1 #!/bin/bash
2
# Announce what this script does: everything below (re)generates the test-only
# PKI material under testing/hosts/* and testing/tests/*.
printf '%s\n' "Building certificates"

# Disable leak detective when using pki as it produces warnings in tzset
LEAK_DETECTIVE_DISABLE=1
export LEAK_DETECTIVE_DISABLE
7
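# Determine testing directory: the parent of the directory holding this script.
# $0 is quoted and $(...) is used so a path with spaces does not split the
# command line.
DIR="$(dirname "$(readlink -f "$0")")/.."

# Define some global variables
PROJECT="strongSwan Project"
# Root CA material lives in the winnetou host tree (winnetou presumably serves
# the CRL/OCSP URIs below inside the test network).
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
# Distribution points embedded into issued certificates.  Plain http is
# appropriate for CRL/OCSP fetching: the CRLs and OCSP responses are signed,
# and an https CDP would make certificate validation depend on itself.
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
#
# Validity windows ("%d.%m.%y %T" is the format pki --not-before/--not-after
# accept; the "Z" variants are generalized-time style strings).  START is
# back-dated by two days, presumably to tolerate clock skew between the build
# machine and the test guests.
START=$(date  -d "-2 day"    "+%d.%m.%y %T")
SH_END=$(date -d "-1 day"    "+%d.%m.%y %T")    #  1 day  (already expired)
CA_END=$(date -d "+3651 day" "+%d.%m.%y %T")    # 10 years
IM_END=$(date -d "+3286 day" "+%d.%m.%y %T")    #  9 years
EE_END=$(date -d "+2920 day" "+%d.%m.%y %T")    #  8 years
SH_EXP=$(date -d "-1 day"    "+%y%m%d%H%M%SZ")  #  1 day  (already expired)
IM_EXP=$(date -d "+3286 day" "+%y%m%d%H%M%SZ")  #  9 years
EE_EXP=$(date -d "+2920 day" "+%y%m%d%H%M%SZ")  #  8 years
NOW=$(date "+%y%m%d%H%M%SZ")
#
# Intermediate and special-purpose CAs, each with its own key, certificate and
# CRL distribution point.
RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"
#
SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
#
ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
#
RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
#
SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
#
ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
#
# "monster" CA: oversized RSA keys to exercise large-key handling
MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"
#
# BLISS material is kept in DER, unlike the PEM used everywhere else
BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
#
# Default RSA modulus size for all regular CA and host keys
RSA_SIZE="3072"
# Per-host config trees (relative to hosts/<host>/): legacy ipsec.d, swanctl
# and the TKM scenarios' etc/tkm
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
# Test hosts that receive a key, a certificate and the Root CA certificate
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"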
84
85 # Create directories
# Create the certs/ subdirectory of the Root CA and of every sub-CA/test CA
# (this is where issued certificates are filed by serial number)
for ca_root in "${CA_DIR}" "${RESEARCH_DIR}" "${SALES_DIR}" "${DUCK_DIR}" \
               "${ECDSA_DIR}" "${RFC3779_DIR}" "${SHA3_RSA_DIR}" \
               "${ED25519_DIR}" "${MONSTER_DIR}" "${BLISS_DIR}"; do
  mkdir -p "${ca_root}/certs"
done
96
97 ################################################################################
98 # strongSwan Root CA                                                           #
99 ################################################################################
100
# Generate strongSwan Root CA: a fresh RSA key and a self-signed CA certificate
# with pathLenConstraint=1, i.e. at most one intermediate CA level below it.
# The key file is created through shell redirection, so its mode follows the
# caller's umask -- fine for throw-away test fixtures, not for a real CA.
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${CA_KEY}"
pki --self --type rsa --in "${CA_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > "${CA_CERT}"
106
# Distribute the Root CA certificate into both trust stores of every test host
# (legacy ipsec.d/cacerts and swanctl x509ca) and onto the alice FreeRADIUS
# server.
for host in ${HOSTS}; do
  for store in "${IPSEC_DIR}/cacerts" "${SWANCTL_DIR}/x509ca"; do
    cp "${CA_CERT}" "${DIR}/hosts/${host}/${store}"
  done
done
cp "${CA_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"
117
# Generate a stale CRL: thisUpdate is START (two days ago) with a lifetime of
# one day, so the CRL is already expired when the scenarios run.  It is signed
# with the Root CA key and used to exercise stale-CRL handling.
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --this-update "${START}" --lifetime 1 > "${CA_LAST_CRL}"

# The ikev2/crl-ldap scenario installs it on both peers as stale.crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
for peer in carol moon; do
  cp "${CA_LAST_CRL}" "${TEST}/hosts/${peer}/${IPSEC_DIR}/crls/stale.crl"
done
126
# Generate one RSA private key per test host in the legacy tree and mirror it
# into the swanctl tree (later conversions and public-key extractions read the
# swanctl copy).
for host in ${HOSTS}; do
  host_key="${DIR}/hosts/${host}/${IPSEC_DIR}/private/${host}Key.pem"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${host_key}"
  cp "${host_key}" "${DIR}/hosts/${host}/${SWANCTL_DIR}/rsa"
done
137
138 # Convert moon private key and Root CA certificate into DER format
139 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
140          net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
141 do
142   HOST_KEY=${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem
143   TEST="${TEST_DIR}/tkm/${t}"
144   TEST_KEY=${TEST}/hosts/moon/${TKM_DIR}/moonKey.der
145   TEST_CERT=${TEST}/hosts/moon/${TKM_DIR}/strongswanCert.der
146   openssl rsa -in ${HOST_KEY} -outform der -out ${TEST_KEY} 2> /dev/null
147   openssl x509 -in ${CA_CERT} -outform der -out ${TEST_CERT}
148 done
149
150 # Convert sun private key and Root CA certificate into DER format
151 for t in multiple-clients
152 do
153   HOST_KEY=${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem
154   TEST="${TEST_DIR}/tkm/${t}"
155   TEST_KEY=${TEST}/hosts/sun/${TKM_DIR}/sunKey.der
156   TEST_CERT=${TEST}/hosts/sun/${TKM_DIR}/strongswanCert.der
157   openssl rsa -in ${HOST_KEY} -outform der -out ${TEST_KEY} 2> /dev/null
158   openssl x509 -in ${CA_CERT} -outform der -out ${TEST_CERT}
159 done
160
161 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
162 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
163          net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
164 do
165   TEST="${TEST_DIR}/tkm/${t}"
166   mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
167   cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
168 done
169
170 # Put DER_encoded sun private key and Root CA certificate into tkm scenarios
171 for t in multiple-clients
172 do
173   TEST="${TEST_DIR}/tkm/${t}"
174   mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
175   cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
176 done
177
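# Convert moon private key into unencrypted PKCS#8 (PrivateKeyInfo) format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -topk8 -nocrypt -out "${TEST_KEY}"

# Convert carol private key into PBES1 (v1) MD5/DES encrypted PKCS#8 format.
# NOTE(review): together with -topk8, openssl's -nocrypt writes an unencrypted
# PrivateKeyInfo and ignores -v1/-passout, so the earlier command line did not
# produce the encrypted key this comment describes.  -nocrypt was removed; the
# output should now start with "BEGIN ENCRYPTED PRIVATE KEY" -- verify that the
# scenario's secrets supply this passphrase.  PBE-MD5-DES is deliberately weak
# legacy PBES1, presumably kept only to test that it can still be parsed.
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -topk8 -v1 PBE-MD5-DES \
              -passout "pass:nH5ZQEWtku0RJEZ6" -out "${TEST_KEY}"

# Convert dave private key into PBES2 (v2) AES-128 encrypted PKCS#8 format
# (same -nocrypt removal as for carol above).  The passphrase is a fixed test
# value passed on the command line; acceptable only for fixtures.
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
openssl pkcs8 -in "${HOST_KEY}" -topk8 -v2 aes128 \
              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out "${TEST_KEY}"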
195
196 ################################################################################
197 # Public Key Extraction                                                        #
198 ################################################################################
199
# Extract moon's raw public key (PEM) once, then fan it out to every scenario
# that authenticates moon by raw public key instead of by certificate.
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# scenario:host pairs whose swanctl pubkey/ store receives a copy
for target in swanctl/net2net-pubkey:sun \
              swanctl/rw-dnssec:moon \
              swanctl/rw-pubkey-anon:moon swanctl/rw-pubkey-anon:carol swanctl/rw-pubkey-anon:dave \
              swanctl/rw-pubkey-keyid:moon swanctl/rw-pubkey-keyid:carol swanctl/rw-pubkey-keyid:dave
do
  cp "${TEST_PUB}" "${TEST_DIR}/${target%%:*}/hosts/${target##*:}/${SWANCTL_DIR}/pubkey"
done

# scenario:host pairs whose legacy ipsec.d/certs store receives a copy
for target in ikev2/net2net-dnssec:moon \
              ikev2/net2net-pubkey:moon ikev2/net2net-pubkey:sun \
              ikev2/rw-dnssec:moon
do
  cp "${TEST_PUB}" "${TEST_DIR}/${target%%:*}/hosts/${target##*:}/${IPSEC_DIR}/certs"
done
235
# Extract sun's raw public key (PEM) and distribute it to the pubkey scenarios
TEST="${TEST_DIR}/swanctl/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

# swanctl pubkey/ stores
for target in swanctl/net2net-pubkey:moon swanctl/rw-pubkey-anon:moon; do
  cp "${TEST_PUB}" "${TEST_DIR}/${target%%:*}/hosts/${target##*:}/${SWANCTL_DIR}/pubkey"
done

# legacy ipsec.d/certs stores
for target in ikev2/net2net-dnssec:sun ikev2/net2net-pubkey:moon ikev2/net2net-pubkey:sun; do
  cp "${TEST_PUB}" "${TEST_DIR}/${target%%:*}/hosts/${target##*:}/${IPSEC_DIR}/certs"
done
255
# Extract carol's raw public key (PEM) for the swanctl/rw-dnssec scenario and
# copy it to the scenarios where carol or moon need it in their pubkey/ store
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

for target in swanctl/rw-pubkey-anon:carol swanctl/rw-pubkey-anon:moon \
              swanctl/rw-pubkey-keyid:carol swanctl/rw-pubkey-keyid:moon
do
  cp "${TEST_PUB}" "${TEST_DIR}/${target%%:*}/hosts/${target##*:}/${SWANCTL_DIR}/pubkey"
done
271
# Extract dave's raw public key (PEM) for the swanctl/rw-dnssec scenario and
# copy it to the scenarios where dave or moon need it in their pubkey/ store
TEST="${TEST_DIR}/swanctl/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
pki --pub --type rsa --in "${HOST_KEY}" --outform pem > "${TEST_PUB}"

for target in swanctl/rw-pubkey-anon:dave swanctl/rw-pubkey-anon:moon \
              swanctl/rw-pubkey-keyid:dave swanctl/rw-pubkey-keyid:moon
do
  cp "${TEST_PUB}" "${TEST_DIR}/${target%%:*}/hosts/${target##*:}/${SWANCTL_DIR}/pubkey"
done
287
288 ################################################################################
289 # Host Certificate Generation                                                  #
290 ################################################################################
291
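# function issue_cert: serial host cn [ou]
#
# Issue an end-entity certificate for test host $2 from the strongSwan Root CA.
#   $1  serial number (hex, as the callers use 01..07)
#   $2  host name; selects hosts/<host>/ and the key <host>Key.pem in it
#   $3  subject CN, also used as the subjectAltName
#   $4  optional OU inserted into the subject DN
# Reads the host key from the legacy tree and writes <host>Cert.pem next to it,
# files a copy as ${CA_DIR}/certs/<serial>.pem (later steps copy from there,
# e.g. certs/01.pem) and mirrors the certificate into the swanctl tree.  The
# certificate carries the Root CA CRL distribution point and is valid from
# START to EE_END.
# Side effect: OU, HOST_DIR, HOST_KEY and HOST_CERT are plain globals and stay
# set after the call (unchanged from the original; later code reassigns them
# before use).  All expansions are quoted so paths with spaces cannot split.
issue_cert()
{
  # Optional OU argument: when given it becomes ", OU=<ou>" inside the DN
  if [ -z "${4}" ]
  then
    OU=""
  else
    OU=" OU=${4},"
  fi

  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${3}" \
      --serial "${1}" --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > "${HOST_CERT}"
  cp "${HOST_CERT}" "${CA_DIR}/certs/${1}.pem"

  # Put a certificate copy into swanctl directory tree
  cp "${HOST_CERT}" "${HOST_DIR}/${SWANCTL_DIR}/x509"
}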
315
# Issue the seven standard host certificates from a (serial host CN [OU])
# table: e-mail-style CNs carry a department OU, FQDN-style CNs do not.
# ${ou} is deliberately unquoted so an empty field passes no fourth argument.
while read -r serial host cn ou; do
  issue_cert "${serial}" "${host}" "${cn}" ${ou}
done <<'EOF'
01 carol carol@strongswan.org Research
02 dave  dave@strongswan.org  Accounting
03 moon  moon.strongswan.org
04 sun   sun.strongswan.org
05 alice alice@strongswan.org Sales
06 venus venus.strongswan.org
07 bob   bob@strongswan.org   Research
EOF
324
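# Create PKCS#12 bundles (host key + host certificate + Root CA certificate)
# for moon and sun.  Only the private-key cipher is pinned (-aes128); the
# certificate-bag cipher and the MAC are left at openssl's defaults and thus
# vary with the openssl version that built the fixtures.  The passphrases are
# fixed test values handed over on the command line (visible in ps), which is
# acceptable only because nothing here is a real secret.  stderr is silenced as
# elsewhere in this script; a failed export leaves an empty .p12 behind.
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"

HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/etc/ipsec.d/private/moonCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "moon" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > "${MOON_PKCS12}" 2> /dev/null

HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/etc/ipsec.d/private/sunCert.p12"
openssl pkcs12 -export -inkey "${HOST_KEY}" -in "${HOST_CERT}" -name "sun" \
        -certfile "${CA_CERT}" -caname "strongSwan Root CA" \
        -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > "${SUN_PKCS12}" 2> /dev/null

# Put copies into the swanctl pkcs12/ stores of the botan and openssl-ikev2
# net2net-pkcs12 scenarios.  The target directories are created for both
# scenarios (previously only the botan one was), so a missing directory in a
# fresh checkout no longer makes the copy fail silently.
for scenario in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
do
  TEST="${TEST_DIR}/${scenario}"
  mkdir -p "${TEST}/hosts/moon/etc/swanctl/pkcs12" "${TEST}/hosts/sun/etc/swanctl/pkcs12"
  cp "${MOON_PKCS12}" "${TEST}/hosts/moon/etc/swanctl/pkcs12"
  cp "${SUN_PKCS12}"  "${TEST}/hosts/sun/etc/swanctl/pkcs12"
done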
353
354 ################################################################################
355 # DNSSEC Zone Files                                                            #
356 ################################################################################
357
# Emit DNS records for inclusion in the strongswan.org zone file:
#  - CERT RRs for moon and sun holding the base64 certificate body
#    ("( 1 0 0" = type PKIX, key tag 0, algorithm 0 per RFC 4398)
#  - IPSECKEY RRs for moon, sun, carol and dave holding the public key
#    ("( 10 3 2" = precedence 10, gateway type 3 (domain name),
#    algorithm 2 (RSA) per RFC 4025)
# Continuation lines are indented with four tabs as the original did.
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
printf '%s\n' "; Automatically generated for inclusion in zone file" > "${ZONE_FILE}"

for host in moon sun; do
  HOST_CERT="${DIR}/hosts/${host}/${SWANCTL_DIR}/x509/${host}Cert.pem"
  # strip the PEM armour lines and indent the base64 body
  cert_body=$(grep -v '^-----' "${HOST_CERT}" | sed -e 's/^/\t\t\t\t/')
  printf '%s\tIN\tCERT\t( 1 0 0\n%s\n\t\t\t\t)\n' "${host}" "${cert_body}" >> "${ZONE_FILE}"
done

printf '%s\n' ";" >> "${ZONE_FILE}"
for host in moon sun carol dave; do
  HOST_CERT="${DIR}/hosts/${host}/${SWANCTL_DIR}/x509/${host}Cert.pem"
  # dnskey output is a single base64 line; wrap it at 64 columns and indent
  wrapped_key=$(pki --pub --type x509 --in "${HOST_CERT}" --outform dnskey \
                | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  printf '%s\tIN\tIPSECKEY\t( 10 3 2 %s.strongswan.org.\n%s\n\t\t\t\t)\n' \
         "${host}" "${host}" "${wrapped_key}" >> "${ZONE_FILE}"
done
376
# Issue carol and moon certificates for the swanctl/crl-to-cache scenario that
# point at the *base* CRL distribution point instead of the regular one.  They
# reuse the hosts' existing keys and the serials of the standard certificates
# (01 and 03), so only the CDP differs.
# NOTE(review): this means the Root CA has issued two distinct certificates
# with the same serial (RFC 5280 requires issuer+serial to be unique).
# Presumably deliberate so revocation data lines up with the standard
# certificates; if not, give these fresh serials.
TEST="${TEST_DIR}/swanctl/crl-to-cache"
for peer in carol moon; do
  case "${peer}" in
    carol) serial="01"; CN="carol@strongswan.org"; dn_ou="OU=Research, " ;;
    moon)  serial="03"; CN="moon.strongswan.org";  dn_ou="" ;;
  esac
  HOST_KEY="${DIR}/hosts/${peer}/${SWANCTL_DIR}/rsa/${peer}Key.pem"
  TEST_CERT="${TEST}/hosts/${peer}/${SWANCTL_DIR}/x509/${peer}Cert.pem"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_BASE_CDP}" --type rsa \
      --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
      --serial "${serial}" --dn "C=CH, O=${PROJECT}, ${dn_ou}CN=${CN}" \
      --outform pem > "${TEST_CERT}"
done
395
# Encrypt carol's legacy-tree private key in place (AES-128, fixed test
# passphrase on the command line).  The swanctl copy made earlier is not
# touched here and stays unencrypted.
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in "${HOST_KEY}" -aes128 --passout "pass:${KEY_PWD}" -out "${HOST_KEY}" \
        2> /dev/null

# The dynamic-initiator/-responder scenarios give dave carol's encrypted key
# together with carol's standard certificate (serial 01)
for scenario in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder; do
  TEST="${TEST_DIR}/${scenario}"
  cp "${HOST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${CA_DIR}/certs/01.pem" "${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem"
done

# swanctl/rw-cert uses the encrypted key for carol herself
TEST="${TEST_DIR}/swanctl/rw-cert"
cp "${HOST_KEY}" "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
420
# Issue a second carol certificate (serial 08) on a fresh key and revoke it
# with reason key-compromise.  The resulting CRL becomes both the current CRL
# and the "last" CRL that the next --signcrl run chains onto via --lastcrl.
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="08"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" \
    --reason "key-compromise" --serial "${SERIAL}" > "${CA_CRL}"
cp "${CA_CRL}" "${CA_LAST_CRL}"

# The same revoked key and certificate serve the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
441
# Issue a third carol certificate (serial 09) on yet another fresh key, with a
# serialNumber (SN=002) attribute in the subject DN, for the two-certs scenario
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
CN="carol@strongswan.org"
SERIAL="09"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
453
454 ################################################################################
455 # Research CA Certificate Generation                                           #
456 ################################################################################
457
# Issue a Research CA certificate (serial 0A) from the Root CA and revoke it
# with reason ca-compromise.  The new CRL is built on top of the previous one
# (--lastcrl, which presumably carries the earlier entries forward), after
# which the "last CRL" file is removed.  The Research key itself is kept: the
# certificate used by the regular scenarios is re-issued from it next.
TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
SERIAL="0A"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${RESEARCH_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
pki --signcrl --cakey "${CA_KEY}" --cacert "${CA_CERT}" --reason "ca-compromise" \
    --serial "${SERIAL}" --lastcrl "${CA_LAST_CRL}" > "${CA_CRL}"
rm "${CA_LAST_CRL}"
471
# Re-issue the Research CA (serial 0B) from the same private key; this is the
# non-revoked intermediate that the multi-level scenarios trust.
SERIAL="0B"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${RESEARCH_CERT}"
cp "${RESEARCH_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
479
# Install the Research CA certificate in every scenario that needs it, given
# as scenario:host pairs.  Legacy scenarios use ipsec.d/cacerts, swanctl
# scenarios use swanctl/x509ca.
for target in ikev1/multi-level-ca:moon \
              ikev1/multi-level-ca-cr-init:carol \
              ikev1/multi-level-ca-cr-resp:carol \
              ikev2/multi-level-ca:moon \
              ikev2/multi-level-ca-ldap:moon \
              ikev2/multi-level-ca-cr-init:carol \
              ikev2/multi-level-ca-cr-resp:carol \
              ikev2/multi-level-ca-pathlen:moon \
              ikev2/multi-level-ca-strict:moon \
              ikev2/ocsp-multi-level:moon \
              ikev2/ocsp-strict-ifuri:moon
do
  TEST="${TEST_DIR}/${target%%:*}"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/${target##*:}/${IPSEC_DIR}/cacerts"
done

for target in swanctl/multi-level-ca:moon \
              swanctl/ocsp-multi-level:moon
do
  TEST="${TEST_DIR}/${target%%:*}"
  cp "${RESEARCH_CERT}" "${TEST}/hosts/${target##*:}/${SWANCTL_DIR}/x509ca"
done
531
# Issue one more Research CA certificate from the same private key whose CRL
# distribution point does not exist, for the multi-level-ca-skipped scenario.
# NOTE(review): it is issued under ${SERIAL}, still "0B" from the previous
# step, so the Root CA now has two different certificates with serial 0B
# (RFC 5280 requires issuer+serial to be unique).  If the reuse is deliberate
# (same revocation identity as the real Research CA), say so here; otherwise
# use a fresh serial.
TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > "${TEST_CERT}"
540
541 ################################################################################
542 # Sales CA Certificate Generation                                              #
543 ################################################################################
544
# Generate the Sales CA (serial 0C): fresh key, intermediate CA certificate
# signed by the Root CA, filed under certs/0C.pem
SERIAL="0C"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${SALES_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > "${SALES_CERT}"
cp "${SALES_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
553
# Install the Sales CA certificate in every scenario that needs it, given as
# scenario:host pairs (legacy ipsec.d/cacerts vs. swanctl/x509ca stores)
for target in ikev1/multi-level-ca:moon \
              ikev1/multi-level-ca-cr-init:dave \
              ikev1/multi-level-ca-cr-resp:dave \
              ikev2/multi-level-ca:moon \
              ikev2/multi-level-ca-ldap:moon \
              ikev2/multi-level-ca-cr-init:dave \
              ikev2/multi-level-ca-cr-resp:dave \
              ikev2/multi-level-ca-strict:moon \
              ikev2/ocsp-multi-level:moon \
              ikev2/ocsp-strict-ifuri:moon
do
  TEST="${TEST_DIR}/${target%%:*}"
  cp "${SALES_CERT}" "${TEST}/hosts/${target##*:}/${IPSEC_DIR}/cacerts"
done

for target in swanctl/multi-level-ca:moon \
              swanctl/ocsp-multi-level:moon
do
  TEST="${TEST_DIR}/${target%%:*}"
  cp "${SALES_CERT}" "${TEST}/hosts/${target##*:}/${SWANCTL_DIR}/x509ca"
done
601
# strong-keys-certs scenario: for moon, carol and dave issue a certificate
# signed with a stronger digest and encrypt the matching key with a larger AES
# key, from the table (host key-cipher digest serial CN passphrase).
# File names and the OU follow the cipher/digest (e.g. moonKey-aes128.pem,
# moonCert-sha224.pem, OU=SHA-224).  Passphrases are fixed test values.
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
while read -r host cipher digest serial cn passphrase; do
  TEST_KEY="${TEST}/hosts/${host}/${IPSEC_DIR}/private/${host}Key-${cipher}.pem"
  TEST_CERT="${TEST}/hosts/${host}/${IPSEC_DIR}/certs/${host}Cert-${digest}.pem"
  KEY_PWD="${passphrase}"
  CN="${cn}"
  SERIAL="${serial}"
  pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
  pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
      --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
      --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=SHA-${digest#sha}, CN=${CN}" \
      --digest "${digest}" --outform pem > "${TEST_CERT}"
  # encrypt the key in place once the certificate has been issued from it
  openssl rsa -in "${TEST_KEY}" "-${cipher}" --passout "pass:${KEY_PWD}" -out "${TEST_KEY}" \
          2> /dev/null
  cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
done <<'EOF'
moon  aes128 sha224 0D moon.strongswan.org  gOQHdrSWeFuiZtYPetWuyzHW
carol aes192 sha384 0E carol@strongswan.org ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA
dave  aes256 sha512 0F dave@strongswan.org  MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v
EOF
647
# Issue a carol certificate (serial 10) that carries the Root CA's OCSP URI in
# its AIA extension, for the ocsp-signer-cert scenario, then reuse key and
# certificate in the other OCSP scenarios listed below.
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp "${CA_OCSP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# legacy tree: ikev2/ocsp-timeouts-good
TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"

# swanctl tree: swanctl/ocsp-signer-cert and swanctl/ocsp-disabled
for scenario in swanctl/ocsp-signer-cert swanctl/ocsp-disabled; do
  TEST="${TEST_DIR}/${scenario}"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done
675
# Generate the OCSP signing certificate of the strongSwan Root CA: an end-entity
# certificate with the ocspSigning extended key usage (delegated responder,
# RFC 6960 section 4.2.2.2), so the responder signs with its own key instead
# of the CA key
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
688
# Generate a self-signed OCSP signing certificate (CN is still
# ocsp.strongswan.org from the section above). It is not issued by any CA, so
# it is only trusted where it is installed explicitly as a local OCSP
# certificate -- the ocspcerts directories filled below.
OU="OCSP Self-Signed Authority"
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --self --type rsa --in "${TEST_KEY}" --flag ocspSigning \
    --not-before "${START}" --not-after "${CA_END}" --san "${CN}" \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"

# Install it on both peers of the ikev2/ocsp-local-cert scenario
TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
for peer in carol moon
do
  cp "${TEST_CERT}" "${TEST}/hosts/${peer}/${IPSEC_DIR}/ocspcerts"
done
703
# Generate the mars virtual server certificate. "mars" is the virtual identity
# presented by an HA gateway cluster, so a single key pair is created once (on
# moon in ha/both-active) and then installed on every node of each cluster.
TEST="${TEST_DIR}/ha/both-active"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Distribute the shared key pair: alice mirrors moon in ha/both-active (moon
# already holds the original), and both alice and moon get a copy in
# ha/active-passive and ikev2/redirect-active. Sharing one private key between
# hosts is deliberate here and specific to these HA / redirect setups.
for scenario in ha/both-active ha/active-passive ikev2/redirect-active
do
  TEST="${TEST_DIR}/${scenario}"
  for node in alice moon
  do
    if [ "${scenario}" = "ha/both-active" ] && [ "${node}" = "moon" ]; then
      continue
    fi
    mkdir -p "${TEST}/hosts/${node}/${IPSEC_DIR}/private" \
             "${TEST}/hosts/${node}/${IPSEC_DIR}/certs"
    cp "${TEST_KEY}"  "${TEST}/hosts/${node}/${IPSEC_DIR}/private"
    cp "${TEST_CERT}" "${TEST}/hosts/${node}/${IPSEC_DIR}/certs"
  done
done
738
# Generate the winnetou server certificate. winnetou is the host that carries
# the CA tree (CA_DIR lives under hosts/winnetou), and its key and certificate
# are stored there alongside the CA material rather than in a scenario.
CN="winnetou.strongswan.org"
SERIAL="13"
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${HOST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${HOST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${HOST_CERT}"
cp "${HOST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
750
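# Generate the AAA server certificate (serverAuth, issued by the Root CA) used
# by the TNC scenarios on alice
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
SERIAL="14"
# Create the target directories by absolute path instead of cd'ing into the
# scenario: this script does not run under set -e, so a failed cd would leave
# the relative mkdir/cp below operating in the previous working directory and
# silently drop key material there.
mkdir -p "${TEST}/hosts/alice/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/alice/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Put a copy into the other tnc scenarios that run the AAA server on alice
for scenario in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
  alice_dir="${TEST_DIR}/tnc/${scenario}/hosts/alice/${SWANCTL_DIR}"
  mkdir -p "${alice_dir}/rsa" "${alice_dir}/x509"
  cp "${TEST_KEY}"  "${alice_dir}/rsa"
  cp "${TEST_CERT}" "${alice_dir}/x509"
done

# The FreeRADIUS server on alice uses the same key pair
cp "${TEST_KEY}" "${TEST_CERT}" "${DIR}/hosts/alice/etc/raddb/certs"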
777
778 ################################################################################
779 # strongSwan Attribute Authority                                               #
780 ################################################################################
781
# Generate the strongSwan Attribute Authority certificate. It is an ordinary
# end-entity certificate (no --ca, no key usage flag, no SAN) issued with the
# intermediate lifetime IM_END; its key signs the attribute certificates below.
TEST="${TEST_DIR}/ikev2/acert-cached"
CN="strongSwan Attribute Authority"
SERIAL="15"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${IM_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"
794
# Attribute certificates for the ikev2/acert-cached scenario, signed with the
# AA key above. The holder is identified by its Root CA certificate: 01.pem is
# carol's, 02.pem is dave's (both generated earlier in this script).
ACERT_DIR="${TEST}/hosts/moon/${IPSEC_DIR}/acerts"

# carol: groups sales and finance, valid
ACERT="${ACERT_DIR}/carol-sales-finance.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales --group finance \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"

# dave: group sales, already expired (notAfter = SH_END = yesterday)
ACERT="${ACERT_DIR}/dave-sales-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# dave: group marketing, valid since yesterday; kept in ACERT_DM because the
# acert-inline scenario further down reuses it
ACERT_DM="${ACERT_DIR}/dave-marketing.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group marketing \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_DM}"
812
# ikev2/acert-fallback: moon acts as the AA, carol holds one expired and one
# valid attribute certificate (presumably so the fallback to the valid one
# gets exercised)
TEST="${TEST_DIR}/ikev2/acert-fallback"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"

# carol: group finance, expired yesterday
ACERT="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem > "${ACERT}"

# carol: group sales, valid since yesterday; kept in ACERT_CS for acert-inline
ACERT_CS="${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/01.pem" --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > "${ACERT_CS}"

# ikev2/acert-inline: moon is the AA again, and the clients carry their own
# attribute certificates (carol: sales, dave: marketing)
TEST="${TEST_DIR}/ikev2/acert-inline"
cp "${TEST_KEY}"  "${TEST}/hosts/moon/${IPSEC_DIR}/private"
cp "${TEST_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/aacerts"
cp "${ACERT_CS}"  "${TEST}/hosts/carol/${IPSEC_DIR}/acerts"
cp "${ACERT_DM}"  "${TEST}/hosts/dave/${IPSEC_DIR}/acerts"
836
# Generate a short-lived "legacy" Attribute Authority certificate that has
# already expired (notAfter = SH_END = yesterday). TEST still points at
# ikev2/acert-inline.
CN="strongSwan Legacy AA"
SERIAL="16"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${CA_KEY}" --cacert "${CA_CERT}" --crl "${CA_CDP}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${SH_END}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${CA_DIR}/certs/${SERIAL}.pem"

# Generate dave's attribute certificate for sales signed by the expired AA: the
# attribute certificate itself is within its validity period, only its issuer
# is not (presumably the scenario expects it to be rejected on that ground)
ACERT="${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem"
pki --acert --issuerkey "${TEST_KEY}" --issuercert "${TEST_CERT}" \
    --in "${CA_DIR}/certs/02.pem" --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > "${ACERT}"
854
855 ################################################################################
856 # strongSwan Root CA index for OCSP server                                     #
857 ################################################################################
858
# Generate the index.txt of the Root OCSP server from its template. The
# template carries symbolic placeholders for the expiration and revocation
# timestamps; they are replaced by the values computed at the top of this
# script (all in %y%m%d%H%M%SZ form, hence free of sed metacharacters).
cp "${CA_DIR}/index.txt.template" "${CA_DIR}/index.txt"
sed -i \
    -e "s/EE_EXPIRATION/${EE_EXP}/g" \
    -e "s/IM_EXPIRATION/${IM_EXP}/g" \
    -e "s/SH_EXPIRATION/${SH_EXP}/g" \
    -e "s/REVOCATION/${NOW}/g" \
    "${CA_DIR}/index.txt"
865
866 ################################################################################
867 # Research CA                                                                  #
868 ################################################################################
869
# Generate carol's Research CA certificate (with the Research CRL as its
# distribution point) for the multi-level CA scenarios
TEST="${TEST_DIR}/ikev2/multi-level-ca"
CN="carol@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
882
# Put a copy of carol's Research key and certificate into every scenario that
# uses the multi-level CA hierarchy. ikev1/ and ikev2/ scenarios use the legacy
# ipsec.d layout (private/, certs/), swanctl/ scenarios the swanctl layout
# (rsa/, x509/).
for scenario in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
                ikev2/multi-level-ca-ldap    ikev2/multi-level-ca-loop \
                ikev2/multi-level-ca-revoked ikev2/multi-level-ca-skipped \
                ikev2/multi-level-ca-strict  ikev2/ocsp-multi-level \
                ikev1/multi-level-ca         ikev1/multi-level-ca-cr-init \
                ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${scenario}"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${IPSEC_DIR}/certs"
done

for scenario in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${scenario}"
  cp "${TEST_KEY}"  "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
done
947
# Generate a second carol Research certificate without a CDP for the
# ikev2/ocsp-strict-ifuri scenario; key, CN and serial are carried over from
# the certificate issued above.
# NOTE(review): this reuses SERIAL "01" for a different certificate of the same
# issuer, which RFC 5280 section 4.1.2.2 (serial numbers unique per CA) does
# not allow. It only works because the two certificates never meet in one
# scenario and index.txt lookups are by serial -- confirm this is intended
# rather than bumping the serial.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/carol/${IPSEC_DIR}/private"
956
# Generate the OCSP signing certificate of the Research CA (ocspSigning
# extended key usage, i.e. a delegated responder for ocsp.research.strongswan.org)
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${RESEARCH_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
969
# Cross-sign the Sales CA key with the Research CA for the
# ikev2/multi-level-ca-loop scenario; together with its mirror image
# research_by_salesCert.pem (issued further down) this forms a cycle in the
# trust graph. The cross certificate is a CA certificate (--ca) without a path
# length constraint and only has the end-entity lifetime.
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${SALES_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"
979
980 ################################################################################
981 # Duck Research CA                                                                     #
982 ################################################################################
983
# Generate the Duck Research CA: a sub-CA of the Research CA (--ca, no path
# length constraint) issued for the end-entity lifetime, with the Research CRL
# as its distribution point
SERIAL="04"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${DUCK_KEY}"
pki --issue --cakey "${RESEARCH_KEY}" --cacert "${RESEARCH_CERT}" --type rsa \
    --in "${DUCK_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
    --crl "${RESEARCH_CDP}" --outform pem > "${DUCK_CERT}"
cp "${DUCK_CERT}" "${RESEARCH_DIR}/certs/${SERIAL}.pem"

# Install it as a CA certificate on moon in ikev2/multi-level-ca-pathlen
TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
cp "${DUCK_CERT}" "${TEST}/hosts/moon/${IPSEC_DIR}/cacerts"
996
# Generate carol's certificate under the Duck Research CA (third CA level:
# Root -> Research -> Duck Research), without a CDP, for the
# ikev2/multi-level-ca-pathlen scenario that TEST still points at
CN="carol@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${DUCK_KEY}" --cacert "${DUCK_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
    --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${DUCK_DIR}/certs/${SERIAL}.pem"

# Generate the index.txt of the Research OCSP server from its template; only
# the end-entity expiration placeholder is substituted there
cp "${RESEARCH_DIR}/index.txt.template" "${RESEARCH_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${RESEARCH_DIR}/index.txt"
1012
1013 ################################################################################
1014 # Sales CA                                                                     #
1015 ################################################################################
1016
# Generate dave's Sales CA certificate (with the Sales CRL as its distribution
# point) for the multi-level CA scenarios
TEST="${TEST_DIR}/ikev2/multi-level-ca"
CN="dave@strongswan.org"
SERIAL="01"
TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1029
# Put a copy of dave's Sales key and certificate into the multi-level CA
# scenarios dave takes part in (ipsec.d layout for ikev1/ and ikev2/, swanctl
# layout for swanctl/)
for scenario in ikev2/multi-level-ca-cr-init ikev2/multi-level-ca-cr-resp \
                ikev2/multi-level-ca-ldap    ikev2/multi-level-ca-strict \
                ikev2/ocsp-multi-level \
                ikev1/multi-level-ca         ikev1/multi-level-ca-cr-init \
                ikev1/multi-level-ca-cr-resp
do
  TEST="${TEST_DIR}/${scenario}"
  cp "${TEST_KEY}"  "${TEST}/hosts/dave/${IPSEC_DIR}/private"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${IPSEC_DIR}/certs"
done

for scenario in swanctl/multi-level-ca swanctl/ocsp-multi-level
do
  TEST="${TEST_DIR}/${scenario}"
  cp "${TEST_KEY}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/rsa"
  cp "${TEST_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"
done
1079
# Generate a second dave Sales certificate for ikev2/ocsp-strict-ifuri: no CDP,
# but an OCSP URI pointing at a responder that is not running
# (ocsp2.strongswan.org:8882). Key, CN and serial are carried over from the
# Sales certificate issued above.
# NOTE(review): the Sales CA thus has two different certificates with serial
# "01"; RFC 5280 section 4.1.2.2 requires serials to be unique per issuer.
# Harmless while the two never meet in one scenario -- confirm it is intended.
TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > "${TEST_CERT}"
cp "${TEST_KEY}" "${TEST}/hosts/dave/${IPSEC_DIR}/private"
1088
# Generate the OCSP signing certificate of the Sales CA (ocspSigning extended
# key usage, i.e. a delegated responder for ocsp.sales.strongswan.org)
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl "${SALES_CDP}" --flag ocspSigning --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"
1101
# Cross-sign the Research CA key with the Sales CA for the
# ikev2/multi-level-ca-loop scenario (mirror image of sales_by_researchCert.pem
# issued above; --ca without path length constraint, end-entity lifetime)
TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
SERIAL="03"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
pki --issue --cakey "${SALES_KEY}" --cacert "${SALES_CERT}" --type rsa \
    --in "${RESEARCH_KEY}" --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --crl "${SALES_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${SALES_DIR}/certs/${SERIAL}.pem"

# Generate the index.txt of the Sales OCSP server from its template; only the
# end-entity expiration placeholder is substituted there
cp "${SALES_DIR}/index.txt.template" "${SALES_DIR}/index.txt"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" "${SALES_DIR}/index.txt"
1115
1116 ################################################################################
1117 # strongSwan EC Root CA                                                        #
1118 ################################################################################
1119
# Generate the strongSwan EC Root CA: a self-signed CA certificate on a 521 bit
# ECDSA key, valid for the full CA lifetime
pki --gen  --type ecdsa --size 521 --outform pem > "${ECDSA_KEY}"
pki --self --type ecdsa --in "${ECDSA_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
    --outform pem > "${ECDSA_CERT}"

# Every peer of the openssl-ikev2/ecdsa-certs scenario gets this root as a
# trusted CA certificate
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
for peer in moon carol dave
do
  cp "${ECDSA_CERT}" "${TEST}/hosts/${peer}/${SWANCTL_DIR}/x509ca"
done
1132
# Generate moon's ECDSA certificate on a 521 bit key, serial 01 under the EC
# Root CA (TEST still points at openssl-ikev2/ecdsa-certs).
# NOTE(review): the DN says "OU=ECDSA 512 bit" although the key is 521 bit.
# The string is presumably part of moon's identity as configured in the
# scenarios, so it is left as is; change it together with the scenario
# configuration if at all.
CN="moon.strongswan.org"
SERIAL="01"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
pki --gen --type ecdsa --size 521 --outform pem > "${MOON_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${MOON_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${MOON_CERT}"
cp "${MOON_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1144
# Generate carol's ECDSA certificate on a 256 bit key, serial 02 under the EC
# Root CA; CAROL_KEY / CAROL_CERT are reused by the scenarios further down
CN="carol@strongswan.org"
SERIAL="02"
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
pki --gen --type ecdsa --size 256 --outform pem > "${CAROL_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${CAROL_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${CAROL_CERT}"
cp "${CAROL_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1156
# Generate dave's ECDSA certificate on a 384 bit key, serial 03 under the EC
# Root CA; DAVE_KEY / DAVE_CERT are reused by the scenarios further down
CN="dave@strongswan.org"
SERIAL="03"
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
pki --gen --type ecdsa --size 384 --outform pem > "${DAVE_KEY}"
pki --issue --cakey "${ECDSA_KEY}" --cacert "${ECDSA_CERT}" --type ecdsa \
    --in "${DAVE_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
    --crl "${ECDSA_CDP}" --outform pem > "${DAVE_CERT}"
cp "${DAVE_CERT}" "${ECDSA_DIR}/certs/${SERIAL}.pem"
1168
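# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
cp "${ECDSA_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca"
cp "${MOON_CERT}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
cp "${ECDSA_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca"
cp "${CAROL_CERT}" "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
cp "${ECDSA_CERT}" "${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca"
cp "${DAVE_CERT}"  "${TEST}/hosts/dave/${SWANCTL_DIR}/x509"

# Convert moon's private key into unencrypted PKCS#8 (PrivateKeyInfo) format;
# -nocrypt is intentional for this one, the plain variant is what it tests
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
openssl pkcs8 -in "${MOON_KEY}" -nocrypt -topk8 -out "${TEST_KEY}"

# Convert carol's private key into PKCS#5 v1.5 (PBES1, PBE-MD5-DES) encrypted
# PKCS#8 format. Two things differ from the previous invocation:
#  - no -nocrypt: with -nocrypt, openssl pkcs8 writes an *unencrypted*
#    PrivateKeyInfo and ignores -v1/-v2/-passout, so the key did not match
#    this comment (nor, presumably, the secret the scenario configures);
#  - the passphrase is passed through the environment (-passout env:) instead
#    of argv, so it is not visible in the process list while openssl runs.
# The passphrase is a test fixture and has to stay in sync with the scenario's
# swanctl.conf.
# NOTE(review): PBE-MD5-DES is a deliberately weak legacy scheme kept for
# coverage; on OpenSSL 3.x it may require the legacy provider -- confirm.
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
PKCS8_PWD="nH5ZQEWtku0RJEZ6" \
openssl pkcs8 -in "${CAROL_KEY}" -topk8 -v1 PBE-MD5-DES \
              -passout env:PKCS8_PWD -out "${TEST_KEY}"

# Convert dave's private key into PKCS#5 v2.0 (PBES2) AES-128 encrypted PKCS#8
# format, same considerations as for carol above
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
PKCS8_PWD="OJlNZBx+80dLh4wC6fw5LmBd" \
openssl pkcs8 -in "${DAVE_KEY}" -topk8 -v2 aes128 \
              -passout env:PKCS8_PWD -out "${TEST_KEY}"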
1191
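# Put key, EE and CA certificate copies in the openssl-ikev1/ecdsa-certs
# scenario. Absolute paths are used instead of cd'ing into each host directory:
# this script does not run under set -e, so a failed cd would leave the
# relative mkdir/cp operating in the previous working directory and silently
# drop private keys there.
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
for peer in moon carol dave
do
  peer_dir="${TEST}/hosts/${peer}/${SWANCTL_DIR}"
  mkdir -p "${peer_dir}/ecdsa" "${peer_dir}/x509" "${peer_dir}/x509ca"
  case "${peer}" in
    moon)
      cp "${MOON_KEY}"   "${peer_dir}/ecdsa"
      cp "${MOON_CERT}"  "${peer_dir}/x509"
      ;;
    carol)
      cp "${CAROL_KEY}"  "${peer_dir}/ecdsa"
      cp "${CAROL_CERT}" "${peer_dir}/x509"
      ;;
    dave)
      cp "${DAVE_KEY}"   "${peer_dir}/ecdsa"
      cp "${DAVE_CERT}"  "${peer_dir}/x509"
      ;;
  esac
  cp "${ECDSA_CERT}" "${peer_dir}/x509ca"
done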
1209
1210 ################################################################################
1211 # strongSwan RFC3779 Root CA                                                   #
1212 ################################################################################
1213
# Generate the strongSwan RFC3779 Root CA. The IP address blocks granted here
# (RFC 3779 extension) cover everything delegated to the end-entity
# certificates issued below: 10.1/16 and 10.2/16 (moon, sun), 10.3.0.1 and
# 10.3.0.2 (carol, dave), the 192.168.0.x hosts and the fec0::/fec1::/fec2::
# prefixes -- RFC 3779 requires the issuer's blocks to contain the subject's.
pki --gen  --type rsa --size "${RSA_SIZE}" --outform pem > "${RFC3779_KEY}"
pki --self --type rsa --in "${RFC3779_KEY}" \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
    --addrblock "10.1.0.0-10.2.255.255" \
    --addrblock "10.3.0.1-10.3.3.232" \
    --addrblock "192.168.0.0/24" \
    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
    --outform pem > "${RFC3779_CERT}"
1224
# Install the RFC3779 Root CA on both gateways of ikev2/net2net-rfc3779
# (ipsec.d layout)
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
for gw in moon sun
do
  mkdir -p "${TEST}/hosts/${gw}/${IPSEC_DIR}/cacerts"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${gw}/${IPSEC_DIR}/cacerts"
done

# ... and on both roadwarriors of ipv6/rw-rfc3779-ikev2 (swanctl layout)
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
for rw in carol dave
do
  mkdir -p "${TEST}/hosts/${rw}/${SWANCTL_DIR}/x509ca"
  cp "${RFC3779_CERT}" "${TEST}/hosts/${rw}/${SWANCTL_DIR}/x509ca"
done
1238
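# Generate moon's RFC 3779 certificate. Its address blocks (10.1.0.0/16,
# 192.168.0.1, fec0::1 and fec1::/16) all lie inside the blocks of the RFC3779
# Root CA above, as RFC 3779 requires for the extension to validate.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p "${TEST}/hosts/moon/${IPSEC_DIR}/private" \
         "${TEST}/hosts/moon/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy into the swanctl-based ipv6 scenarios. Absolute paths are used
# instead of cd'ing into each host directory: this script does not run under
# set -e, so a failed cd would leave the relative mkdir/cp operating in the
# previous working directory and silently drop the private key there.
for scenario in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
do
  moon_dir="${TEST_DIR}/ipv6/${scenario}/hosts/moon/${SWANCTL_DIR}"
  mkdir -p "${moon_dir}/rsa" "${moon_dir}/x509" "${moon_dir}/x509ca"
  cp "${TEST_KEY}"     "${moon_dir}/rsa"
  cp "${TEST_CERT}"    "${moon_dir}/x509"
  cp "${RFC3779_CERT}" "${moon_dir}/x509ca"
done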
1265
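# Generate sun's RFC 3779 certificate. Its address blocks (10.2.0.0/16,
# 192.168.0.2, fec0::2 and fec2::/16) all lie inside the blocks of the RFC3779
# Root CA above.
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p "${TEST}/hosts/sun/${IPSEC_DIR}/private" \
         "${TEST}/hosts/sun/${IPSEC_DIR}/certs"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"

# Put a copy into the ipv6/net2net-rfc3779-ikev2 scenario. Absolute paths are
# used instead of cd: this script does not run under set -e, so a failed cd
# would leave the relative mkdir/cp operating in the previous working
# directory and silently drop the private key there.
sun_dir="${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
mkdir -p "${sun_dir}/rsa" "${sun_dir}/x509" "${sun_dir}/x509ca"
cp "${TEST_KEY}"     "${sun_dir}/rsa"
cp "${TEST_CERT}"    "${sun_dir}/x509"
cp "${RFC3779_CERT}" "${sun_dir}/x509ca"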
1289
# Generate carol's RFC 3779 roadwarrior certificate for ipv6/rw-rfc3779-ikev2;
# its single-host address blocks (10.3.0.1, 192.168.0.100, fec0::10) lie inside
# the RFC3779 Root CA's blocks
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
CN="carol@strongswan.org"
SERIAL="03"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
mkdir -p "${TEST}/hosts/carol/${SWANCTL_DIR}/rsa" \
         "${TEST}/hosts/carol/${SWANCTL_DIR}/x509"
pki --gen --type rsa --size "${RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${RFC3779_KEY}" --cacert "${RFC3779_CERT}" --type rsa \
    --in "${TEST_KEY}" --not-before "${START}" --not-after "${EE_END}" --san "${CN}" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
    --addrblock "fec0::10/128" \
    --crl "${RFC3779_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${RFC3779_DIR}/certs/${SERIAL}.pem"
1306
1307 # Generate a carol RFC3779 certificate
1308 TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
1309 TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
1310 TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
1311 CN="dave@strongswan.org"
1312 SERIAL="04"
1313 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
1314 mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
1315 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
1316 pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
1317     --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
1318     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
1319     --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
1320     --addrblock "fec0::20/128" \
1321     --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
1322 cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
1323
1324 ################################################################################
1325 # strongSwan SHA3-RSA Root CA                                                  #
1326 ################################################################################
1327
# strongSwan SHA3-RSA Root CA: a self-signed RSA root whose signature uses
# SHA3-256 (--digest sha3_256). It is then installed as trust anchor for moon
# and sun in the swanctl/net2net-sha3-rsa-cert scenario. TEST stays set for
# the end-entity certificates generated in the following sections.
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --not-before "${START}" --not-after "${CA_END}" \
    --outform pem > ${SHA3_RSA_CERT}

TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
for host in moon sun; do
    cp ${SHA3_RSA_CERT} ${TEST}/hosts/${host}/${SWANCTL_DIR}/x509ca
done
1339
# Generate the sun (serial 01) and moon (serial 02) SHA3-RSA end-entity
# certificates, signed with SHA3-256 by the root created above. SUN_KEY,
# SUN_CERT, MOON_KEY and MOON_CERT remain set because the scenario copies
# below reuse them; CN and SERIAL are left holding moon's values.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"

# $1 host name, $2 serial, $3 key file, $4 certificate file.
# Generates the key, issues the certificate and files a copy with the CA.
# CN and SERIAL are set as globals.
issue_sha3_rsa_host_cert() {
    CN="$1.strongswan.org"
    SERIAL="$2"
    pki --gen --type rsa --size ${RSA_SIZE} --outform pem > "$3"
    pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
        --in "$3" --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
        --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
        --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > "$4"
    cp "$4" ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
}
issue_sha3_rsa_host_cert sun  01 ${SUN_KEY}  ${SUN_CERT}
issue_sha3_rsa_host_cert moon 02 ${MOON_KEY} ${MOON_CERT}
1363
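# Put a copy in the botan/net2net-sha3-rsa-cert scenario.
# Each cd is guarded: this script runs without 'set -e', so if a scenario
# directory were missing, the mkdir and cp below would silently create the
# key and certificate directories (private keys included) under the previous
# working directory instead of aborting.
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${MOON_KEY}"      rsa
cp "${MOON_CERT}"     x509
cp "${SHA3_RSA_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p rsa x509 x509ca
cp "${SUN_KEY}"       rsa
cp "${SUN_CERT}"      x509
cp "${SHA3_RSA_CERT}" x509ca

# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario: moon gets its key and
# certificate, moon, carol and dave get the root as trust anchor. TEST stays
# set for the carol and dave certificates generated next.
TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
cp "${MOON_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/rsa"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
for host in moon carol dave; do
    cp "${SHA3_RSA_CERT}" "${TEST}/hosts/${host}/${SWANCTL_DIR}/x509ca"
done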
1384
# Generate the carol (serial 03) and dave (serial 04) SHA3-RSA end-entity
# certificates inside the scenario currently held in TEST. TEST_KEY,
# TEST_CERT, CN and SERIAL are left holding dave's values.
#
# $1 user name, $2 serial. Writes the key under rsa/ and the certificate under
# x509/ of the user's host directory and files a copy with the CA.
issue_sha3_rsa_user_cert() {
    TEST_KEY="${TEST}/hosts/$1/${SWANCTL_DIR}/rsa/${1}Key.pem"
    TEST_CERT="${TEST}/hosts/$1/${SWANCTL_DIR}/x509/${1}Cert.pem"
    CN="$1@strongswan.org"
    SERIAL="$2"
    pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
    pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
        --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
        --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
        --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
    cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
}
issue_sha3_rsa_user_cert carol 03
issue_sha3_rsa_user_cert dave  04
1408
1409 ################################################################################
1410 # strongSwan Ed25519 Root CA                                                   #
1411 ################################################################################
1412
# strongSwan Ed25519 Root CA. The root carries both certificate policies
# (1.3.6.1.4.1.36906.1.1.1 and .1.1.2); each end-entity certificate issued
# below gets exactly one of them. The root is installed as trust anchor for
# moon and sun in the swanctl/net2net-ed25519 scenario; TEST stays set for the
# end-entity certificates generated in the following sections.
pki --gen --type ed25519 --outform pem > ${ED25519_KEY}
pki --self --type ed25519 --in ${ED25519_KEY} --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --not-before "${START}" --not-after "${CA_END}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > ${ED25519_CERT}

TEST="${TEST_DIR}/swanctl/net2net-ed25519"
for host in moon sun; do
    cp ${ED25519_CERT} ${TEST}/hosts/${host}/${SWANCTL_DIR}/x509ca
done
1426
# Generate the sun (serial 01, policy .1.1.2) and moon (serial 02, policy
# .1.1.1) Ed25519 end-entity certificates with the serverAuth flag. Keys go
# under the pkcs8/ directory of each host. SUN_KEY, SUN_CERT, MOON_KEY and
# MOON_CERT remain set because the scenario copies below reuse them; CN and
# SERIAL are left holding moon's values.
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"

# $1 host name, $2 serial, $3 certificate policy OID, $4 key file,
# $5 certificate file. CN and SERIAL are set as globals.
issue_ed25519_host_cert() {
    CN="$1.strongswan.org"
    SERIAL="$2"
    pki --gen --type ed25519 --outform pem > "$4"
    pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
        --in "$4" --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
        --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
        --cert-policy "$3" --flag "serverAuth" \
        --crl ${ED25519_CDP} --outform pem > "$5"
    cp "$5" ${ED25519_DIR}/certs/${SERIAL}.pem
}
issue_ed25519_host_cert sun  01 "1.3.6.1.4.1.36906.1.1.2" ${SUN_KEY}  ${SUN_CERT}
issue_ed25519_host_cert moon 02 "1.3.6.1.4.1.36906.1.1.1" ${MOON_KEY} ${MOON_CERT}
1452
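# Put a copy in the botan/net2net-ed25519 scenario.
# Every cd is guarded: this script runs without 'set -e', so if a scenario
# directory were missing, the mkdir and cp below would silently create the
# key and certificate directories (private keys included) under the previous
# working directory instead of aborting.
TEST="${TEST_DIR}/botan/net2net-ed25519"
cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp "${MOON_KEY}"     pkcs8
cp "${MOON_CERT}"    x509
cp "${ED25519_CERT}" x509ca
cd "${TEST}/hosts/sun/${SWANCTL_DIR}" || exit 1
mkdir -p pkcs8 x509 x509ca
cp "${SUN_KEY}"      pkcs8
cp "${SUN_CERT}"     x509
cp "${ED25519_CERT}" x509ca

# Put a copy in the ikev2/net2net-ed25519 scenario, which uses the
# private/certs/cacerts layout under IPSEC_DIR.
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
cd "${TEST}/hosts/moon/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${MOON_KEY}"     private
cp "${MOON_CERT}"    certs
cp "${ED25519_CERT}" cacerts
cd "${TEST}/hosts/sun/${IPSEC_DIR}" || exit 1
mkdir -p cacerts certs private
cp "${SUN_KEY}"      private
cp "${SUN_CERT}"     certs
cp "${ED25519_CERT}" cacerts

# Put a copy in the swanctl/rw-ed25519-certpol scenario: moon gets its key and
# certificate, moon, carol and dave get the root as trust anchor. TEST stays
# set for the carol and dave certificates generated next.
TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
cp "${MOON_KEY}"  "${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8"
cp "${MOON_CERT}" "${TEST}/hosts/moon/${SWANCTL_DIR}/x509"
for host in moon carol dave; do
    cp "${ED25519_CERT}" "${TEST}/hosts/${host}/${SWANCTL_DIR}/x509ca"
done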
1486
# Generate the carol (serial 03, policy .1.1.1) and dave (serial 04, policy
# .1.1.2) Ed25519 end-entity certificates with the clientAuth flag inside the
# scenario currently held in TEST. TEST_KEY, TEST_CERT, CN and SERIAL are
# left holding dave's values.
#
# $1 user name, $2 serial, $3 certificate policy OID. Writes the key under
# pkcs8/ and the certificate under x509/ of the user's host directory and
# files a copy with the CA.
issue_ed25519_user_cert() {
    TEST_KEY="${TEST}/hosts/$1/${SWANCTL_DIR}/pkcs8/${1}Key.pem"
    TEST_CERT="${TEST}/hosts/$1/${SWANCTL_DIR}/x509/${1}Cert.pem"
    CN="$1@strongswan.org"
    SERIAL="$2"
    pki --gen --type ed25519 --outform pem > ${TEST_KEY}
    pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
        --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
        --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
        --cert-policy "$3" --flag "clientAuth" \
        --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
    cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
}
issue_ed25519_user_cert carol 03 "1.3.6.1.4.1.36906.1.1.1"
issue_ed25519_user_cert dave  04 "1.3.6.1.4.1.36906.1.1.2"
1512
1513 ################################################################################
1514 # strongSwan Monster Root CA                                                   #
1515 ################################################################################
1516
# strongSwan Monster Root CA: an RSA root of MONSTER_CA_RSA_SIZE bits with a
# fixed validity from 01.05.2009 to 01.05.2059 (dd.mm.yy in the arguments),
# i.e. a notAfter well beyond 2038, for the ikev2/after-2038-certs scenario
# where it is installed as trust anchor on moon and carol. TEST stays set for
# the end-entity certificates generated next.
pki --gen --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
pki --self --type rsa --in ${MONSTER_KEY} --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" \
    --outform pem > ${MONSTER_CERT}

TEST="${TEST_DIR}/ikev2/after-2038-certs"
for host in moon carol; do
    cp ${MONSTER_CERT} ${TEST}/hosts/${host}/${IPSEC_DIR}/cacerts/
done
1528
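# Generate a moon Monster certificate (serial 01). Validity runs from
# 01.05.2009 to 01.05.2039 (dd.mm.yy), so notAfter lies beyond the 2038
# limit of a 32-bit time_t, which is what the after-2038-certs scenario is
# presumably about. NOTE: a stray bare '-' argument following --not-after
# does not belong on this command line; it is not a pki option and only
# went unnoticed because GNU getopt permutes non-option arguments, so it
# would break option parsing under POSIXLY_CORRECT or a non-GNU getopt.
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"

# Generate a carol Monster certificate (serial 02) with the same validity.
# TEST_KEY, TEST_CERT, CN and SERIAL are left holding carol's values.
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
pki --gen --type rsa --size "${MONSTER_EE_RSA_SIZE}" --outform pem > "${TEST_KEY}"
pki --issue --cakey "${MONSTER_KEY}" --cacert "${MONSTER_CERT}" --type rsa \
    --in "${TEST_KEY}" --san "${CN}" \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial "${SERIAL}" --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl "${MONSTER_CDP}" --outform pem > "${TEST_CERT}"
cp "${TEST_CERT}" "${MONSTER_DIR}/certs/${SERIAL}.pem"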
1554
1555 ################################################################################
1556 # Bliss CA                                                                     #
1557 ################################################################################
1558
# BLISS Root CA with 192 bit security strength (--size 4), self-signed with
# SHA3-512. No --outform is given, so pki's default output format is used
# (the end-entity files below are named .der). The root is installed as trust
# anchor for carol, dave and moon in the two ikev2 rw-*-bliss scenarios and in
# swanctl/rw-ntru-bliss. TEST is left pointing at swanctl/rw-ntru-bliss.
pki --gen --type bliss --size 4 > ${BLISS_KEY}
pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" \
    --not-before "${START}" --not-after "${CA_END}" > ${BLISS_CERT}

for scenario in ikev2/rw-newhope-bliss ikev2/rw-ntru-bliss; do
    TEST="${TEST_DIR}/${scenario}"
    for host in carol dave moon; do
        cp ${BLISS_CERT} ${TEST}/hosts/${host}/${IPSEC_DIR}/cacerts/
    done
done

TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
for host in carol dave moon; do
    cp ${BLISS_CERT} ${TEST}/hosts/${host}/${SWANCTL_DIR}/x509ca/
done
1582
# Generate the BLISS end-entity certificates at three security strengths:
# carol (OU "BLISS I", --size 1, 128 bit), dave (OU "BLISS III", --size 3,
# 160 bit) and moon (OU "BLISS IV", --size 4, 192 bit). Each key/certificate
# pair is created in ikev2/rw-newhope-bliss, filed with the CA, and then
# copied into ikev2/rw-ntru-bliss and swanctl/rw-ntru-bliss. TEST, TEST_KEY,
# TEST_CERT, CN and SERIAL are left holding moon's values, with TEST pointing
# at swanctl/rw-ntru-bliss.
#
# $1 host name, $2 subject alternative name, $3 BLISS size, $4 OU, $5 serial.
issue_bliss_cert() {
    TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
    TEST_KEY="${TEST}/hosts/$1/${IPSEC_DIR}/private/${1}Key.der"
    TEST_CERT="${TEST}/hosts/$1/${IPSEC_DIR}/certs/${1}Cert.der"
    CN="$2"
    SERIAL="$5"
    pki --gen --type bliss --size "$3" > ${TEST_KEY}
    pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
        --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
        --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=$4, CN=${CN}" \
        --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
    cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der

    # Same key and certificate for the ikev2/rw-ntru-bliss scenario.
    TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
    cp ${TEST_KEY} ${TEST}/hosts/$1/${IPSEC_DIR}/private/
    cp ${TEST_CERT} ${TEST}/hosts/$1/${IPSEC_DIR}/certs/

    # And for the swanctl/rw-ntru-bliss scenario (bliss/ and x509/ layout).
    TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
    cp ${TEST_KEY} ${TEST}/hosts/$1/${SWANCTL_DIR}/bliss/
    cp ${TEST_CERT} ${TEST}/hosts/$1/${SWANCTL_DIR}/x509/
}
issue_bliss_cert carol carol@strongswan.org 1 "BLISS I"   01
issue_bliss_cert dave  dave@strongswan.org  3 "BLISS III" 02
issue_bliss_cert moon  moon.strongswan.org  4 "BLISS IV"  03