Diffstat (limited to 'testing/fulltests/tls/SCrl')
-rw-r--r-- | testing/fulltests/tls/SCrl | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/testing/fulltests/tls/SCrl b/testing/fulltests/tls/SCrl
new file mode 100644
index 0000000..4167403
--- /dev/null
+++ b/testing/fulltests/tls/SCrl
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+. STlsVars
+
+# this file contains tests common to both tls and dtls usages
+
+TLSDIR=$SNMP_TMPDIR/tls
+
+#########################################
+# Create the certificates
+
+# create the ca
+CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS
+
+# snmpd
+HOSTNAME=`hostname`
+CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpd --cn $HOSTNAME $NSCERTARGS
+SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS`
+CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"
+
+# user
+CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp --cn 'testuser' $NSCERTARGS
+TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"
+
+# user2
+CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp2 --cn 'testuser2' $NSCERTARGS
+TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser2 certificate"
+
+########################################
+# Configure the .conf files
+
+CONFIGAPP serverCert $SERVERFP
+
+# common name mappings
+CONFIGAGENT certSecName 9 $TESTUSERFP --cn
+CONFIGAGENT certSecName 10 $TESTUSER2FP --cn
+CONFIGAGENT rwuser -s tsm testuser authpriv
+CONFIGAGENT rwuser -s tsm testuser2 authpriv
+
+CRLFILE=$SNMP_TMPDIR/crlfile.pem
+
+# configure the CRL locations
+CONFIGAGENT '[snmp]' x509crlfile $CRLFILE
+CONFIGAPP '[snmp]' x509crlfile $CRLFILE
+
+CRLCACMD="env DIR=$TLSDIR CN=ca-net-snp.org openssl ca"
+CRLARGS="-config $TLSDIR/.openssl.conf -keyfile $TLSDIR/private/ca-net-snmp.org.key -cert $TLSDIR/ca-certs/ca-net-snmp.org.crt"
+
+# generate the initial CRL
+touch $TLSDIR/.index
+echo "01" > $TLSDIR/.crlnumber
+CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"
+
+#
+# put the second client into the CRL and it shouldn't work
+#
+CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpapp2.crt $CRLARGS -out $CRLFILE"
+CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"
+
+
+######################################################################
+# Run the actual list of tests
+#
+
+# start the agent up
+FLAGS="-Dtls -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
+AGENT_FLAGS="-Dtls"
+STARTAGENT
+
+# using user 1 - a common name mapped certificate
+# (using the default "snmpapp" certificate because we don't specify another)
+CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
+
+CHECK ".1.3.6.1.2.1.1.3.0 = Timeticks:"
+
+# using user 2 should now fail
+CAPTURE "snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
+
+CHECKCOUNT 0 ".1.3.6.1.2.1.1.3.0 = Timeticks:"
+CHECKAGENT "certificate revoked"
+
+#
+# now put the server's cert into the client crl file
+#
+CAPTURE "$CRLCACMD -revoke $TLSDIR/certs/snmpd.crt $CRLARGS"
+CAPTURE "$CRLCACMD -gencrl $CRLARGS -out $CRLFILE"
+
+# user 1 should now fail on the client side
+CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"
+
+CHECK "certificate revoked"
+
+# cleanup
+STOPAGENT
+
+FINISHED
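Review bot: The `CRLCACMD` assignment sets `CN=ca-net-snp.org`, which is misspelled relative to the CA name `ca-net-snmp.org` used by every other line in this file (the `genca` call, the `--with-ca` arguments, and the `-keyfile`/`-cert` paths in `CRLARGS`). If `.openssl.conf` derives the CRL issuer name from `$CN` (that file is not in the hunk, so this is inferred), the generated CRL would not be attributable to the CA that signed the test certificates, and the "certificate revoked" checks could then pass or fail for the wrong reason; the line should read `CRLCACMD="env DIR=$TLSDIR CN=ca-net-snmp.org openssl ca"`. Separately, the first `-revoke` invocation (snmpapp2.crt) carries `-out $CRLFILE` while the second (snmpd.crt) does not; dropping `-out` from the first as well makes it explicit that the CRL file is only ever written by the `-gencrl` steps. A short comment above `CRLCACMD`, such as `# DIR/CN are consumed by $TLSDIR/.openssl.conf; they must match the CA generated above`, would make the coupling visible to the next maintainer.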