Diffstat (limited to 'testing/fulltests/tls/STlsUsers')
-rw-r--r--testing/fulltests/tls/STlsUsers262
1 files changed, 262 insertions, 0 deletions
diff --git a/testing/fulltests/tls/STlsUsers b/testing/fulltests/tls/STlsUsers
new file mode 100644
index 0000000..2cb03a6
--- /dev/null
+++ b/testing/fulltests/tls/STlsUsers
@@ -0,0 +1,262 @@
+#!/bin/sh
+
+. STlsVars
+
+#########################################
+# CERTIFICATE SETUP
+#
+
+# produce the certificates to use
+
+# snmpd
+HOSTNAME=`hostname`
+CAPTURE $NSCERT gencert -t snmpd --cn $HOSTNAME $NSCERTARGS
+SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS`
+CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"
+
+# user
+CAPTURE $NSCERT gencert -t snmpapp --cn 'testuser' $NSCERTARGS
+TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"
+
+# user 1.5
+CAPTURE $NSCERT gencert -t snmpapp2 --cn 'testuser2' $NSCERTARGS
+TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser certificate"
+
+# user 2
+CAPTURE $NSCERT gencert -t otheruser --cn 'otheruser' $NSCERTARGS
+OTHERUSERFP=`$NSCERT showcerts --fingerprint --brief otheruser $NSCERTARGS`
+CHECKVALUEISNT "$OTHERUSERFP" "" "generated fingerprint for otheruser certificate"
+
+# user 3
+CAPTURE $NSCERT gencert -t invaliduser --cn 'invaliduser' $NSCERTARGS
+INVALIDUSERFP=`$NSCERT showcerts --fingerprint --brief invaliduser $NSCERTARGS`
+CHECKVALUEISNT "$INVALIDUSERFP" "" "generated fingerprint for otheruser certificate"
+
+# user 4
+CAPTURE $NSCERT gencert -t unmapped --cn 'unmapped' $NSCERTARGS
+UNMAPPEDFP=`$NSCERT showcerts --fingerprint --brief unmapped $NSCERTARGS`
+CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unmapped certificate"
+
+# user 5
+CAPTURE $NSCERT gencert -t mappeduser --cn 'mappeduser' $NSCERTARGS
+MAPPEDUSERFP=`$NSCERT showcerts --fingerprint --brief mappeduser $NSCERTARGS`
+CHECKVALUEISNT "$MAPPEDUSERFP" "" "generated fingerprint for mappeduser certificate"
+
+# user 6: SAN email
+CAPTURE $NSCERT gencert -t email --san email:foobaruser@example.com $NSCERTARGS
+EMAILUSERFP=`$NSCERT showcerts --fingerprint --brief email $NSCERTARGS`
+CHECKVALUEISNT "$EMAILUSERFP" "" "generated fingerprint for email certificate"
+
+# user 7: SAN dns
+CAPTURE $NSCERT gencert -t dns --san DNS:foobar.example.com $NSCERTARGS
+DNSUSERFP=`$NSCERT showcerts --fingerprint --brief dns $NSCERTARGS`
+CHECKVALUEISNT "$DNSUSERFP" "" "generated fingerprint for dns certificate"
+
+# user 8: SAN IPv4
+CAPTURE $NSCERT gencert -t ipaddr --san IP:127.0.0.1 $NSCERTARGS
+IPUSERFP=`$NSCERT showcerts --fingerprint --brief ipaddr $NSCERTARGS`
+CHECKVALUEISNT "$IPUSERFP" "" "generated fingerprint for ipaddr certificate"
+
+# user 8.1: afile
+CAPTURE $NSCERT gencert -t afile --cn afileuser $NSCERTARGS
+AFILEUSERFP=`$NSCERT showcerts --fingerprint --brief afile $NSCERTARGS`
+CHECKVALUEISNT "$AFILEUSERFP" "" "generated fingerprint for afile certificate"
+
+
+# CA certificate
+
+CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS
+CAFP=`$NSCERT showcas --fingerprint --brief ca-net-snmp.org $NSCERTARGS`
+CHECKVALUEISNT "$CAFP" "" "generated fingerprint for ca-net-snmp.org certificate"
+
+# user 9: CA signed user cert
+CAPTURE $NSCERT gencert -t causer --with-ca ca-net-snmp.org --san email:user9@test.net-snmp.org --email user9@test.net-snmp.org $NSCERTARGS
+CAUSERFP=`$NSCERT showcerts --fingerprint --brief causer $NSCERTARGS`
+CHECKVALUEISNT "$CAUSERFP" "" "generated fingerprint for causer certificate"
+
+CAPTURE $NSCERT gencert -t cadirect9b --with-ca ca-net-snmp.org --san email:user9b@test.net-snmp.org --email user9b@test.net-snmp.org $NSCERTARGS
+CADIRECTFP=`$NSCERT showcerts --fingerprint --brief cadirect9b $NSCERTARGS`
+CHECKVALUEISNT "$CADIRECTFP" "" "generated fingerprint for cadirect certificate"
+
+CAPTURE $NSCERT genca --cn ca2-net-snmp.org $NSCERTARGS
+CA2FP=`$NSCERT showcas --fingerprint --brief ca2-net-snmp.org $NSCERTARGS`
+CHECKVALUEISNT "$CA2FP" "" "generated fingerprint for ca2-net-snmp.org certificate"
+
+CAPTURE $NSCERT gencert -t cadirect9c --with-ca ca2-net-snmp.org --san email:user9c@test.net-snmp.org --email user9c@test.net-snmp.org $NSCERTARGS
+CADIRECT9CFP=`$NSCERT showcerts --fingerprint --brief cadirect9c $NSCERTARGS`
+CHECKVALUEISNT "$CADIRECT9CFP" "" "generated fingerprint for cadirect9c certificate"
+
+CAPTURE $NSCERT gencert -t cadirect9d --with-ca ca2-net-snmp.org --san email:user9d@test.net-snmp.org --email user9d@test.net-snmp.org $NSCERTARGS
+CADIRECT9DFP=`$NSCERT showcerts --fingerprint --brief cadirect9d $NSCERTARGS`
+CHECKVALUEISNT "$CADIRECT9DFP" "" "generated fingerprint for cadirect9d certificate"
+
+#########################################
+# AGENT CONFIGURATION
+#
+
+CONFIGAGENT '[snmp]' debugTokens tsm
+# ,tls,ssl,cert,tsm
+CONFIGAGENT '[snmp]' doDebugging 1
+CONFIGAGENT '[snmp]' logTimestamp 1
+CONFIGAGENT '[snmp]' serverCert $SERVERFP
+
+CONFIGAGENT '[snmp]' trustCert $CAFP
+CONFIGAGENT '[snmp]' trustCert $CADIRECT9CFP
+
+# common name mappings
+CONFIGAGENT certSecName 9 $TESTUSERFP --cn
+CONFIGAGENT certSecName 10 $TESTUSER2FP --cn
+CONFIGAGENT certSecName 11 $OTHERUSERFP --cn
+CONFIGAGENT certSecName 12 $INVALIDUSERFP --cn
+
+CONFIGAGENT certSecName 20 $MAPPEDUSERFP --sn aftermapping
+CONFIGAGENT certSecName 21 $EMAILUSERFP --rfc822
+CONFIGAGENT certSecName 22 $DNSUSERFP --dns
+CONFIGAGENT certSecName 23 $IPUSERFP --ip
+CONFIGAGENT certSecName 24 afile --cn
+
+CONFIGAGENT certSecName 100 $CAFP --rfc822
+CONFIGAGENT certSecName 101 $CADIRECTFP --sn causerdirectmap
+CONFIGAGENT certSecName 102 $CADIRECT9CFP --sn causerdirect9cmap
+# intentionally not mapped:
+#CONFIGAGENT certSecName 1001 $CADIRECT9DFP --sn causerdirect9dmap
+
+# *** INTENTIONALLY NOT MAPPING AT ALL: ***
+# CONFIGAGENT certSecName 1000 $UNMAPPEDFP ....
+
+CONFIGAPP serverCert $SERVERFP
+CONFIGAPP defSecurityModel tsm
+CONFIGAPP logTimestamp 1
+
+CONFIGAGENT rwuser -s tsm testuser authpriv
+CONFIGAGENT rwuser -s tsm testuser2 authpriv
+CONFIGAGENT rwuser -s tsm otheruser authpriv
+CONFIGAGENT rwuser -s tsm aftermapping authpriv
+
+CONFIGAGENT rwuser -s tsm foobaruser@example.com authpriv
+CONFIGAGENT rwuser -s tsm foobar.example.com authpriv
+CONFIGAGENT rwuser -s tsm 127.0.0.1 authpriv
+CONFIGAGENT rwuser -s tsm user8@test.net-snmp.org authpriv
+CONFIGAGENT rwuser -s tsm user9@test.net-snmp.org authpriv
+CONFIGAGENT rwuser -s tsm user10@test.net-snmp.org authpriv
+CONFIGAGENT rwuser -s tsm afileuser authpriv
+CONFIGAGENT rwuser -s tsm causerdirectmap authpriv
+CONFIGAGENT rwuser -s tsm causerdirect9cmap authpriv
+
+
+# this file contains tests common to both tls and dtls usages
+
+# start the agent up
+FLAGS="-Dtls -v3 -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
+
+STARTAGENT
+
+# shouldn't have config errors
+CHECKAGENTCOUNT 0 ": Error:"
+
+######################################################################
+# EXTENDED CERTIFICATE SETUP
+#
+# Perform more steps of configuration that should occur *after* the
+# agent has started in order to prevent it from having seen these
+# files ahead of time.
+
+# this user's fingerprint should not be recognized
+CAPTURE $NSCERT gencert -t unknownuser --san email:unknownuser@example.com $NSCERTARGS
+UNKNOWNUSER=`$NSCERT showcerts --fingerprint --brief unknownuser $NSCERTARGS`
+CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unknownuser certificate"
+
+# this user's fingerprint should not be directly recognized, but it's
+# CA should.
+
+# user 10: CA signed cert
+CAPTURE $NSCERT gencert -D -t unknowncauser --cn unknowncauser@net-snmp.org --email unknowncauser@net-snmp.org --with-ca ca-net-snmp.org --san email:user10@test.net-snmp.org $NSCERTARGS
+UNKNOWNCAUSERFP=`$NSCERT showcerts --fingerprint --brief unknowncauser $NSCERTARGS`
+CHECKVALUEISNT "$UNKNOWNCAUSERFP" "" "generated fingerprint for unknowncauser certificate"
+
+######################################################################
+# ACTUAL TESTS
+#
+# Run the actual list of tests
+#
+
+# using user 1 - a common name mapped certificate
+# (using the default "snmpapp" certificate because we don't specify another)
+DOSETTEST user1SnmpApp "$FLAGS"
+
+# now rerun the test after specifying our default using the (same) fingerprint
+CONFIGAPP clientCert $TESTUSER2FP
+DOSETTEST user1ClientPub "$FLAGS"
+
+# using user 2 - a common name mapped certificate with a direct -T FP request
+DOSETTEST user2DashTFPFlag "-T our_identity=$OTHERUSERFP $FLAGS"
+
+CHECKAGENTCOUNT 4 "otheruser"
+
+# using user 2, specifying the file name instead of the fingerprint
+DOSETTEST user2DashTFileFlag "-T our_identity=otheruser $FLAGS"
+
+CHECKAGENTCOUNT 8 "otheruser"
+
+# using user 3 - an invalid certificate (mapped but not authorized)
+DOFAILSETTEST "invalidUnauthorizedCert" "-T our_identity=$INVALIDUSERFP $FLAGS"
+
+CHECK "authorizationError"
+
+# using user 4 - an unmapped certificate
+DOFAILSETTEST "unmappedCertificate" "-T our_identity=$UNMAPPEDFP $FLAGS"
+
+CHECK "failed rfc5343"
+
+# Check *their* certificate with a different one than expected; should fail
+DOFAILSETTEST "incorectServerCertificate" "-r 0 -T our_identity=$OTHERUSERFP -T their_identity=$OTHERUSERFP $FLAGS"
+
+CHECK "failed to verify ssl certificate"
+
+# using user 5 - a completely remapped certificate (direct specified secname)
+DOSETTEST user5RemappedSecname "-T our_identity=$MAPPEDUSERFP $FLAGS"
+
+# using user 6 - a subjectAltName=email certificate mapping
+DOSETTEST user6SANEmail "-T our_identity=$EMAILUSERFP $FLAGS"
+
+# using user 7 - a subjectAltName=dns certificate mapping
+DOSETTEST user7SANDNS "-T our_identity=$DNSUSERFP $FLAGS"
+
+# using user 8 - a subjectAltName=ipv4 certificate mapping
+DOSETTEST user8SANIP "-T our_identity=$IPUSERFP $FLAGS"
+
+# using user 8 - test that certmapping works from a local filename
+DOSETTEST afileuser "-T our_identity=afile $FLAGS"
+
+# using user 9 - a CA signed certificate
+DOSETTEST user9CASignedCert "-T our_identity=$CAUSERFP -T trust_cert=$CAFP $FLAGS"
+
+# using user 9b - a CA signed certificate with a user-based fp mapping
+DOSETTEST user9bCASignedDirectMap "-T our_identity=$CADIRECTFP $FLAGS"
+
+# using user 9c - a CA2 signed certificate with a user-based fp mapping
+DOSETTEST user9cCASignedDirectMap "-T our_identity=$CADIRECT9CFP $FLAGS"
+
+# using user 9d - a CA2 signed certificate no user-based fp mapping
+DOFAILSETTEST user9dCASignedDirectMap "-T our_identity=$CADIRECT9DFP $FLAGS"
+
+# using user unknown - the server will not have seen this fingerprint at all
+CAPTURE "snmpget -T our_identity=$UNKNOWNUSER -T trust_cert=$CAFP $FLAGS .1.3.6.1.2.1.1.6.0"
+
+# different types of failure messaages for tls/dtls...
+if [ $SNMP_TRANSPORT_SPEC = dtlsudp ]; then
+ CHECK "failed rfc5343 contextEngineID probing"
+ CHECKAGENTCOUNT 1 "TLS Error: no certificate returned"
+else
+ CHECK "failed to ssl_connect"
+ CHECKAGENTCOUNT 1 "Failed SSL_accept"
+fi
+
+# using the user without a known fingerprint but with a known CA
+DOSETTEST userNewFromCA " -T trust_cert=$CAFP -T our_identity=$UNKNOWNCAUSERFP $FLAGS"
+
+STOPAGENT
+
+FINISHED
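Review bot: The fingerprint check that follows `UNKNOWNUSER=\`$NSCERT showcerts ... unknownuser ...\`` in the EXTENDED CERTIFICATE SETUP section tests the wrong variable — it re-checks `$UNMAPPEDFP` (already verified earlier), so a failed gencert/showcerts for unknownuser goes undetected. The later negative test `CAPTURE "snmpget -T our_identity=$UNKNOWNUSER ..."` would then run with an empty identity and its expected "failed to ssl_connect" / "no certificate returned" outcome could be produced by a missing cert rather than by an unrecognized fingerprint, which is the property the test is meant to prove. Change the line to `CHECKVALUEISNT "$UNKNOWNUSER" "" "generated fingerprint for unknownuser certificate"` (or rename the variable to `UNKNOWNUSERFP` for consistency with the other fingerprint variables and update the snmpget line). The CHECKVALUEISNT labels for the testuser2 and invaliduser certificates also still read "testuser" and "otheruser", which makes a failure report point at the wrong certificate; `"generated fingerprint for testuser2 certificate"` and `"generated fingerprint for invaliduser certificate"` would fix those.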