strongSwan test certificate generation

server/2024/12/23 6:19:04/

The environment is as follows:

$ openssl version 
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
$ 
$ openssl version | sed -re 's/^OpenSSL ([0-9]+)\..*/\1/'
3

Directories and certificate files produced by the generation:

testing/hosts/winnetou/etc/ca$ ls 
bliss                             ed25519             keys          ocspCert-self.pem  sales               strongswanKey.pem
certs                             generate-crl        levels        ocspKey.pem        sha3-rsa            winnetouCert.pem
db.strongswan.org.certs-and-keys  index.html          monster       ocspKey-self.pem   strongswanCert.der  winnetouKey.pem
duck                              index.txt           ocsp          research           strongswanCert.pem
ecdsa                             index.txt.template  ocspCert.pem  rfc3779            strongswan.crl
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls certs/
01.pem  03.pem  05.pem  07.pem  0A.pem  0C.pem  0E.pem  10.pem  12.pem  14.pem  16.pem  18.pem
02.pem  04.pem  06.pem  09.pem  0B.pem  0D.pem  0F.pem  11.pem  13.pem  15.pem  17.pem  88.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls keys/
aliceKey.der  bobKey.der  carolKey.der  daveKey.der  moonKey.der  sunKey.der  venusKey.der 
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls ocsp
ocsp.cgi

The strongSwan certificates live in the directory CA_DIR: testing/hosts/winnetou/etc/ca/. The following global variables are defined: the CA private key CA_KEY, the CA certificate CA_CERT, the CA's certificate revocation list CA_CRL, the CA's CRL distribution point CA_CDP (CRL Distribution Point) and the address of the CA's OCSP responder CA_OCSP (Online Certificate Status Protocol).

# Define some global variables
PROJECT="strongSwan Project"
CA_DIR="${DIR}/hosts/winnetou/etc/ca"
CA_KEY="${CA_DIR}/strongswanKey.pem"
CA_CERT="${CA_DIR}/strongswanCert.pem"
CA_CERT_DER="${CA_DIR}/strongswanCert.der"
CA_CRL="${CA_DIR}/strongswan.crl"
CA_LAST_CRL="${CA_DIR}/strongswan_last.crl"
CA_CDP="http://crl.strongswan.org/strongswan.crl"
CA_BASE_CDP="http://crl.strongswan.org/strongswan_base.crl"
CA_OCSP="http://ocsp.strongswan.org:8880"

Time variables used when the certificates are generated below. The certificate start time START is two days before the system time; SH_END is one day before it. The CA certificate end time CA_END is 10 years after the current time, the intermediate certificate expiry IM_END is 9 years after it, and the end-entity certificate expiry EE_END is 8 years after it.

START=`date  -d "-2 day"    "+%d.%m.%y %T"`
SH_END=`date -d "-1 day"    "+%d.%m.%y %T"`    #  1 day
CA_END=`date -d "+3651 day" "+%d.%m.%y %T"`    # 10 years
IM_END=`date -d "+3286 day" "+%d.%m.%y %T"`    #  9 years
EE_END=`date -d "+2920 day" "+%d.%m.%y %T"`    #  8 years
SH_EXP=`date -d "-1 day"    "+%y%m%d%H%M%SZ"`  #  1 day
IM_EXP=`date -d "+3286 day" "+%y%m%d%H%M%SZ"`  #  9 years
EE_EXP=`date -d "+2920 day" "+%y%m%d%H%M%SZ"`  #  8 years
NOW=`date "+%y%m%d%H%M%SZ"`

Variables for the Research department CA.

RESEARCH_DIR="${CA_DIR}/research"
RESEARCH_KEY="${RESEARCH_DIR}/researchKey.pem"
RESEARCH_CERT="${RESEARCH_DIR}/researchCert.pem"
RESEARCH_CERT_DER="${RESEARCH_DIR}/researchCert.der"
RESEARCH_CDP="http://crl.strongswan.org/research.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls research/
certs  index.txt  index.txt.template  keys  ocsp  ocspCert.pem  ocspKey.pem  researchCert.der  researchCert.pem  researchKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls research/certs/
01.pem  02.pem  03.pem  04.pem
testing/hosts/winnetou/etc/ca$ ls research/keys/
01.der
testing/hosts/winnetou/etc/ca$ ls research/ocsp
ocsp.cgi

Variables for the Sales department CA.

SALES_DIR="${CA_DIR}/sales"
SALES_KEY="${SALES_DIR}/salesKey.pem"
SALES_CERT="${SALES_DIR}/salesCert.pem"
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls sales/
certs  index.txt  index.txt.template  keys  ocsp  ocspCert.pem  ocspKey.pem  salesCert.der  salesCert.pem  salesKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls sales/certs/
01.pem  02.pem  03.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls sales/keys/
01.der
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls sales/ocsp
ocsp.cgi

Variables for the three-level CA chain.

LEVELS_DIR="${CA_DIR}/levels"
LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
LEVELS_CDP="http://crl.strongswan.org/levels.crl"
LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls levels/
certs  levelsCert_l2.pem  levelsCert_l3.pem  levelsCert.pem  levelsKey_l2.pem  levelsKey_l3.pem  levelsKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls levels/certs/
01.pem

Different certificate types

Certificate with the common name (CN) "Duck Research CA".

DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls duck/
certs  duckCert.pem  duckKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls duck/certs/
01.pem

Certificates using the Elliptic Curve Digital Signature Algorithm (ECDSA).

ECDSA_DIR="${CA_DIR}/ecdsa"
ECDSA_KEY="${ECDSA_DIR}/strongswanKey.pem"
ECDSA_CERT="${ECDSA_DIR}/strongswanCert.pem"
ECDSA_CDP="http://crl.strongswan.org/strongswan_ecdsa.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls ecdsa/
certs  strongswanCert.pem  strongswanKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls ecdsa/certs/
01.pem  02.pem  03.pem

Certificates with RFC 3779 extensions, i.e. carrying the IP address resource extension.

RFC3779_DIR="${CA_DIR}/rfc3779"
RFC3779_KEY="${RFC3779_DIR}/strongswanKey.pem"
RFC3779_CERT="${RFC3779_DIR}/strongswanCert.pem"
RFC3779_CDP="http://crl.strongswan.org/strongswan_rfc3779.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls rfc3779/
certs  strongswanCert.pem  strongswanKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls rfc3779/certs/
01.pem  02.pem  03.pem  04.pem

RSA certificates signed with the SHA-3 digest algorithm.

SHA3_RSA_DIR="${CA_DIR}/sha3-rsa"
SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem"
SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem"
SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls sha3-rsa/
certs  strongswanCert.pem  strongswanKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls sha3-rsa/certs/
01.pem  02.pem  03.pem  04.pem

Certificates using the Ed25519 Edwards-curve Digital Signature Algorithm.

ED25519_DIR="${CA_DIR}/ed25519"
ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls ed25519/
certs  strongswanCert.pem  strongswanKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls ed25519/certs/
01.pem  02.pem  03.pem  04.pem

Certificate with the common name (CN) "strongSwan Monster CA", whose CA and end-entity RSA keys are 8192 and 4096 bits long.

MONSTER_DIR="${CA_DIR}/monster"
MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
MONSTER_CDP="http://crl.strongswan.org/strongswan_monster.crl"
MONSTER_CA_RSA_SIZE="8192"
MONSTER_EE_RSA_SIZE="4096"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls monster/
certs  strongswanCert.pem  strongswanKey.pem
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls monster/certs/
01.pem  02.pem

Certificates signed with BLISS (Bimodal Lattice Signature Scheme), a post-quantum signature scheme.

BLISS_DIR="${CA_DIR}/bliss"
BLISS_KEY="${BLISS_DIR}/strongswan_blissKey.der"
BLISS_CERT="${BLISS_DIR}/strongswan_blissCert.der"
BLISS_CDP="http://crl.strongswan.org/strongswan_bliss.crl"

The generated certificates are located in the following directory:

testing/hosts/winnetou/etc/ca$ ls bliss/
certs  strongswan_blissCert.der  strongswan_blissKey.der
testing/hosts/winnetou/etc/ca$ 
testing/hosts/winnetou/etc/ca$ ls bliss/certs/
01.der  02.der  03.der

The RSA private key length RSA_SIZE, the per-host configuration directories, the list of hosts and the test directory.

RSA_SIZE="3072"
IPSEC_DIR="etc/ipsec.d"
SWANCTL_DIR="etc/swanctl"
TKM_DIR="etc/tkm"
HOSTS="carol dave moon sun alice venus bob"
TEST_DIR="${DIR}/tests"

Create the certificate and private key directories for all the CAs mentioned above.

mkdir -p ${CA_DIR}/certs
mkdir -p ${CA_DIR}/keys
mkdir -p ${RESEARCH_DIR}/certs
mkdir -p ${RESEARCH_DIR}/keys
mkdir -p ${SALES_DIR}/certs
mkdir -p ${SALES_DIR}/keys
mkdir -p ${LEVELS_DIR}/certs
mkdir -p ${DUCK_DIR}/certs
mkdir -p ${ECDSA_DIR}/certs
mkdir -p ${RFC3779_DIR}/certs
mkdir -p ${SHA3_RSA_DIR}/certs
mkdir -p ${ED25519_DIR}/certs
mkdir -p ${MONSTER_DIR}/certs
mkdir -p ${BLISS_DIR}/certs

strongSwan Root CA certificate

Generate the strongSwan root CA certificate. First, generate a 3072-bit (RSA_SIZE) private key (hosts/winnetou/etc/ca/strongswanKey.pem) in PEM (Privacy Enhanced Mail) format, an ASCII-encoded text file format.

Next, generate the self-signed root CA certificate (CA_CERT=hosts/winnetou/etc/ca/strongswanCert.pem), also in PEM format. The root CA certificate is valid for 10 years and carries a path length constraint of 1 (--pathlen 1), so at most one intermediate CA may sit below it.

Finally, copy the root CA certificate to every client host directory (HOSTS); for the host moon, for example, it goes to hosts/moon/etc/ipsec.d/cacerts and hosts/moon/etc/swanctl/x509ca.

# Generate strongSwan Root CA
pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${CA_KEY}
pki --self --type rsa --in ${CA_KEY} --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 1 --dn "C=CH, O=${PROJECT}, CN=strongSwan Root CA" \
    --outform pem > ${CA_CERT}

# Distribute strongSwan Root CA certificate
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/cacerts
  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509ca
  cp ${CA_CERT} ${HOST_DIR}/${IPSEC_DIR}/cacerts
  cp ${CA_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509ca
done

For the host alice, the root CA certificate is also copied to hosts/alice/etc/raddb/certs, the FreeRADIUS certificate directory. The strongSwan Root CA certificate is then converted to DER (Distinguished Encoding Rules), a binary format.

Using the CA certificate and private key, a stale CRL (Certificate Revocation List) is issued; its this-update time is START (two days ago) and its lifetime one day, so it is already expired, which is what the ikev2/crl-ldap test case needs.

# Put a copy onto the alice FreeRADIUS server
mkdir -p ${DIR}/hosts/alice/etc/raddb/certs
cp ${CA_CERT} ${DIR}/hosts/alice/etc/raddb/certs

# Convert strongSwan Root CA certificate into DER format
openssl x509 -in ${CA_CERT} -outform der -out ${CA_CERT_DER}

# Generate a stale CRL
pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} \
    --this-update "${START}" --lifetime 1 > ${CA_LAST_CRL}

# Put a CRL copy into the ikev2/crl-ldap scenario to be used as a stale crl
TEST="${TEST_DIR}/ikev2/crl-ldap"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509crl
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509crl
cp ${CA_LAST_CRL} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509crl/stale.crl
cp ${CA_LAST_CRL} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509crl/stale.crl

Generate a private key for each client host. For moon, for example, the key hosts/moon/etc/ipsec.d/private/moonKey.pem is generated and a copy is placed in hosts/moon/etc/swanctl/rsa.

A DER-format copy of each private key is produced as well; for moon the file is hosts/winnetou/etc/ca/keys/moonKey.der.

# Generate host keys
for h in ${HOSTS}
do
  HOST_DIR="${DIR}/hosts/${h}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${h}Key.pem"
  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/private
  pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}

  # Put a copy into swanctl directory tree
  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/rsa
  cp ${HOST_KEY} ${HOST_DIR}/${SWANCTL_DIR}/rsa

  # Convert host key into DER format
  openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
      ${TRAD} 2> /dev/null
done

moon's private key and the root CA certificate are copied into the tkm test case directories listed below. For the first one, host2host-initiator, moon's private key and the DER-format root CA certificate CA_CERT_DER (hosts/winnetou/etc/ca/strongswanCert.der) are copied to tests/tkm/host2host-initiator/hosts/moon/etc/tkm.

# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
         multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
         xfrmproxy-rekey
do
  TEST="${TEST_DIR}/tkm/${t}"
  mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
  cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR}
done

The contents of the test case directory host2host-initiator/hosts/moon/etc/tkm after copying:

strongswan-5.9.14/testing$ ls tests/tkm/host2host-initiator/hosts/moon/etc/tkm
moonKey.der  strongswanCert.der  tkm.conf

tkm/multiple-clients test case

Similarly, sun's private key and the DER-format root CA certificate CA_CERT_DER (hosts/winnetou/etc/ca/strongswanCert.der) are copied to tests/tkm/multiple-clients/hosts/sun/etc/tkm for use by the multiple-clients test case.

# Put DER_encoded sun private key and Root CA certificate into tkm scenarios
TEST="${TEST_DIR}/tkm/multiple-clients"
mkdir -p ${TEST}/hosts/sun/${TKM_DIR}
cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR}

ikev2/rw-pkcs8 test case

moon's private key has to be converted to unencrypted PKCS#8 format. The original key is hosts/moon/etc/swanctl/rsa/moonKey.pem; the new one is tests/ikev2/rw-pkcs8/hosts/moon/etc/swanctl/pkcs8/moonKey.pem.

# Convert moon private key into unencrypted PKCS#8 format
TEST="${TEST_DIR}/ikev2/rw-pkcs8"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -out ${TEST_KEY}

carol's private key is converted to PKCS#8 encrypted with the legacy PKCS#5 v1.5 scheme PBE-MD5-DES (56-bit DES). The original key is hosts/carol/etc/swanctl/rsa/carolKey.pem; the converted key is tests/ikev2/rw-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem.

# Convert carol private key into v1.5 DES encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8 -v1 PBE-MD5-DES \
    -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}

dave's private key is converted to PKCS#8 encrypted with PKCS#5 v2.0 AES-128. The original key is hosts/dave/etc/swanctl/rsa/daveKey.pem; the converted key is tests/ikev2/rw-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem.

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${HOST_KEY} -nocrypt -topk8  -v2 aes128 \
    -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}

moon public key

From moon's private key hosts/moon/etc/swanctl/rsa/moonKey.pem, extract the public key tests/ikev2/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem and copy it into tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/pubkey.

# Extract the raw moon public key for the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
TEST_PUB="${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey/moonPub.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey

Copy moon's public key into tests/ikev2/net2net-dnssec/hosts/moon/etc/swanctl/pubkey and tests/ikev2/rw-dnssec/hosts/moon/etc/swanctl/pubkey.

# Put a copy into the following ikev2 scenarios
for t in net2net-dnssec rw-dnssec
do
  TEST="${TEST_DIR}/ikev2/${t}"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
  cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey
done

Copy moon's public key into tests/ikev2/{rw-pubkey-anon,rw-pubkey-keyid}/hosts/{moon,carol,dave}/etc/swanctl/pubkey.

# Put a copy into the following ikev2 scenarios
for t in r2-pubkey-anon rw-pubkey-keyid
do
  TEST="${TEST_DIR}/ikev2/${t}"
  for h in moon carol dave
  do
    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
    cp ${TEST_PUB} ${TEST}/hosts/${h}/${SWANCTL_DIR}/pubkey
  done
done

sun public key

From sun's private key hosts/sun/etc/swanctl/rsa/sunKey.pem, extract the public key tests/ikev2/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem and copy it into moon's pubkey directory of the same test case.

# Extract the raw sun public key for the ikev2/net2net-pubkey scenario
TEST="${TEST_DIR}/ikev2/net2net-pubkey"
TEST_PUB="${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey/sunPub.pem"
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey

Copy sun's public key into tests/ikev2/net2net-dnssec/hosts/sun/etc/swanctl/pubkey.

# Put a copy into the ikev2/net2net-dnssec scenario
TEST="${TEST_DIR}/ikev2/net2net-dnssec"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/sun/${SWANCTL_DIR}/pubkey

Copy sun's public key into tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey.

# Put a copy into the ikev2/rw-pubkey-anon scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey

carol public key

From carol's private key hosts/carol/etc/swanctl/rsa/carolKey.pem, extract the public key tests/ikev2/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.pem.

# Extract the raw carol public key for the ikev2/rw-dnssec scenario
TEST="${TEST_DIR}/ikev2/rw-dnssec"
TEST_PUB="${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey/carolPub.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}

Copy carol's public key into tests/ikev2/rw-pubkey-anon/hosts/{carol,moon}/etc/swanctl/pubkey.

# Put a copy into the ikev2/rw-pubkey-anon scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey

Copy carol's public key into tests/ikev2/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey and tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey.

# Put a copy into the ikev2/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-keyid"
cp ${TEST_PUB} ${TEST}/hosts/carol/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey

dave public key

From dave's private key hosts/dave/etc/swanctl/rsa/daveKey.pem, extract the public key tests/ikev2/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.pem.

# Extract the raw dave public key for the ikev2/rw-dnssec scenario
TEST="${TEST_DIR}/ikev2/rw-dnssec"
TEST_PUB="${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey/davePub.pem"
HOST_KEY="${DIR}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
pki --pub --type rsa --in ${HOST_KEY} --outform pem > ${TEST_PUB}

Copy dave's public key into tests/ikev2/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey and tests/ikev2/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey.

# Put a copy into the ikev2/rw-pubkey-anon scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-anon"
cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey

Copy dave's public key into tests/ikev2/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey and tests/ikev2/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey.

# Put a copy into the ikev2/rw-pubkey-keyid scenario
TEST="${TEST_DIR}/ikev2/rw-pubkey-keyid"
cp ${TEST_PUB} ${TEST}/hosts/dave/${SWANCTL_DIR}/pubkey
cp ${TEST_PUB} ${TEST}/hosts/moon/${SWANCTL_DIR}/pubkey

Host certificates

The host private keys are hosts/{carol,dave,moon,sun,alice,venus,bob}/etc/ipsec.d/private/{carol … bob}Key.pem and the host certificates are hosts/{carol,dave,moon,sun,alice,venus,bob}/etc/ipsec.d/certs/{carol … bob}Cert.pem.

# function issue_cert: serial host cn [ou]
issue_cert()
{
  # does optional OU argument exist?
  if [ -z "${4}" ]
  then
    OU=""
  else
    OU=" OU=${4},"
  fi
  HOST_DIR="${DIR}/hosts/${2}"
  HOST_KEY="${HOST_DIR}/${IPSEC_DIR}/private/${2}Key.pem"
  HOST_CERT="${HOST_DIR}/${IPSEC_DIR}/certs/${2}Cert.pem"
  mkdir -p ${HOST_DIR}/${IPSEC_DIR}/certs

The root CA issues a host certificate (HOST_CERT) for each host, and a copy named after the certificate's serial number is placed in hosts/winnetou/etc/ca/certs.

Finally, a copy of the host certificate is placed in hosts/{carol,dave,moon,sun,alice,venus,bob}/etc/swanctl/x509.

  pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
      --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${3} \
      --serial ${1} --dn "C=CH, O=${PROJECT},${OU} CN=${3}" \
      --outform pem > ${HOST_CERT}
  cp ${HOST_CERT} ${CA_DIR}/certs/${1}.pem

  # Put a certificate copy into swanctl directory tree
  mkdir -p ${HOST_DIR}/${SWANCTL_DIR}/x509
  cp ${HOST_CERT} ${HOST_DIR}/${SWANCTL_DIR}/x509
}

The issue_cert function above generates the clients' host certificates. Its arguments are the certificate serial number, the host name, the common name (which is also placed in the subjectAltName) and, optionally, the organizational unit OU.

# Generate host certificates
issue_cert 01 carol carol@strongswan.org Research
issue_cert 02 dave dave@strongswan.org Accounting
issue_cert 03 moon moon.strongswan.org
issue_cert 04 sun sun.strongswan.org
issue_cert 05 alice alice@strongswan.org Sales
issue_cert 06 venus venus.strongswan.org
issue_cert 07 bob bob@strongswan.org Research

dave's credentials

The ikev2/dynamic-initiator, ikev1/dynamic-initiator and ikev1/dynamic-responder test cases need a private key and certificate in dave's directory; the script copies carol's key and certificate there.

# Copy carol's credentials into the dave directory of the following scenarios
for t in ikev2/dynamic-initiator ikev1/dynamic-initiator ikev1/dynamic-responder
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
  cp ${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
  cp ${DIR}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
done

PKCS#12

PKCS#12 is an archive file format that bundles several cryptographic objects into a single file; it is usually used to store a private key together with its X.509 certificate or certificate chain. Generate a PKCS#12 file for the host moon at tests/ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12. It contains moon's key and certificate plus the root CA certificate, with the key and certificates encrypted using AES-128-CBC and integrity-protected with a SHA-256 MAC.

# Create PKCS#12 file for moon
TEST="${TEST_DIR}/ikev2/net2net-pkcs12"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
HOST_CERT="${DIR}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
MOON_PKCS12="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12/moonCert.p12"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "moon" \
    -certfile ${CA_CERT} -caname "strongSwan Root CA" -keypbe aes-128-cbc \
    -certpbe aes-128-cbc -macalg sha256 -passout "pass:kUqd8O7mzbjXNJKQ" > ${MOON_PKCS12}

Generate the PKCS#12 file for sun at tests/ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12.

# Create PKCS#12 file for sun
HOST_KEY="${DIR}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
HOST_CERT="${DIR}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
SUN_PKCS12="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12/sunCert.p12"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
openssl pkcs12 -export -inkey ${HOST_KEY} -in ${HOST_CERT} -name "sun" \
    -certfile ${CA_CERT} -caname "strongSwan Root CA" -keypbe aes-128-cbc \
    -certpbe aes-128-cbc -macalg sha256 -passout "pass:IxjQVCF3JGI+MoPi" > ${SUN_PKCS12}

Copy the moon and sun PKCS#12 files into tests/botan/net2net-pkcs12/hosts/{moon,sun}/etc/swanctl/pkcs12 and tests/openssl-ikev2/net2net-pkcs12/hosts/{moon,sun}/etc/swanctl/pkcs12.

# Put a PKCS#12 copy into the botan/net2net-pkcs12 scenario
for t in botan/net2net-pkcs12 openssl-ikev2/net2net-pkcs12
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
  mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
  cp ${MOON_PKCS12} ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs12
  cp ${SUN_PKCS12}  ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs12
done

Zone file

Store the moon and sun certificates as DNS CERT records in the file hosts/winnetou/etc/ca/db.strongswan.org.certs-and-keys. The Base64 body of each PEM certificate is indented and wrapped in parentheses so that it can be included in a zone file.

# Store moon and sun certificates in strongswan.org zone
ZONE_FILE="${CA_DIR}/db.strongswan.org.certs-and-keys"
echo "; Automatically generated for inclusion in zone file" > ${ZONE_FILE}
for h in moon sun
do
  HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
  cert=$(grep --invert-match ^----- ${HOST_CERT}| sed -e 's/^/\t\t\t\t/')
  echo -e "${h}\tIN\tCERT\t( 1 0 0\n${cert}\n\t\t\t\t)" >> ${ZONE_FILE}
done

Store the public keys of moon, sun, carol and dave in the same zone file hosts/winnetou/etc/ca/db.strongswan.org.certs-and-keys as IPSECKEY records (precedence 10, gateway type 3 = domain name, algorithm 2 = RSA).

# Store public keys in strongswan.org zone
echo ";" >> ${ZONE_FILE}
for h in moon sun carol dave
do
  HOST_CERT=${DIR}/hosts/${h}/${SWANCTL_DIR}/x509/${h}Cert.pem
  pubkey=$(pki --pub --type x509 --in ${HOST_CERT} --outform dnskey | sed 's/\(.\{0,64\}\)/\t\t\t\t\1\n/g')
  echo -e "${h}\tIN\tIPSECKEY\t( 10 3 2 ${h}.strongswan.org.\n${pubkey}\n\t\t\t\t)" >> ${ZONE_FILE}
done

The resulting file:

testing$ cat hosts/winnetou/etc/ca/db.strongswan.org.certs-and-keys   
; Automatically generated for inclusion in zone file
moon    IN      CERT    ( 1 0 0
                                MIIEiDCCAvCgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDSDEb
                                ... ...
                                96UKD6BK0LczffM/
                                )
sun     IN      CERT    ( 1 0 0
                                MIIEhjCCAu6gAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDSDEb
                                ... ...
                                w31UeNAt3y2e2Q==
                                )
;
moon    IN      IPSECKEY        ( 10 3 2 moon.strongswan.org.
                                AwEAAbw2kQ4a21xAFNLSK0kDIF7LFWLZQrQ6FLX9Dthe2hFuAA90IHBOwuZrsyEH
                                ... ...
                                nlrDlw==
                                )
sun     IN      IPSECKEY        ( 10 3 2 sun.strongswan.org.
                                AwEAAZg9FddPYQsv2qVMQWsefPVHzEIN/w5Fp6se+22Bc9lKYVhn5V2QA+8vfTYo
                                ... ...
                                uVbwKw==
                                )
carol   IN      IPSECKEY        ( 10 3 2 carol.strongswan.org.
                                AwEAAa8TDQliWKdz9XFBcPsDFeAQ4DUnOi9zX2OmiJhvt93em9OWJT9LbwlQcWXo
                                ... ...
                                JtqlMw==
                                )
dave    IN      IPSECKEY        ( 10 3 2 dave.strongswan.org.
                                AwEAAZUr6u84nJ8/KttYxSU8OyvQiSLIIormnt7SMEzSl8pHhJ9JRU9UQjP7+2SI
                                ... ...
                                oSwtvw==
                                )

ikev2/crl-to-cache test case

Generate a test certificate for carol that carries the CA_BASE_CDP address (http://crl.strongswan.org/strongswan_base.crl) as its CRL distribution point.

# Generate a carol certificate for the ikev2/crl-to-cache scenario with base CDP
TEST="${TEST_DIR}/ikev2/crl-to-cache"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
HOST_KEY="${DIR}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
CN="carol@strongswan.org"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial 01 --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > ${TEST_CERT}

Generate a test certificate for moon that carries the CA_BASE_CDP address (http://crl.strongswan.org/strongswan_base.crl) as its CRL distribution point.

# Generate a moon certificate for the ikev2/crl-to-cache scenario with base CDP
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
CN="moon.strongswan.org"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rsa \
    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial 03 --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > ${TEST_CERT}

carol's encrypted private key

Encrypt carol's private key in place with AES-128 and the password KEY_PWD.

# Encrypt carolKey.pem
HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
KEY_PWD="nH5ZQEWtku0RJEZ6"
openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
    ${TRAD} 2> /dev/null

Copy it to tests/{ikev2,botan,wolfssl}/rw-cert/hosts/carol/etc/swanctl/rsa.

# Put a copy into the ikev2, botan and wolfssl rw-cert scenarios
for d in ikev2 botan wolfssl
do
  TEST="${TEST_DIR}/${d}/rw-cert"
  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
  cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
done

carol's revoked certificate

Generate a test certificate for carol with a fresh private key and serial number 88, TEST_CERT: tests/ikev2/crl-revoked/hosts/carol/etc/swanctl/x509/carolCert.pem.

# Generate another carol certificate and revoke it
TEST="${TEST_DIR}/ikev2/crl-revoked"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="88"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > ${TEST_CERT}

As usual, a copy named after the serial number is kept in hosts/winnetou/etc/ca/certs. Then sign a CRL that revokes serial number 88 with the reason key-compromise.

cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "key-compromise" \
    --serial ${SERIAL} > ${CA_CRL}
cp ${CA_CRL} ${CA_LAST_CRL}

carol in the ikev2/ocsp-revoked test case also needs the test private key and certificate generated above.

# Put a copy into the ikev2/ocsp-revoked scenario
TEST="${TEST_DIR}/ikev2/ocsp-revoked"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${TEST_KEY}  ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
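The crl-revoked situation above can be checked end to end with plain openssl. The following is an added example, not part of the strongSwan script: it builds a throwaway root CA and a carol certificate with serial 88 and a CDP, revokes it for key compromise, and shows that verification passes without the CRL but reports the certificate as revoked once the CRL is consulted. All file names, subjects and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the strongSwan script): rebuild the
# ikev2/crl-revoked situation with plain openssl (no pki tool needed) and
# check the result the way a peer that fetched the CRL would.  The root CA,
# the carol certificate with serial 0x88 and its CDP, and the CRL with reason
# keyCompromise are all constructed here; names and paths are made up.

# make_test_pki DIR: self-signed root (pathlen 1), end-entity cert with
# serial 0x88, an e-mail SAN and a CDP, and a CRL that revokes it.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # minimal req config so that no system openssl.cnf is consulted
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/strongswanKey.pem" -out "$dir/strongswanCert.pem" \
    -subj "/C=CH/O=strongSwan Project/CN=strongSwan Root CA" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:1" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/carolKey.pem" -out "$dir/carol.csr" \
    -subj "/C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org" 2>/dev/null
  cat > "$dir/ee.ext" <<EOF
basicConstraints=CA:FALSE
subjectAltName=email:carol@strongswan.org
crlDistributionPoints=URI:http://crl.strongswan.org/strongswan.crl
EOF
  openssl x509 -req -in "$dir/carol.csr" -CA "$dir/strongswanCert.pem" \
    -CAkey "$dir/strongswanKey.pem" -set_serial 0x88 -days 30 \
    -extfile "$dir/ee.ext" -out "$dir/carolCert.pem" 2>/dev/null
  # 'openssl ca' keeps its revocation state in an index.txt database (like
  # the CA's index.txt above); only -revoke and -gencrl are used here
  : > "$dir/index.txt"
  echo 01 > "$dir/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/strongswanCert.pem
private_key = $dir/strongswanKey.pem
default_md = sha256
default_crl_days = 1
EOF
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/carolCert.pem" \
    -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/strongswan.crl" 2>/dev/null
}

# cert_serial CERT: hex serial as openssl prints it (the script above names
# the CA's copy of every certificate after this value)
cert_serial() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }

# cert_cdp CERT: CRL distribution point URI carried in the certificate
cert_cdp() {
  openssl x509 -noout -ext crlDistributionPoints -in "$1" | sed -n 's/^[[:space:]]*URI://p'
}

# crl_revoked_serials CRL: serial numbers listed as revoked in the CRL
crl_revoked_serials() {
  openssl crl -noout -text -in "$1" | sed -n 's/^[[:space:]]*Serial Number: //p'
}

# verify_status CA CRL CERT: prints ok, revoked or invalid.  An empty CRL
# argument skips the revocation check, which is what a peer effectively does
# when it cannot fetch the CDP and is configured not to treat that as fatal.
verify_status() {
  ca=$1; crl=$2; cert=$3
  if [ -n "$crl" ]; then
    if out=$(openssl verify -CAfile "$ca" -crl_check -CRLfile "$crl" "$cert" 2>&1); then
      echo ok; return 0
    fi
  elif out=$(openssl verify -CAfile "$ca" "$cert" 2>&1); then
    echo ok; return 0
  fi
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *) echo invalid ;;
  esac
}
```

The same four helper functions work unchanged on the files the script produces (strongswanCert.pem, strongswan.crl and certs/88.pem), which is a quick way to confirm that a regenerated CRL really lists the revoked serial.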

ikev2/two-certs test case

Generate a second certificate for carol, tests/ikev2/two-certs/hosts/carol/etc/swanctl/x509/carolCert-002.pem, with serial number 09 and serialNumber=002 in its DN. As usual, a copy named after the serial number is kept in hosts/winnetou/etc/ca/certs.

# Generate another carol certificate with serialNumber=002
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert-002.pem"
SERIAL="09"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
    --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Research certificate

Generate a Research CA test certificate with the common name Research CA (serial 0A) and add its serial number to the certificate revocation list with the reason ca-compromise. The new CRL is built on top of the previous one (--lastcrl), so it still lists serial 88 as well.

# Generate a Research CA certificate signed by the Root CA and revoke it
TEST="${TEST_DIR}/ikev2-multi-ca/revoked"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/researchCert.pem"
SERIAL="0A"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${RESEARCH_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
pki --signcrl --cakey ${CA_KEY} --cacert ${CA_CERT} --reason "ca-compromise" \
    --serial ${SERIAL} --lastcrl ${CA_LAST_CRL} > ${CA_CRL}
rm ${CA_LAST_CRL}

Using the same private key, create the Research CA certificate proper (serial 0B) and, as usual, keep a copy named after the serial number in hosts/winnetou/etc/ca/certs.

# Generate Research CA with the same private key as above signed by Root CA
SERIAL="0B"
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > ${RESEARCH_CERT}
cp ${RESEARCH_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Copy the Research CA certificate into the appropriate host directory (moon or carol) of the following test cases.

# Put a certificate copy into the following scenarios
for t in ikev1-multi-ca/crls ikev2-multi-ca/crls ikev2-multi-ca/ldap \
         ikev2-multi-ca/pathlen ikev2-multi-ca/ocsp-signers \
         ikev2-multi-ca/ocsp-strict-ifuri
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
  cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
done

for t in ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp \
         ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
         ikev2-multi-ca/rw-hash-and-url
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
  cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
done

Convert the Research CA certificate to DER format, then generate another Research CA certificate with the same private key, this time with an unreachable CDP address, for the ikev2-multi-ca/skipped test case.

# Convert Research CA certificate into DER format
openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}

# Generate Research CA with the same private key as above but invalid CDP
TEST="${TEST_DIR}/ikev2-multi-ca/skipped"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/researchCert.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --type rsa \
    --crl "http://crl.strongswan.org/not-available.crl" \
    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --outform pem > ${TEST_CERT}

Sales certificate

Generate the Sales CA certificate with serial number 0C.

# Generate Sales CA signed by Root CA
SERIAL="0C"
pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SALES_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${SALES_KEY} --not-before "${START}" --not-after "${IM_END}" --ca \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --outform pem > ${SALES_CERT}
cp ${SALES_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Copy the Sales CA certificate into the appropriate host directory (moon or dave) of the following test cases, then convert it to DER format.

# Put a certificate copy into the following scenarios
for t in ikev1-multi-ca/crls ikev2-multi-ca/crls ikev2-multi-ca/ldap \
         ikev2-multi-ca/ocsp-signers ikev2-multi-ca/ocsp-strict-ifuri
do
  TEST="${TEST_DIR}/${t}"
  cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
done

for t in ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp \
         ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
         ikev2-multi-ca/rw-hash-and-url
do
  TEST="${TEST_DIR}/${t}"
  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
  cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
done

# Convert Sales CA certificate into DER format
openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}

Multi-level certificates

Generate a certificate with the common name "strongSwan Levels Root CA" at hosts/winnetou/etc/ca/levels/levelsCert.pem. Its path length constraint is 2, one more than the regular root CA, because two CA levels (L2 and L3) sit below it.

# Generate Levels Root CA (pathlen is higher than the regular root)
pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY}
pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \
    --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
    --outform pem > ${LEVELS_CERT}

Record the key identifier of the Levels Root CA for TKM's CA ID mapping; with --id spk the identifier is the SHA-1 hash of the subjectPublicKey, printed as hex.

# For TKM's CA ID mapping
LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}`

The Levels Root CA issues the L2 CA certificate (LEVELS_L2_CERT: hosts/winnetou/etc/ca/certs/levels/levelsCert_l2.pem), and the L2 CA in turn issues the L3 CA certificate (LEVELS_L3_CERT: hosts/winnetou/etc/ca/certs/levels/levelsCert_l3.pem). Each level carries its own CRL distribution point (LEVELS_CDP, LEVELS_L2_CDP).

# Generate Levels L2 CA signed by Levels Root CA
pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY}
pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \
    --type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \
    --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
    --outform pem > ${LEVELS_L2_CERT}

# Generate Levels L3 CA signed by Levels L2 CA
pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY}
pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \
    --type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \
    --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
    --outform pem > ${LEVELS_L3_CERT}

Copy the Levels Root CA certificate to moon and carol in the ikev2-multi-ca/crls-l3 and tkm/multi-level-ca scenarios; only carol additionally receives the L2 and L3 CA certificates.

for t in ikev2-multi-ca/crls-l3 tkm/multi-level-ca
do
    TEST="${TEST_DIR}/${t}"
    for h in moon carol
    do
        mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
        cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
    done
    cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
    cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
done

Write the Levels Root CA certificate in DER format to tests/tkm/multi-level-ca/hosts/moon/etc/tkm/levelsCert.der for the TKM scenario.

# Put DER-encoded Levels CA certificate into tkm scenario
TEST="${TEST_DIR}/tkm/multi-level-ca"
mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der
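The `--pathlen 2` on the Levels Root CA, and the ikev2-multi-ca/pathlen scenario further down this page, both rely on RFC 5280's pathLenConstraint, whose counting rule is easy to get wrong. The following Python is an added example, not code from strongSwan or its build-certs script: it reduces each certificate to its cA flag and pathLenConstraint and checks a chain the way RFC 5280 section 6.1.4 counts intermediates, enforcing the root's own constraint as well. The pathlen of 1 it gives the regular strongSwan Root CA, and the chain contents, are this example's own assumptions.

```python
"""Path-length constraint check modelled on the Levels CA chain.

Added example; not code from strongSwan or its build-certs script.  Each
certificate is reduced to its basicConstraints cA flag and pathLenConstraint,
nothing is parsed or signature-checked.  Chains are listed root first, end
entity last.  The root's own constraint is enforced too, and the
pathLenConstraint of 1 given to the regular strongSwan Root CA below is an
assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CertInfo:
    name: str
    is_ca: bool                      # basicConstraints cA
    path_len: Optional[int] = None   # pathLenConstraint; None = not present
    self_issued: bool = False        # issuer == subject; not counted (RFC 5280 6.1.4 (l))


def validate_path(chain: List[CertInfo]) -> Optional[str]:
    """None for an acceptable chain, else a message naming the first
    certificate whose constraint is violated.

    A CA certificate's pathLenConstraint is the maximum number of
    non-self-issued intermediate CA certificates that may follow it in the
    path before the end-entity certificate (RFC 5280 section 4.2.1.9).
    """
    if not chain:
        return "empty chain"
    for cert in chain[:-1]:
        if not cert.is_ca:
            return f"{cert.name}: cA is FALSE but the certificate acts as an issuer"
    for idx, cert in enumerate(chain[:-1]):
        if cert.path_len is None:
            continue
        following = [c for c in chain[idx + 1:-1] if not c.self_issued]
        if len(following) > cert.path_len:
            return (f"{cert.name}: pathLenConstraint={cert.path_len}, "
                    f"but {len(following)} intermediate CA(s) follow it")
    return None


def example_chains() -> Dict[str, List[CertInfo]]:
    """Constructed chains named after the page's CAs."""
    levels_root = CertInfo("strongSwan Levels Root CA", True, path_len=2)
    l2 = CertInfo("Levels L2 CA", True)
    l3 = CertInfo("Levels L3 CA", True)
    carol = CertInfo("carol@strongswan.org", False)
    root = CertInfo("strongSwan Root CA", True, path_len=1)   # assumed value
    research = CertInfo("Research CA", True)
    duck = CertInfo("Duck Research CA", True)
    return {
        "levels":   [levels_root, l2, l3, carol],   # 2 intermediates, limit 2
        "research": [root, research, carol],        # 1 intermediate,  limit 1
        "duck":     [root, research, duck, carol],  # 2 intermediates, limit 1
    }


if __name__ == "__main__":
    for label, chain in example_chains().items():
        print(f"{label:8s} {validate_path(chain) or 'OK'}")
```

The Levels chain passes because exactly two intermediates (L2, L3) follow a root that allows two; the Duck chain fails at the root, not at the Duck Research CA itself, which is where a real verifier's log will point as well.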

ikev2/strong-keys-certs

Generate a test certificate for host moon, serial 0D, signed with digest sha224, and encrypt the private key with AES-128. Note that openssl rsa reads and writes the same file, so the unencrypted key is overwritten in place.

# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey-aes128.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert-sha224.pem"
KEY_PWD="gOQHdrSWeFuiZtYPetWuyzHW"
CN="moon.strongswan.org"
SERIAL="0D"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
    --digest sha224 --outform pem > ${TEST_CERT}
openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
    ${TRAD} 2> /dev/null
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Generate a test certificate for host carol, serial 0E, digest sha384, and encrypt the private key with AES-192.

# Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey-aes192.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert-sha384.pem"
KEY_PWD="ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
CN="carol@strongswan.org"
SERIAL="0E"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
    --digest sha384 --outform pem > ${TEST_CERT}
openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
    ${TRAD} 2> /dev/null
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Generate a test certificate for host dave, serial 0F, digest sha512, and encrypt the private key with AES-256.

# Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey-aes256.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert-sha512.pem"
KEY_PWD="MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
CN="dave@strongswan.org"
SERIAL="0F"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
    --digest sha512 --outform pem > ${TEST_CERT}
openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
    ${TRAD} 2> /dev/null
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

ikev2/ocsp-signer-cert

Generate another carol test certificate, serial 10, carrying the OCSP URI "http://ocsp.strongswan.org:8880" (CA_OCSP) in its authorityInfoAccess extension.

# Generate another carol certificate with an OCSP URI
TEST="${TEST_DIR}/ikev2/ocsp-signer-cert"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="10"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=OCSP, CN=${CN}" \
    --ocsp ${CA_OCSP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Copy key and certificate into the carol host directory of the following ikev2 scenarios.

# Put a copy into the following ikev2 scenarios
for t in ocsp-timeouts-good ocsp-disabled ocsp-no-signer-cert ocsp-root-cert \
         ocsp-untrusted-cert ocsp-rfc4806-signer ocsp-rfc4806-both
do
    TEST="${TEST_DIR}/ikev2/${t}"
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
    cp ${TEST_KEY}  ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
    cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done

Generate the OCSP signing certificate for the strongSwan Root CA (tests/hosts/winnetou/etc/ca/ocspCert.pem); --flag ocspSigning sets the OCSPSigning extended key usage that allows a responder certificate issued by the CA to sign status responses for that CA's certificates.

# Generate an OCSP Signing certificate for the strongSwan Root CA
TEST_KEY="${CA_DIR}/ocspKey.pem"
TEST_CERT="${CA_DIR}/ocspCert.pem"
CN="ocsp.strongswan.org"
OU="OCSP Signing Authority"
SERIAL="11"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Generate a self-signed OCSP signing certificate (tests/hosts/winnetou/etc/ca/ocspCert-self.pem), reusing the CN from above. Because it is not issued by the CA, peers can only accept its responses if they trust it explicitly, which is why it is installed in their x509ocsp directories below.

# Generate a self-signed OCSP Signing certificate
TEST_KEY="${CA_DIR}/ocspKey-self.pem"
TEST_CERT="${CA_DIR}/ocspCert-self.pem"
OU="OCSP Self-Signed Authority"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --self --type rsa --in ${TEST_KEY} --flag ocspSigning \
    --not-before "${START}" --not-after "${CA_END}" --san ${CN} \
    --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --outform pem > ${TEST_CERT}

Copy the self-signed OCSP certificate into the x509ocsp directories of carol and moon in the ikev2/ocsp-local-cert and ikev2/ocsp-rfc4806-local scenarios.

# Put a copy into the following ikev2 scenarios
for t in ocsp-local-cert ocsp-rfc4806-local
do
    TEST="${TEST_DIR}/ikev2/${t}"
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp
    mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp
    cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ocsp
    cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ocsp
done

ha/both-active

Generate the certificate of the virtual server mars, serial 12, with the serverAuth flag.

# Generate mars virtual server certificate
TEST="${TEST_DIR}/ha/both-active"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/marsKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/marsCert.pem"
CN="mars.strongswan.org"
OU="Virtual VPN Gateway"
SERIAL="12"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Put a copy of key and certificate on the mirrored gateway alice in the same scenario.

# Put a copy into the mirrored gateway
mkdir -p ${TEST}/hosts/alice/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/alice/${SWANCTL_DIR}/x509
cp ${TEST_KEY}  ${TEST}/hosts/alice/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/alice/${SWANCTL_DIR}/x509

Put a copy on alice and moon in the ha/active-passive and ikev2/redirect-active scenarios.

# Put a copy into the ha/active-passive and swanctl/redirect-active scenarios
for t in ha/active-passive ikev2/redirect-active
do
    TEST="${TEST_DIR}/${t}"
    for h in alice moon
    do
        mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/rsa
        mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509
        cp ${TEST_KEY}  ${TEST}/hosts/${h}/${SWANCTL_DIR}/rsa
        cp ${TEST_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509
    done
done

ikev2/critical-extension

Generate a moon test certificate, serial 13; --critical adds the unsupported extension OID 1.3.6.1.4.1.36906.1 marked critical, which a conforming peer has to reject.

# Generate moon certificate with an unsupported critical X.509 extension
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="13"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Put a copy into the openssl-ikev2/critical-extension scenario.

# Put a copy in the openssl-ikev2/critical extension scenario
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509

Generate the sun test certificate, serial 14, likewise with the unsupported critical extension 1.3.6.1.4.1.36906.1.

# Generate sun certificate with an unsupported critical X.509 extension
TEST="${TEST_DIR}/ikev2/critical-extension"
TEST_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="14"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Critical Extension, CN=${CN}" \
    --critical 1.3.6.1.4.1.36906.1 --flag serverAuth \
    --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Put a copy into the openssl-ikev2/critical-extension scenario.

# Put a copy in the openssl-ikev2/critical extension scenario
TEST="${TEST_DIR}/openssl-ikev2/critical-extension"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
cp ${TEST_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
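What the two certificates above exercise is the rule in RFC 5280 section 4.2 that a certificate-using system must reject a certificate containing a critical extension it does not recognise, while an unrecognised non-critical extension may simply be ignored. The Python below is an added example, not strongSwan code: a minimal DER encoder and decoder for the Extensions structure plus the policy check. SUPPORTED_EXTENSIONS is a hypothetical relying party's set, and the extension list built for moon is constructed here with placeholder extnValue contents, since only the OID and the critical flag matter for the decision.

```python
"""Reject a certificate that carries an unrecognised critical X.509 extension.

Added example, not code from strongSwan.  RFC 5280 section 4.2: a critical
extension the relying party does not recognise must cause rejection; the
ikev2/critical-extension scenario checks this with OID 1.3.6.1.4.1.36906.1.
Only the Extensions structure is handled, not a whole certificate:
    Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
                             critical BOOLEAN DEFAULT FALSE,
                             extnValue OCTET STRING }
"""
from typing import List, Tuple

Extension = Tuple[str, bool, bytes]        # (dotted OID, critical, extnValue)

# Extensions this hypothetical relying party implements.
SU = SUPPORTED_EXTENSIONS = {
    "2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",       "2.5.29.19": "basicConstraints",
    "2.5.29.31": "cRLDistributionPoints", "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.37": "extKeyUsage",
}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs in one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """One DER TLV at buf[pos] -> (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def encode_extensions(exts: List[Extension]) -> bytes:
    items = []
    for oid, critical, value in exts:
        body = der_oid(oid)
        if critical:                        # DEFAULT FALSE is omitted in DER
            body += der_tlv(0x01, b"\xff")
        body += der_tlv(0x04, value)
        items.append(der_tlv(0x30, body))
    return der_tlv(0x30, b"".join(items))


def decode_extensions(der: bytes) -> List[Extension]:
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Extensions must be one SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid_body, p = read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                     # optional critical BOOLEAN
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        if tag != 0x04 or p != len(ext):
            raise ValueError("extnValue must be the final OCTET STRING")
        out.append((decode_oid(oid_body), critical, val))
    return out


def unsupported_critical(der: bytes) -> List[str]:
    """OIDs of critical extensions outside SUPPORTED_EXTENSIONS; a non-empty
    list means the certificate must be rejected whatever else checks out."""
    return [oid for oid, crit, _ in decode_extensions(der) if crit and oid not in SU]


def sample_moon_extensions(with_unknown_critical: bool) -> bytes:
    """Constructed list resembling moonCert.pem of the scenario (placeholder values)."""
    exts: List[Extension] = [("2.5.29.17", False, b"\x30\x00"),   # subjectAltName
                             ("2.5.29.31", False, b"\x30\x00"),   # cRLDistributionPoints
                             ("2.5.29.37", False, b"\x30\x00")]   # extKeyUsage serverAuth
    if with_unknown_critical:
        exts.append(("1.3.6.1.4.1.36906.1", True, b"\x05\x00"))  # what --critical adds
    return encode_extensions(exts)
```

The decision depends only on the pair (critical, unknown): the same private OID left non-critical passes, and a critical extension the peer implements, such as basicConstraints, is fine. Malformed DER raises rather than being skipped, so a truncated extension list cannot silently lose its critical flag.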

winnetou server certificate

Generate the winnetou server certificate, serial 15, with the serverAuth flag.

# Generate winnetou server certificate
HOST_KEY="${CA_DIR}/winnetouKey.pem"
HOST_CERT="${CA_DIR}/winnetouCert.pem"
CN="winnetou.strongswan.org"
SERIAL="15"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${HOST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${HOST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > ${HOST_CERT}
cp ${HOST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

tnc/tnccs-20-pdp-eap

Generate the AAA server certificate, serial 16, for alice in the tnc/tnccs-20-pdp-eap scenario.

# Generate AAA server certificate
TEST="${TEST_DIR}/tnc/tnccs-20-pdp-eap"
TEST_KEY="${TEST}/hosts/alice/${SWANCTL_DIR}/rsa/aaaKey.pem"
TEST_CERT="${TEST}/hosts/alice/${SWANCTL_DIR}/x509/aaaCert.pem"
CN="aaa.strongswan.org"
SERIAL="16"
cd "${TEST}/hosts/alice/${SWANCTL_DIR}"
mkdir -p rsa x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --flag serverAuth --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Put a copy of key and certificate into the following tnc scenarios and into alice's FreeRADIUS certificate directory.

# Put a copy into various tnc scenarios
for t in tnccs-20-pdp-pt-tls tnccs-20-ev-pt-tls tnccs-20-hcd-eap
do
    cd "${TEST_DIR}/tnc/${t}/hosts/alice/${SWANCTL_DIR}"
    mkdir -p rsa x509
    cp ${TEST_KEY}  rsa
    cp ${TEST_CERT} x509
done

# Put a copy into the alice FreeRADIUS server
cp ${TEST_KEY} ${TEST_CERT} ${DIR}/hosts/alice/etc/raddb/certs

Attribute Authority certificate

Generate the Attribute Authority (AA) certificate, serial 17, with the intermediate lifetime IM_END but without --ca: an AA signs attribute certificates, not public-key certificates.

# Generate Attribute Authority certificate
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa/aaCert.pem"
CN="strongSwan Attribute Authority"
SERIAL="17"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${IM_END}" \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Use the AA key and certificate to issue an attribute certificate for hosts/winnetou/etc/ca/certs/01.pem (carol) with the groups sales and finance.

# Generate carol's attribute certificate for sales and finance
ACERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/carol-sales-finance.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
    --in ${CA_DIR}/certs/01.pem --group sales --group finance \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}

Generate an already expired attribute certificate for dave (02.pem), group sales, valid only from START to SH_END.

# Generate dave's expired attribute certificate for sales
ACERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/dave-sales-expired.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
    --in ${CA_DIR}/certs/02.pem --group sales \
    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}

Generate dave's attribute certificate for group marketing, valid from SH_END to EE_END.

# Generate dave's attribute certificate for marketing
ACERT_DM="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac/dave-marketing.pem"
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
    --in ${CA_DIR}/certs/02.pem --group marketing \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_DM}

Copy the AA key and certificate into the ikev2/acert-fallback scenario.

# Put a copy into the ikev2/acert-fallback scenario
TEST="${TEST_DIR}/ikev2/acert-fallback"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ac
cp ${TEST_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa

Generate an expired attribute certificate for carol (01.pem), group finance.

# Generate carol's expired attribute certificate for finance
ACERT=${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac/carol-finance-expired.pem
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
    --in ${CA_DIR}/certs/01.pem --group finance \
    --not-before "${START}" --not-after "${SH_END}" --outform pem  > ${ACERT}

Generate a valid attribute certificate for carol (01.pem), group sales.

# Generate carol's valid attribute certificate for sales
ACERT_CS=${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac/carol-sales.pem
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
    --in ${CA_DIR}/certs/01.pem --group sales \
    --not-before "${SH_END}" --not-after "${EE_END}" --outform pem > ${ACERT_CS}

Copy the AA key and certificate, carol's sales attribute certificate and dave's marketing attribute certificate into the ikev2/acert-inline scenario.

# Put a copy into the ikev2/acert-inline scenario
TEST="${TEST_DIR}/ikev2/acert-inline"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
cp ${TEST_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa
cp ${ACERT_CS}  ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ac
cp ${ACERT_DM}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac

Generate a short-lived AA certificate, serial 18, with not-after SH_END, so that it has already expired when the ikev2/acert-inline scenario runs.

# Generate a short-lived Attribute Authority certificate
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509aa/aaCert-expired.pem"
SERIAL="18"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${SH_END}" \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, CN=${CN}" \
    --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem

Use the expired AA to issue an attribute certificate for dave (02.pem), group sales. Its own validity window is fine (START to EE_END); the scenario checks that the peer still does not honour it, because the issuer's certificate is no longer valid.

# Generate dave's attribute certificate for sales from expired AA
ACERT=${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac/dave-expired-aa.pem
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ac
pki --acert --issuerkey ${TEST_KEY} --issuercert ${TEST_CERT} \
    --in ${CA_DIR}/certs/02.pem --group sales \
    --not-before "${START}" --not-after "${EE_END}" --outform pem > ${ACERT}
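With the attribute certificates the certificate set is complete; what the script produces next is the index.txt database that the OCSP responder (ocsp.cgi) answers from, generated from index.txt.template. As an added example that is not part of the build script, here is a Python parser for that file format, together with the status lookup a responder performs and the list of revoked entries a CRL is built from. The record layout is the one openssl ca(1) writes; the sample records are constructed from the listing on this page, with tabs as field separators.

```python
"""Parser for the OpenSSL-style CA database (index.txt) behind the strongSwan
test OCSP responder.

Added example; not code from strongSwan or from the build-certs script.
Six tab-separated fields per record, as openssl ca(1) writes them:
    status      V (valid) / R (revoked) / E (expired)
    expiry      UTCTime YYMMDDHHMMSSZ
    revocation  empty, or "<UTCTime>,<reason>"
    serial      hex
    file        certificate file name ("unknown" in the template)
    dn          subject DN in OpenSSL one-line form
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IndexEntry:
    status: str
    expires: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str
    dn: str


def parse_utctime(value: str) -> datetime:
    """UTCTime YYMMDDHHMMSSZ; two-digit years below 50 mean 20YY, the rest
    19YY (RFC 5280 section 4.1.2.5.1)."""
    if len(value) != 13 or value[-1] != "Z" or not value[:-1].isdigit():
        raise ValueError(f"bad UTCTime {value!r}")
    yy = int(value[0:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    return datetime(year, int(value[2:4]), int(value[4:6]), int(value[6:8]),
                    int(value[8:10]), int(value[10:12]), tzinfo=timezone.utc)


def parse_index(text: str) -> Dict[str, IndexEntry]:
    """Map serial -> entry.  Malformed lines and duplicate serials are errors:
    two records for one serial would let the answer depend on which line wins."""
    entries: Dict[str, IndexEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, _fname, dn = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if revocation:
            when, _, reason = revocation.partition(",")
            revoked_at = parse_utctime(when)
            reason = reason or None
        if status == "R" and revoked_at is None:
            raise ValueError(f"line {lineno}: revoked entry without revocation time")
        serial = serial.upper()
        if serial in entries:
            raise ValueError(f"line {lineno}: duplicate serial {serial}")
        entries[serial] = IndexEntry(status, parse_utctime(expiry), revoked_at,
                                     reason, serial, dn)
    return entries


def ocsp_status(entries: Dict[str, IndexEntry], serial: str) -> str:
    """'revoked' for R records, 'good' for V and E records, 'unknown' for a
    serial the CA never issued.  Expiry is deliberately not consulted: the
    response states revocation status, the relying party checks validity."""
    entry = entries.get(serial.upper())
    if entry is None:
        return "unknown"
    return "revoked" if entry.status == "R" else "good"


def crl_entries(entries: Dict[str, IndexEntry]) -> List[Tuple[str, datetime, Optional[str]]]:
    """(serial, revocation time, reason) of every revoked certificate, ordered
    by serial: the input a CRL generator needs from the database."""
    revoked = [(e.serial, e.revoked_at, e.reason)
               for e in entries.values() if e.status == "R"]
    return sorted(revoked, key=lambda item: int(item[0], 16))


# Constructed from the page's index.txt listing; fields are tab-separated.
SAMPLE_INDEX = "\n".join([
    "V\t321208023839Z\t\t01\tunknown\t/C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org",
    "R\t321208023839Z\t241210023839Z,keyCompromise\t88\tunknown\t/C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org",
    "R\t331209023839Z\t241210023839Z,CACompromise\t0A\tunknown\t/C=CH/O=strongSwan Project/OU=Research/CN=Research CA",
    "V\t331209023839Z\t\t0B\tunknown\t/C=CH/O=strongSwan Project/OU=Research/CN=Research CA",
    "V\t241209023839Z\t\t18\tunknown\t/C=CH/O=strongSwan Project/CN=strongSwan Legacy AA",
])


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for s in ("01", "88", "0a", "18", "7F"):
        print(s, ocsp_status(db, s))
    for serial, when, reason in crl_entries(db):
        print("revoked", serial, when.isoformat(), reason)
```

Two points worth keeping in mind when reading the listing that follows: the expired Legacy AA (serial 18) is still reported as good by the responder, because expiry is the relying party's check, and revoked entries keep their status after expiry, which is why the revoked carol certificate (88) must stay in the database as long as a CRL or OCSP answer for it can matter.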
### Index file

Substitute the placeholders in index.txt.template: EE_EXPIRATION, IM_EXPIRATION and SH_EXPIRATION become the end-entity, intermediate and short-lived expiry times (EE_EXP, IM_EXP, SH_EXP), and REVOCATION becomes the current time (NOW), so every revoked entry carries today's revocation date.

```
################################################################################
# strongSwan Root CA index for OCSP server                                     #
################################################################################

# generate index.txt file for Root OCSP server
cp ${CA_DIR}/index.txt.template ${CA_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${CA_DIR}/index.txt
sed -i -e "s/IM_EXPIRATION/${IM_EXP}/g" ${CA_DIR}/index.txt
sed -i -e "s/SH_EXPIRATION/${SH_EXP}/g" ${CA_DIR}/index.txt
sed -i -e "s/REVOCATION/${NOW}/g" ${CA_DIR}/index.txt
```

The file after substitution. Fields are tab-separated: status (V valid, R revoked), expiry, revocation time and reason (revoked entries only), serial, certificate file name, subject DN. The serials match the certificates generated above; 88 and 0A are the revoked carol and Research CA certificates, 18 the short-lived Legacy AA.

```
$ cat hosts/winnetou/etc/ca/index.txt
V       321208023839Z           01      unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
V       321208023839Z           02      unknown /C=CH/O=strongSwan Project/OU=Accounting/CN=dave@strongswan.org
V       321208023839Z           03      unknown /C=CH/O=strongSwan Project/CN=moon.strongswan.org
V       321208023839Z           04      unknown /C=CH/O=strongSwan Project/CN=sun.strongswan.org
V       321208023839Z           05      unknown /C=CH/O=strongSwan Project/OU=Sales/CN=alice@strongswan.org
V       321208023839Z           06      unknown /C=CH/O=strongSwan Project/CN=venus.strongswan.org
V       321208023839Z           07      unknown /C=CH/O=strongSwan Project/OU=Research/CN=bob@strongswan.org
R       321208023839Z   241210023839Z,keyCompromise     88      unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
V       321208023839Z           09      unknown /C=CH/O=strongSwan Project/OU=Research/serialNumber=002/CN=carol@strongswan.org
R       331209023839Z   241210023839Z,CACompromise      0A      unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
V       331209023839Z           0B      unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
V       331209023839Z           0C      unknown /C=CH/O=strongSwan Project/OU=Sales/CN=Sales CA
V       321208023839Z           0D      unknown /C=CH/O=strongSwan Project/OU=SHA-224/CN=moon.strongswan.org
V       321208023839Z           0E      unknown /C=CH/O=strongSwan Project/OU=SHA-384/CN=carol@strongswan.org
V       321208023839Z           0F      unknown /C=CH/O=strongSwan Project/OU=SHA-512/CN=dave@strongswan.org
V       321208023839Z           10      unknown /C=CH/O=strongSwan Project/OU=OCSP/CN=carol@strongswan.org
V       321208023839Z           11      unknown /C=CH/O=strongSwan Project/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
V       321208023839Z           12      unknown /C=CH/O=strongSwan Project/OU=Virtual VPN Gateway/CN=mars.strongswan.org
V       321208023839Z           13      unknown /C=CH/O=strongSwan Project/OU=Critical Extension/CN=moon.strongswan.org
V       321208023839Z           14      unknown /C=CH/O=strongSwan Project/OU=Critical Extension/CN=sun.strongswan.org
V       321208023839Z           15      unknown /C=CH/O=strongSwan Project/CN=winnetou.strongswan.org
V       321208023839Z           16      unknown /C=CH/O=strongSwan Project/CN=aaa.strongswan.org
V       331209023839Z           17      unknown /C=CH/O=strongSwan Project/CN=strongSwan Attribute Authority
V       241209023839Z           18      unknown /C=CH/O=strongSwan Project/CN=strongSwan Legacy AA
```

### Research CA

For the ikev2-multi-ca/crls scenario, issue carol's test certificate from RESEARCH_CERT with the CDP RESEARCH_CDP ("http://crl.strongswan.org/research.crl"). The Research CA has its own serial space, so numbering starts again at 01.

```
# Generate a carol research certificate
TEST="${TEST_DIR}/ikev2-multi-ca/crls"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```

Save the private key in DER format under the Research CA's keys/ directory and copy key and certificate into the carol directories of the following scenarios.

```
# Save a copy of the private key in DER format
openssl rsa -in ${TEST_KEY} -outform der -out ${RESEARCH_DIR}/keys/${SERIAL}.der ${TRAD} 2> /dev/null

# Put a copy in the following scenarios
for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
         ikev2-multi-ca/ldap ikev2-multi-ca/ocsp-signers \
         ikev2-multi-ca/loop ikev2-multi-ca/revoked \
         ikev2-multi-ca/skipped ikev2-multi-ca/rw-hash-and-url \
         ikev1-multi-ca/crls ikev1-multi-ca/certreq-init \
         ikev1-multi-ca/certreq-resp
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
    cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
    cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done
```

For ikev2-multi-ca/ocsp-strict-ifuri, issue a second carol certificate from RESEARCH_CERT for the same key, without a CDP (no --crl option).

```
# Generate a carol research certificate without a CDP
TEST="${TEST_DIR}/ikev2-multi-ca/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=${CN}" \
    --outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
```

Issue the Research CA's OCSP signing certificate (--flag ocspSigning).

```
# Generate an OCSP Signing certificate for the Research CA
TEST_KEY="${RESEARCH_DIR}/ocspKey.pem"
TEST_CERT="${RESEARCH_DIR}/ocspCert.pem"
OU="Research OCSP Signing Authority"
CN="ocsp.research.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl ${RESEARCH_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```

Issue a Sales CA certificate signed by the Research CA for the Sales key generated earlier, for the ikev2-multi-ca/loop scenario.

```
# Generate a Sales CA certificate signed by the Research CA
TEST="${TEST_DIR}/ikev2-multi-ca/loop"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/sales_by_researchCert.pem"
SERIAL="03"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
    --in ${SALES_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=Sales CA" \
    --crl ${RESEARCH_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```

### Duck Research CA

Issue the Duck Research CA certificate, a sub-CA of the Research CA, signed with RESEARCH_KEY.

```
# Generate a Duck Research CA certificate signed by the Research CA
SERIAL="04"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${DUCK_KEY}
pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
    --in ${DUCK_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Duck Research CA" \
    --crl ${RESEARCH_CDP} --outform pem > ${DUCK_CERT}
cp ${DUCK_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
```

Copy the certificate into moon's directory in the ikev2-multi-ca/pathlen scenario, which exercises path length constraint checking with this second-level sub-CA.

```
# Put a certificate copy in the ikev2-multi-ca/pathlen scenario
TEST="${TEST_DIR}/ikev2-multi-ca/pathlen"
cp ${DUCK_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
```

Issue carol's certificate from the newly generated DUCK_CERT, then generate the Research CA's index.txt for its OCSP server.

```
# Generate a carol certificate signed by the Duck Research CA
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${DUCK_KEY} --cacert ${DUCK_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Duck Research, CN=${CN}" \
    --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${DUCK_DIR}/certs/${SERIAL}.pem

# Generate index.txt file for Research OCSP server
cp ${RESEARCH_DIR}/index.txt.template ${RESEARCH_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${RESEARCH_DIR}/index.txt
```

### Certificates issued by the Sales CA

For the ikev2-multi-ca/crls scenario, issue dave's certificate from the Sales CA with the CDP SALES_CDP ("http://crl.strongswan.org/sales.crl").

```
# Generate a dave sales certificate
TEST="${TEST_DIR}/ikev2-multi-ca/crls"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
```

Save the private key in DER format and copy key and certificate into the dave directories of the following scenarios.

```
# Save a copy of the private key in DER format
openssl rsa -in ${TEST_KEY} -outform der -out ${SALES_DIR}/keys/${SERIAL}.der \
    ${TRAD} 2> /dev/null

# Put a copy in the following scenarios
for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
         ikev2-multi-ca/ldap ikev2-multi-ca/ocsp-signers \
         ikev2-multi-ca/rw-hash-and-url ikev1-multi-ca/crls \
         ikev1-multi-ca/certreq-init ikev1-multi-ca/certreq-resp
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
    mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
    cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
    cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
done
```

For ikev2-multi-ca/ocsp-strict-ifuri, issue a dave certificate from SALES_CERT for the same key, with an inactive OCSP URI ("http://ocsp2.strongswan.org:8882") and no CDP.

```
# Generate a dave sales certificate with an inactive OCSP URI and no CDP
TEST="${TEST_DIR}/ikev2-multi-ca/ocsp-strict-ifuri"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Sales, CN=${CN}" \
    --ocsp "http://ocsp2.strongswan.org:8882" --outform pem > ${TEST_CERT}
cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
```

Issue the Sales CA's OCSP signing certificate.

```
# Generate an OCSP Signing certificate for the Sales CA
TEST_KEY="${SALES_DIR}/ocspKey.pem"
TEST_CERT="${SALES_DIR}/ocspCert.pem"
OU="Sales OCSP Signing Authority"
CN="ocsp.sales.strongswan.org"
SERIAL="02"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=${OU}, CN=${CN}" \
    --crl ${SALES_CDP} --flag ocspSigning --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
```

Issue a Research CA certificate signed by the Sales CA for the Research key; together with the Research-signed Sales CA above this closes the loop for ikev2-multi-ca/loop. Then generate the Sales CA's index.txt.

```
# Generate a Research CA certificate signed by the Sales CA
TEST="${TEST_DIR}/ikev2-multi-ca/loop"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca/research_by_salesCert.pem"
SERIAL="03"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
    --in ${RESEARCH_KEY} --not-before "${START}" --not-after "${EE_END}" --ca \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, CN=Research CA" \
    --crl ${SALES_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem

# generate index.txt file for Sales OCSP server
cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
```

### L3 certificates

Issue carol's certificate from the third-level CA (LEVELS_L3_KEY, LEVELS_L3_CERT) with the L3 CDP, for the ikev2-multi-ca/crls-l3 scenario.

```
# Generate a carol l3 certificate
TEST="${TEST_DIR}/ikev2-multi-ca/crls-l3"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
    --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
```

Copy key and certificate into carol's directory in the tkm/multi-level-ca scenario.

```
for t in tkm/multi-level-ca
do
    TEST="${TEST_DIR}/${t}"
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
    mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
    cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
    cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
done
```

### ECDSA certificates

Generate the self-signed EC root CA with a P-521 key and copy it into the moon, carol and dave directories of the openssl-ikev2/ecdsa-certs and openssl-ikev2/ecdsa-pkcs8 scenarios.

```
# Generate strongSwan EC Root CA
pki --gen  --type ecdsa --size 521 --outform pem > ${ECDSA_KEY}
pki --self --type ecdsa --in ${ECDSA_KEY} \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan EC Root CA" \
    --outform pem > ${ECDSA_CERT}

# Put a copy in the openssl-ikev2/ecdsa-certs scenario
for t in ecdsa-certs ecdsa-pkcs8
do
    TEST="${TEST_DIR}/openssl-ikev2/${t}"
    for h in moon carol dave
    do
        mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
        cp ${ECDSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
    done
done
```

Issue moon's certificate (P-521 key) from ECDSA_CERT with the CDP ECDSA_CDP ("http://crl.strongswan.org/strongswan_ecdsa.crl").

```
# Generate a moon ECDSA 521 bit certificate
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-certs"
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 521 --outform pem > ${MOON_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 512 bit, CN=${CN}" \
    --crl ${ECDSA_CDP} --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
```

Issue an ECDSA certificate for carol.

```
# Generate a carol ECDSA 256 bit certificate
CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa/carolKey.pem"
CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 256 --outform pem > ${CAROL_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
    --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 256 bit, CN=${CN}" \
    --crl ${ECDSA_CDP} --outform pem > ${CAROL_CERT}
cp ${CAROL_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
```

Issue an ECDSA certificate for dave.

```
# Generate a dave ECDSA 384 bit certificate
DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa/daveKey.pem"
DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/ecdsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type ecdsa --size 384 --outform pem > ${DAVE_KEY}
pki --issue --cakey ${ECDSA_KEY} --cacert ${ECDSA_CERT} --type ecdsa \
    --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ECDSA 384 bit, CN=${CN}" \
    --crl ${ECDSA_CDP} --outform pem > ${DAVE_CERT}
cp ${DAVE_CERT} ${ECDSA_DIR}/certs/${SERIAL}.pem
```

Copy the three certificates just issued, MOON_CERT, CAROL_CERT and DAVE_CERT, into the openssl-ikev2/ecdsa-pkcs8 test scenario.

```
# Put CA and EE certificate copies in the openssl-ikev2/ecdsa-pkcs8 scenario
TEST="${TEST_DIR}/openssl-ikev2/ecdsa-pkcs8"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
cp ${MOON_CERT}  ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${CAROL_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
cp ${DAVE_CERT}  ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
```

Next, convert moon's private key to unencrypted PKCS#8, carol's private key to PKCS#8 encrypted with the PKCS#5 v1.5 DES scheme, and dave's private key to PKCS#8 encrypted with PKCS#5 v2.0 AES-128.

```
# Convert moon private key into unencrypted PKCS#8 format
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${MOON_KEY} -nocrypt -topk8 -out ${TEST_KEY}

# Convert carol private key into v1.5 DES encrypted PKCS#8 format
# (-nocrypt must not be given here: it writes an unencrypted key and -v1 is ignored)
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${CAROL_KEY} -topk8 -v1 PBE-MD5-DES \
    -passout "pass:nH5ZQEWtku0RJEZ6" -out ${TEST_KEY}

# Convert dave private key into v2.0 AES-128 encrypted PKCS#8 format
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
openssl pkcs8 -in ${DAVE_KEY} -topk8 -v2 aes128 \
    -passout "pass:OJlNZBx+80dLh4wC6fw5LmBd" -out ${TEST_KEY}
```

Copy the CA and end-entity certificates into the openssl-ikev1/ecdsa-certs test scenario.

```
# Put CA and EE certificate copies in the openssl-ikev1/ecdsa-certs scenario
TEST="${TEST_DIR}/openssl-ikev1/ecdsa-certs"
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
mkdir -p ecdsa x509 x509ca
cp ${MOON_KEY}   ecdsa
cp ${MOON_CERT}  x509
cp ${ECDSA_CERT} x509ca
cd ${TEST}/hosts/carol/${SWANCTL_DIR}
mkdir -p ecdsa x509 x509ca
cp ${CAROL_KEY}  ecdsa
cp ${CAROL_CERT} x509
cp ${ECDSA_CERT} x509ca
cd ${TEST}/hosts/dave/${SWANCTL_DIR}
mkdir -p ecdsa x509 x509ca
cp ${DAVE_KEY}   ecdsa
cp ${DAVE_CERT}  x509
cp ${ECDSA_CERT} x509ca
```

### RFC3779 certificates

Generate the RFC3779 root CA certificate with the following four address blocks.

```
# Generate strongSwan RFC3779 Root CA
pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${RFC3779_KEY}
pki --self --type rsa --in ${RFC3779_KEY} \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=strongSwan RFC3779 Root CA" \
    --addrblock "10.1.0.0-10.2.255.255" \
    --addrblock "10.3.0.1-10.3.3.232" \
    --addrblock "192.168.0.0/24" \
    --addrblock "fec0::-fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff" \
    --outform pem > ${RFC3779_CERT}
```

Copy it into the ikev2/net2net-rfc3779 and ipv6/rw-rfc3779-ikev2 test scenarios.

```
# Put a copy in the ikev2/net2net-rfc3779 scenario
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca

# Put a copy in the ipv6/rw-rfc3779-ikev2 scenario
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
cp ${RFC3779_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
```

Issue a certificate for moon from RFC3779_CERT with the four address blocks "10.1.0.0/16", "192.168.0.1/32", "fec0::1/128" and "fec1::/16".

```
# Generate a moon RFC3779 certificate
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.1.0.0/16" --addrblock "192.168.0.1/32" \
    --addrblock "fec0::1/128" --addrblock "fec1::/16" \
    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```

Copy the newly issued certificate into the ipv6/net2net-rfc3779-ikev2 and ipv6/rw-rfc3779-ikev2 test scenarios.

```
# Put a copy in the ipv6 scenarios
for t in net2net-rfc3779-ikev2 rw-rfc3779-ikev2
do
    cd "${TEST_DIR}/ipv6/${t}/hosts/moon/${SWANCTL_DIR}"
    mkdir -p rsa x509 x509ca
    cp ${TEST_KEY}  rsa
    cp ${TEST_CERT} x509
    cp ${RFC3779_CERT} x509ca
done
```

Issue a certificate for host sun with the address blocks "10.2.0.0/16", "192.168.0.2/32", "fec0::2/128" and "fec2::/16".

```
# Generate a sun RFC3779 certificate
TEST="${TEST_DIR}/ikev2/net2net-rfc3779"
TEST_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
TEST_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.2.0.0/16" --addrblock "192.168.0.2/32" \
    --addrblock "fec0::2/128" --addrblock "fec2::/16" \
    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```

Copy it into the ipv6/net2net-rfc3779-ikev2 test scenario.

```
# Put a copy in the ipv6/net2net-rfc3779-ikev2 scenario
cd "${TEST_DIR}/ipv6/net2net-rfc3779-ikev2/hosts/sun/${SWANCTL_DIR}"
mkdir -p rsa x509 x509ca
cp ${TEST_KEY} rsa
cp ${TEST_CERT} x509
cp ${RFC3779_CERT} x509ca
```

Generate an RFC3779 certificate for carol, with address blocks "10.3.0.1/32", "192.168.0.100/32" and "fec0::10/128".

```
# Generate a carol RFC3779 certificate
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.1/32" --addrblock "192.168.0.100/32" \
    --addrblock "fec0::10/128" \
    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```

Generate an RFC3779 certificate for dave, with address blocks "10.3.0.2/32", "192.168.0.200/32" and "fec0::20/128".

```
# Generate a dave RFC3779 certificate
TEST="${TEST_DIR}/ipv6/rw-rfc3779-ikev2"
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${RFC3779_KEY} --cacert ${RFC3779_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=RFC3779, CN=${CN}" \
    --addrblock "10.3.0.2/32" --addrblock "192.168.0.200/32" \
    --addrblock "fec0::20/128" \
    --crl ${RFC3779_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem
```

### SHA3-RSA certificates

Generate a self-signed root CA certificate using the sha3_256 digest.

```
SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509"

# Generate strongSwan SHA3-RSA Root CA
pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --self --type rsa --in ${SHA3_RSA_KEY} --digest sha3_256 \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=strongSwan Root CA" \
    --outform pem > ${SHA3_RSA_CERT}
```

Copy it into the ikev2/net2net-sha3-rsa-cert test scenario.

```
# Put a copy in the ikev2/net2net-sha3-rsa-cert scenario
TEST="${TEST_DIR}/ikev2/net2net-sha3-rsa-cert"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${SHA3_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${SHA3_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
```

Generate a SHA3-RSA certificate for sun.

```
# Generate a sun SHA3-RSA certificate
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${SUN_CERT}
cp ${SUN_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
```

Generate a SHA3-RSA certificate for moon.

```
# Generate a moon SHA3-RSA certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${MOON_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
```

Copy the certificates into the botan/net2net-sha3-rsa-cert, openssl-ikev2/net2net-sha3-rsa-cert and wolfssl/net2net-sha3-rsa-cert test scenarios.

```
# Put a copy in the botan openssl-ikev2 and wolfssl net2net-sha3-rsa-cert scenarios
for d in botan openssl-ikev2 wolfssl
do
    TEST="${TEST_DIR}/${d}/net2net-sha3-rsa-cert"
    cd ${TEST}/hosts/moon/${SWANCTL_DIR}
    mkdir -p rsa x509 x509ca
    cp ${MOON_KEY}      rsa
    cp ${MOON_CERT}     x509
    cp ${SHA3_RSA_CERT} x509ca
    cd ${TEST}/hosts/sun/${SWANCTL_DIR}
    mkdir -p rsa x509 x509ca
    cp ${SUN_KEY}       rsa
    cp ${SUN_CERT}      x509
    cp ${SHA3_RSA_CERT} x509ca
done
```

Copy moon's key and certificate into the ikev2/rw-eap-tls-sha3-rsa test scenario.

```
# Put a copy in the ikev2/rw-eap-tls-sha3-rsa scenario
TEST="${TEST_DIR}/ikev2/rw-eap-tls-sha3-rsa"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${MOON_KEY} ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
```

Generate a SHA3-RSA certificate for carol.

```
# Generate a carol SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
```

Generate a SHA3-RSA certificate for dave.

```
# Generate a dave SHA3-RSA certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
PKI_PLUGINS="${SHA3_PKI_PLUGINS}" \
pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-3, CN=${CN}" \
    --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem

for h in moon carol dave
do
    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
    cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
```

### Ed25519 certificates

Generate a self-signed Ed25519 root CA certificate.

```
# Generate strongSwan Ed25519 Root CA
pki --gen  --type ed25519 --outform pem > ${ED25519_KEY}
pki --self --type ed25519 --in ${ED25519_KEY} \
    --not-before "${START}" --not-after "${CA_END}" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Ed25519 Root CA" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" \
    --outform pem > ${ED25519_CERT}
```

Copy it into the ikev2/net2net-ed25519 test scenario.

```
# Put a copy in the ikev2/net2net-ed25519 scenario
TEST="${TEST_DIR}/ikev2/net2net-ed25519"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
cp ${ED25519_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${ED25519_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca
```

Issue an Ed25519 certificate for sun.

```
# Generate a sun Ed25519 certificate
SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8/sunKey.pem"
SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem"
CN="sun.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${SUN_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
    --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "serverAuth" \
    --crl ${ED25519_CDP} --outform pem > ${SUN_CERT}
cp ${SUN_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```

Issue an Ed25519 certificate for moon.

```
# Generate a moon Ed25519 certificate
MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${MOON_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
    --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "serverAuth" \
    --crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```

Copy the keys and certificates into the botan/net2net-ed25519 and wolfssl/net2net-ed25519 test scenarios.

```
# Put a copy in the botan and wolfssl net2net-ed25519 scenarios
for d in botan wolfssl
do
    TEST="${TEST_DIR}/${d}/net2net-ed25519"
    cd ${TEST}/hosts/moon/${SWANCTL_DIR}
    mkdir -p pkcs8 x509 x509ca
    cp ${MOON_KEY}     pkcs8
    cp ${MOON_CERT}    x509
    cp ${ED25519_CERT} x509ca
    cd ${TEST}/hosts/sun/${SWANCTL_DIR}
    mkdir -p pkcs8 x509 x509ca
    cp ${SUN_KEY}      pkcs8
    cp ${SUN_CERT}     x509
    cp ${ED25519_CERT} x509ca
done
```

Copy them into the ikev2/rw-ed25519-certpol test scenario.

```
# Put a copy in the ikev2/rw-ed25519-certpol scenario
TEST="${TEST_DIR}/ikev2/rw-ed25519-certpol"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
cp ${MOON_KEY}  ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509

for h in moon carol dave
do
    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
    cp ${ED25519_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
done
```

Issue an Ed25519 certificate for carol.

```
# Generate a carol Ed25519 certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="03"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${TEST_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.1" --flag "clientAuth" \
    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```

Issue an Ed25519 certificate for dave.

```
# Generate a dave Ed25519 certificate
TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
CN="dave@strongswan.org"
SERIAL="04"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
pki --gen --type ed25519 --outform pem > ${TEST_KEY}
pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Ed25519, CN=${CN}" \
    --cert-policy "1.3.6.1.4.1.36906.1.1.2" --flag "clientAuth" \
    --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
```

### Monster certificates

Generate the Monster CA certificate; its RSA key length MONSTER_CA_RSA_SIZE is 8192 and its validity runs past the year 2038, which is what the ikev2/after-2038-certs test scenario exercises. Copy it into that scenario.

```
# Generate strongSwan Monster Root CA
pki --gen  --type rsa --size ${MONSTER_CA_RSA_SIZE} --outform pem > ${MONSTER_KEY}
pki --self --type rsa --in ${MONSTER_KEY} \
    --not-before "01.05.09 15:00:00" --not-after "01.05.59 15:00:00" --ca \
    --dn "C=CH, O=${PROJECT}, CN=strongSwan Monster CA" \
    --outform pem > ${MONSTER_CERT}

# Put a copy in the ikev2/after-2038-certs scenario
TEST="${TEST_DIR}/ikev2/after-2038-certs"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
cp ${MONSTER_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
cp ${MONSTER_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
```

Issue a certificate for moon from MONSTER_CERT. The end-entity RSA key length MONSTER_EE_RSA_SIZE is 4096.

```
# Generate a moon Monster certificate
TEST_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem"
TEST_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
CN="moon.strongswan.org"
SERIAL="01"
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
    --in ${TEST_KEY} --san ${CN} \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
```

Issue a certificate for carol from MONSTER_CERT.

```
# Generate a carol Monster certificate
TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
CN="carol@strongswan.org"
SERIAL="02"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
pki --gen --type rsa --size ${MONSTER_EE_RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${MONSTER_KEY} --cacert ${MONSTER_CERT} --type rsa \
    --in ${TEST_KEY} --san ${CN} \
    --not-before "01.05.09 15:00:00" --not-after "01.05.39 15:00:00" \
    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Monster, CN=${CN}" \
    --crl ${MONSTER_CDP} --outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${MONSTER_DIR}/certs/${SERIAL}.pem
```

http://www.ppmy.cn/server/152424.html
