testing: Disable leak detective in build-certs script
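#!/bin/bash
#
# build-certs: generate the CA hierarchy, host keys, certificates and CRLs
# used by the strongSwan testing environment and distribute copies into the
# hosts/ and tests/ directory trees next to this script.
#
# Usage: build-certs (no arguments). All paths are derived from the script's
# own location, so it may be run from any working directory.
# Requires the strongSwan `pki` tool and `openssl` in PATH.

echo "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
export LEAK_DETECTIVE_DISABLE=1

# Determine testing directory: the parent of the directory holding this script
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity windows. Everything starts two days in the past (presumably to
# tolerate clock skew between build host and test guests); the *_END values
# are pki date strings, the *_EXP/NOW values use the YYMMDDhhmmssZ form.
START=$(date  -d "-2 day"    "+%d.%m.%y %T")
SH_END=$(date -d "-1 day"    "+%d.%m.%y %T")    #  1 day
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")    # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")    #  9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")    #  8 years
SH_EXP=$(date -d "-1 day"    "+%y%m%d%H%M%SZ")  #  1 day
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ")  #  9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ")  #  8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Space-separated on purpose: consumed by unquoted `for h in ${HOSTS}` loops
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"

# Create the certs/ directory below every CA
for d in "${CA_DIR}" "${RESEARCH_DIR}" "${SALES_DIR}" "${DUCK_DIR}" "${ECDSA_DIR}" \
         "${RFC3779_DIR}" "${SHA3_RSA_DIR}" "${ED25519_DIR}" "${MONSTER_DIR}" \
         "${BLISS_DIR}"
do
  mkdir -p "${d}/certs"
done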
96
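################################################################################
# strongSwan Root CA                                                           #
################################################################################

# Generate strongSwan Root CA: self-signed, --pathlen 1 so one intermediate
# CA level (Research, Sales, ...) fits below it
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"

# Distribute strongSwan Root CA certificate to both the ipsec.d and the
# swanctl CA directories of every host
# shellcheck disable=SC2086 -- HOSTS is a space-separated word list by design
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  cp "${CA_CERT}" "${HOST_DIR}/${IPSEC_DIR}/cacerts"
  cp "${CA_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509ca"
done

# Put a copy onto the alice FreeRADIUS server
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"

# Generate a stale CRL: thisUpdate two days ago with --lifetime 1, so it is
# already expired when the scenarios run
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
cp "${CA_LAST_CRL}" "${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl"
cp "${CA_LAST_CRL}" "${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl"

# Generate host keys
# shellcheck disable=SC2086 -- HOSTS is a space-separated word list by design
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"

  # Put a copy into swanctl directory tree (this copy stays unencrypted;
  # only the ipsec.d copy of carolKey.pem is encrypted in place later on)
  cp "${HOST_KEY}" "${HOST_DIR}/${SWANCTL_DIR}/rsa"
done

# Convert moon private key and Root CA certificate into DER format
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST="${TEST_DIR}/tkm/host2host-initiator"
TEST_KEY="${TEST}/hosts/moon/${TKM_DIR}/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${TKM_DIR}/strongswanCert.der"
openssl rsa -in "${HOST_KEY}" -outform der -out "${TEST_KEY}" 2> /dev/null
openssl x509 -in "${CA_CERT}" -outform der -out "${TEST_CERT}"

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
# NOTE(review): CA_CERT_DER is never assigned in this script, so the cp below
# currently copies only ${CA_DIR}/keys/moonKey.der -- a path that is not
# generated in the visible part of this script either (the DER key above was
# written into the host2host-initiator scenario). The expansion is left
# unquoted on purpose so that, while unset, it vanishes instead of becoming
# an empty operand; confirm the intended source files before tightening this.
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/moon/${TKM_DIR}"
  # shellcheck disable=SC2086
  cp "${CA_DIR}/keys/moonKey.der" ${CA_CERT_DER} "${TEST}/hosts/moon/${TKM_DIR}"
done

# Put DER-encoded sun private key and Root CA certificate into tkm scenarios
# (same caveat as above: CA_CERT_DER is unset and sunKey.der is not generated
# in the visible part of this script)
for t in multiple-clients
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p "${TEST}/hosts/sun/${TKM_DIR}"
  # shellcheck disable=SC2086
  cp "${CA_DIR}/keys/sunKey.der" ${CA_CERT_DER} "${TEST}/hosts/sun/${TKM_DIR}"
done

# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol private key into v1.5 DES encrypted PKCS#8 format
# NOTE(review): with -nocrypt present, `openssl pkcs8 -topk8` writes the key
# unencrypted and ignores -v1/-passout in the OpenSSL versions I know, so the
# output may not be encrypted as the comment says. If encryption is intended,
# drop -nocrypt and make sure the scenario's secrets carry this (test-fixture)
# passphrase; otherwise the -v1/-passout options are dead.
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
# (same -nocrypt caveat as for carol above)
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -nocrypt -topk8  -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"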
180
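################################################################################
# Public Key Extraction                                                        #
################################################################################
# Raw (certificate-less) public keys for the *pubkey* scenarios. Each key is
# extracted once with `pki --pub` and then copied to every peer that needs it.

# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-pubkey scenario (ipsec.d layout keeps
# raw public keys in certs/)
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"

# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
cp "${TEST_PUB}" "${TEST}/hosts/sun/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw carol public key for the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Extract the raw dave public key for the swanctl/rw-pubkey-anon scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"

# Put a copy into the swanctl/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
cp "${TEST_PUB}" "${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey"
cp "${TEST_PUB}" "${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey"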
248
249 ################################################################################
250 # Host Certificate Generation                                                  #
251 ################################################################################
252
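#######################################
# Issue an end-entity certificate for a test host, signed by the Root CA.
# Globals:   DIR, IPSEC_DIR, SWANCTL_DIR, CA_DIR, CA_KEY, CA_CERT, CA_CDP,
#            PROJECT, START, EE_END (read);
#            HOST_DIR, HOST_KEY, HOST_CERT (written; deliberately left
#            global because the top-level code reuses these names)
# Arguments: $1 - serial number, also used as the file name under
#                 ${CA_DIR}/certs (the callers pass two hex digits)
#            $2 - host name; hosts/$2/etc/ipsec.d/private/$2Key.pem must
#                 already exist
#            $3 - subject CN, also used as the subjectAltName
#            $4 - optional OU, inserted into the DN in front of the CN
# Outputs:   hosts/$2/etc/ipsec.d/certs/$2Cert.pem, a copy named
#            ${CA_DIR}/certs/$1.pem and a copy in the host's swanctl x509/
#######################################
issue_cert()
{
  # Optional OU argument: build the ", OU=..." DN fragment only when given
  local ou=""
  if [ -n "${4}" ]
  then
    ou=" OU=${4},"
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${ou} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}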
276
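# Generate host certificates: issue_cert serial host cn [ou]
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

# Create PKCS#12 file for moon (key, certificate and Root CA, AES-128
# protected with a fixed test-fixture passphrase)
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/etc/ipsec.d/private/moonCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/etc/ipsec.d/private/sunCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
TEST="${TEST_DIR}/botan/net2net-pkcs12"
mkdir -p "${TEST}/hosts/moon/etc/swanctl/pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/etc/swanctl/pkcs12"
mkdir -p "${TEST}/hosts/sun/etc/swanctl/pkcs12"
cp "${SUN_PKCS12}"  "${TEST}/hosts/sun/etc/swanctl/pkcs12"

# Put a PKCS#12 copy into the openssl-ikev2/net2net-pkcs12 scenario
TEST="${TEST_DIR}/openssl-ikev2/net2net-pkcs12"
cp "${MOON_PKCS12}" "${TEST}/hosts/moon/etc/swanctl/pkcs12"
cp "${SUN_PKCS12}"  "${TEST}/hosts/sun/etc/swanctl/pkcs12"

# Generate a carol certificate for the swanctl/crl-to-cache scenario with base
# CDP (same key and serial 01 as carol's regular certificate; only the CDP
# differs)
TEST="${TEST_DIR}/swanctl/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Encrypt carolKey.pem in place (the ipsec.d copy only; the swanctl copy
# taken earlier stays unencrypted). KEY_PWD is a fixed test-fixture value.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 --passout "pass:${KEY_PWD}" -out "${HOST_KEY}" \
        2> /dev/null

# Put a copy (encrypted key plus carol's certificate, serial 01) into dave's
# directories of the ikev2/dynamic-initiator scenario
TEST="${TEST_DIR}/ikev2/dynamic-initiator"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the ikev1/dynamic-initiator scenario
TEST="${TEST_DIR}/ikev1/dynamic-initiator"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the ikev1/dynamic-responder scenario
TEST="${TEST_DIR}/ikev1/dynamic-responder"
cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"

# Put a copy into the swanctl/rw-cert scenario
TEST="${TEST_DIR}/swanctl/rw-cert"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"

# Generate another carol certificate (fresh key, serial 08) and revoke it
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
# Root CA CRL listing serial 08 as key-compromise. The copy in CA_LAST_CRL
# replaces the stale CRL made earlier (its copies were already distributed)
# and is the base the next CRL is chained onto with --lastcrl.
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "key-compromise" \
    --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Generate another carol certificate with SN=002 in the DN (serial 09; CN is
# still carol@strongswan.org from above)
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
SERIAL="09"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"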
391
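################################################################################
# Research CA Certificate Generation                                           #
################################################################################

# Generate a Research CA certificate (serial 0A) signed by the Root CA and
# revoke it; only the multi-level-ca-revoked scenario receives this one
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
# Chain onto the previous CRL (--lastcrl carries its entries forward) so the
# final strongswan.crl lists both the revoked carol certificate (08) and this
# CA certificate (0A); the intermediate file is no longer needed afterwards
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm "${CA_LAST_CRL}"

# Generate Research CA (serial 0B) with the same private key as above signed
# by Root CA; this is the certificate distributed to the scenarios below
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the multi-level-ca / OCSP scenarios that use
# the ipsec.d layout (scenario:host pairs, in the original order)
for s in ikev1/multi-level-ca:moon \
         ikev1/multi-level-ca-cr-init:carol \
         ikev1/multi-level-ca-cr-resp:carol \
         ikev2/multi-level-ca:moon \
         ikev2/multi-level-ca-ldap:moon \
         ikev2/multi-level-ca-cr-init:carol \
         ikev2/multi-level-ca-cr-resp:carol \
         ikev2/multi-level-ca-pathlen:moon \
         ikev2/multi-level-ca-strict:moon \
         ikev2/ocsp-multi-level:moon \
         ikev2/ocsp-strict-ifuri:moon
do
  TEST="${TEST_DIR}/${s%%:*}"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/${s##*:}/${IPSEC_DIR}/cacerts"
done

# ... and into the scenarios that use the swanctl layout
for s in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${s}"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done

# Generate Research CA with the same private key as above but invalid CDP,
# for the multi-level-ca-skipped scenario. SERIAL is still "0B", so this
# certificate shares issuer and serial with RESEARCH_CERT -- presumably
# intended since it is the same CA under an unreachable CDP, but confirm.
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"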
478
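################################################################################
# Sales CA Certificate Generation                                              #
################################################################################

# Generate Sales CA (serial 0C) signed by Root CA
SERIAL="0C"
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a certificate copy into the multi-level-ca / OCSP scenarios that use
# the ipsec.d layout (scenario:host pairs, in the original order; in the
# cr-init/cr-resp scenarios dave gets the Sales CA, carol the Research CA)
for s in ikev1/multi-level-ca:moon \
         ikev1/multi-level-ca-cr-init:dave \
         ikev1/multi-level-ca-cr-resp:dave \
         ikev2/multi-level-ca:moon \
         ikev2/multi-level-ca-ldap:moon \
         ikev2/multi-level-ca-cr-init:dave \
         ikev2/multi-level-ca-cr-resp:dave \
         ikev2/multi-level-ca-strict:moon \
         ikev2/ocsp-multi-level:moon \
         ikev2/ocsp-strict-ifuri:moon
do
  TEST="${TEST_DIR}/${s%%:*}"
  cp "${SALES_CERT}" "${TEST}/hosts/${s##*:}/${IPSEC_DIR}/cacerts"
done

# ... and into the scenarios that use the swanctl layout
for s in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${s}"
  cp "${SALES_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
done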
539
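# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
# (serial 0D). The key is encrypted in place after the certificate has been
# issued from it; KEY_PWD values here are fixed test-fixture passphrases.
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"
SERIAL="0D"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
    --digest sha224 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes128 --passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
        2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
# (serial 0E)
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"
SERIAL="0E"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
    --digest sha384 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes192 --passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
        2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
# (serial 0F)
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"
SERIAL="0F"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
    --digest sha512 --outform pem > "${TEST_CERT}"
openssl rsa -in "${TEST_KEY}" -aes256 --passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
        2> /dev/null
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate another carol certificate (serial 10) with an OCSP URI:
# --ocsp embeds CA_OCSP as the responder address
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the ikev2/ocsp-timeouts-good scenario
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# Put a copy into the swanctl/ocsp-signer-cert scenario
TEST="${TEST_DIR}/swanctl/ocsp-signer-cert"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"

# Put a copy into the swanctl/ocsp-disabled scenario
TEST="${TEST_DIR}/swanctl/ocsp-disabled"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"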
613
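# Generate an OCSP Signing certificate for the strongSwan Root CA
# (serial 11, --flag ocspSigning; key and certificate live in CA_DIR itself)
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate a self-signed OCSP Signing certificate (same CN as above, CA_END
# validity; no serial since it is not issued by the Root CA)
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --not-before "${START}" --not-after "${CA_END}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts"

# Generate mars virtual server certificate (serial 12, --flag serverAuth),
# first for moon in the ha/both-active scenario
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the mirrored gateway (alice shares the mars key and cert)
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/private"
mkdir -p "${TEST}/hosts/alice/${IPSEC_DIR}/certs"
cp "${TEST_KEY}"  "${TEST}/hosts/alice/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/alice/${IPSEC_DIR}/certs"

# Put a copy into the ha/active-passive and ikev2/redirect-active scenarios
for t in "ha/active-passive" "ikev2/redirect-active"
do
  TEST="${TEST_DIR}/${t}"
  for h in alice moon
  do
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
    cp "${TEST_KEY}"  "${TEST}/hosts/${h}/${IPSEC_DIR}/private"
    cp "${TEST_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/certs"
  done
done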
676
# winnetou server certificate (serial 13 under the Root CA).
# winnetou is the CA host itself (CA_DIR lives under hosts/winnetou), so its
# key pair is kept in the CA directory rather than in a scenario tree.
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
SERIAL="13"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${HOST_CERT}"
cp "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
688
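# AAA server certificate (serial 14 under the Root CA), presumably used by
# alice as RADIUS/EAP server in the TNC scenarios (it is also handed to the
# FreeRADIUS configuration at the end of this section).
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
SERIAL="14"
# The script is not guarded by 'set -e' in its header, so a failed cd must abort
# explicitly: otherwise the relative mkdir/cp below would create directories
# and drop the AAA private key into whatever the current directory happens to be.
cd "${TEST}/hosts/alice/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Same key pair for the other TNC scenarios with an AAA server on alice
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}" || exit 1
  mkdir -p rsa x509
  cp "${TEST_KEY}"  rsa
  cp "${TEST_CERT}" x509
done

# The FreeRADIUS server on alice uses the same key pair
cp "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"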
715
716 ################################################################################
717 # strongSwan Attribute Authority                                               #
718 ################################################################################
719
# Attribute Authority certificate (serial 15 under the Root CA).
# Issued as an ordinary end-entity certificate (no --ca, no --flag) but with
# the intermediate lifetime IM_END, since it signs the attribute certificates
# generated below. The AA private key is placed on moon, the gateway that
# presumably evaluates those attribute certificates.
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
CN="strongSwan Attribute Authority"
SERIAL="15"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${IM_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
732
# Attribute certificates for ikev2/acert-cached. The holder is identified by
# its end-entity certificate from the Root CA store; 01.pem and 02.pem are
# presumably carol's and dave's certificates issued earlier in this script.
ACERT_DIR="${TEST}/hosts/moon/${IPSEC_DIR}/acerts"

# carol: valid membership in sales and finance
ACERT="${ACERT_DIR}/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales --group finance \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"

# dave: sales membership that expired yesterday (SH_END)
ACERT="${ACERT_DIR}/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# dave: marketing membership valid from yesterday on; kept in ACERT_DM because
# the ikev2/acert-inline scenario further down reuses it
ACERT_DM="${ACERT_DIR}/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group marketing \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_DM}"
750
# ikev2/acert-fallback: same Attribute Authority key pair on moon
TEST="${TEST_DIR}/ikev2/acert-fallback"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# In this scenario carol's attribute certificates are stored on carol herself
# (presumably sent inline): a finance membership that expired yesterday ...
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# ... and a sales membership valid from yesterday on (ACERT_CS is reused below)
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"

# ikev2/acert-inline: AA key pair on moon, each client carries its own acert
TEST="${TEST_DIR}/ikev2/acert-inline"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}"  "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}"  "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
774
# "Legacy" Attribute Authority (serial 16 under the Root CA) whose certificate
# already expired yesterday (SH_END). TEST still points at ikev2/acert-inline,
# so this AA is installed on moon of that scenario.
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
SERIAL="16"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# dave's sales acert signed by the expired AA. The acert itself is within its
# validity period (START..EE_END); presumably the scenario checks that the
# verifier rejects it because of the issuer's expiry alone.
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"
792
793 ################################################################################
794 # strongSwan Root CA index for OCSP server                                     #
795 ################################################################################
796
# index.txt for the Root CA OCSP responder: instantiate the template's
# expiration and revocation placeholders with the timestamps computed at the
# top of the script. The substituted values are script-generated dates
# (digits, '.', ':', ' ' and 'Z' only, no '/' or '&'), so interpolating them
# into the sed script is safe here.
cp "${CA_DIR}/index.txt.template" "${CA_DIR}/index.txt"
sed -i \
    -e "s/EE_EXPIRATION/${EE_EXP}/g" \
    -e "s/IM_EXPIRATION/${IM_EXP}/g" \
    -e "s/SH_EXPIRATION/${SH_EXP}/g" \
    -e "s/REVOCATION/${NOW}/g" \
    "${CA_DIR}/index.txt"
803
804 ################################################################################
805 # Research CA                                                                  #
806 ################################################################################
807
# carol's certificate from the Research CA (serial 01 under that CA), first
# installed in ikev2/multi-level-ca. The CRL distribution point is the
# Research CA's own (RESEARCH_CDP), not the Root CA's.
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
820
# Replicate carol's Research CA key pair into every scenario that relies on
# it. IPSEC_DIR-based scenarios keep keys in private/ and certificates in
# certs/, SWANCTL_DIR-based ones in rsa/ and x509/.
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-loop \
         ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
         ikev2/multi-level-ca-strict ikev2/ocsp-multi-level \
         ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
         ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
done

for t in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done
885
# carol certificate without a CRL distribution point for ikev2/ocsp-strict-ifuri.
# NOTE(review): this reuses carol's key from above AND the Research CA serial
# "01" (still set from the previous certificate), so the Research CA has now
# issued two different certificates under one serial; only the first one was
# stored in ${RESEARCH_DIR}/certs. Left unchanged because the scenario's
# expectations may depend on it, but a real CA must never do this (RFC 5280
# requires serials to be unique per issuer).
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
894
# Delegated OCSP signing certificate for the Research CA (serial 02): unlike
# the self-signed responder certificate at the top of this file, this one is
# issued by the CA itself with the ocspSigning flag.
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
907
# Cross-certificate: the Sales CA's existing key (SALES_KEY) certified by the
# Research CA (serial 03, --ca), installed only on moon of the
# ikev2/multi-level-ca-loop scenario. Together with the Research-by-Sales
# certificate generated further down this creates a cycle in the CA graph;
# the scenario presumably checks that path construction terminates on it.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
SERIAL="03"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
917
918 ################################################################################
# Duck Research CA                                                             #
920 ################################################################################
921
# Duck Research CA: a second-level intermediate beneath the Research CA
# (serial 04, --ca, fresh key). No --pathlen is given on this certificate;
# the path-length test presumably relies on a constraint set higher up.
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${DUCK_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${DUCK_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${DUCK_CERT}"
cp "${DUCK_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# moon of ikev2/multi-level-ca-pathlen gets the Duck CA certificate
# (TEST stays set: carol's certificate below is generated in this scenario)
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
cp "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
934
# carol certificate issued by the Duck Research CA (serial 01 under that CA),
# i.e. a three-level chain Root -> Research -> Duck -> carol. No CDP is set.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${DUCK_KEY}" --cacert "${DUCK_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${DUCK_DIR}/certs/${SERIAL}.pem"

# index.txt for the Research OCSP responder (only the EE expiration placeholder
# exists in this template; the value is a script-generated timestamp)
cp "${RESEARCH_DIR}/index.txt.template" "${RESEARCH_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${RESEARCH_DIR}/index.txt"
950
951 ################################################################################
952 # Sales CA                                                                     #
953 ################################################################################
954
# dave's certificate from the Sales CA (serial 01 under that CA), first
# installed in ikev2/multi-level-ca; CDP is the Sales CA's own (SALES_CDP).
TEST="${TEST_DIR}/ikev2/multi-level-ca"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
967
# Replicate dave's Sales CA key pair into the scenarios that need it
# (IPSEC_DIR layout: private/ and certs/; SWANCTL_DIR layout: rsa/ and x509/).
for t in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
         ikev2/multi-level-ca-ldap ikev2/multi-level-ca-strict \
         ikev2/ocsp-multi-level \
         ikev1/multi-level-ca ikev1/multi-level-ca-cr-init \
         ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
done

for t in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${t}"
  cp "${TEST_KEY}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
done
1017
# dave certificate for ikev2/ocsp-strict-ifuri: no CDP, but an OCSP URI that
# points at a responder which is not running (ocsp2 on port 8882).
# NOTE(review): as with carol above, the Sales CA serial "01" and dave's key
# are reused here, so two distinct certificates share one serial under this
# issuer; only the first is in ${SALES_DIR}/certs. Kept for the scenario's
# sake, but not something a real CA may do (RFC 5280).
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
1026
# Delegated OCSP signing certificate for the Sales CA (serial 02), issued by
# the Sales CA itself with the ocspSigning flag.
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${SALES_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1039
# Cross-certificate in the other direction: the Research CA's existing key
# (RESEARCH_KEY) certified by the Sales CA (serial 03, --ca). With the
# Sales-by-Research certificate above this closes the CA loop used by
# ikev2/multi-level-ca-loop.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
SERIAL="03"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# index.txt for the Sales OCSP responder (script-generated timestamp only)
cp "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${SALES_DIR}/index.txt"
1053
1054 ################################################################################
1055 # strongSwan EC Root CA                                                        #
1056 ################################################################################
1057
# strongSwan EC Root CA: self-signed 521-bit ECDSA key with the CA lifetime.
pki --gen  --type ecdsa --size 521 --outform pem > "${ECDSA_KEY}"
pki --self --type ecdsa --in "${ECDSA_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
    --outform pem > "${ECDSA_CERT}"

# Trust anchor for all three hosts of openssl-ikev2/ecdsa-certs
# (TEST stays set: the EE certificates below are generated in this scenario)
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
for h in moon carol dave
do
  cp "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1070
# End-entity ECDSA certificates, one curve size per host (521/256/384 bit).
# NOTE(review): moon's OU reads "ECDSA 512 bit" although its key is 521-bit
# (--size 521). The OU is part of the issued subject DN, so the scenario's
# configured identities presumably match this exact string; do not "correct"
# it here without updating the scenario configuration as well.

# moon: 521-bit key (serial 01)
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# carol: 256-bit key (serial 02)
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${CAROL_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${CAROL_CERT}"
cp "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"

# dave: 384-bit key (serial 03)
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="03"
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${DAVE_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${DAVE_CERT}"
cp "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1106
# openssl-ikev2/ecdsa-pkcs8: same trust anchor and EE certificates; the private
# keys are not copied but converted to PKCS#8 in the next step.
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
for h in moon carol dave
do
  cp "${ECDSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
cp "${MOON_CERT}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${DAVE_CERT}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
1115
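# PKCS#8 variants of the ECDSA keys for openssl-ikev2/ecdsa-pkcs8.

# moon: plain, unencrypted PrivateKeyInfo
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
openssl pkcs8 -in "${MOON_KEY}" -topk8 -nocrypt -out "${TEST_KEY}"

# carol: PKCS#5 v1.5 PBE-MD5-DES encrypted PKCS#8 (a deliberately legacy PBE,
# presumably to exercise the parser). '-nocrypt' must NOT be passed here: with
# -topk8 it makes openssl write an unencrypted PrivateKeyInfo and silently
# ignore -v1/-v2 and -passout, so the "encrypted" keys would end up in the
# clear. The passphrases are test fixtures and have to match the secrets the
# scenario configures for these key files.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
openssl pkcs8 -in "${CAROL_KEY}" -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# dave: PKCS#5 v2.0 AES-128 encrypted PKCS#8
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
openssl pkcs8 -in "${DAVE_KEY}" -topk8 -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"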
1129
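# openssl-ikev1/ecdsa-certs: same ECDSA key pairs and trust anchor, installed
# with relative paths after changing into each host's swanctl directory.
# Every cd is checked (no 'set -e' in the script header): an unchecked cd
# failure would otherwise copy a private key into whatever the current
# working directory happens to be.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${MOON_KEY}"   ecdsa
cp "${MOON_CERT}"  x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/carol/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${CAROL_KEY}"  ecdsa
cp "${CAROL_CERT}" x509
cp "${ECDSA_CERT}" x509ca
cd "${TEST}/hosts/dave/${SWANCTL_DIR}" || exit 1
mkdir -p ecdsa x509 x509ca
cp "${DAVE_KEY}"   ecdsa
cp "${DAVE_CERT}"  x509
cp "${ECDSA_CERT}" x509ca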
1147
1148 ################################################################################
1149 # strongSwan RFC3779 Root CA                                                   #
1150 ################################################################################
1151
# strongSwan RFC3779 Root CA: self-signed RSA CA carrying IP address block
# extensions. Every address block of the end-entity certificates issued below
# lies within these ranges, as RFC 3779 path validation requires.
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${RFC3779_KEY}"
pki --self --type rsa --in "${RFC3779_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
    --addrblock "10.1.0.0-10.2.255.255" \
    --addrblock "10.3.0.1-10.3.3.232" \
    --addrblock "192.168.0.0/24" \
    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
    --outform pem > "${RFC3779_CERT}"
1162
# RFC3779 trust anchor for both gateways of ikev2/net2net-rfc3779 ...
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for h in moon sun
do
  mkdir -p "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${IPSEC_DIR}/cacerts"
done

# ... and for both clients of ipv6/rw-rfc3779-ikev2
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for h in carol dave
do
  mkdir -p "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1176
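# moon RFC3779 certificate (serial 01 under the RFC3779 Root CA). Its address
# blocks are subsets of the Root CA's, as RFC 3779 requires for a valid path.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Same key pair and trust anchor for moon in the ipv6 scenarios. The cd is
# checked (no 'set -e' in the script header) because the copies below use
# relative paths: an unchecked cd failure would drop the private key into the
# current working directory instead.
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
do
  cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}" || exit 1
  mkdir -p rsa x509 x509ca
  cp "${TEST_KEY}"     rsa
  cp "${TEST_CERT}"    x509
  cp "${RFC3779_CERT}" x509ca
done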
1203
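# sun RFC3779 certificate (serial 02), the peer gateway of moon; its address
# blocks are disjoint from moon's and again within the Root CA's ranges.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private" \
         "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Same key pair and trust anchor for sun in ipv6/net2net-rfc3779-ikev2.
# The cd is checked: the copies use relative paths and must not land in an
# unrelated directory if the scenario tree is missing.
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${TEST_KEY}"     rsa
cp "${TEST_CERT}"    x509
cp "${RFC3779_CERT}" x509ca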
1227
# carol RFC3779 certificate (serial 03) for ipv6/rw-rfc3779-ikev2: single-host
# address blocks only, all within the Root CA's ranges.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
    --addrblock "fec0::10/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
1244
# dave RFC3779 certificate (serial 04) for ipv6/rw-rfc3779-ikev2: single-host
# address blocks, distinct from carol's, all within the Root CA's ranges.
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
    --addrblock "fec0::20/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
1261
1262 ################################################################################
1263 # strongSwan SHA3-RSA Root CA                                                  #
1264 ################################################################################
1265
# strongSwan SHA3-RSA Root CA: RSA key, self-signature computed over SHA3-256.
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${SHA3_RSA_KEY}"
pki --self --type rsa --in "${SHA3_RSA_KEY}" --digest sha3_256 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --outform pem > "${SHA3_RSA_CERT}"

# Trust anchor for both gateways of swanctl/net2net-sha3-rsa-cert
# (TEST stays set: the sun/moon key pairs below are generated in this scenario)
TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
for h in moon sun
do
  cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca"
done
1277
# Gateway certificates signed with SHA3-256. '--digest sha3_256' is repeated
# on every --issue: the digest used for the CA's self-signature is presumably
# not inherited by the certificates it issues.

# sun (serial 01)
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SUN_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${SUN_CERT}"
cp "${SUN_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# moon (serial 02); MOON_KEY/MOON_CERT are reused by the scenarios below
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${MOON_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"
1301
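# Put a copy in the botan/net2net-sha3-rsa-cert scenario.
# The script does not use `set -e`, so a failed `cd` must abort explicitly:
# otherwise the following mkdir/cp would run in whatever the previous working
# directory was and scatter private keys outside the scenario tree.
# Note: the script does not change back; later sections use absolute paths.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp -- "${MOON_KEY}"      rsa
cp -- "${MOON_CERT}"     x509
cp -- "${SHA3_RSA_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp -- "${SUN_KEY}"       rsa
cp -- "${SUN_CERT}"      x509
cp -- "${SHA3_RSA_CERT}" x509ca

# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
# (moon reuses the net2net moon key/cert; carol and dave get the CA cert only,
# their own certificates are issued below)
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
cp -- "${MOON_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp -- "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp -- "${SHA3_RSA_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"

# Generate a carol SHA3-RSA certificate (serial 03, issued with SHA3-256)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"

# Generate a dave SHA3-RSA certificate (serial 04, issued with SHA3-256)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SHA3_RSA_KEY}" --cacert "${SHA3_RSA_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl "${SHA3_RSA_CDP}" --digest sha3_256 --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${SHA3_RSA_DIR}/certs/${SERIAL}.pem"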
1346
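################################################################################
# strongSwan Ed25519 Root CA                                                   #
################################################################################

# Generate strongSwan Ed25519 Root CA. The CA certificate carries both
# certificate policies (…36906.1.1.1 and …36906.1.1.2); the end-entity
# certificates issued below each get exactly one of them, which is what the
# rw-ed25519-certpol scenario exercises. All expansions are quoted (SC2086).
pki --gen  --type ed25519 --outform pem > "${ED25519_KEY}"
pki --self --type ed25519 --in "${ED25519_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > "${ED25519_CERT}"

# Put a copy in the swanctl/net2net-ed25519 scenario
TEST="${TEST_DIR}/swanctl/net2net-ed25519"
cp -- "${ED25519_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp -- "${ED25519_CERT}" "${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca"

# Generate a sun Ed25519 certificate (serial 01, policy .1.1.2, serverAuth).
# Ed25519 keys live in the scenario's pkcs8/ directory, not rsa/.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
pki --gen --type ed25519 --outform pem > "${SUN_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${SUN_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${SUN_CERT}"
cp -- "${SUN_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a moon Ed25519 certificate (serial 02, policy .1.1.1, serverAuth)
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
pki --gen --type ed25519 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${MOON_CERT}"
cp -- "${MOON_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"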
1390
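# Put a copy in the botan/net2net-ed25519 scenario.
# No `set -e` in this script, so abort explicitly if `cd` fails; otherwise the
# mkdir/cp below would run in the previous working directory and place private
# keys outside the intended scenario tree. The script never changes back;
# subsequent sections use absolute paths.
TEST="${TEST_DIR}/botan/net2net-ed25519"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp -- "${MOON_KEY}"     pkcs8
cp -- "${MOON_CERT}"    x509
cp -- "${ED25519_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp -- "${SUN_KEY}"      pkcs8
cp -- "${SUN_CERT}"     x509
cp -- "${ED25519_CERT}" x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario
# (legacy ipsec.d layout: private/, certs/, cacerts/)
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
cd "${TEST}/hosts/moon/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp -- "${MOON_KEY}"     private
cp -- "${MOON_CERT}"    certs
cp -- "${ED25519_CERT}" cacerts
cd "${TEST}/hosts/sun/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp -- "${SUN_KEY}"      private
cp -- "${SUN_CERT}"     certs
cp -- "${ED25519_CERT}" cacerts

# Put a copy in the swanctl/rw-ed25519-certpol scenario
# (moon reuses the net2net moon key/cert; carol and dave get the CA cert only)
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
cp -- "${MOON_KEY}"     "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp -- "${MOON_CERT}"    "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp -- "${ED25519_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp -- "${ED25519_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp -- "${ED25519_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"

# Generate a carol Ed25519 certificate (serial 03, policy .1.1.1, clientAuth)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"

# Generate a dave Ed25519 certificate (serial 04, policy .1.1.2, clientAuth)
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
pki --gen --type ed25519 --outform pem > "${TEST_KEY}"
pki --issue --cakey "${ED25519_KEY}" --cacert "${ED25519_CERT}" --type ed25519 \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
    --crl "${ED25519_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${ED25519_DIR}/certs/${SERIAL}.pem"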
1450
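################################################################################
# strongSwan Monster Root CA                                                   #
################################################################################

# Generate strongSwan Monster Root CA.
# Validity is fixed (2009-05-01 to 2059-05-01) instead of derived from START /
# CA_END so that the certificates deliberately reach past 19 January 2038,
# the 32-bit time_t limit the ikev2/after-2038-certs scenario is built for.
# Key sizes MONSTER_CA_RSA_SIZE / MONSTER_EE_RSA_SIZE are defined earlier.
pki --gen  --type rsa --size "${MONSTER_CA_RSA_SIZE}" --outform pem > "${MONSTER_KEY}"
pki --self --type rsa --in "${MONSTER_KEY}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --outform pem > "${MONSTER_CERT}"

# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
cp -- "${MONSTER_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"
cp -- "${MONSTER_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"

# Generate a moon Monster certificate (serial 01, valid 2009-05-01 to 2039-05-01).
# Only option arguments are passed to `pki --issue`; no stray positional
# arguments, which it is not documented to accept.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"

# Generate a carol Monster certificate (serial 02, same fixed validity)
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"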
1492
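################################################################################
# Bliss CA                                                                     #
################################################################################

# Generate BLISS Root CA with 192 bit security strength (BLISS --size 4).
# No --outform here: pki's default output (DER) is used, matching the .der
# filenames of the BLISS end-entity keys/certs below. The self-signature and
# the issued certificates use SHA3-512. All expansions are quoted (SC2086).
pki --gen  --type bliss --size 4 > "${BLISS_KEY}"
pki --self --type bliss --in "${BLISS_KEY}" --digest sha3_512 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > "${BLISS_CERT}"

# Put a copy in the ikev2/rw-newhope-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
cp -- "${BLISS_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${BLISS_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${BLISS_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca/"
cp -- "${BLISS_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/"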
1520
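# Generate a carol BLISS certificate with 128 bit security strength (BLISS I,
# --size 1, serial 01). Key and cert are generated into the ikev2/rw-newhope-bliss
# tree and then copied into the two other BLISS scenarios, so all three share
# the same end-entity key material. Expansions are quoted throughout (SC2086).
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
CN="carol@strongswan.org"
SERIAL="01"
pki --gen --type bliss --size 1 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${TEST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509/"

# Generate a dave BLISS certificate with 160 bit security strength (BLISS III,
# --size 3, serial 02)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
CN="dave@strongswan.org"
SERIAL="02"
pki --gen --type bliss --size 3 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${TEST_KEY}" "${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509/"

# Generate a moon BLISS certificate with 192 bit security strength (BLISS IV,
# --size 4, serial 03 — same parameter set as the root CA)
TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
CN="moon.strongswan.org"
SERIAL="03"
pki --gen --type bliss --size 4 > "${TEST_KEY}"
pki --issue --cakey "${BLISS_KEY}" --cacert "${BLISS_CERT}" --type bliss \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
    --crl "${BLISS_CDP}" --digest sha3_512 > "${TEST_CERT}"
cp -- "${TEST_CERT}" "${BLISS_DIR}/certs/${SERIAL}.der"

# Put a copy in the ikev2/rw-ntru-bliss scenario
TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
cp -- "${TEST_KEY}" "${TEST}/hosts/moon/${IPSEC_DIR}/private/"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/certs/"

# Put a copy in the swanctl/rw-ntru-bliss scenario
TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
cp -- "${TEST_KEY}" "${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/"
cp -- "${TEST_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509/"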