testing: Script building fresh certificates
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 1 Apr 2019 14:21:10 +0000 (16:21 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 May 2019 12:56:48 +0000 (14:56 +0200)
192 files changed:
testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
testing/hosts/winnetou/etc/ca/generate-crl [new file with mode: 0755]
testing/hosts/winnetou/etc/ca/index.html [new file with mode: 0644]
testing/hosts/winnetou/etc/ca/index.txt.template [new file with mode: 0644]
testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi [new file with mode: 0755]
testing/hosts/winnetou/etc/ca/research/index.txt.template [new file with mode: 0644]
testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi [new file with mode: 0755]
testing/hosts/winnetou/etc/ca/sales/index.txt.template [new file with mode: 0644]
testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi [new file with mode: 0755]
testing/hosts/winnetou/etc/ldap/ldif.txt
testing/hosts/winnetou/etc/ldap/slapd.conf
testing/hosts/winnetou/etc/openssl/index.html [deleted file]
testing/hosts/winnetou/etc/strongswan.conf
testing/scripts/build-certs [new file with mode: 0755]
testing/scripts/build-guestimages
testing/tests/botan/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem [deleted file]
testing/tests/botan/rw-ecp256/hosts/carol/etc/swanctl/rsa/carolKey.pem [deleted file]
testing/tests/botan/rw-modp3072/hosts/carol/etc/swanctl/rsa/carolKey.pem [deleted file]
testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem [deleted file]
testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem [new file with mode: 0644]
testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem [deleted file]
testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aaKey.pem [new file with mode: 0644]
testing/tests/ikev2/acert-cached/posttest.dat
testing/tests/ikev2/acert-cached/reissue.txt [deleted file]
testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem [deleted file]
testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem [new file with mode: 0644]
testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem [deleted file]
testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aaKey.pem [new file with mode: 0644]
testing/tests/ikev2/acert-fallback/posttest.dat
testing/tests/ikev2/acert-fallback/reissue.txt [deleted file]
testing/tests/ikev2/acert-inline/evaltest.dat
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem [deleted file]
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem [deleted file]
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert-expired.pem [new file with mode: 0644]
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem [new file with mode: 0644]
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem [deleted file]
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem [deleted file]
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey-expired.pem [new file with mode: 0644]
testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey.pem [new file with mode: 0644]
testing/tests/ikev2/acert-inline/posttest.dat
testing/tests/ikev2/acert-inline/reissue.txt [deleted file]
testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl [deleted file]
testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/stale.crl [new file with mode: 0644]
testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl [deleted file]
testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/stale.crl [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem [deleted file]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem [deleted file]
testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
testing/tests/ikev2/crl-revoked/posttest.dat
testing/tests/ikev2/crl-to-cache/evaltest.dat
testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der [deleted file]
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.pem [new file with mode: 0644]
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der [deleted file]
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.pem [new file with mode: 0644]
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der [deleted file]
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der [deleted file]
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.pem [new file with mode: 0644]
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der [deleted file]
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.pem [new file with mode: 0644]
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der [deleted file]
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets [deleted file]
testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi [new file with mode: 0755]
testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi [deleted file]
testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/ocsp-multi-level/pretest.dat
testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi [new file with mode: 0755]
testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi [deleted file]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem [deleted file]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem [deleted file]
testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
testing/tests/ikev2/ocsp-revoked/posttest.dat
testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem [deleted file]
testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem [deleted file]
testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets
testing/tests/ikev2/ocsp-signer-cert/posttest.dat
testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem [deleted file]
testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem [deleted file]
testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem [deleted file]
testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem [deleted file]
testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets
testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi [new file with mode: 0755]
testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi [deleted file]
testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/rw-pkcs8/description.txt
testing/tests/ikev2/strong-keys-certs/description.txt
testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem [deleted file]
testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/pkcs8/moonKey.pem [new file with mode: 0644]
testing/tests/swanctl/crl-to-cache/evaltest.dat
testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/x509ca/researchCert.pem [deleted file]
testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/x509ca/salesCert.pem [deleted file]
testing/tests/swanctl/multi-level-ca/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem [deleted file]
testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem [deleted file]
testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-pubkey-anon/evaltest.dat
testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem [deleted file]
testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat
testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem [deleted file]
testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
testing/tests/tnc/tnccs-20-tls/evaltest.dat

index fb9e984..d160c3e 100644 (file)
@@ -6,11 +6,11 @@ AddHandler cgi-script .cgi
 
 <VirtualHost *:8880>
     ServerAdmin  root@strongswan.org
-    DocumentRoot /etc/openssl/ocsp
+    DocumentRoot /etc/ca/ocsp
     ServerName   ocsp.strongswan.org
     ServerAlias         192.168.0.150
     DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/ocsp">
+    <Directory "/etc/ca/ocsp">
         Options  +ExecCGI
         Require all granted
    </Directory>
@@ -22,11 +22,11 @@ Listen 8881
 
 <VirtualHost *:8881>
     ServerAdmin  root@research.strongswan.org
-    DocumentRoot /etc/openssl/research/ocsp
+    DocumentRoot /etc/ca/research/ocsp
     ServerName   ocsp.research.strongswan.org
     ServerAlias         ocsp.strongswan.org 192.168.0.150
     DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/research/ocsp">
+    <Directory "/etc/ca/research/ocsp">
         Options +ExecCGI
         Require all granted
    </Directory>
@@ -38,11 +38,11 @@ Listen 8882
 
 <VirtualHost *:8882>
     ServerAdmin  root@sales.strongswan.org
-    DocumentRoot /etc/openssl/sales/ocsp
+    DocumentRoot /etc/ca/sales/ocsp
     ServerName   ocsp.sales.strongswan.org
     ServerAlias         ocsp.strongswan.org 192.168.0.150
     DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/sales/ocsp">
+    <Directory "/etc/ca/sales/ocsp">
         Options +ExecCGI
         Require all granted
    </Directory>
diff --git a/testing/hosts/winnetou/etc/ca/generate-crl b/testing/hosts/winnetou/etc/ca/generate-crl
new file mode 100755 (executable)
index 0000000..39db1af
--- /dev/null
@@ -0,0 +1,133 @@
+#!/bin/bash
+
+export LEAK_DETECTIVE_DISABLE=1
+
+ROOT="/var/www"
+
+##
+# strongSwan Root CA
+cd /etc/ca
+
+# copy strongsSwan CA certificate
+cp strongswanCert.pem ${ROOT}
+cp strongswanCert.der ${ROOT}
+
+# generate CRL for strongSwan Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    --lastcrl strongswan.crl > ${ROOT}/strongswan.crl
+
+# revoke moon's current certificate
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    --reason key-compromise --serial 03 \
+    --lastcrl ${ROOT}/strongswan.crl > ${ROOT}/strongswan_moon_revoked.crl
+
+# generate a base CRL
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    --crluri http://crl.strongswan.org/strongswan_delta.crl \
+    --lastcrl strongswan.crl --lifetime 30 > ${ROOT}/strongswan_base.crl
+
+# generate a delta CRL revoking moon's current cert
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    --basecrl ${ROOT}/strongswan_base.crl --reason key-compromise \
+    --serial 03 --lifetime 15 > ${ROOT}/strongswan_delta.crl
+
+# generate Hash-and-URL certificates
+CERTS_DIR="${ROOT}/certs"
+for cert in `ls certs`
+do
+  openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
+  mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
+done
+
+##
+# Research CA
+cd /etc/ca/research
+
+# copy Research CA certificate
+cp researchCert.pem ${ROOT}
+cp researchCert.der ${ROOT}
+
+# generate CRL for Research CA
+pki --signcrl --cakey researchKey.pem --cacert researchCert.pem \
+    > ${ROOT}/research.crl
+
+# generate Hash-and-URL certificates
+CERTS_DIR="${ROOT}/certs/research"
+for cert in `ls certs`
+do
+  openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
+  mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
+done
+
+##
+# Sales CA
+cd /etc/ca/sales
+
+# copy Sales CA certificate
+cp salesCert.pem ${ROOT}
+cp salesCert.der ${ROOT}
+
+# generate CRL for Sales CA
+pki --signcrl --cakey salesKey.pem --cacert salesCert.pem \
+    > ${ROOT}/sales.crl
+
+# generate Hash-and-URL certificates
+CERTS_DIR="${ROOT}/certs/sales"
+for cert in `ls certs`
+do
+  openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
+  mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
+done
+
+##
+# strongSwan EC Root CA
+cd /etc/ca/ecdsa
+
+# copy ECDSA CA certificate
+cp strongswanCert.pem ${ROOT}/strongswan_ecdsaCert.pem
+openssl ec -in strongswanKey.pem -outform der -out ${ROOT}/strongswan_ecdsaCert.der
+chmod a+r ${ROOT}/strongswan_ecdsaCert.der
+
+# generate CRL for strongSwan EC Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    > ${ROOT}/strongswan_ecdsa.crl
+
+##
+# strongSwan RFC3779 Root CA
+cd /etc/ca/rfc3779
+
+# generate CRL for strongSwan RFC3779 Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    > ${ROOT}/strongswan_rfc3779.crl
+
+##
+# strongSwan SHA3-RSA Root CA
+cd /etc/ca/sha3-rsa
+
+# generate CRL for strongSwan SHA3-RSA Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    --digest sha3_256 > ${ROOT}/strongswan_sha3_rsa.crl
+
+##
+# strongSwan Ed25519 Root CA
+cd /etc/ca/ed25519
+
+# generate CRL for strongSwan Ed25519 Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    > ${ROOT}/strongswan_ed25519.crl
+
+##
+# strongSwan Monster Root CA
+cd /etc/ca/monster
+
+# generate CRL for strongSwan Monster Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+    > ${ROOT}/strongswan_monster.crl
+
+##
+# strongSwan BlISS Root CA
+cd /etc/ca/bliss
+
+# generate CRL for strongSwan BLISS Root CA
+pki --signcrl --cakey strongswan_blissKey.der --cacert strongswan_blissCert.der \
+    --lifetime 30 --digest sha3_512 > ${ROOT}/strongswan_bliss.crl
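Review bot: Under `# copy ECDSA CA certificate`, the line `openssl ec -in strongswanKey.pem -outform der -out ${ROOT}/strongswan_ecdsaCert.der` reads the EC root CA private key and, without `-pubout`, writes that private key in DER form into the web root, where the following `chmod a+r` makes it world-readable. The comment and the output file name show the certificate was meant, so the line should read `openssl x509 -in strongswanCert.pem -outform der -out ${ROOT}/strongswan_ecdsaCert.der`, matching the PEM copy directly above it. Separately, the three Hash-and-URL loops iterate `for cert in \`ls certs\`` with unquoted expansions; `for cert in certs/*` with `-in "${cert}"` is the robust form, and since nothing in this script creates `${CERTS_DIR}`, a `mkdir -p "${CERTS_DIR}"` before each loop (or a comment stating which provisioning step creates it) would make the dependency explicit.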
diff --git a/testing/hosts/winnetou/etc/ca/index.html b/testing/hosts/winnetou/etc/ca/index.html
new file mode 100644 (file)
index 0000000..9de0590
--- /dev/null
@@ -0,0 +1,58 @@
+<html>
+<head>
+  <title>strongSwan Web Services</title>
+  <base target="_self">
+</head>
+
+<body bgcolor="#FFFFFF">
+<table border=0 cellpadding=0 cellspacing=0 width=600>
+
+<tr><td>
+  <h2>strongSwan Testing Environment</h2>
+  <ul>
+    <li>
+      <a href="testresults/">Test Results</a>
+    </li>
+  </ul>
+  <a href="images/umlArchitecture_large.png" target="_blank">
+    <img src="images/umlArchitecture_small.png" border="0">
+  </a>
+
+    <h2>strongSwan Certification Authorities</h2>
+  <ul>
+    <li>
+      <bold>Root CA: </bold>
+      <a href="strongswanCert.pem">PEM</a> ,
+      <a href="strongswanCert.der">DER</a> ,
+      <a href="strongswan.crl">CRL</a>
+    </li>
+  </ul>
+  <ul>
+    <li>
+      <bold>Research CA: </bold>
+      <a href="researchCert.pem">PEM</a> ,
+      <a href="researchCert.der">DER</a> ,
+      <a href="research.crl">CRL</a>
+    </li>
+  </ul>
+  <ul>
+    <li>
+      <bold>Sales CA: </bold>
+       <a href="salesCert.pem">PEM</a> ,
+      <a href="salesCert.der">DER</a> ,
+      <a href="sales.crl">CRL</a>
+    </li>
+  </ul>
+  <ul>
+    <li>
+      <bold>ECDSA CA: </bold>
+      <a href="strongswan_ecdsaCert.pem">PEM</a> ,
+      <a href="strongswan_ecdsaCert.der">DER</a> ,
+     <a href="strongswan_ecdsa.crl">CRL</a>
+    </li>
+  </ul>
+  <hr>
+  <address>The strongSwan Project (<a href="https://www.strongswan.org">www.strongswan.org</a>)</address>
+</td></tr>
+</table>
+</body>
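Review bot: `<bold>` is not an HTML element, so the four CA labels render as plain inline text; use `<strong>Root CA: </strong>` (and likewise for Research, Sales and ECDSA). The document opens `<html>` but never closes it, an omission carried over from the deleted `etc/openssl/index.html`, and the `<h2>strongSwan Certification Authorities</h2>` heading is indented differently from its sibling heading. The page links only four CRLs, while `generate-crl` in the same commit also publishes `strongswan_rfc3779.crl`, `strongswan_sha3_rsa.crl`, `strongswan_ed25519.crl`, `strongswan_monster.crl` and `strongswan_bliss.crl` to the same web root; either link them or add a comment noting they are intentionally unlisted.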
diff --git a/testing/hosts/winnetou/etc/ca/index.txt.template b/testing/hosts/winnetou/etc/ca/index.txt.template
new file mode 100644 (file)
index 0000000..8feccc8
--- /dev/null
@@ -0,0 +1,22 @@
+V      EE_EXPIRATION           01      unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
+V      EE_EXPIRATION           02      unknown /C=CH/O=strongSwan Project/OU=Accounting/CN=dave@strongswan.org
+V      EE_EXPIRATION           03      unknown /C=CH/O=strongSwan Project/CN=moon.strongswan.org
+V      EE_EXPIRATION           04      unknown /C=CH/O=strongSwan Project/CN=sun.strongswan.org
+V      EE_EXPIRATION           05      unknown /C=CH/O=strongSwan Project/OU=Sales/CN=alice@strongswan.org
+V      EE_EXPIRATION           06      unknown /C=CH/O=strongSwan Project/CN=venus.strongswan.org
+V      EE_EXPIRATION           07      unknown /C=CH/O=strongSwan Project/OU=Research/CN=bob@strongswan.org
+R      EE_EXPIRATION   REVOCATION,keyCompromise        08      unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
+V      EE_EXPIRATION           09      unknown /C=CH/O=strongSwan Project/OU=Research/serialNumber=002/CN=carol@strongswan.org
+R      IM_EXPIRATION   REVOCATION,CACompromise 0A      unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
+V      IM_EXPIRATION           0B      unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
+V      IM_EXPIRATION           0C      unknown /C=CH/O=strongSwan Project/OU=Sales/CN=Sales CA
+V      EE_EXPIRATION           0D      unknown /C=CH/O=strongSwan Project/OU=SHA-224/CN=moon.strongswan.org
+V      EE_EXPIRATION           0E      unknown /C=CH/O=strongSwan Project/OU=SHA-384/CN=carol@strongswan.org
+V      EE_EXPIRATION           0F      unknown /C=CH/O=strongSwan Project/OU=SHA-512/CN=dave@strongswan.org
+V      EE_EXPIRATION           10      unknown /C=CH/O=strongSwan Project/OU=OCSP/CN=carol@strongswan.org
+V      EE_EXPIRATION           11      unknown /C=CH/O=strongSwan Project/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+V      EE_EXPIRATION           12      unknown /C=CH/O=strongSwan Project/OU=Virtual VPN Gateway/CN=mars.strongswan.org
+V      EE_EXPIRATION           13      unknown /C=CH/O=strongSwan Project/CN=winnetou.strongswan.org
+V      EE_EXPIRATION           14      unknown /C=CH/O=strongSwan Project/CN=aaa.strongswan.org
+V      IM_EXPIRATION           15      unknown /C=CH/O=strongSwan Project/CN=strongSwan Attribute Authority
+V      SH_EXPIRATION           16      unknown /C=CH/O=strongSwan Project/CN=strongSwan Legacy AA
diff --git a/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
new file mode 100755 (executable)
index 0000000..230bbf3
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+       -rkey ocspKey.pem -rsigner ocspCert.pem \
+       -nmin 5 \
+       -reqin /dev/stdin -respout /dev/stdout | cat
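Review bot: The `Content-type` header is echoed before `openssl ocsp` runs, so any failure of the responder (missing `index.txt`, unreadable `ocspKey.pem`, malformed request) still yields an HTTP 200 with an empty body instead of an error the client can distinguish. The surrounding `cat | ... | cat` pipes are also no-ops, because `-reqin /dev/stdin -respout /dev/stdout` already makes openssl read the request from stdin and write the response to stdout. Writing the response to a temporary file and emitting the header only on success, with a `Status: 500` otherwise, fixes both; the identical pattern in `research/ocsp/ocsp.cgi` and `sales/ocsp/ocsp.cgi` should be updated the same way. `index.txt` is referenced here but only `index.txt.template` is added by this commit, so a comment naming the step that instantiates it (presumably `build-certs`) would help.
```shell
cd /etc/ca

RESP="$(mktemp)"
trap 'rm -f "$RESP"' EXIT
if /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
       -rkey ocspKey.pem -rsigner ocspCert.pem \
       -nmin 5 \
       -reqin /dev/stdin -respout "$RESP"; then
  echo "Content-type: application/ocsp-response"
  echo ""
  cat "$RESP"
else
  echo "Status: 500 Internal Server Error"
  echo ""
fi
```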
diff --git a/testing/hosts/winnetou/etc/ca/research/index.txt.template b/testing/hosts/winnetou/etc/ca/research/index.txt.template
new file mode 100644 (file)
index 0000000..f9ca26b
--- /dev/null
@@ -0,0 +1,4 @@
+V      EE_EXPIRATION           01      unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
+V      EE_EXPIRATION           02      unknown /C=CH/O=strongSwan Project/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V      EE_EXPIRATION           03      unknown /C=CH/O=strongSwan Project/OU=Sales/CN=Sales CA
+V      EE_EXPIRATION           04      unknown /C=CH/O=strongSwan Project/OU=Research/CN=Duck Research CA
diff --git a/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi
new file mode 100755 (executable)
index 0000000..4154f5d
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca/research
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
+       -rkey ocspKey.pem -rsigner ocspCert.pem \
+       -nmin 5 \
+       -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/ca/sales/index.txt.template b/testing/hosts/winnetou/etc/ca/sales/index.txt.template
new file mode 100644 (file)
index 0000000..5bc935f
--- /dev/null
@@ -0,0 +1,3 @@
+V      EE_EXPIRATION           01      unknown /C=CH/O=strongSwan Project/OU=Sales/CN=dave@strongswan.org
+V      EE_EXPIRATION           02      unknown /C=CH/O=strongSwan Project/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+V      EE_EXPIRATION           03      unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi
new file mode 100755 (executable)
index 0000000..05d304d
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca/sales
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
+       -rkey ocspKey.pem -rsigner ocspCert.pem \
+       -nmin 5 \
+       -reqin /dev/stdin -respout /dev/stdout | cat
index d06621a..c3c27cc 100644 (file)
@@ -1,39 +1,39 @@
-dn: o=Linux strongSwan, c=CH
+dn: o=strongSwan Project, c=CH
 objectclass: organization
-o: Linux strongSwan
+o: strongSwan Project
 
-dn: cn=Manager,o=Linux strongSwan, c=CH
+dn: cn=Manager,o=strongSwan Project, c=CH
 objectclass: organizationalRole
 cn: Manager
 
-dn: cn=strongSwan Root CA, o=Linux strongSwan, c=CH
+dn: cn=strongSwan Root CA, o=strongSwan Project, c=CH
 objectClass: organizationalRole
 cn: strongSwan Root CA
 objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/strongswan.crl
-certificateRevocationList;binary:< file:///etc/openssl/strongswan.crl
-cACertificate;binary:< file:///etc/openssl/strongswanCert.der
+authorityRevocationList;binary:< file:///var/www/strongswan.crl
+certificateRevocationList;binary:< file:///var/www/strongswan.crl
+cACertificate;binary:< file:///var/www/strongswanCert.der
 
-dn: ou=Research, o=Linux strongSwan, c=CH
+dn: ou=Research, o=strongSwan Project, c=CH
 objectclass: organizationalUnit
 ou: Research
 
-dn: cn=Research CA, ou=Research, o=Linux strongSwan, c=CH
+dn: cn=Research CA, ou=Research, o=strongSwan Project, c=CH
 objectClass: organizationalRole
 cn: Research CA
 objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/research/research.crl
-certificateRevocationList;binary:< file:///etc/openssl/research/research.crl
-cACertificate;binary:< file:///etc/openssl/research/researchCert.der
+authorityRevocationList;binary:< file:///var/www/research.crl
+certificateRevocationList;binary:< file:///var/www/research.crl
+cACertificate;binary:< file:///var/www/researchCert.der
 
-dn: ou=Sales, o=Linux strongSwan, c=CH
+dn: ou=Sales, o=strongSwan Project, c=CH
 objectclass: organizationalUnit
 ou: Sales
 
-dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
+dn: cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH
 objectClass: organizationalRole
 cn: Sales CA
 objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
-certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
-cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
+authorityRevocationList;binary:< file:///var/www/sales.crl
+certificateRevocationList;binary:< file:///var/www/sales.crl
+cACertificate;binary:< file:///var/www/salesCert.der
index 103d457..17a32c7 100644 (file)
@@ -15,8 +15,8 @@ argsfile      /var/run/openldap/slapd.args
 #######################################################################
 
 database       bdb
-suffix         "o=Linux strongSwan,c=CH"
-rootdn         "cn=Manager,o=Linux strongSwan,c=CH"
+suffix         "o=strongSwan Project,c=CH"
+rootdn         "cn=Manager,o=strongSwan Project,c=CH"
 checkpoint     32      30
 rootpw         tuxmux
 directory      /var/lib/ldap
diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html
deleted file mode 100644 (file)
index 8cbb2c4..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-<html>
-<head>
-  <title>strongSwan Web Services</title>
-  <base target="_self">
-</head>
-
-<body bgcolor="#FFFFFF">
-<table border=0 cellpadding=0 cellspacing=0 width=600>
-
-<tr><td>
-  <h2>strongSwan Certification Authority</h2>
-  <ul>
-    <li>
-      <a href="strongswanCert.pem">Root CA Certificate</a>
-    </li>
-  </ul>
-  <ul>
-    <li>
-      <a href="strongswan.crl">Certificate Revocation List (CRL)</a>
-    </li>
-  </ul>
-
-  <h2>strongSwan Testing Environment</h2>
-  <ul>
-    <li>
-      <a href="testresults/">Test Results</a>
-    </li>
-  </ul>
-  <a href="images/umlArchitecture_large.png" target="_blank">
-    <img src="images/umlArchitecture_small.png" border="0">
-  </a>
-  <hr>
-  <address>Linux strongSwan (<a href="http://www.strongswan.org">www.strongswan.org</a>)</address>
-</td></tr>
-</table>
-</body>
index a69df79..ad718b5 100644 (file)
@@ -1,5 +1,5 @@
 # strongswan.conf - strongSwan configuration file
 
 pki {
-  load = random pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 bliss curve25519 x509
+  load = random pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 bliss curve25519 x509 openssl
 }
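Review bot: The new `load` line still lists `pem` twice (`random pem sha1 ... pkcs8 pem gmp ...`); the duplicate is harmless but should be dropped while the line is being edited: `load = random pem sha1 sha2 sha3 pkcs1 pkcs8 gmp mgf1 bliss curve25519 x509 openssl`. A one-line comment above the section stating why `openssl` is now required on this host (presumably for operations in `generate-crl` or `build-certs` that the other plugins do not cover) would spare the next reader a bisect.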
diff --git a/testing/scripts/build-certs b/testing/scripts/build-certs
new file mode 100755 (executable)
index 0000000..649ea77
--- /dev/null
@@ -0,0 +1,1585 @@
+#!/bin/bash
+
+echo "Building certificates"
+
+# Determine testing directory
+DIR="$(dirname `readlink -f $0`)/.."
+
+# Define some global variables
+PROJECT="strongSwan Project"
+CA_DIR="${DIR}/hosts/winnetou/etc/ca"
+CA_KEY="${CA_DIR}/strongswanKey.pem"
+CA_CERT="${CA_DIR}/strongswanCert.pem"
+CA_CRL="${CA_DIR}/strongswan.crl"
+CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
+CA_CDP="http://crl.strongswan.org/strongswan.crl"
+CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
+CA_OCSP="http://ocsp.strongswan.org:8880"
+#
+START=`date  -d "-2 day"    "+%d.%m.%y %T"`
+SH_END=`date -d "-1 day"    "+%d.%m.%y %T"`    #  1 day
+CA_END=`date -d "+3651 day" "+%d.%m.%y %T"`    # 10 years
+IM_END=`date -d "+3286 day" "+%d.%m.%y %T"`    #  9 years
+EE_END=`date -d "+2920 day" "+%d.%m.%y %T"`    #  8 years
+SH_EXP=`date -d "-1 day"    "+%y%m%d%H%M%SZ"`  #  1 day
+IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"`  #  9 years
+EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"`  #  8 years
+NOW=`date "+%y%m%d%H%M%SZ"`
+#
+RESEARCH_DIR="${CA_DIR}/research"
+RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
+RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
+RESEARCH_CDP="http://crl.strongswan.org/research.crl"
+#
+SALES_DIR="${CA_DIR}/sales"
+SALES_KEY="${SALES_DIR}/salesKey.pem"
+SALES_CERT="${SALES_DIR}/salesCert.pem"
+SALES_CDP="http://crl.strongswan.org/sales.crl"
+#
+DUCK_DIR="${CA_DIR}/duck"
+DUCK_KEY="${DUCK_DIR}/duckKey.pem"
+DUCK_CERT="${DUCK_DIR}/duckCert.pem"
+#
+ECDSA_DIR="${CA_DIR}/ecdsa"
+ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
+ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
+ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
+#
+RFC3779_DIR="${CA_DIR}/rfc3779"
+RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
+RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
+RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
+#
+SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
+SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
+SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
+SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
+#
+ED25519_DIR="${CA_DIR}/ed25519"
+ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
+ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
+ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
+#
+MONSTER_DIR="${CA_DIR}/monster"
+MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
+MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
+MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
+MONSTER_CA_RSA_SIZE="8192"
+MONSTER_EE_RSA_SIZE="4096"
+#
+BLISS_DIR="${CA_DIR}/bliss"
+BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
+BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
+BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
+#
+RSA_SIZE="3072"
+IPSEC_DIR="etc/ipsec.d"
+SWANCTL_DIR="etc/swanctl"
+TKM_DIR="etc/tkm"
+HOSTS="carol dave moon sun alice venus bob"
+TEST_DIR="${DIR}/tests"
+
+# Create directories
+mkdir -p ${CA_DIR}/certs
+mkdir -p ${RESEARCH_DIR}/certs
+mkdir -p ${SALES_DIR}/certs
+mkdir -p ${DUCK_DIR}/certs
+mkdir -p ${ECDSA_DIR}/certs
+mkdir -p ${RFC3779_DIR}/certs
+mkdir -p ${SHA3_RSA_DIR}/certs
+mkdir -p ${ED25519_DIR}/certs
+mkdir -p ${MONSTER_DIR}/certs
+mkdir -p ${BLISS_DIR}/certs
+
+################################################################################
+# strongSwan Root CA                                                           #
+################################################################################
+
+# Generate strongSwan Root CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
+pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
+    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
+    --outform pem > ${CA_CERT}
+
+# Distribute strongSwan Root CA certificate
+for h in ${HOSTS}
+do
+  HOST_DIR="${DIR}/hosts/${h}"
+  cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
+  cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
+done
+
+# Put a copy onto the alice FreeRADIUS server
+cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
+
+# Gernerate a stale CRL
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
+    --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
+
+# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
+TEST="${TEST_DIR}/ikev2/crl-ldap"
+cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${IPSEC_DIR}/crls/stale.crl
+cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${IPSEC_DIR}/crls/stale.crl
+
+# Generate host keys
+for h in ${HOSTS}
+do
+  HOST_DIR="${DIR}/hosts/${h}"
+  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
+  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
+
+  # Put a copy into swanctl directory tree
+  cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
+done
+
+# Convert moon private key and Root CA certificate into DER format
+HOST_KEY=${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem
+TEST="${TEST_DIR}/tkm/host2host-initiator"
+TEST_KEY=${TEST}/hosts/moon/${TKM_DIR}/moonKey.der
+TEST_CERT=${TEST}/hosts/moon/${TKM_DIR}/strongswanCert.der
+openssl rsa -in ${HOST_KEY} -outform der -out ${TEST_KEY} 2> /dev/null
+openssl x509 -in ${CA_CERT} -outform der -out ${TEST_CERT}
+
+# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
+for t in host2host-initiator host2host-responder host2host-xfrmproxy \
+         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
+do
+  TEST="${TEST_DIR}/tkm/${t}"
+  mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
+  cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
+done
+
+# Put DER_encoded sun private key and Root CA certificate into tkm scenarios
+for t in multiple-clients
+do
+  TEST="${TEST_DIR}/tkm/${t}"
+  mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
+  cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
+done
+
+# Convert moon private key into unencrypted PKCS#8 format
+TEST="${TEST_DIR}/ikev2/rw-pkcs8"
+HOST_KEY=${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem
+TEST_KEY=${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem
+openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
+
+# Convert carol private key into v1.5 DES encrypted PKCS#8 format
+HOST_KEY=${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem
+TEST_KEY=${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem
+openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
+              -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
+
+# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
+HOST_KEY=${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem
+TEST_KEY=${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem
+openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
+              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
+
+################################################################################
+# Public Key Extraction                                                        #
+################################################################################
+
+# Extract the raw moon public key for the swanctl/net2net-pubkey scenario
+TEST="${TEST_DIR}/swanctl/net2net-pubkey"
+TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
+HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the ikev2/net2net-pubkey scenario
+TEST="${TEST_DIR}/ikev2/net2net-pubkey"
+cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+
+# Put a copy into the swanctl/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the swanctl/rw-pubkey-keyid scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
+
+# Extract the raw sun public key for the swanctl/net2net-pubkey scenario
+TEST="${TEST_DIR}/swanctl/net2net-pubkey"
+TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
+HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the ikev2/net2net-pubkey scenario
+TEST="${TEST_DIR}/ikev2/net2net-pubkey"
+cp ${TEST_PUB} ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+cp ${TEST_PUB} ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+
+# Put a copy into the swanctl/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Extract the raw carol public key for the swanctl/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
+HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the swanctl/rw-pubkey-keyid scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
+cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Extract the raw dave public key for the swanctl/rw-pubkey-anon scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-anon"
+TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
+HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+# Put a copy into the swanctl/rw-pubkey-keyid scenario
+TEST="${TEST_DIR}/swanctl/rw-pubkey-keyid"
+cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
+cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
+
+################################################################################
+# Host Certificate Generation                                                  #
+################################################################################
+
+# function issue_cert: serial host cn [ou]
+issue_cert()
+{
+  # does optional OU argument exist?
+  if [ -z "${4}" ]
+  then
+    OU=""
+  else
+    OU=" OU=${4},"
+  fi
+
+  HOST_DIR="${DIR}/hosts/${2}"
+  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
+  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
+  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+      --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
+      --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
+      --outform pem > ${HOST_CERT}
+  cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
+
+  # Put a certificate copy into swanctl directory tree
+  cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
+}
+
+# Generate host certificates
+issue_cert 01 carol carol@strongswan.org Research
+issue_cert 02 dave dave@strongswan.org Accounting
+issue_cert 03 moon moon.strongswan.org
+issue_cert 04 sun sun.strongswan.org
+issue_cert 05 alice alice@strongswan.org Sales
+issue_cert 06 venus venus.strongswan.org
+issue_cert 07 bob bob@strongswan.org Research
+
+# Create PKCS#12 file for moon
+TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
+HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+MOON_PKCS12="${TEST}/hosts/moon/etc/ipsec.d/private/moonCert.p12"
+openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
+        -certfile ${CA_CERT} -caname "strongSwan Root CA" \
+        -aes128 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12} 2> /dev/null
+
+# Create PKCS#12 file for sun
+HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
+SUN_PKCS12="${TEST}/hosts/sun/etc/ipsec.d/private/sunCert.p12"
+openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
+        -certfile ${CA_CERT} -caname "strongSwan Root CA" \
+        -aes128 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12} 2> /dev/null
+
+# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
+TEST="${TEST_DIR}/botan/net2net-pkcs12"
+mkdir -p "${TEST}/hosts/moon/etc/swanctl/pkcs12"
+cp ${MOON_PKCS12} "${TEST}/hosts/moon/etc/swanctl/pkcs12"
+mkdir -p "${TEST}/hosts/sun/etc/swanctl/pkcs12"
+cp ${SUN_PKCS12}  "${TEST}/hosts/sun/etc/swanctl/pkcs12"
+
+# Put a PKCS#12 copy into the openssl-ikev2/net2net-pkcs12 scenario
+TEST="${TEST_DIR}/openssl-ikev2/net2net-pkcs12"
+cp ${MOON_PKCS12} "${TEST}/hosts/moon/etc/swanctl/pkcs12"
+cp ${SUN_PKCS12}  "${TEST}/hosts/sun/etc/swanctl/pkcs12"
+
+# Generate a carol certificate for the swanctl/crl-to-cache scenario with base CDP
+TEST="${TEST_DIR}/swanctl/crl-to-cache"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+CN="carol@strongswan.org"
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
+    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+
+# Generate a moon certificate for the swanctl/crl-to-cache scenario with base CDP
+TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+CN="moon.strongswan.org"
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
+    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+
+# Encrypt carolKey.pem
+HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+KEY_PWD="nH5ZQEWtku0RJEZ6"
+openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
+        2> /dev/null
+
+# Put a copy into the ikev2/dynamic-initiator scenario
+TEST="${TEST_DIR}/ikev2/dynamic-initiator"
+cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
+
+# Put a copy into the ikev1/dynamic-initiator scenario
+TEST="${TEST_DIR}/ikev1/dynamic-initiator"
+cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
+
+# Put a copy into the ikev1/dynamic-responder scenario
+TEST="${TEST_DIR}/ikev1/dynamic-responder"
+cp ${HOST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${CA_DIR}/certs/01.pem ${TEST}/hosts/dave/${IPSEC_DIR}/certs/carolCert.pem
+
+# Put a copy into the swanctl/rw-cert scenario
+TEST="${TEST_DIR}/swanctl/rw-cert"
+cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+
+# Generate another carol certificate and revoke it
+TEST="${TEST_DIR}/ikev2/crl-revoked"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="08"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
+    --serial ${SERIAL} > ${CA_CRL}
+cp ${CA_CRL} ${CA_LAST_CRL}
+
+# Put a copy into the ikev2/ocsp-revoked scenario
+TEST="${TEST_DIR}/ikev2/ocsp-revoked"
+cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Generate another carol certificate with SN=002
+TEST="${TEST_DIR}/ikev2/two-certs"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
+SERIAL="09"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Research CA Certificate Generation                                           #
+################################################################################
+
+# Generate a Research CA certificate signed by the Root CA and revoke it
+TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
+SERIAL="0A"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
+    --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
+rm ${CA_LAST_CRL}
+
+# Generate Research CA with the same private key as above signed by Root CA
+SERIAL="0B"
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --outform pem > ${RESEARCH_CERT}
+cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy into the ikev1/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-pathlen scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-multi-level scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-strict-ifuri scenario
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the swanctl/multi-level-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Put a certificate copy into the swanctl/ocsp-multi-level scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Generate Research CA with the same private key as above but invalid CDP
+TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/researchCert.pem"
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
+    --crl "http://crl.strongswan.org/not-available.crl" \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --outform pem > ${TEST_CERT}
+
+################################################################################
+# Sales CA Certificate Generation                                              #
+################################################################################
+
+# Generate Sales CA signed by Root CA
+SERIAL="0C"
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
+    --outform pem > ${SALES_CERT}
+cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy into the ikev1/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev1/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${SALES_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/multi-level-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-multi-level scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the ikev2/ocsp-struct.ifuri scenario
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Put a certificate copy into the swanctl/multi-level-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Put a certificate copy into the swanctl/ocsp-multi-level scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+
+# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
+TEST="${TEST_DIR}/ikev2/strong-keys-certs"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert-sha224.pem"
+KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
+CN="moon.strongswan.org"
+SERIAL="0D"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
+    --digest sha224 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+        2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-aes192.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-sha384.pem"
+KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
+CN="carol@strongswan.org"
+SERIAL="0E"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
+    --digest sha384 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+        2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey-aes256.pem"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert-sha512.pem"
+KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
+CN="dave@strongswan.org"
+SERIAL="0F"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
+    --digest sha512 --outform pem > ${TEST_CERT}
+openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
+        2> /dev/null
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate another carol certificate with an OCSP URI
+TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="10"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
+    --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into the ikev2/ocsp-timeouts-good scenario
+TEST="${TEST_DIR}/ikev2/ocsp-timeouts-good"
+cp ${TEST_KEY}  ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy into the swanctl/ocsp-signer-cert scenario
+TEST="${TEST_DIR}/swanctl/ocsp-signer-cert"
+cp ${TEST_KEY}  ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Put a copy into the swanctl/ocsp-disabled scenario
+TEST="${TEST_DIR}/swanctl/ocsp-disabled"
+cp ${TEST_KEY}  ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Generate an OCSP Signing certificate for the strongSwan Root CA
+TEST_KEY="${CA_DIR}/ocspKey.pem"
+TEST_CERT="${CA_DIR}/ocspCert.pem"
+CN="ocsp.strongswan.org"
+OU="OCSP Signing Authority"
+SERIAL="11"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate a self-signed OCSP Signing certificate
+TEST_KEY="${CA_DIR}/ocspKey-self.pem"
+TEST_CERT="${CA_DIR}/ocspCert-self.pem"
+OU="OCSP Self-Signed Authority"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
+    --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
+    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+
+# Copy self-signed OCSP Signing certificate to ikev2/ocsp-local-cert scenario
+TEST="${TEST_DIR}/ikev2/ocsp-local-cert"
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/ocspcerts
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/ocspcerts
+
+# Generate mars virtual server certificate
+TEST="${TEST_DIR}/ha/both-active"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/marsKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/marsCert.pem"
+CN="mars.strongswan.org"
+OU="Virtual VPN Gateway"
+SERIAL="12"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --flag serverAuth --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into the mirrored gateway
+mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/alice/${IPSEC_DIR}/certs
+cp ${TEST_KEY}  ${TEST}/hosts/alice/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/alice/${IPSEC_DIR}/certs
+
+# Put a copy into the ha/active-passive and ikev2-redirect-active scenarios
+for t in "ha/active-passive" "ikev2/redirect-active"
+do
+  TEST="${TEST_DIR}/${t}"
+  for h in alice moon
+  do
+    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/private
+    mkdir -p ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
+    cp ${TEST_KEY}  ${TEST}/hosts/${h}/${IPSEC_DIR}/private
+    cp ${TEST_CERT} ${TEST}/hosts/${h}/${IPSEC_DIR}/certs
+  done
+done
+
+# Generate winnetou server certificate
+HOST_KEY="${CA_DIR}/winnetouKey.pem"
+HOST_CERT="${CA_DIR}/winnetouCert.pem"
+CN="winnetou.strongswan.org"
+SERIAL="13"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --flag serverAuth --outform pem > ${HOST_CERT}
+cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate AAA server certificate
+TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
+TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
+TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
+CN="aaa.strongswan.org"
+SERIAL="14"
+cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
+mkdir -p rsa x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --flag serverAuth --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy into various tnc scenarios
+for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
+do
+  cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
+  mkdir -p rsa x509
+  cp ${TEST_KEY}  rsa
+  cp ${TEST_CERT} x509
+done
+
+# Put a copy into the alice FreeRADIUS server
+cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
+
+################################################################################
+# strongSwan Attribute Authority                                               #
+################################################################################
+
+# Generate Attritbute Authority certificate
+TEST="${TEST_DIR}/ikev2/acert-cached"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
+CN="strongSwan Attribute Authority"
+SERIAL="15"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Generate carol's attribute certificate for sales and finance
+ACERT=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/carol-sales-finance.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/01.pem --group sales --group finance \
+    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
+
+# Generate dave's expired attribute certificate for sales
+ACERT=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-sales-expired.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/02.pem --group sales \
+    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
+
+# Generate dave's attribute certificate for marketing
+ACERT_DM=${TEST}/hosts/moon/${IPSEC_DIR}/acerts/dave-marketing.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/02.pem --group marketing \
+    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
+
+# Put a copy into the ikev2/acert-fallback scenario
+TEST="${TEST_DIR}/ikev2/acert-fallback"
+cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+
+# Generate carol's expired attribute certificate for finance
+ACERT=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-finance-expired.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/01.pem --group finance \
+    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}
+
+# Generate carol's valid attribute certificate for sales
+ACERT_CS=${TEST}/hosts/carol/${IPSEC_DIR}/acerts/carol-sales.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/01.pem --group sales \
+    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
+
+# Put a copy into the ikev2/acert-inline scenarion
+TEST="${TEST_DIR}/ikev2/acert-inline"
+cp ${TEST_KEY}  ${TEST}/hosts/moon/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/aacerts
+cp ${ACERT_CS}  ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
+cp ${ACERT_DM}  ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
+
+# Generate a short-lived Attritbute Authority certificate
+CN="strongSwan Legacy AA"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
+SERIAL="16"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
+
+# Genrate dave's attribute certificate for sales from expired AA
+ACERT=${TEST}/hosts/dave/${IPSEC_DIR}/acerts/dave-expired-aa.pem
+pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
+    --in ${CA_DIR}/certs/02.pem --group sales \
+    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
+
+################################################################################
+# strongSwan Root CA index for OCSP server                                     #
+################################################################################
+
+# generate index.txt file for Root OCSP server
+cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
+sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
+
+################################################################################
+# Research CA                                                                  #
+################################################################################
+
+# Generate a carol research certificate
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ikev2/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-revoked scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-revoked"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-skipped scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-skipped"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/ocsp-multilevel scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
+
+# Put a copy in the swanctl/multilevel-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Put a copy in the swanctl/ocsp-multilevel scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+
+# Generate a carol research certificate without a CDP
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
+
+# Generate an OCSP Signing certificate for the Research CA
+TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
+TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
+OU="Research OCSP Signing Authority"
+CN="ocsp.research.strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Generate a Sales CA certificate signed by the Research CA
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/sales_by_researchCert.pem"
+SERIAL="03"
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
+    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Duck Research CA                                                                     #
+################################################################################
+
+# Generate a Duck Research CA certificate signed by the Research CA
+SERIAL="04"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
+pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
+    --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
+    --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
+cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
+
+# Put a certificate copy in the ikev2/multilevel-ca-pathlen scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-pathlen"
+cp ${DUCK_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+
+# Generate a carol certificate signed by the Duck Research CA
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
+    --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
+
+# Generate index.txt file for Research OCSP server
+cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
+
+################################################################################
+# Sales CA                                                                     #
+################################################################################
+
+# Generate a dave sales certificate
+TEST="${TEST_DIR}/ikev2/multi-level-ca"
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
+    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ikev2/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-ldap scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-ldap"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/multilevel-ca-strict scenario
+TEST="${TEST_DIR}/ikev2/multi-level-ca-strict"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev2/ocsp-multilevel scenario
+TEST="${TEST_DIR}/ikev2/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-init scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-init"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the ikev1/multilevel-ca-cr-resp scenario
+TEST="${TEST_DIR}/ikev1/multi-level-ca-cr-resp"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
+
+# Put a copy in the swanctl/multilevel-ca scenario
+TEST="${TEST_DIR}/swanctl/multi-level-ca"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+
+# Put a copy in the swanctl/ocsp-multilevel scenario
+TEST="${TEST_DIR}/swanctl/ocsp-multi-level"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+
+# Generate a dave sales certificate with an inactive OCSP URI and no CDP
+TEST="${TEST_DIR}/ikev2/ocsp-strict-ifuri"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.pem"
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
+    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private
+
+# Generate an OCSP Signing certificate for the Sales CA
+TEST_KEY="${SALES_DIR}/ocspKey.pem"
+TEST_CERT="${SALES_DIR}/ocspCert.pem"
+OU="Sales OCSP Signing Authority"
+CN="ocsp.sales.strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
+    --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# Generate a Research CA certificate signed by the Sales CA
+TEST="${TEST_DIR}/ikev2/multi-level-ca-loop"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/research_by_salesCert.pem"
+SERIAL="03"
+pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
+    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
+    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
+
+# generate index.txt file for Sales OCSP server
+cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
+sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
+
+################################################################################
+# strongSwan EC Root CA                                                        #
+################################################################################
+
+# Generate strongSwan EC Root CA
+pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
+pki --self --type ecdsa --in ${ECDSA_KEY} \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
+    --outform pem > ${ECDSA_CERT}
+
+# Put a copy in the openssl-ikev2/ecdsa-certs scenario
+TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
+cp ${ECDSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${ECDSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${ECDSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a moon ECDSA 521 bit certificate
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
+    --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol ECDSA 256 bit certificate
+CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
+CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="02"
+pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+    --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
+    --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
+cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave ECDSA 384 bit certificate
+DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
+DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="03"
+pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
+pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
+    --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
+    --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
+cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
+
+# Put CA and EE certificate copies in the openssl-ikev2/rw-ecdsa-pkcs8 scenario
+TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
+cp ${ECDSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${MOON_CERT}  ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${ECDSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+cp ${ECDSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+cp ${DAVE_CERT}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+
+# Convert moon private key into unencrypted PKCS#8 format
+TEST_KEY=${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem
+openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
+
+# Convert carol private key into v1.5 DES encrypted PKCS#8 format
+TEST_KEY=${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem
+openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
+              -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
+
+# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
+TEST_KEY=${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem
+openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8  -v2 aes128 \
+              -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
+
+# Put CA and EE certificate copies in the openssl-ikev1/rw-ecdsa-certs scenario
+TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
+cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${MOON_KEY}   ecdsa
+cp ${MOON_CERT}  x509
+cp ${ECDSA_CERT} x509ca
+cd ${TEST}/hosts/carol/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${CAROL_KEY}  ecdsa
+cp ${CAROL_CERT} x509
+cp ${ECDSA_CERT} x509ca
+cd ${TEST}/hosts/dave/${SWANCTL_DIR}
+mkdir -p ecdsa x509 x509ca
+cp ${DAVE_KEY}   ecdsa
+cp ${DAVE_CERT}  x509
+cp ${ECDSA_CERT} x509ca
+
+################################################################################
+# strongSwan RFC3779 Root CA                                                   #
+################################################################################
+
+# Generate strongSwan RFC3779 Root CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
+pki --self --type rsa --in ${RFC3779_KEY} \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
+    --addrblock "10.1.0.0-10.2.255.255" \
+    --addrblock "10.3.0.1-10.3.3.232" \
+    --addrblock "192.168.0.0/24" \
+    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
+    --outform pem > ${RFC3779_CERT}
+
+# Put a copy in the ikev2/net2net-rfc3779 scenario
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
+cp ${RFC3779_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts
+cp ${RFC3779_CERT} ${TEST}/hosts/sun/${IPSEC_DIR}/cacerts
+
+# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
+TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a moon RFC3779 certificate
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/moon/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
+    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ipv6 scenarios
+for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
+do
+  cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
+  mkdir -p rsa x509 x509ca
+  cp ${TEST_KEY}  rsa
+  cp ${TEST_CERT} x509
+  cp ${RFC3779_CERT} x509ca
+done
+
+# Generate a sun RFC3779 certificate
+TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
+TEST_KEY="${TEST}/hosts/sun/${IPSEC_DIR}/private/sunKey.pem"
+TEST_CERT="${TEST}/hosts/sun/${IPSEC_DIR}/certs/sunCert.pem"
+CN="sun.strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/private
+mkdir -p ${TEST}/hosts/sun/${IPSEC_DIR}/certs
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
+    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
+cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
+mkdir -p rsa x509 x509ca
+cp ${TEST_KEY} rsa
+cp ${TEST_CERT} x509
+cp ${RFC3779_CERT} x509ca
+
+# Generate a carol RFC3779 certificate
+TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
+    --addrblock "fec0::10/128" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol RFC3779 certificate
+TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="04"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
+    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
+    --addrblock "fec0::20/128" \
+    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# strongSwan SHA3-RSA Root CA                                                  #
+################################################################################
+
+# Generate strongSwan SHA3-RSA Root CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
+pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
+    --outform pem > ${SHA3_RSA_CERT}
+
+# Put a copy in the swanctl/net2net-sha3-rsa-cert scenario
+TEST="${TEST_DIR}/swanctl/net2net-sha3-rsa-cert"
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
+
+# Generate a sun SHA3-RSA certificate
+SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
+SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
+CN="sun.strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
+cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a moon SHA3-RSA certificate
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the botan/net2net-sha3-rsa-cert scenario
+TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
+cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+mkdir -p rsa x509 x509ca
+cp ${MOON_KEY}      rsa
+cp ${MOON_CERT}     x509
+cp ${SHA3_RSA_CERT} x509ca
+cd ${TEST}/hosts/sun/${SWANCTL_DIR}
+mkdir -p rsa x509 x509ca
+cp ${SUN_KEY}       rsa
+cp ${SUN_CERT}      x509
+cp ${SHA3_RSA_CERT} x509ca
+
+# Put a copy in the swanctl/rw-eap-tls-sha3-rsa scenario
+TEST="${TEST_DIR}/swanctl/rw-eap-tls-sha3-rsa"
+cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
+cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${SHA3_RSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a carol SHA3-RSA certificate
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="03"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave SHA3-RSA certificate
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="04"
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
+    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# strongSwan Ed25519 Root CA                                                   #
+################################################################################
+
+# Generate strongSwan Ed25519 Root CA
+pki --gen  --type ed25519 --outform pem > ${ED25519_KEY}
+pki --self --type ed25519 --in ${ED25519_KEY} \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
+    --outform pem > ${ED25519_CERT}
+
+# Put a copy in the swanctl/net2net-ed25519 scenario
+TEST="${TEST_DIR}/swanctl/net2net-ed25519"
+cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
+
+# Generate a sun Ed25519 certificate
+SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
+SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
+CN="sun.strongswan.org"
+SERIAL="01"
+pki --gen --type ed25519 --outform pem > ${SUN_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
+cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+# Generate a moon Ed25519 certificate
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="02"
+pki --gen --type ed25519 --outform pem > ${MOON_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the botan/net2net-ed25519 scenario
+TEST="${TEST_DIR}/botan/net2net-ed25519"
+cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+mkdir -p pkcs8 x509 x509ca
+cp ${MOON_KEY}     pkcs8
+cp ${MOON_CERT}    x509
+cp ${ED25519_CERT} x509ca
+cd ${TEST}/hosts/sun/${SWANCTL_DIR}
+mkdir -p pkcs8 x509 x509ca
+cp ${SUN_KEY}      pkcs8
+cp ${SUN_CERT}     x509
+cp ${ED25519_CERT} x509ca
+
+# Put a copy in the ikev2/net2net-ed25519 scenario
+TEST="${TEST_DIR}/ikev2/net2net-ed25519"
+cd ${TEST}/hosts/moon/${IPSEC_DIR}
+mkdir -p cacerts certs private
+cp ${MOON_KEY}     private
+cp ${MOON_CERT}    certs
+cp ${ED25519_CERT} cacerts
+cd ${TEST}/hosts/sun/${IPSEC_DIR}
+mkdir -p cacerts certs private
+cp ${SUN_KEY}      private
+cp ${SUN_CERT}     certs
+cp ${ED25519_CERT} cacerts
+
+# Put a copy in the swanctl/rw-ed25519-certpol scenario
+TEST="${TEST_DIR}/swanctl/rw-ed25519-certpol"
+cp ${MOON_KEY}     ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
+cp ${MOON_CERT}    ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${ED25519_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${ED25519_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a carol Ed25519 certificate
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="03"
+pki --gen --type ed25519 --outform pem > ${TEST_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave Ed25519 certificate
+TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
+TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="04"
+pki --gen --type ed25519 --outform pem > ${TEST_KEY}
+pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
+    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
+    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# strongSwan Monster Root CA                                                   #
+################################################################################
+
+# Generate strongSwan Monster Root CA
+pki --gen  --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
+pki --self --type rsa --in ${MONSTER_KEY} \
+    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
+    --outform pem > ${MONSTER_CERT}
+
+# Put a copy in the ikev2/after-2038-certs scenario
+TEST="${TEST_DIR}/ikev2/after-2038-certs"
+cp ${MONSTER_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
+cp ${MONSTER_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/
+
+# Generate a moon Monster certificate
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.pem"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
+    --in ${TEST_KEY} --san ${CN} \
+    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
+    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol Monster certificate
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="02"
+pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
+    --in ${TEST_KEY} --san ${CN} \
+    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
+    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
+
+################################################################################
+# Bliss CA                                                                     #
+################################################################################
+
+# Generate BLISS Root CA with 192 bit security strength
+pki --gen  --type bliss --size 4 > ${BLISS_KEY}
+pki --self --type bliss --in ${BLISS_KEY} --digest sha3_512 \
+    --not-before "${START}" --not-after "${CA_END}" --ca \
+    --dn "C=CH, O=${PROJECT}, CN=strongSwan BLISS Root CA" > ${BLISS_CERT}
+
+# Put a copy in the ikev2/rw-newhope-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
+cp ${BLISS_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/
+cp ${BLISS_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/
+cp ${BLISS_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+cp ${BLISS_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/cacerts/
+cp ${BLISS_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/cacerts/
+cp ${BLISS_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/cacerts/
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+cp ${BLISS_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca/
+cp ${BLISS_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca/
+cp ${BLISS_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/
+
+# Generate a carol BLISS certificate with 128 bit security strength
+TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
+TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey.der"
+TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert.der"
+CN="carol@strongswan.org"
+SERIAL="01"
+pki --gen --type bliss --size 1 > ${TEST_KEY}
+pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS I, CN=${CN}" \
+    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
+cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private/
+cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs/
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/bliss/
+cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509/
+
+# Generate a dave BLISS certificate with 160 bit security strength
+TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
+TEST_KEY="${TEST}/hosts/dave/${IPSEC_DIR}/private/daveKey.der"
+TEST_CERT="${TEST}/hosts/dave/${IPSEC_DIR}/certs/daveCert.der"
+CN="dave@strongswan.org"
+SERIAL="02"
+pki --gen --type bliss --size 3 > ${TEST_KEY}
+pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS III, CN=${CN}" \
+    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
+cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${IPSEC_DIR}/private/
+cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs/
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/bliss/
+cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509/
+
+# Generate a moon BLISS certificate with 192 bit security strength
+TEST="${TEST_DIR}/ikev2/rw-newhope-bliss"
+TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey.der"
+TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/certs/moonCert.der"
+CN="moon.strongswan.org"
+SERIAL="03"
+pki --gen --type bliss --size 4 > ${TEST_KEY}
+pki --issue --cakey ${BLISS_KEY} --cacert ${BLISS_CERT} --type bliss \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=BLISS IV, CN=${CN}" \
+    --crl ${BLISS_CDP} --digest sha3_512 > ${TEST_CERT}
+cp ${TEST_CERT} ${BLISS_DIR}/certs/${SERIAL}.der
+
+# Put a copy in the ikev2/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/ikev2/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/moon/${IPSEC_DIR}/private/
+cp ${TEST_CERT} ${TEST}/hosts/moon/${IPSEC_DIR}/certs/
+
+# Put a copy in the swanctl/rw-ntru-bliss scenario
+TEST="${TEST_DIR}/swanctl/rw-ntru-bliss"
+cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/bliss/
+cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509/
index 5116d09..2309123 100755 (executable)
@@ -65,8 +65,9 @@ do
                echo "/testresults /var/www/testresults 9p trans=virtio,version=9p2000.L 0 0" >> $LOOPDIR/etc/fstab
                execute_chroot "a2enmod -q cgid" 0
                execute_chroot "a2enmod -q rewrite" 0
-               execute_chroot "ln -s /etc/openssl/certs /var/www/certs" 0
-               execute_chroot "/etc/openssl/generate-crl" 0
+               execute_chroot "mkdir /var/www/certs" 0
+               execute_chroot "mkdir /var/www/certs/research /var/www/certs/sales" 0
+               execute_chroot "/etc/ca/generate-crl" 0
                execute_chroot "rm -rf /var/lib/ldap/*" 0
                execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
                execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
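Review bot: The two new `mkdir` calls are not idempotent: `mkdir /var/www/certs` fails with a nonzero status when the directory (or the `/var/www/certs` symlink the removed `ln -s` line used to create on an existing image) is already present, and if the trailing `0` is the expected exit status, as it appears to be, that aborts the image build. Collapsing them into one idempotent call, `execute_chroot "mkdir -p /var/www/certs/research /var/www/certs/sales" 0`, creates the parent as well and tolerates reruns. Note also that `/var/www/certs` is now a real, Apache-served directory rather than a symlink into the CA tree, so whatever `/etc/ca/generate-crl` (not visible here) copies into it is what the OCSP/CRL vhost publishes; presumably only certificates and CRLs, but worth confirming no private key material is placed there.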
diff --git a/testing/tests/botan/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/botan/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644 (file)
index 1454ec5..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/botan/rw-ecp256/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/botan/rw-ecp256/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644 (file)
index 1454ec5..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/botan/rw-modp3072/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/botan/rw-modp3072/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644 (file)
index 1454ec5..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
index 73e1706..8421527 100644 (file)
@@ -16,6 +16,6 @@ conn alice
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        rightsubnet=PH_IP_ALICE/32
        auto=add
index 7140bef..953fa18 100644 (file)
@@ -16,6 +16,6 @@ conn venus
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        rightsubnet=PH_IP_VENUS/32
        auto=add
index 2571696..998fa3f 100644 (file)
@@ -22,12 +22,12 @@ conn alice
        leftsubnet=PH_IP_ALICE/32
        right=PH_IP_CAROL
        rightid=carol@strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=PH_IP_DAVE
        rightid=dave@strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
index 96da6db..43cbb47 100644 (file)
@@ -13,7 +13,7 @@ conn %default
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
index bafec31..0cef26c 100644 (file)
@@ -13,7 +13,7 @@ conn %default
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn venus
        rightsubnet=PH_IP_VENUS/32
index 7bae1ab..f6224ed 100644 (file)
@@ -21,11 +21,11 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
index 3df94ba..09dfafc 100644 (file)
@@ -13,12 +13,12 @@ conn %default
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
index 2838911..8f1609e 100644 (file)
@@ -13,12 +13,12 @@ conn %default
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
index 2dfd40f..ec45854 100644 (file)
@@ -21,11 +21,11 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
        auto=add
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem
deleted file mode 100644 (file)
index fbfa7ee..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
-Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD
-Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH
-hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP
-dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L
-lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/
-QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N
-jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2
-bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM
-ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik
-gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02
-R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA
-6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g
-91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
new file mode 100644 (file)
index 0000000..fbfa7ee
--- /dev/null
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem
deleted file mode 100644 (file)
index a4e0017..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF
-FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA
-Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY
-zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT
-jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf
-+7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+
-eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz
-d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn
-DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB
-01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot
-mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK
-vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM
-lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH
-mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i
-xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf
-3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo
-vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/
-zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S
-Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ
-3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV
-oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+
-XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N
-GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV
-2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3
-RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aaKey.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aaKey.pem
new file mode 100644 (file)
index 0000000..a4e0017
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
index e5b8d29..43c6959 100644 (file)
@@ -7,5 +7,5 @@ dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/acerts/carol-sales-finance.pem
 moon::rm /etc/ipsec.d/acerts/dave-sales-expired.pem
 moon::rm /etc/ipsec.d/acerts/dave-marketing.pem
-moon::rm /etc/ipsec.d/private/aa.pem
-moon::rm /etc/ipsec.d/aacerts/aa.pem
+moon::rm /etc/ipsec.d/private/aaKey.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-cached/reissue.txt b/testing/tests/ikev2/acert-cached/reissue.txt
deleted file mode 100644 (file)
index 6ab98f1..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# Carols acert for sales and finance
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
-       --in ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
-       --group sales --group finance -l 87600 -f pem \
-       > hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem
-
-# Daves acert for marketing
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
-       --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
-       --group marketing -l 87600 -f pem \
-       > hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem
-
-# Daves expired acert for sales
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
-       --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
-       --group sales -F "01.01.13 08:00:00" -l 240 -f pem \
-       > hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem
deleted file mode 100644 (file)
index fbfa7ee..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
-Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD
-Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH
-hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP
-dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L
-lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/
-QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N
-jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2
-bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM
-ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik
-gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02
-R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA
-6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g
-91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
new file mode 100644 (file)
index 0000000..fbfa7ee
--- /dev/null
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD
+Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH
+hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP
+dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L
+lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/
+QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N
+jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2
+bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM
+ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik
+gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02
+R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA
+6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g
+91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ==
+-----END CERTIFICATE-----
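Review bot: This attribute-authority certificate is only renamed, not regenerated: the DER in the body decodes to issuer `C=CH, O=Linux strongSwan, CN=strongSwan Root CA`, what appears to be a sha1WithRSAEncryption signature, and a validity window of 2014-02-07 to 2022-04-26, while the rest of the commit replaces that root and its `O=Linux strongSwan` DN with freshly generated `O=strongSwan Project` certificates. Once that notAfter passes, the acert-fallback scenario will fail on the AA certificate itself no matter what acerts it has issued, and if the daemon chains aacerts to a trusted root (I cannot confirm that from here) it already chains to a CA the new images no longer install. Suggest adding an Attribute Authority section to build-certs that issues `aaCert.pem` from the fresh Root CA with `--not-before "${START}" --not-after "${EE_END}"` and regenerates carol's acerts with `pki --acert`, as the deleted reissue.txt recipe did, instead of carrying the static file forward.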
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem
deleted file mode 100644 (file)
index a4e0017..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF
-FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA
-Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY
-zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT
-jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf
-+7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+
-eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz
-d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn
-DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB
-01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot
-mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK
-vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM
-lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH
-mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i
-xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf
-3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo
-vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/
-zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S
-Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ
-3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV
-oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+
-XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N
-GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV
-2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3
-RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aaKey.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aaKey.pem
new file mode 100644 (file)
index 0000000..a4e0017
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
index 2ccb86a..b90119c 100644 (file)
@@ -4,5 +4,5 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/acerts/carol-sales.pem
 carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
-moon::rm /etc/ipsec.d/private/aa.pem
-moon::rm /etc/ipsec.d/aacerts/aa.pem
+moon::rm /etc/ipsec.d/private/aaKey.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-fallback/reissue.txt b/testing/tests/ikev2/acert-fallback/reissue.txt
deleted file mode 100644 (file)
index 2e1cd68..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-# Carols expired acert for finance
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
-       --in ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
-       --group finance -F "01.01.13 08:00:00" -l 240 -f pem \
-       > ./hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem
-
-# Carols valid acert for sales
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
-       --in ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
-       --group sales -l 87600 -f pem \
-       > hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
index 1363354..cf0e7be 100644 (file)
@@ -3,9 +3,9 @@ dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.s
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
-carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
-dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
-dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES
+carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=strongSwan Project, CN=strongSwan Legacy AA\"::YES
 dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem
deleted file mode 100644 (file)
index 20336fd..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDJzCCAg+gAwIBAgIIKiJDZY0XfQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
-Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDYwOTQ4NTJaFw0xNDAyMDcwOTQ4NTJaMD0x
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRMwEQYDVQQD
-EwpleHBpcmVkIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0s5R
-X2Y9KUSoNewtwOhQunET9VRGrVYS+xDewmIuAHZt4jhbETSHS+r/qipV4mI+/orS
-zma0+GVcDwbHRT3oDCrpG/DMpPznki+OzHT9e/HHk0yxb0Ti6vDDbZOM8y3r7ak0
-Dcq6BgGwPxwIW2u1YHRTj4yxlr5wj9iKU1SQGCwZIQZmjqrjoQlcrThIXju2bqN3
-SOjuaN6A2GAvcbb/IeQEm8HBqulmyBuGV7Gk9umG/nr61rulNxEp+3Dsce5mv7JR
-dX5W8P6pv38A/f31Bh/EetEkv8qdnkH0aVAvd8Kb2yxc8Ofdu0kJNoPHGjrnSywl
-kPh3z2pw6nOFpyFHoQIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2bbO1
-5eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAh9Sxryf5ip00ykCMStDYzQk27l4N
-ncjU19RJqjrCuHupvWPJ+aYQFvssAnGGuK2rbw3rzVQba/Vn/o5d5wr1gxRtNQjv
-z60jbqllmjF0TWvPf/CM/5LVAQJs2x5Mqtvy3pbNvetFHjZrzVDobdVJpqzaZGnh
-oP0+HUMdE+fyLa0LfaRKYNv7r/vxvzsHZvgJawHK1b/2VWtrkIMyhAgHYViih06j
-2bfVI/f5tk7/UljzLOCB22IFIn05wh4jyKq6az7B2Xu1Kk0/eA12eRqG134P8OYe
-hAPcuj4QEDwV0ESw5cueD2I0MxbXuH2vBG5ziSBfw2Phj7f9iYurmMsZew==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem
deleted file mode 100644 (file)
index fbfa7ee..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
-Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD
-Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH
-hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP
-dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L
-lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/
-QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N
-jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2
-bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM
-ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik
-gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02
-R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA
-6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g
-91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert-expired.pem
new file mode 100644 (file)
index 0000000..20336fd
--- /dev/null
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
new file mode 100644 (file)
index 0000000..fbfa7ee
--- /dev/null
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem
deleted file mode 100644 (file)
index 0e694c4..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0s5RX2Y9KUSoNewtwOhQunET9VRGrVYS+xDewmIuAHZt4jhb
-ETSHS+r/qipV4mI+/orSzma0+GVcDwbHRT3oDCrpG/DMpPznki+OzHT9e/HHk0yx
-b0Ti6vDDbZOM8y3r7ak0Dcq6BgGwPxwIW2u1YHRTj4yxlr5wj9iKU1SQGCwZIQZm
-jqrjoQlcrThIXju2bqN3SOjuaN6A2GAvcbb/IeQEm8HBqulmyBuGV7Gk9umG/nr6
-1rulNxEp+3Dsce5mv7JRdX5W8P6pv38A/f31Bh/EetEkv8qdnkH0aVAvd8Kb2yxc
-8Ofdu0kJNoPHGjrnSywlkPh3z2pw6nOFpyFHoQIDAQABAoIBAQCRRwiDM2VhBGTc
-THi3oiLIaldz0fGnUVNhXR33XkwPm45cwbPY5pd7NWeecPChRE3fg/KFtfhv2wKX
-hHdd+6zofcYKsGeIKJa6gzXpJ5LtkRGWLNt3MEUl3mkAIhiYGoSmU96Axr5ul0lM
-JNiJkG/+GgzgN/jHR1UxfOzPQs7PKIyzCE2N0v8dRxHWeyPCRxSavlhAoQKjWxCe
-FfVBzLi+L1faidcwf4GWyeTfhvALXQnQGgVPH6PX0z3mwaeYHPWVXWJGcaF0bi3H
-HaEb2YexTDkEVU0PUVYO40OgtmKVLmi5t+ZP+/dFasy9elzgM3sSmVc7IBp6BBCH
-NgUcWcf1AoGBAOiti9raozwdA/wHAMaCCbgXq8Dg0+3LYnb0ob7w8OaHRl4Mvpup
-7MtxPGmr9IOddf8/49+L9STsioMllGt0TrkMrlKyg/eglGMalvbJmUYw1kERtQZw
-0CYYE8DXR3fvN+eMl1maZ4Wf048UugWQhsRGzOyUKcMXhAlIXwTevnCfAoGBAOfv
-isxrw5vttRxfszZaWeomos9bk6NA9FJYG1rS6ocR+Ww2OpQSJVTmbjpYv1lTb9yr
-PvcZtPbWP/6g8kjPTQQ+ZnJQB4RpWek0KlxwxC6JW5HzqMJFn68zX4/jE5kXqVow
-Y+Sfgrkr4QXX8vjzp9GFRhAW6bA5DlswqH7XmB+/AoGARHYDx3I7Q026RWZ+GOpc
-F7mHRKoiUT5di2ixSrA0AXBeCQAw+TZHQRjhUKpSuIMVG/RdhQH2MFYU7z+YawF+
-xD3x8M0rvSmXX42MS7LHkXp/IAgovmtlI0BEV6JAGg7d4Rhh0/B1c0Cyi8/qaAa9
-UHUQiK+Tlh6OL/kGVDWBzTsCgYBTW5Jk+e4pontPIU4FoN9j+lLVd7JOIFAvMB9U
-uy0zMlCUhcDz6rmkE9VV/wN2lThE9P8CTCjv9fy2BR5O8MJbXhnvx7eL7Vk1KVx4
-MMcxeoiAojPq7p7/ltUnn5MxmIFzOqUMTA/tgUm0kfJvaxLLiLyvl6yRe1AfkhNc
-0xuHfQKBgQCyQEcvtmR1Qx82ob5uTvBbKFDbSniiJMi9kgMk266PNRdg85Q4RC7X
-j5KNALOb5u2oMT6/Hzi4KruDBc/6viXRuMYM+L1JIy8y6wcVjCQetxyUIGgc9Ouh
-59bOkD+SOth52Y+AYFyCaJOSoTFHlTcLwCvk9gVdbgVYJi7/jyohSQ==
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem
deleted file mode 100644 (file)
index a4e0017..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF
-FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA
-Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY
-zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT
-jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf
-+7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+
-eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz
-d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn
-DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB
-01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot
-mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK
-vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM
-lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH
-mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i
-xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf
-3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo
-vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/
-zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S
-Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ
-3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV
-oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+
-XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N
-GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV
-2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3
-RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey-expired.pem
new file mode 100644 (file)
index 0000000..0e694c4
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aaKey.pem
new file mode 100644 (file)
index 0000000..a4e0017
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
index a0ef984..bd2272b 100644 (file)
@@ -7,7 +7,7 @@ dave::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/acerts/carol-sales.pem
 dave::rm /etc/ipsec.d/acerts/dave-expired-aa.pem
 dave::rm /etc/ipsec.d/acerts/dave-marketing.pem
-moon::rm /etc/ipsec.d/private/aa-expired.pem
-moon::rm /etc/ipsec.d/private/aa.pem
-moon::rm /etc/ipsec.d/aacerts/aa-expired.pem
-moon::rm /etc/ipsec.d/aacerts/aa.pem
+moon::rm /etc/ipsec.d/private/aaKey-expired.pem
+moon::rm /etc/ipsec.d/private/aaKey.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert-expired.pem
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/ikev2/acert-inline/reissue.txt b/testing/tests/ikev2/acert-inline/reissue.txt
deleted file mode 100644 (file)
index 994fa0f..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# Carols sales acert
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem --in \
-       ../../../hosts/carol/etc/ipsec.d/certs/carolCert.pem \
-       --group sales -l 87600 -f pem \
-       > hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
-
-# Daves marketing acert
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa.pem \
-       --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
-       --group marketing -l 87600 -f pem
-       > hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem
-
-# Daves sales acert from expired AA
-pki --acert \
-       --issuercert hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem \
-       --issuerkey hosts/moon/etc/ipsec.d/private/aa-expired.pem \
-       --in ../../../hosts/dave/etc/ipsec.d/certs/daveCert.pem \
-       --group sales -l 87600 -f pem \
-       > hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem
index c232c43..25b05f7 100644 (file)
@@ -16,7 +16,7 @@ conn %default
        left=%any
        leftcert=bobCert.pem
 
-conn sun 
+conn sun
        right=PH_IP_SUN1
-       rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
        auto=route
index 17fcf0a..c44c6bb 100644 (file)
@@ -18,10 +18,10 @@ conn %default
 
 conn alice
        right=PH_IP_ALICE
-       rightid="C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org"
+       rightid="C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org"
        auto=route
 
-conn sun 
+conn sun
        right=PH_IP_SUN
-       rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
        auto=route
index 69ba420..1c9a7c4 100644 (file)
@@ -6,7 +6,7 @@ config setup
 
 ca strongswan
        cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
        auto=add
 
 conn %default
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
deleted file mode 100644 (file)
index 75e8b09..0000000
Binary files a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl and /dev/null differ
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/stale.crl b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/stale.crl
new file mode 100644 (file)
index 0000000..75e8b09
Binary files /dev/null and b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/stale.crl differ
index 25656cb..57fb7dd 100644 (file)
@@ -6,7 +6,7 @@ config setup
 
 ca strongswan
        cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
        auto=add
 
 conn %default
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
deleted file mode 100644 (file)
index 75e8b09..0000000
Binary files a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl and /dev/null differ
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/stale.crl b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/stale.crl
new file mode 100644 (file)
index 0000000..75e8b09
Binary files /dev/null and b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/stale.crl differ
index 95cd144..fa67815 100644 (file)
@@ -11,7 +11,7 @@ conn %default
 
 conn home
        left=PH_IP_CAROL
-       leftcert=carolRevokedCert.pem
+       leftcert=carolCert.pem
        leftid=carol@strongswan.org
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
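Review bot: `leftcert=carolCert.pem` now names a file that in this commit is the old revoked certificate unchanged: the new carolCert.pem and the deleted carolRevokedCert.pem carry the same blob (index e9a75fa in both headers), whose issuer is the previous "Linux strongSwan" root CA and whose validity field decodes to a notAfter of 2019-08-26, a few months after this commit. Presumably the new build-certs script regenerates this fixture against the fresh CA; if it does not, the test will start failing for the wrong reason (expired or untrusted chain rather than revocation). Since the generic name no longer says that this is deliberately the revoked certificate, a comment on the line would help the next reader: `leftcert=carolCert.pem   # intentionally the revoked certificate for this test`. The conn block continues outside the hunk.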
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644 (file)
index 0000000..e9a75fa
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644 (file)
index e9a75fa..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBLzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTE0MDgyNzE1MDIyMloXDTE5MDgyNjE1MDIyMlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMJhEfwaamqe85Wwr+AWO8YJbxX717rTX0tVLEVG
-AB/Q1CAnQquMxo8Cf4Ufto/Odm+25Ihxy2Zedmjnoy8xe4s9vFUjEYPgo+wIT7t3
-I3nUhKJhJWEw7hdHwPHif1aAMK/Mrvkou/VFwzJwnCwA9VKe1/Mn4X1YNLak/cQD
-L2Ci34uxJzvjt/5DVDmh7Fd/9wsNHOafycsxEJEyDtDpbZSMklIArTcA61U0+oxZ
-MBZVZHMN9vJETR+BEBaZkEpFSn4vaYjtzpsLG+MicYiuspQ+v8dG50JzeTRpRRpP
-HF3ob20kd9VOz1nU/43CVpvxFk3d+UNNYF89iIBCNZAf6gMCAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQTfdv0x2BIOc0ZAvGE
-VrABn/Jk6zBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC6A+3G600itmdH
-4+zQ1FskGsCUj6mUXn+4blshl41zzhyRmplJT51Wch926E1LUxca9FKUu8XT1tAP
-Wo56RO92eX7M3OgeQz7NqtYxgNauqKfd+IFg+y1vC4etj25dfC56+ETfCrxOZzuZ
-vFD0mhn1hzXw3CNjSIH3HtWHOJjat+jZKsSayiYg3jO+L7i+cz6arbMhQwwGzskb
-wTJejXul+G1/lFhPwMFyep2ilKwRiLJpE3L17hYVwXNEerFcpq6q0OEylmCxXswd
-uO4NPb7dDiKw1pbdIQfZh2HqUXr3Vb4FcCWpAHhSCnNtwQQGKMg0CZtiPvwaaeXI
-oXwOnQXX
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644 (file)
index 0000000..7b72371
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
deleted file mode 100644 (file)
index 7b72371..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAwmER/Bpqap7zlbCv4BY7xglvFfvXutNfS1UsRUYAH9DUICdC
-q4zGjwJ/hR+2j852b7bkiHHLZl52aOejLzF7iz28VSMRg+Cj7AhPu3cjedSEomEl
-YTDuF0fA8eJ/VoAwr8yu+Si79UXDMnCcLAD1Up7X8yfhfVg0tqT9xAMvYKLfi7En
-O+O3/kNUOaHsV3/3Cw0c5p/JyzEQkTIO0OltlIySUgCtNwDrVTT6jFkwFlVkcw32
-8kRNH4EQFpmQSkVKfi9piO3Omwsb4yJxiK6ylD6/x0bnQnN5NGlFGk8cXehvbSR3
-1U7PWdT/jcJWm/EWTd35Q01gXz2IgEI1kB/qAwIDAQABAoIBAQCNiPD3iKSEDkl/
-bbAikw3jHWttrnte5ho1WEdsCZR9lilfYDcDgvXxm/gOjxD3lXZX0eyGDZX1bEL8
-D+6apoU21jUUKPzP8fpqG4MzFYUXaM9LDUGSi3ZSLUUo26us6JqK55dghXCXH70K
-NUUCJZB8IH1N6HQgOOHpPCorV8ZfrfOklNmCJgevVi2ySJ9Oke5YGhhIgNBuXMAB
-Llpg8mc6WqQVCzQnQqOMLT+cHGVcSiwyP04J0vhRWtFCKhaOTJfEG2/RwyHMeOwV
-cjOIHZhviW1QmYV3/kIUaYtOW7HqxCzPHxXlulgWjF6jF7cFmHtsVmjfZxqNDMID
-Fdz+ODQBAoGBAOp/kSOOCK93sojk2zmJdeuiWzIQaQ9Dkt9sgq2h98pFfcQ6veTH
-s2IHbr5nCFl4DvX+Ugh5H/hNIG2FOQ/XWpasXJvQKvttBXXTBHSi8/ZwmcR5xPsA
-+9xLaajg4PFIYY2aiSV5Ydoe55dve+8AMNvFmt5chW9hBZ4XdPJL25hBAoGBANQz
-xxm+bI4Y942zKOJRfMc+7zNlQBRcB4TisAEYjviEONRFyWg+mToV2WYGhdU9wduy
-8etriCUTKlS7i+MR80vT874oak+ZK9eDGdzTcNQwKo5pUvBpGkHea+QyWrm0oWg4
-mX4F1TGRFLDdkKPK4F42n8cjozGljjoQb7QH2tFDAoGAMA+lN5xMu2nU9amyJMC/
-omPMPR6P6cj3uUMMJXokxxgnBqjjcphbc6QCVpPXaj7pEhHlzkbE/qcQFmJPp6eD
-sY3yDR1FMfLOQ6/UIfOj/MZnPZWXgbpZ5HSwWyR79ffXxqX9peiS3Zmn7amzxPBN
-Ez4U164uyv0foZ89IMvbXgECgYB7V2E58HpOmeqCPYndCnpZoZYNrKNzcg6Yyd59
-tJWdk9UoZSvtYL1Vis+jQtVVniDpH3kIWqd2zU4ElEJ6CLv+7kK12+33OFPIX5aP
-yYLCgwCpaETiImU1th/GMxKS8JAE8SkenCtQNUDukMp6ufhyKpPyfx9jQxSJYXZc
-EVi52wKBgHpfgXTUHASyAGDaNr5pUk6xZC59eLW3+JquQVxl5GjTDCXK5ilaMLtq
-sLT6B0AWd3QKQQHKOl8rVeMA3/SkXXxTooRisgL1OvzEuJg9mHOM/tLLYFTg6Dna
-RKtXeklyTaEsmmFT+zgRVqp0qDN7JhlNtCfUYz4fW70kx3Iet/Tv
------END RSA PRIVATE KEY-----
index d742e84..c6d6235 100644 (file)
@@ -1,4 +1,2 @@
 moon::ipsec stop
 carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
index fe6a55a..f7417da 100644 (file)
@@ -1,4 +1,4 @@
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*.crl::YES
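Review bot: The loosened pattern `.*/etc/ipsec.d/crls/.*.crl` has an unescaped dot before `crl`, so it also matches any name ending in "crl"; `.*\.crl` is what the two new lines mean, `moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/.*\.crl::YES` and the same for carol. Dropping the key-identifier file name from the check is sound, because the name depends on the CA key that build-certs now regenerates, but the assertion is correspondingly weaker (only "some CRL was written"); if the test is meant to prove the CRL for the strongSwan root CA in particular was fetched, the log line's issuer or the CA's authority key identifier would be the stable thing to match.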
index 995b347..9b28c50 100644 (file)
@@ -5,7 +5,7 @@ config setup
 
 ca strongswan
         cacert=strongswanCert.pem
-        crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+        crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
         auto=add
 
 conn %default
@@ -18,12 +18,12 @@ conn %default
        leftcert=carolCert.pem
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
index 320c071..082c2f2 100644 (file)
@@ -5,7 +5,7 @@ config setup
 
 ca strongswan
        cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
        auto=add
 
 conn %default
@@ -18,12 +18,12 @@ conn %default
        leftcert=daveCert.pem
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
index e67c9af..deae852 100644 (file)
@@ -5,19 +5,19 @@ config setup
 
 ca strongswan
        cacert=strongswanCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+       crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan Project, c=CH?certificateRevocationList"
        auto=add
 
-ca research 
+ca research
         cacert=researchCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList"
+       crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=strongSwan Project, c=CH?certificateRevocationList"
        auto=add
-       
-ca sales 
+
+ca sales
         cacert=salesCert.pem
-       crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList"
+       crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=strongSwan Project, c=CH?certificateRevocationList"
        auto=add
-                       
+
 conn %default
        ikelifetime=60m
        keylife=20m
@@ -32,11 +32,11 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
        auto=add
index 297e348..e6bd872 100644 (file)
@@ -17,5 +17,5 @@ conn home
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
index a351796..e2c8df2 100644 (file)
@@ -3,11 +3,6 @@
 config setup
        strictcrlpolicy=yes
 
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
 conn %default
        ikelifetime=60m
        keylife=20m
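Review bot: The `ca strongswan` block with its explicit `crluri` is removed while `strictcrlpolicy=yes` stays at the top of the hunk, so the daemon now has to find the CRL through a crlDistributionPoints extension in the certificates themselves; with strict policy, a certificate chain without a reachable CDP is rejected outright. That presumably holds for the certificates build-certs now generates (the deleted crluri here pointed at http://crl.strongswan.org/strongswan.crl), but the hunk gives no hint of it, so a one-line comment would save the next reader a trip into the script: `# CRL location comes from the CDP embedded in the certificates (see testing/scripts/build-certs)`. The same removal appears at the hunks ending on L3196 (where the removed crluri was the deliberately unreachable not-available.crl, so that test's intent deserves the comment even more) and L3264. The conn %default block continues outside the hunk.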
@@ -21,5 +16,5 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
        auto=add
index 297e348..e6bd872 100644 (file)
@@ -17,5 +17,5 @@ conn home
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
index fe69abe..e2c8df2 100644 (file)
@@ -3,11 +3,6 @@
 config setup
        strictcrlpolicy=yes
 
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/not-available.crl
-       auto=add
-
 conn %default
        ikelifetime=60m
        keylife=20m
@@ -21,5 +16,5 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
        auto=add
index d65d37b..611f259 100644 (file)
@@ -14,12 +14,12 @@ conn %default
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
index 121f7d4..abe0f3a 100644 (file)
@@ -14,12 +14,12 @@ conn %default
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
index a49c833..c58de46 100644 (file)
@@ -22,11 +22,11 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+       rightca="C=CH, O=strongSwan Project, CN=strongSwan Root CA"
        auto=add
index 3a5aaa6..a607a0d 100644 (file)
@@ -2,11 +2,6 @@
 
 config setup
 
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
 conn %default
        ikelifetime=60m
        keylife=20m
@@ -21,11 +16,11 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
        auto=add
index 02280ac..ea9e55c 100644 (file)
@@ -3,5 +3,5 @@
 charon {
   load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
-  fragment_size = 1024
+  fragment_size = 1088
 }
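Review bot: `fragment_size = 1088` is a magic number with no explanation, and the value was changed from 1024 presumably because the regenerated certificates have a different size and the test expects a particular number of IKE fragments; the hunk itself does not say. A short comment on the line would document the dependency, for example `fragment_size = 1088   # chosen for the size of the regenerated certificates; keep in step with the fragment count checked in evaltest.dat`, worded to whatever the actual reason is. The identical hunk for the peer host ends on L3295 and should get the same comment.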
index 02280ac..ea9e55c 100644 (file)
@@ -3,5 +3,5 @@
 charon {
   load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
-  fragment_size = 1024
+  fragment_size = 1088
 }
index bcc6d5b..7c8346b 100644 (file)
@@ -13,12 +13,12 @@ conn net-net
        left=PH_IP_MOON
        leftsubnet=10.1.0.0/16
        leftid=@moon.strongswan.org
-       leftsigkey=moonPub.der
+       leftsigkey=moonPub.pem
        leftauth=pubkey
        leftfirewall=yes
        right=PH_IP_SUN
        rightsubnet=10.2.0.0/16
        rightid=@sun.strongswan.org
-       rightsigkey=sunPub.der
+       rightsigkey=sunPub.pem
        rightauth=pubkey
        auto=add
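Review bot: `leftsigkey=moonPub.pem` and `rightsigkey=sunPub.pem` now point at files that are byte-for-byte the old DER blobs under a .pem name: the headers at L3312-L3327 show moonPub.der and moonPub.pem sharing index 55bd362, and sunPub.der and sunPub.pem sharing 8d0c644, and git still reports them as binary. That works only because the key loaders detect the encoding rather than trusting the extension, and it is presumably fixed up once build-certs writes real PEM, but until then the names are misleading. Note also that this commit deletes moon's ipsec.secrets (L3332-L3339) together with moonKey.der, so the test now relies on the host's default secrets file and key matching the public key in moonPub.pem, which is an implicit coupling worth a comment in the test description. The sun side has the same situation in the hunk ending on L3353.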
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der
deleted file mode 100644 (file)
index 55bd362..0000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.pem b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.pem
new file mode 100644 (file)
index 0000000..55bd362
Binary files /dev/null and b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.pem differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der
deleted file mode 100644 (file)
index 8d0c644..0000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.pem b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.pem
new file mode 100644 (file)
index 0000000..8d0c644
Binary files /dev/null and b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.pem differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der
deleted file mode 100644 (file)
index 49e0111..0000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index b9ec17d..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
index 4fe2e67..e94022f 100644 (file)
@@ -13,10 +13,10 @@ conn net-net
        left=PH_IP_SUN
        leftsubnet=10.2.0.0/16
        leftid=@sun.strongswan.org
-       leftsigkey=sunPub.der
+       leftsigkey=sunPub.pem
        leftfirewall=yes
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
        rightid=@moon.strongswan.org
-       rightsigkey=moonPub.der
+       rightsigkey=moonPub.pem
        auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der
deleted file mode 100644 (file)
index 55bd362..0000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.pem b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.pem
new file mode 100644 (file)
index 0000000..55bd362
Binary files /dev/null and b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.pem differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der
deleted file mode 100644 (file)
index 8d0c644..0000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.pem b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.pem
new file mode 100644 (file)
index 0000000..8d0c644
Binary files /dev/null and b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.pem differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der
deleted file mode 100644 (file)
index 7c284f9..0000000
Binary files a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der and /dev/null differ
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets
deleted file mode 100644 (file)
index 6aa9ed5..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.der
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
new file mode 100755 (executable)
index 0000000..ea9be3d
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+       -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+       -resp_no_certs -nmin 5 \
+       -reqin /dev/stdin -respout /dev/stdout | cat
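Review bot: `cd /etc/ca` on the third line is unchecked, so if the directory is missing the responder keeps running from the CGI's working directory and resolves index.txt, strongswanCert.pem and the signer key relative to that instead of failing visibly; `cd /etc/ca || exit 1` would make that failure show up in the test log. The leading `cat |` and trailing `| cat` are redundant, since `-reqin /dev/stdin -respout /dev/stdout` already reads the request from and writes the response to the CGI's own stdin and stdout. The same pattern appears in the ocsp.cgi files added for ocsp-no-signer-cert and ocsp-untrusted-cert further down in this chunk.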
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
deleted file mode 100755 (executable)
index 4e2cc28..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-cd /etc/openssl
-
-echo "Content-type: application/ocsp-response"
-echo ""
-
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-       -resp_no_certs -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
index 630117a..ba484eb 100644 (file)
@@ -31,11 +31,11 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
        auto=add
index eedd737..b660f2d 100644 (file)
@@ -4,5 +4,7 @@ dave::ipsec start
 moon::expect-connection alice
 carol::expect-connection alice
 carol::ipsec up alice
+carol::ipsec up venus
 dave::expect-connection venus
 dave::ipsec up venus
+dave::ipsec up alice
\ No newline at end of file
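Review bot: The new last line `dave::ipsec up alice` is added without a terminating newline (the `\ No newline at end of file` marker). If the runner consumes pretest.dat with a `while read` loop, a final unterminated line is dropped and the new command never runs, so the file should end with a newline rather than depend on how the runner reads it. The file header for this hunk is not in view; the test it belongs to is inferred from the neighbouring changes.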
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
new file mode 100755 (executable)
index 0000000..8c7b9cd
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+       -rkey winnetouKey.pem -rsigner winnetouCert.pem \
+       -nmin 5 \
+       -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
deleted file mode 100755 (executable)
index 4290613..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-cd /etc/openssl
-
-echo "Content-type: application/ocsp-response"
-echo ""
-
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey winnetouKey.pem -rsigner winnetouCert.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
index 94eb586..17225d2 100644 (file)
@@ -15,7 +15,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        left=PH_IP_CAROL
-       leftcert=carolRevokedCert.pem
+       leftcert=carolCert.pem
        leftid=carol@strongswan.org
 
 conn home
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644 (file)
index 0000000..e9a75fa
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644 (file)
index e9a75fa..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBLzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTE0MDgyNzE1MDIyMloXDTE5MDgyNjE1MDIyMlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMJhEfwaamqe85Wwr+AWO8YJbxX717rTX0tVLEVG
-AB/Q1CAnQquMxo8Cf4Ufto/Odm+25Ihxy2Zedmjnoy8xe4s9vFUjEYPgo+wIT7t3
-I3nUhKJhJWEw7hdHwPHif1aAMK/Mrvkou/VFwzJwnCwA9VKe1/Mn4X1YNLak/cQD
-L2Ci34uxJzvjt/5DVDmh7Fd/9wsNHOafycsxEJEyDtDpbZSMklIArTcA61U0+oxZ
-MBZVZHMN9vJETR+BEBaZkEpFSn4vaYjtzpsLG+MicYiuspQ+v8dG50JzeTRpRRpP
-HF3ob20kd9VOz1nU/43CVpvxFk3d+UNNYF89iIBCNZAf6gMCAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQTfdv0x2BIOc0ZAvGE
-VrABn/Jk6zBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC6A+3G600itmdH
-4+zQ1FskGsCUj6mUXn+4blshl41zzhyRmplJT51Wch926E1LUxca9FKUu8XT1tAP
-Wo56RO92eX7M3OgeQz7NqtYxgNauqKfd+IFg+y1vC4etj25dfC56+ETfCrxOZzuZ
-vFD0mhn1hzXw3CNjSIH3HtWHOJjat+jZKsSayiYg3jO+L7i+cz6arbMhQwwGzskb
-wTJejXul+G1/lFhPwMFyep2ilKwRiLJpE3L17hYVwXNEerFcpq6q0OEylmCxXswd
-uO4NPb7dDiKw1pbdIQfZh2HqUXr3Vb4FcCWpAHhSCnNtwQQGKMg0CZtiPvwaaeXI
-oXwOnQXX
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644 (file)
index 0000000..7b72371
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
deleted file mode 100644 (file)
index 7b72371..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAwmER/Bpqap7zlbCv4BY7xglvFfvXutNfS1UsRUYAH9DUICdC
-q4zGjwJ/hR+2j852b7bkiHHLZl52aOejLzF7iz28VSMRg+Cj7AhPu3cjedSEomEl
-YTDuF0fA8eJ/VoAwr8yu+Si79UXDMnCcLAD1Up7X8yfhfVg0tqT9xAMvYKLfi7En
-O+O3/kNUOaHsV3/3Cw0c5p/JyzEQkTIO0OltlIySUgCtNwDrVTT6jFkwFlVkcw32
-8kRNH4EQFpmQSkVKfi9piO3Omwsb4yJxiK6ylD6/x0bnQnN5NGlFGk8cXehvbSR3
-1U7PWdT/jcJWm/EWTd35Q01gXz2IgEI1kB/qAwIDAQABAoIBAQCNiPD3iKSEDkl/
-bbAikw3jHWttrnte5ho1WEdsCZR9lilfYDcDgvXxm/gOjxD3lXZX0eyGDZX1bEL8
-D+6apoU21jUUKPzP8fpqG4MzFYUXaM9LDUGSi3ZSLUUo26us6JqK55dghXCXH70K
-NUUCJZB8IH1N6HQgOOHpPCorV8ZfrfOklNmCJgevVi2ySJ9Oke5YGhhIgNBuXMAB
-Llpg8mc6WqQVCzQnQqOMLT+cHGVcSiwyP04J0vhRWtFCKhaOTJfEG2/RwyHMeOwV
-cjOIHZhviW1QmYV3/kIUaYtOW7HqxCzPHxXlulgWjF6jF7cFmHtsVmjfZxqNDMID
-Fdz+ODQBAoGBAOp/kSOOCK93sojk2zmJdeuiWzIQaQ9Dkt9sgq2h98pFfcQ6veTH
-s2IHbr5nCFl4DvX+Ugh5H/hNIG2FOQ/XWpasXJvQKvttBXXTBHSi8/ZwmcR5xPsA
-+9xLaajg4PFIYY2aiSV5Ydoe55dve+8AMNvFmt5chW9hBZ4XdPJL25hBAoGBANQz
-xxm+bI4Y942zKOJRfMc+7zNlQBRcB4TisAEYjviEONRFyWg+mToV2WYGhdU9wduy
-8etriCUTKlS7i+MR80vT874oak+ZK9eDGdzTcNQwKo5pUvBpGkHea+QyWrm0oWg4
-mX4F1TGRFLDdkKPK4F42n8cjozGljjoQb7QH2tFDAoGAMA+lN5xMu2nU9amyJMC/
-omPMPR6P6cj3uUMMJXokxxgnBqjjcphbc6QCVpPXaj7pEhHlzkbE/qcQFmJPp6eD
-sY3yDR1FMfLOQ6/UIfOj/MZnPZWXgbpZ5HSwWyR79ffXxqX9peiS3Zmn7amzxPBN
-Ez4U164uyv0foZ89IMvbXgECgYB7V2E58HpOmeqCPYndCnpZoZYNrKNzcg6Yyd59
-tJWdk9UoZSvtYL1Vis+jQtVVniDpH3kIWqd2zU4ElEJ6CLv+7kK12+33OFPIX5aP
-yYLCgwCpaETiImU1th/GMxKS8JAE8SkenCtQNUDukMp6ufhyKpPyfx9jQxSJYXZc
-EVi52wKBgHpfgXTUHASyAGDaNr5pUk6xZC59eLW3+JquQVxl5GjTDCXK5ilaMLtq
-sLT6B0AWd3QKQQHKOl8rVeMA3/SkXXxTooRisgL1OvzEuJg9mHOM/tLLYFTg6Dna
-RKtXeklyTaEsmmFT+zgRVqp0qDN7JhlNtCfUYz4fW70kx3Iet/Tv
------END RSA PRIVATE KEY-----
index d742e84..c6d6235 100644 (file)
@@ -1,4 +1,2 @@
 moon::ipsec stop
 carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
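Review bot: Dropping `carol::rm /etc/ipsec.d/private/*` and `carol::rm /etc/ipsec.d/certs/*` leaves the test-specific files on the guest after the run, and in this test carolCert.pem is the former carolRevokedCert.pem (blob e9a75fa on both sides). Unless the framework now restores carol's /etc/ipsec.d between tests, a revoked certificate under the default name would be carried into whatever test runs next on carol; if the framework does reset host files, a one-line comment in posttest.dat saying so would explain why the cleanup is gone. The same removal appears in the two other posttest.dat hunks later in this chunk.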
index a1bc9b0..17225d2 100644 (file)
@@ -15,7 +15,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        left=PH_IP_CAROL
-       leftcert=carolCert-ocsp.pem
+       leftcert=carolCert.pem
        leftid=carol@strongswan.org
 
 conn home
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
deleted file mode 100644 (file)
index d1e85db..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEWzCCA0OgAwIBAgIBODANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFowVjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
-HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu
-8qaOjRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS
-6ngwOEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5
-WRqVVDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbR
-wjx2afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj
-2uStn7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABo4IBQzCCAT8wCQYD
-VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFJCYo8BXG9mSEkp2ag3HiT74
-TT+4MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
-VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
-b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
-b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
-b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCo
-tFCDUTmBfPjeaDQVCv7uBausS0sZCw+Pw7zypqo3vyRm0R2Ds2eymfVI4/Zc1NwW
-hYCy9D1f1r2gukI2jDWHdDwNMQPptyx0Kxr98SIlm9ms8jGT7GZ5l0SdkGe5GDMO
-vq7FscqQZX/KkdFk3ye/ONffFS/ukjVRHu8971BNODcRbG0OBhEI2TQsIyxf/iir
-taI23m8b9dclikqZx3FqoxfTHSN5T5KHntpH7KVIS00hrlavxkLLMn5oePRnkBWu
-feSmpfbOBbnEpElLtJM5K8AjArGOx8nxrtw/KNjMiOsyfCim1r0ff1tnZGtHhHCq
-ZCZKA5DsRXZVWasv1CIz
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644 (file)
index 0000000..d1e85db
--- /dev/null
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
deleted file mode 100644 (file)
index 2d7938a..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu8qaO
-jRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS6ngw
-OEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5WRqV
-VDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbRwjx2
-afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj2uSt
-n7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABAoIBAGuC6UU3NyvYqVc+
-AiVC+r1rdU/052Rj53ahQVPhNXGZDdGkXlkdTgVynk5s+sA65KTl+7ppyAL7vzWe
-QBhRUXCXPxs+3yFwqWadmbAAa5PTjKPfwIb1YmCFxGm5CoWdziLbyxVTDHkiCbGA
-QL8ZSu3wvN32ZyGZ4lO48+ZKi3B+uO5IRPN1YfJAa9g4q+Xt7nybS7hQnriZAn/v
-5ff5StjalQ/241U5LUOrfgeUQIp2DxPiUwHiH/HH1KrcR4Vm4dQrZdOSqUHptoc9
-D7PorAJ0cB7m2FdqAUgEKh4ONy11spf1do79Yi2+XaacTgoCoX8E/1+icmfYvQV7
-rWIBasECgYEA3MIvMrOHgqSNQDgpmA5aq2HsjLgL+KBcQWIFAVhNZ8MOtTYdDIXV
-ZKz0HJjaRi4dSvSGPxze9iRmvhydAupJANBJndTrgAoyRo/tLvGBbuYq9B8R+XM/
-gKBUx5/AwenM4JbSodVIzQIJX7lo+Or1H5TuxJ1Xm79rQMg1GOoMSmECgYEAxYxC
-lIWpHrVKoktazeuNF9E56fB/EAAjsmpJE7PM+SFDvGWbRJR5Y7faiCySetCW4/LC
-Urs2IxnkV7Mo+HgIRmp/K8BBIQ7UAC72mU/qlZeTtf0DH4NMSarPB9+pse8lcPrZ
-dyr7q1o2TDd1Q+fFfNWU3KAi2RHtmqKwRECKLnMCgYBPYK9x7qXiLuLvXYJvP3IQ
-v9Q7wQ3k51xk0ib0ldi3X6bRN9T4JMNXQO1BvyB1La2wvv3qgaoWHX6oC0fVvYJk
-fYCK9P18+62aO7RQNdyRkMePIgDnji4eRQhXAzVfRH87nl+8eyGDPaE7P0Lkhi9/
-nKDCJ8VRpmGdWJ/nBnlG4QKBgQC9ZOuwWTT7K/SSBIzaP6rV2tIbZ2dqf7e5pgzJ
-xugNMccvKHrkFTUMVYg+Zf1JohIIGQYVK0eL/5bcPfhZvzqvyAqEd535g63dPylN
-c0EEin4jTJ9h5w+M0SYL9nNLFGxhFR7JEXyXm7XS/JiAsgS02lAN9blzQ6z5RGCa
-DwZr4QKBgBJBG343JQqRNiQDolaiwzWdSmUxBjfEPzP+pvXJ8pazAUeBdugcm59v
-2whpaffSBJzy4ixInTDmAMhIqvkLlc6GrlTPIur4Gts+hssAjsQN0wEPpG1z+ui4
-4KH/klS64465eK40dplWn1akjOb0KaQsjNwffyfzszvh5+8PkzgB
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644 (file)
index 0000000..2d7938a
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
index 220bc2c..c6d6235 100644 (file)
@@ -1,4 +1,2 @@
 moon::ipsec stop
 carol::ipsec stop
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/private/*
index 27af8e7..fa68b2a 100644 (file)
@@ -10,14 +10,14 @@ conn %default
        keyingtries=1
        keyexchange=ikev2
        left=PH_IP_CAROL
-       leftcert=carolCert-ifuri.pem
+       leftcert=carolCert.pem
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
deleted file mode 100644 (file)
index e121032..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID+DCCAuCgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MjM1MloXDTI0MDMyNDE0MjM1
-MlowYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
-BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXPVagzyvHEGzA
-6jWum0URx2TSMs8cM991OU3n8fkBiLEY9H8DUbjEZlZ0mgcxTOSXSmyqmW+10QCy
-yHPBtR0kxNY/Bl/+QppnB7IpFCR9bsvA4bySYUbdlQWdIPGTmT1polGtoF1mPZ2r
-JqN+Ai5jnFduJ+/189l8chqcz8KlJ2Jp72OaeYqQpgDfo63hqS71OzyY1Cu27vHl
-ay186P+HW75yr5YMwxtYk/rZ6jHRMXFwmI+bq1vgpKYHTomaVCG3zDUD+1XsGVBX
-u3z6qh6FaxxDPizT/fcCbYcYGbKjJw14JOqfddeAHZe+N41Wev0gAhOCIgUiMoxV
-bbx0XkMzAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
-BBYEFHtMZgnElcGoYKmMUvCkQaloTKKfMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj
-zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
-b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEgMB8GA1UdEQQY
-MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQAC1mG0
-nU2TfmYecE0uK8Dn44a8rn13gNyTxpVk+CTYKjPm83BBaf+/K/D2R6+HF3RMkMg6
-6aBHFUwCzIwgL0lBRKT6FioO83kqUkEulRp0jc4hCdUQcAgzqQ+tgT0beCaVHnMv
-qMtKr7FEPVklFfIUQj2gV5bJAkjrjvawnVRaCz3kjk51c78wrNUXI04F3SaUrPjl
-jcedQvptLspT81A+Itkjn3VOr50M2RVIoLpFBNoPs2RA6iW+R89NhQ3i7aLnbULT
-rh+ra3xs+SS2rkV9gC7qDuHqVG5cyWvLl4Hjmo6nHM5i88qgcOzd0tWmT6H2SE9n
-YYzmZo5QyNJg2qBU
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644 (file)
index 0000000..e121032
--- /dev/null
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
index aa07085..b007f52 100644 (file)
@@ -2,7 +2,7 @@
 
 config setup
        strictcrlpolicy=ifuri
-       
+
 conn %default
        ikelifetime=60m
        keylife=20m
@@ -10,14 +10,14 @@ conn %default
        keyingtries=1
        keyexchange=ikev2
        left=PH_IP_DAVE
-       leftcert=daveCert-ifuri.pem
+       leftcert=daveCert.pem
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
 
 conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add
-       
+
 conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
deleted file mode 100644 (file)
index 843f60b..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIELTCCAxWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE1MjcwMloXDTI0MDMyNDE1MjcwMlowXTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT
-DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7tkn1sXzlBRzSVHoPoct2D0kht
-E/Tf+LnryMsw79IBMfiOU61ijdwx2jCLxUh7t90NEIN4CdpIYqzc/1Yi/LWXD9+G
-8gBwft5nqTIz8S8Lf6Qiy4LjGXV3VWpDMZLLRJL5ZWm+0ZN8Wtp9qglVh4LnQSiy
-+NYTlxnRtPB7xkwia287wn4aQfNJpNhlocXdSpGIF5bNIQm32n84SDMafXtuA+vv
-8/72nBiy2SWhkAd+CiNq5dnZkYGnIFL718V6Zu4kmZQhzM3gi/7POZCkOCeSZVeh
-AJJf1mJI7SJH54XYkZLUS5EG6ad3kBf1nFGRAjPgwxQHhfUlP8njpjsV7WUCAwEA
-AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSYfvgn
-nLJ1nMbHDd2zdo60Qpy0HDBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT
-KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
-GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZl
-QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0
-cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQELBQADggEB
-AHsXEeaTYTOW31G8xwq8vhedtha2G5BAS1fvZ0BguTDCxw5eWq9uBqWJl4oazbJi
-WmWNwRB9sbuH6AAddnJsJMUPM3x5PDbc08BOdUmnGHSGxSdY19WI6wIB9n4Hk5up
-fEX4o2CdlQgD5cjtm5vj3rf4QgyY8WmAWnn4l3G/wskOr8iFnGCusjdwmoRdOIxl
-jWF1XM/ztMu29vph5F18BhlNixC1uj5uao3mVJL6WDdcEW3JfdhD7rEw/SNm2dl0
-qwC/S09aRD1cFo957vPUCVmzTwutU9pFBkewXm5f/OfcHd2xojW5V33Ty32CblJm
-4mTYfThX5lQaUUAjmeoh/jA=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644 (file)
index 0000000..843f60b
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
index 02db316..1ed94f9 100644 (file)
@@ -16,11 +16,11 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+       rightca="C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+       rightca="C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
        auto=add
index 816db6e..74d363f 100644 (file)
@@ -8,7 +8,7 @@ ca strongswan-ca
         ocspuri1=http://bob.strongswan.org:8800
        ocspuri2=http://ocsp.strongswan.org:8880
        auto=add
-                       
+
 conn %default
        keyexchange=ikev2
        ikelifetime=60m
@@ -16,7 +16,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        left=PH_IP_CAROL
-       leftcert=carolCert-ocsp.pem
+       leftcert=carolCert.pem
        leftid=carol@strongswan.org
 
 conn home
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
deleted file mode 100644 (file)
index d1e85db..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEWzCCA0OgAwIBAgIBODANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFowVjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
-HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu
-8qaOjRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS
-6ngwOEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5
-WRqVVDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbR
-wjx2afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj
-2uStn7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABo4IBQzCCAT8wCQYD
-VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFJCYo8BXG9mSEkp2ag3HiT74
-TT+4MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
-VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
-b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
-b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
-b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCo
-tFCDUTmBfPjeaDQVCv7uBausS0sZCw+Pw7zypqo3vyRm0R2Ds2eymfVI4/Zc1NwW
-hYCy9D1f1r2gukI2jDWHdDwNMQPptyx0Kxr98SIlm9ms8jGT7GZ5l0SdkGe5GDMO
-vq7FscqQZX/KkdFk3ye/ONffFS/ukjVRHu8971BNODcRbG0OBhEI2TQsIyxf/iir
-taI23m8b9dclikqZx3FqoxfTHSN5T5KHntpH7KVIS00hrlavxkLLMn5oePRnkBWu
-feSmpfbOBbnEpElLtJM5K8AjArGOx8nxrtw/KNjMiOsyfCim1r0ff1tnZGtHhHCq
-ZCZKA5DsRXZVWasv1CIz
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644 (file)
index 0000000..d1e85db
--- /dev/null
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEWzCCA0OgAwIBAgIBODANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFowVjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
+HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu
+8qaOjRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS
+6ngwOEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5
+WRqVVDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbR
+wjx2afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj
+2uStn7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABo4IBQzCCAT8wCQYD
+VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFJCYo8BXG9mSEkp2ag3HiT74
+TT+4MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
+VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
+b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
+b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
+b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCo
+tFCDUTmBfPjeaDQVCv7uBausS0sZCw+Pw7zypqo3vyRm0R2Ds2eymfVI4/Zc1NwW
+hYCy9D1f1r2gukI2jDWHdDwNMQPptyx0Kxr98SIlm9ms8jGT7GZ5l0SdkGe5GDMO
+vq7FscqQZX/KkdFk3ye/ONffFS/ukjVRHu8971BNODcRbG0OBhEI2TQsIyxf/iir
+taI23m8b9dclikqZx3FqoxfTHSN5T5KHntpH7KVIS00hrlavxkLLMn5oePRnkBWu
+feSmpfbOBbnEpElLtJM5K8AjArGOx8nxrtw/KNjMiOsyfCim1r0ff1tnZGtHhHCq
+ZCZKA5DsRXZVWasv1CIz
+-----END CERTIFICATE-----
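Review bot: The certificate added here as carolCert.pem is byte-identical to the carolCert-ocsp.pem deleted just above (blob d1e85db on both sides), so this is a rename rather than a freshly built certificate: its base64 still encodes the issuer and subject organization `Linux strongSwan`, while the rest of this commit moves rightca, rightid and aaa_identity values to `O=strongSwan Project`, and its validity window appears to end in 2019. If the winnetou CAs are regenerated by the new build-certs script, a certificate still chaining to the old root will fail verification in this test; confirm whether this file is meant to be produced by the script rather than committed, or regenerate it. The other renamed cert and key files in this chunk (carolCert.pem/carolKey.pem in ocsp-revoked and ocsp-signer-cert, carolCert.pem in ocsp-strict-ifuri, daveCert.pem) likewise keep the blob hashes of the files they replace.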
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
deleted file mode 100644 (file)
index 2d7938a..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu8qaO
-jRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS6ngw
-OEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5WRqV
-VDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbRwjx2
-afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj2uSt
-n7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABAoIBAGuC6UU3NyvYqVc+
-AiVC+r1rdU/052Rj53ahQVPhNXGZDdGkXlkdTgVynk5s+sA65KTl+7ppyAL7vzWe
-QBhRUXCXPxs+3yFwqWadmbAAa5PTjKPfwIb1YmCFxGm5CoWdziLbyxVTDHkiCbGA
-QL8ZSu3wvN32ZyGZ4lO48+ZKi3B+uO5IRPN1YfJAa9g4q+Xt7nybS7hQnriZAn/v
-5ff5StjalQ/241U5LUOrfgeUQIp2DxPiUwHiH/HH1KrcR4Vm4dQrZdOSqUHptoc9
-D7PorAJ0cB7m2FdqAUgEKh4ONy11spf1do79Yi2+XaacTgoCoX8E/1+icmfYvQV7
-rWIBasECgYEA3MIvMrOHgqSNQDgpmA5aq2HsjLgL+KBcQWIFAVhNZ8MOtTYdDIXV
-ZKz0HJjaRi4dSvSGPxze9iRmvhydAupJANBJndTrgAoyRo/tLvGBbuYq9B8R+XM/
-gKBUx5/AwenM4JbSodVIzQIJX7lo+Or1H5TuxJ1Xm79rQMg1GOoMSmECgYEAxYxC
-lIWpHrVKoktazeuNF9E56fB/EAAjsmpJE7PM+SFDvGWbRJR5Y7faiCySetCW4/LC
-Urs2IxnkV7Mo+HgIRmp/K8BBIQ7UAC72mU/qlZeTtf0DH4NMSarPB9+pse8lcPrZ
-dyr7q1o2TDd1Q+fFfNWU3KAi2RHtmqKwRECKLnMCgYBPYK9x7qXiLuLvXYJvP3IQ
-v9Q7wQ3k51xk0ib0ldi3X6bRN9T4JMNXQO1BvyB1La2wvv3qgaoWHX6oC0fVvYJk
-fYCK9P18+62aO7RQNdyRkMePIgDnji4eRQhXAzVfRH87nl+8eyGDPaE7P0Lkhi9/
-nKDCJ8VRpmGdWJ/nBnlG4QKBgQC9ZOuwWTT7K/SSBIzaP6rV2tIbZ2dqf7e5pgzJ
-xugNMccvKHrkFTUMVYg+Zf1JohIIGQYVK0eL/5bcPfhZvzqvyAqEd535g63dPylN
-c0EEin4jTJ9h5w+M0SYL9nNLFGxhFR7JEXyXm7XS/JiAsgS02lAN9blzQ6z5RGCa
-DwZr4QKBgBJBG343JQqRNiQDolaiwzWdSmUxBjfEPzP+pvXJ8pazAUeBdugcm59v
-2whpaffSBJzy4ixInTDmAMhIqvkLlc6GrlTPIur4Gts+hssAjsQN0wEPpG1z+ui4
-4KH/klS64465eK40dplWn1akjOb0KaQsjNwffyfzszvh5+8PkzgB
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644 (file)
index 0000000..2d7938a
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
index 220bc2c..c6d6235 100644 (file)
@@ -1,4 +1,2 @@
 moon::ipsec stop
 carol::ipsec stop
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
new file mode 100755 (executable)
index 0000000..bce963f
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/ca
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+       -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+       -nmin 5 \
+       -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
deleted file mode 100755 (executable)
index 72aa7a6..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-cd /etc/openssl
-
-echo "Content-type: application/ocsp-response"
-echo ""
-
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
index 6b609f8..e1993fd 100644 (file)
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
@@ -17,7 +17,7 @@ dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moo
 moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO 
+dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index dd1b893..5d99639 100644 (file)
@@ -15,7 +15,7 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
index a46071a..93acb09 100644 (file)
@@ -15,7 +15,7 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
index f77c31c..7cf9edd 100644 (file)
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
index dd1b893..5d99639 100644 (file)
@@ -15,7 +15,7 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
index a46071a..93acb09 100644 (file)
@@ -15,7 +15,7 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
index 944546f..f343e59 100644 (file)
@@ -18,5 +18,5 @@ conn home
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
        rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
        auto=add
index b1a22e7..aa4b9d2 100644 (file)
@@ -18,5 +18,5 @@ conn home
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
        rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
        auto=add
index b2e3ce6..2c1b69e 100644 (file)
@@ -1,8 +1,8 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
index 756e383..c4f8c27 100644 (file)
@@ -13,7 +13,7 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
index b53b085..36c0544 100644 (file)
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
index 6aaeb16..05702c4 100644 (file)
@@ -13,8 +13,8 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightsubnet=10.1.0.0/16
        rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
        auto=add
index deadcff..d82b0d5 100644 (file)
@@ -15,7 +15,7 @@ conn rw-eap
        leftcert=moonCert.pem
        leftauth=pubkey
        leftfirewall=yes
-       rightid="C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+       rightid="C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
        rightauth=eap-radius
        rightsendcert=never
        right=%any
index 2285608..48aaf24 100644 (file)
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
index 576d2cb..9f093b7 100644 (file)
@@ -13,7 +13,7 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
index ba52ec3..5f53072 100644 (file)
@@ -13,7 +13,7 @@ conn home
        leftauth=eap
        leftfirewall=yes
        right=PH_IP_MOON
-       rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       rightid="C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        rightauth=any
        rightsubnet=10.1.0.0/16
        rightsendcert=never
index c18df1c..5013cfe 100644 (file)
@@ -16,5 +16,5 @@ conn home
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
        rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
        auto=add
index 2b58fbf..7e1a6e2 100644 (file)
@@ -16,5 +16,5 @@ conn home
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
        rightauth=pubkey
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       aaa_identity="C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
        auto=add
index d5d817f..84dd414 100644 (file)
@@ -1,8 +1,8 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>
 and matching RSA private keys stored in the <b>PKCS#8</b> format. <b>moon</b>'s key
 is unencrypted, <b>carol</b>'s key is encrypted with the default PKCS#5 v1.5
-DES algorithm and <b>dave</b>'s key with the PKCS#5 v2.0 3DES algorithm.
+DES algorithm and <b>dave</b>'s key with the PKCS#5 v2.0 AES-128 algorithm.
 <p/>
 Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
 automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
index fc12807..0847159 100644 (file)
@@ -1,7 +1,7 @@
 This scenario is derived from <a href="../rw-cert"><b>ikev2/rw-cert</b></a>.
-The gateway <b>moon</b> uses a 2048 bit RSA private key protected by <b>AES-128</b>
+The gateway <b>moon</b> uses a 3072 bit RSA private key protected by <b>AES-128</b>
 encryption whereas the roadwarriors <b>carol</b> and <b>dave</b> have an
-<b>AES-192</b> and <b>AES-256</b> envelope, respectively. 
+<b>AES-192</b> and <b>AES-256</b> envelope, respectively.
 The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in
 its signature whereas the certificates of the roadwarriors <b>carol</b>
 and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
index a8183f5..ce9e384 100644 (file)
@@ -15,12 +15,12 @@ conn %default
 conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
-       rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
+       rightid="C=CH, O=strongSwan Project, OU=Research, CN=*"
        auto=add
-       
+
 conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
-       rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
+       rightid="C=CH, O=strongSwan Project, OU=Accounting, CN=*"
        auto=add
-       
+
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
deleted file mode 100644 (file)
index 24f07b5..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
-qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
-Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
-7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
-lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
new file mode 100644 (file)
index 0000000..24f07b5
--- /dev/null
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
+qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
+Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
+7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
+lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
+-----END EC PRIVATE KEY-----
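Review bot: The key moved into the `pkcs8/` credential directory is still encoded as a traditional SEC1 `EC PRIVATE KEY` block (the header on the first added line), not as a PKCS#8 `PRIVATE KEY` structure, so the directory name and the file's encoding disagree. If the ecdsa-pkcs8 scenario is meant to exercise PKCS#8 decoding of an ECDSA key, the file should be re-encoded in PKCS#8 form rather than only moved; if swanctl's pkcs8 directory is intended to accept any PEM key type, that is worth stating in the scenario's description so the next reader does not take the mismatch for an error. The removed copy under `ecdsa/` has identical content, so nothing else changes for the gateway.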
index fa61f19..91e3457 100644 (file)
@@ -1,8 +1,8 @@
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
-moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/.*_delta.crl::YES
 carol::cat /var/log/daemon.log::certificate was revoked::YES
 carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES
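Review bot: The relaxed pattern `x509crl/.*.crl` on the first and third added lines also matches the `_delta.crl` log line, so the base-CRL check no longer proves that a base CRL was written; the unescaped `.` before `crl` widens it further. If the file name is still the hex key identifier as in the removed lines, `written crl .*/etc/swanctl/x509crl/[0-9a-f]*\.crl::YES` keeps the test independent of the regenerated CA key while still distinguishing the base CRL from the delta CRL. The two `swanctl --list-sas` lines above are context and unaffected.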
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/x509ca/researchCert.pem b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/x509ca/researchCert.pem
deleted file mode 100644 (file)
index d53365f..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
-FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
-zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
-/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
-C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
-+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
-BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
-VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
-FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
-cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
-POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
-xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
-dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
-8sFmiZI=
------END CERTIFICATE-----
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/x509ca/salesCert.pem b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/x509ca/salesCert.pem
deleted file mode 100644 (file)
index a10a18c..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
-GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
-Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
-uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
-sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
-vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
-MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
-VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
-MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
-Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
-CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
-AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
-RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
-M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
------END CERTIFICATE-----
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 3a5aaa6..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-       auto=add
-       
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
-       auto=add
index 574887d..8905ebe 100755 (executable)
@@ -11,11 +11,11 @@ connections {
       remote {
          auth = pubkey
          cacerts = researchCert.pem
-         revocation = ifuri 
+         revocation = ifuri
       }
       children {
          alice {
-            local_ts  = 10.1.0.10/32 
+            local_ts  = 10.1.0.10/32
             esp_proposals = aes128-sha256-ecp256
          }
       }
@@ -34,7 +34,7 @@ connections {
       remote {
          auth = pubkey
          cacerts = salesCert.pem
-         revocation = ifuri 
+         revocation = ifuri
       }
       children {
          venus {
@@ -46,11 +46,3 @@ connections {
       proposals = aes128-sha256-ecp256
    }
 }
-
-authorities {
-
-   strongswan {
-      cacert = strongswanCert.pem
-      crl_uris = http://crl.strongswan.org/strongswan.crl
-   }
-}
index 73bb5f6..f93e30f 100755 (executable)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+  load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
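Review bot: The swanctl `load` line drops `openssl` and adds `gmp`, `sha1` and `sha3` without a comment explaining why, and the same change is made again in the identical hunk of the second strongswan.conf below. Presumably the in-tree gmp plugin now does the RSA signature checks that openssl used to provide and `sha1`/`sha3` cover the digests the fresh certificates and key identifiers use, but that is inference from the plugin names; a one-line note such as `# gmp/sha1/sha3 replace openssl for certificate verification — see build-certs` above the `load` line would make the dependency on the new certificate set explicit. The `charon-systemd` section that follows is outside the hunk.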
index 73bb5f6..f93e30f 100755 (executable)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+  load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 3a5aaa6..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
-       cacert=strongswanCert.pem
-       crluri=http://crl.strongswan.org/strongswan.crl
-       auto=add
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftsendcert=ifasked
-       leftid=@moon.strongswan.org
-
-conn alice
-       leftsubnet=PH_IP_ALICE/32
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-       auto=add
-       
-conn venus
-       leftsubnet=PH_IP_VENUS/32
-       right=%any
-       rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
-       auto=add
diff --git a/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-ppk/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644 (file)
index 1454ec5..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644 (file)
index 1454ec5..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
index 20ec156..247aabe 100644 (file)
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
@@ -11,7 +11,7 @@ moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongs
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index db82791..c4e4784 100755 (executable)
@@ -10,7 +10,7 @@ connections {
       }
       remote {
          auth = eap-peap
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
       }
       children {
          home {
index 7f3b810..b718667 100755 (executable)
@@ -10,7 +10,7 @@ connections {
       }
       remote {
          auth = eap-peap
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
       }
       children {
          home {
index dc56ba8..1093e51 100644 (file)
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
@@ -11,7 +11,7 @@ moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongs
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index db82791..c4e4784 100755 (executable)
@@ -10,7 +10,7 @@ connections {
       }
       remote {
          auth = eap-peap
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
       }
       children {
          home {
index 7f3b810..b718667 100755 (executable)
@@ -10,7 +10,7 @@ connections {
       }
       remote {
          auth = eap-peap
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
       }
       children {
          home {
index 7ffdd1f..54849ae 100755 (executable)
@@ -7,7 +7,7 @@ connections {
       local {
          auth = eap
          id = carol@strongswan.org
-         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+         aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
      }
       remote {
          auth = pubkey
index 97c0b70..da69a51 100755 (executable)
@@ -7,7 +7,7 @@ connections {
       local {
          auth = eap
          id = dave@strongswan.org
-         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+         aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
       }
       remote {
          auth = pubkey
index 52dc51a..48a706d 100644 (file)
@@ -1,10 +1,10 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index cc3e770..f556f8e 100755 (executable)
@@ -10,7 +10,7 @@ connections {
       }
       remote {
          auth = eap-tls
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
       }
       children {
          home {
index e3b7cf3..46d8814 100644 (file)
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index 58786ba..d8212a4 100755 (executable)
@@ -7,11 +7,11 @@ connections {
       local {
          auth = eap
          certs = carolCert.pem
-         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+         aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
       }
       remote {
          auth = pubkey
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
        }
       children {
          home {
index ebe5ffa..afed192 100755 (executable)
@@ -9,7 +9,7 @@ connections {
       }
       remote {
          auth = eap-radius
-         id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+         id = "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
       }
       children {
          net {
index cae0025..e426bda 100755 (executable)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+  load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
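Review bot: The new swanctl `load` line drops `openssl` in favour of `gmp`, `sha1` and `sha3` without recording why, and the same change is repeated verbatim in the two identical hunks that follow this one (the file headers are not shown, so I cannot tell which hosts these are). Because this section only governs what the swanctl binary itself can parse when loading credentials, a one-line comment above `load` would spare the next reader a guess, e.g. `# swanctl-side parsing only: RSA via gmp, hashing via sha1/sha3, no openssl` — adjusted to the actual reason. The list contains no `sha2`; if anything these hosts load through swanctl needs SHA-256 (which the hunk does not show either way), that plugin would have to be added as well.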
index cae0025..e426bda 100755 (executable)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+  load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
index 9c4e819..3b2845d 100755 (executable)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+  load = random pem pkcs1 sha1 sha3 gmp x509 revocation constraints pubkey
 }
 
 charon-systemd {
index 00282ab..46d6be4 100644 (file)
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
@@ -11,7 +11,7 @@ moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongs
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index 184aaa5..96c30e3 100755 (executable)
@@ -10,7 +10,7 @@ connections {
       }
       remote {
          auth = eap-ttls
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
       }
       children {
          home {
index a77bd00..64b711d 100755 (executable)
@@ -10,7 +10,7 @@ connections {
       }
       remote {
          auth = eap-ttls
-         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+         id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
       }
       children {
          home {
index 7ffdd1f..54849ae 100755 (executable)
@@ -7,7 +7,7 @@ connections {
       local {
          auth = eap
          id = carol@strongswan.org
-         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+         aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
      }
       remote {
          auth = pubkey
index 97c0b70..da69a51 100755 (executable)
@@ -7,7 +7,7 @@ connections {
       local {
          auth = eap
          id = dave@strongswan.org
-         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+         aaa_id = "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
       }
       remote {
          auth = pubkey
index b295891..dc9abe5 100755 (executable)
@@ -1,9 +1,9 @@
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.100 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.200 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
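Review bot: Replacing the pinned key identifiers with `..:..:.*` on the carol, dave and moon lines turns the identity check into "any two colon-separated pairs", so the test no longer confirms that the peers were identified by a key id of the expected shape; the same pattern is used in the identical evaltest hunk later in this commit (the second `alice::ping` block with `rw-carol`/`rw-dave`). Presumably the fixed fingerprints had to go because certificates are now generated at build time, which is fair, but a bounded pattern keeps the assertion meaningful: if these are the 20-byte SHA-1 key ids the old `0d:36:.*:cc:90` patterns suggest and the evaluator's grep dialect supports it, `local-id=[0-9a-f]{2}(:[0-9a-f]{2}){19}`, otherwise at least `local-id=[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:` to restrict the match to hex. Note also that on the moon lines the `.*` between `remote-id=` and `encr-alg` was dropped; this only works because the trailing `.*` in `..:..:.*` absorbs the intervening fields.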
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644 (file)
index 1454ec5..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
index f1a074f..a322ca1 100755 (executable)
@@ -2,7 +2,7 @@ connections {
 
    home {
       local_addrs  = 192.168.0.100
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
          auth = pubkey
@@ -10,11 +10,11 @@ connections {
       }
       remote {
          auth = pubkey
-         pubkeys = moonPub.pem 
+         pubkeys = moonPub.pem
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
             esp_proposals = aes128gcm128-ecp256
@@ -24,11 +24,3 @@ connections {
       proposals = aes128-sha256-ecp256
    }
 }
-
-secrets {
-
-   rsa-carol {
-      file = carolKey.pem
-      secret = "nH5ZQEWtku0RJEZ6"
-   }
-}
index 2dfc3cf..1b172ee 100755 (executable)
@@ -1,9 +1,9 @@
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=..:..:.* remote-host=192.168.0.1 remote-port=4500 remote-id=..:..:.* initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.100 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=..:..:.* remote-host=192.168.0.200 remote-port=4500 remote-id=..:..:.* encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem
deleted file mode 100644 (file)
index 1454ec5..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
-
-1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
-/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
-/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
-Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
-f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
-LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
-06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
-e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
-3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
-sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
-c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
-UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
-XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
-iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
-Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
-v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
-t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
-8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
-jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
-p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
-7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
-GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
-4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
-yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
-+85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
------END RSA PRIVATE KEY-----
index f1a074f..a322ca1 100755 (executable)
@@ -2,7 +2,7 @@ connections {
 
    home {
       local_addrs  = 192.168.0.100
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
          auth = pubkey
@@ -10,11 +10,11 @@ connections {
       }
       remote {
          auth = pubkey
-         pubkeys = moonPub.pem 
+         pubkeys = moonPub.pem
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
             esp_proposals = aes128gcm128-ecp256
@@ -24,11 +24,3 @@ connections {
       proposals = aes128-sha256-ecp256
    }
 }
-
-secrets {
-
-   rsa-carol {
-      file = carolKey.pem
-      secret = "nH5ZQEWtku0RJEZ6"
-   }
-}
index a327dae..d5d6fa5 100644 (file)
@@ -5,10 +5,10 @@ carol::cat /var/log/auth.log::received SASL Success result::YES
 carol::cat /var/log/auth.log::collected ... SW ID events::YES
 carol::cat /var/log/auth.log::collected 3 SW records::YES
 alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
-alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org::YES
 alice::cat /var/log/daemon.log::certificate status is good::YES
 alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
-alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::role=.softwareCreator licensor tagCreator::YES
 alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
index bded669..2e40603 100644 (file)
@@ -5,10 +5,10 @@ carol::cat /var/log/auth.log::collected ... SW ID records::YES
 carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES
 carol::cat /var/log/auth.log::collected 1 SW record::YES
 alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
-alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org::YES
 alice::cat /var/log/daemon.log::certificate status is good::YES
 alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
-alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
 moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
index bed92fc..3cf7e6b 100644 (file)
@@ -5,13 +5,13 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES