testing: Added swanctl/ocsp-signer-cert scenario

author: Andreas Steffen <andreas.steffen@strongswan.org> 2017-01-02 14:08:21 +0100
committer: Andreas Steffen <andreas.steffen@strongswan.org> 2017-01-02 14:34:18 +0100
commit: db0953d41fee94ffd578a73e35968aa0f18001fa (patch)
tree: befc6924bc967fdfb05eec947b31c2a2c5ee2338 /testing
parent: e3f63c646914a24355eb63b7873123312549b7a4 (diff)
download: strongswan-db0953d41fee94ffd578a73e35968aa0f18001fa.tar.bz2
strongswan-db0953d41fee94ffd578a73e35968aa0f18001fa.tar.xz
11 files changed, 257 insertions, 0 deletions
diff --git a/testing/tests/swanctl/ocsp-signer-cert/description.txt b/testing/tests/swanctl/ocsp-signer-cert/description.txt
new file mode 100644
index 000000000..22496f1cb
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/description.txt
@@ -0,0 +1,10 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
+issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
+extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b>
+in an authority information access extension pointing to <b>winnetou</b>. 
+Therefore no special authorities section information is needed in moon's swanctl.conf.
+<p>
+<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
+the status of both certificates is <b>good</b>.
diff --git a/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat b/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat
new file mode 100644
index 000000000..45972168d
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat
@@ -0,0 +1,11 @@
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9ea516013
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+    auths = /usr/local/sbin/swanctl --load-authorities
+  } 
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 000000000..d6a762b1b
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gafuCqw
+hM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG8Sc6
+DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEboqi3
+8Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAVM7Cd
+UPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMOwHn4
+Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABAoIBAEEGwy5M7mb/G79t
+exP5CqHa/MsRMwFIxlai+z+usMG/fA5BYud/5gCh0MFKRKC63BghoNWUjCzA/1OQ
+AW2hDXjvjTTMREIdCVekuzQYdfVreOliaqDAUqjtpP/nrZTKS6Sc8U2qKmJQFvKY
+V2wPMrXXwQi9BOY9c4R2d36ml7iw6veYhPj0XHy3spJc3V6k7YmbApOQgWDqRwid
+GGnnvDpdD0gAGAOxadCCpV+N9NK+AMSk03Qpcc2ki4THEn2e8Rs1/dH1k5nics/E
+cG9VT9pZtvGXjEX7Wo06v0lXsTRWGWLKhHvzfhIb6uWnC/YUR+7Cv8JYRz+RZn98
+bv5lXokCgYEA1iRf3gH8qwvxQjLtaNKRyr8Bheo3tsOLh2tYriWaUTXqeKAd46zI
+KcWAKtYWJQenVyFvnsMwKNFvFq/HgJGhKTOvZRwsrTb2wXgxcAleOBO+Ts4Vhb9J
+xil8/WcWCKU+GPf8hQOkwVnhv4CxLscCXT2g9zxTpP/JCKmHaucQog8CgYEA0qUC
+NBRMh55bjiHaqsSRvr45iwxzNzd8KK5A/xKyScEl+A4HWdqDpZ+8w9YC4GUQClvH
+cHn5NpWfq9hrNAXPjBzVGXk+JqFcJM/yPImH+Vg8MupJprwVSHJ1mqQ/MPSpxxhy
+iNaWeJX6bhPAgQSOAYbH22uNOGePmMQ8kk3v/OcCgYA7ZzPA3kQ9Hr76Yi5Bmcgf
+ugSuJV73MB+QnVKoXH4GcTJt69zev5t3GvaG64SRGSJupTPVksfVSuPKI1DwdXWD
+fHb3UW2DT2/8E1+DeNXOMIvmSHzn8TyB4BhwIxyVoWEsg/5k17HogQqCmSyNkV8y
+hloUu4NojhwybvTFzvtqOQKBgDL0IVVRt7Vyk/kMrWVziUHXp/m/uDsaG9mHVUee
+USxQIYwgcJzGo+OzgSjqIuX+7GNlEhheGO+gP/CEuGHsKeldrBquXl9f1vc8qf8E
+0bR6KI20aL6BbrCIp3QR2QtRk6QKgOIi7mEa/moUMxPCc0thPAUSviVvv6eXiINn
+gO7vAoGAcvwVy9gDcGTL+4mMjZ07jc/TmQPmOpqosXuDTQZITuovpzY0Nf9KPNJs
+0dTuCaO+N5ZjttxIm6L9h/Ah0BN2Ir+JbplJ5uScWldz0MFJXm1wz7KJCRZQpVIO
+6SJCLSmh4nZ0TIL8V0ABhaFVQK0qq2z/ASljIF6iC68DBEDfuzY=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..4b19e9384
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-curve25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-curve25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 000000000..a1c57b0f0
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,95 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 39 (0x27)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
+        Validity
+            Not Before: Mar 15 06:42:00 2012 GMT
+            Not After : Mar 14 06:42:00 2017 GMT
+        Subject: C=CH, O=Linux strongSwan, OU=OCSP, CN=carol@strongswan.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:b0:33:dd:ed:c0:d6:9d:01:de:eb:08:c4:f9:6a:
+                    e9:46:10:f6:a4:cd:7d:aa:79:4b:c2:33:1f:61:40:
+                    40:de:06:9f:b8:2a:b0:84:cd:a7:79:c8:ee:a7:24:
+                    69:08:04:89:f8:7b:62:7e:03:9e:0a:d9:df:ff:7c:
+                    20:3c:a7:b1:86:7f:cc:e6:ad:0c:7e:6f:c4:9b:31:
+                    55:57:92:df:7b:94:86:f1:27:3a:0e:fa:0b:92:58:
+                    ad:64:8a:40:46:5d:87:ca:11:20:03:ad:86:68:a5:
+                    0c:8a:19:ce:36:d0:55:bf:1f:00:47:c9:1a:af:c5:
+                    ad:14:3c:d7:0c:9e:28:d9:61:1b:a2:a8:b7:f1:56:
+                    a7:d9:3b:fa:09:08:2c:9b:75:e3:30:64:5e:93:80:
+                    48:94:35:0d:97:ca:ac:57:66:02:86:b6:1b:6b:f1:
+                    4a:86:30:74:48:38:46:1a:7d:07:61:30:15:33:b0:
+                    9d:50:fc:4d:8c:16:1e:30:13:9f:07:04:7a:3b:92:
+                    54:33:c7:3a:0b:67:e2:ba:46:b0:b3:0d:79:7f:e4:
+                    ed:81:bd:34:cb:e5:30:f3:af:d4:dd:52:3e:f5:13:
+                    0e:c0:79:f8:43:c7:f5:b9:b0:12:6a:46:38:db:61:
+                    44:c8:4a:68:7b:77:34:68:63:ef:88:16:be:ae:89:
+                    ff:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Subject Key Identifier: 
+                C5:E8:58:D7:63:B0:B8:D4:2E:22:04:E1:CB:35:34:95:DA:74:F0:E6
+            X509v3 Authority Key Identifier: 
+                keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
+                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:carol@strongswan.org
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.strongswan.org:8880
+
+            X509v3 CRL Distribution Points: 
+                URI:http://crl.strongswan.org/strongswan.crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+        b6:2d:d8:bb:40:e9:cf:a9:33:31:6c:91:c7:40:79:8c:5f:89:
+        8e:26:d8:ef:91:67:da:71:75:f9:27:84:21:c3:6c:d1:a5:fb:
+        50:de:b2:02:ad:3c:a4:6b:40:58:30:41:c7:bd:31:ca:df:77:
+        00:c9:ac:5b:10:e3:66:71:6c:be:4a:49:7e:58:92:de:f4:16:
+        51:12:00:2c:33:e2:2c:b5:e5:d4:6e:36:a2:50:ba:86:e3:c6:
+        bb:50:a2:e5:11:69:c4:86:91:fc:4d:65:7e:09:49:bd:d2:ae:
+        cd:70:f8:98:5d:a8:b6:cf:38:c3:19:49:fd:8b:72:3b:1a:cc:
+        fc:19:c9:c1:36:b2:39:ba:ed:9a:cd:db:2d:27:15:b0:ba:8a:
+        64:4a:5c:8f:ff:db:78:7d:cd:78:c3:c6:13:ba:93:7b:b7:57:
+        da:a3:f2:16:9f:f7:24:95:57:df:f4:4f:c5:9f:d6:12:b1:69:
+        39:a7:5a:88:9c:74:be:f7:b0:f3:b4:89:82:46:57:de:7d:a1:
+        42:a2:c2:de:1c:37:19:66:60:2a:df:ed:25:e3:72:d3:f9:9b:
+        84:05:b6:97:6a:63:63:5c:30:5d:01:7a:15:c4:6e:2c:a0:21:
+        d2:31:30:98:60:94:26:44:9a:08:b4:85:8d:52:00:98:ef:cb:
+        07:4f:b7:8e
+-----BEGIN CERTIFICATE-----
+MIIEWzCCA0OgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEyMDMxNTA2NDIwMFoXDTE3MDMxNDA2NDIwMFowVjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
+HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gaf
+uCqwhM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG
+8Sc6DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEb
+oqi38Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAV
+M7CdUPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMO
+wHn4Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABo4IBQzCCAT8wCQYD
+VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFMXoWNdjsLjULiIE4cs1NJXa
+dPDmMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
+VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
+b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
+b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
+b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC2
+Ldi7QOnPqTMxbJHHQHmMX4mOJtjvkWfacXX5J4Qhw2zRpftQ3rICrTyka0BYMEHH
+vTHK33cAyaxbEONmcWy+Skl+WJLe9BZREgAsM+IsteXUbjaiULqG48a7UKLlEWnE
+hpH8TWV+CUm90q7NcPiYXai2zzjDGUn9i3I7Gsz8GcnBNrI5uu2azdstJxWwuopk
+SlyP/9t4fc14w8YTupN7t1fao/IWn/cklVff9E/Fn9YSsWk5p1qInHS+97DztImC
+RlfefaFCosLeHDcZZmAq3+0l43LT+ZuEBbaXamNjXDBdAXoVxG4soCHSMTCYYJQm
+RJoItIWNUgCY78sHT7eO
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9ba617c0a
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7593ab087
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-curve25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-curve25519
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat
new file mode 100644
index 000000000..672f4188c
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat
@@ -0,0 +1,3 @@
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
diff --git a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat
new file mode 100644
index 000000000..e6d60458d
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat
@@ -0,0 +1,5 @@
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/ocsp-signer-cert/test.conf b/testing/tests/swanctl/ocsp-signer-cert/test.conf
new file mode 100644
index 000000000..c5b3ecc43
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
author	Andreas Steffen <andreas.steffen@strongswan.org>	2017-01-02 14:08:21 +0100
committer	Andreas Steffen <andreas.steffen@strongswan.org>	2017-01-02 14:34:18 +0100
commit	db0953d41fee94ffd578a73e35968aa0f18001fa (patch)
tree	befc6924bc967fdfb05eec947b31c2a2c5ee2338 /testing
parent	e3f63c646914a24355eb63b7873123312549b7a4 (diff)
download	strongswan-db0953d41fee94ffd578a73e35968aa0f18001fa.tar.bz2 strongswan-db0953d41fee94ffd578a73e35968aa0f18001fa.tar.xz