环境如下
$ openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
$
$ openssl version | sed -re 's/^OpenSSL ([0-9]+)\..*/\1/'
3
生成证书的目录及证书文件。
testing/hosts/winnetou/etc/ca$ ls
bliss ed25519 keys ocspCert-self.pem sales strongswanKey.pem
certs generate-crl levels ocspKey.pem sha3-rsa winnetouCert.pem
db.strongswan.org.certs-and-keys index.html monster ocspKey-self.pem strongswanCert.der winnetouKey.pem
duck index.txt ocsp research strongswanCert.pem
ecdsa index.txt.template ocspCert.pem rfc3779 strongswan.crl
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls certs/
01.pem 03.pem 05.pem 07.pem 0A.pem 0C.pem 0E.pem 10.pem 12.pem 14.pem 16.pem 18.pem
02.pem 04.pem 06.pem 09.pem 0B.pem 0D.pem 0F.pem 11.pem 13.pem 15.pem 17.pem 88.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls keys/
aliceKey.der bobKey.der carolKey.der daveKey.der moonKey.der sunKey.der venusKey.der
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls ocsp
ocsp.cgi
strongswan的证书位于目录CA_DIR:testing/hosts/winnetou/etc/ca/。以下定义全局变量,包括:CA私钥CA_KEY,CA证书CA_CERT,CA的证书吊销列表CA_CRL,CA的证书吊销列表分发点CA_CDP(CRL Distribution Point),CA在线证书状态协议的地址CA_OSCP(Online Certificate Status Protocol)。
# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"
证书时间变量,之后生成证书是需要使用。证书起始时间START,为系统时间的两天之前。SH_END xxxx。CA证书结束时间CA_END为当前时间的10年之后。中间证书的过期时间IM_END为9年之后。终端证书过期时间EE_END为8年之后。
31 START=`date -d "-2 day" "+%d.%m.%y %T"`
32 SH_END=`date -d "-1 day" "+%d.%m.%y %T"` # 1 day
33 CA_END=`date -d "+3651 day" "+%d.%m.%y %T"` # 10 years
34 IM_END=`date -d "+3286 day" "+%d.%m.%y %T"` # 9 years
35 EE_END=`date -d "+2920 day" "+%d.%m.%y %T"` # 8 years
36 SH_EXP=`date -d "-1 day" "+%y%m%d%H%M%SZ"` # 1 day
37 IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"` # 9 years
38 EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"` # 8 years
39 NOW=`date "+%y%m%d%H%M%SZ"`
研发部门证书。
41 RESEARCH_DIR="${CA_DIR}/research"
42 RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
43 RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
44 RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
45 RESEARCH_CDP="http://crl.strongswan.org/research.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls research/
certs index.txt index.txt.template keys ocsp ocspCert.pem ocspKey.pem researchCert.der researchCert.pem researchKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls research/certs/
01.pem 02.pem 03.pem 04.pem
testing/hosts/winnetou/etc/ca$ ls research/keys/
01.der
testing/hosts/winnetou/etc/ca$ ls research/ocsp
ocsp.cgi
销售部门证书。
47 SALES_DIR="${CA_DIR}/sales"
48 SALES_KEY="${SALES_DIR}/salesKey.pem"
49 SALES_CERT="${SALES_DIR}/salesCert.pem"
50 SALES_CERT_DER="${SALES_DIR}/salesCert.der"
51 SALES_CDP="http://crl.strongswan.org/sales.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls sales/
certs index.txt index.txt.template keys ocsp ocspCert.pem ocspKey.pem salesCert.der salesCert.pem salesKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls sales/certs/
01.pem 02.pem 03.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls sales/keys/
01.der
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls sales/ocsp
ocsp.cgi
三级证书。
53 LEVELS_DIR="${CA_DIR}/levels"
54 LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
55 LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
56 LEVELS_CDP="http://crl.strongswan.org/levels.crl"
57 LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
58 LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
59 LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
60 LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
61 LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
62 LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls levels/
certs levelsCert_l2.pem levelsCert_l3.pem levelsCert.pem levelsKey_l2.pem levelsKey_l3.pem levelsKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls levels/certs/
01.pem
不同的证书类型
通用名称CN为“Duck Research CA”的证书。
64 DUCK_DIR="${CA_DIR}/duck"
65 DUCK_KEY="${DUCK_DIR}/duckKey.pem"
66 DUCK_CERT="${DUCK_DIR}/duckCert.pem"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls duck/
certs duckCert.pem duckKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls duck/certs/
01.pem
椭圆曲线数字签名算法ECDSA的证书。
68 ECDSA_DIR="${CA_DIR}/ecdsa"
69 ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
70 ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
71 ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls ecdsa/
certs strongswanCert.pem strongswanKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls ecdsa/certs/
01.pem 02.pem 03.pem
符合RFC3779扩展的证书,证书中包含IP地址扩展。
73 RFC3779_DIR="${CA_DIR}/rfc3779"
74 RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
75 RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
76 RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls rfc3779/
certs strongswanCert.pem strongswanKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls rfc3779/certs/
01.pem 02.pem 03.pem 04.pem
使用SHA3摘要算法的RSA证书。
78 SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
79 SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
80 SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
81 SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls sha3-rsa/
certs strongswanCert.pem strongswanKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls sha3-rsa/certs/
01.pem 02.pem 03.pem 04.pem
ED25519曲线数字签名算法 (Edwards-curve Digital Signature Algorithm) 的证书。
83 ED25519_DIR="${CA_DIR}/ed25519"
84 ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
85 ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
86 ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls ed25519/
certs strongswanCert.pem strongswanKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls ed25519/certs/
01.pem 02.pem 03.pem 04.pem
通用名称CN为“strongSwan Monster CA”的证书。
88 MONSTER_DIR="${CA_DIR}/monster"
89 MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
90 MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
91 MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
92 MONSTER_CA_RSA_SIZE="8192"
93 MONSTER_EE_RSA_SIZE="4096"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls monster/
certs strongswanCert.pem strongswanKey.pem
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls monster/certs/
01.pem 02.pem
BLISS(Bimodal Lattice Signature Scheme)算法的签名证书。BLISS是一种后量子签名方案(post-quantum signature scheme)。
95 BLISS_DIR="${CA_DIR}/bliss"
96 BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
97 BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
98 BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"
生成的证书位于如下目录。
testing/hosts/winnetou/etc/ca$ ls bliss/
certs strongswan_blissCert.der strongswan_blissKey.der
testing/hosts/winnetou/etc/ca$
testing/hosts/winnetou/etc/ca$ ls bliss/certs/
01.der 02.der 03.der
RSA证书的私钥长度RSA_SIZE。
100 RSA_SIZE="3072"
101 IPSEC_DIR="etc/ipsec.d"
102 SWANCTL_DIR="etc/swanctl"
103 TKM_DIR="etc/tkm"
104 HOSTS="carol dave moon sun alice venus bob"
105 TEST_DIR="${DIR}/tests"
创建以上提及的各种证书的证书和私钥的存放目录。
mkdir -p ${CA_DIR}/certs
mkdir -p ${CA_DIR}/keys
mkdir -p ${RESEARCH_DIR}/certs
mkdir -p ${RESEARCH_DIR}/keys
mkdir -p ${SALES_DIR}/certs
mkdir -p ${SALES_DIR}/keys
mkdir -p ${LEVELS_DIR}/certs
mkdir -p ${DUCK_DIR}/certs
mkdir -p ${ECDSA_DIR}/certs
mkdir -p ${RFC3779_DIR}/certs
mkdir -p ${SHA3_RSA_DIR}/certs
mkdir -p ${ED25519_DIR}/certs
mkdir -p ${MONSTER_DIR}/certs
mkdir -p ${BLISS_DIR}/certs
strongswan CA根证书
生成strongswan根CA证书。首先,生成3072比特(RSA_SIZE)的私钥(hosts/winnetou/etc/ca/strongswanKey.pem),格式为PEM(Privacy Enhanced Mail),是一种基于ASCII编码的文本文件格式。
其次,生成自签名的根CA证书(CA_CERT=hosts/winnetou/etc/ca/strongswanCert.pem),格式为PEM。根CA证书有效期为10年。
最后,将CA根证书拷贝到各个客户机(HOSTS)目录,例如,对于moon主机,拷贝到目录hosts/moon/etc/ipsec.d/cacerts和目录hosts/moon/etc/swanctl/x509ca。
# Generate strongSwan Root CA
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
--ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
--outform pem > ${CA_CERT}
# Distribute strongSwan Root CA certificate
for h in ${HOSTS}
do
HOST_DIR="${DIR}/hosts/${h}"
mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
done
对于主机alice,将CA根证书拷贝到其目录hosts/alice/etc/raddb/certs下。
strongSwan Root CA根证书生成DER(Distinguished Encoding Rules)格式,其为二进制格式的文件。
使用CA证书和私钥,发布一个CRL(Certificate Revocation List)证书,ikev2/crl-ldap测试用例需要使用。
# Put a copy onto the alice FreeRADIUS server
mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs
# Convert strongSwan Root CA certificate into DER format
openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}
# Generate a stale CRL
pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
--this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}
# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509crl
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509crl
cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509crl/stale.crl
cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509crl/stale.crl
生成每个客户主机的私钥。例如对于moon主机,生成私钥:hosts/moon/etc/ipsec.d/private/moonKey.pem,拷贝一份到hosts/moon/etc/swanctl/rsa目录下。
生成DER格式的私钥,例如对于moon主机,文件为:hosts/winnetou/etc/ca/keys/moonKey.der。
# Generate host keys
for h in ${HOSTS}
do
HOST_DIR="${DIR}/hosts/${h}"
HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
# Put a copy into swanctl directory tree
mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa
# Convert host key into DER format
openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
${TRAD} 2> /dev/null
done
moon客户机的私钥和根CA证书拷贝到以下指定的测试用例目录中。例如,对于第一个host2host-initiator用例,将moon的私钥以及DER格式CA根证书CA_CERT_DER(hosts/winnetou/etc/ca/strongswanCert.der)拷贝到目录tests/tkm/host2host-initiator/hosts/moon/etc/tkm下。
# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
xfrmproxy-rekey
do
TEST="${TEST_DIR}/tkm/${t}"
mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
done
如下为拷贝之后的测试用例host2host-initiator/hosts/moon/etc/tkm目录内容:
strongswan-5.9.14/testing$ ls tests/tkm/host2host-initiator/hosts/moon/etc/tkm
moonKey.der strongswanCert.der tkm.conf
tkm/multiple-clients测试用例
与以上类似,将sun主机的私钥以及DER格式CA根证书CA_CERT_DER(hosts/winnetou/etc/ca/strongswanCert.der)拷贝到目录tests/tkm/multiple-clients/hosts/sun/etc/tkm下。以便测试用例multiple-clients使用。
# Put DER_encoded sun private key and Root CA certificate into tkm scenarios
TEST="${TEST_DIR}/tkm/multiple-clients"
mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}
ikev2/rw-pkcs8测试用例
需要moon客户机的私钥转换为不加密的PKCS#8格式。原私钥hosts/moon/etc/swanctl/rsa/moonKey.pem,新的私钥tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/pkcs8/moonKey.pem。
# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}
carol客户机的私钥转换为v1.5 DES加密PKCS#8格式。原私钥hosts/carol/etc/swanctl/rsa/carolKey.pem,转换之后的私钥tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem。
# Convert carol private key into v1.5 DES encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
-passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
dave客户机的私钥转换为v2.0 AES-128加密的PKCS#8格式。原私钥hosts/dave/etc/swanctl/rsa/daveKey.pem,转换之后的私钥tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem。
# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v2 aes128 \
-passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
moon公钥
由moon主机的私钥hosts/moon/etc/swanctl/rsa/moonKey.pem,导出公钥ikev2/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem,并且将公钥拷贝到tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/pubkey目录下。
# Extract the raw moon public key for the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
将moon公钥拷贝到目录tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/pubkey目录下,和 tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/pubkey目录下。
# Put a copy into the following ikev2 scenarios
for t in net2net-dnssec rw-dnssec
do
TEST="${TEST_DIR}/ikev2/${t}"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
done
将moon公钥拷贝到目录tests/ikev2/{rw-pubkey-anon rw-pubkey-keyid}/hosts/{moon carol dave}/etc/swanctl/pubkey目录下。
# Put a copy into the following ikev2 scenarios
for t in rw-pubkey-anon rw-pubkey-keyid
do
TEST="${TEST_DIR}/ikev2/${t}"
for h in moon carol dave
do
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
done
done
sun公钥
由sun主机的私钥hosts/sun/etc/swanctl/rsa/sunKey.pem导出公钥tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem。
# Extract the raw sun public key for the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
将sun的公钥拷贝到目录tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/pubkey目录。
# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
将sun的公钥拷贝到目录tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey目录。
# Put a copy into the ikev2/rw-pubkey-anon scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
carol公钥
由carol主机的私钥hosts/carol/etc/swanctl/rsa/carolKey.pem导出公钥tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.pem。
# Extract the raw carol public key for the ikev2/rw-dnssec scenario
TEST="${TEST_DIR}/ikev2/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
将carol的公钥拷贝到目录tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey下。
# Put a copy into the ikev2/rw-pubkey-anon scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
将carol的公钥拷贝到目录tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey。
将carol的公钥拷贝到目录tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey。
# Put a copy into the ikev2/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-keyid"
cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
dave公钥
由dave主机的私钥hosts/dave/etc/swanctl/rsa/daveKey.pem导出公钥tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.pem。
# Extract the raw dave public key for the ikev2/rw-dnssec scenario
TEST="${TEST_DIR}/ikev2/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
将dave的公钥拷贝到目录tests/ikev2/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey。
将dave的公钥拷贝到目录tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey。
# Put a copy into the ikev2/rw-pubkey-anon scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
将dave的公钥拷贝到目录tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey。
将dave的公钥拷贝到目录tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey。
# Put a copy into the ikev2/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-keyid"
cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
主机证书
主机私钥目录hosts/{carol,dave,moon,sun,alice,venus,bob}/etc/ipsec.d/private/{carol … bob}Key.pem,主机证书目录hosts/{carol,dave,moon,sun,alice,venus,bob}/etc/ipsec.d/certs/{carol … bob}Cert.pem。
# function issue_cert: serial host cn [ou]
issue_cert()
{
# does optional OU argument exist?
if [ -z "${4}" ]
then
OU=""
else
OU=" OU=${4},"
fi
HOST_DIR="${DIR}/hosts/${2}"
HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs
使用CA根证书为每个主机签发主机证书(HOST_CERT),并且将主机证书拷贝到目录hosts/winnetou/etc/ca/certs下,使用主机序号作为文件名称。
最后,将主机证书拷贝一份到hosts/{carol,dave,moon,sun,alice,venus,bob}/etc/swanctl/x509目录下。
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
--serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
--outform pem > ${HOST_CERT}
cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem
# Put a certificate copy into swanctl directory tree
mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
}
使用以上issue_cert函数生成客户机的主机证书,参数为证书序号serial,主机名称host,CommonName和组织名OU(可选)。
# Generate host certificates
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research
dave的credentials
测试用例ikev2/dynamic-initiator,ikev1/dynamic-initiator和ikev1/dynamic-responder需要使用dave的私钥和证书。
# Copy carol's credentials into the dave directory of the following scenarios
for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
cp ${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
cp ${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
done
PKCS#12
PKCS #12 是一种存档文件格式,可用于将许多密码学对象保存为单个文件。通常用于保存私钥和X.509证书,或者证书链。为moon主机生成PKCS#12格式证书,位置tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12。
# Create PKCS#12 file for moon
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12/moonCert.p12"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
-certfile ${CA_CERT} -caname "strongSwan Root CA" -keypbe aes-128-cbc \
-certpbe aes-128-cbc -macalg sha256 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12}
为sun生成PKCS#12格式证书,位置tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12。
# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12/sunCert.p12"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
-certfile ${CA_CERT} -caname "strongSwan Root CA" -keypbe aes-128-cbc \
-certpbe aes-128-cbc -macalg sha256 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12}
将moon和sun的PKCS#12格式证书拷贝到:tests/botan/net2net-pkcs12/hosts/{moon sun}/etc/swanctl/pkcs12目录,和tests/openssl-ikev2/net2net-pkcs12/hosts/{moon sun}/etc/swanctl/pkcs12目录。
# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
cp ${SUN_PKCS12} ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
done
区文件
将moon和sun的证书保存到文件hosts/winnetou/etc/ca/db.strongswan.org.certs-and-keys。
# Store moon and sun certificates in strongswan.org zone
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
for h in moon sun
do
HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
done
将moon,sun,carol和dave的公钥保存到区文件hosts/winnetou/etc/ca/db.strongswan.org.certs-and-keys。
# Store public keys in strongswan.org zone
echo ";" >> ${ZONE_FILE}
for h in moon sun carol dave
do
HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
done
如下内容:
testing$ cat hosts/winnetou/etc/ca/db.strongswan.org.certs-and-keys
; Automatically generated for inclusion in zone file
moon IN CERT ( 1 0 0
MIIEiDCCAvCgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDSDEb
... ...
96UKD6BK0LczffM/
)
sun IN CERT ( 1 0 0
MIIEhjCCAu6gAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDSDEb
... ...
w31UeNAt3y2e2Q==
)
;
moon IN IPSECKEY ( 10 3 2 moon.strongswan.org.
AwEAAbw2kQ4a21xAFNLSK0kDIF7LFWLZQrQ6FLX9Dthe2hFuAA90IHBOwuZrsyEH
... ...
nlrDlw==
)
sun IN IPSECKEY ( 10 3 2 sun.strongswan.org.
AwEAAZg9FddPYQsv2qVMQWsefPVHzEIN/w5Fp6se+22Bc9lKYVhn5V2QA+8vfTYo
... ...
uVbwKw==
)
carol IN IPSECKEY ( 10 3 2 carol.strongswan.org.
AwEAAa8TDQliWKdz9XFBcPsDFeAQ4DUnOi9zX2OmiJhvt93em9OWJT9LbwlQcWXo
... ...
JtqlMw==
)
dave IN IPSECKEY ( 10 3 2 dave.strongswan.org.
AwEAAZUr6u84nJ8/KttYxSU8OyvQiSLIIormnt7SMEzSl8pHhJ9JRU9UQjP7+2SI
... ...
oSwtvw==
)
ikev2/crl-to-cache测试用例
为carol生成测试用的证书,在证书中包含CA_BASE_CDP地址(http://crl.strongswan.org/strongswan_base.crl)。
# Generate a carol certificate for the ikev2/crl-to-cache scenario with base CDP
TEST="${TEST_DIR}/ikev2/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
--outform pem > ${TEST_CERT}
为moon生成测试用的证书,在证书中包含CA_BASE_CDP地址(http://crl.strongswan.org/strongswan_base.crl)。
# Generate a moon certificate for the ikev2/crl-to-cache scenario with base CDP
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--outform pem > ${TEST_CERT}
carol加密证书
carol的私钥加密。
# Encrypt carolKey.pem
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
${TRAD} 2> /dev/null
拷贝到目录:tests/{ikev2 botan wolfssl}/rw-cert/hosts/carol/etc/swanctl/rsa。
# Put a copy into the ikev2, botan and wolfssl rw-cert scenarios
for d in ikev2 botan wolfssl
do
TEST="${TEST_DIR}/${d}/rw-cert"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
done
carol吊销证书
为carol生成测试用证书,TEST_CERT:tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/x509/carolCert.pem,
# Generate another carol certificate and revoke it
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="88"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
--outform pem > ${TEST_CERT}
按照惯例,在hosts/winnetou/etc/ca/certs目录下保存一份以序号命名的证书。签发一个CRL证书,吊销序号为88的证书。
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
--serial ${SERIAL} > ${CA_CRL}
cp ${CA_CRL} ${CA_LAST_CRL}
ocsp-revoked测试用例中的carol之间需要以上的测试私钥和证书。
# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
IKEv2/two-certs
为carol生成第二个证书:tests/hosts/carol/etc/swanctl/x509/carolCert-002.pem,证书序号09。按照惯例,在hosts/winnetou/etc/ca/certs目录下保存一份以序号命名的证书。
# Generate another carol certificate with serialNumber=002
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert-002.pem"
SERIAL="09"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
Research证书
生成Research测试证书,通用名称CN为Research CA。将次证书的序号追加到证书吊销列表。
# Generate a Research CA certificate signed by the Root CA and revoke it
TEST="${TEST_DIR}/ikev2-multi-ca/revoked"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/researchCert.pem"
SERIAL="0A"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
--serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
rm ${CA_LAST_CRL}
使用以上的私钥创建Reseach CA证书,按照惯例,在hosts/winnetou/etc/ca/certs目录下保存一份以序号命名的证书。
# Generate Research CA with the same private key as above signed by Root CA
SERIAL="0B"
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
--outform pem > ${RESEARCH_CERT}
cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem
将Research证书拷贝到以下测试用例相应的主机(moon或者carol)目录下。
# Put a certificate copy into the following scenarios
for t in ikev1-multi-ca/crls ikev2-multi-ca/crls ikev2-multi-ca/ldap \
ikev2-multi-ca/pathlen ikev2-multi-ca/ocsp-signers \
ikev2-multi-ca/ocsp-strict-ifuri
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
done
for t in ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp \
ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
ikev2-multi-ca/rw-hash-and-url
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
done
相同私钥生成Research CA证书,这次使用不可用的CDP地址,用于ikev2-multi-ca/skipped测试用例。
# Convert Research CA certificate into DER format
openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
# Generate Research CA with the same private key as above but invalid CDP
TEST="${TEST_DIR}/ikev2-multi-ca/skipped"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/researchCert.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
--crl "http://crl.strongswan.org/not-available.crl" \
--in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
--outform pem > ${TEST_CERT}
Sales证书
生成Sales CA证书,序号为0C。
# Generate Sales CA signed by Root CA
SERIAL="0C"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
--outform pem > ${SALES_CERT}
cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem
将Sales证书拷贝到以下测试用例相应的主机(moon或者dave)目录下。
# Put a certificate copy into the following scenarios
for t in ikev1-multi-ca/crls ikev2-multi-ca/crls ikev2-multi-ca/ldap \
ikev2-multi-ca/ocsp-signers ikev2-multi-ca/ocsp-strict-ifuri
do
TEST="${TEST_DIR}/${t}"
cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
done
for t in ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp \
ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
ikev2-multi-ca/rw-hash-and-url
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
done
# Convert Sales CA certificate into DER format
openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
多级证书
生成通用名称CN为“strongSwan Levels Root CA”的证书,位置hosts/winnetou/etc/ca/certs/levels/levelsCert.pem。
# Generate Levels Root CA (pathlen is higher than the regular root)
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY}
pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \
--ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
--outform pem > ${LEVELS_CERT}
获取秘钥标识,spk为subjectPublicKey的SHA-1哈希。
# For TKM's CA ID mapping
LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}`
由以上的一级证书签发二级证书(LEVELS_L2_CERT: hosts/winnetou/etc/ca/certs/levels/levelsCert_l2.pem),再由二级证书签发三级证书((LEVELS_L3_CERT: hosts/winnetou/etc/ca/certs/levels/levelsCert_l3.pem))。
# Generate Levels L2 CA signed by Levels Root CA
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY}
pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \
--type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \
--ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
--outform pem > ${LEVELS_L2_CERT}
# Generate Levels L3 CA signed by Levels L2 CA
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY}
pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \
--type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \
--ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
--outform pem > ${LEVELS_L3_CERT}
将多级证书拷贝到测试用例ikev2-multi-ca/crls-l3和tkm/multi-level-ca的相应主机目录。
for t in ikev2-multi-ca/crls-l3 tkm/multi-level-ca
do
TEST="${TEST_DIR}/${t}"
for h in moon carol
do
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
done
生成DER编码格式的一级证书,保存到测试用例tests/tkm/multi-level-ca/hosts/moon/etc/tkm/levelsCert.der。
# Put DER-encoded Levels CA certificate into tkm scenario
TEST="${TEST_DIR}/tkm/multi-level-ca"
mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der
ikev2/strong-keys-certs
为主机moon生成测试证书,序号0D,摘要算法sha224。使用aes128加密秘钥。
# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey-aes128.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"
SERIAL="0D"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
--digest sha224 --outform pem > ${TEST_CERT}
openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
${TRAD} 2> /dev/null
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
为主机carol生成测试证书,序号0E,摘要算法sha384。使用aes192加密秘钥。
# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey-aes192.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"
SERIAL="0E"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
--digest sha384 --outform pem > ${TEST_CERT}
openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
${TRAD} 2> /dev/null
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
为主机dave生成测试证书,序号0F,摘要算法sha512。使用aes256加密秘钥。
# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey-aes256.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"
SERIAL="0F"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
--digest sha512 --outform pem > ${TEST_CERT}
openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
${TRAD} 2> /dev/null
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
ikev2/ocsp-signer-cert
生成carol测试证书,序号为10,OCSP URL地址为"http://ocsp.strongswan.org:8880",
661 # Generate another carol certificate with an OCSP URI
662 TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
663 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
664 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
665 CN="carol@strongswan.org"
666 SERIAL="10"
667 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
668 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
669 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
670 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
671 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
672 --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
673 --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
674 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
将证书拷贝到以下测试用例的carol主机目录。
# Put a copy into the following ikev2 scenarios
for t in ocsp-timeouts-good ocsp-disabled ocsp-no-signer-cert ocsp-root-cert \
ocsp-untrusted-cert ocsp-rfc4806-signer ocsp-rfc4806-both
do
TEST="${TEST_DIR}/ikev2/${t}"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done
生成根证书签名的OCSP签名证书(tests/hosts/winnetou/etc/ca/ocspCert.pem),PKI命令指定标志ocspSigning。
# Generate an OCSP Signing certificate for the strongSwan Root CA
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
生成自签名的OCSP证书(tests/hosts/winnetou/etc/ca/ocspCert-self.pem)。
# Generate a self-signed OCSP Signing certificate
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
--not-before "${START}" --not-after "${CA_END}" --san ${CN} \
--dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--outform pem > ${TEST_CERT}
将自签名OCSP证书拷贝到测试用例ikev2/ocsp-local-cert和ikev2/ocsp-rfc4806-local的相应目录下。
# Put a copy into the following ikev2 scenarios
for t in ocsp-local-cert ocsp-rfc4806-local
do
TEST="${TEST_DIR}/ikev2/${t}"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp
cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp
done
ha/both-active
生成火星虚拟服务器证书,序号12,证书用途serverAuth。
# Generate mars virtual server certificate
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
拷贝一份到测试用例的alice主机目录下。
# Put a copy into the mirrored gateway
mkdir -p ${TEST}/hosts/alice/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/alice/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/alice/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/alice/${SWANCTL_DIR}/x509
拷贝一份到测试用例ha/active-passive和ikev2/redirect-active目录下。
# Put a copy into the ha/active-passive and swanctl/redirect-active scenarios
for t in ha/active-passive ikev2/redirect-active
do
TEST="${TEST_DIR}/${t}"
for h in alice moon
do
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/${h}/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509
done
done
ikev2/critical-extension
创建moon测试证书,–critical指定不支持的OID:1.3.6.1.4.1.36906.1。
# Generate moon certificate with an unsupported critical X.509 extension
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="13"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
--critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
拷贝一份到测试用例openssl-ikev2/critical-extension。
# Put a copy in the openssl-ikev2/critical extension scenario
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
创建sun测试证书,–critical指定不支持的OID:1.3.6.1.4.1.36906.1。
# Generate sun certificate with an unsupported critical X.509 extension
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="14"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
--critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
拷贝一份到测试用例openssl-ikev2/critical-extension。
# Put a copy in the openssl-ikev2/critical extension scenario
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
winnetou服务器证书
生成winnetou服务器证书,用于服务器认证serverAuth。
# Generate winnetou server certificate
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
SERIAL="15"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--flag serverAuth --outform pem > ${HOST_CERT}
cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
tnc/tnccs-20-pdp-eap
创建AAA服务器证书。
# Generate AAA server certificate
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
SERIAL="16"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
mkdir -p rsa x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
拷贝一份到如下的测试用例中。
# Put a copy into various tnc scenarios
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
mkdir -p rsa x509
cp ${TEST_KEY} rsa
cp ${TEST_CERT} x509
done
# Put a copy into the alice FreeRADIUS server
cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs
属性证书Attribute Authority
生成属性证书,序列号17。
# Generate Attribute Authority certificate
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa/aaCert.pem"
CN="strongSwan Attribute Authority"
SERIAL="17"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
使用以上证书签发属性证书,应用于hosts/winnetou/etc/ca/certs/01.pem证书(carol)。属性值为sales和finance。
# Generate carol's attribute certificate for sales and finance
ACERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/carol-sales-finance.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/01.pem --group sales --group finance \
--not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
为dave(02.pem)生成过期的属性证书,属性为sales。
# Generate dave's expired attribute certificate for sales
ACERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/dave-sales-expired.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/02.pem --group sales \
--not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
为dave(02.pem)生成属性证书,属性为marketing。
# Generate dave's attribute certificate for marketing
ACERT_DM="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/dave-marketing.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/02.pem --group marketing \
--not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}
将属性证书的CA证书拷贝到测试用例ikev2/acert-fallback目录下。
# Put a copy into the ikev2/acert-fallback scenario
TEST="${TEST_DIR}/ikev2/acert-fallback"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac
cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
为carol(01.pem)生成过期的属性证书,属性为finance。
# Generate carol's expired attribute certificate for finance
ACERT=${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac/carol-finance-expired.pem
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/01.pem --group finance \
--not-before "${START}" --not-after "${SH_END}" --outform pem > ${ACERT}
为caril(01.pem)生成有效的属性证书,属性为sales。
# Generate carol's valid attribute certificate for sales
ACERT_CS=${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac/carol-sales.pem
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/01.pem --group sales \
--not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}
将属性证书的CA证书,和carol的Sales属性证书,已经dave的Marketing属性证书拷贝到测试用例ikev2/acert-inline。
# Put a copy into the ikev2/acert-inline scenario
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
cp ${ACERT_CS} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
cp ${ACERT_DM} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
生成短期的属性CA证书,序号为18。测试用例ikev2/acert-inline使用。
# Generate a short-lived Attribute Authority certificate
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa/aaCert-expired.pem"
SERIAL="18"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
使用以上过期的证书为dave(02.pem)签发属性证书,属性值为sales。
# Generate dave's attribute certificate for sales from expired AA
ACERT=${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac/dave-expired-aa.pem
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
--in ${CA_DIR}/certs/02.pem --group sales \
--not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
```
### 索引文件
将index.txt.template文件中变量(EE_EXPIRATION、IM_EXPIRATION、SH_EXPIRATION、REVOCATION)的进行替换。
```
################################################################################
# strongSwan Root CA index for OCSP server #
################################################################################
# generate index.txt file for Root OCSP server
cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
```
替换之后的文件内容如下。
```
$ cat hosts/winnetou/etc/ca/index.txt
V 321208023839Z 01 unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
V 321208023839Z 02 unknown /C=CH/O=strongSwan Project/OU=Accounting/CN=dave@strongswan.org
V 321208023839Z 03 unknown /C=CH/O=strongSwan Project/CN=moon.strongswan.org
V 321208023839Z 04 unknown /C=CH/O=strongSwan Project/CN=sun.strongswan.org
V 321208023839Z 05 unknown /C=CH/O=strongSwan Project/OU=Sales/CN=alice@strongswan.org
V 321208023839Z 06 unknown /C=CH/O=strongSwan Project/CN=venus.strongswan.org
V 321208023839Z 07 unknown /C=CH/O=strongSwan Project/OU=Research/CN=bob@strongswan.org
R 321208023839Z 241210023839Z,keyCompromise 88 unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
V 321208023839Z 09 unknown /C=CH/O=strongSwan Project/OU=Research/serialNumber=002/CN=carol@strongswan.org
R 331209023839Z 241210023839Z,CACompromise 0A unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
V 331209023839Z 0B unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
V 331209023839Z 0C unknown /C=CH/O=strongSwan Project/OU=Sales/CN=Sales CA
V 321208023839Z 0D unknown /C=CH/O=strongSwan Project/OU=SHA-224/CN=moon.strongswan.org
V 321208023839Z 0E unknown /C=CH/O=strongSwan Project/OU=SHA-384/CN=carol@strongswan.org
V 321208023839Z 0F unknown /C=CH/O=strongSwan Project/OU=SHA-512/CN=dave@strongswan.org
V 321208023839Z 10 unknown /C=CH/O=strongSwan Project/OU=OCSP/CN=carol@strongswan.org
V 321208023839Z 11 unknown /C=CH/O=strongSwan Project/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
V 321208023839Z 12 unknown /C=CH/O=strongSwan Project/OU=Virtual VPN Gateway/CN=mars.strongswan.org
V 321208023839Z 13 unknown /C=CH/O=strongSwan Project/OU=Critical Extension/CN=moon.strongswan.org
V 321208023839Z 14 unknown /C=CH/O=strongSwan Project/OU=Critical Extension/CN=sun.strongswan.org
V 321208023839Z 15 unknown /C=CH/O=strongSwan Project/CN=winnetou.strongswan.org
V 321208023839Z 16 unknown /C=CH/O=strongSwan Project/CN=aaa.strongswan.org
V 331209023839Z 17 unknown /C=CH/O=strongSwan Project/CN=strongSwan Attribute Authority
V 241209023839Z 18 unknown /C=CH/O=strongSwan Project/CN=strongSwan Legacy AA
```
### Research CA
对于测试用例ikev2-multi-ca/crls,使用RESEARCH_CERT为carol签发测试证书,CDP地址为RESEARCH_CDP:"http://crl.strongswan.org/research.crl"。
```
# Generate a carol research certificate
TEST="${TEST_DIR}/ikev2-multi-ca/crls"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
--crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```
将测试证书拷贝到如下测试用例的目录下。
```
# Save a copy of the private key in DER format
openssl rsa -in ${TEST_KEY} -outform der -out ${RESEARCH_DIR}/keys/${SERIAL}.der ${TRAD} 2> /dev/null
# Put a copy in the following scenarios
for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
ikev2-multi-ca/ldap ikev2-multi-ca/ocsp-signers \
ikev2-multi-ca/loop ikev2-multi-ca/revoked \
ikev2-multi-ca/skipped ikev2-multi-ca/rw-hash-and-url \
ikev1-multi-ca/crls ikev1-multi-ca/certreq-init \
ikev1-multi-ca/certreq-resp
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done
```
对于测试用例ikev2-multi-ca/ocsp-strict-ifuri,使用RESEARCH_CERT为carol签发测试证书,不使用CDP(没有--crl参数)。
```
# Generate a carol research certificate without a CDP
TEST="${TEST_DIR}/ikev2-multi-ca/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
```
使用RESEARCH_CERT证书签发OCSP签名证书。用途为ocspSigning。
```
# Generate an OCSP Signing certificate for the Research CA
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```
使用RESEARCH_CERT签发Sales CA证书。
```
# Generate a Sales CA certificate signed by the Research CA
TEST="${TEST_DIR}/ikev2-multi-ca/loop"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/sales_by_researchCert.pem"
SERIAL="03"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
--crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```
### Duck Research CA
使用RESEARCH_CERT证书签发Duck Research CA证书。
```
# Generate a Duck Research CA certificate signed by the Research CA
SERIAL="04"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
--in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
--crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```
将证书拷贝到测试用例ikev2-multi-ca/pathlen目录下。
```
# Put a certificate copy in the ikev2-multi-ca/pathlen scenario
TEST="${TEST_DIR}/ikev2-multi-ca/pathlen"
cp ${DUCK_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
```
使用新生成的DUCK_CERT证书,为carol签发测试证书。
```
# Generate a carol certificate signed by the Duck Research CA
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem
# Generate index.txt file for Research OCSP server
cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
```
### Sales CA证书
对于测试用例ikev2-multi-ca/crls,生成Sales CA证书,CDP地址为SALES_CDP:"http://crl.strongswan.org/sales.crl"。
```
# Generate a dave sales certificate
TEST="${TEST_DIR}/ikev2-multi-ca/crls"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
--crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
```
将证书拷贝到以下测试用例的dave主机目录。
```
# Save a copy of the private key in DER format
openssl rsa -in ${TEST_KEY} -outform der -out ${SALES_DIR}/keys/${SERIAL}.der \
${TRAD} 2> /dev/null
# Put a copy in the following scenarios
for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
ikev2-multi-ca/ldap ikev2-multi-ca/ocsp-signers \
ikev2-multi-ca/rw-hash-and-url ikev1-multi-ca/crls \
ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
done
```
使用SALES_CERT证书签发测试证书,指定不可用的OCSP地址:"http://ocsp2.strongswan.org:8882",没有使用CDP。
```
# Generate a dave sales certificate with an inactive OCSP URI and no CDP
TEST="${TEST_DIR}/ikev2-multi-ca/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
--ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
```
使用SALES_CERT证书签发OCSP签名证书。
```
# Generate an OCSP Signing certificate for the Sales CA
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
--crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
```
使用SALES_CERT证书签发Research CA证书。
```
# Generate a Research CA certificate signed by the Sales CA
TEST="${TEST_DIR}/ikev2-multi-ca/loop"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/research_by_salesCert.pem"
SERIAL="03"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
--in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
--crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
# generate index.txt file for Sales OCSP server
cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
```
### 三级L3证书
使用三级证书LEVELS_L3_KEY为carol签发证书。
```
# Generate a carol l3 certificate
TEST="${TEST_DIR}/ikev2-multi-ca/crls-l3"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
--crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
```
将证书拷贝到测试用例tkm/multi-level-ca的carol目录下。
```
for t in tkm/multi-level-ca
do
TEST="${TEST_DIR}/${t}"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done
```
### ECDSA证书
生成椭圆曲线根证书,拷贝到测试用例openssl-ikev2/ecdsa-certs和openssl-ikev2/ecdsa-pkcs8的相应目录下。
```
# Generate strongSwan EC Root CA
pki --gen --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
pki --self --type ecdsa --in ${ECDSA_KEY} \
--not-before "${START}" --not-after "${CA_END}" --ca \
--dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
--outform pem > ${ECDSA_CERT}
# Put a copy in the openssl-ikev2/ecdsa-certs scenario
for t in ecdsa-certs ecdsa-pkcs8
do
TEST="${TEST_DIR}/openssl-ikev2/${t}"
for h in moon carol dave
do
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
done
```
使用ECDSA_CERT根证书为moon签发证书,CDP地址:"http://crl.strongswan.org/strongswan_ecdsa.crl"。
```
# Generate a moon ECDSA 521 bit certificate
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
--crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
```
为carol签发ECDSA证书。
```
# Generate a carol ECDSA 256 bit certificate
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
--in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
--crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
```
为dave签发ECDSA证书。
```
# Generate a dave ECDSA 384 bit certificate
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
--in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
--crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
```
将以上签发的三个证书:MOON_CERT,CAROL_CERT和DAVE_CERT拷贝到openssl-ikev2/ecdsa-pkcs8测试用例。
```
# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${DAVE_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
```
以下将moon私钥转换为不加密的PKCS#8格式。将carol私钥转换为v1.5 DES加密的PKCS#8格式。将dave的私钥转换为v2.0 AES-28加密的PKCS#8格式。
```
# Convert moon private key into unencrypted PKCS#8 format
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}
# Convert carol private key into v1.5 DES encrypted PKCS#8 format
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${CAROL_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
-passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}
# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${DAVE_KEY} -nocrypt -topk8 -v2 aes128 \
-passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
```
将CA和终端证书拷贝到openssl-ikev1/ecdsa-certs测试用例下。
```
# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
mkdir -p ecdsa x509 x509ca
cp ${MOON_KEY} ecdsa
cp ${MOON_CERT} x509
cp ${ECDSA_CERT} x509ca
cd ${TEST}/hosts/carol/${SWANCTL_DIR}
mkdir -p ecdsa x509 x509ca
cp ${CAROL_KEY} ecdsa
cp ${CAROL_CERT} x509
cp ${ECDSA_CERT} x509ca
cd ${TEST}/hosts/dave/${SWANCTL_DIR}
mkdir -p ecdsa x509 x509ca
cp ${DAVE_KEY} ecdsa
cp ${DAVE_CERT} x509
cp ${ECDSA_CERT} x509ca
```
### RFC3779证书
生成RFC3779根证书,指定以下4个地址块。
```
# Generate strongSwan RFC3779 Root CA
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
pki --self --type rsa --in ${RFC3779_KEY} \
--not-before "${START}" --not-after "${CA_END}" --ca \
--dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
--addrblock "10.1.0.0-10.2.255.255" \
--addrblock "10.3.0.1-10.3.3.232" \
--addrblock "192.168.0.0/24" \
--addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
--outform pem > ${RFC3779_CERT}
```
拷贝到测试用例ikev2/net2net-rfc3779和ipv6/rw-rfc3779-ikev2目录下。
```
# Put a copy in the ikev2/net2net-rfc3779 scenario
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
```
使用RFC3779_CERT为moon签发证书,指定四个地址块"10.1.0.0/16","192.168.0.1/32","fec0::1/128"和"fec1::/16"。
```
# Generate a moon RFC3779 certificate
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
--addrblock "fec0::1/128" --addrblock "fec1::/16" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```
新签发证书拷贝到测试用例ipv6/net2net-rfc3779-ikev2和ipv6/rw-rfc3779-ikev2目录下。
```
# Put a copy in the ipv6 scenarios
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
do
cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp ${TEST_KEY} rsa
cp ${TEST_CERT} x509
cp ${RFC3779_CERT} x509ca
done
```
为sun主机签发证书,指定地址块:"10.2.0.0/16","192.168.0.2/32","fec0::2/128"和"fec2::/16"。
```
# Generate a sun RFC3779 certificate
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
--addrblock "fec0::2/128" --addrblock "fec2::/16" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```
拷贝到测试用例ipv6/net2net-rfc3779-ikev2目录下。
```
# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp ${TEST_KEY} rsa
cp ${TEST_CERT} x509
cp ${RFC3779_CERT} x509ca
```
为carol生成rfc3779证书。
```
# Generate a carol RFC3779 certificate
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
--addrblock "fec0::10/128" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```
为dave生成rfc3779证书。
```
# Generate a carol RFC3779 certificate
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
--addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
--addrblock "fec0::20/128" \
--crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```
### SHA3-RSA证书。
生成sha3_256摘要算法的自签名根证书。
```
SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"
# Generate strongSwan SHA3-RSA Root CA
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
--not-before "${START}" --not-after "${CA_END}" --ca \
--dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
--outform pem > ${SHA3_RSA_CERT}
```
拷贝到测试用例ikev2/net2net-sha3-rsa-cert。
```
# Put a copy in the ikev2/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/ikev2/net2net-sha3-rsa-cert"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
```
为sun生成SHA3-RSA证书。
```
# Generate a sun SHA3-RSA certificate
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
```
为moon生成SHA3-RSA证书。
```
# Generate a moon SHA3-RSA certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
```
拷贝证书到测试用例botan/net2net-sha3-rsa-cert, openssl-ikev2/net2net-sha3-rsa-cert, wolfssl/net2net-sha3-rsa-cert目录下。
```
# Put a copy in the botan openssl-ikev2 and wolfssl net2net-sha3-rsa-cert scenarios
for d in botan openssl-ikev2 wolfssl
do
TEST="${TEST_DIR}/${d}/net2net-sha3-rsa-cert"
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
mkdir -p rsa x509 x509ca
cp ${MOON_KEY} rsa
cp ${MOON_CERT} x509
cp ${SHA3_RSA_CERT} x509ca
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
mkdir -p rsa x509 x509ca
cp ${SUN_KEY} rsa
cp ${SUN_CERT} x509
cp ${SHA3_RSA_CERT} x509ca
done
```
拷贝moon证书到测试用例ikev2/rw-eap-tls-sha3-rsa。
```
# Put a copy in the ikev2/rw-eap-tls-sha3-rsa scenario
TEST="${TEST_DIR}/ikev2/rw-eap-tls-sha3-rsa"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
```
为carol生成SHA3-RSA证书。
```
# Generate a carol SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
```
为dave生成SHA3-RSA证书。
```
# Generate a dave SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
for h in moon carol dave
do
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
```
### Ed25519证书
生成Ed25519类型自签名根证书。
```
# Generate strongSwan Ed25519 Root CA
pki --gen --type ed25519 --outform pem > ${ED25519_KEY}
pki --self --type ed25519 --in ${ED25519_KEY} \
--not-before "${START}" --not-after "${CA_END}" --ca \
--dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
--cert-policy "1.3.6.1.4.1.36906.1.1.1" \
--cert-policy "1.3.6.1.4.1.36906.1.1.2" \
--outform pem > ${ED25519_CERT}
```
拷贝到测试用例ikev2/net2net-ed25519目录下。
```
# Put a copy in the ikev2/net2net-ed25519 scenario
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
```
为sun签名Ed25519证书。
```
# Generate a sun Ed25519 certificate
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${SUN_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
--in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
--cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
--crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```
为moon签名Ed25519证书。
```
# Generate a moon Ed25519 certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${MOON_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
--in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
--cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
--crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```
拷贝到测试用例botan/net2net-ed25519, wolfssl/net2net-ed25519。
```
# Put a copy in the botan and wolfssl net2net-ed25519 scenarios
for d in botan wolfssl
do
TEST="${TEST_DIR}/${d}/net2net-ed25519"
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
mkdir -p pkcs8 x509 x509ca
cp ${MOON_KEY} pkcs8
cp ${MOON_CERT} x509
cp ${ED25519_CERT} x509ca
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
mkdir -p pkcs8 x509 x509ca
cp ${SUN_KEY} pkcs8
cp ${SUN_CERT} x509
cp ${ED25519_CERT} x509ca
done
```
拷贝到测试用例ikev2/rw-ed25519-certpol。
```
# Put a copy in the ikev2/rw-ed25519-certpol scenario
TEST="${TEST_DIR}/ikev2/rw-ed25519-certpol"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
for h in moon carol dave
do
mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
```
为carol签发ed25519证书。
```
# Generate a carol Ed25519 certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${TEST_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
--cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
--crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```
为dave签发ed25519证书。
```
# Generate a dave Ed25519 certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${TEST_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
--cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
--crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```
### Monster证书
生成Monster证书,私钥长度MONSTER_CA_RSA_SIZE为8192。拷贝到测试用例ikev2/after-2038-certs。
```
# Generate strongSwan Monster Root CA
pki --gen --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
pki --self --type rsa --in ${MONSTER_KEY} \
--not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
--dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
--outform pem > ${MONSTER_CERT}
# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
cp ${MONSTER_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${MONSTER_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
```
使用MONSTER_CERT为moon签发证书。终端私钥的长度MONSTER_EE_RSA_SIZE为4096。
```
# Generate a moon Monster certificate
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
--in ${TEST_KEY} --san ${CN} \
--not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
--crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
```
使用MONSTER_CERT为carol签发证书。
```
# Generate a carol Monster certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
--in ${TEST_KEY} --san ${CN} \
--not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" - \
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
--crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
```
