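#!/bin/sh
. STlsVars

# this file contains tests common to both tls and dtls usages
#
# Flow: build a throw-away CA plus three certificates (the agent and two
# users), wire the fingerprints into the agent/app configs, then exercise
# CRL checking in both directions: a revoked client certificate must be
# refused by the agent, and a revoked agent certificate must be refused
# by the client.  CAPTURE/CHECK*/CONFIG*/STARTAGENT/STOPAGENT/FINISHED come
# from the sourced test harness (STlsVars and what it pulls in).

TLSDIR=$SNMP_TMPDIR/tls

#########################################
# Create the certificates

# create the ca
# $NSCERTARGS is deliberately left unquoted: it holds several arguments.
CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS

# snmpd -- the agent certificate is issued for the local hostname
HOSTNAME=$(hostname)
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpd --cn "$HOSTNAME" $NSCERTARGS
SERVERFP=$($NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS)
CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"

# user
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp --cn 'testuser' $NSCERTARGS
TESTUSERFP=$($NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS)
CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"

# user2 -- this is the client certificate that gets revoked later
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp2 --cn 'testuser2' $NSCERTARGS
TESTUSER2FP=$($NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS)
CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser2 certificate"

########################################
# Configure the .conf files

# the client pins the agent by fingerprint
CONFIGAPP serverCert "$SERVERFP"

# common name mappings: each client fingerprint maps to a tsm security
# name taken from the certificate's CN, which is then granted rw access
CONFIGAGENT certSecName 9 "$TESTUSERFP" --cn
CONFIGAGENT certSecName 10 "$TESTUSER2FP" --cn
CONFIGAGENT rwuser -s tsm testuser authpriv
CONFIGAGENT rwuser -s tsm testuser2 authpriv

CRLFILE=$SNMP_TMPDIR/crlfile.pem

# configure the CRL locations -- both sides read the same CRL file
CONFIGAGENT '[snmp]' x509crlfile "$CRLFILE"
CONFIGAPP '[snmp]' x509crlfile "$CRLFILE"

# "openssl ca" driven against the CA built above.  DIR and CN are put in
# the environment, presumably for $TLSDIR/.openssl.conf to pick up; CN has
# to be the CA's actual name (it was misspelled "ca-net-snp.org" before).
CRLCACMD="env DIR=$TLSDIR CN=ca-net-snmp.org openssl ca"
CRLARGS="-config $TLSDIR/.openssl.conf -keyfile $TLSDIR/private/ca-net-snmp.org.key -cert $TLSDIR/ca-certs/ca-net-snmp.org.crt"

# generate the initial (empty) CRL; openssl ca needs an index and a
# starting CRL number
touch "$TLSDIR/.index"
echo "01" > "$TLSDIR/.crlnumber"
CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"

#
# put the second client into the CRL and it shouldn't work
#
CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpapp2.crt $CRLARGS -out $CRLFILE"
CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"

######################################################################
# Run the actual list of tests
#

# start the agent up
FLAGS="-Dtls -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
AGENT_FLAGS="-Dtls"
STARTAGENT

# using user 1 - a common name mapped certificate
# (using the default "snmpapp" certificate because we don't specify another)
CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
CHECK ".1.3.6.1.2.1.1.3.0 = Timeticks:"

# using user 2 should now fail: no value may come back, and the agent
# log has to state the reason
CAPTURE "snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
CHECKCOUNT 0 ".1.3.6.1.2.1.1.3.0 = Timeticks:"
CHECKAGENT "certificate revoked"

#
# now put the server's cert into the client crl file
#
CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpd.crt $CRLARGS"
CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"

# user 1 should now fail on the client side (the client rejects the
# revoked agent certificate even though the fingerprint still matches)
CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
CHECK "certificate revoked"

# cleanup
STOPAGENT
FINISHED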