5 echo "Building certificates"
# NOTE(review): the shebang and any `set -e`/`set -u` would be above this
# excerpt (lines 1-4 not shown). Nothing below checks exit status itself, so a
# failing pki/openssl call silently leaves an empty or truncated key/cert behind.
7 # Disable leak detective when using pki as it produces warnings in tzset
8 export LEAK_DETECTIVE_DISABLE=1
10 # Determine testing directory
# $0 is unquoted: a script path containing whitespace would break this. The
# testing tree uses fixed paths, so this is only a portability caveat.
11 DIR="$(dirname `readlink -f $0`)/.."
13 # Define some global variables
14 PROJECT="strongSwan Project"
# All CA material lives on the winnetou host. CA_CRL is the CRL being built;
# CA_LAST_CRL keeps the previous one so a later `pki --signcrl --lastcrl`
# can carry its entries forward.
15 CA_DIR="${DIR}/hosts/winnetou/etc/ca"
16 CA_KEY="${CA_DIR}/strongswanKey.pem"
17 CA_CERT="${CA_DIR}/strongswanCert.pem"
18 CA_CERT_DER="${CA_DIR}/strongswanCert.der"
19 CA_CRL="${CA_DIR}/strongswan.crl"
20 CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
# URIs embedded in issued certificates (CRL distribution points, OCSP AIA);
# peers fetch revocation data from them, so they must resolve inside the
# test network (presumably to winnetou, which holds CA_DIR).
21 CA_CDP="http://crl.strongswan.org/strongswan.crl"
22 CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
23 CA_OCSP="http://ocsp.strongswan.org:8880"
# Validity windows in pki's default --dateform ("%d.%m.%y %T"). START is two
# days in the past so freshly built certificates are valid on test hosts whose
# clocks lag. SH_END is already in the past, i.e. anything issued with it is
# expired from the start.
25 START=`date -d "-2 day" "+%d.%m.%y %T"`
26 SH_END=`date -d "-1 day" "+%d.%m.%y %T"` # 1 day
27 CA_END=`date -d "+3651 day" "+%d.%m.%y %T"` # 10 years
28 IM_END=`date -d "+3286 day" "+%d.%m.%y %T"` # 9 years
29 EE_END=`date -d "+2920 day" "+%d.%m.%y %T"` # 8 years
# The *_EXP/NOW values are shaped like ASN.1 UTCTime (YYMMDDhhmmssZ), but
# `date` is called without -u, so the trailing "Z" is only accurate on a host
# running in UTC. None of them is used in the part of the script shown here.
30 SH_EXP=`date -d "-1 day" "+%y%m%d%H%M%SZ"` # 1 day
31 IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"` # 9 years
32 EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"` # 8 years
33 NOW=`date "+%y%m%d%H%M%SZ"`
# Intermediate CAs under the root, each with its own CRL distribution point.
35 RESEARCH_DIR="${CA_DIR}/research"
36 RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
37 RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
38 RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
39 RESEARCH_CDP="http://crl.strongswan.org/research.crl"
41 SALES_DIR="${CA_DIR}/sales"
42 SALES_KEY="${SALES_DIR}/salesKey.pem"
43 SALES_CERT="${SALES_DIR}/salesCert.pem"
44 SALES_CERT_DER="${SALES_DIR}/salesCert.der"
45 SALES_CDP="http://crl.strongswan.org/sales.crl"
47 DUCK_DIR="${CA_DIR}/duck"
48 DUCK_KEY="${DUCK_DIR}/duckKey.pem"
49 DUCK_CERT="${DUCK_DIR}/duckCert.pem"
# Separate root CAs for algorithm/extension-specific scenarios (ECDSA,
# RFC 3779 address blocks, SHA-3 with RSA, Ed25519, oversized RSA, BLISS).
51 ECDSA_DIR="${CA_DIR}/ecdsa"
52 ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
53 ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
54 ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
56 RFC3779_DIR="${CA_DIR}/rfc3779"
57 RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
58 RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
59 RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
61 SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
62 SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
63 SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
64 SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
66 ED25519_DIR="${CA_DIR}/ed25519"
67 ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
68 ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
69 ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
71 MONSTER_DIR="${CA_DIR}/monster"
72 MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
73 MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
74 MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
# Key sizes for the "monster" CA/end-entity certificates (large-key handling).
75 MONSTER_CA_RSA_SIZE="8192"
76 MONSTER_EE_RSA_SIZE="4096"
# BLISS material is kept DER-encoded rather than PEM.
78 BLISS_DIR="${CA_DIR}/bliss"
79 BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
80 BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
81 BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
# Paths relative to each host's root: the legacy ipsec.d layout and the
# swanctl layout are both populated so either daemon configuration works.
84 IPSEC_DIR="etc/ipsec.d"
85 SWANCTL_DIR="etc/swanctl"
# Hosts that receive a root-signed RSA key/certificate pair.
87 HOSTS="carol dave moon sun alice venus bob"
88 TEST_DIR="${DIR}/tests"
# Pre-create the CA output directories: certs/ holds every issued certificate
# by serial number, keys/ holds DER copies of the host private keys.
91 mkdir -p ${CA_DIR}/certs
92 mkdir -p ${CA_DIR}/keys
93 mkdir -p ${RESEARCH_DIR}/certs
94 mkdir -p ${RESEARCH_DIR}/keys
95 mkdir -p ${SALES_DIR}/certs
96 mkdir -p ${SALES_DIR}/keys
97 mkdir -p ${DUCK_DIR}/certs
98 mkdir -p ${ECDSA_DIR}/certs
99 mkdir -p ${RFC3779_DIR}/certs
100 mkdir -p ${SHA3_RSA_DIR}/certs
101 mkdir -p ${ED25519_DIR}/certs
102 mkdir -p ${MONSTER_DIR}/certs
103 mkdir -p ${BLISS_DIR}/certs
105 ################################################################################
106 # strongSwan Root CA #
107 ################################################################################
109 # Generate strongSwan Root CA
# NOTE(review): RSA_SIZE is not set anywhere in the portion shown (presumably
# just above, line 83 not shown); if it were unset, --size would get an empty
# argument. The key is written through a shell redirection, so its mode is
# whatever the umask allows — a CA key outside this test tree should be 0600.
110 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
# Self-signed root with pathLenConstraint=1: exactly one intermediate level
# (Research/Sales CA) may sit between this root and an end-entity certificate.
111 pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
112 --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
113 --outform pem > ${CA_CERT}
115 # Distribute strongSwan Root CA certificate
# Loop body over HOSTS (for/do on lines 116-117 and done on 123 not shown):
# every host gets the root as a trust anchor in both directory layouts.
118 HOST_DIR="${DIR}/hosts/${h}"
119 mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
120 mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
121 cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
122 cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
125 # Put a copy onto the alice FreeRADIUS server
126 mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
127 cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
129 # Convert strongSwan Root CA certificate into DER format
# The DER copy is what the TKM scenarios below consume.
130 openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
132 # Generate a stale CRL
# thisUpdate two days ago with a one-day lifetime: the CRL is already past its
# nextUpdate when built, which is exactly what the crl-ldap scenario needs.
133 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
134 --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
136 # Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
137 TEST="${TEST_DIR}/ikev2/crl-ldap"
138 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/crls
139 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/crls
140 cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
141 cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
# Per-host RSA key generation (loop header on lines 142-145 not shown). Keys
# are written unencrypted into ipsec.d/private and mirrored into swanctl/rsa;
# the same umask caveat as for the CA key applies.
146 HOST_DIR="${DIR}/hosts/${h}"
147 HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
148 mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
149 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
151 # Put a copy into swanctl directory tree
152 mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
153 cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
155 # Convert host key into DER format
# The command continues on line 157 (not shown).
156 openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
160 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
# NOTE(review): TKM_DIR is not set in the portion shown (presumably near
# line 89). Loop do/done (lines 163/167) not shown.
161 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
162 net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
164 TEST="${TEST_DIR}/tkm/${t}"
165 mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
166 cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
169 # Put DER_encoded sun private key and Root CA certificate into tkm scenarios
170 TEST="${TEST_DIR}/tkm/multiple-clients"
171 mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
172 cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
174 # Convert moon private key into unencrypted PKCS#8 format
175 TEST="${TEST_DIR}/ikev2/rw-pkcs8"
176 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
177 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
178 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
# -nocrypt: plain PrivateKeyInfo, no password; fixture for the rw-pkcs8 test.
179 openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
181 # Convert carol private key into v1.5 DES encrypted PKCS#8 format
182 HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
183 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
184 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
# PKCS#5 v1.5 PBE with MD5/DES is obsolete and weak; it is produced here only
# so the legacy parser path gets exercised (OpenSSL 3 may need the legacy
# provider for it). The passphrase must match what the scenario configures
# for carol; `-passout pass:` also exposes it in the process list, which is
# acceptable for a test fixture but not for real key material.
185 openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
186 -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
188 # Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
189 HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
190 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
191 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
# PKCS#5 v2.0 (PBES2) with AES-128 — the current, recommended encoding.
192 openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v2 aes128 \
193 -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
195 ################################################################################
196 # Public Key Extraction #
197 ################################################################################
# Raw SubjectPublicKeyInfo blobs for the pubkey/DNSSEC scenarios, which
# authenticate peers by bare public key instead of certificates. Only public
# material is copied here; the private keys stay in the rsa/ directories.
199 # Extract the raw moon public key for the swanctl/net2net-pubkey scenario
200 TEST="${TEST_DIR}/swanctl/net2net-pubkey"
201 TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
202 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
203 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
204 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
205 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
206 cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
208 # Put a copy into the following ikev2 scenarios
# Loop do/done (lines 210/214) not shown; the legacy layout keeps raw public
# keys in ipsec.d/certs.
209 for t in net2net-dnssec net2net-pubkey rw-dnssec
211 TEST="${TEST_DIR}/ikev2/${t}"
212 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
213 cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
216 # Put a copy into the ikev2/net2net-pubkey scenario
217 TEST="${TEST_DIR}/ikev2/net2net-pubkey"
218 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
219 cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
221 # Put a copy into the swanctl/rw-dnssec scenario
222 TEST="${TEST_DIR}/swanctl/rw-dnssec"
223 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
224 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
226 # Put a copy into the following swanctl scenarios
# Nested loops (do/done on lines 228/231/234-235 not shown): moon's public
# key goes to all three hosts of each scenario.
227 for t in rw-pubkey-anon rw-pubkey-keyid
229 TEST="${TEST_DIR}/swanctl/${t}"
230 for h in moon carol dave
232 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
233 cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
237 # Extract the raw sun public key for the swanctl/net2net-pubkey scenario
238 TEST="${TEST_DIR}/swanctl/net2net-pubkey"
239 TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
240 HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
# Output directories were created on lines 203-204 above.
241 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
242 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
244 # Put a copy into the ikev2/net2net-dnssec scenario
245 TEST="${TEST_DIR}/ikev2/net2net-dnssec"
246 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
247 cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
249 # Put a copy into the ikev2/net2net-pubkey scenario
250 TEST="${TEST_DIR}/ikev2/net2net-pubkey"
251 cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
252 cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
254 # Put a copy into the swanctl/rw-pubkey-anon scenario
255 TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
256 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
258 # Extract the raw carol public key for the swanctl/rw-dnssec scenario
259 TEST="${TEST_DIR}/swanctl/rw-dnssec"
260 TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
261 HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
262 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
263 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
265 # Put a copy into the swanctl/rw-pubkey-anon scenario
# The gateway (moon) needs each client's public key to authenticate it.
266 TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
267 cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
268 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
270 # Put a copy into the swanctl/rw-pubkey-keyid scenario
271 TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
272 cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
273 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
275 # Extract the raw dave public key for the swanctl/rw-dnssec scenario
276 TEST="${TEST_DIR}/swanctl/rw-dnssec"
277 TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
278 HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
279 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
280 pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
282 # Put a copy into the swanctl/rw-pubkey-anon scenario
283 TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
284 cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
285 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
287 # Put a copy into the swanctl/rw-pubkey-keyid scenario
288 TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
289 cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
290 cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
292 ################################################################################
293 # Host Certificate Generation #
294 ################################################################################
296 # function issue_cert: serial host cn [ou]
# The function header and the OU handling (lines 297-306) are not shown.
# Judging by the DN on line 313, OU presumably expands to " OU=<arg>," when a
# fourth argument is given and stays empty otherwise — TODO confirm.
299 # does optional OU argument exist?
307 HOST_DIR="${DIR}/hosts/${2}"
308 HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
309 HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
310 mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs
# The CN doubles as the subjectAltName (pki derives e-mail vs. DNS type from
# the string). The CDP URI is embedded so peers can locate the CRL built later.
# Unquoted ${3}/${1} are fine only because callers pass single tokens.
311 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
312 --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
313 --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
314 --outform pem > ${HOST_CERT}
# Every issued certificate is also filed by serial under CA_DIR/certs; later
# sections pick certificates up from there (e.g. 01.pem for carol).
315 cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
317 # Put a certificate copy into swanctl directory tree
318 mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
319 cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
322 # Generate host certificates
# Serials 01-07 are fixed here; the remaining certificates use SERIAL, whose
# assignments are not part of the excerpt shown.
323 issue_cert 01 carol carol@strongswan.org Research
324 issue_cert 02 dave dave@strongswan.org Accounting
325 issue_cert 03 moon moon.strongswan.org
326 issue_cert 04 sun sun.strongswan.org
327 issue_cert 05 alice alice@strongswan.org Sales
328 issue_cert 06 venus venus.strongswan.org
329 issue_cert 07 bob bob@strongswan.org Research
331 # Create PKCS#12 file for moon
332 TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
333 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
334 HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
335 MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
336 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
# -aes128 selects the PBE for the private-key bag only; the certificate-bag
# encryption and the MAC stay at OpenSSL's version-dependent defaults.
# NOTE(review): stderr is discarded, so a failure here only shows up later as
# an empty .p12 file.
337 openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
338 -certfile ${CA_CERT} -caname "strongSwan Root CA" \
339 -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
341 # Create PKCS#12 file for sun
342 HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
343 HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
344 SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
345 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
# Same caveats as for moon's PKCS#12 above.
346 openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
347 -certfile ${CA_CERT} -caname "strongSwan Root CA" \
348 -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
350 # Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
# Loop do/done (lines 352/358) not shown.
351 for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
353 TEST="${TEST_DIR}/${t}"
354 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
355 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
356 cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
357 cp ${SUN_PKCS12} ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
360 ################################################################################
361 # DNSSEC Zone Files #
362 ################################################################################
364 # Store moon and sun certificates in strongswan.org zone
365 ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
366 echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
# Loop header (lines 367-368) not shown. Each certificate becomes a CERT RR
# (RFC 4398) with type 1 = PKIX, key tag 0, algorithm 0; the PEM armour lines
# are stripped and the base64 body is indented for the zone file.
369 HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
370 cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
371 echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
374 # Store public keys in strongswan.org zone
375 echo ";" >> ${ZONE_FILE}
376 for h in moon sun carol dave
# IPSECKEY RR (RFC 4025): precedence 10, gateway type 3 (domain name),
# algorithm 2 (RSA), gateway <host>.strongswan.org., then the public key in
# the DNS key encoding that `pki --pub --outform dnskey` emits, wrapped at 64.
378 HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
379 pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
380 echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
383 # Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
# Same key and same serial (01) as carol's main certificate, differing only in
# the CRL distribution point. Two certificates sharing issuer+serial is outside
# what RFC 5280 allows, but it is what this scenario relies on.
384 TEST="${TEST_DIR}/swanctl/crl-to-cache"
385 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
386 HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
387 CN="carol@strongswan.org"
388 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
389 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
390 --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
391 --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
392 --outform pem > ${TEST_CERT}
394 # Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
# Likewise serial 03, as for moon's main certificate.
395 TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
396 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
397 CN="moon.strongswan.org"
398 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
399 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
400 --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
401 --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
402 --outform pem > ${TEST_CERT}
404 # Encrypt carolKey.pem
405 HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
# Same passphrase as carol's PKCS#8 fixture above; it must match whatever the
# scenarios configure in their secrets. The key in ipsec.d/private is rewritten
# in place (the command continues on line 408, not shown); the swanctl/rsa
# copy stays unencrypted.
406 KEY_PWD="nH5ZQEWtku0RJEZ6"
407 openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
410 # Put a copy into the ikev2/dynamic-initiator scenario
# dave is provisioned with carol's encrypted key and carol's certificate
# (01.pem) in these scenarios — presumably so dave can act as carol from a
# different address. Loop do/done (lines 412/418) not shown.
411 for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
413 TEST="${TEST_DIR}/${t}"
414 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
415 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
416 cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
417 cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
420 # Put a copy into the swanctl/rw-cert scenario
421 TEST="${TEST_DIR}/swanctl/rw-cert"
422 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
423 cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
425 # Generate another carol certificate and revoke it
# A fresh key and certificate (SERIAL assigned on line 430, not shown) that is
# immediately revoked with reason keyCompromise. The resulting CRL replaces
# the stale one in CA_LAST_CRL so later `--lastcrl` runs carry this entry.
426 TEST="${TEST_DIR}/ikev2/crl-revoked"
427 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
428 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
429 CN="carol@strongswan.org"
431 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
432 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
433 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
434 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
435 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
436 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
437 --outform pem > ${TEST_CERT}
438 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
439 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
440 --serial ${SERIAL} > ${CA_CRL}
441 cp ${CA_CRL} ${CA_LAST_CRL}
443 # Put a copy into the ikev2/ocsp-revoked scenario
# The same revoked key/cert pair is reused for the OCSP variant of the test.
444 TEST="${TEST_DIR}/ikev2/ocsp-revoked"
445 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
446 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
447 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
448 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
450 # Generate another carol certificate with SN=002
# Second certificate for the same identity, distinguished by a serialNumber
# DN attribute (SN=002); SERIAL assignment (line 454) not shown.
451 TEST="${TEST_DIR}/ikev2/two-certs"
452 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
453 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
455 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
456 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
457 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
458 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
459 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
460 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
461 --outform pem > ${TEST_CERT}
462 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
464 ################################################################################
465 # Research CA Certificate Generation #
466 ################################################################################
468 # Generate a Research CA certificate signed by the Root CA and revoke it
# SERIAL assignment (line 471) not shown. The CA certificate is revoked with
# reason cACompromise; --lastcrl merges the previous CRL so the earlier carol
# entry is kept in the new CRL.
469 TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
470 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
472 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
473 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
474 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
475 --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
476 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
477 --outform pem > ${TEST_CERT}
478 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
479 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
480 --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
483 # Generate Research CA with the same private key as above signed by Root CA
# The "real" Research CA: same key, new serial (assignment on line 484 not
# shown). CRL entries are keyed by serial, so the cACompromise entry above
# does not affect this certificate — only the test copy is revoked.
485 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
486 --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
487 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
488 --outform pem > ${RESEARCH_CERT}
489 cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
491 # Put a certificate copy into the following scenarios
# Loop do/done (lines 495/499) not shown. moon is the gateway and needs the
# intermediate to build chains for Research clients.
492 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
493 ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
494 ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
496 TEST="${TEST_DIR}/${t}"
497 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
498 cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
# Loop do/done (lines 503/507) not shown.
501 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
502 ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
504 TEST="${TEST_DIR}/${t}"
505 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
506 cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
# Loop do/done (lines 510/514) not shown.
509 for t in multi-level-ca ocsp-multi-level
511 TEST="${TEST_DIR}/swanctl/${t}"
512 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
513 cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
# Loop do/done (lines 517/521) not shown.
516 for t in rw-hash-and-url-multi-level
518 TEST="${TEST_DIR}/swanctl/${t}"
519 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
520 cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
523 # Convert Research CA certificate into DER format
524 openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
526 # Generate Research CA with the same private key as above but invalid CDP
# Third certificate for the Research key whose CDP points at a CRL that does
# not exist; the multi-level-ca-skipped scenario exercises the behaviour when
# revocation information cannot be fetched. SERIAL assignment not shown.
527 TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
528 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
529 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
530 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
531 --crl "http://crl.strongswan.org/not-available.crl" \
532 --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
533 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
534 --outform pem > ${TEST_CERT}
536 ################################################################################
537 # Sales CA Certificate Generation #
538 ################################################################################
540 # Generate Sales CA signed by Root CA
# SERIAL assignment (line 541) not shown.
542 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
543 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
544 --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
545 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
546 --outform pem > ${SALES_CERT}
547 cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
549 # Put a certificate copy into the following scenarios
# NOTE(review): no mkdir here — this relies on the Research CA loop above
# having created moon's cacerts/ for every scenario in this list (it is a
# subset of that list). ikev2/ocsp-multi-level appears twice; the second copy
# merely overwrites the first. Loop do/done (lines 553/556) not shown.
550 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
551 ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
552 ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
554 TEST="${TEST_DIR}/${t}"
555 cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
# Loop do/done (lines 560/564) not shown.
558 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
559 ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
561 TEST="${TEST_DIR}/${t}"
562 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
563 cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
# Loop do/done (lines 567/570) not shown; x509ca/ was created in the Research
# CA section above.
566 for t in multi-level-ca ocsp-multi-level
568 TEST="${TEST_DIR}/swanctl/${t}"
569 cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
# Loop do/done (lines 573/577) not shown.
572 for t in rw-hash-and-url-multi-level
574 TEST="${TEST_DIR}/swanctl/${t}"
575 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
576 cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
579 # Convert Sales CA certificate into DER format
580 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
582 # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
# strong-keys-certs: one certificate per non-default signature digest
# (SHA-224/384/512) with the matching key encrypted in place using AES-128/
# 192/256. Each `openssl rsa ... -out ${TEST_KEY}` continues on a line not
# shown (597/614/631), and each SERIAL assignment is likewise not shown.
583 TEST="${TEST_DIR}/ikev2/strong-keys-certs"
584 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
585 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
586 KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
587 CN="moon.strongswan.org"
589 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
590 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
591 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
592 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
593 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
594 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
595 --digest sha224 --outform pem > ${TEST_CERT}
# In-place rewrite: the plaintext key is overwritten with the encrypted one,
# so a failure mid-way would leave no usable key (test fixture only).
596 openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
598 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
600 # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
601 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
602 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
603 KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
604 CN="carol@strongswan.org"
606 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
607 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
608 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
609 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
610 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
611 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
612 --digest sha384 --outform pem > ${TEST_CERT}
613 openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
615 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
617 # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
618 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
619 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
620 KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
621 CN="dave@strongswan.org"
623 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
624 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
625 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
626 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
627 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
628 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
629 --digest sha512 --outform pem > ${TEST_CERT}
630 openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
632 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
634 # Generate another carol certificate with an OCSP URI
# --ocsp adds an authorityInfoAccess OCSP entry pointing at CA_OCSP, so a
# verifier can query the responder instead of (or in addition to) the CRL.
# SERIAL assignment (line 639) not shown.
635 TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
636 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
637 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
638 CN="carol@strongswan.org"
640 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
641 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
642 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
643 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
644 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
645 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
646 --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
647 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
649 # Put a copy into the ikev2/ocsp-timeouts-good scenario
650 TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
651 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
652 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
653 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
654 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
656 # Put a copy into the swanctl/ocsp-signer-cert scenario
# NOTE(review): this `cd` is unchecked. If the scenario directory is missing,
# whatever follows inside the loop (lines 660-663, not shown) runs in the
# previous working directory; `cd ... || exit 1` would fail fast instead.
657 for t in ocsp-signer-cert ocsp-disabled
659 cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
665 # Generate an OCSP Signing certificate for the strongSwan Root CA
# --flag ocspSigning sets EKU id-kp-OCSPSigning. Being issued by the root,
# this is a delegated responder certificate (RFC 6960 §4.2.2.2): responses it
# signs are trusted for certificates of this root only. SERIAL not shown.
666 TEST_KEY="${CA_DIR}/ocspKey.pem"
667 TEST_CERT="${CA_DIR}/ocspCert.pem"
668 CN="ocsp.strongswan.org"
669 OU="OCSP Signing Authority"
671 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
672 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
673 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
674 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
675 --flag ocspSigning --outform pem > ${TEST_CERT}
676 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
678 # Generate a self-signed OCSP Signing certificate
# Not chained to the root: this responder certificate is only trusted where
# it is explicitly installed (the ocspcerts/ directories below), which is what
# the ocsp-local-cert scenario tests.
679 TEST_KEY="${CA_DIR}/ocspKey-self.pem"
680 TEST_CERT="${CA_DIR}/ocspCert-self.pem"
681 OU="OCSP Self-Signed Authority"
682 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
683 pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
684 --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
685 --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
686 --outform pem > ${TEST_CERT}
688 # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
689 TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
690 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
691 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
692 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
693 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
695 # Generate mars virtual server certificate
696 TEST="${TEST_DIR}/ha/both-active"
697 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
698 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
699 CN="mars.strongswan.org"
700 OU="Virtual VPN Gateway"
702 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
703 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
704 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
705 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
706 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
707 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
708 --flag serverAuth --outform pem > ${TEST_CERT}
709 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
711 # Put a copy into the mirrored gateway
712 mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
713 mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
714 cp ${TEST_KEY} ${TEST}/hosts/alice/${IPSEC_DIR}/private
715 cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
717 # Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
718 for t in "ha/active-passive" "ikev2/redirect-active"
720 TEST="${TEST_DIR}/${t}"
723 mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
724 mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
725 cp ${TEST_KEY} ${TEST}/hosts/${h}/${IPSEC_DIR}/private
726 cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
# Negative fixture: moon's certificate carries an extension under a private OID
# arc (1.3.6.1.4.1.36906.1) marked critical. A relying party that does not
# recognise a critical extension must reject the certificate (RFC 5280 §4.2),
# which is presumably what the critical-extension scenarios check.
730 # Generate moon certificate with an unsupported critical X.509 extension
731 TEST="${TEST_DIR}/ikev2/critical-extension"
732 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
733 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
734 CN="moon.strongswan.org"
736 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
737 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
738 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
# Issued by the Root CA with a CDP and the serverAuth EKU like the regular
# gateway certificates; only the added critical extension differs.
739 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
740 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
741 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
742 --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
743 --outform pem > ${TEST_CERT}
# Archived in the CA's serial-numbered store. NOTE(review): how SERIAL advances
# between issuances is not visible in this listing; if it does not, later
# certificates overwrite this file and share its serial number, which breaks
# CRL/OCSP status lookups -- confirm against the source.
744 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Same key pair and certificate reused in the swanctl-style layout
# (rsa/ and x509/ instead of private/ and certs/).
746 # Put a copy in the openssl-ikev2/critical extension scenario
747 TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
748 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
749 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
750 cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
751 cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
# Counterpart of the moon fixture above: sun's certificate carries the same
# unrecognised critical extension, so both ends of the tunnel present a
# certificate that a conforming verifier must reject (RFC 5280 §4.2).
753 # Generate sun certificate with an unsupported critical X.509 extension
754 TEST="${TEST_DIR}/ikev2/critical-extension"
755 TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
756 TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
757 CN="sun.strongswan.org"
759 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
760 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
761 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
762 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
763 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
764 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
765 --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
766 --outform pem > ${TEST_CERT}
# Archived under the CA's serial-numbered store (see the SERIAL remark on the
# moon fixture: the increment is not visible here).
767 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Same key and certificate in the swanctl-style layout for the openssl scenario.
769 # Put a copy in the openssl-ikev2/critical extension scenario
770 TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
771 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
772 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
773 cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
774 cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
# TLS server identity for winnetou, the host that holds the CA material
# (CA_DIR lives under hosts/winnetou) and that the CDP/OCSP URLs point at.
# Key and certificate are written straight into CA_DIR rather than a scenario.
776 # Generate winnetou server certificate
777 HOST_KEY="${CA_DIR}/winnetouKey.pem"
778 HOST_CERT="${CA_DIR}/winnetouCert.pem"
779 CN="winnetou.strongswan.org"
781 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
# Root-CA-issued, with CDP and serverAuth EKU; no OU in the subject.
782 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
783 --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
784 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
785 --flag serverAuth --outform pem > ${HOST_CERT}
786 cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Server certificate for the AAA/EAP server role played by alice in the TNC
# scenarios; issued by the Root CA with CDP and serverAuth EKU.
788 # Generate AAA server certificate
789 TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
790 TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
791 TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
792 CN="aaa.strongswan.org"
# NOTE(review): this cd is unchecked and the relative mkdir it is presumably
# followed by is not in this listing. If the directory is missing, cd fails and
# the relative operations act on the previous working directory; use
# `cd "..." || exit 1` (harmless under set -e, a real guard without it).
794 cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
796 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
797 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
798 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
799 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
800 --flag serverAuth --outform pem > ${TEST_CERT}
801 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# NOTE(review): the loop's `do`/`done` and its relative mkdir/cp body are not in
# this listing; the same unchecked-cd caveat applies to each iteration.
803 # Put a copy into various tnc scenarios
804 for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
806 cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
# The private key and certificate are also handed to alice's FreeRADIUS
# instance (raddb/certs), so the RADIUS server and the strongSwan PDP share
# one identity; ${DIR} is the testing root, not a scenario directory.
812 # Put a copy into the alice FreeRADIUS server
813 cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
815 ################################################################################
816 # strongSwan Attribute Authority #
817 ################################################################################
# Attribute Authority (AA) that issues the attribute certificates below. Its
# certificate is Root-CA-issued with the intermediate lifetime (IM_END, 9 years),
# no SAN and no --flag, and is kept by moon in aacerts/ (the AA trust store);
# acerts/ is prepared to receive the attribute certificates.
819 # Generate Attribute Authority certificate
820 TEST="${TEST_DIR}/ikev2/acert-cached"
821 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
822 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
823 CN="strongSwan Attribute Authority"
825 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
826 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
827 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
828 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
829 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
830 --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
831 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
832 --outform pem > ${TEST_CERT}
833 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Attribute certificates signed with the AA key above. The holder is bound to
# an archived end-entity certificate by serial (01.pem and 02.pem, carol and
# dave according to the comments), so these depend on the Root CA section
# having stored those two files.
835 # Generate carol's attribute certificate for sales and finance
836 ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
837 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
838 --in ${CA_DIR}/certs/01.pem --group sales --group finance \
839 --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
# Negative fixture: SH_END is one day in the past, so this attribute
# certificate is already expired when generated.
841 # Generate dave's expired attribute certificate for sales
842 ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
843 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
844 --in ${CA_DIR}/certs/02.pem --group sales \
845 --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
# Valid fixture that starts at SH_END (yesterday) rather than START; the
# ACERT_DM variable is kept because the acert-inline scenario copies it later.
847 # Generate dave's attribute certificate for marketing
848 ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
849 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
850 --in ${CA_DIR}/certs/02.pem --group marketing \
851 --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
# acert-fallback: moon gets the AA key and certificate; carol carries her own
# attribute certificates (one expired, one valid) instead of moon caching them.
853 # Put a copy into the ikev2/acert-fallback scenario
854 TEST="${TEST_DIR}/ikev2/acert-fallback"
855 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
856 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
857 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/acerts
858 cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
859 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
# Expired at generation time (not-after = SH_END, one day ago).
861 # Generate carol's expired attribute certificate for finance
862 ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
863 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
864 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
865 --in ${CA_DIR}/certs/01.pem --group finance \
866 --not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
# Valid from yesterday (SH_END) until EE_END; ACERT_CS is reused by the
# acert-inline scenario below.
868 # Generate carol's valid attribute certificate for sales
869 ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
870 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
871 --in ${CA_DIR}/certs/01.pem --group sales \
872 --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
# acert-inline: the clients (carol, dave) present their attribute certificates
# inline; moon only needs the AA key/certificate to verify them. Note that TEST
# stays set to this scenario for the "Legacy AA" fixtures that follow.
874 # Put a copy into the ikev2/acert-inline scenario
875 TEST="${TEST_DIR}/ikev2/acert-inline"
876 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
877 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
878 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
879 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
880 cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private
881 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
882 cp ${ACERT_CS} ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
883 cp ${ACERT_DM} ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
# A second AA whose certificate expired yesterday (not-after = SH_END). Key
# and certificate go into the acert-inline scenario (TEST is still set from
# the previous section); TEST_KEY/TEST_CERT are re-pointed here, so the
# original AA files are no longer referenced after this point.
885 # Generate a short-lived Attribute Authority certificate
886 CN="strongSwan Legacy AA"
887 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
888 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
890 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
891 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
892 --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
893 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
894 --outform pem > ${TEST_CERT}
895 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
# Negative fixture: the attribute certificate itself is valid until EE_END, but
# its issuer has already expired, so a verifier is presumably expected to
# reject it on the issuer's validity rather than on its own.
897 # Generate dave's attribute certificate for sales from expired AA
898 ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
899 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
900 pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
901 --in ${CA_DIR}/certs/02.pem --group sales \
902 --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
904 ################################################################################
905 # strongSwan Root CA index for OCSP server #
906 ################################################################################
# Fill the OpenSSL-style index template with build-time timestamps. The
# substituted values use the %y%m%d%H%M%SZ format (digits and a trailing Z),
# so they cannot collide with the `/` delimiter of the sed expressions.
# REVOCATION is replaced by NOW, i.e. the entries marked revoked in the
# template are revoked as of this build.
908 # generate index.txt file for Root OCSP server
909 cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
910 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
911 sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
912 sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
913 sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
915 ################################################################################
917 ################################################################################
# carol's end-entity certificate under the Research sub-CA (two-level chain),
# with the Research CDP and no EKU flag. It is archived in the Research CA's
# serial-numbered store, not the root's.
919 # Generate a carol research certificate
920 TEST="${TEST_DIR}/ikev2/multi-level-ca"
921 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
922 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
923 CN="carol@strongswan.org"
925 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
926 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
927 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
928 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
929 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
930 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
931 --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
932 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
# An unencrypted DER copy of the private key is stored next to the CA material
# under keys/<serial>.der; why the CA host needs end-entity private keys is not
# evident here. NOTE(review): stderr is discarded, so a failed conversion
# (missing keys/ directory, unreadable input) would go unnoticed.
934 # Save a copy of the private key in DER format
935 openssl rsa -in ${TEST_KEY} -outform der \
936 -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
# Fan-out of the same key/certificate to every multi-level scenario.
# NOTE(review): the `do`/`done` of both loops are not in this listing.
938 # Put a copy in the following scenarios
939 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
940 ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
941 ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
942 ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
943 ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
944 ikev1/multi-level-ca-cr-resp
946 TEST="${TEST_DIR}/${t}"
947 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
948 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
949 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
950 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
# swanctl-layout scenarios (rsa/ and x509/ directories).
953 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
955 TEST="${TEST_DIR}/swanctl/${t}"
956 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
957 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
958 cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
959 cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
# Second certificate for the same carol key (TEST_KEY is unchanged from the
# section above) with neither --crl nor --ocsp, i.e. no revocation pointer at
# all; presumably the "strict, if-URI" OCSP scenario checks how a certificate
# without any URI is treated. Unlike the other issuances it is not archived in
# the Research CA's certs/ store.
962 # Generate a carol research certificate without a CDP
963 TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
964 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
965 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
966 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
967 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
968 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
969 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
970 --outform pem > ${TEST_CERT}
971 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
# Delegated OCSP responder certificate for the Research CA: issued by the
# Research CA itself with the ocspSigning EKU (--flag ocspSigning), which is
# what lets a client accept its responses for Research-issued certificates.
# Key and certificate stay with the CA material on the CA host.
973 # Generate an OCSP Signing certificate for the Research CA
974 TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
975 TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
976 OU="Research OCSP Signing Authority"
977 CN="ocsp.research.strongswan.org"
979 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
980 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
981 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
982 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
983 --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
984 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
# Cross-certificate: the existing Sales CA key (SALES_KEY) gets a second CA
# certificate issued by the Research CA. Together with the mirror image in the
# Sales section (Research CA signed by Sales) this deliberately creates a cycle
# in the CA graph for the multi-level-ca-loop scenario; it is installed only in
# that scenario's moon trust store, not anywhere else.
986 # Generate a Sales CA certificate signed by the Research CA
987 TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
988 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
990 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
991 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
992 --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
993 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
994 --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
995 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
997 ################################################################################
999 ################################################################################
# Third-level CA (Root -> Research -> Duck Research) with its own key, issued
# with --ca and no path-length option of its own. The scenario name below
# suggests it exists to exercise a pathLenConstraint on the Research CA; that
# constraint is not visible here.
1001 # Generate a Duck Research CA certificate signed by the Research CA
1003 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
1004 pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
1005 --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1006 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
1007 --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
1008 cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
# NOTE(review): unlike the other cacerts/ copies in this script there is no
# `mkdir -p .../cacerts` first; if the directory does not already exist, cp
# creates a regular file named cacerts and the trust store is silently wrong.
1010 # Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
1011 TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
1012 cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
# End-entity certificate issued by the Duck Research CA, without any CDP
# (no --crl); archived under DUCK_DIR/certs, which must already exist.
1014 # Generate a carol certificate signed by the Duck Research CA
1015 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
1016 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1017 CN="carol@strongswan.org"
1019 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1020 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1021 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1022 pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
1023 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1024 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
1025 --outform pem > ${TEST_CERT}
1026 cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
# Research OCSP index: only the end-entity expiry placeholder is substituted
# here (no IM/SH/REVOCATION placeholders as in the root index).
1028 # Generate index.txt file for Research OCSP server
1029 cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
1030 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
1032 ################################################################################
1034 ################################################################################
# dave's end-entity certificate under the Sales sub-CA, the Sales-side
# counterpart of carol's Research certificate: Sales CDP, no EKU flag,
# archived in the Sales CA's serial-numbered store.
1036 # Generate a dave sales certificate
1037 TEST="${TEST_DIR}/ikev2/multi-level-ca"
1038 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
1039 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1040 CN="dave@strongswan.org"
1042 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1043 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1044 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1045 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1046 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1047 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1048 --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1049 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
# Unencrypted DER copy of the private key kept with the CA material; stderr is
# discarded, so a failed conversion goes unnoticed (same caveat as for carol).
1051 # Save a copy of the private key in DER format
1052 openssl rsa -in ${TEST_KEY} -outform der \
1053 -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
# Fan-out to the multi-level scenarios (fewer than carol's list: no -loop,
# -revoked or -skipped). NOTE(review): the loops' `do`/`done` are not in this
# listing.
1055 # Put a copy in the following scenarios
1056 for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
1057 ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
1058 ikev2/ocsp-multi-level ikev1/multi-level-ca \
1059 ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp
1061 TEST="${TEST_DIR}/${t}"
1062 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1063 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1064 cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
1065 cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1068 for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
1070 TEST="${TEST_DIR}/swanctl/${t}"
1071 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1072 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1073 cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1074 cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
# Second certificate for dave's existing key (TEST_KEY unchanged from above)
# whose only revocation pointer is an OCSP URI on port 8882 that, per the
# comment, nothing answers on -- a fixture for the "strict, if-URI" OCSP
# scenario where the responder is unreachable. Not archived in the Sales store.
1077 # Generate a dave sales certificate with an inactive OCSP URI and no CDP
1078 TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
1079 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
1080 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1081 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1082 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1083 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1084 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
1085 --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
1086 cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
# Delegated OCSP responder for the Sales CA, mirroring the Research one:
# issued by the Sales CA with the ocspSigning EKU; key and certificate remain
# with the CA material on the CA host.
1088 # Generate an OCSP Signing certificate for the Sales CA
1089 TEST_KEY="${SALES_DIR}/ocspKey.pem"
1090 TEST_CERT="${SALES_DIR}/ocspCert.pem"
1091 OU="Sales OCSP Signing Authority"
1092 CN="ocsp.sales.strongswan.org"
1094 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1095 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1096 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1097 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
1098 --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
1099 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
# Mirror image of the Research-signed Sales CA certificate: the existing
# Research CA key gets a CA certificate issued by the Sales CA. The two
# cross-certificates close a Research <-> Sales cycle that only the
# multi-level-ca-loop scenario's moon trust store contains.
1101 # Generate a Research CA certificate signed by the Sales CA
1102 TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
1103 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
1105 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1106 pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
1107 --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
1108 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
1109 --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
1110 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
# Sales OCSP index: only the end-entity expiry placeholder is substituted.
1112 # generate index.txt file for Sales OCSP server
1113 cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
1114 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
1116 ################################################################################
1117 # strongSwan EC Root CA #
1118 ################################################################################
# Self-signed P-521 root (CA_END = 10 years). Being self-signed it carries no
# CDP; the root key stays in ECDSA_DIR on the CA host.
1120 # Generate strongSwan EC Root CA
1121 pki --gen --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
1122 pki --self --type ecdsa --in ${ECDSA_KEY} \
1123 --not-before "${START}" --not-after "${CA_END}" --ca \
1124 --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
1125 --outform pem > ${ECDSA_CERT}
# Install the root certificate as trust anchor (x509ca/) for all three hosts
# of both openssl-ikev2 ECDSA scenarios. NOTE(review): the `do`/`done` of the
# two nested loops are not in this listing.
1127 # Put a copy in the openssl-ikev2/ecdsa-certs scenario
1128 for t in ecdsa-certs ecdsa-pkcs8
1130 TEST="${TEST_DIR}/openssl-ikev2/${t}"
1131 for h in moon carol dave
1133 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1134 cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
# moon's ECDSA certificate on P-521, issued by the EC root with the ECDSA CDP.
# MOON_KEY/MOON_CERT are kept as named variables because later sections
# (ecdsa-pkcs8, openssl-ikev1) reuse them.
1138 # Generate a moon ECDSA 521 bit certificate
1139 TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
1140 MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
1141 MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1142 CN="moon.strongswan.org"
1144 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
1145 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1146 pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
# NOTE(review): the OU says "ECDSA 512 bit" while the key is generated with
# --size 521 (P-521). The string is part of the subject DN, which scenario
# configurations may match on, so correct it only together with them.
1147 pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1148 --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1149 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
1150 --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
1151 cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
# carol's certificate on P-256: a curve different from the root's P-521, so the
# scenario exercises mixed-curve chains. CAROL_KEY/CAROL_CERT are reused later.
1153 # Generate a carol ECDSA 256 bit certificate
1154 CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
1155 CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1156 CN="carol@strongswan.org"
1158 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
1159 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1160 pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
1161 pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1162 --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1163 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
1164 --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
1165 cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
# dave's certificate on P-384 (third curve in the same chain). DAVE_KEY/
# DAVE_CERT are reused by the pkcs8 and openssl-ikev1 sections.
1167 # Generate a dave ECDSA 384 bit certificate
1168 DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
1169 DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1170 CN="dave@strongswan.org"
1172 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
1173 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1174 pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
1175 pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
1176 --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1177 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
1178 --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
1179 cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
# The pkcs8 scenario reuses the ecdsa-certs certificates as-is; only the
# private keys are re-encoded (next section), so no key is copied here.
1181 # Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
1182 TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
1183 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1184 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1185 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1186 cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1187 cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1188 cp ${DAVE_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
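# Re-encode the three ECDSA keys as PKCS#8 for the ecdsa-pkcs8 scenario: one
# plain PrivateKeyInfo and two EncryptedPrivateKeyInfo variants, so the loader
# is exercised with both legacy PBES1 and current PBES2 protection.
#
# The passphrases are test fixtures; they are presumably referenced by the
# scenario's swanctl secrets and must stay byte-for-byte identical.

# Convert moon private key into unencrypted PKCS#8 format. -nocrypt is intended
# here: with -topk8 it makes openssl write a plain PrivateKeyInfo.
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}

# Convert carol private key into v1.5 DES encrypted PKCS#8 format (PBES1 with
# MD5/DES -- a weak legacy scheme kept only to test that it can still be read).
# -nocrypt must NOT be passed: with -topk8 it makes openssl emit an unencrypted
# PrivateKeyInfo and silently ignore -v1/-v2 and -passout, so the fixture would
# not be encrypted at all. The grep below fails the build if that happens.
# On OpenSSL 3.x single DES lives in the legacy provider; if this step reports
# an unsupported algorithm, add `-provider legacy -provider default`.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${CAROL_KEY} -topk8 -v1 PBE-MD5-DES \
	-passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
grep -q "BEGIN ENCRYPTED PRIVATE KEY" ${TEST_KEY} || \
	{ echo "error: ${TEST_KEY} is not encrypted" >&2; exit 1; }

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format (PBES2).
# Same rule as above: no -nocrypt, and verify the output really is encrypted.
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${DAVE_KEY} -topk8 -v2 aes128 \
	-passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
grep -q "BEGIN ENCRYPTED PRIVATE KEY" ${TEST_KEY} || \
	{ echo "error: ${TEST_KEY} is not encrypted" >&2; exit 1; }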
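# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario.
# Each host directory is entered with cd and then populated through relative
# paths (ecdsa/ = own key, x509/ = own certificate, x509ca/ = EC root as trust
# anchor). A cd that fails -- the scenario directory missing or renamed --
# must therefore abort, otherwise the mkdir/cp below would silently land in
# whatever the previous working directory was.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp ${MOON_KEY} ecdsa
cp ${MOON_CERT} x509
cp ${ECDSA_CERT} x509ca
cd "${TEST}/hosts/carol/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp ${CAROL_KEY} ecdsa
cp ${CAROL_CERT} x509
cp ${ECDSA_CERT} x509ca
cd "${TEST}/hosts/dave/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp ${DAVE_KEY} ecdsa
cp ${DAVE_CERT} x509
cp ${ECDSA_CERT} x509ca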
1225 ################################################################################
1226 # strongSwan RFC3779 Root CA #
1227 ################################################################################
# Self-signed root carrying RFC 3779 IP address blocks. Under RFC 3779 the
# blocks of an issued certificate must lie within its issuer's, so these four
# ranges bound everything the end-entity certificates below may claim (each of
# their blocks is indeed inside one of these ranges).
1229 # Generate strongSwan RFC3779 Root CA
1230 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
1231 pki --self --type rsa --in ${RFC3779_KEY} \
1232 --not-before "${START}" --not-after "${CA_END}" --ca \
1233 --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
1234 --addrblock "10.1.0.0-10.2.255.255" \
1235 --addrblock "10.3.0.1-10.3.3.232" \
1236 --addrblock "192.168.0.0/24" \
1237 --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
1238 --outform pem > ${RFC3779_CERT}
# Trust-anchor copies for the site-to-site (moon/sun) scenario ...
1240 # Put a copy in the ikev2/net2net-rfc3779 scenario
1241 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1242 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1243 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
1244 cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1245 cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
# ... and for the roadwarrior clients of the IPv6 scenario.
1247 # Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
1248 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1249 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1250 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
1251 cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
1252 cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
# moon's certificate claims the 10.1.0.0/16 and fec1::/16 subnets plus its own
# addresses (192.168.0.1, fec0::1); all are inside the root's address blocks.
1254 # Generate a moon RFC3779 certificate
1255 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1256 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1257 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1258 CN="moon.strongswan.org"
1260 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1261 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1262 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1263 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1264 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1265 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1266 --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
1267 --addrblock "fec0::1/128" --addrblock "fec1::/16" \
1268 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1269 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
# swanctl-layout copies for the IPv6 scenarios, done via cd + relative paths.
# NOTE(review): the loop's `do`/`done` and the copy of the private key into
# rsa/ are not in this listing; the cd is unchecked, so a missing scenario
# directory would make the relative mkdir/cp act on the previous cwd.
1271 # Put a copy in the ipv6 scenarios
1272 for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
1274 cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
1275 mkdir -p rsa x509 x509ca
1277 cp ${TEST_CERT} x509
1278 cp ${RFC3779_CERT} x509ca
# sun's certificate claims the 10.2.0.0/16 and fec2::/16 subnets plus its own
# addresses (192.168.0.2, fec0::2), the other half of the site-to-site setup.
1281 # Generate a sun RFC3779 certificate
1282 TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
1283 TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
1284 TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
1285 CN="sun.strongswan.org"
1287 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
1288 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
1289 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1290 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1291 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1292 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1293 --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
1294 --addrblock "fec0::2/128" --addrblock "fec2::/16" \
1295 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1296 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
# NOTE(review): the copy of the private key into rsa/ is not in this listing,
# and the cd is unchecked (see the moon section above).
1298 # Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
1299 cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
1300 mkdir -p rsa x509 x509ca
1302 cp ${TEST_CERT} x509
1303 cp ${RFC3779_CERT} x509ca
# Roadwarrior carol: single-address blocks only (10.3.0.1, 192.168.0.100,
# fec0::10), each within the root's ranges. Written directly into the swanctl
# layout of the IPv6 roadwarrior scenario.
1305 # Generate a carol RFC3779 certificate
1306 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1307 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1308 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1309 CN="carol@strongswan.org"
1311 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1312 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1313 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1314 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1315 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1316 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1317 --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
1318 --addrblock "fec0::10/128" \
1319 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1320 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
# Roadwarrior dave: single-address blocks (10.3.0.2, 192.168.0.200, fec0::20),
# each within the root's ranges; same scenario and layout as carol.
1322 # Generate a dave RFC3779 certificate
1323 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1324 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1325 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1326 CN="dave@strongswan.org"
1328 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1329 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1330 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1331 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1332 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1333 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1334 --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
1335 --addrblock "fec0::20/128" \
1336 --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1337 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1339 ################################################################################
1340 # strongSwan SHA3-RSA Root CA #
1341 ################################################################################
# PKI_PLUGINS is set only on the signing invocations (pki --self / --issue),
# pinning a plugin set known to provide SHA-3; key generation deliberately runs
# with the default plugin set. The list also contains sha1; whether that is
# needed (e.g. for key identifiers) is not evident from this script.
1343 # Use specific plugin configuration to issue certificates with SHA-3 signatures
1344 # as not all crypto plugins support them. To avoid entropy issues use the
1345 # default plugins to generate the keys.
1346 SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
# Self-signed RSA root whose signature uses SHA3-256 (--digest sha3_256);
# CA_END = 10 years, no CDP on the root itself.
1348 # Generate strongSwan SHA3-RSA Root CA
1349 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
1350 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1351 pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
1352 --not-before "${START}" --not-after "${CA_END}" --ca \
1353 --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
1354 --outform pem > ${SHA3_RSA_CERT}
# Trust-anchor copies for both ends of the swanctl site-to-site scenario.
1356 # Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
1357 TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
1358 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1359 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1360 cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1361 cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
# sun's RSA certificate, signed with SHA3-256 by the SHA-3 root under the
# pinned plugin set; SUN_KEY/SUN_CERT are named because later sections copy
# them into other scenarios.
1363 # Generate a sun SHA3-RSA certificate
1364 SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
1365 SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1366 CN="sun.strongswan.org"
1368 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
1369 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
1370 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
1371 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1372 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1373 --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1374 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1375 --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
1376 cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
# moon's certificate, same parameters; MOON_KEY/MOON_CERT are re-pointed here
# (they previously named the ECDSA files) and reused by the botan and
# rw-eap-tls scenarios below.
1378 # Generate a moon SHA3-RSA certificate
1379 MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
1380 MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1381 CN="moon.strongswan.org"
1383 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1384 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1385 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
1386 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1387 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1388 --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1389 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1390 --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
1391 cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
# Same SHA-3 material for the botan-backed variant of the scenario, installed
# via cd + relative paths. NOTE(review): the copies of moon's key and of sun's
# key/certificate are not in this listing, and both cd calls are unquoted and
# unchecked -- a missing scenario directory would leave the relative mkdir/cp
# operating on the previous working directory.
1393 # Put a copy in the botan/net2net-sha3-rsa-cert scenario
1394 TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
1395 cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1396 mkdir -p rsa x509 x509ca
1398 cp ${MOON_CERT} x509
1399 cp ${SHA3_RSA_CERT} x509ca
1400 cd ${TEST}/hosts/sun/${SWANCTL_DIR}
1401 mkdir -p rsa x509 x509ca
1404 cp ${SHA3_RSA_CERT} x509ca
# moon's SHA-3 key and certificate reused as the EAP-TLS server identity;
# TEST stays set to this scenario for the carol/dave certificates that follow.
1406 # Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
1407 TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
1408 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1409 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1410 cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
1411 cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
# Client certificates for the EAP-TLS roadwarrior scenario (TEST is still
# swanctl/rw-eap-tls-sha3-rsa), SHA3-256-signed by the SHA-3 root like the
# gateway certificates above.
1413 # Generate a carol SHA3-RSA certificate
1414 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
1415 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1416 CN="carol@strongswan.org"
1418 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
1419 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1420 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1421 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1422 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1423 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1424 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1425 --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
1426 cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
1428 # Generate a dave SHA3-RSA certificate
1429 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1430 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1431 CN="dave@strongswan.org"
1433 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1434 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1435 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1436 PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
1437 pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
1438 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1439 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
1440 --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
1441 cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
# Install the SHA-3 root as trust anchor on all three hosts of this scenario.
# NOTE(review): the loop's `do`/`done` are not in this listing.
1443 for h in moon carol dave
1445 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1446 cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1449 ################################################################################
1450 # strongSwan Ed25519 Root CA #
1451 ################################################################################
# Self-signed Ed25519 root valid until CA_END (~10 years).  No --digest is given
# anywhere in this section: Ed25519 (RFC 8032) hashes internally with a fixed
# SHA-512, so the signature algorithm carries no digest choice.  The root
# asserts two certificate policies from the project's private OID arc and each
# end entity below asserts exactly one of them -- moon and carol carry .1.1.1,
# sun and dave carry .1.1.2 -- which looks like what the rw-ed25519-certpol
# scenario exercises; check that scenario's expected output before relying on
# this reading.  --flag serverAuth / clientAuth sets the extendedKeyUsage for
# the gateways and the road warriors respectively.  Ed25519 private keys are
# PKCS#8-encoded (RFC 8410), hence the pkcs8/ credential directory instead of
# rsa/.
#
# NOTE(review): as in the other sections every `pki --issue` uses ${SERIAL}
# and archives certs/${SERIAL}.pem on the CA, so SERIAL must be bumped between
# certificates.  Private keys are written with the caller's default umask.
1453 # Generate strongSwan Ed25519 Root CA
1454 pki --gen --type ed25519 --outform pem > ${ED25519_KEY}
1455 pki --self --type ed25519 --in ${ED25519_KEY} \
1456 --not-before "${START}" --not-after "${CA_END}" --ca \
1457 --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
1458 --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
1459 --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
1460 --outform pem > ${ED25519_CERT}
1462 # Put a copy in the swanctl/net2net-ed25519 scenario
1463 TEST="${TEST_DIR}/swanctl/net2net-ed25519"
1464 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1465 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
1466 cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
1467 cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
# sun: gateway, policy .1.1.2, EKU serverAuth.
1469 # Generate a sun Ed25519 certificate
1470 SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
1471 SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
1472 CN="sun.strongswan.org"
1474 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
1475 mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
1476 pki --gen --type ed25519 --outform pem > ${SUN_KEY}
1477 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1478 --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1479 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1480 --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
1481 --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
1482 cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
# moon: gateway, policy .1.1.1, EKU serverAuth.
1484 # Generate a moon Ed25519 certificate
1485 MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
1486 MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
1487 CN="moon.strongswan.org"
1489 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1490 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1491 pki --gen --type ed25519 --outform pem > ${MOON_KEY}
1492 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1493 --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1494 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1495 --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
1496 --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
1497 cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1499 # Put a copy in the botan/net2net-ed25519 scenario
# NOTE(review): relative paths after an unchecked cd -- if the scenario
# directory is missing, the mkdir/cp below land in the previous working
# directory without any error.
1500 TEST="${TEST_DIR}/botan/net2net-ed25519"
1501 cd ${TEST}/hosts/moon/${SWANCTL_DIR}
1502 mkdir -p pkcs8 x509 x509ca
1503 cp ${MOON_KEY} pkcs8
1504 cp ${MOON_CERT} x509
1505 cp ${ED25519_CERT} x509ca
1506 cd ${TEST}/hosts/sun/${SWANCTL_DIR}
1507 mkdir -p pkcs8 x509 x509ca
1510 cp ${ED25519_CERT} x509ca
1512 # Put a copy in the ikev2/net2net-ed25519 scenario
# Legacy ipsec.d-style layout (private/, certs/, cacerts/).  Here the target
# directory is created before the cd, so the relative copies are safe.
1513 TEST="${TEST_DIR}/ikev2/net2net-ed25519"
1514 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}
1515 cd ${TEST}/hosts/moon/${IPSEC_DIR}
1516 mkdir -p cacerts certs private
1517 cp ${MOON_KEY} private
1518 cp ${MOON_CERT} certs
1519 cp ${ED25519_CERT} cacerts
1520 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}
1521 cd ${TEST}/hosts/sun/${IPSEC_DIR}
1522 mkdir -p cacerts certs private
1523 cp ${SUN_KEY} private
1524 cp ${SUN_CERT} certs
1525 cp ${ED25519_CERT} cacerts
1527 # Put a copy in the swanctl/rw-ed25519-certpol scenario
# moon's credentials are reused; carol and dave are generated straight into
# this scenario below, and all three hosts get the root in x509ca/.
1528 TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
1529 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1530 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1531 cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
1532 cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1534 for h in moon carol dave
1536 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1537 cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
# carol: road warrior, policy .1.1.1 (same as moon), EKU clientAuth.
1540 # Generate a carol Ed25519 certificate
1541 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
1542 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
1543 CN="carol@strongswan.org"
1545 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
1546 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1547 pki --gen --type ed25519 --outform pem > ${TEST_KEY}
1548 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1549 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1550 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1551 --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
1552 --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
1553 cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
# dave: road warrior, policy .1.1.2 (differs from moon), EKU clientAuth.
1555 # Generate a dave Ed25519 certificate
1556 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
1557 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1558 CN="dave@strongswan.org"
1560 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
1561 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1562 pki --gen --type ed25519 --outform pem > ${TEST_KEY}
1563 pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
1564 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1565 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
1566 --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
1567 --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
1568 cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
1570 ################################################################################
1571 # strongSwan Monster Root CA #
1572 ################################################################################
# RSA CA with fixed, far-future validity for the ikev2/after-2038-certs
# scenario: the root runs 2009-05-01 .. 2059-05-01 and the end-entity certs
# 2009-05-01 .. 2039-05-01, i.e. both notAfter values lie past the 32-bit
# time_t rollover on 2038-01-19.  Dates use pki's "dd.mm.yy HH:MM:SS" form,
# so the two-digit years rely on the usual %y pivot (00-68 -> 20xx) to come
# out as 2039 / 2059.  Key sizes come from MONSTER_CA_RSA_SIZE and
# MONSTER_EE_RSA_SIZE (set earlier; presumably large, given the name).  No
# --digest is given, so pki's default signature digest applies.
#
# NOTE(review): as elsewhere, ${SERIAL} must be bumped between the two
# --issue calls or certs/${SERIAL}.pem on the CA is overwritten.
1574 # Generate strongSwan Monster Root CA
1575 pki --gen --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
1576 pki --self --type rsa --in ${MONSTER_KEY} \
1577 --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
1578 --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
1579 --outform pem > ${MONSTER_CERT}
1581 # Put a copy in the ikev2/after-2038-certs scenario
1582 TEST="${TEST_DIR}/ikev2/after-2038-certs"
1583 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1584 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
1585 cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
1586 cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
1588 # Generate a moon Monster certificate
1589 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
1590 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
1591 CN="moon.strongswan.org"
1593 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1594 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1595 pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
# NOTE(review): the bare "-" after --not-after on this command line (and on
# carol's below) is an unexpected positional argument; "-" conventionally
# means stdin.  It looks like a leftover -- confirm that pki simply ignores
# it (the key is already supplied via --in) or drop it.
1596 pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
1597 --in ${TEST_KEY} --san ${CN} \
1598 --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
1599 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
1600 --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
1601 cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
1603 # Generate a carol Monster certificate
1604 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
1605 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
1606 CN="carol@strongswan.org"
1608 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1609 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1610 pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
1611 pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
1612 --in ${TEST_KEY} --san ${CN} \
1613 --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
1614 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
1615 --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
1616 cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
1618 ################################################################################
1620 ################################################################################
1622 # Generate BLISS Root CA with 192 bit security strength
# BLISS is an experimental lattice-based (post-quantum) signature scheme.  The
# credentials in this section exist only to exercise the bliss plugin in the
# rw-newhope-bliss / rw-ntru-bliss scenarios and are not a deployment
# recommendation.  --size selects the parameter set (1 = BLISS-I, 3 = BLISS-III,
# 4 = BLISS-IV, matching the OU labels below) and every signature uses a
# sha3_512 digest.  No --outform is given anywhere here, so keys and
# certificates come out in pki's default DER encoding -- hence the .der names.
#
# NOTE(review): as in the other sections ${SERIAL} must be bumped between the
# three --issue calls or certs/${SERIAL}.der on the CA is overwritten.
# Private keys are written with the caller's default umask.
1623 pki --gen --type bliss --size 4 > ${BLISS_KEY}
1624 pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
1625 --not-before "${START}" --not-after "${CA_END}" --ca \
1626 --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
1628 # Put a copy in the following scenarios
# Both scenarios exist in an ikev2 (ipsec.d-style cacerts/) and a swanctl
# (x509ca/) flavour; every host in all four trees trusts the BLISS root.
1629 for t in rw-newhope-bliss rw-ntru-bliss
1631 TEST="${TEST_DIR}/ikev2/${t}"
1632 for h in moon carol dave
1634 mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
1635 cp ${BLISS_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts
1638 TEST="${TEST_DIR}/swanctl/${t}"
1639 for h in moon carol dave
1641 mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1642 cp ${BLISS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
1646 # Generate a carol BLISS certificate with 128 bit security strength
# Each end entity is generated once into the ikev2/rw-newhope-bliss tree and
# then copied into rw-ntru-bliss and the two swanctl scenarios, so all four
# scenarios share one key pair per host.  swanctl keeps BLISS private keys in
# a bliss/ credential directory.
1647 TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1648 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
1649 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
1650 CN="carol@strongswan.org"
1652 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1653 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1654 pki --gen --type bliss --size 1 > ${TEST_KEY}
1655 pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1656 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1657 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
1658 --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1659 cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1661 # Put a copy in the ikev2/rw-ntru-bliss scenario
1662 TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1663 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
1664 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1665 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
1666 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
1668 # Put a copy in the swanctl scenarios
1669 for t in rw-newhope-bliss rw-ntru-bliss
1671 TEST="${TEST_DIR}/swanctl/${t}"
1672 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
1673 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1674 cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss
1675 cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
1678 # Generate a dave BLISS certificate with 160 bit security strength
1679 TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1680 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
1681 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
1682 CN="dave@strongswan.org"
1684 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1685 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1686 pki --gen --type bliss --size 3 > ${TEST_KEY}
1687 pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1688 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1689 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
1690 --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1691 cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1693 # Put a copy in the ikev2/rw-ntru-bliss scenario
1694 TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1695 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
1696 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
1697 cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
1698 cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
1700 # Put a copy in the swanctl scenarios
1701 for t in rw-newhope-bliss rw-ntru-bliss
1703 TEST="${TEST_DIR}/swanctl/${t}"
1704 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss
1705 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1706 cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
1707 cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
1710 # Generate a moon BLISS certificate with 192 bit security strength
# The gateway uses the same BLISS-IV parameter set as the root.
1711 TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
1712 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
1713 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
1714 CN="moon.strongswan.org"
1716 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1717 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1718 pki --gen --type bliss --size 4 > ${TEST_KEY}
1719 pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
1720 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1721 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
1722 --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
1723 cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
1725 # Put a copy in the ikev2/rw-ntru-bliss scenario
1726 TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
1727 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
1728 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
1729 cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
1730 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
1732 # Put a copy in the swanctl scenarios
1733 for t in rw-newhope-bliss rw-ntru-bliss
1735 TEST="${TEST_DIR}/swanctl/${t}"
1736 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss
1737 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
1738 cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
1739 cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
1742 ################################################################################
1744 ################################################################################
# --- Hex encodings of the RSA test credentials --------------------------------
# The SQL scenarios further down splice keys, certificates and key identifiers
# into data.sql templates.  Every value computed here is therefore either a raw
# hex dump of a file (key / certificate BLOB) or a pki key identifier printed
# in hex, i.e. a plain [0-9a-f] string.
#
# NOTE(review): ${CA_DIR}/keys/*.der are the end entities' *private* keys kept
# on the CA host (pki --pub --type rsa derives the public key from a private
# one).  That is a test-bed convenience -- a production CA never holds
# subscriber keys -- and it means private-key hex ends up inside data.sql.

# hex_of: stdin as one lowercase hex string, no separators, no newline.
hex_of() {
	hexdump -v -e '/1 "%02x"'
}

# der_hex: a PEM certificate re-encoded as DER, then hex-dumped.
der_hex() {
	openssl x509 -in "$1" -outform der | hex_of
}

# spk_id / spki_id: pki key identifiers of an RSA private key, in hex.
spk_id() {
	pki --keyid --type rsa --format hex --id spk --in "$1"
}
spki_id() {
	pki --keyid --type rsa --format hex --id spki --in "$1"
}

# Root CA (CA_KEY / CA_CERT / CA_CERT_DER are defined at the top of the script).
CA_SPK_HEX="$(spk_id "${CA_KEY}")"
CA_SPKI_HEX="$(spki_id "${CA_KEY}")"
CA_CERT_HEX="$(hex_of < "${CA_CERT_DER}")"
CA_CERT_PEM_HEX="$(hex_of < "${CA_CERT}")"

# moon -- MOON_KEY / MOON_CERT are re-pointed at the main RSA credentials here
# and stay that way for the sections that follow.
MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_KEY="${CA_DIR}/keys/moonKey.der"
MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_KEY_PEM_HEX="$(hex_of < "${MOON_KEY_PEM}")"
MOON_KEY_HEX="$(hex_of < "${MOON_KEY}")"
MOON_SPK_HEX="$(spk_id "${MOON_KEY}")"
MOON_PUB_HEX="$(pki --pub --type rsa --in "${MOON_KEY}" | hex_of)"
MOON_CERT_HEX="$(der_hex "${MOON_CERT}")"
MOON_CERT_PEM_HEX="$(hex_of < "${MOON_CERT}")"

# sun -- likewise re-pointed.
SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_KEY="${CA_DIR}/keys/sunKey.der"
SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_KEY_PEM_HEX="$(hex_of < "${SUN_KEY_PEM}")"
SUN_KEY_HEX="$(hex_of < "${SUN_KEY}")"
SUN_SPK_HEX="$(spk_id "${SUN_KEY}")"
SUN_CERT_HEX="$(der_hex "${SUN_CERT}")"
SUN_CERT_PEM_HEX="$(hex_of < "${SUN_CERT}")"

# carol
CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CAROL_KEY="${CA_DIR}/keys/carolKey.der"
CAROL_KEY_HEX="$(hex_of < "${CAROL_KEY}")"
CAROL_SPK_HEX="$(spk_id "${CAROL_KEY}")"
CAROL_PUB_HEX="$(pki --pub --type rsa --in "${CAROL_KEY}" | hex_of)"
CAROL_CERT_HEX="$(der_hex "${CAROL_CERT}")"

# dave
DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
DAVE_KEY="${CA_DIR}/keys/daveKey.der"
DAVE_KEY_HEX="$(hex_of < "${DAVE_KEY}")"
DAVE_SPK_HEX="$(spk_id "${DAVE_KEY}")"
DAVE_PUB_HEX="$(pki --pub --type rsa --in "${DAVE_KEY}" | hex_of)"
DAVE_CERT_HEX="$(der_hex "${DAVE_CERT}")"

# alice
ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
ALICE_KEY_HEX="$(hex_of < "${ALICE_KEY}")"
ALICE_SPK_HEX="$(spk_id "${ALICE_KEY}")"
ALICE_CERT_HEX="$(der_hex "${ALICE_CERT}")"

# venus
VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
VENUS_KEY="${CA_DIR}/keys/venusKey.der"
VENUS_KEY_HEX="$(hex_of < "${VENUS_KEY}")"
VENUS_SPK_HEX="$(spk_id "${VENUS_KEY}")"
VENUS_CERT_HEX="$(der_hex "${VENUS_CERT}")"

# Research CA and carol's certificate issued by it (certs/01).
RESEARCH_SPK_HEX="$(spk_id "${RESEARCH_KEY}")"
RESEARCH_SPKI_HEX="$(spki_id "${RESEARCH_KEY}")"
RESEARCH_CERT_HEX="$(hex_of < "${RESEARCH_CERT_DER}")"

CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
CAROL_R_KEY_HEX="$(hex_of < "${CAROL_R_KEY}")"
CAROL_R_SPK_HEX="$(spk_id "${CAROL_R_KEY}")"
CAROL_R_CERT_HEX="$(der_hex "${CAROL_R_CERT}")"

# Sales CA and dave's certificate issued by it (certs/01).
SALES_SPK_HEX="$(spk_id "${SALES_KEY}")"
SALES_SPKI_HEX="$(spki_id "${SALES_KEY}")"
SALES_CERT_HEX="$(hex_of < "${SALES_CERT_DER}")"

DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
DAVE_S_KEY="${SALES_DIR}/keys/01.der"
DAVE_S_KEY_HEX="$(hex_of < "${DAVE_S_KEY}")"
DAVE_S_SPK_HEX="$(spk_id "${DAVE_S_KEY}")"
DAVE_S_CERT_HEX="$(der_hex "${DAVE_S_CERT}")"
# --- SQL scenarios: fill in the data.sql templates ----------------------------
# Each scenario ships a data.sql.in containing upper-case placeholders
# (FOO_HEX); sed replaces them with the hex strings computed above and writes
# the real data.sql next to it.
#
# Why a bare "/"-delimited s///g with shell interpolation is safe here: every
# substituted value is a pure [0-9a-f] string (hexdump output or a pki hex key
# id), so it can contain neither the "/" delimiter nor the "&" / "\"
# replacement metacharacters, and being lower-case hex it can never re-match a
# later upper-case placeholder within the same sed run.  This reasoning breaks
# the moment a non-hex value is added to one of these lists.
#
# NOTE(review): the full substitution set is applied to every host's file,
# including other hosts' *private* key hex (MOON_KEY_HEX etc.).  Only tokens
# present in a template are expanded, so double-check that each data.sql.in
# references its own host's key only.
# NOTE(review): nothing checks that the pki / hexdump calls above succeeded.
# An empty variable silently turns its placeholder into an empty string and
# yields a syntactically plausible data.sql with empty blobs.
1816 for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
1817 ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
1818 rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid
1820 for h in carol dave moon
1822 TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1823 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1824 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1825 -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1826 -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1827 -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1828 -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
1829 -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1830 -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
1831 -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
1832 -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
1833 -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
1834 -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
1835 -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
1836 -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
1837 -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
1838 -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
1839 -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
1840 -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
1841 -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
1842 -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
1843 -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
1844 -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
1845 -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
1846 -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
1847 -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
1848 -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
1849 -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g" \
1850 ${TEST_DATA}.in > ${TEST_DATA}
# rw-eap-aka-rsa: only CA and moon material is substituted -- presumably only
# the gateway authenticates with a certificate in this scenario.
1854 for t in rw-eap-aka-rsa
1858 TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1859 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1860 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1861 -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1862 -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1863 -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1864 -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1865 ${TEST_DATA}.in > ${TEST_DATA}
# net2net variants: both the DER and the PEM hex of keys / certificates are
# offered, presumably because some templates store the PEM text as a BLOB.
1869 for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem
1873 TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1874 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1875 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1876 -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1877 -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
1878 -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
1879 -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
1880 -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
1881 -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
1882 -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
1883 -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
1884 -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
1885 -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
1886 -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
1887 -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g" \
1888 ${TEST_DATA}.in > ${TEST_DATA}
# shunt-policies-nat-rw: alice and venus (behind NAT) plus the sun gateway.
1892 for t in shunt-policies-nat-rw
1894 for h in alice venus sun
1896 TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
1897 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1898 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1899 -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
1900 -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
1901 -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
1902 -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
1903 -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
1904 -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
1905 -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
1906 -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
1907 -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
1908 -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
1909 ${TEST_DATA}.in > ${TEST_DATA}
1913 ################################################################################
1915 ################################################################################
# --- ikev2/net2net-rsa: raw RSA public keys for ipsec.conf -------------------
# pki --pub --outform dnskey prints the RSA public key in DNSKEY presentation
# form, i.e. base64.  Base64 contains "/", which is why the sed below uses "|"
# as its s|||g delimiter rather than "/".  The base64 alphabet (A-Z a-z 0-9 +
# / =) contains neither "&" nor "\", so the replacement side needs no further
# escaping -- but that property must be re-checked if another output format is
# ever substituted here.  MOON_KEY / SUN_KEY are the DER private keys from the
# SQL section above.
1917 MOON_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${MOON_KEY}`
1919 SUN_PUB_DNS=`pki --pub --type rsa --outform dnskey --in ${SUN_KEY}`
1923 TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
1924 sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
1925 -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
1926 ${TEST_DATA}.in > ${TEST_DATA}
1929 ################################################################################
1930 # TKM CA ID mapping #
1931 ################################################################################
# The TKM scenarios' strongswan.conf templates need the root CA's key
# identifiers -- CA_SPK_HEX and CA_SPKI_HEX, produced above with
# `pki --keyid --id spk` / `--id spki` -- to map the CA to a TKM CA id.  Both
# values are lower-case hex only, so the "/"-delimited sed is injection-safe.
# NOTE(review): as with the SQL templates, an empty variable (pki failed
# earlier) would be substituted silently; nothing checks for that here.
1933 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
1934 net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
1938 TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
1939 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1940 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1941 ${TEST_DATA}.in > ${TEST_DATA}
# multiple-clients: the same mapping is written for each participating host.
1945 for t in multiple-clients
1949 TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf"
1950 sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
1951 -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
1952 ${TEST_DATA}.in > ${TEST_DATA}