Diffstat (limited to 'testing/fulltests/tls/STlsUsers')
-rw-r--r-- | testing/fulltests/tls/STlsUsers | 262 |
1 files changed, 262 insertions, 0 deletions
diff --git a/testing/fulltests/tls/STlsUsers b/testing/fulltests/tls/STlsUsers
new file mode 100644
index 0000000..2cb03a6
--- /dev/null
+++ b/testing/fulltests/tls/STlsUsers
@@ -0,0 +1,262 @@
+#!/bin/sh
+
+. STlsVars
+
+#########################################
+# CERTIFICATE SETUP
+#
+
+# produce the certificates to use
+
+# snmpd
+HOSTNAME=`hostname`
+CAPTURE $NSCERT gencert -t snmpd --cn $HOSTNAME $NSCERTARGS
+SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd $NSCERTARGS`
+CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"
+
+# user
+CAPTURE $NSCERT gencert -t snmpapp --cn 'testuser' $NSCERTARGS
+TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"
+
+# user 1.5
+CAPTURE $NSCERT gencert -t snmpapp2 --cn 'testuser2' $NSCERTARGS
+TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS`
+CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser certificate"
+
+# user 2
+CAPTURE $NSCERT gencert -t otheruser --cn 'otheruser' $NSCERTARGS
+OTHERUSERFP=`$NSCERT showcerts --fingerprint --brief otheruser $NSCERTARGS`
+CHECKVALUEISNT "$OTHERUSERFP" "" "generated fingerprint for otheruser certificate"
+
+# user 3
+CAPTURE $NSCERT gencert -t invaliduser --cn 'invaliduser' $NSCERTARGS
+INVALIDUSERFP=`$NSCERT showcerts --fingerprint --brief invaliduser $NSCERTARGS`
+CHECKVALUEISNT "$INVALIDUSERFP" "" "generated fingerprint for otheruser certificate"
+
+# user 4
+CAPTURE $NSCERT gencert -t unmapped --cn 'unmapped' $NSCERTARGS
+UNMAPPEDFP=`$NSCERT showcerts --fingerprint --brief unmapped $NSCERTARGS`
+CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unmapped certificate"
+
+# user 5
+CAPTURE $NSCERT gencert -t mappeduser --cn 'mappeduser' $NSCERTARGS
+MAPPEDUSERFP=`$NSCERT showcerts --fingerprint --brief mappeduser $NSCERTARGS`
+CHECKVALUEISNT "$MAPPEDUSERFP" "" "generated fingerprint for mappeduser certificate"
+
+# user 6: SAN email
+CAPTURE $NSCERT gencert -t email --san email:foobaruser@example.com $NSCERTARGS
+EMAILUSERFP=`$NSCERT showcerts --fingerprint --brief email $NSCERTARGS`
+CHECKVALUEISNT "$EMAILUSERFP" "" "generated fingerprint for email certificate"
+
+# user 7: SAN dns
+CAPTURE $NSCERT gencert -t dns --san DNS:foobar.example.com $NSCERTARGS
+DNSUSERFP=`$NSCERT showcerts --fingerprint --brief dns $NSCERTARGS`
+CHECKVALUEISNT "$DNSUSERFP" "" "generated fingerprint for dns certificate"
+
+# user 8: SAN IPv4
+CAPTURE $NSCERT gencert -t ipaddr --san IP:127.0.0.1 $NSCERTARGS
+IPUSERFP=`$NSCERT showcerts --fingerprint --brief ipaddr $NSCERTARGS`
+CHECKVALUEISNT "$IPUSERFP" "" "generated fingerprint for ipaddr certificate"
+
+# user 8.1: afile
+CAPTURE $NSCERT gencert -t afile --cn afileuser $NSCERTARGS
+AFILEUSERFP=`$NSCERT showcerts --fingerprint --brief afile $NSCERTARGS`
+CHECKVALUEISNT "$AFILEUSERFP" "" "generated fingerprint for afile certificate"
+
+
+# CA certificate
+
+CAPTURE $NSCERT genca --cn ca-net-snmp.org $NSCERTARGS
+CAFP=`$NSCERT showcas --fingerprint --brief ca-net-snmp.org $NSCERTARGS`
+CHECKVALUEISNT "$CAFP" "" "generated fingerprint for ca-net-snmp.org certificate"
+
+# user 9: CA signed user cert
+CAPTURE $NSCERT gencert -t causer --with-ca ca-net-snmp.org --san email:user9@test.net-snmp.org --email user9@test.net-snmp.org $NSCERTARGS
+CAUSERFP=`$NSCERT showcerts --fingerprint --brief causer $NSCERTARGS`
+CHECKVALUEISNT "$CAUSERFP" "" "generated fingerprint for causer certificate"
+
+CAPTURE $NSCERT gencert -t cadirect9b --with-ca ca-net-snmp.org --san email:user9b@test.net-snmp.org --email user9b@test.net-snmp.org $NSCERTARGS
+CADIRECTFP=`$NSCERT showcerts --fingerprint --brief cadirect9b $NSCERTARGS`
+CHECKVALUEISNT "$CADIRECTFP" "" "generated fingerprint for cadirect certificate"
+
+CAPTURE $NSCERT genca --cn ca2-net-snmp.org $NSCERTARGS
+CA2FP=`$NSCERT showcas --fingerprint --brief ca2-net-snmp.org $NSCERTARGS`
+CHECKVALUEISNT "$CA2FP" "" "generated fingerprint for ca2-net-snmp.org certificate"
+
+CAPTURE $NSCERT gencert -t cadirect9c --with-ca ca2-net-snmp.org --san email:user9c@test.net-snmp.org --email user9c@test.net-snmp.org $NSCERTARGS
+CADIRECT9CFP=`$NSCERT showcerts --fingerprint --brief cadirect9c $NSCERTARGS`
+CHECKVALUEISNT "$CADIRECT9CFP" "" "generated fingerprint for cadirect9c certificate"
+
+CAPTURE $NSCERT gencert -t cadirect9d --with-ca ca2-net-snmp.org --san email:user9d@test.net-snmp.org --email user9d@test.net-snmp.org $NSCERTARGS
+CADIRECT9DFP=`$NSCERT showcerts --fingerprint --brief cadirect9d $NSCERTARGS`
+CHECKVALUEISNT "$CADIRECT9DFP" "" "generated fingerprint for cadirect9d certificate"
+
+#########################################
+# AGENT CONFIGURATION
+#
+
+CONFIGAGENT '[snmp]' debugTokens tsm
+# ,tls,ssl,cert,tsm
+CONFIGAGENT '[snmp]' doDebugging 1
+CONFIGAGENT '[snmp]' logTimestamp 1
+CONFIGAGENT '[snmp]' serverCert $SERVERFP
+
+CONFIGAGENT '[snmp]' trustCert $CAFP
+CONFIGAGENT '[snmp]' trustCert $CADIRECT9CFP
+
+# common name mappings
+CONFIGAGENT certSecName 9 $TESTUSERFP --cn
+CONFIGAGENT certSecName 10 $TESTUSER2FP --cn
+CONFIGAGENT certSecName 11 $OTHERUSERFP --cn
+CONFIGAGENT certSecName 12 $INVALIDUSERFP --cn
+
+CONFIGAGENT certSecName 20 $MAPPEDUSERFP --sn aftermapping
+CONFIGAGENT certSecName 21 $EMAILUSERFP --rfc822
+CONFIGAGENT certSecName 22 $DNSUSERFP --dns
+CONFIGAGENT certSecName 23 $IPUSERFP --ip
+CONFIGAGENT certSecName 24 afile --cn
+
+CONFIGAGENT certSecName 100 $CAFP --rfc822
+CONFIGAGENT certSecName 101 $CADIRECTFP --sn causerdirectmap
+CONFIGAGENT certSecName 102 $CADIRECT9CFP --sn causerdirect9cmap
+# intentionally not mapped:
+#CONFIGAGENT certSecName 1001 $CADIRECT9DFP --sn causerdirect9dmap
+
+# *** INTENTIONALLY NOT MAPPING AT ALL: ***
+# CONFIGAGENT certSecName 1000 $UNMAPPEDFP ....
+
+CONFIGAPP serverCert $SERVERFP
+CONFIGAPP defSecurityModel tsm
+CONFIGAPP logTimestamp 1
+
+CONFIGAGENT rwuser -s tsm testuser authpriv
+CONFIGAGENT rwuser -s tsm testuser2 authpriv
+CONFIGAGENT rwuser -s tsm otheruser authpriv
+CONFIGAGENT rwuser -s tsm aftermapping authpriv
+
+CONFIGAGENT rwuser -s tsm foobaruser@example.com authpriv
+CONFIGAGENT rwuser -s tsm foobar.example.com authpriv
+CONFIGAGENT rwuser -s tsm 127.0.0.1 authpriv
+CONFIGAGENT rwuser -s tsm user8@test.net-snmp.org authpriv
+CONFIGAGENT rwuser -s tsm user9@test.net-snmp.org authpriv
+CONFIGAGENT rwuser -s tsm user10@test.net-snmp.org authpriv
+CONFIGAGENT rwuser -s tsm afileuser authpriv
+CONFIGAGENT rwuser -s tsm causerdirectmap authpriv
+CONFIGAGENT rwuser -s tsm causerdirect9cmap authpriv
+
+
+# this file contains tests common to both tls and dtls usages
+
+# start the agent up
+FLAGS="-Dtls -v3 -On $SNMP_FLAGS $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
+
+STARTAGENT
+
+# shouldn't have config errors
+CHECKAGENTCOUNT 0 ": Error:"
+
+######################################################################
+# EXTENDED CERTIFICATE SETUP
+#
+# Perform more steps of configuration that should occur *after* the
+# agent has started in order to prevent it from having seen these
+# files ahead of time.
+
+# this user's fingerprint should not be recognized
+CAPTURE $NSCERT gencert -t unknownuser --san email:unknownuser@example.com $NSCERTARGS
+UNKNOWNUSER=`$NSCERT showcerts --fingerprint --brief unknownuser $NSCERTARGS`
+CHECKVALUEISNT "$UNMAPPEDFP" "" "generated fingerprint for unknownuser certificate"
+
+# this user's fingerprint should not be directly recognized, but it's
+# CA should.
+
+# user 10: CA signed cert
+CAPTURE $NSCERT gencert -D -t unknowncauser --cn unknowncauser@net-snmp.org --email unknowncauser@net-snmp.org --with-ca ca-net-snmp.org --san email:user10@test.net-snmp.org $NSCERTARGS
+UNKNOWNCAUSERFP=`$NSCERT showcerts --fingerprint --brief unknowncauser $NSCERTARGS`
+CHECKVALUEISNT "$UNKNOWNCAUSERFP" "" "generated fingerprint for unknowncauser certificate"
+
+######################################################################
+# ACTUAL TESTS
+#
+# Run the actual list of tests
+#
+
+# using user 1 - a common name mapped certificate
+# (using the default "snmpapp" certificate because we don't specify another)
+DOSETTEST user1SnmpApp "$FLAGS"
+
+# now rerun the test after specifying our default using the (same) fingerprint
+CONFIGAPP clientCert $TESTUSER2FP
+DOSETTEST user1ClientPub "$FLAGS"
+
+# using user 2 - a common name mapped certificate with a direct -T FP request
+DOSETTEST user2DashTFPFlag "-T our_identity=$OTHERUSERFP $FLAGS"
+
+CHECKAGENTCOUNT 4 "otheruser"
+
+# using user 2, specifying the file name instead of the fingerprint
+DOSETTEST user2DashTFileFlag "-T our_identity=otheruser $FLAGS"
+
+CHECKAGENTCOUNT 8 "otheruser"
+
+# using user 3 - an invalid certificate (mapped but not authorized)
+DOFAILSETTEST "invalidUnauthorizedCert" "-T our_identity=$INVALIDUSERFP $FLAGS"
+
+CHECK "authorizationError"
+
+# using user 4 - an unmapped certificate
+DOFAILSETTEST "unmappedCertificate" "-T our_identity=$UNMAPPEDFP $FLAGS"
+
+CHECK "failed rfc5343"
+
+# Check *their* certificate with a different one than expected; should fail
+DOFAILSETTEST "incorectServerCertificate" "-r 0 -T our_identity=$OTHERUSERFP -T their_identity=$OTHERUSERFP $FLAGS"
+
+CHECK "failed to verify ssl certificate"
+
+# using user 5 - a completely remapped certificate (direct specified secname)
+DOSETTEST user5RemappedSecname "-T our_identity=$MAPPEDUSERFP $FLAGS"
+
+# using user 6 - a subjectAltName=email certificate mapping
+DOSETTEST user6SANEmail "-T our_identity=$EMAILUSERFP $FLAGS"
+
+# using user 7 - a subjectAltName=dns certificate mapping
+DOSETTEST user7SANDNS "-T our_identity=$DNSUSERFP $FLAGS"
+
+# using user 8 - a subjectAltName=ipv4 certificate mapping
+DOSETTEST user8SANIP "-T our_identity=$IPUSERFP $FLAGS"
+
+# using user 8 - test that certmapping works from a local filename
+DOSETTEST afileuser "-T our_identity=afile $FLAGS"
+
+# using user 9 - a CA signed certificate
+DOSETTEST user9CASignedCert "-T our_identity=$CAUSERFP -T trust_cert=$CAFP $FLAGS"
+
+# using user 9b - a CA signed certificate with a user-based fp mapping
+DOSETTEST user9bCASignedDirectMap "-T our_identity=$CADIRECTFP $FLAGS"
+
+# using user 9c - a CA2 signed certificate with a user-based fp mapping
+DOSETTEST user9cCASignedDirectMap "-T our_identity=$CADIRECT9CFP $FLAGS"
+
+# using user 9d - a CA2 signed certificate no user-based fp mapping
+DOFAILSETTEST user9dCASignedDirectMap "-T our_identity=$CADIRECT9DFP $FLAGS"
+
+# using user unknown - the server will not have seen this fingerprint at all
+CAPTURE "snmpget -T our_identity=$UNKNOWNUSER -T trust_cert=$CAFP $FLAGS .1.3.6.1.2.1.1.6.0"
+
+# different types of failure messaages for tls/dtls...
+if [ $SNMP_TRANSPORT_SPEC = dtlsudp ]; then
+ CHECK "failed rfc5343 contextEngineID probing"
+ CHECKAGENTCOUNT 1 "TLS Error: no certificate returned"
+else
+ CHECK "failed to ssl_connect"
+ CHECKAGENTCOUNT 1 "Failed SSL_accept"
+fi
+
+# using the user without a known fingerprint but with a known CA
+DOSETTEST userNewFromCA " -T trust_cert=$CAFP -T our_identity=$UNKNOWNCAUSERFP $FLAGS"
+
+STOPAGENT
+
+FINISHED
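Review bot: The sanity check after generating the unknownuser certificate tests the wrong variable — the script assigns `UNKNOWNUSER=` but the next line reads `$UNMAPPEDFP`, which was already verified earlier, so an empty fingerprint goes unnoticed and the later `snmpget -T our_identity=$UNKNOWNUSER` negative test would then fail for the wrong reason (an empty identity rather than an unrecognised certificate); change it to `CHECKVALUEISNT "$UNKNOWNUSER" "" "generated fingerprint for unknownuser certificate"` (naming it `UNKNOWNUSERFP` would also match the other variables). In the same spirit, `DOFAILSETTEST user9dCASignedDirectMap` is the only negative case with no `CHECK` on the expected diagnostic, so it passes on any failure, including a configuration typo; pin the expected message the way the unmapped and unauthorized cases do. Two of the `CHECKVALUEISNT` labels are copy-pasted as well (the testuser2 check reports "testuser", the invaliduser check reports "otheruser"), which will mislead whoever reads a failed run.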