summaryrefslogtreecommitdiff
path: root/testing/tests/ikev1/ocsp-revoked
diff options
context:
space:
mode:
Diffstat (limited to 'testing/tests/ikev1/ocsp-revoked')
-rw-r--r--testing/tests/ikev1/ocsp-revoked/description.txt7
-rw-r--r--testing/tests/ikev1/ocsp-revoked/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem25
-rw-r--r--testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem27
-rw-r--r--testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf39
-rw-r--r--testing/tests/ikev1/ocsp-revoked/posttest.dat4
-rw-r--r--testing/tests/ikev1/ocsp-revoked/pretest.dat4
-rw-r--r--testing/tests/ikev1/ocsp-revoked/test.conf21
10 files changed, 164 insertions, 0 deletions
diff --git a/testing/tests/ikev1/ocsp-revoked/description.txt b/testing/tests/ikev1/ocsp-revoked/description.txt
new file mode 100644
index 000000000..cbdd1305a
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/description.txt
@@ -0,0 +1,7 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and no current revocation information is available, the Main Mode
+negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>.
+When the second Main Mode trial comes around the OCSP response will be available
+but because the certificate presented by carol has been revoked,
+the IKE negotatiation will fail..
diff --git a/testing/tests/ikev1/ocsp-revoked/evaltest.dat b/testing/tests/ikev1/ocsp-revoked/evaltest.dat
new file mode 100644
index 000000000..f5286cb61
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::certificate was revoked::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec listocsp:: revoked::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5b32ef007
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ charonstart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolRevokedCert.pem
+ leftid=carol@strongswan.org
+
+conn home
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
new file mode 100644
index 000000000..5b742fc9e
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
+mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
+5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
+VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
+IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
+K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
+OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
+56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
+2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
+O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
+LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
+wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
+9IcgYi5x
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
new file mode 100644
index 000000000..8aefcc5a6
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
+hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
+v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
+HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
+vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
+UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
+WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
+OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
+og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
+MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
+khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
+uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
+a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
+7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
+rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
+ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
+IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
+CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
+baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
+TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
+r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
+jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
+46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
+o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
+9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..8e31be4cb
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolRevokedKey.pem
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d9da3f78a
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,39 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ charonstart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn net-net
+ leftsubnet=10.1.0.0/16
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn host-host
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn rw
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev1/ocsp-revoked/posttest.dat b/testing/tests/ikev1/ocsp-revoked/posttest.dat
new file mode 100644
index 000000000..d742e8410
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/ocsp-revoked/pretest.dat b/testing/tests/ikev1/ocsp-revoked/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/ocsp-revoked/test.conf b/testing/tests/ikev1/ocsp-revoked/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev1/ocsp-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 05:51:52 +0000