\core\diagRFC6614Tests

Test suite to verify that a given NAI realm has NAPTR records according to consortium-agreed criteria. Can only be used if CONFIG_DIAGNOSTICS['RADIUSTESTS'] is configured.

Its main purpose is to initialise some error messages.


Constants

RETVAL_OK

RETVAL_OK = 0

Test was executed and the result was as expected.

RETVAL_NOTCONFIGURED

RETVAL_NOTCONFIGURED = -100

Test could not be run because CAT software isn't configured for it

RETVAL_SKIPPED

RETVAL_SKIPPED = -101

Test skipped because there was nothing to be done

RETVAL_INVALID

RETVAL_INVALID = -103

test executed, and there were errors

RETVAL_NO_RESPONSE

RETVAL_NO_RESPONSE = -106

no reply at all from remote RADIUS server

RETVAL_SERVER_UNFINISHED_COMM

RETVAL_SERVER_UNFINISHED_COMM = -107

auth flow stopped somewhere in the middle of a conversation

RETVAL_IMMEDIATE_REJECT

RETVAL_IMMEDIATE_REJECT = -108

a RADIUS server did not want to talk EAP with us, but at least replied with a Reject

RETVAL_CONVERSATION_REJECT

RETVAL_CONVERSATION_REJECT = -109

a RADIUS server talked EAP with us, but didn't like us in the end

RETVAL_CONNECTION_REFUSED

RETVAL_CONNECTION_REFUSED = -110

a RADIUS server refuses connection

RETVAL_INCOMPLETE_DATA

RETVAL_INCOMPLETE_DATA = -111

not enough data provided to perform an authentication

RETVAL_WRONG_PKCS12_PASSWORD

RETVAL_WRONG_PKCS12_PASSWORD = -112

PKCS12 password does not match the certificate file

CERTPROB_ROOT_INCLUDED

CERTPROB_ROOT_INCLUDED = -200

The root CA certificate was sent by the EAP server.

CERTPROB_TOO_MANY_SERVER_CERTS

CERTPROB_TOO_MANY_SERVER_CERTS = -201

There was more than one server certificate in the EAP server's chain.

CERTPROB_NO_SERVER_CERT

CERTPROB_NO_SERVER_CERT = -202

There was no server certificate in the EAP server's chain.

CERTPROB_MD5_SIGNATURE

CERTPROB_MD5_SIGNATURE = -204

The/a server certificate was signed with an MD5 signature.

CERTPROB_SHA1_SIGNATURE

CERTPROB_SHA1_SIGNATURE = -227

The/a server certificate was signed with a SHA-1 signature.

CERTPROB_LOW_KEY_LENGTH

CERTPROB_LOW_KEY_LENGTH = -220

one of the keys in the cert chain was smaller than 1024 bits

CERTPROB_NO_TLS_WEBSERVER_OID

CERTPROB_NO_TLS_WEBSERVER_OID = -205

The server certificate did not contain the TLS Web Server OID, creating compatibility problems with many Windows versions.

CERTPROB_NO_CDP

CERTPROB_NO_CDP = -206

The server certificate did not include a CRL Distribution Point, creating compatibility problems with Windows Phone 8.

CERTPROB_NO_CDP_HTTP

CERTPROB_NO_CDP_HTTP = -207

The server certificate did include a CRL Distribution Point, but it does not point to an HTTP/HTTPS URL. Possible compatibility problems.

CERTPROB_NO_CRL_AT_CDP_URL

CERTPROB_NO_CRL_AT_CDP_URL = -208

The server certificate's CRL Distribution Point URL couldn't be accessed and/or did not contain a CRL.

CERTPROB_SERVER_CERT_REVOKED

CERTPROB_SERVER_CERT_REVOKED = -222

The received server certificate is revoked.

CERTPROB_OUTSIDE_VALIDITY_PERIOD

CERTPROB_OUTSIDE_VALIDITY_PERIOD = -221

certificate is not currently valid (expired/not yet valid)

CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN

CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN = -225

At least one certificate is outside its validity period (not yet valid, or already expired)!

CERTPROB_TRUST_ROOT_NOT_REACHED

CERTPROB_TRUST_ROOT_NOT_REACHED = -209

At least one certificate is outside its validity period, but this certificate does not take part in server validation

CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES

CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES = -216

The received certificate chain did not carry the necessary intermediate CAs in the EAP conversation. Only the CAT Intermediate CA installation can complete the chain.

CERTPROB_SERVER_NAME_MISMATCH

CERTPROB_SERVER_NAME_MISMATCH = -210

The received server certificate's name did not match the configured name in the profile properties.

CERTPROB_SERVER_NAME_PARTIAL_MATCH

CERTPROB_SERVER_NAME_PARTIAL_MATCH = -217

The received server certificate's name did not match the configured name in the profile properties.

CERTPROB_NOT_A_HOSTNAME

CERTPROB_NOT_A_HOSTNAME = -218

One of the names in the cert was not a hostname.

CERTPROB_WILDCARD_IN_NAME

CERTPROB_WILDCARD_IN_NAME = -219

One of the names contained a wildcard character.

CERTPROB_NO_BASICCONSTRAINTS

CERTPROB_NO_BASICCONSTRAINTS = -211

The certificate does not set any BasicConstraints; in particular, no CA:TRUE or CA:FALSE flag is present

CERTPROB_UNKNOWN_CA

CERTPROB_UNKNOWN_CA = -212

The server presented a certificate which is from an unknown authority

CERTPROB_WRONGLY_ACCEPTED

CERTPROB_WRONGLY_ACCEPTED = -213

The server accepted this client certificate, but should not have

CERTPROB_WRONGLY_NOT_ACCEPTED

CERTPROB_WRONGLY_NOT_ACCEPTED = -214

The server does not accept this client certificate, but should have

CERTPROB_NOT_ACCEPTED

CERTPROB_NOT_ACCEPTED = -215

The server does not accept this client certificate

CERTPROB_UNABLE_TO_GET_CRL

CERTPROB_UNABLE_TO_GET_CRL = 223

the CRL of a certificate could not be found

CERTPROB_NO_COMMON_EAP_METHOD

CERTPROB_NO_COMMON_EAP_METHOD = -224

no EAP method could be agreed on, so certificates could not be extracted

CERTPROB_DH_GROUP_TOO_SMALL

CERTPROB_DH_GROUP_TOO_SMALL = -225

Diffie-Hellman groups need to be 1024 bit at least, starting with OS X 10.11

CERTPROB_MULTIPLE_CN

CERTPROB_MULTIPLE_CN = -226

There is more than one CN in the certificate

INFRA_ETLR

INFRA_ETLR = INFRA_ETLR

INFRA_NRO_SP

INFRA_NRO_SP = INFRA_NRO_SP

INFRA_NRO_IDP

INFRA_NRO_IDP = INFRA_NRO_IdP

INFRA_SP_RADIUS

INFRA_SP_RADIUS = INFRA_SP_RADIUS

INFRA_IDP_RADIUS

INFRA_IDP_RADIUS = INFRA_IdP_RADIUS

INFRA_IDP_AUTHBACKEND

INFRA_IDP_AUTHBACKEND = INFRA_IDP_AUTHBACKEND

INFRA_SP_80211

INFRA_SP_80211 = INFRA_SP_80211

INFRA_SP_LAN

INFRA_SP_LAN = INFRA_SP_LAN

INFRA_DEVICE

INFRA_DEVICE = INFRA_DEVICE

INFRA_NONEXISTENTREALM

INFRA_NONEXISTENTREALM = INFRA_NONEXISTENTREALM

STATUS_GOOD

STATUS_GOOD = 0

STATUS_PARTIAL

STATUS_PARTIAL = -1

STATUS_DOWN

STATUS_DOWN = -2

STATUS_MONITORINGFAIL

STATUS_MONITORINGFAIL = -3

L_OK

L_OK = 0

L_REMARK

L_REMARK = 4

L_WARN

L_WARN = 32

L_ERROR

L_ERROR = 256
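The CERTPROB_* codes above describe what the TLS checks look for in a server certificate. As an added illustration (not code from the eduroam CAT project), the following PHP function applies a subset of those criteria to the array that openssl_x509_parse() returns, together with the public key size taken from openssl_pkey_get_details(). The constant values are copied from the list above; the function name lintServerCertificate, the hostname regular expression, the constructed sample certificate data and the way each criterion is expressed (the 1024-bit key threshold, matching the extended key usage by its OpenSSL text label) are this example's own assumptions. str_contains() requires PHP 8.

```php
<?php
// Added example, not part of the eduroam CAT code base: evaluate a parsed
// X.509 server certificate against some of the CERTPROB_* criteria.
// $parsed is the array returned by openssl_x509_parse(); $keyBits comes from
// openssl_pkey_get_details(openssl_pkey_get_public($pem))['bits'].
// The CERTPROB_* values are copied from the constants documented above.

const CERTPROB_MD5_SIGNATURE = -204;
const CERTPROB_SHA1_SIGNATURE = -227;
const CERTPROB_LOW_KEY_LENGTH = -220;
const CERTPROB_NO_TLS_WEBSERVER_OID = -205;
const CERTPROB_NO_CDP = -206;
const CERTPROB_NO_CDP_HTTP = -207;
const CERTPROB_OUTSIDE_VALIDITY_PERIOD = -221;
const CERTPROB_NOT_A_HOSTNAME = -218;
const CERTPROB_WILDCARD_IN_NAME = -219;
const CERTPROB_NO_BASICCONSTRAINTS = -211;
const CERTPROB_MULTIPLE_CN = -226;

/**
 * Returns the list of CERTPROB_* codes that apply to the certificate
 * (hypothetical helper; $now is a Unix timestamp so that tests are repeatable).
 */
function lintServerCertificate(array $parsed, int $keyBits, int $now): array
{
    $problems = [];
    $ext = $parsed['extensions'] ?? [];

    // openssl_x509_parse() exposes the signature algorithm short name, e.g. "RSA-SHA256"
    $sigAlg = strtoupper($parsed['signatureTypeSN'] ?? '');
    if (str_contains($sigAlg, 'MD5')) {
        $problems[] = CERTPROB_MD5_SIGNATURE;
    } elseif (str_contains($sigAlg, 'SHA1')) {
        $problems[] = CERTPROB_SHA1_SIGNATURE;
    }

    if ($keyBits < 1024) {
        $problems[] = CERTPROB_LOW_KEY_LENGTH;
    }

    // validFrom_time_t / validTo_time_t are Unix timestamps
    if ($now < ($parsed['validFrom_time_t'] ?? 0) || $now > ($parsed['validTo_time_t'] ?? 0)) {
        $problems[] = CERTPROB_OUTSIDE_VALIDITY_PERIOD;
    }

    // extendedKeyUsage is rendered by OpenSSL as a comma-separated list of text labels
    if (!str_contains($ext['extendedKeyUsage'] ?? '', 'TLS Web Server Authentication')) {
        $problems[] = CERTPROB_NO_TLS_WEBSERVER_OID;
    }

    // CRL Distribution Point: present at all, and pointing at an HTTP(S) URL?
    $cdp = $ext['crlDistributionPoints'] ?? '';
    if ($cdp === '') {
        $problems[] = CERTPROB_NO_CDP;
    } elseif (!preg_match('#URI:https?://#i', $cdp)) {
        $problems[] = CERTPROB_NO_CDP_HTTP;
    }

    if (!isset($ext['basicConstraints'])) {
        $problems[] = CERTPROB_NO_BASICCONSTRAINTS;
    }

    // Names: the CN (an array when it occurs more than once) plus DNS SANs
    $cn = $parsed['subject']['CN'] ?? [];
    $cnList = is_array($cn) ? $cn : [$cn];
    if (count($cnList) > 1) {
        $problems[] = CERTPROB_MULTIPLE_CN;
    }
    $names = $cnList;
    if (preg_match_all('/DNS:([^,\s]+)/', $ext['subjectAltName'] ?? '', $m)) {
        $names = array_merge($names, $m[1]);
    }
    foreach ($names as $name) {
        if (str_contains($name, '*')) {
            $problems[] = CERTPROB_WILDCARD_IN_NAME;
        } elseif (!preg_match('/^([a-z0-9-]+\.)+[a-z]{2,}$/i', $name)) {
            $problems[] = CERTPROB_NOT_A_HOSTNAME;
        }
    }

    return array_values(array_unique($problems));
}

// Constructed stand-in for openssl_x509_parse() output (values invented for
// illustration, laid out the way PHP returns them). It deliberately carries a
// SHA-1 signature, an LDAP-only CDP and a wildcard SAN.
$sampleParsed = [
    'subject' => ['CN' => 'radius.example.org'],
    'signatureTypeSN' => 'RSA-SHA1',
    'validFrom_time_t' => 1700000000,
    'validTo_time_t' => 1800000000,
    'extensions' => [
        'basicConstraints' => 'CA:FALSE',
        'extendedKeyUsage' => 'TLS Web Server Authentication, TLS Web Client Authentication',
        'crlDistributionPoints' => "\nFull Name:\n  URI:ldap://crl.example.org/cn=CRL\n",
        'subjectAltName' => 'DNS:radius.example.org, DNS:*.example.org',
    ],
];

print_r(lintServerCertificate($sampleParsed, 2048, 1750000000));
```

Against a real server, the input would be `openssl_x509_parse($pem)` for the leaf certificate extracted from the `openssl s_client` output, with the key size read from `openssl_pkey_get_details()`; the revocation and chain-building codes (CERTPROB_SERVER_CERT_REVOKED, CERTPROB_TRUST_ROOT_NOT_REACHED and friends) need network access or the full chain and are therefore left out here.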

Properties

$returnCodes

$returnCodes : mixed|string|int

generic return codes

Type

mixed|string|int —

$possibleFailureReasons

$possibleFailureReasons

$additionalFindings

$additionalFindings

$TLS_CA_checks_result

$TLS_CA_checks_result : mixed|string|int

associative array holding the server-side cert test results for a given IP (IP is the key)

Type

mixed|string|int —

$TLS_clients_checks_result

$TLS_clients_checks_result : mixed|string|int

associative array holding the client-side cert test results for a given IP (IP is the key)

Type

mixed|string|int —

$loggerInstance

$loggerInstance : \core\common\Logging

We occasionally log stuff (debug/audit). Having an initialised Logging instance nearby is helpful.

Type

\core\common\Logging —

$languageInstance

$languageInstance : \core\common\Language

access to language settings to be able to switch textDomain

Type

\core\common\Language —

$TLS_certkeys

$TLS_certkeys : mixed|string|int

dictionary of translatable texts around the certificates we check

Type

mixed|string|int —

$candidateIPs

$candidateIPs : mixed|string|int

list of IP addresses which are candidates for dynamic discovery targets

Type

mixed|string|int —

Methods

__construct()

__construct(mixed|string|int $listOfIPs)

Sets up the instance for testing of a number of candidate IPs

Logs the start of lifetime of the entity to the debug log on levels 3 and higher.

Parameters

mixed|string|int $listOfIPs

candidates to test

__destruct()

__destruct() 

destroys the entity.

Logs the end of lifetime of the entity to the debug log on level 5.

createTemporaryDirectory()

createTemporaryDirectory($purpose = 'installer', $failIsFatal = 1) : mixed|string|int

create a temporary directory and return the location

Parameters

$purpose

one of 'installer', 'logo', 'test'; defines the purpose of the directory

$failIsFatal

decides if a creation failure should cause an error; defaults to true

Returns

mixed|string|int —

the tuple of: base path, absolute path for directory, directory name

rrmdir()

rrmdir($dir)

this directory delete function has been copied from PHP documentation

Parameters

$dir

name of the directory to delete

allChecks()

allChecks() 

run all checks on all candidates

cApathCheck()

cApathCheck($host)

This function executes the openssl s_client command to check if a server accepts a CA

Parameters

$host

IP:port

Returns

returncode

tlsClientSideCheck()

tlsClientSideCheck($host)

This function executes the openssl s_client command to check if a server accepts a client certificate

Parameters

$host

IP:port

Returns

returncode

normaliseResultSet()

normaliseResultSet() 

turns $this->possibleFailureReasons into something where the sum of all occurrence factors is 1. A bit like a probability distribution, but they are not actual probabilities.

openssl_s_client()

openssl_s_client($host, $arg, mixed|string|int &$testresults) : mixed|string|int

This function executes the openssl s_client command

Parameters

$host

IP address

$arg

arguments to add to the openssl command

mixed|string|int $testresults

by-reference: the testresults array we are writing into

Returns

mixed|string|int —

result of openssl s_client ...

opensslCAResult()

opensslCAResult($host, mixed|string|int $opensslbabble, mixed|string|int &$testresults)

This function parses the openssl s_client result

Parameters

$host

IP:port

mixed|string|int $opensslbabble

openssl command output

mixed|string|int $testresults

by-reference: pointer to results array we write into

Returns

return code

opensslClientsResult()

opensslClientsResult($host, mixed|string|int $opensslbabble, mixed|string|int &$testresults, $type, $resultArrayKey)

This function parses the openssl s_client result

Parameters

$host

IP:port

mixed|string|int $opensslbabble

openssl command output

mixed|string|int $testresults

by-reference: pointer to results array we write into

$type

type of certificate

$resultArrayKey

results array key

Returns

return code

propertyCheckPolicy()

propertyCheckPolicy(mixed|string|int $cert) : mixed|string|int

This function parses an X.509 cert and returns all certificatePolicies OIDs

Parameters

mixed|string|int $cert

(returned from openssl_x509_parse)

Returns

mixed|string|int — list of OIDs

getCertificateIssuer()

getCertificateIssuer(mixed|string|int $cert)

This function parses an X.509 cert and returns the value of its issuer field

Parameters

mixed|string|int $cert

(returned from openssl_x509_parse)

Returns

value of the issuer field or ''

getCertificatePropertyField()

getCertificatePropertyField(mixed|string|int $cert, $field)

This function parses an X.509 cert and returns the value of $field

Parameters

mixed|string|int $cert

(returned from openssl_x509_parse)

$field

Returns

value of the extension named $field or ''
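The three methods documented last, propertyCheckPolicy(), getCertificateIssuer() and getCertificatePropertyField(), all work on the array returned by openssl_x509_parse(). The following PHP helpers are an added example of how those lookups can be expressed; they are not the class's own implementation. The function names certificatePropertyField, certificateIssuer and certificatePolicyOids, the way the issuer DN is joined into one string, and the constructed sample array (including its OIDs and names) are this example's assumptions.

```php
<?php
// Added example, not the class's own code: extract an extension, the issuer
// and the certificatePolicies OIDs from the array openssl_x509_parse() returns.

/**
 * Returns the value of a named X.509 extension, or '' if it is absent.
 * openssl_x509_parse() keeps extensions under 'extensions', keyed by their
 * OpenSSL short name (e.g. 'certificatePolicies', 'subjectAltName').
 */
function certificatePropertyField(array $cert, string $field): string
{
    return $cert['extensions'][$field] ?? '';
}

/**
 * Returns the issuer DN as a single string, or '' if none is present.
 * The 'issuer' entry is an associative array of DN components; a repeated
 * component (e.g. two OU values) appears as an array and is expanded here.
 */
function certificateIssuer(array $cert): string
{
    if (empty($cert['issuer']) || !is_array($cert['issuer'])) {
        return '';
    }
    $parts = [];
    foreach ($cert['issuer'] as $attr => $value) {
        foreach ((array) $value as $v) {
            $parts[] = $attr . '=' . $v;
        }
    }
    return implode(', ', $parts);
}

/**
 * Returns all certificatePolicies OIDs. OpenSSL renders the extension as
 * text such as "Policy: 1.2.3.4\n  CPS: https://..."; only dotted OIDs after
 * "Policy:" are collected, so a textual "Policy: X509v3 Any Policy" is skipped.
 */
function certificatePolicyOids(array $cert): array
{
    $raw = certificatePropertyField($cert, 'certificatePolicies');
    if ($raw === '') {
        return [];
    }
    preg_match_all('/Policy:\s*([0-9]+(?:\.[0-9]+)+)/', $raw, $matches);
    return array_values(array_unique($matches[1]));
}

// Constructed stand-in for openssl_x509_parse() output; the issuer, OIDs and
// names are invented for illustration. In real use:
//   $parsed = openssl_x509_parse(file_get_contents('server.pem'));
$parsed = [
    'issuer' => ['C' => 'XX', 'O' => 'Example CA', 'CN' => 'Example Issuing CA'],
    'extensions' => [
        'certificatePolicies' => "Policy: 1.3.6.1.4.1.12345.1.1\n  CPS: https://pki.example.org/cps\nPolicy: 1.3.6.1.4.1.12345.2.7\n",
        'subjectAltName' => 'DNS:radius.example.org',
    ],
];

echo certificateIssuer($parsed), "\n";
print_r(certificatePolicyOids($parsed));
echo certificatePropertyField($parsed, 'subjectAltName'), "\n";
```

Returning '' rather than null for a missing extension matches the documented contract of getCertificatePropertyField() above and keeps callers from having to distinguish "absent" from "empty"; when an extension's presence matters (as for CERTPROB_NO_BASICCONSTRAINTS), test with isset() on the 'extensions' array instead.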