sales certificate
1037 TEST="${TEST_DIR}/ikev2/multi-level-ca"
1038 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
1039 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1040 CN="dave@strongswan.org"
1041 SERIAL="01"
1042 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1043 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1044 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1045 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1046     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1047     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1048     --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1049 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1050
1051 # Save a copy of the private key in DER format
1052 openssl rsa -in ${TEST_KEY} -outform der \
1053             -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
1054
1055 # Put a copy in the following scenarios
1056 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
1057          ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
1058          ikev2/ocsp-multi-level ikev1/multi-level-ca \
1059          ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
1060 do
1061   TEST="${TEST_DIR}/${t}"
1062   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1063   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1064   cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1065   cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1066 done
1067
1068 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
1069 do
1070   TEST="${TEST_DIR}/swanctl/${t}"
1071   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1072   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1073   cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1074   cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1075 done
1076
1077 # Generate a dave sales certificate with an inactive OCSP URI and no CDP
1078 TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
1079 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1080 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1081 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1082 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1083     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1084     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1085     --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
1086 cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1087
1088 # Generate an OCSP Signing certificate for the Sales CA
1089 TEST_KEY="${SALES_DIR}/ocspKey.pem"
1090 TEST_CERT="${SALES_DIR}/ocspCert.pem"
1091 OU="Sales OCSP Signing Authority"
1092 CN="ocsp.sales.strongswan.org"
1093 SERIAL="02"
1094 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1095 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1096     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1097     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
1098     --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
1099 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1100
1101 # Generate a Research CA certificate signed by the Sales CA
1102 TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
1103 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
1104 SERIAL="03"
1105 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1106 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1107     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1108     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
1109     --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1110 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
1111
1112 # generate index.txt file for Sales OCSP server
1113 cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
1114 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
1115
1116 ################################################################################
1117 # strongSwan EC Root CA                                                        #
1118 ################################################################################
1119
1120 # Generate strongSwan EC Root CA
1121 pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
1122 pki --self --type ecdsa --in ${ECDSA_KEY} \
1123     --not-before "${START}" --not-after "${CA_END}" --ca \
1124     --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
1125     --outform pem > ${ECDSA_CERT}
1126
1127 # Put a copy in the openssl-ikev2/ecdsa-certs scenario
1128 for t in ecdsa-certs ecdsa-pkcs8
1129 do
1130   TEST="${TEST_DIR}/openssl-ikev2/${t}"
1131   for h in moon carol dave
1132   do
1133     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1134     cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1135   done
1136 done
1137
1138 # Generate a moon ECDSA 521 bit certificate
1139 TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
1140 MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
1141 MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1142 CN="moon.strongswan.org"
1143 SERIAL="01"
1144 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
1145 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1146 pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
1147 pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1148     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1149     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
1150     --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
1151 cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1152
1153 # Generate a carol ECDSA 256 bit certificate
1154 CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
1155 CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1156 CN="carol@strongswan.org"
1157 SERIAL="02"
1158 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
1159 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1160 pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
1161 pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1162     --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1163     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
1164     --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
1165 cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1166
1167 # Generate a dave ECDSA 384 bit certificate
1168 DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
1169 DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1170 CN="dave@strongswan.org"
1171 SERIAL="03"
1172 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
1173 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1174 pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
1175 pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1176     --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1177     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
1178     --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
1179 cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
1180
1181 # Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
1182 TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
1183 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1184 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1185 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1186 cp ${MOON_CERT}  ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1187 cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1188 cp ${DAVE_CERT}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1189
1190 # Convert moon private key into unencrypted PKCS#8 format
1191 TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
1192 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1193 openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
1194
1195 # Convert carol private key into v1.5 DES encrypted PKCS#8 format
1196 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
1197 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
1198 openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
1199               -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
1200
1201 # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
1202 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
1203 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
1204 openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8  -v2 aes128 \
1205               -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
1206
1207 # Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
1208 TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
1209 cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1210 mkdir -p ecdsa x509 x509ca
1211 cp ${MOON_KEY}   ecdsa
1212 cp ${MOON_CERT}  x509
1213 cp ${ECDSA_CERT} x509ca
1214 cd ${TEST}/hosts/carol/${SWANCTL_DIR}
1215 mkdir -p ecdsa x509 x509ca
1216 cp ${CAROL_KEY}  ecdsa
1217 cp ${CAROL_CERT} x509
1218 cp ${ECDSA_CERT} x509ca
1219 cd ${TEST}/hosts/dave/${SWANCTL_DIR}
1220 mkdir -p ecdsa x509 x509ca
1221 cp ${DAVE_KEY}   ecdsa
1222 cp ${DAVE_CERT}  x509
1223 cp ${ECDSA_CERT} x509ca
1224
1225 ################################################################################
1226 # strongSwan RFC3779 Root CA                                                   #
1227 ################################################################################
1228
1229 # Generate strongSwan RFC3779 Root CA
1230 pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
1231 pki --self --type rsa --in ${RFC3779_KEY} \
1232     --not-before "${START}" --not-after "${CA_END}" --ca \
1233     --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
1234     --addrblock "10.1.0.0-10.2.255.255" \
1235     --addrblock "10.3.0.1-10.3.3.232" \
1236     --addrblock "192.168.0.0/24" \
1237     --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
1238     --outform pem > ${RFC3779_CERT}
1239
1240 # Put a copy in the ikev2/net2net-rfc3779 scenario
1241 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1242 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1243 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1244 cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1245 cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1246
1247 # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
1248 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1249 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1250 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1251 cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1252 cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1253
1254 # Generate a moon RFC3779 certificate
1255 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1256 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1257 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1258 CN="moon.strongswan.org"
1259 SERIAL="01"
1260 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1261 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1262 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1263 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1264     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1265     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1266     --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
1267     --addrblock "fec0::1/128" --addrblock "fec1::/16" \
1268     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1269 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1270
1271 # Put a copy in the ipv6 scenarios
1272 for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
1273 do
1274   cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
1275   mkdir -p rsa x509 x509ca
1276   cp ${TEST_KEY}  rsa
1277   cp ${TEST_CERT} x509
1278   cp ${RFC3779_CERT} x509ca
1279 done
1280
1281 # Generate a sun RFC3779 certificate
1282 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1283 TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
1284 TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
1285 CN="sun.strongswan.org"
1286 SERIAL="02"
1287 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
1288 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
1289 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1290 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1291     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1292     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1293     --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
1294     --addrblock "fec0::2/128" --addrblock "fec2::/16" \
1295     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1296 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1297
1298 # Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
1299 cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
1300 mkdir -p rsa x509 x509ca
1301 cp ${TEST_KEY} rsa
1302 cp ${TEST_CERT} x509
1303 cp ${RFC3779_CERT} x509ca
1304
1305 # Generate a carol RFC3779 certificate
1306 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1307 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1308 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1309 CN="carol@strongswan.org"
1310 SERIAL="03"
1311 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1312 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1313 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1314 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1315     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1316     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1317     --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
1318     --addrblock "fec0::10/128" \
1319     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1320 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1321
1322 # Generate a carol RFC3779 certificate
1323 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1324 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1325 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1326 CN="dave@strongswan.org"
1327 SERIAL="04"
1328 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1329 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1330 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1331 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1332     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1333     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1334     --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
1335     --addrblock "fec0::20/128" \
1336     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1337 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1338
1339 ################################################################################
1340 # strongSwan SHA3-RSA Root CA                                                  #
1341 ################################################################################
1342
1343 # Use specific plugin configuration to issue certificates with SHA-3 signatures
1344 # as not all crypto plugins support them.  To avoid entropy issues use the
1345 # default plugins to generate the keys.
1346 SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
1347
1348 # Generate strongSwan SHA3-RSA Root CA
1349 pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
1350 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1351 pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
1352     --not-before "${START}" --not-after "${CA_END}" --ca \
1353     --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
1354     --outform pem > ${SHA3_RSA_CERT}
1355
1356 # Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
1357 TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
1358 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1359 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1360 cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1361 cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1362
1363 # Generate a sun SHA3-RSA certificate
1364 SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
1365 SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1366 CN="sun.strongswan.org"
1367 SERIAL="01"
1368 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
1369 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
1370 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
1371 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1372 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1373     --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1374     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1375     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
1376 cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1377
1378 # Generate a moon SHA3-RSA certificate
1379 MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
1380 MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1381 CN="moon.strongswan.org"
1382 SERIAL="02"
1383 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1384 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1385 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
1386 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1387 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1388     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1389     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1390     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
1391 cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1392
1393 # Put a copy in the botan/net2net-sha3-rsa-cert scenario
1394 TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
1395 cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1396 mkdir -p rsa x509 x509ca
1397 cp ${MOON_KEY}      rsa
1398 cp ${MOON_CERT}     x509
1399 cp ${SHA3_RSA_CERT} x509ca
1400 cd ${TEST}/hosts/sun/${SWANCTL_DIR}
1401 mkdir -p rsa x509 x509ca
1402 cp ${SUN_KEY}       rsa
1403 cp ${SUN_CERT}      x509
1404 cp ${SHA3_RSA_CERT} x509ca
1405
1406 # Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
1407 TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
1408 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1409 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1410 cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1411 cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1412
1413 # Generate a carol SHA3-RSA certificate
1414 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1415 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1416 CN="carol@strongswan.org"
1417 SERIAL="03"
1418 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1419 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1420 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1421 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1422 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1423     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1424     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1425     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
1426 cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1427
1428 # Generate a dave SHA3-RSA certificate
1429 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1430 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1431 CN="dave@strongswan.org"
1432 SERIAL="04"
1433 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1434 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1435 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1436 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1437 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1438     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1439     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1440     --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
1441 cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1442
1443 for h in moon carol dave
1444 do
1445   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1446   cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1447 done
1448
1449 ################################################################################
1450 # strongSwan Ed25519 Root CA                                                   #
1451 ################################################################################
1452
1453 # Generate strongSwan Ed25519 Root CA
1454 pki --gen  --type ed25519 --outform pem > ${ED25519_KEY}
1455 pki --self --type ed25519 --in ${ED25519_KEY} \
1456     --not-before "${START}" --not-after "${CA_END}" --ca \
1457     --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
1458     --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
1459     --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
1460     --outform pem > ${ED25519_CERT}
1461
1462 # Put a copy in the swanctl/net2net-ed25519 scenario
1463 TEST="${TEST_DIR}/swanctl/net2net-ed25519"
1464 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1465 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1466 cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1467 cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1468
1469 # Generate a sun Ed25519 certificate
1470 SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
1471 SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1472 CN="sun.strongswan.org"
1473 SERIAL="01"
1474 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
1475 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
1476 pki --gen --type ed25519 --outform pem > ${SUN_KEY}
1477 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1478     --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1479     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1480     --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
1481     --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
1482 cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1483
1484 # Generate a moon Ed25519 certificate
1485 MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
1486 MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1487 CN="moon.strongswan.org"
1488 SERIAL="02"
1489 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1490 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1491 pki --gen --type ed25519 --outform pem > ${MOON_KEY}
1492 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1493     --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1494     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1495     --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
1496     --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
1497 cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1498
1499 # Put a copy in the botan/net2net-ed25519 scenario
1500 TEST="${TEST_DIR}/botan/net2net-ed25519"
1501 cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1502 mkdir -p pkcs8 x509 x509ca
1503 cp ${MOON_KEY}     pkcs8
1504 cp ${MOON_CERT}    x509
1505 cp ${ED25519_CERT} x509ca
1506 cd ${TEST}/hosts/sun/${SWANCTL_DIR}
1507 mkdir -p pkcs8 x509 x509ca
1508 cp ${SUN_KEY}      pkcs8
1509 cp ${SUN_CERT}     x509
1510 cp ${ED25519_CERT} x509ca
1511
1512 # Put a copy in the ikev2/net2net-ed25519 scenario
1513 TEST="${TEST_DIR}/ikev2/net2net-ed25519"
1514 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
1515 cd ${TEST}/hosts/moon/${IPSEC_DIR}
1516 mkdir -p cacerts certs private
1517 cp ${MOON_KEY}     private
1518 cp ${MOON_CERT}    certs
1519 cp ${ED25519_CERT} cacerts
1520 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
1521 cd ${TEST}/hosts/sun/${IPSEC_DIR}
1522 mkdir -p cacerts certs private
1523 cp ${SUN_KEY}      private
1524 cp ${SUN_CERT}     certs
1525 cp ${ED25519_CERT} cacerts
1526
1527 # Put a copy in the swanctl/rw-ed25519-certpol scenario
1528 TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
1529 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1530 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1531 cp ${MOON_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1532 cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1533
1534 for h in moon carol dave
1535 do
1536   mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1537   cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1538 done
1539
1540 # Generate a carol Ed25519 certificate
1541 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
1542 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1543 CN="carol@strongswan.org"
1544 SERIAL="03"
1545 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
1546 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1547 pki --gen --type ed25519 --outform pem > ${TEST_KEY}
1548 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1549     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1550     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1551     --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
1552     --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
1553 cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1554
1555 # Generate a dave Ed25519 certificate
1556 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
1557 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1558 CN="dave@strongswan.org"
1559 SERIAL="04"
1560 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
1561 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1562 pki --gen --type ed25519 --outform pem > ${TEST_KEY}
1563 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1564     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1565     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1566     --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
1567     --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
1568 cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1569
1570 ################################################################################
1571 # strongSwan Monster Root CA                                                   #
1572 ################################################################################
1573
1574 # Generate strongSwan Monster Root CA
1575 pki --gen  --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
1576 pki --self --type rsa --in ${MONSTER_KEY} \
1577     --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
1578     --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
1579     --outform pem > ${MONSTER_CERT}
1580
1581 # Put a copy in the ikev2/after-2038-certs scenario
1582 TEST="${TEST_DIR}/ikev2/after-2038-certs"
1583 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1584 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
1585 cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1586 cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
1587
1588 # Generate a moon Monster certificate
1589 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1590 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1591 CN="moon.strongswan.org"
1592 SERIAL="01"
1593 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1594 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1595 pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
1596 pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
1597     --in ${TEST_KEY} --san ${CN} \
1598     --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
1599     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
1600     --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
1601 cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
1602
1603 # Generate a carol Monster certificate
1604 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
1605 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1606 CN="carol@strongswan.org"
1607 SERIAL="02"
1608 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1609 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1610 pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
1611 pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
1612     --in ${TEST_KEY} --san ${CN} \
1613     --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
1614     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
1615     --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
1616 cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
1617
1618 ################################################################################
1619 # Bliss CA                                                                     #
1620 ################################################################################
1621
1622 # Generate BLISS Root CA with 192 bit security strength
1623 pki --gen  --type bliss --size 4 > ${BLISS_KEY}
1624 pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
1625     --not-before "${START}" --not-after "${CA_END}" --ca \
1626     --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
1627
1628 # Put a copy in the following scenarios
1629 for t in rw-newhope-bliss rw-ntru-bliss
1630 do
1631   TEST="${TEST_DIR}/ikev2/${t}"
1632   for h in moon carol dave
1633   do
1634     mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
1635     cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
1636   done
1637
1638   TEST="${TEST_DIR}/swanctl/${t}"
1639   for h in moon carol dave
1640   do
1641     mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1642     cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1643   done
1644 done
1645
1646 # Generate a carol BLISS certificate with 128 bit security strength
1647 TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1648 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
1649 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
1650 CN="carol@strongswan.org"
1651 SERIAL="01"
1652 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1653 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1654 pki --gen --type bliss --size 1 > ${TEST_KEY}
1655 pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1656     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1657     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
1658     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1659 cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1660
1661 # Put a copy in the ikev2/rw-ntru-bliss scenario
1662 TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1663 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1664 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1665 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
1666 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1667
1668 # Put a copy in the swanctl scenarios
1669 for t in rw-newhope-bliss rw-ntru-bliss
1670 do
1671   TEST="${TEST_DIR}/swanctl/${t}"
1672   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
1673   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1674   cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
1675   cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1676 done
1677
1678 # Generate a dave BLISS certificate with 160 bit security strength
1679 TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1680 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
1681 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
1682 CN="dave@strongswan.org"
1683 SERIAL="02"
1684 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1685 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1686 pki --gen --type bliss --size 3 > ${TEST_KEY}
1687 pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1688     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1689     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
1690     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1691 cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1692
1693 # Put a copy in the ikev2/rw-ntru-bliss scenario
1694 TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1695 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1696 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1697 cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
1698 cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
1699
1700 # Put a copy in the swanctl scenarios
1701 for t in rw-newhope-bliss rw-ntru-bliss
1702 do
1703   TEST="${TEST_DIR}/swanctl/${t}"
1704   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
1705   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1706   cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
1707   cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
1708 done
1709
1710 # Generate a moon BLISS certificate with 192 bit security strength
1711 TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1712 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
1713 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
1714 CN="moon.strongswan.org"
1715 SERIAL="03"
1716 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1717 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1718 pki --gen --type bliss --size 4 > ${TEST_KEY}
1719 pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1720     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1721     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
1722     --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1723 cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1724
1725 # Put a copy in the ikev2/rw-ntru-bliss scenario
1726 TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1727 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1728 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1729 cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
1730 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
1731
1732 # Put a copy in the swanctl scenarios
1733 for t in rw-newhope-bliss rw-ntru-bliss
1734 do
1735   TEST="${TEST_DIR}/swanctl/${t}"
1736   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
1737   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1738   cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
1739   cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
1740 done
1741
1742 ################################################################################
1743 # SQL Data                                                                     #
1744 ################################################################################
1745
1746 CA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CA_KEY}`
1747 CA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${CA_KEY}`
1748 CA_CERT_HEX=`cat ${CA_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1749 CA_CERT_PEM_HEX=`cat ${CA_CERT} | hexdump -v -e '/1 "%02x"'`
1750 #
1751 MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1752 MOON_KEY="${CA_DIR}/keys/moonKey.der"
1753 MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
1754 MOON_KEY_PEM_HEX=`cat ${MOON_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
1755 MOON_KEY_HEX=`cat ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
1756 MOON_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${MOON_KEY}`
1757 MOON_PUB_HEX=`pki --pub --type rsa --in ${MOON_KEY} | hexdump -v -e '/1 "%02x"'`
1758 MOON_CERT_HEX=`openssl x509 -in ${MOON_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1759 MOON_CERT_PEM_HEX=`cat ${MOON_CERT} | hexdump -v -e '/1 "%02x"'`
1760 #
1761 SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1762 SUN_KEY="${CA_DIR}/keys/sunKey.der"
1763 SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
1764 SUN_KEY_PEM_HEX=`cat ${SUN_KEY_PEM} | hexdump -v -e '/1 "%02x"'`
1765 SUN_KEY_HEX=`cat ${SUN_KEY} | hexdump -v -e '/1 "%02x"'`
1766 SUN_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SUN_KEY}`
1767 SUN_CERT_HEX=`openssl x509 -in ${SUN_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1768 SUN_CERT_PEM_HEX=`cat ${SUN_CERT} | hexdump -v -e '/1 "%02x"'`
1769 #
1770 CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1771 CAROL_KEY="${CA_DIR}/keys/carolKey.der"
1772 CAROL_KEY_HEX=`cat ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
1773 CAROL_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_KEY}`
1774 CAROL_PUB_HEX=`pki --pub --type rsa --in ${CAROL_KEY} | hexdump -v -e '/1 "%02x"'`
1775 CAROL_CERT_HEX=`openssl x509 -in ${CAROL_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1776 #
1777 DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1778 DAVE_KEY="${CA_DIR}/keys/daveKey.der"
1779 DAVE_KEY_HEX=`cat ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
1780 DAVE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_KEY}`
1781 DAVE_PUB_HEX=`pki --pub --type rsa --in ${DAVE_KEY} | hexdump -v -e '/1 "%02x"'`
1782 DAVE_CERT_HEX=`openssl x509 -in ${DAVE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1783 #
1784 ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
1785 ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
1786 ALICE_KEY_HEX=`cat ${ALICE_KEY} | hexdump -v -e '/1 "%02x"'`
1787 ALICE_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${ALICE_KEY}`
1788 ALICE_CERT_HEX=`openssl x509 -in ${ALICE_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1789 #
1790 VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
1791 VENUS_KEY="${CA_DIR}/keys/venusKey.der"
1792 VENUS_KEY_HEX=`cat ${VENUS_KEY} | hexdump -v -e '/1 "%02x"'`
1793 VENUS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${VENUS_KEY}`
1794 VENUS_CERT_HEX=`openssl x509 -in ${VENUS_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1795 #
1796 RESEARCH_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${RESEARCH_KEY}`
1797 RESEARCH_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${RESEARCH_KEY}`
1798 RESEARCH_CERT_HEX=`cat ${RESEARCH_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1799 #
1800 CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
1801 CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
1802 CAROL_R_KEY_HEX=`cat ${CAROL_R_KEY} | hexdump -v -e '/1 "%02x"'`
1803 CAROL_R_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${CAROL_R_KEY}`
1804 CAROL_R_CERT_HEX=`openssl x509 -in ${CAROL_R_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1805 #
1806 SALES_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${SALES_KEY}`
1807 SALES_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${SALES_KEY}`
1808 SALES_CERT_HEX=`cat ${SALES_CERT_DER} | hexdump -v -e '/1 "%02x"'`
1809 #
1810 DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
1811 DAVE_S_KEY="${SALES_DIR}/keys/01.der"
1812 DAVE_S_KEY_HEX=`cat ${DAVE_S_KEY} | hexdump -v -e '/1 "%02x"'`
1813 DAVE_S_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${DAVE_S_KEY}`
1814 DAVE_S_CERT_HEX=`openssl x509 -in ${DAVE_S_CERT} -outform der | hexdump -v -e '/1 "%02x"'`
1815 #
1816 for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
1817          ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
1818          rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
1819 do
1820   for h in carol dave moon
1821   do
1822     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1823     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1824         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1825         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1826         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1827         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1828         -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
1829         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1830         -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
1831         -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
1832         -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
1833         -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
1834         -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
1835         -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
1836         -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
1837         -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
1838         -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
1839         -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
1840         -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
1841         -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
1842         -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
1843         -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
1844         -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
1845         -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
1846         -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
1847         -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
1848         -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
1849         -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
1850         ${TEST_DATA}.in > ${TEST_DATA}
1851   done
1852 done
1853 #
1854 for t in rw-eap-aka-rsa
1855 do
1856   for h in carol moon
1857   do
1858     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1859     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1860         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1861         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1862         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1863         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1864         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1865         ${TEST_DATA}.in > ${TEST_DATA}
1866   done
1867 done
1868 #
1869 for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
1870 do
1871   for h in moon sun
1872   do
1873     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1874     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1875         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1876         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1877         -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
1878         -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
1879         -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1880         -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1881         -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1882         -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
1883         -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
1884         -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
1885         -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
1886         -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
1887         -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
1888                ${TEST_DATA}.in > ${TEST_DATA}
1889   done
1890 done
1891 #
1892 for t in shunt-policies-nat-rw
1893 do
1894   for h in alice venus sun
1895   do
1896     TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1897     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1898         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1899         -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1900         -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
1901         -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
1902         -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
1903         -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
1904         -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
1905         -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
1906         -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
1907         -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
1908         -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
1909         ${TEST_DATA}.in > ${TEST_DATA}
1910   done
1911 done
1912
1913 ################################################################################
1914 # Raw RSA keys                                                                 #
1915 ################################################################################
1916
1917 MOON_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${MOON_KEY}`
1918 #
1919 SUN_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${SUN_KEY}`
1920 #
1921 for h in moon sun
1922 do
1923   TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
1924   sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
1925       -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
1926       ${TEST_DATA}.in > ${TEST_DATA}
1927 done
1928
1929 ################################################################################
1930 # TKM CA ID mapping                                                            #
1931 ################################################################################
1932
1933 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
1934          net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
1935 do
1936   for h in moon
1937   do
1938     TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
1939     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1940         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1941         ${TEST_DATA}.in > ${TEST_DATA}
1942   done
1943 done
1944
1945 for t in multiple-clients
1946 do
1947   for h in sun
1948   do
1949     TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
1950     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1951         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1952         ${TEST_DATA}.in > ${TEST_DATA}
1953   done
1954 done