def _fetch_drkey(self, drkey, _):
"""
Fetch missing first order DRKey with the same (SrcIA, DstIA, expTime).
:param FirstOrderDRKey drkey: The missing DRKey.
"""
cert = self.trust_store.get_cert(self.addr.isd_as)
trc = self.trust_store.get_trc(self.addr.isd_as[0])
if not cert or not trc:
logging.warning(
"DRKeyRequest for %s not sent. Own CertChain/TRC not present.",
drkey.src_ia)
return
req = get_drkey_request(drkey.src_ia, False, self.signing_key,
cert.certs[0].version, trc.version)
path_meta = self._get_path_via_sciond(drkey.src_ia)
if path_meta:
meta = self._build_meta(drkey.src_ia,
host=SVCType.CS_A,
path=path_meta.fwd_path())
req_id = mk_ctrl_req_id()
self.send_meta(CtrlPayload(DRKeyMgmt(req)), meta)
logging.info("DRKeyRequest (%s) sent to %s via %s [id: %016x]",
req.short_desc(), meta, path_meta, req_id)
else:
logging.warning("DRKeyRequest (for %s) not sent", req.short_desc())
def _fetch_segments(self, req):
"""
Called to fetch the requested path.
"""
try:
addr, port = self.dns_query_topo(ServiceType.PS)[0]
except SCIONServiceLookupError:
log_exception("Error querying path service:")
return
req_id = mk_ctrl_req_id()
logging.debug("Sending path request (%s) to [%s]:%s [id: %016x]",
req.short_desc(), addr, port, req_id)
meta = self._build_meta(host=addr, port=port)
self.send_meta(CtrlPayload(PathMgmt(req), req_id=req_id), meta)
def _send_trc_request(self, isd, ver):
trc_req = TRCRequest.from_values(isd, ver, cache_only=True)
path_meta = self._get_path_via_sciond(trc_req.isd_as())
if path_meta:
meta = self._build_meta(path_meta.dst_ia(),
host=SVCType.CS_A,
path=path_meta.fwd_path())
req_id = mk_ctrl_req_id()
self.send_meta(CtrlPayload(CertMgmt(trc_req), req_id=req_id), meta)
logging.info("TRC request sent to %s via [%s]: %s [id: %016x]",
meta, path_meta.short_desc(), trc_req.short_desc(),
req_id)
else:
logging.warning("TRC request not sent for %s: no path found.",
trc_req.short_desc())
def _send_cc_request(self, isd_as, ver):
req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
path_meta = self._get_path_via_sciond(isd_as)
if path_meta:
meta = self._build_meta(isd_as,
host=SVCType.CS_A,
path=path_meta.fwd_path())
req_id = mk_ctrl_req_id()
self.send_meta(CtrlPayload(CertMgmt(req), req_id=req_id), meta)
logging.info(
"Cert chain request sent to %s via [%s]: %s [id: %016x]", meta,
path_meta.short_desc(), req.short_desc(), req_id)
else:
logging.warning(
"Cert chain request (for %s) not sent: "
"no path found", req.short_desc())
def _send_waiting_queries(self, dst_isd, pcb):
targets = self.waiting_targets[dst_isd]
if not targets:
return
path = pcb.get_path(reverse_direction=True)
src_ia = pcb.first_ia()
while targets:
(seg_req, logger) = targets.pop(0)
meta = self._build_meta(ia=src_ia,
path=path,
host=SVCType.PS_A,
reuse=True)
req_id = mk_ctrl_req_id()
self.send_meta(CtrlPayload(PathMgmt(seg_req), req_id=req_id), meta)
logger.info("Waiting request (%s) sent to %s via %s [id: %016x]",
seg_req.short_desc(), meta, pcb.short_desc(), req_id)
def _check_trc_reqs(self):
"""
Checks if TRC requests timeout and resends requests if so.
"""
with self.req_trcs_lock:
now = time.time()
for (isd, ver), (req_time, meta) in self.requested_trcs.items():
if now - req_time >= self.TRC_CC_REQ_TIMEOUT:
trc_req = TRCRequest.from_values(isd, ver, cache_only=True)
meta = meta or self._get_cs()
req_id = mk_ctrl_req_id()
logging.info("Re-Requesting TRC from %s: %s [id: %016x]",
meta, trc_req.short_desc(), req_id)
self.send_meta(CtrlPayload(CertMgmt(trc_req), req_id=req_id), meta)
self.requested_trcs[(isd, ver)] = (time.time(), meta)
if self._labels:
PENDING_TRC_REQS_TOTAL.labels(**self._labels).set(len(self.requested_trcs))
def _check_cert_reqs(self):
"""
Checks if certificate requests timeout and resends requests if so.
"""
with self.req_certs_lock:
now = time.time()
for (isd_as, ver), (req_time, meta) in self.requested_certs.items():
if now - req_time >= self.TRC_CC_REQ_TIMEOUT:
cert_req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
meta = meta or self._get_cs()
req_id = mk_ctrl_req_id()
logging.info("Re-Requesting CERTCHAIN from %s: %s [id: %016x]",
meta, cert_req.short_desc(), req_id)
self.send_meta(CtrlPayload(CertMgmt(cert_req), req_id=req_id), meta)
self.requested_certs[(isd_as, ver)] = (time.time(), meta)
if self._labels:
PENDING_CERT_REQS_TOTAL.labels(**self._labels).set(
len(self.requested_certs))
def _request_missing_certs(self, seg_meta):
"""
For all missing CCs which are missing to verify this pcb/path segment,
request them. Request is sent to certificate server, if the
pcb/path segment was received by zk. Otherwise the sender of this
pcb/path segment is asked.
"""
missing_certs = set()
with seg_meta.miss_cert_lock:
missing_certs = seg_meta.missing_certs.copy()
if not missing_certs:
return
for isd_as, ver in missing_certs:
with self.req_certs_lock:
req_time, meta = self.requested_certs.get((isd_as, ver), (None, None))
if meta:
# There is already an outstanding request for the missing cert
# from somewhere else than than the local CS
if seg_meta.meta:
# Update the stored meta with the latest known server that has the cert.
self.requested_certs[(isd_as, ver)] = (req_time, seg_meta.meta)
continue
if req_time and not seg_meta.meta:
# There is already an outstanding request for the missing cert
# to the local CS and we don't have a new meta.
continue
cert_req = CertChainRequest.from_values(isd_as, ver, cache_only=True)
meta = seg_meta.meta or self._get_cs()
if not meta:
logging.error("Couldn't find a CS to request CERTCHAIN for PCB %s",
seg_meta.seg.short_id())
continue
req_id = mk_ctrl_req_id()
logging.info("Requesting %sv%s CERTCHAIN from %s for PCB %s [id: %016x]",
isd_as, ver, meta, seg_meta.seg.short_id(), req_id)
with self.req_certs_lock:
self.requested_certs[(isd_as, ver)] = (time.time(), seg_meta.meta)
if self._labels:
PENDING_CERT_REQS_TOTAL.labels(**self._labels).set(len(self.requested_certs))
self.send_meta(CtrlPayload(CertMgmt(cert_req), req_id=req_id), meta)
