#!/bin/sh

# Shared body of the TSM-prefix test. It relies on harness helpers (CAPTURE,
# CHECK, CONFIGAGENT, STARTAGENT, ...) and on variables such as builddir,
# SNMP_BASEDIR, SNMP_TMPDIR, TSM_PREFIX and SNMP_TRANSPORT_SPEC that are not
# defined in this file -- presumably supplied by STlsVars and/or the calling
# test; confirm there.
#
# NOTE(review): "STlsVars" contains no slash, so the shell locates it through
# PATH (bash outside POSIX mode also tries the current directory). The harness
# is assumed to control that lookup.
. STlsVars

# this file contains tests common to both tls and dtls usages

# Exported so child processes inherit it; presumably read by net-snmp-cert to
# find the freshly built net-snmp-config -- TODO confirm.
export NET_SNMP_CRT_CFGTOOL="${builddir}/net-snmp-config"
# NSCERT holds "perl <script>" and NSCERTARGS holds several options, so both
# are expanded unquoted on purpose further down: word splitting is what turns
# them into a command line. A SNMP_BASEDIR or SNMP_TMPDIR containing
# whitespace would therefore break the commands built from them.
NSCERT="perl $SNMP_BASEDIR/../../../local/net-snmp-cert"
# Presumably keeps every generated key and certificate under the per-test
# temp dir, i.e. throwaway test material -- verify -I and -C against the
# tool's usage text.
NSCERTARGS="-I -C $SNMP_TMPDIR"

# Not referenced again in this file; presumably consumed elsewhere.
TLSDIR=$SNMP_TMPDIR/tls

#########################################
# Create the certificates
#
# Generates a CA, one certificate for snmpd and two client certificates with
# net-snmp-cert. After each gencert the fingerprint is read back with
# showcerts and passed to CHECKVALUEISNT together with "", since the
# configuration lines later in the script are built from these fingerprints.
# $NSCERT and $NSCERTARGS are left unquoted deliberately (multi-word values).

# create the ca
CAPTURE $NSCERT genca --cn ca-net-snmp.org  $NSCERTARGS

# snmpd
# The agent certificate's common name is taken from `hostname`.
# NOTE(review): this overwrites HOSTNAME for the rest of the script.
HOSTNAME=`hostname`
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpd --cn $HOSTNAME $NSCERTARGS
SERVERFP=`$NSCERT showcerts --fingerprint --brief snmpd  $NSCERTARGS`
CHECKVALUEISNT "$SERVERFP" "" "generated fingerprint for snmpd certificate"

# user
# Client certificate tagged "snmpapp", common name "testuser".
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp --cn 'testuser'  $NSCERTARGS
TESTUSERFP=`$NSCERT showcerts --fingerprint --brief snmpapp $NSCERTARGS`
CHECKVALUEISNT "$TESTUSERFP" "" "generated fingerprint for testuser certificate"

# user2
# Client certificate tagged "snmpapp2", common name "testuser2".
CAPTURE $NSCERT gencert --with-ca ca-net-snmp.org -t snmpapp2 --cn 'testuser2'  $NSCERTARGS
TESTUSER2FP=`$NSCERT showcerts --fingerprint --brief snmpapp2 $NSCERTARGS`
CHECKVALUEISNT "$TESTUSER2FP" "" "generated fingerprint for testuser2 certificate"

# Write the configuration the agent and the client tools will run with.
# Records the snmpd certificate fingerprint as "serverCert" through CONFIGAPP;
# which side reads that setting is not visible here.
CONFIGAPP serverCert $SERVERFP
# certSecName <priority> <fingerprint> --cn: map each client certificate to a
# securityName taken from its common name (testuser / testuser2).
CONFIGAGENT certSecName 9  $TESTUSERFP     --cn
CONFIGAGENT certSecName 10  $TESTUSER2FP     --cn
# Authorization is what this test exercises: testuser is granted access under
# its bare name, testuser2 only under "$TSM_PREFIX:testuser2". For any one
# prefix setting, only one of the two names can match the securityName the
# agent derives.
CONFIGAGENT  rwuser -s tsm testuser authpriv
CONFIGAGENT  rwuser -s tsm $TSM_PREFIX:testuser2 authpriv
# Read-only community for the plain "-v 1 -c public" query at the end.
# NOTE(review): a well-known community string is tolerable only on a
# throwaway test agent; do not copy this line into a real snmpd.conf.
CONFIGAGENT rocommunity public

#
# Start the agent
#
# -Dtsm enables agent debug output for the "tsm" token; udp:9999 is the
# endpoint the final community-string query talks to.
# NOTE(review): "udp:9999" names no host, so if the harness passes it as a
# listening address the agent is presumably reachable on every interface with
# community "public" while the test runs, and the fixed port can collide with
# a parallel run -- confirm against STARTAGENT.
AGENT_FLAGS="-Dtsm udp:9999"
FLAGS="-On $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT"
STARTAGENT

# Baseline: .1.3.6.1.2.1.190.1.2.1.0 (snmpTsmConfigurationUsePrefix.0 in
# SNMP-TSM-MIB) must start out false, i.e. no prefix is prepended yet.
CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.190.1.2.1.0"
CHECK ".1.3.6.1.2.1.190.1.2.1.0 = INTEGER: false"

# using user 1 - a common name mapped certificate
# (using the default "snmpapp" certificate because we don't specify another)
# .1.3.6.1.2.1.1.3.0 is sysUpTime.0; a Timeticks answer shows the request was
# authorized.
CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"

CHECK       ".1.3.6.1.2.1.1.3.0 = Timeticks:"

# using user 2 should now fail because no prefix is applied
# (the only rwuser entry for testuser2 is the prefixed one). Both halves are
# asserted: no value comes back AND the error is authorizationError.
CAPTURE "snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"

CHECKCOUNT 0 ".1.3.6.1.2.1.1.3.0 = Timeticks:"
CHECK "authorizationError"

# set the TSM prefix scalar to 1 to turn on prefixing
# Sent with the default certificate (user 1), which is still authorized at
# this point. No CHECK follows the set itself; its effect is verified by the
# next read.
CAPTURE "snmpset -Dssl $FLAGS .1.3.6.1.2.1.190.1.2.1.0 i 1"


# using user 2 should now work and the prefix should have been added
# to the securityName, so the agent now accepts it
CAPTURE "snmpget -T our_identity=snmpapp2 -Dssl $FLAGS .1.3.6.1.2.1.190.1.2.1.0"

CHECK ".1.3.6.1.2.1.190.1.2.1.0 = INTEGER: true"

# using user 1 should now fail because the prefix has been added to the
# securityName, so it no longer matches the unprefixed "testuser" rwuser
# entry and the agent rejects it
CAPTURE "snmpget -Dssl $FLAGS .1.3.6.1.2.1.1.3.0"

CHECKCOUNT 0 ".1.3.6.1.2.1.1.3.0 = Timeticks:"
CHECK "authorizationError"

# Read the same scalar over SNMPv1 with the "public" community on port 9999.
# NOTE(review): no CHECK follows, so this output is captured but not asserted
# in this file; without -On the OID would also print in a different form than
# the CHECK strings above use.
CAPTURE "snmpget -v 1 -c public 127.0.0.1:9999 .1.3.6.1.2.1.190.1.2.1.0"

# cleanup
STOPAGENT

FINISHED