Коренберг Марк
d8e4a2a777
identification: Change abbreviation for surname/serialNumber RDNs
To align with RFC 4519, section 2.31/32, the abbreviation for surname
is changed to "SN" that was previously used for serialNumber, which does
not have an abbreviation.
This mapping had its origins in the X.509 patch for FreeS/WAN that was
started in 2000. It was aligned with how OpenSSL did this in earlier
versions. However, there it was changed already in March 2002 (commit
ffbe98b7630d604263cfb1118c67ca2617a8e222) to make it compatible with
RFC 2256 (predecessor of RFC 4519).
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
Closes strongswan/strongswan#179.
2021-01-18 17:41:37 +01:00
Tobias Brunner
5ef10ec326
testing: Add scenarios that use a CA with two intermediate CA certificates
Mainly to test TKM's ability for handling multiple CAs and that the
received intermediate CA certificates are passed in the right order.
But also added a regular scenario where two intermediate CA certificates
are sent by one of the clients.
2021-01-11 15:28:10 +01:00
Tobias Brunner
16fcdb460a
charon-tkm: Don't use starter/stroke with charon-tkm anymore
For the tests, the unused init script that was used before switching to
charon-systemd is repurposed to manage the daemon.
2021-01-11 15:28:01 +01:00
Tobias Brunner
b322539ef5
charon-tkm: Deinitialize IKE tkm-rpc client
This is necessary if tkm-rpc supports multiple parallel client requests.
2021-01-08 17:22:37 +01:00
Adrian-Ken Rueegsegger
a0a0571bd1
charon-tkm: Reverse cert chain processing order
Verify certificate chains starting from the root CA certificate and
moving towards the leaf/user certificate.
Also update TKM-RPC and TKM in testing scripts to version supporting the
reworked CC handling.
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger
532023dcf1
testing: Use latest TKM RPC library
Brings some cleanups and minor improvements.
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger
eccca505aa
testing: Use multi-CA aware TKM
Also add CA ID to tkm_keymanager command.
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger
d6cf4a165b
testing: Add CA ID mappings to TKM tests
Extend the build-certs-chroot script to fill in the public key
fingerprint of the CA certificate in the appropriate strongswan.conf
files.
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger
524751ae76
testing: Switch to https for codelabs recipes
2021-01-08 17:22:36 +01:00
Tobias Brunner
fde5374a86
testing: Explicitly encode backing image format in metadata
Apparently, there is no probing anymore in newer versions of qemu due
to security considerations.
2021-01-08 11:39:44 +01:00
Tobias Brunner
b58740996f
testing: Use build-strongswan to implement build-rootimage
2020-11-27 12:05:22 +01:00
Tobias Brunner
88c94063d2
testing: Make building guest images after strongSwan optional
This is basically only for the build-rootimage use case.
2020-11-27 12:05:22 +01:00
Tobias Brunner
386e9a96a1
testing: Optionally build strongSwan from a release tarball
This will allow us to replace the build-rootimage script.
2020-11-27 12:05:22 +01:00
Tobias Brunner
a7d920059e
testing: Optionally replace root image when building strongSwan
2020-11-27 12:05:22 +01:00
Tobias Brunner
c1dc7c4149
testing: Optionally use a new strongSwan build directory
This can be useful when building completely different versions for the
first time to avoid issues with build artifacts of previous builds.
2020-11-27 12:05:22 +01:00
Tobias Brunner
543d09c4b4
testing: Add option to build all software recipes when building strongSwan
This is like building the root image but using a specific strongSwan
source tree, which is helpful if code changes depend on other software
packages (e.g. TKM-related or testing new crypto libraries). If the script
is called and the root image does not exist, the new option is enabled
automatically.
The option to build in a specific guest image is now also moved to an
explicit command line option so that the source dir path is the only
remaining positional argument (see --help for details).
2020-11-27 12:05:22 +01:00
Tobias Brunner
edc55f0876
testing: Create root image if it does not exist yet when building strongSwan
This allows running the script directly after building the base image.
2020-11-27 12:05:22 +01:00
Tobias Brunner
29c59885ca
Use Botan 2.17.1 for tests
2020-11-27 12:05:22 +01:00
Tobias Brunner
1c2f5eea2c
testing: Improve building different revisions of Git-recipes
If we check out and build a certain revision of a dependency in a branch and
switch to another that requires a different revision and then switch back,
the previous approach installed the wrong revision as it would incorrectly
assume the required revision was already built and ready to install.
2020-11-27 12:05:22 +01:00
Tobias Brunner
60caa4f6c6
testing: Use silent rules to build strongSwan
2020-10-27 16:42:00 +01:00
Tobias Brunner
78015d14ac
Use Botan 2.16.0 for tests
2020-10-07 12:38:52 +02:00
Tobias Brunner
64148f046e
testing: Fix dependency issue with strongTNC
Apparently, djangorestframework-camel-case, in the referenced version,
uses `six` but does not itself require/install it (later versions removed
Python 2 support altogether).
2020-09-04 14:56:58 +02:00
Tobias Brunner
1f97415fe7
testing: Use latest x509-ada release
This fixes an issue with newer compiler versions where crashes would be
caused if functions of the generated C X.509 parser are not aligned.
2020-09-03 15:24:37 +02:00
Tobias Brunner
fb78b0e533
testing: Add man, valgrind and strace to base image
2020-09-03 13:34:19 +02:00
Tobias Brunner
dcd8327933
testing: Install vici Python module manually
easy_install is not included in Debian's python-setuptools package
anymore, so we install it manually using setup.py.
2020-09-03 13:34:19 +02:00
Tobias Brunner
d9785b36a3
testing: Replace deprecated/removed `pip install --download` command
It was deprecated for a while and has been replaced by `pip download`.
2020-09-03 13:34:19 +02:00
Tobias Brunner
94eebc9c2c
testing: Use legacy iptables on Debian buster
The iptables-nft wrapper that uses the nftables framework can't handle
the CLUSTERIP target (plus we'd require nftables in the kernel).
2020-09-03 13:34:19 +02:00
Tobias Brunner
3d1e2c56df
testing: Use pkill to reload rsyslogd config/recreate log files
The PID location changes with newer Debian releases so it's more
portable this way.
2020-09-03 13:34:19 +02:00
Tobias Brunner
ad7d712cb5
testing: Support build with Debian buster base image
2020-09-03 13:33:32 +02:00
Tobias Brunner
59455137b4
Use Botan 2.15.0 for tests
2020-07-20 16:58:03 +02:00
Tobias Brunner
e0b1b12028
Use Botan 2.14.0 for tests
Requires at least GCC 5.0 to build with `--amalgamation`, so it's
disabled for our Ubuntu 16.04 build.
2020-04-07 16:37:27 +02:00
Josh Soref
b3ab7a48cc
Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner
b0b928dd0a
Use Botan 2.13.0 for tests
2020-01-16 08:30:47 +01:00
Tobias Brunner
91dabace11
testing: Add scenario with hash-and-URL encoding for intermediate CA certificates
2019-11-26 11:12:26 +01:00
Tobias Brunner
9cc24ca39e
Use Botan 2.12.1 for tests
2019-10-14 11:43:58 +02:00
Tobias Brunner
0736882678
Use Botan 2.12.0 for tests
2019-10-07 14:31:40 +02:00
Tobias Brunner
17c9972252
Fixed some typos, courtesy of codespell
2019-08-28 14:03:41 +02:00
Tobias Brunner
b9949e98c2
Some whitespace fixes
Didn't change some of the larger testing scripts that use an inconsistent
indentation style.
2019-08-22 15:18:06 +02:00
Tobias Brunner
de07b77442
Use Botan 2.11.0 for tests
2019-07-02 11:35:21 +02:00
Andreas Steffen
c9d898c9f4
testing: Copy keys and certs to swanctl/rw-newhope-bliss scenario
2019-05-10 12:53:33 +02:00
Tobias Brunner
27f6d37544
testing: Return an error if any command in the certificate build script fails
2019-05-08 14:56:48 +02:00
Tobias Brunner
d3f678c08f
testing: Build certificates before guests after building strongSwan
If the script is run on a clean working copy, building the guests will
fail if the certificates don't exist.
2019-05-08 14:56:48 +02:00
Tobias Brunner
287149cbf9
testing: Automatically build guest images after generating certificates
This (re-)generates the CRLs on winnetou.
2019-05-08 14:56:48 +02:00
Tobias Brunner
ac66ca25f9
testing: Use custom plugin configuration to build SHA-3 CA
2019-05-08 14:56:48 +02:00
Tobias Brunner
21280da9f5
testing: Fix ikev2/net2net-rsa scenario
2019-05-08 14:56:48 +02:00
Tobias Brunner
da8e33f3ca
testing: Add wrapper script to build certificates in root image
This does not modify the root image but uses the strongSwan version
installed there (avoids build dependencies on version installed on the
host to use pki to generate all the keys and certificates).
2019-05-08 14:56:48 +02:00
Andreas Steffen
b213204b3b
testing: Updated build-certs script
2019-05-08 14:56:48 +02:00
Andreas Steffen
92c001f766
testing: Remove dynamic keys and certs from repository
2019-05-08 14:56:48 +02:00
Andreas Steffen
00f1d09729
testing: Build data.sql files for SQL test cases
2019-05-08 14:56:48 +02:00
Tobias Brunner
05275905ef
testing: Build CERT and IPSECKEY RRs for strongswan.org zone
Also copy generated keys to DNSSEC test cases.
2019-05-08 14:56:48 +02:00