/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh real/mainca/root.p12
 ipsec pk12util -w nss-pw -i real/mainca/root.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n mainca
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 echo done
done
west #
 # This should fail as the intermediate has no BC=CA; also dump
west #
 # intermediate.
west #
 ./run.sh real/mainca/west-bc-missing-chain-end
begin #
 /testing/x509/import.sh real/mainca/west-bc-missing-chain-end.p12
 ipsec pk12util -w nss-pw -i real/mainca/west-bc-missing-chain-end.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n west-bc-missing-chain-end
"west-bc-missing-chain-end" [E=west-bc-missing-chain-end@testing.libreswan.org,CN=west-bc-missing-chain-end.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
end #
begin #
 ipsec certutil -L -n west-bc-missing-chain-end
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=west-bc-missing-chain-int@testing.libreswan.org,CN=west-bc
            -missing-chain-int.testing.libreswan.org,OU=Test Department,O=Lib
            reswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=west-bc-missing-chain-end@testing.libreswan.org,CN=west-b
            c-missing-chain-end.testing.libreswan.org,OU=Test Department,O=Li
            breswan,L=Toronto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "west-bc-missing-chain-end.testing.libreswan.org"
            RFC822 Name: "west-bc-missing-chain-end@testing.libreswan.org"
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
begin #
 ipsec addconn --name west-bc-missing-chain-end rightid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org right=192.1.2.23 left=%defaultroute leftid=%fromcert leftcert=west-bc-missing-chain-end
"west-bc-missing-chain-end": added IKEv2 connection
end #
begin #
 ipsec up west-bc-missing-chain-end
"west-bc-missing-chain-end" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"west-bc-missing-chain-end" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"west-bc-missing-chain-end" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"west-bc-missing-chain-end" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500 with digital-signature and DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west-bc-missing-chain-end.testing.libreswan.org, E=west-bc-missing-chain-end@testing.libreswan.org'; Child SA #2 {ESP <0xESPESP}
"west-bc-missing-chain-end" #1: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
"west-bc-missing-chain-end" #1: encountered fatal error in state IKE_AUTH_I
"west-bc-missing-chain-end" #2: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
"west-bc-missing-chain-end" #2: IMPAIR: revival: skip scheduling revival event
"west-bc-missing-chain-end" #1: deleting IKE SA (sent IKE_AUTH request)
end #
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
west #
 ipsec certutil -L -n west-bc-missing-chain-end
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=west-bc-missing-chain-int@testing.libreswan.org,CN=west-bc
            -missing-chain-int.testing.libreswan.org,OU=Test Department,O=Lib
            reswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=west-bc-missing-chain-end@testing.libreswan.org,CN=west-b
            c-missing-chain-end.testing.libreswan.org,OU=Test Department,O=Li
            breswan,L=Toronto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "west-bc-missing-chain-end.testing.libreswan.org"
            RFC822 Name: "west-bc-missing-chain-end@testing.libreswan.org"
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
west #
 # This should fail as the root CA that signed it, and is in EAST's NSS
west #
 # DB, has CA=no
west #
 ./run.sh bc-n-ca/bc-n-ca-west
begin #
 /testing/x509/import.sh bc-n-ca/bc-n-ca-west.p12
 ipsec pk12util -w nss-pw -i bc-n-ca/bc-n-ca-west.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n bc-n-ca -t CT,,
 ipsec certutil -O -n bc-n-ca-west
"bc-n-ca" [E=testing@libreswan.org,CN=Libreswan test CA for bc-n-ca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "bc-n-ca-west" [E=user-bc-n-ca-west@testing.libreswan.org,CN=bc-n-ca-west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
end #
begin #
 ipsec certutil -L -n bc-n-ca-west
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for bc-n-ca,OU=
            Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=user-bc-n-ca-west@testing.libreswan.org,CN=bc-n-ca-west.t
            esting.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=
            Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "bc-n-ca-west.testing.libreswan.org"
            RFC822 Name: "bc-n-ca-west@testing.libreswan.org"
            IP Address: 192.1.2.45
            IP Address: 2001:db8:1:2::45
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
begin #
 ipsec addconn --name bc-n-ca-west rightid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org right=192.1.2.23 left=%defaultroute leftid=%fromcert leftcert=bc-n-ca-west
"bc-n-ca-west": added IKEv2 connection
end #
begin #
 ipsec up bc-n-ca-west
"bc-n-ca-west" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"bc-n-ca-west" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"bc-n-ca-west" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"bc-n-ca-west" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500 with digital-signature and DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=bc-n-ca-west.testing.libreswan.org, E=user-bc-n-ca-west@testing.libreswan.org'; Child SA #2 {ESP <0xESPESP}
"bc-n-ca-west" #1: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
"bc-n-ca-west" #1: encountered fatal error in state IKE_AUTH_I
"bc-n-ca-west" #2: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
"bc-n-ca-west" #2: IMPAIR: revival: skip scheduling revival event
"bc-n-ca-west" #1: deleting IKE SA (sent IKE_AUTH request)
end #
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
west #
 ipsec certutil -L -n bc-n-ca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for bc-n-ca,OU=
            Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=testing@libreswan.org,CN=Libreswan test CA for bc-n-ca,OU
            =Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Basic Constraints
            Data: Is not a CA.
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
        Object Signing Flags:
west #
 grep '^[^|].*ERROR:' /tmp/pluto.log
west #
