#!/bin/sh
. STlsVars
#########################################
# CERTIFICATE SETUP
#
# produce the certificates to use
# snmpd
HOSTNAME=`hostname`
CAPTURE $NSCERT gencert -t snmpd --cn $HOSTNAME $NSCERTARGS
SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS`
CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"
# user
CAPTURE $NSCERT gencert -t snmpapp --cn 'testuser' $NSCERTARGS
TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS`
CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"
# user 1.5
CAPTURE $NSCERT gencert -t snmpapp2 --cn 'testuser2' $NSCERTARGS
TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS`
CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser certificate"
# user 2
CAPTURE $NSCERT gencert -t otheruser --cn 'otheruser' $NSCERTARGS
OTHERUSERFP=`$NSCERT showcerts --fingerprint --brief otheruser $NSCERTARGS`
CHECKVALUEISNT "$OTHERUSERFP" "" "generated fingerprint for otheruser certificate"
# user 3
CAPTURE $NSCERT gencert -t invaliduser --cn 'invaliduser' $NSCERTARGS
INVALIDUSERFP=`$NSCERT showcerts --fingerprint --brief invaliduser $NSCERTARGS`
CHECKVALUEISNT "$INVALIDUSERFP" "" "generated fingerprint for otheruser certificate"
# user 4
CAPTURE $NSCERT gencert -t unmapped --cn 'unmapped' $NSCERTARGS
UNMAPPEDFP=`$NSCERT showcerts --fingerprint --brief unmapped $NSCERTARGS`
CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unmapped certificate"
# user 5
CAPTURE $NSCERT gencert -t mappeduser --cn 'mappeduser' $NSCERTARGS
MAPPEDUSERFP=`$NSCERT showcerts --fingerprint --brief mappeduser $NSCERTARGS`
CHECKVALUEISNT "$MAPPEDUSERFP" "" "generated fingerprint for mappeduser certificate"
# user 6: SAN email
CAPTURE $NSCERT gencert -t email --san email:foobaruser@example.com $NSCERTARGS
EMAILUSERFP=`$NSCERT showcerts --fingerprint --brief email $NSCERTARGS`
CHECKVALUEISNT "$EMAILUSERFP" "" "generated fingerprint for email certificate"
# user 7: SAN dns
CAPTURE $NSCERT gencert -t dns --san DNS:foobar.example.com $NSCERTARGS
DNSUSERFP=`$NSCERT showcerts --fingerprint --brief dns $NSCERTARGS`
CHECKVALUEISNT "$DNSUSERFP" "" "generated fingerprint for dns certificate"
# user 8: SAN IPv4
CAPTURE $NSCERT gencert -t ipaddr --san IP:127.0.0.1 $NSCERTARGS
IPUSERFP=`$NSCERT showcerts --fingerprint --brief ipaddr $NSCERTARGS`
CHECKVALUEISNT "$IPUSERFP" "" "generated fingerprint for ipaddr certificate"
# user 8.1: afile
CAPTURE $NSCERT gencert -t afile --cn afileuser $NSCERTARGS
AFILEUSERFP=`$NSCERT showcerts --fingerprint --brief afile $NSCERTARGS`
CHECKVALUEISNT "$AFILEUSERFP" "" "generated fingerprint for afile certificate"
# CA certificate
CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS
CAFP=`$NSCERT showcas --fingerprint --brief ca-net-snmp.org $NSCERTARGS`
CHECKVALUEISNT "$CAFP" "" "generated fingerprint for ca-net-snmp.org certificate"
# user 9: CA signed user cert
CAPTURE $NSCERT gencert -t causer --with-ca ca-net-snmp.org --san email:user9@test.net-snmp.org --email user9@test.net-snmp.org $NSCERTARGS
CAUSERFP=`$NSCERT showcerts --fingerprint --brief causer $NSCERTARGS`
CHECKVALUEISNT "$CAUSERFP" "" "generated fingerprint for causer certificate"
CAPTURE $NSCERT gencert -t cadirect9b --with-ca ca-net-snmp.org --san email:user9b@test.net-snmp.org --email user9b@test.net-snmp.org $NSCERTARGS
CADIRECTFP=`$NSCERT showcerts --fingerprint --brief cadirect9b $NSCERTARGS`
CHECKVALUEISNT "$CADIRECTFP" "" "generated fingerprint for cadirect certificate"
CAPTURE $NSCERT genca --cn ca2-net-snmp.org $NSCERTARGS
CA2FP=`$NSCERT showcas --fingerprint --brief ca2-net-snmp.org $NSCERTARGS`
CHECKVALUEISNT "$CA2FP" "" "generated fingerprint for ca2-net-snmp.org certificate"
CAPTURE $NSCERT gencert -t cadirect9c --with-ca ca2-net-snmp.org --san email:user9c@test.net-snmp.org --email user9c@test.net-snmp.org $NSCERTARGS
CADIRECT9CFP=`$NSCERT showcerts --fingerprint --brief cadirect9c $NSCERTARGS`
CHECKVALUEISNT "$CADIRECT9CFP" "" "generated fingerprint for cadirect9c certificate"
CAPTURE $NSCERT gencert -t cadirect9d --with-ca ca2-net-snmp.org --san email:user9d@test.net-snmp.org --email user9d@test.net-snmp.org $NSCERTARGS
CADIRECT9DFP=`$NSCERT showcerts --fingerprint --brief cadirect9d $NSCERTARGS`
CHECKVALUEISNT "$CADIRECT9DFP" "" "generated fingerprint for cadirect9d certificate"
#########################################
# AGENT CONFIGURATION
#
CONFIGAGENT '[snmp]' debugTokens tsm
# ,tls,ssl,cert,tsm
CONFIGAGENT '[snmp]' doDebugging 1
CONFIGAGENT '[snmp]' logTimestamp 1
CONFIGAGENT '[snmp]' serverCert $SERVERFP
CONFIGAGENT '[snmp]' trustCert $CAFP
CONFIGAGENT '[snmp]' trustCert $CADIRECT9CFP
# common name mappings
CONFIGAGENT certSecName 9 $TESTUSERFP --cn
CONFIGAGENT certSecName 10 $TESTUSER2FP --cn
CONFIGAGENT certSecName 11 $OTHERUSERFP --cn
CONFIGAGENT certSecName 12 $INVALIDUSERFP --cn
CONFIGAGENT certSecName 20 $MAPPEDUSERFP --sn aftermapping
CONFIGAGENT certSecName 21 $EMAILUSERFP --rfc822
CONFIGAGENT certSecName 22 $DNSUSERFP --dns
CONFIGAGENT certSecName 23 $IPUSERFP --ip
CONFIGAGENT certSecName 24 afile --cn
CONFIGAGENT certSecName 100 $CAFP --rfc822
CONFIGAGENT certSecName 101 $CADIRECTFP --sn causerdirectmap
CONFIGAGENT certSecName 102 $CADIRECT9CFP --sn causerdirect9cmap
# intentionally not mapped:
#CONFIGAGENT certSecName 1001 $CADIRECT9DFP --sn causerdirect9dmap
# *** INTENTIONALLY NOT MAPPING AT ALL: ***
# CONFIGAGENT certSecName 1000 $UNMAPPEDFP ....
CONFIGAPP serverCert $SERVERFP
CONFIGAPP defSecurityModel tsm
CONFIGAPP logTimestamp 1
CONFIGAGENT rwuser -s tsm testuser authpriv
CONFIGAGENT rwuser -s tsm testuser2 authpriv
CONFIGAGENT rwuser -s tsm otheruser authpriv
CONFIGAGENT rwuser -s tsm aftermapping authpriv
CONFIGAGENT rwuser -s tsm foobaruser@example.com authpriv
CONFIGAGENT rwuser -s tsm foobar.example.com authpriv
CONFIGAGENT rwuser -s tsm 127.0.0.1 authpriv
CONFIGAGENT rwuser -s tsm user8@test.net-snmp.org authpriv
CONFIGAGENT rwuser -s tsm user9@test.net-snmp.org authpriv
CONFIGAGENT rwuser -s tsm user10@test.net-snmp.org authpriv
CONFIGAGENT rwuser -s tsm afileuser authpriv
CONFIGAGENT rwuser -s tsm causerdirectmap authpriv
CONFIGAGENT rwuser -s tsm causerdirect9cmap authpriv
# this file contains tests common to both tls and dtls usages
# start the agent up
FLAGS="-Dtls -v3 -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
STARTAGENT
# shouldn't have config errors
CHECKAGENTCOUNT 0 ": Error:"
######################################################################
# EXTENDED CERTIFICATE SETUP
#
# Perform more steps of configuration that should occur *after* the
# agent has started in order to prevent it from having seen these
# files ahead of time.
# this user's fingerprint should not be recognized
CAPTURE $NSCERT gencert -t unknownuser --san email:unknownuser@example.com $NSCERTARGS
UNKNOWNUSER=`$NSCERT showcerts --fingerprint --brief unknownuser $NSCERTARGS`
CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unknownuser certificate"
# this user's fingerprint should not be directly recognized, but it's
# CA should.
# user 10: CA signed cert
CAPTURE $NSCERT gencert -D -t unknowncauser --cn unknowncauser@net-snmp.org --email unknowncauser@net-snmp.org --with-ca ca-net-snmp.org --san email:user10@test.net-snmp.org $NSCERTARGS
UNKNOWNCAUSERFP=`$NSCERT showcerts --fingerprint --brief unknowncauser $NSCERTARGS`
CHECKVALUEISNT "$UNKNOWNCAUSERFP" "" "generated fingerprint for unknowncauser certificate"
######################################################################
# ACTUAL TESTS
#
# Run the actual list of tests
#
# using user 1 - a common name mapped certificate
# (using the default "snmpapp" certificate because we don't specify another)
DOSETTEST user1SnmpApp "$FLAGS"
# now rerun the test after specifying our default using the (same) fingerprint
CONFIGAPP clientCert $TESTUSER2FP
DOSETTEST user1ClientPub "$FLAGS"
# using user 2 - a common name mapped certificate with a direct -T FP request
DOSETTEST user2DashTFPFlag "-T our_identity=$OTHERUSERFP $FLAGS"
CHECKAGENTCOUNT 4 "otheruser"
# using user 2, specifying the file name instead of the fingerprint
DOSETTEST user2DashTFileFlag "-T our_identity=otheruser $FLAGS"
CHECKAGENTCOUNT 8 "otheruser"
# using user 3 - an invalid certificate (mapped but not authorized)
DOFAILSETTEST "invalidUnauthorizedCert" "-T our_identity=$INVALIDUSERFP $FLAGS"
CHECK "authorizationError"
# using user 4 - an unmapped certificate
DOFAILSETTEST "unmappedCertificate" "-T our_identity=$UNMAPPEDFP $FLAGS"
CHECK "failed rfc5343"
# Check *their* certificate with a different one than expected; should fail
DOFAILSETTEST "incorectServerCertificate" "-r 0 -T our_identity=$OTHERUSERFP -T their_identity=$OTHERUSERFP $FLAGS"
CHECK "failed to verify ssl certificate"
# using user 5 - a completely remapped certificate (direct specified secname)
DOSETTEST user5RemappedSecname "-T our_identity=$MAPPEDUSERFP $FLAGS"
# using user 6 - a subjectAltName=email certificate mapping
DOSETTEST user6SANEmail "-T our_identity=$EMAILUSERFP $FLAGS"
# using user 7 - a subjectAltName=dns certificate mapping
DOSETTEST user7SANDNS "-T our_identity=$DNSUSERFP $FLAGS"
# using user 8 - a subjectAltName=ipv4 certificate mapping
DOSETTEST user8SANIP "-T our_identity=$IPUSERFP $FLAGS"
# using user 8 - test that certmapping works from a local filename
DOSETTEST afileuser "-T our_identity=afile $FLAGS"
# using user 9 - a CA signed certificate
DOSETTEST user9CASignedCert "-T our_identity=$CAUSERFP -T trust_cert=$CAFP $FLAGS"
# using user 9b - a CA signed certificate with a user-based fp mapping
DOSETTEST user9bCASignedDirectMap "-T our_identity=$CADIRECTFP $FLAGS"
# using user 9c - a CA2 signed certificate with a user-based fp mapping
DOSETTEST user9cCASignedDirectMap "-T our_identity=$CADIRECT9CFP $FLAGS"
# using user 9d - a CA2 signed certificate no user-based fp mapping
DOFAILSETTEST user9dCASignedDirectMap "-T our_identity=$CADIRECT9DFP $FLAGS"
# using user unknown - the server will not have seen this fingerprint at all
CAPTURE "snmpget -T our_identity=$UNKNOWNUSER -T trust_cert=$CAFP $FLAGS .1.3.6.1.2.1.1.6.0"
# different types of failure messaages for tls/dtls...
if [ $SNMP_TRANSPORT_SPEC = dtlsudp ]; then
CHECK "failed rfc5343 contextEngineID probing"
CHECKAGENTCOUNT 1 "TLS Error: no certificate returned"
else
CHECK "failed to ssl_connect"
CHECKAGENTCOUNT 1 "Failed SSL_accept"
fi
# using the user without a known fingerprint but with a known CA
DOSETTEST userNewFromCA " -T trust_cert=$CAFP -T our_identity=$UNKNOWNCAUSERFP $FLAGS"
STOPAGENT
FINISHED