| #!/bin/sh |
| |
| . STlsVars |
| |
| # create a CA |
| |
| CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS |
| CAFP=`$NSCERT showcas --fingerprint --brief ca-net-snmp.org $NSCERTARGS` |
| CHECKVALUEISNT "$CAFP" "" "generated fingerprint for ca-net-snmp.org certificate" |
| |
| # create a server certificate using the CA certificate |
| CAPTURE $NSCERT gencert -t snmpd --with-ca ca-net-snmp.org $checknametype ${checknameprefix}a.b.example.com $NSCERTARGS |
| SNMPDFP=`$NSCERT showcert --fingerprint --brief snmpd $NSCERTARGS` |
| |
| CONFIGAGENT '[snmp]' serverCert $SNMPDFP |
| |
| # create a user certificate |
| CAPTURE $NSCERT gencert -t snmpapp --cn 'testuser' $NSCERTARGS |
| TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS` |
| CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate" |
| |
| CONFIGAGENT certSecName 10 $TESTUSERFP --cn |
| CONFIGAGENT rwuser -s tsm testuser authpriv |
| |
| CONFIGAPP clientCert $TESTUSERFP |
| |
| # start the agent up |
| FLAGS="-On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT" |
| |
| # start up the agent |
| STARTAGENT |
| |
| ######################################## |
| # Positive tests |
| # (should work) |
| |
| # ensure we can access it via a direct FP check |
| DOSETTEST fingerprintIdentity "-T their_identity=$SNMPDFP $FLAGS" |
| |
| # ensure we can access it via a file based identity check |
| DOSETTEST filenameIdentity "-T their_identity=snmpd $FLAGS" |
| |
| # ensure we can access it via trusting their CA certificate and a |
| # matching commoname |
| DOSETTEST hostnameIdentity "-T trust_cert=$CAFP -T their_hostname=a.b.example.com $FLAGS" |
| |
| ######################################## |
| # Negative tests |
| # (should fail) |
| |
| # if we don't load the CA certificate we shouldn't connect |
| DOFAILSETTEST noTrustCACert "-T their_hostname=a.b.example.com $FLAGS" |
| |
| # if we specify a different hostname we should fail hostname test |
| # ("localhos" without the "t" is intentional here) |
| DOFAILSETTEST incorrectNameA.B.Example.Co "-T their_hostname=a.b.example.co $FLAGS" |
| DOFAILSETTEST incorrectNameA.B.Example.Comt "-T their_hostname=a.b.example.comt $FLAGS" |
| |
| # if we specify the CA cert's but don't specify the hostname, it |
| # should fail (this may change in the future if we pull the hostname |
| # from the transport specifier) |
| DOFAILSETTEST certWithoutHost "-T trust_cert=$CAFP $FLAGS" |
| |
| ######################################## |
| # Wildcard tests |
| # |
| DOSETTEST wildcardMatch "-T trust_cert=$CAFP -T their_hostname=*.b.example.com $FLAGS" |
| |
| DOFAILSETTEST noDoubleWildcard "-T trust_cert=$CAFP -T their_hostname=*.example.com $FLAGS" |
| |
| |
| ######################################## |
| # DONE |
| |
| STOPAGENT |
| |
| FINISHED |