testing: Add scenario with hash-and-URL encoding for intermediate CA certificates
authorTobias Brunner <tobias@strongswan.org>
Thu, 31 Oct 2019 14:18:17 +0000 (15:18 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 26 Nov 2019 10:12:26 +0000 (11:12 +0100)
12 files changed:
testing/scripts/build-certs-chroot
testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt [new file with mode: 0644]
testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat [new file with mode: 0644]
testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat [new file with mode: 0644]
testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat [new file with mode: 0644]
testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf [new file with mode: 0644]

index acc742e..f49a163 100755 (executable)
@@ -513,6 +513,13 @@ do
   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 done
 
+for t in rw-hash-and-url-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+  cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+done
+
 # Convert Research CA certificate into DER format
 openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
 
@@ -562,6 +569,13 @@ do
   cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 done
 
+for t in rw-hash-and-url-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+  cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+done
+
 # Convert Sales CA certificate into DER format
 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
 
@@ -936,7 +950,7 @@ do
   cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 done
 
-for t in multi-level-ca ocsp-multi-level
+for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
 do
   TEST="${TEST_DIR}/swanctl/${t}"
   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
@@ -1051,7 +1065,7 @@ do
   cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 done
 
-for t in multi-level-ca ocsp-multi-level
+for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
 do
   TEST="${TEST_DIR}/swanctl/${t}"
   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt b/testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt
new file mode 100644 (file)
index 0000000..062c4f0
--- /dev/null
@@ -0,0 +1,12 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
+<p/>
+The gateway <b>moon</b> doesn't have the intermediate CA certificate installed
+and instead of sending the actual certificates, the two clients send "Hash and URL"
+certificate payloads. The gateway fetches the certificates via HTTP from server
+<b>winnetou</b>.
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat b/testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat
new file mode 100644 (file)
index 0000000..5e16338
--- /dev/null
@@ -0,0 +1,22 @@
+carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*CN=Research CA::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..178fa2e
--- /dev/null
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+  hash_and_url = yes
+}
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..fdf6ca5
--- /dev/null
@@ -0,0 +1,41 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/
+   }
+
+   research {
+      cacert = researchCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/research/
+   }
+}
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..178fa2e
--- /dev/null
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+  hash_and_url = yes
+}
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..b115869
--- /dev/null
@@ -0,0 +1,41 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/
+   }
+
+   sales {
+      cacert = salesCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/sales/
+   }
+}
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..178fa2e
--- /dev/null
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+  hash_and_url = yes
+}
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755 (executable)
index 0000000..334ecb6
--- /dev/null
@@ -0,0 +1,54 @@
+connections {
+
+   research {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+
+   sales {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = "C=CH, O=strongSwan Project, OU=Sales, CN=*"
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/
+   }
+}
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat b/testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat
new file mode 100644 (file)
index 0000000..18e43bf
--- /dev/null
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat b/testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat
new file mode 100644 (file)
index 0000000..456938c
--- /dev/null
@@ -0,0 +1,10 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf
new file mode 100644 (file)
index 0000000..b8048b4
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1