added
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 14 Mar 2007 09:05:27 +0000 (09:05 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 14 Mar 2007 09:05:27 +0000 (09:05 -0000)
testing/tests/ikev2/ocsp-revoked/description.txt [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/ocsp-revoked/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/test.conf [new file with mode: 0644]

diff --git a/testing/tests/ikev2/ocsp-revoked/description.txt b/testing/tests/ikev2/ocsp-revoked/description.txt
new file mode 100644 (file)
index 0000000..ead076a
--- /dev/null
@@ -0,0 +1,9 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
+issued by the strongSwan CA. This certificate contains an <b>OCSPSigner</b>
+extended key usage flag. A strongswan <b>ca</b> section in ipsec.conf defines an
+<b>OCSP URI</b> pointing to <b>winnetou</b>.
+<p>
+<b>carol</b> tries to initiate an IPsec connection to <b>moon</b> but fails 
+because <b>carol</b>'s certificate has been <b>revoked</b>.
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
new file mode 100644 (file)
index 0000000..1d9d760
--- /dev/null
@@ -0,0 +1,7 @@
+moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO
+
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..be15f6e
--- /dev/null
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       plutostart=no
+
+ca strongswan
+       cacert=strongswanCert.pem
+       ocspuri=http://ocsp.strongswan.org:8880
+       auto=add
+
+conn %default
+       keyexchange=ikev2
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftcert=carolCert-revoked.pem
+       leftid=carol@strongswan.org
+
+conn home
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add
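Review bot: This ipsec.conf is committed as `new file mode 100755`, but it is a plain configuration file with no interpreter line and should be a regular 0644 file; the moon ipsec.conf in this commit has the same executable mode. The `ca` section is named `strongswan` here but `strongswan-ca` on moon; the name is only a label, yet keeping both hosts on one spelling, e.g. `ca strongswan-ca`, avoids a reader wondering whether the two refer to different CAs. Since the whole point of the fixture is the revoked leaf certificate, a comment above the `conn %default` section would make that explicit, `# carolCert-revoked.pem is intentionally revoked: moon's OCSP check must reject this connection`.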
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem
new file mode 100644 (file)
index 0000000..5b742fc
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem
new file mode 100644 (file)
index 0000000..8aefcc5
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..22f06e6
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey-revoked.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..21b48ef
--- /dev/null
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       crlcheckinterval=180
+       strictcrlpolicy=yes
+       plutostart=no
+
+ca strongswan-ca
+       cacert=strongswanCert.pem
+       ocspuri=http://ocsp.strongswan.org:8880
+       auto=add
+
+conn %default
+       keyexchange=ikev2
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+
+conn rw
+       left=PH_IP_MOON
+       leftnexthop=%direct
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       auto=add
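Review bot: The `rw` conn accepts any peer (`right=%any`) and sets neither `rightid` nor `rightca`, so the only mechanism that can reject carol in this test is the OCSP status check enforced by `strictcrlpolicy=yes` in the setup section. That appears to be the intent of the test, but nothing in the file says so, and a reader copying this conn elsewhere would lose the identity constraint without noticing. A one-line comment above `conn rw` would document it, `# no rightid/rightca on purpose: the revoked peer certificate must be rejected by the OCSP status check alone`.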
diff --git a/testing/tests/ikev2/ocsp-revoked/posttest.dat b/testing/tests/ikev2/ocsp-revoked/posttest.dat
new file mode 100644 (file)
index 0000000..d883459
--- /dev/null
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+winnetou::killall openssl
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/ocsp-revoked/pretest.dat b/testing/tests/ikev2/ocsp-revoked/pretest.dat
new file mode 100644 (file)
index 0000000..d5516fd
--- /dev/null
@@ -0,0 +1,5 @@
+winnetou::/etc/openssl/start-ocsp
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"