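#!/bin/bash
#
# Build the strongSwan test PKI: Root CA, intermediate CAs, host keys and
# certificates, CRLs, PKCS#8/PKCS#12 variants and DNSSEC zone fragments,
# and distribute them into the host and scenario trees below testing/.
# All paths are derived from the location of this script.

echo "Building certificates"

# Abort on the first failing command or pipeline stage: otherwise a failed
# key or certificate generation leaves empty files behind that are then
# silently copied into every scenario.
set -e -o pipefail

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory (the parent of this script's directory)
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"

# Validity periods, relative to now (GNU date -d). The "%d.%m.%y %T" form is
# what pki --not-before/--not-after take below; the compact form follows the
# ASN.1 UTCTime layout.
START=$(date  -d "-2 day"    "+%d.%m.%y %T")
SH_END=$(date -d "-1 day"    "+%d.%m.%y %T")    #  1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")    # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")    #  9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")    #  8 years
SH_EXP=$(date -d "-1 day"    "+%y%m%d%H%M%SZ")  #  1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ")  #  9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ")  #  8 years
NOW=$(date "+%y%m%d%H%M%SZ")

# Research intermediate CA
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"

# Sales intermediate CA
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"

# Duck CA
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"

# ECDSA CA
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"

# RFC 3779 (IP address block extension) CA
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"

# SHA-3 / RSA CA
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"

# Ed25519 CA
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"

# "Monster" CA with oversized RSA keys
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"

# BLISS CA (DER-encoded key and certificate)
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"

# Defaults for host keys and the per-host configuration subtrees
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated list; the loops below word-split it on purpose
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"
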
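# Create the output directories of the CA hierarchy (-p is idempotent and
# also creates the missing intermediate directories)
mkdir -p -- \
  "${CA_DIR}/certs" "${CA_DIR}/keys" \
  "${RESEARCH_DIR}/certs" "${RESEARCH_DIR}/keys" \
  "${SALES_DIR}/certs" "${SALES_DIR}/keys" \
  "${DUCK_DIR}/certs" \
  "${ECDSA_DIR}/certs" \
  "${RFC3779_DIR}/certs" \
  "${SHA3_RSA_DIR}/certs" \
  "${ED25519_DIR}/certs" \
  "${MONSTER_DIR}/certs" \
  "${BLISS_DIR}/certs"
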
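################################################################################
# strongSwan Root CA                                                           #
################################################################################

# Generate the strongSwan Root CA key and self-signed certificate.
# --pathlen 1 permits exactly one level of subordinate CA below the root.
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"

# Distribute the Root CA certificate to every host, into both the ipsec.d
# and the swanctl tree (${HOSTS} is a space-separated list, split on purpose)
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  cp "${CA_CERT}" "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  cp "${CA_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
done

# Put a copy onto the alice FreeRADIUS server
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"

# Convert strongSwan Root CA certificate into DER format
openssl x509 -in "${CA_CERT}" -outform der -out "${CA_CERT_DER}"

# Generate a stale CRL: this-update two days in the past with a lifetime of
# one day, so it is already expired when the scenarios run
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
cp "${CA_LAST_CRL}" "${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl"
cp "${CA_LAST_CRL}" "${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl"
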
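# Generate host keys (one RSA key per host, in the ipsec.d tree)
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

  # Put a copy into swanctl directory tree
  cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"

  # Convert host key into DER format (stderr is discarded)
  openssl rsa -in "${HOST_KEY}" -outform der -out "${CA_DIR}/keys/${h}Key.der" \
          2> /dev/null
done

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios.
# One pass is enough: mkdir -p covers scenario trees that lack etc/tkm, and
# the copy is idempotent.
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  cp "${CA_DIR}/keys/moonKey.der" "${CA_CERT_DER}" "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
for t in multiple-clients
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
  cp "${CA_DIR}/keys/sunKey.der" "${CA_CERT_DER}" "${TEST}/hosts/sun/${TKM_DIR}"
done

# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format
# NOTE(review): -nocrypt appears to make openssl pkcs8 write the key
# unencrypted and ignore -v1/-passout; if an encrypted key is intended here,
# drop -nocrypt and confirm the scenario's secrets carry this passphrase.
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
# (same -nocrypt caveat as for carol above)
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8  -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"
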
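################################################################################
# Public Key Extraction                                                        #
################################################################################

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/rw-dnssec scenario
TEST="${TEST_DIR}/ikev2/rw-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"

# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw carol public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw dave public key for the swanctl/rw-dnssec scenario
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
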
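################################################################################
# Host Certificate Generation                                                  #
################################################################################

#######################################
# Issue an end-entity certificate for a host, signed by the Root CA.
# Globals:   reads DIR, IPSEC_DIR, SWANCTL_DIR, CA_KEY, CA_CERT, CA_CDP,
#            CA_DIR, PROJECT, START, EE_END;
#            assigns OU, HOST_DIR, HOST_KEY, HOST_CERT (left global on purpose)
# Arguments: $1 - serial number; also the file name of the copy in ca/certs
#            $2 - host name; the key is read from hosts/$2/.../private/$2Key.pem
#            $3 - common name, also used as subjectAltName
#            $4 - optional organizational unit
# Outputs:   hosts/$2/etc/ipsec.d/certs/$2Cert.pem, plus copies in
#            ca/certs/$1.pem and in the host's swanctl x509 directory
#######################################
issue_cert()
{
  # The OU is optional; ${4:-} keeps the test safe under 'set -u' as well
  if [ -z "${4:-}" ]
  then
    OU=""
  else
    OU=" OU=${4},"
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}
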
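# Generate host certificates: issue_cert serial host cn [ou]
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon: key, certificate and the Root CA, protected
# with a fixed test passphrase (stderr is discarded)
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# Create PKCS#12 file for sun (same scenario)
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
TEST="${TEST_DIR}/botan/net2net-pkcs12"
mkdir -p "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
mkdir -p "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
cp "${SUN_PKCS12}"  "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"

# Put a PKCS#12 copy into the openssl-ikev2/net2net-pkcs12 scenario
TEST="${TEST_DIR}/openssl-ikev2/net2net-pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12"
cp "${SUN_PKCS12}"  "${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12"
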
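################################################################################
# DNSSEC Zone Files                                                            #
################################################################################

# Store moon and sun certificates in strongswan.org zone as CERT records
# (type 1 = PKIX, key tag 0, algorithm 0)
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
echo "; Automatically generated for inclusion in zone file" > "${ZONE_FILE}"
for h in moon sun
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # PEM body without the BEGIN/END lines, every line indented by four tabs
  # (GNU sed: \t in the replacement)
  cert=$(grep -v '^-----' "${HOST_CERT}" | sed -e 's/^/\t\t\t\t/')
  printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${h}" "${cert}" >> "${ZONE_FILE}"
done

# Store public keys in strongswan.org zone as IPSECKEY records
# (precedence 10, gateway type 3 = domain name, algorithm 2 = RSA)
echo ";" >> "${ZONE_FILE}"
for h in moon sun carol dave
do
  HOST_CERT="${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem"
  # base64 key re-wrapped into chunks of at most 64 characters, each
  # indented by four tabs (GNU sed: \t and \n in the replacement)
  pubkey=$(pki --pub --type x509 --in "${HOST_CERT}" --outform dnskey |
           sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  printf '%s\tIN\tIPSECKEY\t( 10 3 2 %s.strongswan.org.\n%s\n\t\t\t\t)\n' \
         "${h}" "${h}" "${pubkey}" >> "${ZONE_FILE}"
done
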
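# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
# (serial 01 is the same as carol's main certificate; only the CDP differs)
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
# (serial 03, like moon's main certificate)
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Encrypt carolKey.pem in place with a fixed test passphrase (stderr is
# discarded). Only the ipsec.d copy is encrypted; the swanctl copy made
# when the host keys were generated stays unencrypted.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 -passout "pass:${KEY_PWD}" -out "${HOST_KEY}" \
        2> /dev/null

# Put a copy into the ikev2/dynamic-initiator scenario (dave uses carol's
# encrypted key and certificate there)
TEST="${TEST_DIR}/ikev2/dynamic-initiator"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the ikev1/dynamic-initiator scenario
TEST="${TEST_DIR}/ikev1/dynamic-initiator"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the ikev1/dynamic-responder scenario
TEST="${TEST_DIR}/ikev1/dynamic-responder"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"

# Generate another carol certificate (serial 08) and revoke it with reason
# key-compromise. The resulting CRL is kept as CA_LAST_CRL so that the next
# CRL can be built on top of it.
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "key-compromise" \
    --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Generate another carol certificate with SN=002 (serial 09, same CN as above)
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
CN="carol@strongswan.org"
SERIAL="09"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
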
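################################################################################
# Research CA Certificate Generation                                           #
################################################################################

# Generate a Research CA certificate (serial 0A) signed by the Root CA and
# revoke it with reason ca-compromise. --lastcrl carries the entries of the
# previous CRL (the serial-08 revocation) over into the new one, after which
# the old CRL file is no longer needed.
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm "${CA_LAST_CRL}"

# Generate the valid Research CA (serial 0B) with the same private key as
# above, signed by the Root CA
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the ikev1/multi-level-ca scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
cp "${RESEARCH_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-pathlen scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-multi-level scenario
TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-strict-ifuri scenario
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the swanctl/multi-level-ca scenario
TEST="${TEST_DIR}/swanctl/multi-level-ca"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"

# Put a certificate copy into the swanctl/ocsp-multi-level scenario
TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"

# Convert Research CA certificate into DER format
openssl x509 -in "${RESEARCH_CERT}" -outform der -out "${RESEARCH_CERT_DER}"

# Generate Research CA with the same private key as above but an invalid CDP
# (SERIAL is still 0B here, i.e. the same serial as the valid Research CA
# certificate; only the CDP differs)
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
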
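################################################################################
# Sales CA Certificate Generation                                              #
################################################################################

# Generate Sales CA (serial 0C) signed by Root CA
SERIAL="0C"
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the ikev1/multi-level-ca scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
cp "${SALES_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-multi-level scenario
TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the ikev2/ocsp-strict-ifuri scenario
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# Put a certificate copy into the swanctl/multi-level-ca scenario
TEST="${TEST_DIR}/swanctl/multi-level-ca"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"

# Put a certificate copy into the swanctl/ocsp-multi-level scenario
TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"

# Convert Sales CA certificate into DER format
openssl x509 -in "${SALES_CERT}" -outform der -out "${SALES_CERT_DER}"
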
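# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate.
# The key is generated unencrypted for pki --issue and then encrypted in
# place with a fixed test passphrase (stderr of openssl is discarded).
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"
SERIAL="0D"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
    --digest sha224 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes128 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
        2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"
SERIAL="0E"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
    --digest sha384 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes192 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
        2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"
SERIAL="0F"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
    --digest sha512 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes256 -passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
        2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
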
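# Generate another carol certificate (serial 10) carrying an OCSP URI
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the ikev2/ocsp-timeouts-good scenario
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/ocsp-signer-cert scenario
TEST="${TEST_DIR}/swanctl/ocsp-signer-cert"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"

# Put a copy into the swanctl/ocsp-disabled scenario
TEST="${TEST_DIR}/swanctl/ocsp-disabled"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
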
# OCSP signer for the strongSwan Root CA: issued by the root itself and
# flagged with the ocspSigning extended key usage.
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Self-signed OCSP signer with the same CN but its own OU.  It is not chained
# to the CA and gets the CA lifetime; the scenario below installs it
# explicitly in the peers' ocspcerts/ directories, so trust presumably comes
# from that local installation rather than from the chain.
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning --san "${CN}" \
    --not-before "${START}" --not-after "${CA_END}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# ikev2/ocsp-local-cert: both peers get the self-signed signer.
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
for h in carol moon
do
  cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/ocspcerts"
done
714
# mars: server certificate for the virtual (HA) gateway address.  One key pair
# is deliberately shared by every node that can hold that address.
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --type rsa --in "${TEST_KEY}" --flag serverAuth \
    --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# alice is moon's mirror in ha/both-active.
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/private" \
         "${TEST}/hosts/alice/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/alice/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/alice/${IPSEC_DIR}/certs"

# Both nodes of ha/active-passive and ikev2/redirect-active need the same
# key pair; the directories are created on the fly.
for t in ha/active-passive ikev2/redirect-active
do
  TEST="${TEST_DIR}/${t}"
  for h in alice moon
  do
    host_dir="${TEST}/hosts/${h}/${IPSEC_DIR}"
    mkdir -p "${host_dir}/private" "${host_dir}/certs"
    cp "${TEST_KEY}"  "${host_dir}/private"
    cp "${TEST_CERT}" "${host_dir}/certs"
  done
done
749
# winnetou: serverAuth certificate for the host that carries the CA material
# (CA_DIR lives under hosts/winnetou).  No OU in this DN.
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
SERIAL="13"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --type rsa --in "${HOST_KEY}" --flag serverAuth \
    --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${HOST_CERT}"
cp "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
761
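# Generate the AAA (RADIUS/EAP) server certificate for alice.
#
# This section and the copy loop below change the working directory and then
# use relative paths (mkdir -p rsa x509, cp ... rsa).  No 'set -e' is visible
# in this script, so an unguarded 'cd' that fails would leave the following
# relative mkdir/cp operating in whatever the previous working directory was,
# silently scattering directories and a private key into the wrong place.
# Every cd is therefore guarded with '|| exit 1': an incomplete fixture set is
# better reported loudly than produced quietly.
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
SERIAL="14"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the other tnc scenarios that run the same AAA server.
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}" || exit 1
  mkdir -p rsa x509
  cp "${TEST_KEY}"  rsa
  cp "${TEST_CERT}" x509
done

# Put a copy into the alice FreeRADIUS server (absolute target, no cd needed).
cp "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"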
788
789 ################################################################################
790 # strongSwan Attribute Authority                                               #
791 ################################################################################
792
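# Generate the Attribute Authority (AA) certificate.  It is issued by the Root
# CA with the intermediate lifetime (IM_END) and, unlike the end-entity
# certificates above, gets no SAN.
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
CN="strongSwan Attribute Authority"
SERIAL="15"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${IM_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Attribute certificates below name their holder by the Root CA's serial-
# indexed certificate copy: 01.pem is carol's, 02.pem is dave's (going by the
# comments; the files themselves are produced earlier in this script).

# carol's attribute certificate for sales and finance (valid now).
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales --group finance \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"

# dave's attribute certificate for sales, already expired (SH_END is in the past).
ACERT="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${SH_END}" --outform pem  > "${ACERT}"

# dave's attribute certificate for marketing, valid from SH_END onwards.
# Kept in ACERT_DM because a later scenario copies it.
ACERT_DM="${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group marketing \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_DM}"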
823
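# ikev2/acert-fallback: moon gets the AA key and certificate.
TEST="${TEST_DIR}/ikev2/acert-fallback"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# carol's attribute certificate for finance, already expired (ends at SH_END).
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem  > "${ACERT}"

# carol's attribute certificate for sales, valid from SH_END onwards.
# Kept in ACERT_CS because the inline scenario below copies it.
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"

# ikev2/acert-inline: moon gets the AA material, the clients carry their own
# valid attribute certificates (ACERT_DM was produced in the AA section above).
TEST="${TEST_DIR}/ikev2/acert-inline"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}"  "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}"  "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"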
847
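# Generate a short-lived Attribute Authority certificate that is already
# expired (valid START..SH_END, both in the past).  TEST still points at
# ikev2/acert-inline.
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
SERIAL="16"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate dave's attribute certificate for sales from the expired AA.  The
# attribute certificate itself is within its validity period; only its issuer
# has expired (presumably to check that such an acert is not honoured).
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"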
865
866 ################################################################################
867 # strongSwan Root CA index for OCSP server                                     #
868 ################################################################################
869
# Build index.txt for the Root OCSP responder from its template, filling in
# the placeholder timestamps computed at the top of the script.  One sed pass
# with four expressions; the substituted values are plain YYMMDDhhmmssZ
# strings, so they contain no characters special to sed's replacement side.
cp "${CA_DIR}/index.txt.template" "${CA_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" \
       -e "s/IM_EXPIRATION/${IM_EXP}/g" \
       -e "s/SH_EXPIRATION/${SH_EXP}/g" \
       -e "s/REVOCATION/${NOW}/g" "${CA_DIR}/index.txt"
876
877 ################################################################################
878 # Research CA                                                                  #
879 ################################################################################
880
# carol: end-entity certificate issued by the Research intermediate CA, with
# the Research CRL distribution point.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --type rsa --in "${TEST_KEY}" \
    --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --crl "${RESEARCH_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Also keep the private key as DER in the Research CA's keys/ store.
openssl rsa -in "${TEST_KEY}" -outform der \
            -out "${RESEARCH_DIR}/keys/${SERIAL}.der" 2> /dev/null
897
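# Distribute carol's Research-CA key pair to every scenario that uses it.
# Fourteen near-identical copy stanzas are folded into two loops (one per
# directory layout); the set of scenarios is unchanged.  This also retires a
# mislabelled comment that called the multi-level-ca-loop copy "ldap".
#
# Legacy ipsec.d layout: private/ and certs/.
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-ldap    ikev2/multi-level-ca-loop \
         ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
         ikev2/multi-level-ca-strict  ikev2/ocsp-multi-level \
         ikev1/multi-level-ca         ikev1/multi-level-ca-cr-init \
         ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
done

# swanctl layout: rsa/ and x509/.
for t in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done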
962
# carol: the Research-CA certificate re-issued for ikev2/ocsp-strict-ifuri
# from the same key and with the same serial, but without a CRL distribution
# point (no --crl), so the certificate itself offers no revocation URI.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --issue --type rsa --in "${TEST_KEY}" \
    --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
971
# OCSP signer for the Research CA (ocspSigning flag, Research CDP).
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --crl "${RESEARCH_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Cross-certificate: the existing Sales CA key certified by the Research CA
# (--ca), used by ikev2/multi-level-ca-loop.  Together with the matching
# research_by_sales certificate issued later this forms a certification loop.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
SERIAL="03"
pki --issue --type rsa --in "${SALES_KEY}" --ca \
    --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --crl "${RESEARCH_CDP}" \
    --serial "${SERIAL}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
994
995 ################################################################################
996 # Duck Research CA                                                                     #
997 ################################################################################
998
# Duck Research CA: a second-level intermediate issued by the Research CA.
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${DUCK_KEY}"
pki --issue --type rsa --in "${DUCK_KEY}" --ca \
    --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --crl "${RESEARCH_CDP}" \
    --serial "${SERIAL}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
    --outform pem > "${DUCK_CERT}"
cp "${DUCK_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# ikev2/multi-level-ca-pathlen: moon trusts the Duck CA certificate directly.
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
cp "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"

# carol: end-entity certificate issued by the Duck Research CA (no CDP).
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --type rsa --in "${TEST_KEY}" \
    --cakey "${DUCK_KEY}" --cacert "${DUCK_CERT}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${DUCK_DIR}/certs/${SERIAL}.pem"

# index.txt for the Research OCSP responder: only the end-entity expiry
# placeholder exists in this template.
cp "${RESEARCH_DIR}/index.txt.template" "${RESEARCH_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${RESEARCH_DIR}/index.txt"
1027
1028 ################################################################################
1029 # Sales CA                                                                     #
1030 ################################################################################
1031
# dave: end-entity certificate issued by the Sales intermediate CA, with the
# Sales CRL distribution point.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --type rsa --in "${TEST_KEY}" \
    --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --crl "${SALES_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Also keep the private key as DER in the Sales CA's keys/ store.
openssl rsa -in "${TEST_KEY}" -outform der \
            -out "${SALES_DIR}/keys/${SERIAL}.der" 2> /dev/null
1048
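# Distribute dave's Sales-CA key pair to every scenario that uses it.  Ten
# near-identical copy stanzas are folded into two loops (one per directory
# layout); the set of scenarios is unchanged.
#
# Legacy ipsec.d layout: private/ and certs/.
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-ldap    ikev2/multi-level-ca-strict \
         ikev2/ocsp-multi-level \
         ikev1/multi-level-ca         ikev1/multi-level-ca-cr-init \
         ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
done

# swanctl layout: rsa/ and x509/.
for t in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
done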
1098
# dave: the Sales-CA certificate re-issued for ikev2/ocsp-strict-ifuri from
# the same key and serial, without a CDP but with an OCSP URI that points at
# a responder that is not running (ocsp2.strongswan.org:8882).
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
pki --issue --type rsa --in "${TEST_KEY}" \
    --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" \
    --ocsp "http://ocsp2.strongswan.org:8882" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"

# OCSP signer for the Sales CA (ocspSigning flag, Sales CDP).
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --crl "${SALES_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Cross-certificate: the existing Research CA key certified by the Sales CA
# (--ca); the counterpart of sales_by_researchCert for the loop scenario.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
SERIAL="03"
pki --issue --type rsa --in "${RESEARCH_KEY}" --ca \
    --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --crl "${SALES_CDP}" \
    --serial "${SERIAL}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# index.txt for the Sales OCSP responder (end-entity expiry placeholder only).
cp "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${SALES_DIR}/index.txt"
1134
1135 ################################################################################
1136 # strongSwan EC Root CA                                                        #
1137 ################################################################################
1138
# strongSwan EC Root CA: self-signed, P-521 key, CA lifetime.
pki --gen --type ecdsa --size 521 --outform pem > "${ECDSA_KEY}"
pki --self --type ecdsa --in "${ECDSA_KEY}" --ca \
    --not-before "${START}" --not-after "${CA_END}" \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
    --outform pem > "${ECDSA_CERT}"

# openssl-ikev2/ecdsa-certs: every host trusts the EC root.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
for h in moon carol dave
do
  cp "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1151
# Three ECDSA end-entity certificates on different curves, all issued by the
# EC root.  The MOON_/CAROL_/DAVE_ variables are reused by later sections.

# moon: P-521 key.  NOTE(review): the OU reads "ECDSA 512 bit" although the
# key is 521 bit; it is left as-is because scenario configs may match on the
# DN, but it looks like a typo worth confirming.
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --type ecdsa --in "${MOON_KEY}" \
    --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --crl "${ECDSA_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
    --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# carol: P-256 key.
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --type ecdsa --in "${CAROL_KEY}" \
    --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --crl "${ECDSA_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
    --outform pem > "${CAROL_CERT}"
cp "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# dave: P-384 key.
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="03"
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --type ecdsa --in "${DAVE_KEY}" \
    --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --crl "${ECDSA_CDP}" \
    --serial "${SERIAL}" --san "${CN}" \
    --not-before "${START}" --not-after "${EE_END}" \
    --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
    --outform pem > "${DAVE_CERT}"
cp "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1187
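# openssl-ikev2/ecdsa-pkcs8: CA and end-entity certificates for all hosts,
# plus the private keys converted to PKCS#8 in three different flavours.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
for h in moon carol dave
do
  cp "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
cp "${MOON_CERT}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${DAVE_CERT}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"

# moon: unencrypted PKCS#8 (PrivateKeyInfo).  Deliberately plaintext — this is
# the "no passphrase" case of the scenario.
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
openssl pkcs8 -topk8 -nocrypt -in "${MOON_KEY}" -out "${TEST_KEY}"

# carol: PKCS#8 v1.5 PBE-MD5-DES encrypted key.  The weak legacy PBE is chosen
# on purpose to exercise the v1.5 decryption path; it has no place outside
# test fixtures.
# Fix: the previous form also passed '-nocrypt'.  For 'openssl pkcs8 -topk8',
# '-nocrypt' makes the tool write an *unencrypted* PrivateKeyInfo and ignore
# -v1/-v2/-passout, so the fixture came out in the clear despite the comment.
# The flag is dropped here so the output really is encrypted.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
openssl pkcs8 -topk8 -in "${CAROL_KEY}" -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# dave: PKCS#8 v2.0 AES-128 encrypted key (same '-nocrypt' fix as for carol).
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
openssl pkcs8 -topk8 -in "${DAVE_KEY}" -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"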
1210
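# openssl-ikev1/ecdsa-certs: CA and end-entity material for every host.  The
# target directories are created on the fly with relative mkdir/cp after a
# 'cd', and no 'set -e' is visible in this script, so each cd is guarded with
# '|| exit 1' — otherwise a failed cd would leave the relative cp dropping a
# private key into whatever the previous working directory was.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${MOON_KEY}"   ecdsa
cp "${MOON_CERT}"  x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/carol/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${CAROL_KEY}"  ecdsa
cp "${CAROL_CERT}" x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/dave/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${DAVE_KEY}"   ecdsa
cp "${DAVE_CERT}"  x509
cp "${ECDSA_CERT}" x509ca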
1228
1229 ################################################################################
1230 # strongSwan RFC3779 Root CA                                                   #
1231 ################################################################################
1232
# strongSwan RFC3779 Root CA: self-signed RSA root whose certificate carries
# IP address blocks (RFC 3779).  The end-entity certificates issued from it
# below use sub-ranges of these blocks; RFC 3779 path validation requires the
# issuer's blocks to cover the subject's.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RFC3779_KEY}"
pki --self --type rsa --in "${RFC3779_KEY}" --ca \
    --not-before "${START}" --not-after "${CA_END}" \
    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
    --addrblock "10.1.0.0-10.2.255.255" \
    --addrblock "10.3.0.1-10.3.3.232" \
    --addrblock "192.168.0.0/24" \
    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
    --outform pem > "${RFC3779_CERT}"

# ikev2/net2net-rfc3779 (ipsec.d layout): moon and sun trust the root.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for h in moon sun
do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# ipv6/rw-rfc3779-ikev2 (swanctl layout): carol and dave trust the root.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for h in carol dave
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1257
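# Generate a moon RFC3779 certificate: address blocks inside the root's ranges.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy in the ipv6 scenarios (swanctl layout).  The cd is guarded with
# '|| exit 1': the copies below use relative paths and no 'set -e' is visible
# in this script, so a failed cd would otherwise drop moon's private key into
# the previous working directory instead of the scenario.
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
do
  cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}" || exit 1
  mkdir -p rsa x509 x509ca
  cp "${TEST_KEY}"  rsa
  cp "${TEST_CERT}" x509
  cp "${RFC3779_CERT}" x509ca
done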
1284
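# Generate a sun RFC3779 certificate: the 10.2/16 and fec2::/16 halves of the
# root's ranges, complementing moon's 10.1/16 and fec1::/16.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario.  Guarded cd: the
# copies use relative paths and no 'set -e' is visible in this script, so a
# failed cd would otherwise place sun's private key in the wrong directory.
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${TEST_KEY}" rsa
cp "${TEST_CERT}" x509
cp "${RFC3779_CERT}" x509ca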
1308
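# Generate a carol RFC3779 certificate (ipv6/rw-rfc3779-ikev2 scenario).
# Roadwarrior host-only address blocks (/32 and /128) signed by the RFC3779 CA.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
    --addrblock "fec0::10/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
# Keep the issued cert under the CA's serial-numbered certs directory
cp -- "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
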
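# Generate a dave RFC3779 certificate (ipv6/rw-rfc3779-ikev2 scenario).
# (The original comment said "carol" here; this step is for dave.)
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
    --addrblock "fec0::20/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
# Keep the issued cert under the CA's serial-numbered certs directory
cp -- "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
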
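################################################################################
# strongSwan SHA3-RSA Root CA                                                  #
################################################################################

# Generate strongSwan SHA3-RSA Root CA: an RSA key whose self-signed CA
# certificate is signed with SHA3-256 (--digest sha3_256).
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
pki --self --type rsa --in "${SHA3_RSA_KEY}" --digest sha3_256 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --outform pem > "${SHA3_RSA_CERT}"

# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca"
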
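# Generate a sun SHA3-RSA certificate (TEST still points at
# swanctl/net2net-sha3-rsa-cert).  Both the CA signature above and the
# end-entity signatures here use SHA3-256.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${SUN_CERT}"
cp -- "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a moon SHA3-RSA certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${MOON_CERT}"
cp -- "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
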
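# Put a copy in the botan/net2net-sha3-rsa-cert scenario.
# The cd calls are checked: without "set -e" a failed cd would make the
# relative mkdir/cp below write into the previous working directory.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp -- "${MOON_KEY}"      rsa
cp -- "${MOON_CERT}"     x509
cp -- "${SHA3_RSA_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp -- "${SUN_KEY}"       rsa
cp -- "${SUN_CERT}"      x509
cp -- "${SHA3_RSA_CERT}" x509ca

# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario (moon acts as the
# gateway; carol and dave only need the CA certificate here, their own
# certificates are generated below)
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
cp -- "${MOON_KEY}"      "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp -- "${MOON_CERT}"     "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"
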
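# Generate a carol SHA3-RSA certificate (TEST still points at
# swanctl/rw-eap-tls-sha3-rsa)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
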
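################################################################################
# strongSwan Ed25519 Root CA                                                   #
################################################################################

# Generate strongSwan Ed25519 Root CA.  The CA asserts two certificate
# policies (1.3.6.1.4.1.36906.1.1.1 and .1.1.2); the end-entity certificates
# below each carry one of them, presumably so the certpol scenario can test
# policy matching -- verify against the scenario's config.
pki --gen  --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > "${ED25519_CERT}"

# Put a copy in the swanctl/net2net-ed25519 scenario
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
cp -- "${ED25519_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp -- "${ED25519_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca"
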
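# Generate a sun Ed25519 certificate (TEST still points at
# swanctl/net2net-ed25519).  Ed25519 keys are stored under pkcs8/, not rsa/.
# Each end entity gets exactly one of the CA's two policies and an
# extended-key-usage flag (serverAuth for the gateways).
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
cp -- "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a moon Ed25519 certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp -- "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
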
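# Put a copy in the botan/net2net-ed25519 scenario (swanctl layout).
# Every cd is checked: this script has no "set -e", and a silently failing
# cd would make the relative mkdir/cp below write keys into the wrong place.
TEST="${TEST_DIR}/botan/net2net-ed25519"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp -- "${MOON_KEY}"     pkcs8
cp -- "${MOON_CERT}"    x509
cp -- "${ED25519_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp -- "${SUN_KEY}"      pkcs8
cp -- "${SUN_CERT}"     x509
cp -- "${ED25519_CERT}" x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario (ipsec.d layout:
# private/, certs/, cacerts/)
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
cd "${TEST}/hosts/moon/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp -- "${MOON_KEY}"     private
cp -- "${MOON_CERT}"    certs
cp -- "${ED25519_CERT}" cacerts
cd "${TEST}/hosts/sun/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp -- "${SUN_KEY}"      private
cp -- "${SUN_CERT}"     certs
cp -- "${ED25519_CERT}" cacerts

# Put a copy in the swanctl/rw-ed25519-certpol scenario (carol and dave get
# their own certificates below; only the CA certificate is shared here)
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
cp -- "${MOON_KEY}"     "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp -- "${MOON_CERT}"    "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${ED25519_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp -- "${ED25519_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp -- "${ED25519_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"
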
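# Generate a carol Ed25519 certificate (TEST still points at
# swanctl/rw-ed25519-certpol).  Roadwarriors get the clientAuth EKU flag;
# carol carries policy .1.1.1 and dave policy .1.1.2.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a dave Ed25519 certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"
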
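################################################################################
# strongSwan Monster Root CA                                                   #
################################################################################

# Generate strongSwan Monster Root CA.  Validity dates use the same
# "%d.%m.%y %T" format as START/CA_END: 01.05.09 -> 1 May 2009,
# 01.05.59 -> 1 May 2059, i.e. well past the 32-bit time_t limit of 2038.
# The key size (MONSTER_CA_RSA_SIZE) is deliberately separate from RSA_SIZE.
pki --gen  --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --outform pem > "${MONSTER_CERT}"

# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
cp -- "${MONSTER_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"
cp -- "${MONSTER_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"
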
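# Generate a moon Monster certificate (TEST still points at
# ikev2/after-2038-certs).  The end-entity certificates expire on
# 1 May 2039 (01.05.39), i.e. after the 2038 rollover the scenario is named
# for.  The original commands carried a stray bare "-" argument after
# --not-after; it is not an option of pki --issue and has been dropped.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"

# Generate a carol Monster certificate
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"
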
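################################################################################
# Bliss CA                                                                     #
################################################################################

# Generate BLISS Root CA with 192 bit security strength (--size 4, BLISS-IV).
# Unlike the other CAs no --outform is given, so key and certificate are
# written in pki's default (DER) encoding; signatures use SHA3-512.
pki --gen  --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --digest sha3_512 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > "${BLISS_CERT}"

# Put a copy of the BLISS CA certificate in every scenario that uses it
# (two ipsec.d layouts and one swanctl layout)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
cp -- "${BLISS_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"

TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${BLISS_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"

TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${BLISS_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/"
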
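# Generate a carol BLISS certificate with 128 bit security strength
# (--size 1, BLISS-I).  Key and certificate are DER (.der) files since no
# --outform is given.  Generated once in ikev2/rw-newhope-bliss and then
# copied into the other BLISS scenarios.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type bliss --size 1 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario (BLISS keys live in bliss/)
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509/"
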
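# Generate a dave BLISS certificate with 160 bit security strength
# (--size 3, BLISS-III), DER encoded, then copy it into the other BLISS
# scenarios.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
pki --gen --type bliss --size 3 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${TEST_KEY}"  "${TEST}/hosts/dave/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${TEST_KEY}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509/"
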
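# Generate a moon BLISS certificate with 192 bit security strength
# (--size 4, BLISS-IV, the same strength as the CA), DER encoded, then copy
# it into the other BLISS scenarios.
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
pki --gen --type bliss --size 4 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${TEST_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"
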
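################################################################################
# SQL Data                                                                     #
################################################################################

# Collect hex encodings of the keys, public keys, key identifiers and
# certificates that the SQL scenarios' data.sql templates reference by name.
#   *_SPK_HEX / *_SPKI_HEX : key identifiers computed by "pki --keyid"
#   *_KEY_HEX / *_PUB_HEX  : DER private key / public key bytes
#   *_CERT_HEX             : DER certificate bytes (PEM converted via openssl)
#   *_PEM_HEX              : the PEM file bytes themselves
# Every value is hex digits only (hexdump "%02x" / pki --format hex), which
# is what makes the unescaped sed substitutions further down safe.
# Note that this embeds test private keys in the generated data.sql files.
CA_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CA_KEY}")
CA_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${CA_KEY}")
CA_CERT_HEX=$(hexdump -v -e '/1 "%02x"' < "${CA_CERT_DER}")
CA_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' < "${CA_CERT}")
#
# moon: the swanctl-layout cert of the main test setup, the DER key from the
# CA's keys directory and the PEM key from the swanctl layout
MOON_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_KEY="${CA_DIR}/keys/moonKey.der"
MOON_KEY_PEM="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_KEY_PEM_HEX=$(hexdump -v -e '/1 "%02x"' < "${MOON_KEY_PEM}")
MOON_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${MOON_KEY}")
MOON_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${MOON_KEY}")
MOON_PUB_HEX=$(pki --pub --type rsa --in "${MOON_KEY}" | hexdump -v -e '/1 "%02x"')
MOON_CERT_HEX=$(openssl x509 -in "${MOON_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
MOON_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' < "${MOON_CERT}")
#
SUN_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_KEY="${CA_DIR}/keys/sunKey.der"
SUN_KEY_PEM="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_KEY_PEM_HEX=$(hexdump -v -e '/1 "%02x"' < "${SUN_KEY_PEM}")
SUN_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${SUN_KEY}")
SUN_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${SUN_KEY}")
SUN_CERT_HEX=$(openssl x509 -in "${SUN_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
SUN_CERT_PEM_HEX=$(hexdump -v -e '/1 "%02x"' < "${SUN_CERT}")
#
CAROL_CERT="${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CAROL_KEY="${CA_DIR}/keys/carolKey.der"
CAROL_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${CAROL_KEY}")
CAROL_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CAROL_KEY}")
CAROL_PUB_HEX=$(pki --pub --type rsa --in "${CAROL_KEY}" | hexdump -v -e '/1 "%02x"')
CAROL_CERT_HEX=$(openssl x509 -in "${CAROL_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
#
DAVE_CERT="${DIR}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
DAVE_KEY="${CA_DIR}/keys/daveKey.der"
DAVE_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${DAVE_KEY}")
DAVE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${DAVE_KEY}")
DAVE_PUB_HEX=$(pki --pub --type rsa --in "${DAVE_KEY}" | hexdump -v -e '/1 "%02x"')
DAVE_CERT_HEX=$(openssl x509 -in "${DAVE_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
#
ALICE_CERT="${DIR}/hosts/alice/${SWANCTL_DIR}/x509/aliceCert.pem"
ALICE_KEY="${CA_DIR}/keys/aliceKey.der"
ALICE_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${ALICE_KEY}")
ALICE_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${ALICE_KEY}")
ALICE_CERT_HEX=$(openssl x509 -in "${ALICE_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
#
VENUS_CERT="${DIR}/hosts/venus/${SWANCTL_DIR}/x509/venusCert.pem"
VENUS_KEY="${CA_DIR}/keys/venusKey.der"
VENUS_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${VENUS_KEY}")
VENUS_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${VENUS_KEY}")
VENUS_CERT_HEX=$(openssl x509 -in "${VENUS_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
#
# Research intermediate CA and the carol certificate it issued (serial 01)
RESEARCH_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${RESEARCH_KEY}")
RESEARCH_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${RESEARCH_KEY}")
RESEARCH_CERT_HEX=$(hexdump -v -e '/1 "%02x"' < "${RESEARCH_CERT_DER}")
#
CAROL_R_CERT="${RESEARCH_DIR}/certs/01.pem"
CAROL_R_KEY="${RESEARCH_DIR}/keys/01.der"
CAROL_R_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${CAROL_R_KEY}")
CAROL_R_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${CAROL_R_KEY}")
CAROL_R_CERT_HEX=$(openssl x509 -in "${CAROL_R_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
#
# Sales intermediate CA and the dave certificate it issued (serial 01)
SALES_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${SALES_KEY}")
SALES_SPKI_HEX=$(pki --keyid --type rsa --format hex --id spki --in "${SALES_KEY}")
SALES_CERT_HEX=$(hexdump -v -e '/1 "%02x"' < "${SALES_CERT_DER}")
#
DAVE_S_CERT="${SALES_DIR}/certs/01.pem"
DAVE_S_KEY="${SALES_DIR}/keys/01.der"
DAVE_S_KEY_HEX=$(hexdump -v -e '/1 "%02x"' < "${DAVE_S_KEY}")
DAVE_S_SPK_HEX=$(pki --keyid --type rsa --format hex --id spk --in "${DAVE_S_KEY}")
DAVE_S_CERT_HEX=$(openssl x509 -in "${DAVE_S_CERT}" -outform der | hexdump -v -e '/1 "%02x"')
#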
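# Fill in the data.sql templates of the scenarios that use the full set of
# CA / moon / carol / dave / research / sales values.
# The substitution list is built once as an array; the replacement values
# are hex digits only, so no sed escaping of "/" or "&" is needed.
# Placeholder names that are prefixes of others (e.g. CA_SPK_HEX vs
# CA_SPKI_HEX) do not clash because the "_HEX" suffix ends each token.
SQL_SUBST=(
  -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g"
  -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g"
  -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g"
  -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g"
  -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g"
  -e "s/MOON_PUB_HEX/${MOON_PUB_HEX}/g"
  -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g"
  -e "s/CAROL_KEY_HEX/${CAROL_KEY_HEX}/g"
  -e "s/CAROL_SPK_HEX/${CAROL_SPK_HEX}/g"
  -e "s/CAROL_PUB_HEX/${CAROL_PUB_HEX}/g"
  -e "s/CAROL_CERT_HEX/${CAROL_CERT_HEX}/g"
  -e "s/DAVE_KEY_HEX/${DAVE_KEY_HEX}/g"
  -e "s/DAVE_SPK_HEX/${DAVE_SPK_HEX}/g"
  -e "s/DAVE_PUB_HEX/${DAVE_PUB_HEX}/g"
  -e "s/DAVE_CERT_HEX/${DAVE_CERT_HEX}/g"
  -e "s/RESEARCH_SPK_HEX/${RESEARCH_SPK_HEX}/g"
  -e "s/RESEARCH_SPKI_HEX/${RESEARCH_SPKI_HEX}/g"
  -e "s/RESEARCH_CERT_HEX/${RESEARCH_CERT_HEX}/g"
  -e "s/CAROL_R_KEY_HEX/${CAROL_R_KEY_HEX}/g"
  -e "s/CAROL_R_SPK_HEX/${CAROL_R_SPK_HEX}/g"
  -e "s/CAROL_R_CERT_HEX/${CAROL_R_CERT_HEX}/g"
  -e "s/SALES_SPK_HEX/${SALES_SPK_HEX}/g"
  -e "s/SALES_SPKI_HEX/${SALES_SPKI_HEX}/g"
  -e "s/SALES_CERT_HEX/${SALES_CERT_HEX}/g"
  -e "s/DAVE_S_KEY_HEX/${DAVE_S_KEY_HEX}/g"
  -e "s/DAVE_S_SPK_HEX/${DAVE_S_SPK_HEX}/g"
  -e "s/DAVE_S_CERT_HEX/${DAVE_S_CERT_HEX}/g"
)
for t in ip-pool-db ip-pool-db-expired ip-pool-db-restart ip-split-pools-db \
         ip-split-pools-db-restart multi-level-ca rw-cert rw-psk-rsa-split \
         rw-psk-ipv4 rw-psk-ipv6 rw-rsa rw-rsa-keyid; do
  for h in carol dave moon; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    # Check the template first: the output redirection would otherwise
    # create an empty data.sql before sed fails on the missing input.
    if [[ ! -f "${TEST_DATA}.in" ]]; then
      printf 'build-certs: missing template %s.in, skipping\n' "${TEST_DATA}" >&2
      continue
    fi
    sed "${SQL_SUBST[@]}" "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done
#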
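# Fill in the data.sql templates of the EAP-AKA scenario, which only needs
# the CA and moon values (carol authenticates with EAP, not a certificate).
# Replacement values are hex digits only, so no sed escaping is required.
SQL_SUBST=(
  -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g"
  -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g"
  -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g"
  -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g"
  -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g"
  -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g"
)
for t in rw-eap-aka-rsa; do
  for h in carol moon; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    # Check the template first: the output redirection would otherwise
    # create an empty data.sql before sed fails on the missing input.
    if [[ ! -f "${TEST_DATA}.in" ]]; then
      printf 'build-certs: missing template %s.in, skipping\n' "${TEST_DATA}" >&2
      continue
    fi
    sed "${SQL_SUBST[@]}" "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done
#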
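# Fill in the data.sql templates of the net2net scenarios (moon <-> sun).
# These templates also take the PEM-encoded variants (*_PEM_HEX) of the CA
# certificate and the moon/sun keys and certificates.  Replacement values
# are hex digits only, so no sed escaping is required.
SQL_SUBST=(
  -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g"
  -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g"
  -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g"
  -e "s/CA_CERT_PEM_HEX/${CA_CERT_PEM_HEX}/g"
  -e "s/MOON_KEY_PEM_HEX/${MOON_KEY_PEM_HEX}/g"
  -e "s/MOON_KEY_HEX/${MOON_KEY_HEX}/g"
  -e "s/MOON_SPK_HEX/${MOON_SPK_HEX}/g"
  -e "s/MOON_CERT_HEX/${MOON_CERT_HEX}/g"
  -e "s/MOON_CERT_PEM_HEX/${MOON_CERT_PEM_HEX}/g"
  -e "s/SUN_KEY_PEM_HEX/${SUN_KEY_PEM_HEX}/g"
  -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g"
  -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g"
  -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g"
  -e "s/SUN_CERT_PEM_HEX/${SUN_CERT_PEM_HEX}/g"
)
for t in net2net-cert net2net-psk net2net-route-pem net2net-start-pem; do
  for h in moon sun; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    # Check the template first: the output redirection would otherwise
    # create an empty data.sql before sed fails on the missing input.
    if [[ ! -f "${TEST_DATA}.in" ]]; then
      printf 'build-certs: missing template %s.in, skipping\n' "${TEST_DATA}" >&2
      continue
    fi
    sed "${SQL_SUBST[@]}" "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done
#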
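# Fill in the data.sql templates of the shunt-policies-nat-rw scenario
# (hosts alice, venus and sun).  Replacement values are hex digits only,
# so no sed escaping is required.
SQL_SUBST=(
  -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g"
  -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g"
  -e "s/CA_CERT_HEX/${CA_CERT_HEX}/g"
  -e "s/ALICE_KEY_HEX/${ALICE_KEY_HEX}/g"
  -e "s/ALICE_SPK_HEX/${ALICE_SPK_HEX}/g"
  -e "s/ALICE_CERT_HEX/${ALICE_CERT_HEX}/g"
  -e "s/VENUS_KEY_HEX/${VENUS_KEY_HEX}/g"
  -e "s/VENUS_SPK_HEX/${VENUS_SPK_HEX}/g"
  -e "s/VENUS_CERT_HEX/${VENUS_CERT_HEX}/g"
  -e "s/SUN_KEY_HEX/${SUN_KEY_HEX}/g"
  -e "s/SUN_SPK_HEX/${SUN_SPK_HEX}/g"
  -e "s/SUN_CERT_HEX/${SUN_CERT_HEX}/g"
)
for t in shunt-policies-nat-rw; do
  for h in alice venus sun; do
    TEST_DATA="${TEST_DIR}/sql/${t}/hosts/${h}/${IPSEC_DIR}/data.sql"
    # Check the template first: the output redirection would otherwise
    # create an empty data.sql before sed fails on the missing input.
    if [[ ! -f "${TEST_DATA}.in" ]]; then
      printf 'build-certs: missing template %s.in, skipping\n' "${TEST_DATA}" >&2
      continue
    fi
    sed "${SQL_SUBST[@]}" "${TEST_DATA}.in" > "${TEST_DATA}"
  done
done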