Add five-zero security engine ID for localized keys

If the user specifies localized keys, but does not specify security engine ID (-e), the magic value of 0x0000000000 will be automatically associated with given localized keys to use them with any unknown authoritative SNMP engine.
etingof · Aug 11, 2019 · d1fceec · d1fceec
1 parent ab4c7ee
commit d1fceec
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 6 deletions.
diff --git a/docs/source/options-protocol-rst.inc b/docs/source/options-protocol-rst.inc
@@ -170,6 +170,15 @@ See :RFC:`3414#section-2.6` for more information on key localization algorithm.
 
 .. note::
 
- Using any of *-3[kKMm]* options effectively disable SNMP engine ID
- discovery mechanism. Therefore authoritative security SNMP engine ID should
- be specified along with *-3[kKMm]* options (via *-e* option).
+ Using any of *-3[kKMm]* options effectively inactivate USM key
+ localization mechanism. As a consequence, local SNMP engine configuration
+ won't get automatically populated with remote SNMP engine's
+ *securityEngineId*.
+
+ Therefore authoritative security SNMP engine ID should be specified
+ along with *-3[kKMm]* options (via *-e* option).
+
+ Otherwise, the magic *securityEngineId* value of five zeros
+ (*0x0000000000*) will be added to local configuration automatically to
+ refer to the localized keys that should be used with any unknown
+ authoritative SNMP engine.
diff --git a/snmpclitools/cli/secmod.py b/snmpclitools/cli/secmod.py
@@ -404,10 +404,10 @@ def _unhexKey(key):
  raise error.PySnmpError('Security level not specified')
 
  if 'securityEngineId' in ctx:
- ctx['securityEngineId'] = _unhexKey(ctx['securityEngineId'])
+ securityEngineId = _unhexKey(ctx['securityEngineId'])
 
  else:
- ctx['securityEngineId'] = None
+ securityEngineId = None
 
  if 'contextEngineId' in ctx:
  ctx['contextEngineId'] = _unhexKey(ctx['contextEngineId'])
@@ -437,6 +437,14 @@ def _unhexKey(key):
  else:
  privKeyType = config.usmKeyTypePassphrase
 
+ if (authKeyType == config.usmKeyTypeLocalized or
+ privKeyType == config.usmKeyTypeLocalized):
+ # Wildcard security engine ID assocciating localized keys
+ # with any authoritative SNMP engine
+ securityEngineId = rfc1902.OctetString(hexValue='0000000000')
+
+ ctx['securityEngineId'] = securityEngineId
+
  if ctx['securityLevel'] == 'noAuthNoPriv':
  if 'authKey' in ctx:
  del ctx['authKey']
@@ -471,7 +479,7 @@ def _unhexKey(key):
  ctx['authKey'],
  ctx['privProtocol'],
  ctx['privKey'],
- securityEngineId=ctx['securityEngineId'],
+ securityEngineId=securityEngineId,
  securityName=ctx['securityName'],
  authKeyType=authKeyType,
  privKeyType=privKeyType