#!/bin/sh . STlsVars ######################################### # CERTIFICATE SETUP # # produce the certificates to use # snmpd HOSTNAME=`hostname` CAPTURE $NSCERT gencert -t snmpd --cn $HOSTNAME $NSCERTARGS SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS` CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate" # user CAPTURE $NSCERT gencert -t snmpapp --cn 'testuser' $NSCERTARGS TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS` CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate" # user 1.5 CAPTURE $NSCERT gencert -t snmpapp2 --cn 'testuser2' $NSCERTARGS TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS` CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser certificate" # user 2 CAPTURE $NSCERT gencert -t otheruser --cn 'otheruser' $NSCERTARGS OTHERUSERFP=`$NSCERT showcerts --fingerprint --brief otheruser $NSCERTARGS` CHECKVALUEISNT "$OTHERUSERFP" "" "generated fingerprint for otheruser certificate" # user 3 CAPTURE $NSCERT gencert -t invaliduser --cn 'invaliduser' $NSCERTARGS INVALIDUSERFP=`$NSCERT showcerts --fingerprint --brief invaliduser $NSCERTARGS` CHECKVALUEISNT "$INVALIDUSERFP" "" "generated fingerprint for otheruser certificate" # user 4 CAPTURE $NSCERT gencert -t unmapped --cn 'unmapped' $NSCERTARGS UNMAPPEDFP=`$NSCERT showcerts --fingerprint --brief unmapped $NSCERTARGS` CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unmapped certificate" # user 5 CAPTURE $NSCERT gencert -t mappeduser --cn 'mappeduser' $NSCERTARGS MAPPEDUSERFP=`$NSCERT showcerts --fingerprint --brief mappeduser $NSCERTARGS` CHECKVALUEISNT "$MAPPEDUSERFP" "" "generated fingerprint for mappeduser certificate" # user 6: SAN email CAPTURE $NSCERT gencert -t email --san email:foobaruser@example.com $NSCERTARGS EMAILUSERFP=`$NSCERT showcerts --fingerprint --brief email $NSCERTARGS` CHECKVALUEISNT "$EMAILUSERFP" "" "generated fingerprint for email certificate" # user 7: SAN dns CAPTURE $NSCERT gencert -t dns --san DNS:foobar.example.com $NSCERTARGS DNSUSERFP=`$NSCERT showcerts --fingerprint --brief dns $NSCERTARGS` CHECKVALUEISNT "$DNSUSERFP" "" "generated fingerprint for dns certificate" # user 8: SAN IPv4 CAPTURE $NSCERT gencert -t ipaddr --san IP:127.0.0.1 $NSCERTARGS IPUSERFP=`$NSCERT showcerts --fingerprint --brief ipaddr $NSCERTARGS` CHECKVALUEISNT "$IPUSERFP" "" "generated fingerprint for ipaddr certificate" # user 8.1: afile CAPTURE $NSCERT gencert -t afile --cn afileuser $NSCERTARGS AFILEUSERFP=`$NSCERT showcerts --fingerprint --brief afile $NSCERTARGS` CHECKVALUEISNT "$AFILEUSERFP" "" "generated fingerprint for afile certificate" # CA certificate CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS CAFP=`$NSCERT showcas --fingerprint --brief ca-net-snmp.org $NSCERTARGS` CHECKVALUEISNT "$CAFP" "" "generated fingerprint for ca-net-snmp.org certificate" # user 9: CA signed user cert CAPTURE $NSCERT gencert -t causer --with-ca ca-net-snmp.org --san email:user9@test.net-snmp.org --email user9@test.net-snmp.org $NSCERTARGS CAUSERFP=`$NSCERT showcerts --fingerprint --brief causer $NSCERTARGS` CHECKVALUEISNT "$CAUSERFP" "" "generated fingerprint for causer certificate" CAPTURE $NSCERT gencert -t cadirect9b --with-ca ca-net-snmp.org --san email:user9b@test.net-snmp.org --email user9b@test.net-snmp.org $NSCERTARGS CADIRECTFP=`$NSCERT showcerts --fingerprint --brief cadirect9b $NSCERTARGS` CHECKVALUEISNT "$CADIRECTFP" "" "generated fingerprint for cadirect certificate" CAPTURE $NSCERT genca --cn ca2-net-snmp.org $NSCERTARGS CA2FP=`$NSCERT showcas --fingerprint --brief ca2-net-snmp.org $NSCERTARGS` CHECKVALUEISNT "$CA2FP" "" "generated fingerprint for ca2-net-snmp.org certificate" CAPTURE $NSCERT gencert -t cadirect9c --with-ca ca2-net-snmp.org --san email:user9c@test.net-snmp.org --email user9c@test.net-snmp.org $NSCERTARGS CADIRECT9CFP=`$NSCERT showcerts --fingerprint --brief cadirect9c $NSCERTARGS` CHECKVALUEISNT "$CADIRECT9CFP" "" "generated fingerprint for cadirect9c certificate" CAPTURE $NSCERT gencert -t cadirect9d --with-ca ca2-net-snmp.org --san email:user9d@test.net-snmp.org --email user9d@test.net-snmp.org $NSCERTARGS CADIRECT9DFP=`$NSCERT showcerts --fingerprint --brief cadirect9d $NSCERTARGS` CHECKVALUEISNT "$CADIRECT9DFP" "" "generated fingerprint for cadirect9d certificate" ######################################### # AGENT CONFIGURATION # CONFIGAGENT '[snmp]' debugTokens tsm # ,tls,ssl,cert,tsm CONFIGAGENT '[snmp]' doDebugging 1 CONFIGAGENT '[snmp]' logTimestamp 1 CONFIGAGENT '[snmp]' serverCert $SERVERFP CONFIGAGENT '[snmp]' trustCert $CAFP CONFIGAGENT '[snmp]' trustCert $CADIRECT9CFP # common name mappings CONFIGAGENT certSecName 9 $TESTUSERFP --cn CONFIGAGENT certSecName 10 $TESTUSER2FP --cn CONFIGAGENT certSecName 11 $OTHERUSERFP --cn CONFIGAGENT certSecName 12 $INVALIDUSERFP --cn CONFIGAGENT certSecName 20 $MAPPEDUSERFP --sn aftermapping CONFIGAGENT certSecName 21 $EMAILUSERFP --rfc822 CONFIGAGENT certSecName 22 $DNSUSERFP --dns CONFIGAGENT certSecName 23 $IPUSERFP --ip CONFIGAGENT certSecName 24 afile --cn CONFIGAGENT certSecName 100 $CAFP --rfc822 CONFIGAGENT certSecName 101 $CADIRECTFP --sn causerdirectmap CONFIGAGENT certSecName 102 $CADIRECT9CFP --sn causerdirect9cmap # intentionally not mapped: #CONFIGAGENT certSecName 1001 $CADIRECT9DFP --sn causerdirect9dmap # *** INTENTIONALLY NOT MAPPING AT ALL: *** # CONFIGAGENT certSecName 1000 $UNMAPPEDFP .... CONFIGAPP serverCert $SERVERFP CONFIGAPP defSecurityModel tsm CONFIGAPP logTimestamp 1 CONFIGAGENT rwuser -s tsm testuser authpriv CONFIGAGENT rwuser -s tsm testuser2 authpriv CONFIGAGENT rwuser -s tsm otheruser authpriv CONFIGAGENT rwuser -s tsm aftermapping authpriv CONFIGAGENT rwuser -s tsm foobaruser@example.com authpriv CONFIGAGENT rwuser -s tsm foobar.example.com authpriv CONFIGAGENT rwuser -s tsm 127.0.0.1 authpriv CONFIGAGENT rwuser -s tsm user8@test.net-snmp.org authpriv CONFIGAGENT rwuser -s tsm user9@test.net-snmp.org authpriv CONFIGAGENT rwuser -s tsm user10@test.net-snmp.org authpriv CONFIGAGENT rwuser -s tsm afileuser authpriv CONFIGAGENT rwuser -s tsm causerdirectmap authpriv CONFIGAGENT rwuser -s tsm causerdirect9cmap authpriv # this file contains tests common to both tls and dtls usages # start the agent up FLAGS="-Dtls -v3 -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT" STARTAGENT # shouldn't have config errors CHECKAGENTCOUNT 0 ": Error:" ###################################################################### # EXTENDED CERTIFICATE SETUP # # Perform more steps of configuration that should occur *after* the # agent has started in order to prevent it from having seen these # files ahead of time. # this user's fingerprint should not be recognized CAPTURE $NSCERT gencert -t unknownuser --san email:unknownuser@example.com $NSCERTARGS UNKNOWNUSER=`$NSCERT showcerts --fingerprint --brief unknownuser $NSCERTARGS` CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unknownuser certificate" # this user's fingerprint should not be directly recognized, but it's # CA should. # user 10: CA signed cert CAPTURE $NSCERT gencert -D -t unknowncauser --cn unknowncauser@net-snmp.org --email unknowncauser@net-snmp.org --with-ca ca-net-snmp.org --san email:user10@test.net-snmp.org $NSCERTARGS UNKNOWNCAUSERFP=`$NSCERT showcerts --fingerprint --brief unknowncauser $NSCERTARGS` CHECKVALUEISNT "$UNKNOWNCAUSERFP" "" "generated fingerprint for unknowncauser certificate" ###################################################################### # ACTUAL TESTS # # Run the actual list of tests # # using user 1 - a common name mapped certificate # (using the default "snmpapp" certificate because we don't specify another) DOSETTEST user1SnmpApp "$FLAGS" # now rerun the test after specifying our default using the (same) fingerprint CONFIGAPP clientCert $TESTUSER2FP DOSETTEST user1ClientPub "$FLAGS" # using user 2 - a common name mapped certificate with a direct -T FP request DOSETTEST user2DashTFPFlag "-T our_identity=$OTHERUSERFP $FLAGS" CHECKAGENTCOUNT 4 "otheruser" # using user 2, specifying the file name instead of the fingerprint DOSETTEST user2DashTFileFlag "-T our_identity=otheruser $FLAGS" CHECKAGENTCOUNT 8 "otheruser" # using user 3 - an invalid certificate (mapped but not authorized) DOFAILSETTEST "invalidUnauthorizedCert" "-T our_identity=$INVALIDUSERFP $FLAGS" CHECK "authorizationError" # using user 4 - an unmapped certificate DOFAILSETTEST "unmappedCertificate" "-T our_identity=$UNMAPPEDFP $FLAGS" CHECK "failed rfc5343" # Check *their* certificate with a different one than expected; should fail DOFAILSETTEST "incorectServerCertificate" "-r 0 -T our_identity=$OTHERUSERFP -T their_identity=$OTHERUSERFP $FLAGS" CHECK "failed to verify ssl certificate" # using user 5 - a completely remapped certificate (direct specified secname) DOSETTEST user5RemappedSecname "-T our_identity=$MAPPEDUSERFP $FLAGS" # using user 6 - a subjectAltName=email certificate mapping DOSETTEST user6SANEmail "-T our_identity=$EMAILUSERFP $FLAGS" # using user 7 - a subjectAltName=dns certificate mapping DOSETTEST user7SANDNS "-T our_identity=$DNSUSERFP $FLAGS" # using user 8 - a subjectAltName=ipv4 certificate mapping DOSETTEST user8SANIP "-T our_identity=$IPUSERFP $FLAGS" # using user 8 - test that certmapping works from a local filename DOSETTEST afileuser "-T our_identity=afile $FLAGS" # using user 9 - a CA signed certificate DOSETTEST user9CASignedCert "-T our_identity=$CAUSERFP -T trust_cert=$CAFP $FLAGS" # using user 9b - a CA signed certificate with a user-based fp mapping DOSETTEST user9bCASignedDirectMap "-T our_identity=$CADIRECTFP $FLAGS" # using user 9c - a CA2 signed certificate with a user-based fp mapping DOSETTEST user9cCASignedDirectMap "-T our_identity=$CADIRECT9CFP $FLAGS" # using user 9d - a CA2 signed certificate no user-based fp mapping DOFAILSETTEST user9dCASignedDirectMap "-T our_identity=$CADIRECT9DFP $FLAGS" # using user unknown - the server will not have seen this fingerprint at all CAPTURE "snmpget -T our_identity=$UNKNOWNUSER -T trust_cert=$CAFP $FLAGS .1.3.6.1.2.1.1.6.0" # different types of failure messaages for tls/dtls... if [ $SNMP_TRANSPORT_SPEC = dtlsudp ]; then CHECK "failed rfc5343 contextEngineID probing" CHECKAGENTCOUNT 1 "TLS Error: no certificate returned" else CHECK "failed to ssl_connect" CHECKAGENTCOUNT 1 "Failed SSL_accept" fi # using the user without a known fingerprint but with a known CA DOSETTEST userNewFromCA " -T trust_cert=$CAFP -T our_identity=$UNKNOWNCAUSERFP $FLAGS" STOPAGENT FINISHED