def __init__(self, server_id, conf_dir):
"""
:param str server_id: server identifier.
:param str conf_dir: configuration directory.
"""
super().__init__(server_id, conf_dir)
self.sendq = Queue()
sig_key_file = get_sig_key_file_path(self.conf_dir)
self.signing_key = base64.b64decode(read_file(sig_key_file))
self.segments = PathSegmentDB(max_res_no=1)
# Maps of {ISD-AS: {steady path id: steady path}} for all incoming
# (srcs) and outgoing (dests) steady paths:
self.srcs = {}
self.dests = {}
# Map of SibraState objects by interface ID
self.link_states = {}
# Map of link types by interface ID
self.link_types = {}
self.lock = threading.Lock()
self.CTRL_PLD_CLASS_MAP = {
PayloadClass.PATH: {
PMT.REG: self.handle_path_reg,
},
PayloadClass.SIBRA: {
SIBRAPayloadType.EMPTY: self.handle_sibra_pkt
},
}
self._find_links()
name_addrs = "\0".join(
[self.id, str(SCION_UDP_PORT),
str(self.addr.host)])
self.zk = Zookeeper(self.addr.isd_as, SIBRA_SERVICE, name_addrs,
self.topology.zookeepers)
self.zk.retry("Joining party", self.zk.party_setup)
def _gen_as_keys(self, topo_id, as_conf):
sig_pub, sig_priv = generate_sign_keypair()
enc_pub, enc_priv = generate_enc_keypair()
self.sig_priv_keys[topo_id] = sig_priv
self.sig_pub_keys[topo_id] = sig_pub
self.enc_pub_keys[topo_id] = enc_pub
self.enc_priv_keys[topo_id] = enc_priv
sig_path = get_sig_key_file_path("")
enc_path = get_enc_key_file_path("")
self.cert_files[topo_id][sig_path] = base64.b64encode(
sig_priv).decode()
self.cert_files[topo_id][enc_path] = base64.b64encode(
enc_priv).decode()
if self.is_core(as_conf):
# generate_sign_key_pair uses Ed25519
on_root_pub, on_root_priv = generate_sign_keypair()
off_root_pub, off_root_priv = generate_sign_keypair()
self.pub_online_root_keys[topo_id] = on_root_pub
self.priv_online_root_keys[topo_id] = on_root_priv
self.pub_offline_root_keys[topo_id] = off_root_pub
self.priv_offline_root_keys[topo_id] = off_root_priv
online_key_path = get_online_key_file_path("")
offline_key_path = get_offline_key_file_path("")
self.cert_files[topo_id][online_key_path] = \
base64.b64encode(on_root_priv).decode()
self.cert_files[topo_id][offline_key_path] = \
base64.b64encode(off_root_priv).decode()
def __init__(self, server_id, conf_dir):
"""
:param str server_id: server identifier.
:param str conf_dir: configuration directory.
"""
super().__init__(server_id, conf_dir)
# TODO: add 2 policies
self.path_policy = PathPolicy.from_file(
os.path.join(conf_dir, PATH_POLICY_FILE))
sig_key_file = get_sig_key_file_path(self.conf_dir)
self.signing_key = base64.b64decode(read_file(sig_key_file))
self.of_gen_key = kdf(self.config.master_as_key, b"Derive OF Key")
self.hashtree_gen_key = kdf(self.config.master_as_key,
b"Derive hashtree Key")
logging.info(self.config.__dict__)
self._hash_tree = None
self._hash_tree_lock = Lock()
self._next_tree = None
self._init_hash_tree()
self.ifid_state = {}
for ifid in self.ifid2br:
self.ifid_state[ifid] = InterfaceState()
self.ifid_state_lock = RLock()
self.CTRL_PLD_CLASS_MAP = {
PayloadClass.PCB: {
None: self.handle_pcb
},
PayloadClass.IFID: {
None: self.handle_ifid_packet
},
PayloadClass.CERT: {
CertMgmtType.CERT_CHAIN_REQ: self.process_cert_chain_request,
CertMgmtType.CERT_CHAIN_REPLY: self.process_cert_chain_reply,
CertMgmtType.TRC_REPLY: self.process_trc_reply,
CertMgmtType.TRC_REQ: self.process_trc_request,
},
PayloadClass.PATH: {
PMT.IFSTATE_REQ: self._handle_ifstate_request,
PMT.REVOCATION: self._handle_revocation,
},
}
self.SCMP_PLD_CLASS_MAP = {
SCMPClass.PATH: {
SCMPPathClass.REVOKED_IF: self._handle_scmp_revocation,
},
}
zkid = ZkID.from_values(self.addr.isd_as, self.id,
[(self.addr.host, self._port)]).pack()
self.zk = Zookeeper(self.addr.isd_as, BEACON_SERVICE, zkid,
self.topology.zookeepers)
self.zk.retry("Joining party", self.zk.party_setup)
self.pcb_cache = ZkSharedCache(self.zk, self.ZK_PCB_CACHE_PATH,
self._handle_pcbs_from_zk)
self.revobjs_cache = ZkSharedCache(self.zk, self.ZK_REVOCATIONS_PATH,
self.process_rev_objects)
self.local_rev_cache = ExpiringDict(
1000, HASHTREE_EPOCH_TIME + HASHTREE_EPOCH_TOLERANCE)
self._rev_seg_lock = RLock()
def __init__(self, server_id, conf_dir):
"""
:param str server_id: server identifier.
:param str conf_dir: configuration directory.
"""
super().__init__(server_id, conf_dir)
# TODO: add 2 policies
self.path_policy = PathPolicy.from_file(
os.path.join(conf_dir, PATH_POLICY_FILE))
self.unverified_beacons = deque()
self.trc_requests = {}
self.trcs = {}
sig_key_file = get_sig_key_file_path(self.conf_dir)
self.signing_key = base64.b64decode(read_file(sig_key_file))
self.of_gen_key = PBKDF2(self.config.master_as_key, b"Derive OF Key")
logging.info(self.config.__dict__)
self.if2rev_tokens = {}
self._if_rev_token_lock = threading.Lock()
self.revs_to_downstream = ExpiringDict(max_len=1000,
max_age_seconds=60)
self.ifid_state = {}
for ifid in self.ifid2er:
self.ifid_state[ifid] = InterfaceState()
self.CTRL_PLD_CLASS_MAP = {
PayloadClass.PCB: {
PCBType.SEGMENT: self.handle_pcb
},
PayloadClass.IFID: {
IFIDType.PAYLOAD: self.handle_ifid_packet
},
PayloadClass.CERT: {
CertMgmtType.CERT_CHAIN_REPLY: self.process_cert_chain_rep,
CertMgmtType.TRC_REPLY: self.process_trc_rep,
},
PayloadClass.PATH: {
PMT.IFSTATE_REQ: self._handle_ifstate_request
},
}
# Add more IPs here if we support dual-stack
name_addrs = "\0".join(
[self.id, str(SCION_UDP_PORT),
str(self.addr.host)])
self.zk = Zookeeper(self.addr.isd_as, BEACON_SERVICE, name_addrs,
self.topology.zookeepers)
self.zk.retry("Joining party", self.zk.party_setup)
self.incoming_pcbs = deque()
self.pcb_cache = ZkSharedCache(self.zk, self.ZK_PCB_CACHE_PATH,
self.process_pcbs)
self.revobjs_cache = ZkSharedCache(self.zk, self.ZK_REVOCATIONS_PATH,
self.process_rev_objects)
def _gen_as_keys(self, topo_id, as_conf):
sig_pub, sig_priv = generate_sign_keypair()
enc_pub, enc_priv = generate_enc_keypair()
self.sig_priv_keys[topo_id] = sig_priv
self.sig_pub_keys[topo_id] = sig_pub
self.enc_pub_keys[topo_id] = enc_pub
self.enc_priv_keys[topo_id] = enc_priv
sig_path = get_sig_key_file_path("")
enc_path = get_enc_key_file_path("")
self.cert_files[topo_id][sig_path] = base64.b64encode(
sig_priv).decode()
self.cert_files[topo_id][enc_path] = base64.b64encode(
enc_priv).decode()
def _create_ad_marking(self):
"""
Create an AD Marking with the given ingress and egress interfaces.
"""
hof = HopOpaqueField.from_values(1, 111, 222)
rev_token = HashChain(Random.new().read(32)).next_element()
pcbm = PCBMarking.from_values(1, 10, hof)
peer_markings = []
signing_key = read_file(get_sig_key_file_path(1, 10))
signing_key = base64.b64decode(signing_key)
data_to_sign = (b'11' + pcbm.hof.pack())
signature = sign(data_to_sign, signing_key)
return ADMarking.from_values(pcbm, peer_markings, rev_token, signature)
def test(self):
"""
Create a certificate chain and verify it with a TRC file. Sign a message
with the private key of the last certificate in the chain and verify it.
"""
cert10 = CertificateChain(get_cert_chain_file_path(1, 10, 1, 10, 0))
trc = TRC(get_trc_file_path(1, 10, 1, 0))
print('TRC verification', trc.verify())
print('Cert Chain verification:', cert10.verify('ISD:1-AD:10', trc, 0))
sig_priv10 = read_file(get_sig_key_file_path(1, 10))
sig_priv10 = base64.b64decode(sig_priv10)
msg = b'abcd'
sig = sign(msg, sig_priv10)
print('Sig test:', verify_sig_chain_trc(msg, sig, 'ISD:1-AD:10', cert10,
trc, 0))
sig_priv13 = read_file(get_sig_key_file_path(1, 13))
sig_priv13 = base64.b64decode(sig_priv13)
msg = b'abd'
sig = sign(msg, sig_priv13)
CertificateChain.from_values([])
print('Sig test 2:', verify_sig_chain_trc(msg, sig, 'ISD:1-AD:13',
cert10, trc, 0), '\n')
topology = Topology.from_file(
"topology/ISD1/topologies/ISD:1-AD:10.json")
src_addr = SCIONAddr.from_values(topology.isd_id, topology.ad_id,
IPv4Address("127.0.0.1"))
dst_addr = topology.certificate_servers[0].addr
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((str(src_addr.host_addr), SCION_UDP_PORT))
print("Sending TRC request (ISD:1-V:0) to local CS.")
msg = TRCRequest.from_values(
PT.TRC_REQ_LOCAL, src_addr,
topology.parent_border_routers[0].interface.if_id,
topology.isd_id, topology.ad_id, 1, 0).pack()
sock.sendto(msg, (str(dst_addr), SCION_UDP_PORT))
temp_file = './temp.txt'
timeout = 5
ready = select.select([sock], [], [], timeout)
if not ready[0]:
print("Error: no TRC reply was received!")
sock.close()
return
data, _ = sock.recvfrom(SCION_BUFLEN)
print("Received TRC reply from local CS.")
trc_reply = TRCReply(data)
write_file(temp_file, trc_reply.trc.decode('utf-8'))
trc = TRC(temp_file)
assert trc.verify()
print("Sending cert chain request (ISD:1-AD:16-V:0) to local CS.")
msg = CertChainRequest.from_values(
PT.CERT_CHAIN_REQ_LOCAL, src_addr,
topology.parent_border_routers[0].interface.if_id,
topology.isd_id, topology.ad_id, 1, 16, 0).pack()
sock.sendto(msg, (str(dst_addr), SCION_UDP_PORT))
ready = select.select([sock], [], [], timeout)
if not ready[0]:
print("Error: no cert chain reply was received!")
sock.close()
return
data, _ = sock.recvfrom(SCION_BUFLEN)
print("Received cert chain reply from local CS.")
cert_chain_reply = CertChainReply(data)
write_file(temp_file, cert_chain_reply.cert_chain.decode('utf-8'))
cert_chain = CertificateChain(temp_file)
assert cert_chain.verify('ISD:1-AD:16', trc, 0)
os.remove(temp_file)
sock.close()
