def _renewal_request(self, isd_as: scion_addr.ISD_AS, features=""): as_dir = self._to_as_dir(isd_as) csr = as_dir / "crypto/as/csr.json" logger.info("Generating CSR for: %s" % self._rel(csr)) template = { "common_name": "%s InfoSec Squad" % isd_as, "country": "CH", "isd_as": str(isd_as), } with open(csr, "w") as out: json.dump(template, out, indent=4) key = as_dir / "crypto/as/renewed.key" logger.info("Generating new private key: %s" % self._rel(key)) subprocess.run([ "openssl", "genpkey", "-algorithm", "EC", "-pkeyopt", "ec_paramgen_curve:P-256", "-pkeyopt", "ec_param_enc:named_curve", "-out", as_dir / "crypto/as/renewed.key", ]) docker_dir = pathlib.Path("/share") / self._rel(as_dir) chain = docker_dir / "crypto/as/renewed.pem" args = [ "--key", docker_dir / "crypto/as/renewed.key", "--transportkey", docker_dir / "crypto/as/cp-as.key", "--transportcert", docker_dir / ("crypto/as/ISD%s-AS%s.pem" % (isd_as.isd_str(), isd_as.as_file_fmt())), "--trc", docker_dir / "certs/ISD1-B1-S1.trc", "--out", chain, "--sciond", self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c", "echo $SCION_DAEMON").strip(), *self._local_flags(isd_as), ] if features: args += ["--features", features] logger.info("Requesting certificate chain renewal: %s" % chain.relative_to(docker_dir)) logger.info( self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certs", "renew", *args)) logger.info("Verify renewed certificate chain") verify_out = self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certs", "verify", chain, "--trc", "/share/gen/trcs/ISD1-B1-S1.trc") logger.info(str(verify_out).rstrip("\n"))
def _renewal_request(self, cs_config: LocalPath, isd_as: ISD_AS): cs_dir = cs_config.parent csr = cs_dir / 'crypto/as/csr.json' logger.info('Generating CSR for: %s' % rel(csr)) template = { 'common_name': '%s InfoSec Squad' % isd_as, 'country': 'CH', 'isd_as': str(isd_as), } with open(csr, 'w') as out: json.dump(template, out, indent=4) key = cs_dir / 'crypto/as/renewed.key' logger.info('Generating new private key: %s' % rel(key)) local['openssl']( 'genpkey', '-algorithm', 'EC', '-pkeyopt', 'ec_paramgen_curve:P-256', '-pkeyopt', 'ec_param_enc:named_curve', '-out', cs_dir / 'crypto/as/renewed.key', ) chain = cs_dir / 'crypto/as/renewed.pem' args = [ '--key', cs_dir / 'crypto/as/renewed.key', '--transportkey', cs_dir / 'crypto/as/cp-as.key', '--transportcert', cs_dir / ('crypto/as/ISD%s-AS%s.pem' % (isd_as.isd_str(), isd_as.as_file_fmt())), '--trc', cs_dir / 'certs/ISD1-B1-S1.trc', '--out', chain, '--sciond', sciond_addr(isd_as), ] if not self.no_docker: chain.touch() args += ['--local', self._disp_ip(cs_config.stem)] for i in range(len(args)): if isinstance(args[i], LocalPath): args[i] = str(args[i].relative_to(local.path('.'))) logger.info('Requesting certificate chain renewal: %s' % rel(chain)) logger.info( self.scion.execute(isd_as, './bin/scion-pki', 'certs', 'renew', *args)) logger.info('Verify renewed certificate chain') verify_out = local['./bin/scion-pki']('certs', 'verify', chain, '--trc', 'gen/trcs/ISD1-B1-S1.trc') logger.info(str(verify_out).rstrip('\n'))
def _ensure_uniq_ases(self): seen = set() for asStr in self.topo_config["ASes"]: ia = ISD_AS(asStr) if ia.as_str() in seen: logging.critical("Non-unique AS Id '%s'", ia.as_str()) sys.exit(1) seen.add(ia.as_str())
def _renewal_request( self, isd_as: scion_addr.ISD_AS, mode: str = "--force", ): as_dir = self._to_as_dir(isd_as) docker_dir = pathlib.Path("/share") / self._rel(as_dir) def read_file(filename: str) -> str: with open(as_dir / "crypto/as" / filename) as f: return f.read() chain_name = "ISD%s-AS%s.pem" % (isd_as.isd_str(), isd_as.as_file_fmt()) old_chain = read_file(chain_name) old_key = read_file("cp-as.key") chain = docker_dir / "crypto/as" / chain_name args = [ chain, docker_dir / "crypto/as/cp-as.key", mode, "--trc", docker_dir / "certs/ISD1-B1-S1.trc", "--sciond", self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c", "echo $SCION_DAEMON").strip(), *self._local_flags(isd_as), ] logger.info("Requesting certificate chain renewal: %s" % chain.relative_to(docker_dir)) logger.info( self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certificate", "renew", *args)) logger.info("Verify renewed certificate chain") verify_out = self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certificate", "verify", chain, "--trc", "/share/gen/trcs/ISD1-B1-S1.trc") logger.info(str(verify_out).rstrip("\n")) renewed_chain = read_file(chain_name) renewed_key = read_file("cp-as.key") if renewed_chain == old_chain: raise Exception( "renewed chain does not differ from previous chain") if renewed_key == old_key: raise Exception("renewed key does not differ from previous key")
def execute(self, isd_as: ISD_AS, cmd: str, *args: str) -> str: expanded = [] for arg in args: if str(arg).startswith('gen/'): arg = '/share/' + arg expanded.append(arg) return docker('exec', 'tester_%s' % isd_as.file_fmt(), cmd, *expanded)
def main(self): cs_configs = local.path('gen') // 'AS*/cs*.toml' isd_ases = [] logger.info('==> Start renewal process') for cs_config in cs_configs: isd_as = ISD_AS(cs_config.stem[2:len(cs_config.stem) - 2]) isd_ases.append(isd_as) logging.info('===> Start renewal: %s' % isd_as) self._renewal_request(cs_config, isd_as) logger.info('==> Remove original private keys') for cs_config in cs_configs: orig_key = cs_config.parent / 'crypto/as/cp-as.key' logger.info('Removing original private key for %s: %s' % (isd_as, rel(orig_key))) orig_key.delete() logger.info('==> Check key and certificate reloads') self._check_key_cert(cs_configs) logger.info("==> Check connectivity") self.scion.run_end2end() logger.info('==> Shutting down control servers and purging caches') for cs_config in cs_configs: files = local.path('gen-cache') // ('%s*' % cs_config.stem) for db_file in files: db_file.delete() logger.info('Deleted files: %s' % [file.name for file in files]) self.scion.run() time.sleep(5) logger.info('==> Check connectivity') self.scion.run_end2end()
def _local_flags(self, isd_as: scion_addr.ISD_AS) -> List[str]: return [ "--local", self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c", "echo $SCION_LOCAL_ADDR").strip(), ]
def _to_as_dir(self, isd_as: scion_addr.ISD_AS) -> pathlib.Path: return pathlib.Path("%s/gen/AS%s" % (self.test_state.artifacts, isd_as.as_file_fmt()))