def request_missing_certs(self, seg_meta):
"""
For all missing CCs which are missing to verify this pcb/path segment,
request them. Request is sent to certificate server, if the
pcb/path segment was received by zk. Otherwise the sender of this
pcb/path segment is asked.
"""
missing_certs = set()
with seg_meta.miss_cert_lock:
missing_certs = seg_meta.missing_certs.copy()
if not missing_certs:
return
for isd_as, ver in missing_certs:
with self.req_certs_lock:
if (isd_as, ver) in self.requested_certs:
continue
self.requested_certs.add((isd_as, ver))
cert_req = CertChainRequest.from_values(isd_as, ver)
logging.info("Requesting %sv%s CERTCHAIN", isd_as, ver)
if not seg_meta.meta:
meta = self.get_cs()
if meta:
self.send_meta(cert_req, meta)
else:
self.send_meta(cert_req, seg_meta.meta)
def _request_missing_certs(self, seg_meta):
"""
For all missing CCs which are missing to verify this pcb/path segment,
request them. Request is sent to certificate server, if the
pcb/path segment was received by zk. Otherwise the sender of this
pcb/path segment is asked.
"""
missing_certs = set()
with seg_meta.miss_cert_lock:
missing_certs = seg_meta.missing_certs.copy()
if not missing_certs:
return
for isd_as, ver in missing_certs:
with self.req_certs_lock:
if (isd_as, ver) in self.requested_certs:
continue
cert_req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
meta = seg_meta.meta or self._get_cs()
if not meta:
logging.error("Couldn't find a CS to request CERTCHAIN for PCB %s",
seg_meta.seg.short_id())
continue
logging.info("Requesting %sv%s CERTCHAIN from %s for PCB %s",
isd_as, ver, meta, seg_meta.seg.short_id())
with self.req_certs_lock:
self.requested_certs[(isd_as, ver)] = (time.time(), meta)
self.send_meta(cert_req, meta)
def _send_cc_request(self, isd_as, ver):
req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
path_meta = self._get_path_via_api(isd_as)
if path_meta:
meta = self._build_meta(isd_as, host=SVCType.CS_A, path=path_meta.fwd_path())
self.send_meta(req, meta)
logging.info("Cert chain request sent to %s via [%s]: %s",
meta, path_meta.short_desc(), req.short_desc())
else:
logging.warning("Cert chain request (for %s) not sent: "
"no path found", req.short_desc())
def _fetch_cc(self, key, _):
isd_as, ver = key
req = CertChainRequest.from_values(isd_as, ver)
dst_addr, port = self._get_next_hop(isd_as, True)
req_pkt = self._build_packet(SVCType.CS_A, dst_ia=isd_as, payload=req)
if dst_addr:
self.send(req_pkt, dst_addr, port)
logging.info("Cert chain request sent: %s", req.short_desc())
else:
logging.warning("Cert chain request (for %s) not sent: "
"no destination found", req.short_desc())
def _check_cert_reqs(self):
"""
Checks if certificate requests timeout and resends requests if so.
"""
with self.req_certs_lock:
now = time.time()
for (isd_as, ver), (req_time, meta) in self.requested_certs.items():
if now - req_time >= self.TRC_CC_REQ_TIMEOUT:
cert_req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
logging.info("Re-Requesting CERTCHAIN from %s: %s", meta, cert_req.short_desc())
self.send_meta(cert_req, meta)
self.requested_certs[(isd_as, ver)] = (time.time(), meta)
def _send_cc_request(self, isd_as, ver):
req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
path_meta = self._get_path_via_sciond(isd_as)
if path_meta:
meta = self._build_meta(isd_as,
host=SVCType.CS_A,
path=path_meta.fwd_path())
req_id = mk_ctrl_req_id()
self.send_meta(CtrlPayload(CertMgmt(req), req_id=req_id), meta)
logging.info(
"Cert chain request sent to %s via [%s]: %s [id: %016x]", meta,
path_meta.short_desc(), req.short_desc(), req_id)
else:
logging.warning(
"Cert chain request (for %s) not sent: "
"no path found", req.short_desc())
def _check_local_cert(self):
while self.run_flag.is_set():
chain = self._get_my_cert()
exp = min(chain.as_cert.expiration_time,
chain.core_as_cert.expiration_time)
diff = exp - int(time.time())
if diff > self.config.segment_ttl:
time.sleep(diff - self.config.segment_ttl)
continue
cs_meta = self._get_cs()
req = CertChainRequest.from_values(self.addr.isd_as,
chain.as_cert.version + 1,
cache_only=True)
logging.info("Request new certificate chain. Req: %s", req)
self.send_meta(CtrlPayload(CertMgmt(req)), cs_meta)
cs_meta.close()
time.sleep(self.CERT_REQ_RATE)
def _check_cert_reqs(self):
"""
Checks if certificate requests timeout and resends requests if so.
"""
with self.req_certs_lock:
now = time.time()
for (isd_as, ver), (req_time, meta) in self.requested_certs.items():
if now - req_time >= self.TRC_CC_REQ_TIMEOUT:
cert_req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
meta = meta or self._get_cs()
req_id = mk_ctrl_req_id()
logging.info("Re-Requesting CERTCHAIN from %s: %s [id: %016x]",
meta, cert_req.short_desc(), req_id)
self.send_meta(CtrlPayload(CertMgmt(cert_req), req_id=req_id), meta)
self.requested_certs[(isd_as, ver)] = (time.time(), meta)
if self._labels:
PENDING_CERT_REQS_TOTAL.labels(**self._labels).set(
len(self.requested_certs))
def _request_missing_certs(self, seg_meta):
"""
For all missing CCs which are missing to verify this pcb/path segment,
request them. Request is sent to certificate server, if the
pcb/path segment was received by zk. Otherwise the sender of this
pcb/path segment is asked.
"""
missing_certs = set()
with seg_meta.miss_cert_lock:
missing_certs = seg_meta.missing_certs.copy()
if not missing_certs:
return
for isd_as, ver in missing_certs:
with self.req_certs_lock:
req_time, meta = self.requested_certs.get((isd_as, ver), (None, None))
if meta:
# There is already an outstanding request for the missing cert
# from somewhere else than than the local CS
if seg_meta.meta:
# Update the stored meta with the latest known server that has the cert.
self.requested_certs[(isd_as, ver)] = (req_time, seg_meta.meta)
continue
if req_time and not seg_meta.meta:
# There is already an outstanding request for the missing cert
# to the local CS and we don't have a new meta.
continue
cert_req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
meta = seg_meta.meta or self._get_cs()
if not meta:
logging.error("Couldn't find a CS to request CERTCHAIN for PCB %s",
seg_meta.seg.short_id())
continue
req_id = mk_ctrl_req_id()
logging.info("Requesting %sv%s CERTCHAIN from %s for PCB %s [id: %016x]",
isd_as, ver, meta, seg_meta.seg.short_id(), req_id)
with self.req_certs_lock:
self.requested_certs[(isd_as, ver)] = (time.time(), seg_meta.meta)
if self._labels:
PENDING_CERT_REQS_TOTAL.labels(**self._labels).set(len(self.requested_certs))
self.send_meta(CtrlPayload(CertMgmt(cert_req), req_id=req_id), meta)
def _create_payload(self, _):
if not self.cert_done:
return CertChainRequest.from_values(self.addr.isd_as, 0)
return TRCRequest.from_values(self.addr.isd_as, 0)
def _create_payload(self, _):
if not self.cert:
return CtrlPayload(CertMgmt(CertChainRequest.from_values(
self.dst_ia, CertChainRequest.NEWEST_VERSION)))
return CtrlPayload(
CertMgmt(TRCRequest.from_values(self.dst_ia[0], TRCRequest.NEWEST_VERSION)))