ocsp-no-signer-cert added

testing/tests/ikev2/ocsp-no-signer-cert/description.txt

@@ -0,0 +1,5 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which is sending a normal host
+certificate not containing an OCSPSigning extended key usage flag. As a consequence
+the OCSP signing certificate is not accepted and the connection setup is aborted.

testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat

@@ -0,0 +1,5 @@
+moon::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES
+moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO

testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf

@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=yes
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	ocspuri=http://ocsp.strongswan.org:8880
+	auto=add
+
+conn %default
+	keyexchange=ikev2
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add

testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf

@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=yes
+	plutostart=no
+
+ca strongswan-ca
+	cacert=strongswanCert.pem
+	ocspuri=http://ocsp.strongswan.org:8880
+	auto=add
+
+conn %default
+	keyexchange=ikev2
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add

testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+                      -rkey winnetouKey.pem -rsigner winnetouCert.pem \
+		      -nmin 5 \
+		      -reqin /dev/stdin -respout /dev/stdout

testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat

@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop

testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat

@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home

testing/tests/ikev2/ocsp-no-signer-cert/test.conf

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"