| #!/bin/sh |
| |
| . STlsVars |
| |
| # this file contains tests common to both tls and dtls usages |
| |
| TLSDIR=$SNMP_TMPDIR/tls |
| |
| ######################################### |
| # Create the certificates |
| |
| # create the ca |
| CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS |
| |
| # snmpd |
| HOSTNAME=`hostname` |
| CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpd --cn $HOSTNAME $NSCERTARGS |
| SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS` |
| CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate" |
| |
| # user |
| CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp --cn 'testuser' $NSCERTARGS |
| TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS` |
| CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate" |
| |
| # user2 |
| CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp2 --cn 'testuser2' $NSCERTARGS |
| TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS` |
| CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser2 certificate" |
| |
| ######################################## |
| # Configure the .conf files |
| |
| CONFIGAPP serverCert $SERVERFP |
| |
| # common name mappings |
| CONFIGAGENT certSecName 9 $TESTUSERFP --cn |
| CONFIGAGENT certSecName 10 $TESTUSER2FP --cn |
| CONFIGAGENT rwuser -s tsm testuser authpriv |
| CONFIGAGENT rwuser -s tsm testuser2 authpriv |
| |
| CRLFILE=$SNMP_TMPDIR/crlfile.pem |
| |
| # configure the CRL locations |
| CONFIGAGENT '[snmp]' x509crlfile $CRLFILE |
| CONFIGAPP '[snmp]' x509crlfile $CRLFILE |
| |
| CRLCACMD="env DIR=$TLSDIR CN=ca-net-snp.org openssl ca" |
| CRLARGS="-config $TLSDIR/.openssl.conf -keyfile $TLSDIR/private/ca-net-snmp.org.key -cert $TLSDIR/ca-certs/ca-net-snmp.org.crt" |
| |
| # generate the initial CRL |
| touch $TLSDIR/.index |
| echo "01" > $TLSDIR/.crlnumber |
| CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE" |
| |
| # |
| # put the second client into the CRL and it shouldn't work |
| # |
| CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpapp2.crt $CRLARGS -out $CRLFILE" |
| CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE" |
| |
| |
| ###################################################################### |
| # Run the actual list of tests |
| # |
| |
| # start the agent up |
| FLAGS="-Dtls -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT" |
| AGENT_FLAGS="-Dtls" |
| STARTAGENT |
| |
| # using user 1 - a common name mapped certificate |
| # (using the default "snmpapp" certificate because we don't specify another) |
| CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0" |
| |
| CHECK ".1.3.6.1.2.1.1.3.0 = Timeticks:" |
| |
| # using user 2 should now fail |
| CAPTURE "snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.1.3.0" |
| |
| CHECKCOUNT 0 ".1.3.6.1.2.1.1.3.0 = Timeticks:" |
| CHECKAGENT "certificate revoked" |
| |
| # |
| # now put the server's cert into the client crl file |
| # |
| CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpd.crt $CRLARGS" |
| CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE" |
| |
| # user 1 should now fail on the client side |
| CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0" |
| |
| CHECK "certificate revoked" |
| |
| # cleanup |
| STOPAGENT |
| |
| FINISHED |