/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 # Import the root CA, and use that to generate a cert+pubkey that's
west #
 # valid in 1 month (-w 1) and expires in 12 months (-v 12).
west #
 /testing/x509/import.sh real/mainca/root.p12
 ipsec pk12util -w nss-pw -i real/mainca/root.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n mainca
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 ipsec certutil -m 2 -S -k rsa -c mainca -n west-expired -s CN=west-expired -w -12 -v 6 -t CT,, -z ipsec.conf
Generating key.  This may take a few moments...
west #
 ipsec certutil -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
mainca                                                       CTu,u,u
west-expired                                                 CTu,u,u
west #
 # verify the result
west #
 ipsec certutil -L -a -n west-expired -o OUTPUT/west-expired.crt
west #
 ! ipsec vfychain -v -u 12 -p -p -p -a OUTPUT/west-expired.crt
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. west-expired :
  ERROR -8181: Peer's Certificate has expired.
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add west
"west": WARNING: left is a groundhog
"west": WARNING: groundhog left certificate 'west-expired' has expired
"west": added IKEv2 connection
west #
 ipsec checkpubkeys
TIMESTAMP, 2048 RSA Key AwXXXXXXX (has private key), until TIMESTAMP fatal (expired)
       DER_ASN1_DN 'CN=west-expired'
       Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
west #
 echo "initdone"
initdone
west #
 ipsec whack --impair suppress_retransmits
west #
 ipsec whack --impair revival
west #
 # This is expected to fail because remote cert is not yet valid.
west #
 ipsec auto --up west
"west" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"west" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"west" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"west" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500 with digital-signature and DER_ASN1_DN 'CN=west-expired'; Child SA #2 {ESP <0xESPESP}
"west" #1: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
"west" #1: encountered fatal error in state IKE_AUTH_I
"west" #2: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
"west" #2: IMPAIR: revival: skip scheduling revival event
"west" #1: deleting IKE SA (sent IKE_AUTH request)
west #
 echo done
done
west #
 # only expected to show failure on west
west #
 grep -e '^[^|].*ERROR' /tmp/pluto.log
west #
