Diffstat (limited to 'testing/fulltests/tls/SCrl')
-rw-r--r--testing/fulltests/tls/SCrl98
1 files changed, 98 insertions, 0 deletions
diff --git a/testing/fulltests/tls/SCrl b/testing/fulltests/tls/SCrl
new file mode 100644
index 0000000..4167403
--- /dev/null
+++ b/testing/fulltests/tls/SCrl
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+. STlsVars
+
+# this file contains tests common to both tls and dtls usages
+
+TLSDIR=$SNMP_TMPDIR/tls
+
+#########################################
+# Create the certificates
+
+# create the ca
+CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS
+
+# snmpd
+HOSTNAME=`hostname`
+CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpd --cn $HOSTNAME $NSCERTARGS
+SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS`
+CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"
+
+# user
+CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp --cn 'testuser' $NSCERTARGS
+TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"
+
+# user2
+CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp2 --cn 'testuser2' $NSCERTARGS
+TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser2 certificate"
+
+########################################
+# Configure the .conf files
+
+CONFIGAPP serverCert $SERVERFP
+
+# common name mappings
+CONFIGAGENT certSecName 9 $TESTUSERFP --cn
+CONFIGAGENT certSecName 10 $TESTUSER2FP --cn
+CONFIGAGENT rwuser -s tsm testuser authpriv
+CONFIGAGENT rwuser -s tsm testuser2 authpriv
+
+CRLFILE=$SNMP_TMPDIR/crlfile.pem
+
+# configure the CRL locations
+CONFIGAGENT '[snmp]' x509crlfile $CRLFILE
+CONFIGAPP '[snmp]' x509crlfile $CRLFILE
+
+CRLCACMD="env DIR=$TLSDIR CN=ca-net-snp.org openssl ca"
+CRLARGS="-config $TLSDIR/.openssl.conf -keyfile $TLSDIR/private/ca-net-snmp.org.key -cert $TLSDIR/ca-certs/ca-net-snmp.org.crt"
+
+# generate the initial CRL
+touch $TLSDIR/.index
+echo "01" > $TLSDIR/.crlnumber
+CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"
+
+#
+# put the second client into the CRL and it shouldn't work
+#
+CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpapp2.crt $CRLARGS -out $CRLFILE"
+CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"
+
+
+######################################################################
+# Run the actual list of tests
+#
+
+# start the agent up
+FLAGS="-Dtls -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
+AGENT_FLAGS="-Dtls"
+STARTAGENT
+
+# using user 1 - a common name mapped certificate
+# (using the default "snmpapp" certificate because we don't specify another)
+CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
+
+CHECK ".1.3.6.1.2.1.1.3.0 = Timeticks:"
+
+# using user 2 should now fail
+CAPTURE "snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
+
+CHECKCOUNT 0 ".1.3.6.1.2.1.1.3.0 = Timeticks:"
+CHECKAGENT "certificate revoked"
+
+#
+# now put the server's cert into the client crl file
+#
+CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpd.crt $CRLARGS"
+CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"
+
+# user 1 should now fail on the client side
+CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
+
+CHECK "certificate revoked"
+
+# cleanup
+STOPAGENT
+
+FINISHED
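Review bot: The CA common name in the `openssl ca` wrapper on line 63 is misspelled — `CN=ca-net-snp.org` — while every other reference (`genca` on line 28, `--with-ca` on lines 32/37/42, and the key and cert paths on line 64) uses `ca-net-snmp.org`; it should read `CRLCACMD="env DIR=$TLSDIR CN=ca-net-snmp.org openssl ca"`. Whether the mismatch changes the generated CRL depends on how `$TLSDIR/.openssl.conf` consumes `$CN`, which is not visible here, but a wrong name fed into certificate tooling is worth fixing before it is copied into other tests. Separately, the revocation check for snmpapp2 (lines 94–97) has no positive control: snmpapp2 is never shown to authenticate before it is revoked, so a broken `certSecName 10` mapping or `-T our_identity=snmpapp2` selection would also yield zero Timeticks lines and the test could pass for the wrong reason. Consider issuing a `snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.1.3.0` that is expected to succeed against the initial CRL from line 69 before the `-revoke` on line 74; that means starting (or restarting) the agent earlier, and would additionally exercise whether the agent picks up a regenerated CRL file. The stray `-out $CRLFILE` on the `-revoke` invocation on line 74 is also inconsistent with line 102 and can be dropped.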