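#!/bin/sh
#
# TLS server-identity verification tests.
#
# Builds a throw-away PKI (CA, agent certificate, client certificate), starts
# an agent with the agent certificate, then checks that the client accepts
# the agent's identity only when it should:
#   - direct fingerprint match     (-T their_identity=<fingerprint>)
#   - file-based identity          (-T their_identity=<cert name>)
#   - trusted CA + matching host   (-T trust_cert=<CA fp> -T their_hostname=...)
# and that the negative cases (no trusted CA, wrong hostname, CA without a
# hostname) and wildcard hostnames behave as expected.
#
# Everything used below (NSCERT, NSCERTARGS, the SNMP_* variables and the
# CAPTURE / CHECKVALUEISNT / CONFIGAGENT / CONFIGAPP / STARTAGENT / STOPAGENT /
# DOSETTEST / DOFAILSETTEST / FINISHED helpers) comes from STlsVars.
# $checknametype and ${checknameprefix} are expected to be set by the caller
# that sources this file; presumably they select how the server name is
# encoded in the certificate (e.g. CN vs. subjectAltName) -- verify against
# the calling test.
. STlsVars

########################################
# Build the test PKI
########################################

# 1. a CA; its fingerprint is what the client will trust below
CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS
CAFP=$($NSCERT showcas --fingerprint --brief ca-net-snmp.org $NSCERTARGS)
CHECKVALUEISNT "$CAFP" "" "generated fingerprint for ca-net-snmp.org certificate"

# 2. the agent's certificate, signed by that CA and carrying the hostname
#    a.b.example.com that the hostname tests match against
CAPTURE $NSCERT gencert -t snmpd --with-ca ca-net-snmp.org $checknametype ${checknameprefix}a.b.example.com $NSCERTARGS
SNMPDFP=$($NSCERT showcert --fingerprint --brief snmpd $NSCERTARGS)
# Fail early here: an empty fingerprint would otherwise be written into the
# agent's serverCert line and every positive test below would fail for an
# unrelated-looking reason.
CHECKVALUEISNT "$SNMPDFP" "" "generated fingerprint for snmpd certificate"
CONFIGAGENT '[snmp]' serverCert $SNMPDFP

# 3. a client certificate (CN=testuser) so the client itself can authenticate
CAPTURE $NSCERT gencert -t snmpapp --cn 'testuser' $NSCERTARGS
TESTUSERFP=$($NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS)
CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"

# Map the client certificate (matched by fingerprint) to a security name
# taken from its CN, and grant that name read/write access under TSM.
# Only the authpriv level is granted, so a session that is not both
# authenticated and encrypted gets no access.
CONFIGAGENT certSecName 10 $TESTUSERFP --cn
CONFIGAGENT rwuser -s tsm testuser authpriv
CONFIGAPP clientCert $TESTUSERFP

########################################
# Start the agent
########################################
FLAGS="-On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
STARTAGENT

########################################
# Positive tests
# (should work)
########################################

# direct fingerprint check of the agent's certificate
DOSETTEST fingerprintIdentity "-T their_identity=$SNMPDFP $FLAGS"

# identity given as the name of the certificate file
DOSETTEST filenameIdentity "-T their_identity=snmpd $FLAGS"

# trust the CA and require a matching common name / hostname
DOSETTEST hostnameIdentity "-T trust_cert=$CAFP -T their_hostname=a.b.example.com $FLAGS"

########################################
# Negative tests
# (should fail)
########################################

# hostname alone, without trusting the CA, must not connect:
# a name match is meaningless if the certificate chain is not trusted
DOFAILSETTEST noTrustCACert "-T their_hostname=a.b.example.com $FLAGS"

# a hostname that differs from the certificate's by one character must fail,
# in both directions: a truncated name ("...example.co") and a name with an
# extra trailing character ("...example.comt").  Both are intentional
# misspellings that guard against prefix/substring matching.
DOFAILSETTEST incorrectNameA.B.Example.Co "-T their_hostname=a.b.example.co $FLAGS"
DOFAILSETTEST incorrectNameA.B.Example.Comt "-T their_hostname=a.b.example.comt $FLAGS"

# trusting the CA but giving no hostname must fail (this may change in the
# future if the hostname is taken from the transport specifier instead)
DOFAILSETTEST certWithoutHost "-T trust_cert=$CAFP $FLAGS"

########################################
# Wildcard tests
########################################

# a wildcard may replace exactly the leftmost label ...
DOSETTEST wildcardMatch "-T trust_cert=$CAFP -T their_hostname=*.b.example.com $FLAGS"

# ... but must not span more than one label
DOFAILSETTEST noDoubleWildcard "-T trust_cert=$CAFP -T their_hostname=*.example.com $FLAGS"

########################################
# DONE
########################################
STOPAGENT
FINISHED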