def from_values(cls, subject, subject_sig_key, subject_enc_key, issuer,
iss_priv_key, version):
"""
Generate a Certificate instance.
:param str subject:
the certificate subject. It can either be an AS, an email address or
a domain address.
:param bytes subject_sig_key: the public key of the subject.
:param bytes subject_enc_key: the public part of the encryption key.
:param str issuer: the certificate issuer. It can only be an AS.
:param bytes iss_priv_key:
the issuer's private key. It is used to sign the certificate.
:param int version: the certificate version.
:returns: the newly created Certificate instance.
:rtype: :class:`Certificate`
"""
cert = Certificate()
cert.subject = subject
cert.subject_sig_key = subject_sig_key
cert.subject_enc_key = subject_enc_key
cert.issuer = issuer
cert.version = version
cert.issuing_time = int(time.time())
cert.expiration_time = cert.issuing_time + Certificate.VALIDITY_PERIOD
cert.sign_algorithm = Certificate.SIGN_ALGORITHM
cert.encryption_algorithm = Certificate.ENCRYPT_ALGORITHM
data_to_sign = cert.__str__(with_signature=False)
data_to_sign = data_to_sign.encode('utf-8')
cert.signature = sign(data_to_sign, iss_priv_key)
return cert
def get_drkey_reply(sv, src_ia, dst_ia, priv_key, signing_key, cert_ver,
dst_cert, trc_ver):
"""
Generate a DRKeyReply. The Reply is signed with the signing key.
The contained drkey is encrypted using the public key of the
destination certificate.
:param DRKeySecretValue sv: the local secret value used to derive the DRKey.
:param ISD_AS src_ia: the local ISD-AS address.
:param ISD_AS dst_ia: the ISD-AS for which the DRKey is computed.
:param PrivateKey priv_key: local private key.
:param SigningKey signing_key: local signing key.
:param int cert_ver: version of the certificate, priv_key and signing_key are associated with.
:param Certificate dst_cert: the certificated of the destination ISD-AS.
:param int trc_ver: version of trc associated with cert_ver.
:returns: the resulting DRKeyReply
:rtype: DRKeyReply
"""
drkey = derive_drkey_raw(sv, dst_ia)
cipher = bytes(
encrypt(drkey, priv_key, PublicKey(dst_cert.subject_enc_key_raw)))
timestamp = drkey_time()
signature = sign(
get_signing_input_rep(src_ia, timestamp, sv.exp_time, cipher),
signing_key)
return DRKeyReply.from_values(src_ia, timestamp, sv.exp_time, cipher,
signature, cert_ver, dst_cert.version,
trc_ver)
def _sign_trc(self, topo_id, as_conf):
if not as_conf.get('core', False):
return
trc = self.trcs[topo_id[0]]
trc_str = trc.to_json(with_signatures=False).encode('utf-8')
trc.signatures[str(topo_id)] = sign(trc_str,
self.sig_priv_keys[topo_id])
def sign(self, isd_as, sig_priv_key):
"""
Sign TRC and add computed signature to the TRC.
:param ISD_AS isd_as: the ISD-AS of signer.
:param SigningKey sig_priv_key: the signing key of signer.
"""
data = self._sig_input()
self.signatures[str(isd_as)] = sign(data, sig_priv_key)
def sign(self, key, msg):
assert isinstance(msg, bytes), type(msg)
if len(msg) == 0:
raise ProtoSignError("Message is empty (sign)")
if len(self.p.signature) > 0:
raise ProtoSignError("Signature already present")
if self.p.type == ProtoSignType.ED25519:
self.p.signature = sign(self._sig_input(msg), key)
else:
raise ProtoSignError("Unsupported proto signature type (sign): %s" % self.p.type)
def _create_ad_marking(self):
"""
Create an AD Marking with the given ingress and egress interfaces.
"""
hof = HopOpaqueField.from_values(1, 111, 222)
rev_token = HashChain(Random.new().read(32)).next_element()
pcbm = PCBMarking.from_values(1, 10, hof)
peer_markings = []
signing_key = read_file(get_sig_key_file_path(1, 10))
signing_key = base64.b64decode(signing_key)
data_to_sign = (b'11' + pcbm.hof.pack())
signature = sign(data_to_sign, signing_key)
return ADMarking.from_values(pcbm, peer_markings, rev_token, signature)
def get_drkey_request(dst_ia, prefetch, signing_key, cert_ver, trc_ver):
"""
Generate a DRKeyRequest. The Request is signed with the signing key of the
specified certificate.
:param ISD_AS dst_ia: destination of the DRKey request.
:param Bool prefetch: indicator if prefetch (True) or not (False).
:param SigningKey signing_key: the signing key
:param int cert_ver: version of the certificate associated with singing key
:param int trc_ver: version of the trc associated with the certificate.
:returns: the signed DRKeyRequest.
:rtype: DRKeyRequest
"""
timestamp = drkey_time()
signature = sign(drkey_signing_input_req(dst_ia, prefetch, timestamp),
signing_key)
return DRKeyRequest.from_values(prefetch, dst_ia, timestamp, signature,
cert_ver, trc_ver)
def solve_challenge(challenge):
"""
The parameter challenge comes in binary already
"""
global IA
# 1) get the location of the certificates and keys
SC = os.environ["SC"] if "SC" in os.environ else os.path.join(
str(pathlib.Path.home()), "go", "src", "github.com", "scionproto",
"scion")
SC = os.path.join(SC, "gen")
m = re.match("^([0-9]+)-([0-9]+)$", IA)
if not m:
print("ERROR: could not understand the IA from: ", IA)
sys.exit(1)
I = m.group(1)
A = m.group(2)
filepath = os.path.join(SC, "ISD" + I, "AS" + A, "bs" + I + "-" + A + "-1")
privkey = os.path.join(filepath, "keys")
if not os.path.exists(privkey):
print("ERROR: no such path: ", privkey)
sys.exit(1)
privkeys = [
k for k in sorted(os.listdir(privkey), reverse=True)
if k.endswith(".seed")
]
if len(privkeys) < 1:
print("ERROR: could not find a private key under ", privkey)
sys.exit(1)
privkey = os.path.join(privkey, privkeys[0])
try:
with open(privkey) as f:
privkey = f.read()
except Exception as ex:
print("ERROR: could not read file %s: %s" % (privkey, ex))
sys.exit(1)
privkey = base64.standard_b64decode(privkey)
# 2) instantiate the private key and certificate and sign the challenge
signed = sign(challenge, privkey)
return signed
def sign(self, key, set_=True): # pragma: no cover
assert not self.p.asms[-1].sig
sig = sign(self.sig_pack(3), key)
if set_:
self.p.asms[-1].sig = sig
return sig
def sign(self, isd_as, sig_priv_key):
data = self._sig_input()
self.signatures[isd_as] = sign(data, sig_priv_key)
def sign(self, key, set_=True): # pragma: no cover
sig = sign(self.sig_pack3(), key)
if set_:
self.p.asms[-1].sig = sig
return sig
def sign(self, isd_as, sig_priv_key):
data = self._sig_input()
self.signatures[isd_as] = base64.b64encode(sign(data, sig_priv_key)). \
decode('utf-8')
def sign(self, iss_priv_key):
data = self._sig_input()
self.signature_raw = sign(data, iss_priv_key)
self.signature = base64.b64encode(self.signature_raw).decode('utf-8')
def sign(self, privkey):
inst = copy.copy(self)
inst.signature = b""
self.signature = sign(inst.pack(), privkey)
def test(self):
"""
Create a certificate chain and verify it with a TRC file. Sign a message
with the private key of the last certificate in the chain and verify it.
"""
cert10 = CertificateChain(get_cert_chain_file_path(1, 10, 1, 10, 0))
trc = TRC(get_trc_file_path(1, 10, 1, 0))
print('TRC verification', trc.verify())
print('Cert Chain verification:', cert10.verify('ISD:1-AD:10', trc, 0))
sig_priv10 = read_file(get_sig_key_file_path(1, 10))
sig_priv10 = base64.b64decode(sig_priv10)
msg = b'abcd'
sig = sign(msg, sig_priv10)
print('Sig test:', verify_sig_chain_trc(msg, sig, 'ISD:1-AD:10', cert10,
trc, 0))
sig_priv13 = read_file(get_sig_key_file_path(1, 13))
sig_priv13 = base64.b64decode(sig_priv13)
msg = b'abd'
sig = sign(msg, sig_priv13)
CertificateChain.from_values([])
print('Sig test 2:', verify_sig_chain_trc(msg, sig, 'ISD:1-AD:13',
cert10, trc, 0), '\n')
topology = Topology.from_file(
"topology/ISD1/topologies/ISD:1-AD:10.json")
src_addr = SCIONAddr.from_values(topology.isd_id, topology.ad_id,
IPv4Address("127.0.0.1"))
dst_addr = topology.certificate_servers[0].addr
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((str(src_addr.host_addr), SCION_UDP_PORT))
print("Sending TRC request (ISD:1-V:0) to local CS.")
msg = TRCRequest.from_values(
PT.TRC_REQ_LOCAL, src_addr,
topology.parent_border_routers[0].interface.if_id,
topology.isd_id, topology.ad_id, 1, 0).pack()
sock.sendto(msg, (str(dst_addr), SCION_UDP_PORT))
temp_file = './temp.txt'
timeout = 5
ready = select.select([sock], [], [], timeout)
if not ready[0]:
print("Error: no TRC reply was received!")
sock.close()
return
data, _ = sock.recvfrom(SCION_BUFLEN)
print("Received TRC reply from local CS.")
trc_reply = TRCReply(data)
write_file(temp_file, trc_reply.trc.decode('utf-8'))
trc = TRC(temp_file)
assert trc.verify()
print("Sending cert chain request (ISD:1-AD:16-V:0) to local CS.")
msg = CertChainRequest.from_values(
PT.CERT_CHAIN_REQ_LOCAL, src_addr,
topology.parent_border_routers[0].interface.if_id,
topology.isd_id, topology.ad_id, 1, 16, 0).pack()
sock.sendto(msg, (str(dst_addr), SCION_UDP_PORT))
ready = select.select([sock], [], [], timeout)
if not ready[0]:
print("Error: no cert chain reply was received!")
sock.close()
return
data, _ = sock.recvfrom(SCION_BUFLEN)
print("Received cert chain reply from local CS.")
cert_chain_reply = CertChainReply(data)
write_file(temp_file, cert_chain_reply.cert_chain.decode('utf-8'))
cert_chain = CertificateChain(temp_file)
assert cert_chain.verify('ISD:1-AD:16', trc, 0)
os.remove(temp_file)
sock.close()
