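#!/bin/bash
#
# build-certs-chroot: generate the CA hierarchy, host keys and certificates
# used by the strongSwan test scenarios. Runs inside the build chroot and
# expects the pki and openssl tools on PATH; all output goes below
# ${DIR}/hosts and ${DIR}/tests.

# Abort as soon as any command fails. pipefail additionally propagates the
# exit status of a failing command inside a pipeline, which errexit alone
# would miss when the last stage of the pipeline succeeds.
set -o errexit
set -o pipefail

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory (parent of the directory holding this script).
# Every expansion below is quoted so a path containing whitespace or glob
# characters cannot be split or expanded.
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity boundaries relative to the build time. START lies two days in the
# past so that everything dated from it is valid immediately and so that the
# stale CRL generated below (--this-update START --lifetime 1) is already out
# of date when the tests run.
START=$(date  -d "-2 day"    "+%d.%m.%y %T")
SH_END=$(date -d "-1 day"    "+%d.%m.%y %T")    #  1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")    # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")    #  9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")    #  8 years
SH_EXP=$(date -d "-1 day"    "+%y%m%d%H%M%SZ")  #  1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ")  #  9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ")  #  8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated list; it is expanded unquoted on purpose wherever it is
# iterated so that word splitting yields one host per loop iteration.
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"

# Create directories
for d in "${CA_DIR}" "${RESEARCH_DIR}" "${SALES_DIR}"
do
  mkdir -p "${d}/certs" "${d}/keys"
done
for d in "${DUCK_DIR}" "${ECDSA_DIR}" "${RFC3779_DIR}" "${SHA3_RSA_DIR}" \
         "${ED25519_DIR}" "${MONSTER_DIR}" "${BLISS_DIR}"
do
  mkdir -p "${d}/certs"
done

################################################################################
# strongSwan Root CA                                                           #
################################################################################

# Generate strongSwan Root CA
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"

# Distribute strongSwan Root CA certificate
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/cacerts" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
  cp "${CA_CERT}" "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  cp "${CA_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
done

# Put a copy onto the alice FreeRADIUS server
mkdir -p "${DIR}/hosts/alice/etc/raddb/certs"
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"

# Convert strongSwan Root CA certificate into DER format
openssl x509 -in "${CA_CERT}" -outform der -out "${CA_CERT_DER}"

# Generate a stale CRL (issued at START, i.e. two days ago, with a lifetime
# of 1 so that it is already expired by the time the scenarios use it)
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/crls" "${TEST}/hosts/moon/${IPSEC_DIR}/crls"
cp "${CA_LAST_CRL}" "${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl"
cp "${CA_LAST_CRL}" "${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl"

# Generate host keys
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/private"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

  # Put a copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/rsa"
  cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"

  # Convert host key into DER format. Only openssl's informational stderr
  # output is discarded; a non-zero exit status still aborts the script.
  openssl rsa -in "${HOST_KEY}" -outform der -out "${CA_DIR}/keys/${h}Key.der" \
          2> /dev/null
done

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  cp "${CA_DIR}/keys/moonKey.der" "${CA_CERT_DER}" "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
TEST="${TEST_DIR}/tkm/multiple-clients"
mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
cp "${CA_DIR}/keys/sunKey.der" "${CA_CERT_DER}" "${TEST}/hosts/sun/${TKM_DIR}"

# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format
# (fixed test-fixture passphrase; the scenario configuration must match it)
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${IPSEC_DIR}/private"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8  -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"

################################################################################
# Public Key Extraction                                                        #
################################################################################

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into the following ikev2 scenarios
for t in net2net-dnssec net2net-pubkey rw-dnssec
do
  TEST="${TEST_DIR}/ikev2/${t}"
  mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
  cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
done

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the following swanctl scenarios
for t in rw-pubkey-anon rw-pubkey-keyid
do
  TEST="${TEST_DIR}/swanctl/${t}"
  for h in moon carol dave
  do
    mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
    cp "${TEST_PUB}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey"
  done
done

# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

################################################################################
# Host Certificate Generation                                                  #
################################################################################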
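# function issue_cert: serial host cn [ou]
#
# Issue an end-entity certificate for a host from the strongSwan Root CA and
# store it in the host's ipsec.d and swanctl trees as well as under
# ${CA_DIR}/certs/<serial>.pem.
# Globals:   DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT, CA_CDP,
#            PROJECT, START, EE_END (read);
#            OU, HOST_DIR, HOST_KEY, HOST_CERT (written; not made local so
#            that callers relying on them afterwards keep working)
# Arguments: $1 - certificate serial number (also the file name in CA_DIR/certs)
#            $2 - host name; selects ${DIR}/hosts/$2 and its existing RSA key
#            $3 - subject CN, also used as the subjectAltName
#            $4 - optional OU inserted into the subject DN
# Returns:   1 when fewer than three arguments are given; otherwise any
#            failing pki/cp aborts the script through errexit
issue_cert()
{
  if [ $# -lt 3 ]
  then
    echo "issue_cert: expected 'serial host cn [ou]', got $# argument(s)" >&2
    return 1
  fi

  # does optional OU argument exist?
  if [ -z "${4}" ]
  then
    OU=""
  else
    OU=" OU=${4},"
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  mkdir -p "${HOST_DIR}/${IPSEC_DIR}/certs"
  # All expansions are quoted so a CN or path with spaces stays one argument
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  mkdir -p "${HOST_DIR}/${SWANCTL_DIR}/x509"
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}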
321
322 # Generate host certificates
323 issue_cert 01 carol carol@strongswan.org Research
324 issue_cert 02 dave dave@strongswan.org Accounting
325 issue_cert 03 moon moon.strongswan.org
326 issue_cert 04 sun sun.strongswan.org
327 issue_cert 05 alice alice@strongswan.org Sales
328 issue_cert 06 venus venus.strongswan.org
329 issue_cert 07 bob bob@strongswan.org Research
330
331 # Create PKCS#12 file for moon
332 TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
333 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
334 HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
335 MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
336 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
337 openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
338         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
339         -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
340
341 # Create PKCS#12 file for sun
342 HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
343 HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
344 SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
345 mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
346 openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
347         -certfile ${CA_CERT} -caname "strongSwan Root CA" \
348         -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
349
350 # Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
351 for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
352 do
353   TEST="${TEST_DIR}/${t}"
354   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
355   mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
356   cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
357   cp ${SUN_PKCS12}  ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
358 done
359
360 ################################################################################
361 # DNSSEC Zone Files                                                            #
362 ################################################################################
363
364 # Store moon and sun certificates in strongswan.org zone
365 ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
366 echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
367 for h in moon sun
368 do
369   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
370   cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
371   echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
372 done
373
374 # Store public keys in strongswan.org zone
375 echo ";" >> ${ZONE_FILE}
376 for h in moon sun carol dave
377 do
378   HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
379   pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
380   echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
381 done
382
383 # Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
384 TEST="${TEST_DIR}/swanctl/crl-to-cache"
385 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
386 HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
387 CN="carol@strongswan.org"
388 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
389 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
390     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
391     --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
392     --outform pem > ${TEST_CERT}
393
394 # Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
395 TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
396 HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
397 CN="moon.strongswan.org"
398 mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
399 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
400     --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
401     --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
402     --outform pem > ${TEST_CERT}
403
404 # Encrypt carolKey.pem
405 HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
406 KEY_PWD="nH5ZQEWtku0RJEZ6"
407 openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
408         2> /dev/null
409
410 # Put a copy into the ikev2/dynamic-initiator scenario
411 for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
412 do
413   TEST="${TEST_DIR}/${t}"
414   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
415   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
416   cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
417   cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
418 done
419
420 # Put a copy into the swanctl/rw-cert scenario
421 TEST="${TEST_DIR}/swanctl/rw-cert"
422 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
423 cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
424
425 # Generate another carol certificate and revoke it
426 TEST="${TEST_DIR}/ikev2/crl-revoked"
427 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
428 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
429 CN="carol@strongswan.org"
430 SERIAL="08"
431 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
432 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
433 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
434 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
435     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
436     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
437     --outform pem > ${TEST_CERT}
438 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
439 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
440     --serial ${SERIAL} > ${CA_CRL}
441 cp ${CA_CRL} ${CA_LAST_CRL}
442
443 # Put a copy into the ikev2/ocsp-revoked scenario
444 TEST="${TEST_DIR}/ikev2/ocsp-revoked"
445 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
446 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
447 cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
448 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
449
450 # Generate another carol certificate with SN=002
451 TEST="${TEST_DIR}/ikev2/two-certs"
452 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
453 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
454 SERIAL="09"
455 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
456 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
457 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
458 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
459     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
460     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
461     --outform pem > ${TEST_CERT}
462 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
463
464 ################################################################################
465 # Research CA Certificate Generation                                           #
466 ################################################################################
467
468 # Generate a Research CA certificate signed by the Root CA and revoke it
469 TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
470 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
471 SERIAL="0A"
472 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
473 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
474 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
475     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
476     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
477     --outform pem > ${TEST_CERT}
478 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
479 pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
480     --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
481 rm ${CA_LAST_CRL}
482
483 # Generate Research CA with the same private key as above signed by Root CA
484 SERIAL="0B"
485 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
486     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
487     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
488     --outform pem > ${RESEARCH_CERT}
489 cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
490
491 # Put a certificate copy into the following scenarios
492 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
493          ikev2/multi-level-ca-pathlen ikev2/multi-level-ca-strict \
494          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
495 do
496   TEST="${TEST_DIR}/${t}"
497   mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
498   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
499 done
500
501 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
502          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
503 do
504   TEST="${TEST_DIR}/${t}"
505   mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
506   cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
507 done
508
509 for t in multi-level-ca ocsp-multi-level
510 do
511   TEST="${TEST_DIR}/swanctl/${t}"
512   mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
513   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
514 done
515
516 # Convert Research CA certificate into DER format
517 openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
518
519 # Generate Research CA with the same private key as above but invalid CDP
520 TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
521 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
522 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
523 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
524     --crl "http://crl.strongswan.org/not-available.crl" \
525     --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
526     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
527     --outform pem > ${TEST_CERT}
528
529 ################################################################################
530 # Sales CA Certificate Generation                                              #
531 ################################################################################
532
533 # Generate Sales CA signed by Root CA
534 SERIAL="0C"
535 pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
536 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
537     --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
538     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
539     --outform pem > ${SALES_CERT}
540 cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
541
542 # Put a certificate copy into the following scenarios
543 for t in ikev1/multi-level-ca ikev2/multi-level-ca ikev2/multi-level-ca-ldap \
544          ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
545          ikev2/ocsp-multi-level ikev2/ocsp-strict-ifuri
546 do
547   TEST="${TEST_DIR}/${t}"
548   cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
549 done
550
551 for t in ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp \
552          ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp
553 do
554   TEST="${TEST_DIR}/${t}"
555   mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
556   cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
557 done
558
559 for t in multi-level-ca ocsp-multi-level
560 do
561   TEST="${TEST_DIR}/swanctl/${t}"
562   cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
563 done
564
565 # Convert Sales CA certificate into DER format
566 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
567
568 # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
569 TEST="${TEST_DIR}/ikev2/strong-keys-certs"
570 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
571 TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
572 KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
573 CN="moon.strongswan.org"
574 SERIAL="0D"
575 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
576 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
577 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
578 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
579     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
580     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
581     --digest sha224 --outform pem > ${TEST_CERT}
582 openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
583         2> /dev/null
584 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
585
586 # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
587 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
588 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
589 KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
590 CN="carol@strongswan.org"
591 SERIAL="0E"
592 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
593 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
594 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
595 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
596     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
597     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
598     --digest sha384 --outform pem > ${TEST_CERT}
599 openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
600         2> /dev/null
601 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
602
603 # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
604 TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
605 TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
606 KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
607 CN="dave@strongswan.org"
608 SERIAL="0F"
609 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/private
610 mkdir -p ${TEST}/hosts/dave/${IPSEC_DIR}/certs
611 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
612 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
613     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
614     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
615     --digest sha512 --outform pem > ${TEST_CERT}
616 openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
617         2> /dev/null
618 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
619
620 # Generate another carol certificate with an OCSP URI
621 TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
622 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
623 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
624 CN="carol@strongswan.org"
625 SERIAL="10"
626 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
627 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
628 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
629 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
630     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
631     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
632     --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
633 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
634
635 # Put a copy into the ikev2/ocsp-timeouts-good scenario
636 TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
637 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/private
638 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
639 cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
640 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
641
642 # Put a copy into the swanctl/ocsp-signer-cert scenario
643 for t in ocsp-signer-cert ocsp-disabled
644 do
645   cd "${TEST_DIR}/swanctl/${t}/hosts/carol/${SWANCTL_DIR}"
646   mkdir -p rsa x509
647   cp ${TEST_KEY} rsa
648   cp ${TEST_CERT} x509
649 done
650
651 # Generate an OCSP Signing certificate for the strongSwan Root CA
652 TEST_KEY="${CA_DIR}/ocspKey.pem"
653 TEST_CERT="${CA_DIR}/ocspCert.pem"
654 CN="ocsp.strongswan.org"
655 OU="OCSP Signing Authority"
656 SERIAL="11"
657 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
658 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
659     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
660     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
661     --flag ocspSigning --outform pem > ${TEST_CERT}
662 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
663
664 # Generate a self-signed OCSP Signing certificate
665 TEST_KEY="${CA_DIR}/ocspKey-self.pem"
666 TEST_CERT="${CA_DIR}/ocspCert-self.pem"
667 OU="OCSP Self-Signed Authority"
668 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
669 pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
670     --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
671     --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
672     --outform pem > ${TEST_CERT}
673
674 # Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
675 TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
676 mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
677 mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
678 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
679 cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
680
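# Generate the mars virtual server certificate for the ha/both-active scenario.
# The same private key and certificate are copied to every HA node below,
# presumably so a failover peer can present the identical gateway identity.
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the mirrored gateway (alice) of the same scenario.
mkdir -p -- "${TEST}/hosts/alice/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/alice/${IPSEC_DIR}/certs"
cp -- "${TEST_KEY}"  "${TEST}/hosts/alice/${IPSEC_DIR}/private"
cp -- "${TEST_CERT}" "${TEST}/hosts/alice/${IPSEC_DIR}/certs"

# Put a copy into the ha/active-passive and ikev2/redirect-active scenarios,
# again for both gateway nodes.
for t in "ha/active-passive" "ikev2/redirect-active"; do
  TEST="${TEST_DIR}/${t}"
  for h in alice moon; do
    mkdir -p -- "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    mkdir -p -- "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
    cp -- "${TEST_KEY}"  "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    cp -- "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
  done
done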
715
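# Generate a moon certificate carrying an unsupported critical X.509 extension.
# The OID is a private (enterprise-arc) extension no peer understands; a
# conforming relying party must reject a certificate whose critical extension
# it cannot process, which is presumably what the scenario exercises.
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="13"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy in the openssl-ikev2/critical-extension scenario (swanctl layout).
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p -- "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
mkdir -p -- "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${TEST_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"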
738
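# Generate a sun certificate carrying the same unsupported critical X.509
# extension as moon's, so both ends of the critical-extension scenarios
# present a certificate that must be rejected by a conforming validator.
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="14"
mkdir -p -- "${TEST}/hosts/sun/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy in the openssl-ikev2/critical-extension scenario (swanctl layout).
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p -- "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa"
mkdir -p -- "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"
cp -- "${TEST_KEY}"  "${TEST}/hosts/sun/${SWANCTL_DIR}/rsa"
cp -- "${TEST_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509"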
761
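# Generate the winnetou server certificate (the host that serves the CRL and
# OCSP endpoints). It is kept in the CA directory itself rather than in a
# scenario tree, and its DN has no OU component.
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
SERIAL="15"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${HOST_CERT}"
cp -- "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"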
773
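# Generate the AAA server certificate used by the RADIUS/EAP scenarios.
# The output paths are absolute, so the cd below only serves the relative
# mkdir; it is left in place because it also aborts early (errexit) when the
# scenario tree is missing.
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
SERIAL="16"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
mkdir -p rsa x509
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the other tnc scenarios that run the same AAA server.
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap; do
  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
  mkdir -p rsa x509
  cp -- "${TEST_KEY}"  rsa
  cp -- "${TEST_CERT}" x509
done

# Put a copy into the alice FreeRADIUS server's certificate directory
# (assumed to exist already: no mkdir is done for it).
cp -- "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"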
800
801 ################################################################################
802 # strongSwan Attribute Authority                                               #
803 ################################################################################
804
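# Generate the Attribute Authority certificate for the ikev2/acert-cached
# scenario. It is issued by the Root CA with the intermediate-CA lifetime and
# is the issuer of the attribute certificates (acerts) generated below.
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
CN="strongSwan Attribute Authority"
SERIAL="17"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/acerts"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${IM_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate carol's attribute certificate for the sales and finance groups.
# The holder is the Root CA certificate with serial 01 (carol's end-entity
# certificate, per the surrounding comments).
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales --group finance \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"

# Generate dave's expired attribute certificate for sales: SH_END lies in the
# past, so the gateway must treat this group membership as no longer valid.
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# Generate dave's attribute certificate for marketing (valid from SH_END on).
# Kept in its own variable because it is copied to another scenario later.
ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group marketing \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_DM}"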
838
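# Put a copy of the Attribute Authority key and certificate into the
# ikev2/acert-fallback scenario.
TEST="${TEST_DIR}/ikev2/acert-fallback"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/acerts"
cp -- "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# Generate carol's expired attribute certificate for finance (ends at SH_END,
# one day in the past). Carol will present it herself, so it goes to her host.
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# Generate carol's valid attribute certificate for sales; the gateway is
# expected to fall back to this one when the finance acert above is expired.
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"

# Put a copy into the ikev2/acert-inline scenario: the AA material goes to the
# gateway, the valid client acerts go to the clients that send them inline.
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
cp -- "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp -- "${ACERT_CS}"  "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp -- "${ACERT_DM}"  "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"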
870
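# Generate a short-lived (already expired) Attribute Authority certificate.
# TEST still points at ikev2/acert-inline from the previous step; the AA
# expired at SH_END, one day in the past.
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
SERIAL="18"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate dave's attribute certificate for sales from the expired AA.
# The acert itself is still within its validity period; only its issuer has
# expired, so the gateway must reject it on the issuer's validity alone.
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"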
889
890 ################################################################################
891 # strongSwan Root CA index for OCSP server                                     #
892 ################################################################################
893
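# Generate the index.txt file for the Root OCSP server from its template by
# substituting the placeholder timestamps.  The replacement values come from
# the date formats at the top of the script (digits plus a trailing Z), so
# they contain no sed metacharacters and can be interpolated safely.
INDEX="${CA_DIR}/index.txt"
cp -- "${CA_DIR}/index.txt.template" "${INDEX}"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" \
       -e "s/IM_EXPIRATION/${IM_EXP}/g" \
       -e "s/SH_EXPIRATION/${SH_EXP}/g" \
       -e "s/REVOCATION/${NOW}/g" -- "${INDEX}"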
900
901 ################################################################################
902 # Research CA                                                                  #
903 ################################################################################
904
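# Generate a carol certificate issued by the Research CA (intermediate CA
# under the strongSwan Root CA) for the multi-level-ca scenarios.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Save a copy of the private key in DER format under the CA's keys directory.
# stderr is silenced only to drop openssl's informational notice; a failing
# conversion still exits non-zero and aborts the script via errexit.
openssl rsa -in "${TEST_KEY}" -outform der \
            -out "${RESEARCH_DIR}/keys/${SERIAL}.der" 2> /dev/null

# Put a copy in the ipsec.conf based multi-level scenarios.
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
         ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
         ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
         ikev1/multi-level-ca-cr-resp; do
  TEST="${TEST_DIR}/${t}"
  mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/private"
  mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
  cp -- "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
  cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
done

# Put a copy in the swanctl based multi-level scenarios.
for t in multi-level-ca ocsp-multi-level; do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
  cp -- "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done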
947
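# Generate a carol research certificate without a CDP for the
# ikev2/ocsp-strict-ifuri scenario, reusing the key generated above.
# NOTE(review): this certificate reuses SERIAL "01" of the carol certificate
# issued just before, i.e. the Research CA issues two distinct certificates
# with the same serial number.  It is not registered in the CA's certs
# directory, so the OCSP index is unaffected, but a CA must never do this in
# production (serial numbers identify certificates for revocation).
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/private"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp -- "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"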
958
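# Generate an OCSP Signing certificate for the Research CA.
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Generate a Sales CA certificate signed by the Research CA (cross
# certification of the existing Sales CA key, with the --ca flag).  Together
# with the mirrored research_by_sales certificate this builds a loop in the
# CA graph for the multi-level-ca-loop scenario.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
SERIAL="03"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"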
982
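################################################################################
# Duck Research CA                                                             #
################################################################################

# Generate a Duck Research CA certificate signed by the Research CA
# (a second-level intermediate CA, used to exercise path-length limits).
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${DUCK_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${DUCK_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${DUCK_CERT}"
cp -- "${DUCK_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy in the ikev2/multi-level-ca-pathlen scenario.
# The cacerts directory is created first: every other copy step does so, and
# without it cp would silently produce a *file* named cacerts if the parent
# directory already exists.
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
cp -- "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Generate a carol certificate signed by the Duck Research CA.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${DUCK_KEY}" --cacert "${DUCK_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${DUCK_DIR}/certs/${SERIAL}.pem"

# Generate the index.txt file for the Research OCSP server; only the
# end-entity expiration placeholder is present in this template.
cp -- "${RESEARCH_DIR}/index.txt.template" "${RESEARCH_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" -- "${RESEARCH_DIR}/index.txt"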
1017
1018 ################################################################################
1019 # Sales CA                                                                     #
1020 ################################################################################
1021
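# Generate a dave certificate issued by the Sales CA (intermediate CA under
# the strongSwan Root CA) for the multi-level-ca scenarios.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="01"
mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Save a copy of the private key in DER format under the CA's keys directory.
# stderr is silenced only to drop openssl's informational notice; a failing
# conversion still exits non-zero and aborts the script via errexit.
openssl rsa -in "${TEST_KEY}" -outform der \
            -out "${SALES_DIR}/keys/${SERIAL}.der" 2> /dev/null

# Put a copy in the ipsec.conf based multi-level scenarios.
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
         ikev2/ocsp-multi-level ikev1/multi-level-ca \
         ikev1/multi-level-ca-cr-init ikev1/multi-level-ca-cr-resp; do
  TEST="${TEST_DIR}/${t}"
  mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
  cp -- "${TEST_KEY}"  "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
done

# Put a copy in the swanctl based multi-level scenarios.
for t in multi-level-ca ocsp-multi-level; do
  TEST="${TEST_DIR}/swanctl/${t}"
  mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
  mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
  cp -- "${TEST_KEY}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
  cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
done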
1062
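# Generate a dave sales certificate with an inactive OCSP URI and no CDP for
# the ikev2/ocsp-strict-ifuri scenario, reusing the key generated above.
# NOTE(review): SERIAL is still "01" here, so the Sales CA issues a second,
# distinct certificate under the same serial number as dave's certificate
# above.  It is not registered in the CA's certs directory (so the OCSP index
# is unaffected), but serial reuse is never acceptable for a real CA.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
mkdir -p -- "${TEST}/hosts/dave/${IPSEC_DIR}/private"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > "${TEST_CERT}"
cp -- "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"

# Generate an OCSP Signing certificate for the Sales CA.
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${SALES_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Generate a Research CA certificate signed by the Sales CA: the mirror image
# of sales_by_research above, closing the CA loop for multi-level-ca-loop.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
SERIAL="03"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Generate the index.txt file for the Sales OCSP server; only the end-entity
# expiration placeholder is present in this template.
cp -- "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" -- "${SALES_DIR}/index.txt"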
1101
1102 ################################################################################
1103 # strongSwan EC Root CA                                                        #
1104 ################################################################################
1105
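# Generate the strongSwan EC Root CA (self-signed, ECDSA P-521 key).
pki --gen  --type ecdsa --size 521 --outform pem > "${ECDSA_KEY}"
pki --self --type ecdsa --in "${ECDSA_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
    --outform pem > "${ECDSA_CERT}"

# Put a copy of the EC Root CA certificate into the trust store (x509ca) of
# every host in the openssl-ikev2/ecdsa-certs and ecdsa-pkcs8 scenarios.
for t in ecdsa-certs ecdsa-pkcs8; do
  TEST="${TEST_DIR}/openssl-ikev2/${t}"
  for h in moon carol dave; do
    mkdir -p -- "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
    cp -- "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  done
done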
1123
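# Generate a moon ECDSA 521 bit certificate issued by the EC Root CA.
# MOON_KEY/MOON_CERT (and the carol/dave equivalents below) are kept in
# dedicated variables because later steps convert and copy them again.
# NOTE(review): the OU reads "ECDSA 512 bit" although the key is 521 bit.
# Left as is: the DN is a fixture that scenario expectations may match on.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p -- "${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa"
mkdir -p -- "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${MOON_CERT}"
cp -- "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# Generate a carol ECDSA 256 bit certificate.
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa"
mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${CAROL_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${CAROL_CERT}"
cp -- "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave ECDSA 384 bit certificate.
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="03"
mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa"
mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${DAVE_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${DAVE_CERT}"
cp -- "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"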
1166
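# Put the EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
# (the EC Root CA certificate was already copied to x509ca above).
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
mkdir -p -- "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
cp -- "${MOON_CERT}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp -- "${DAVE_CERT}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"

# Convert moon's private key into unencrypted PKCS#8 format.
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p -- "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${MOON_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol's private key into PKCS#5 v1.5 PBE-MD5-DES encrypted PKCS#8.
# This legacy, weak PBE scheme is used only so the scenario exercises the
# v1.5 decoding path; the fixed passphrases here and below must match the
# secrets configured in the scenario, and passing them via "pass:" exposes
# them in the process list of the build host, which is acceptable only for
# throwaway test material.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${CAROL_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave's private key into PKCS#5 v2.0 AES-128 encrypted PKCS#8.
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8"
openssl pkcs8 -in "${DAVE_KEY}" -nocrypt -topk8  -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"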
1192
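# Put CA and EE key/certificate copies in the openssl-ikev1/ecdsa-certs
# scenario.  The cd targets are quoted like the other cd calls in this
# script; under errexit a missing host directory aborts the build here.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"

cd "${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp -- "${MOON_KEY}"   ecdsa
cp -- "${MOON_CERT}"  x509
cp -- "${ECDSA_CERT}" x509ca

cd "${TEST}/hosts/carol/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp -- "${CAROL_KEY}"  ecdsa
cp -- "${CAROL_CERT}" x509
cp -- "${ECDSA_CERT}" x509ca

cd "${TEST}/hosts/dave/${SWANCTL_DIR}"
mkdir -p ecdsa x509 x509ca
cp -- "${DAVE_KEY}"   ecdsa
cp -- "${DAVE_CERT}"  x509
cp -- "${ECDSA_CERT}" x509ca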
1210
1211 ################################################################################
1212 # strongSwan RFC3779 Root CA                                                   #
1213 ################################################################################
1214
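# Generate the strongSwan RFC3779 Root CA (self-signed).
# The IP address blocks asserted here bound what any subordinate certificate
# may claim: RFC 3779 path validation requires each issued certificate's
# address blocks to lie within its issuer's, so the end-entity ranges below
# are all subsets of these.
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${RFC3779_KEY}"
pki --self --type rsa --in "${RFC3779_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
    --addrblock "10.1.0.0-10.2.255.255" \
    --addrblock "10.3.0.1-10.3.3.232" \
    --addrblock "192.168.0.0/24" \
    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
    --outform pem > "${RFC3779_CERT}"

# Put a copy in the ikev2/net2net-rfc3779 scenario (both gateways).
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for h in moon sun; do
  mkdir -p -- "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp -- "${RFC3779_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario (both roadwarriors).
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for h in carol dave; do
  mkdir -p -- "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp -- "${RFC3779_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done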
1239
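# Generate a moon RFC3779 certificate whose address blocks cover moon's
# subnet and addresses (all within the Root CA's ranges).
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy of moon's material (plus the Root CA) in the ipv6 scenarios.
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2; do
  cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
  mkdir -p rsa x509 x509ca
  cp -- "${TEST_KEY}"     rsa
  cp -- "${TEST_CERT}"    x509
  cp -- "${RFC3779_CERT}" x509ca
done

# Generate a sun RFC3779 certificate covering sun's subnet and addresses.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p -- "${TEST}/hosts/sun/${IPSEC_DIR}/private"
mkdir -p -- "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy of sun's material (plus the Root CA) in the
# ipv6/net2net-rfc3779-ikev2 scenario.
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp -- "${TEST_KEY}"     rsa
cp -- "${TEST_CERT}"    x509
cp -- "${RFC3779_CERT}" x509ca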
1290
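# Generate a carol RFC3779 certificate (roadwarrior: single host addresses
# only, all within the Root CA's ranges).
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
mkdir -p -- "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
    --addrblock "fec0::10/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Generate a dave RFC3779 certificate (second roadwarrior in the same scenario).
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
mkdir -p -- "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
    --addrblock "fec0::20/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"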
1324
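################################################################################
# strongSwan SHA3-RSA Root CA                                                  #
################################################################################

# Use a specific plugin configuration to issue certificates with SHA-3
# signatures, as not all crypto plugins support them.  To avoid entropy issues
# the keys themselves are generated with the default plugins (no PKI_PLUGINS
# override on the --gen calls).
SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"

# issue_sha3_rsa_ee KEY CERT CN SERIAL: generate an RSA key at KEY, issue an
# end-entity certificate at CERT signed by the SHA3-RSA Root CA with a sha3_256
# signature, and archive a copy of the certificate under the CA's certs/
# directory by serial number.
issue_sha3_rsa_ee() {
  local key=$1 cert=$2 cn=$3 serial=$4
  mkdir -p "${key%/*}" "${cert%/*}"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${key}"
  PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
  pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
      --in "${key}" --not-before "${START}" --not-after "${EE_END}" --san "${cn}" \
      --serial "${serial}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${cn}" \
      --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${cert}"
  cp "${cert}" "${SHA3_RSA_DIR}/certs/${serial}.pem"
}

# Generate strongSwan SHA3-RSA Root CA
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --self --type rsa --in "${SHA3_RSA_KEY}" --digest sha3_256 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --outform pem > "${SHA3_RSA_CERT}"

# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
for h in moon sun; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Generate a sun SHA3-RSA certificate
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
issue_sha3_rsa_ee "${SUN_KEY}" "${SUN_CERT}" "${CN}" "${SERIAL}"

# Generate a moon SHA3-RSA certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
issue_sha3_rsa_ee "${MOON_KEY}" "${MOON_CERT}" "${CN}" "${SERIAL}"

# Put a copy in the botan/net2net-sha3-rsa-cert scenario.  The swanctl
# directories are expected to exist; a failing cd aborts under errexit.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp "${MOON_KEY}"      rsa
cp "${MOON_CERT}"     x509
cp "${SHA3_RSA_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp "${SUN_KEY}"       rsa
cp "${SUN_CERT}"      x509
cp "${SHA3_RSA_CERT}" x509ca

# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${MOON_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"

# Generate a carol SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
issue_sha3_rsa_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}"

# Generate a dave SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
issue_sha3_rsa_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}"

# Every host of the scenario gets the CA certificate
for h in moon carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
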
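################################################################################
# strongSwan Ed25519 Root CA                                                   #
################################################################################

# issue_ed25519_ee KEY CERT CN SERIAL POLICY FLAG: generate an Ed25519 key at
# KEY, issue an end-entity certificate at CERT signed by the Ed25519 Root CA
# asserting the certificate policy OID POLICY and the key usage flag FLAG
# (serverAuth or clientAuth below), and archive a copy of the certificate under
# the CA's certs/ directory by serial number.
issue_ed25519_ee() {
  local key=$1 cert=$2 cn=$3 serial=$4 policy=$5 flag=$6
  mkdir -p "${key%/*}" "${cert%/*}"
  pki --gen --type ed25519 --outform pem > "${key}"
  pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
      --in "${key}" --not-before "${START}" --not-after "${EE_END}" --san "${cn}" \
      --serial "${serial}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${cn}" \
      --cert-policy "${policy}" --flag "${flag}" \
      --crl "${ED25519_CDP}" --outform pem > "${cert}"
  cp "${cert}" "${ED25519_DIR}/certs/${serial}.pem"
}

# Generate strongSwan Ed25519 Root CA.  The CA asserts both test policy OIDs;
# each end-entity certificate below asserts only one of them (presumably what
# the swanctl/rw-ed25519-certpol scenario exercises).
pki --gen  --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > "${ED25519_CERT}"

# Put a copy in the swanctl/net2net-ed25519 scenario
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
for h in moon sun; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Generate a sun Ed25519 certificate (policy ...1.1.2, serverAuth)
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
issue_ed25519_ee "${SUN_KEY}" "${SUN_CERT}" "${CN}" "${SERIAL}" \
    "1.3.6.1.4.1.36906.1.1.2" serverAuth

# Generate a moon Ed25519 certificate (policy ...1.1.1, serverAuth)
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
issue_ed25519_ee "${MOON_KEY}" "${MOON_CERT}" "${CN}" "${SERIAL}" \
    "1.3.6.1.4.1.36906.1.1.1" serverAuth

# Put a copy in the botan/net2net-ed25519 scenario.  The swanctl directories
# are expected to exist; a failing cd aborts under errexit.
TEST="${TEST_DIR}/botan/net2net-ed25519"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}"
mkdir -p pkcs8 x509 x509ca
cp "${MOON_KEY}"     pkcs8
cp "${MOON_CERT}"    x509
cp "${ED25519_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}"
mkdir -p pkcs8 x509 x509ca
cp "${SUN_KEY}"      pkcs8
cp "${SUN_CERT}"     x509
cp "${ED25519_CERT}" x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}"
cd "${TEST}/hosts/moon/${IPSEC_DIR}"
mkdir -p cacerts certs private
cp "${MOON_KEY}"     private
cp "${MOON_CERT}"    certs
cp "${ED25519_CERT}" cacerts
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}"
cd "${TEST}/hosts/sun/${IPSEC_DIR}"
mkdir -p cacerts certs private
cp "${SUN_KEY}"      private
cp "${SUN_CERT}"     certs
cp "${ED25519_CERT}" cacerts

# Put a copy in the swanctl/rw-ed25519-certpol scenario
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8" \
         "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${MOON_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"

# Every host of the scenario gets the CA certificate
for h in moon carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${ED25519_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# Generate a carol Ed25519 certificate (policy ...1.1.1, clientAuth)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
issue_ed25519_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}" \
    "1.3.6.1.4.1.36906.1.1.1" clientAuth

# Generate a dave Ed25519 certificate (policy ...1.1.2, clientAuth)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
issue_ed25519_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}" \
    "1.3.6.1.4.1.36906.1.1.2" clientAuth
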
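################################################################################
# strongSwan Monster Root CA                                                   #
################################################################################

# This section uses fixed validity dates (format "%d.%m.%y %T" as elsewhere in
# this script) instead of START/CA_END/EE_END: the CA runs until 2059 and the
# end-entity certificates until 2039, i.e. past the 2038 rollover of a 32-bit
# time_t, which is what the ikev2/after-2038-certs scenario is about.

# issue_monster_ee KEY CERT CN SERIAL: generate an RSA key of the Monster
# end-entity size at KEY, issue a certificate at CERT signed by the Monster CA,
# and archive a copy of the certificate under the CA's certs/ directory by
# serial number.
issue_monster_ee() {
  local key=$1 cert=$2 cn=$3 serial=$4
  mkdir -p "${key%/*}" "${cert%/*}"
  pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${key}"
  # NOTE(review): the bare "-" after --not-after is carried over from the
  # original command line.  It looks like a stray argument; it is kept to
  # preserve the exact invocation and should be dropped once it is confirmed
  # that pki ignores it.
  pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
      --in "${key}" --san "${cn}" \
      --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
      --serial "${serial}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${cn}" \
      --crl "${MONSTER_CDP}" --outform pem > "${cert}"
  cp "${cert}" "${MONSTER_DIR}/certs/${serial}.pem"
}

# Generate strongSwan Monster Root CA
pki --gen  --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --outform pem > "${MONSTER_CERT}"

# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
for h in moon carol; do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp "${MONSTER_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# Generate a moon Monster certificate
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
issue_monster_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}"

# Generate a carol Monster certificate
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
issue_monster_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}"
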
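################################################################################
# Bliss CA                                                                     #
################################################################################

# issue_bliss_ee KEY CERT CN SERIAL SIZE OU: generate a BLISS key of parameter
# set SIZE at KEY, issue a certificate at CERT signed by the BLISS Root CA with
# a sha3_512 digest and organizational unit OU, and archive a copy of the
# certificate under the CA's certs/ directory by serial number.  No --outform
# is given, so key and certificate are written in pki's default encoding (the
# files are named *.der accordingly).
issue_bliss_ee() {
  local key=$1 cert=$2 cn=$3 serial=$4 size=$5 ou=$6
  mkdir -p "${key%/*}" "${cert%/*}"
  pki --gen --type bliss --size "${size}" > "${key}"
  pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
      --in "${key}" --not-before "${START}" --not-after "${EE_END}" --san "${cn}" \
      --serial "${serial}" --dn "C=CH, O=${PROJECT}, OU=${ou}, CN=${cn}" \
      --crl "${BLISS_CDP}" --digest sha3_512 > "${cert}"
  cp "${cert}" "${BLISS_DIR}/certs/${serial}.der"
}

# copy_bliss_ee HOST KEY CERT: put HOST's BLISS key and certificate into the
# ikev2/rw-ntru-bliss (ipsec.d layout) and swanctl/rw-ntru-bliss (swanctl
# layout) scenarios.
copy_bliss_ee() {
  local host=$1 key=$2 cert=$3
  local ikev2="${TEST_DIR}/ikev2/rw-ntru-bliss/hosts/${host}/${IPSEC_DIR}"
  local swanctl="${TEST_DIR}/swanctl/rw-ntru-bliss/hosts/${host}/${SWANCTL_DIR}"
  mkdir -p "${ikev2}/private" "${ikev2}/certs" "${swanctl}/bliss" "${swanctl}/x509"
  cp "${key}"  "${ikev2}/private"
  cp "${cert}" "${ikev2}/certs"
  cp "${key}"  "${swanctl}/bliss"
  cp "${cert}" "${swanctl}/x509"
}

# Generate BLISS Root CA with 192 bit security strength (parameter set 4)
pki --gen  --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --digest sha3_512 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > "${BLISS_CERT}"

# Put a copy of the CA certificate in the following scenarios
for t in rw-newhope-bliss rw-ntru-bliss; do
  TEST="${TEST_DIR}/ikev2/${t}"
  for h in moon carol dave; do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
    cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  done
done

TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
for h in moon carol dave; do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${BLISS_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done

# The end-entity keys and certificates are generated in the
# ikev2/rw-newhope-bliss scenario and copied into the rw-ntru-bliss scenarios.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"

# Generate a carol BLISS certificate with 128 bit security strength
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
issue_bliss_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}" 1 "BLISS I"
copy_bliss_ee carol "${TEST_KEY}" "${TEST_CERT}"

# Generate a dave BLISS certificate with 160 bit security strength
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
issue_bliss_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}" 3 "BLISS III"
copy_bliss_ee dave "${TEST_KEY}" "${TEST_CERT}"

# Generate a moon BLISS certificate with 192 bit security strength
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
issue_bliss_ee "${TEST_KEY}" "${TEST_CERT}" "${CN}" "${SERIAL}" 4 "BLISS IV"
copy_bliss_ee moon "${TEST_KEY}" "${TEST_CERT}"
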
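################################################################################
# SQL Data                                                                     #
################################################################################

# The sql/* scenarios ship data.sql.in templates containing placeholder tokens
# (CA_CERT_HEX, MOON_KEY_HEX, ...).  Each token is replaced below with the hex
# encoding of the matching key, certificate or key identifier.  Every
# substituted value is a plain string of hex digits, so it cannot contain the
# sed delimiter, '&' or a backslash and is safe to splice into an s/// command.
# Because errexit is on, a failing pki/openssl/hexdump in one of the command
# substitutions below aborts the build instead of leaving an empty value.

# file_hex FILE: FILE as a single line of lowercase hex without a trailing
# newline.  hexdump reads the file itself (no cat pipeline), so a missing or
# unreadable file is a hard error rather than an empty result.
file_hex() {
  hexdump -v -e '/1 "%02x"' "$1"
}

# key_id_hex ID KEY: the pki key identifier of type ID (spk or spki) of the
# RSA key KEY, as hex
key_id_hex() {
  pki --keyid --type rsa --format hex --id "$1" --in "$2"
}

# pub_hex KEY: the public key extracted from the RSA key KEY, as hex.  pipefail
# is enabled inside the subshell only, so a failing pki is not masked by
# hexdump succeeding on empty input.
pub_hex() {
  ( set -o pipefail; pki --pub --type rsa --in "$1" | hexdump -v -e '/1 "%02x"' )
}

# cert_der_hex PEM: the PEM certificate PEM re-encoded as DER, as hex (same
# pipefail subshell as pub_hex)
cert_der_hex() {
  ( set -o pipefail; openssl x509 -in "$1" -outform der | hexdump -v -e '/1 "%02x"' )
}

# render_sql_data OUT SED_ARGS...: write OUT from the template OUT.in with the
# given sed expressions applied
render_sql_data() {
  local out=$1
  shift
  sed "$@" "${out}.in" > "${out}"
}

CA_SPK_HEX=$(key_id_hex spk "${CA_KEY}")
CA_SPKI_HEX=$(key_id_hex spki "${CA_KEY}")
CA_CERT_HEX=$(file_hex "${CA_CERT_DER}")
CA_CERT_PEM_HEX=$(file_hex "${CA_CERT}")

MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_KEY="${CA_DIR}/keys/moonKey.der"
MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_KEY_PEM_HEX=$(file_hex "${MOON_KEY_PEM}")
MOON_KEY_HEX=$(file_hex "${MOON_KEY}")
MOON_SPK_HEX=$(key_id_hex spk "${MOON_KEY}")
MOON_PUB_HEX=$(pub_hex "${MOON_KEY}")
MOON_CERT_HEX=$(cert_der_hex "${MOON_CERT}")
MOON_CERT_PEM_HEX=$(file_hex "${MOON_CERT}")

SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_KEY="${CA_DIR}/keys/sunKey.der"
SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_KEY_PEM_HEX=$(file_hex "${SUN_KEY_PEM}")
SUN_KEY_HEX=$(file_hex "${SUN_KEY}")
SUN_SPK_HEX=$(key_id_hex spk "${SUN_KEY}")
SUN_CERT_HEX=$(cert_der_hex "${SUN_CERT}")
SUN_CERT_PEM_HEX=$(file_hex "${SUN_CERT}")

CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CAROL_KEY="${CA_DIR}/keys/carolKey.der"
CAROL_KEY_HEX=$(file_hex "${CAROL_KEY}")
CAROL_SPK_HEX=$(key_id_hex spk "${CAROL_KEY}")
CAROL_PUB_HEX=$(pub_hex "${CAROL_KEY}")
CAROL_CERT_HEX=$(cert_der_hex "${CAROL_CERT}")

DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
DAVE_KEY="${CA_DIR}/keys/daveKey.der"
DAVE_KEY_HEX=$(file_hex "${DAVE_KEY}")
DAVE_SPK_HEX=$(key_id_hex spk "${DAVE_KEY}")
DAVE_PUB_HEX=$(pub_hex "${DAVE_KEY}")
DAVE_CERT_HEX=$(cert_der_hex "${DAVE_CERT}")

ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
ALICE_KEY_HEX=$(file_hex "${ALICE_KEY}")
ALICE_SPK_HEX=$(key_id_hex spk "${ALICE_KEY}")
ALICE_CERT_HEX=$(cert_der_hex "${ALICE_CERT}")

VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
VENUS_KEY="${CA_DIR}/keys/venusKey.der"
VENUS_KEY_HEX=$(file_hex "${VENUS_KEY}")
VENUS_SPK_HEX=$(key_id_hex spk "${VENUS_KEY}")
VENUS_CERT_HEX=$(cert_der_hex "${VENUS_CERT}")

RESEARCH_SPK_HEX=$(key_id_hex spk "${RESEARCH_KEY}")
RESEARCH_SPKI_HEX=$(key_id_hex spki "${RESEARCH_KEY}")
RESEARCH_CERT_HEX=$(file_hex "${RESEARCH_CERT_DER}")

CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
CAROL_R_KEY_HEX=$(file_hex "${CAROL_R_KEY}")
CAROL_R_SPK_HEX=$(key_id_hex spk "${CAROL_R_KEY}")
CAROL_R_CERT_HEX=$(cert_der_hex "${CAROL_R_CERT}")

SALES_SPK_HEX=$(key_id_hex spk "${SALES_KEY}")
SALES_SPKI_HEX=$(key_id_hex spki "${SALES_KEY}")
SALES_CERT_HEX=$(file_hex "${SALES_CERT_DER}")

DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
DAVE_S_KEY="${SALES_DIR}/keys/01.der"
DAVE_S_KEY_HEX=$(file_hex "${DAVE_S_KEY}")
DAVE_S_SPK_HEX=$(key_id_hex spk "${DAVE_S_KEY}")
DAVE_S_CERT_HEX=$(cert_der_hex "${DAVE_S_CERT}")

# Roadwarrior scenarios with carol, dave and moon (research/sales sub-CAs
# included for the multi-level-ca case)
for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
         ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
         rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid; do
  for h in carol dave moon; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql_data "${TEST_DATA}" \
        -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
        -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g" \
        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
        -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g" \
        -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g" \
        -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g" \
        -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g" \
        -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g" \
        -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g" \
        -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g" \
        -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g" \
        -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g" \
        -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g" \
        -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g" \
        -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g" \
        -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g" \
        -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g" \
        -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g" \
        -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g" \
        -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g" \
        -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g" \
        -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g" \
        -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g"
  done
done

# EAP-AKA scenario: only carol and moon, and only the CA and moon material
for t in rw-eap-aka-rsa; do
  for h in carol moon; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql_data "${TEST_DATA}" \
        -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g"
  done
done

# Site-to-site scenarios between moon and sun; these also take the PEM-encoded
# variants of the keys and certificates
for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem; do
  for h in moon sun; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql_data "${TEST_DATA}" \
        -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
        -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g" \
        -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g" \
        -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g" \
        -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g" \
        -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g" \
        -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g" \
        -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g" \
        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g" \
        -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g"
  done
done

# Shunt policy scenario with alice, venus and sun
for t in shunt-policies-nat-rw; do
  for h in alice venus sun; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    render_sql_data "${TEST_DATA}" \
        -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
        -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
        -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g" \
        -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g" \
        -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g" \
        -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g" \
        -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g" \
        -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g" \
        -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g" \
        -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g" \
        -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g" \
        -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g"
  done
done
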
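################################################################################
# Raw RSA keys                                                                 #
################################################################################

# Public keys in DNSKEY format for the ikev2/net2net-rsa scenario, spliced into
# each host's ipsec.conf from the ipsec.conf.in template.  MOON_KEY and SUN_KEY
# are the DER keys under ${CA_DIR}/keys set in the SQL Data section above.
# '|' is used as the sed delimiter because the DNSKEY output is base64-like
# data that may contain '/'; it contains neither '|' nor '&'.  With errexit
# on, a failing pki aborts the build instead of yielding an empty key.
MOON_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in "${MOON_KEY}")
SUN_PUB_DNS=$(pki --pub --type rsa --outform dnskey --in "${SUN_KEY}")

for h in moon sun; do
  TEST_DATA="${TEST_DIR}/ikev2/net2net-rsa/hosts/${h}/etc/ipsec.conf"
  sed -e "s|MOON_PUB_DNS|${MOON_PUB_DNS}|g" \
      -e "s|SUN_PUB_DNS|${SUN_PUB_DNS}|g" \
      "${TEST_DATA}.in" > "${TEST_DATA}"
done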