From: Martin Willi Date: Thu, 28 Nov 2019 09:25:20 +0000 (+0100) Subject: testing: Use identity based CA restrictions in rw-hash-and-url-multi-level X-Git-Tag: 5.8.2rc1~6^2~1 X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=f95d5122513ab34cd1b3cffc7bb49d69932cd51c testing: Use identity based CA restrictions in rw-hash-and-url-multi-level This is a prominent example where the identity based CA constraint is benefical. While the description of the test claims a strict binding of the client to the intermediate CA, this is not fully true if CA operators are not fully trusted: A rogue OU=Sales intermediate may issue certificates containing a OU=Research. By binding the connection to the CA, we can avoid this, and using the identity based constraint still allows moon to receive the intermediate over IKE or hash-and-url. --- diff --git a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf index 334ecb6..a690cf2 100755 --- a/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf @@ -10,7 +10,7 @@ connections { } remote { auth = pubkey - id = "C=CH, O=strongSwan Project, OU=Research, CN=*" + ca_id = "C=CH, O=strongSwan Project, OU=Research, CN=Research CA" } children { alice { @@ -32,7 +32,7 @@ connections { } remote { auth = pubkey - id = "C=CH, O=strongSwan Project, OU=Sales, CN=*" + ca_id = "C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA" } children { venus {
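Review bot: in the first hunk (the `OU=Research` remote block of moon's swanctl.conf), the `id = "C=CH, O=strongSwan Project, OU=Research, CN=*"` line is replaced rather than complemented, so the peer's own identity is no longer constrained at all and any end-entity certificate issued under `CN=Research CA` is accepted. If the test is meant to keep the identity wildcard as well as the CA binding, keep the `id` line and add `ca_id` beside it; if dropping it is intended, note that the `ca_id` value must match the intermediate's subject DN exactly (there is no `CN=*` wildcard here any more), and the test description that the commit message says "claims a strict binding of the client to the intermediate CA" is not touched in this diff and should be checked against the new behaviour.

Review bot: the second hunk (the `OU=Sales` remote block) has the same shape as the first, and the two remote sections now differ only in the `ca_id` value, whose DNs differ solely in the `OU` and `CN` components. That is what the commit message wants, since a rogue `OU=Sales` intermediate can no longer satisfy the Research connection, but it also means a typo in either `ca_id` string leaves one connection unusable with no wildcard fallback; suggest the test's expected-output checks assert that alice is accepted only via the Research chain and venus only via the Sales chain, so a mismatch is caught rather than masked by the other connection matching.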