def _renewal_request(self, isd_as: scion_addr.ISD_AS, features=""):
as_dir = self._to_as_dir(isd_as)
csr = as_dir / "crypto/as/csr.json"
logger.info("Generating CSR for: %s" % self._rel(csr))
template = {
"common_name": "%s InfoSec Squad" % isd_as,
"country": "CH",
"isd_as": str(isd_as),
}
with open(csr, "w") as out:
json.dump(template, out, indent=4)
key = as_dir / "crypto/as/renewed.key"
logger.info("Generating new private key: %s" % self._rel(key))
subprocess.run([
"openssl",
"genpkey",
"-algorithm",
"EC",
"-pkeyopt",
"ec_paramgen_curve:P-256",
"-pkeyopt",
"ec_param_enc:named_curve",
"-out",
as_dir / "crypto/as/renewed.key",
])
docker_dir = pathlib.Path("/share") / self._rel(as_dir)
chain = docker_dir / "crypto/as/renewed.pem"
args = [
"--key",
docker_dir / "crypto/as/renewed.key",
"--transportkey",
docker_dir / "crypto/as/cp-as.key",
"--transportcert",
docker_dir / ("crypto/as/ISD%s-AS%s.pem" %
(isd_as.isd_str(), isd_as.as_file_fmt())),
"--trc",
docker_dir / "certs/ISD1-B1-S1.trc",
"--out",
chain,
"--sciond",
self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c",
"echo $SCION_DAEMON").strip(),
*self._local_flags(isd_as),
]
if features:
args += ["--features", features]
logger.info("Requesting certificate chain renewal: %s" %
chain.relative_to(docker_dir))
logger.info(
self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki",
"certs", "renew", *args))
logger.info("Verify renewed certificate chain")
verify_out = self.execute("tester_%s" % isd_as.file_fmt(),
"./bin/scion-pki", "certs", "verify", chain,
"--trc", "/share/gen/trcs/ISD1-B1-S1.trc")
logger.info(str(verify_out).rstrip("\n"))
def _renewal_request(self, cs_config: LocalPath, isd_as: ISD_AS):
cs_dir = cs_config.parent
csr = cs_dir / 'crypto/as/csr.json'
logger.info('Generating CSR for: %s' % rel(csr))
template = {
'common_name': '%s InfoSec Squad' % isd_as,
'country': 'CH',
'isd_as': str(isd_as),
}
with open(csr, 'w') as out:
json.dump(template, out, indent=4)
key = cs_dir / 'crypto/as/renewed.key'
logger.info('Generating new private key: %s' % rel(key))
local['openssl'](
'genpkey',
'-algorithm',
'EC',
'-pkeyopt',
'ec_paramgen_curve:P-256',
'-pkeyopt',
'ec_param_enc:named_curve',
'-out',
cs_dir / 'crypto/as/renewed.key',
)
chain = cs_dir / 'crypto/as/renewed.pem'
args = [
'--key',
cs_dir / 'crypto/as/renewed.key',
'--transportkey',
cs_dir / 'crypto/as/cp-as.key',
'--transportcert',
cs_dir / ('crypto/as/ISD%s-AS%s.pem' %
(isd_as.isd_str(), isd_as.as_file_fmt())),
'--trc',
cs_dir / 'certs/ISD1-B1-S1.trc',
'--out',
chain,
'--sciond',
sciond_addr(isd_as),
]
if not self.no_docker:
chain.touch()
args += ['--local', self._disp_ip(cs_config.stem)]
for i in range(len(args)):
if isinstance(args[i], LocalPath):
args[i] = str(args[i].relative_to(local.path('.')))
logger.info('Requesting certificate chain renewal: %s' % rel(chain))
logger.info(
self.scion.execute(isd_as, './bin/scion-pki', 'certs', 'renew',
*args))
logger.info('Verify renewed certificate chain')
verify_out = local['./bin/scion-pki']('certs', 'verify', chain,
'--trc',
'gen/trcs/ISD1-B1-S1.trc')
logger.info(str(verify_out).rstrip('\n'))
def _ensure_uniq_ases(self):
seen = set()
for asStr in self.topo_config["ASes"]:
ia = ISD_AS(asStr)
if ia.as_str() in seen:
logging.critical("Non-unique AS Id '%s'", ia.as_str())
sys.exit(1)
seen.add(ia.as_str())
def _renewal_request(
self,
isd_as: scion_addr.ISD_AS,
mode: str = "--force",
):
as_dir = self._to_as_dir(isd_as)
docker_dir = pathlib.Path("/share") / self._rel(as_dir)
def read_file(filename: str) -> str:
with open(as_dir / "crypto/as" / filename) as f:
return f.read()
chain_name = "ISD%s-AS%s.pem" % (isd_as.isd_str(),
isd_as.as_file_fmt())
old_chain = read_file(chain_name)
old_key = read_file("cp-as.key")
chain = docker_dir / "crypto/as" / chain_name
args = [
chain,
docker_dir / "crypto/as/cp-as.key",
mode,
"--trc",
docker_dir / "certs/ISD1-B1-S1.trc",
"--sciond",
self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c",
"echo $SCION_DAEMON").strip(),
*self._local_flags(isd_as),
]
logger.info("Requesting certificate chain renewal: %s" %
chain.relative_to(docker_dir))
logger.info(
self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki",
"certificate", "renew", *args))
logger.info("Verify renewed certificate chain")
verify_out = self.execute("tester_%s" % isd_as.file_fmt(),
"./bin/scion-pki", "certificate", "verify",
chain, "--trc",
"/share/gen/trcs/ISD1-B1-S1.trc")
logger.info(str(verify_out).rstrip("\n"))
renewed_chain = read_file(chain_name)
renewed_key = read_file("cp-as.key")
if renewed_chain == old_chain:
raise Exception(
"renewed chain does not differ from previous chain")
if renewed_key == old_key:
raise Exception("renewed key does not differ from previous key")
def execute(self, isd_as: ISD_AS, cmd: str, *args: str) -> str:
expanded = []
for arg in args:
if str(arg).startswith('gen/'):
arg = '/share/' + arg
expanded.append(arg)
return docker('exec', 'tester_%s' % isd_as.file_fmt(), cmd, *expanded)
def main(self):
cs_configs = local.path('gen') // 'AS*/cs*.toml'
isd_ases = []
logger.info('==> Start renewal process')
for cs_config in cs_configs:
isd_as = ISD_AS(cs_config.stem[2:len(cs_config.stem) - 2])
isd_ases.append(isd_as)
logging.info('===> Start renewal: %s' % isd_as)
self._renewal_request(cs_config, isd_as)
logger.info('==> Remove original private keys')
for cs_config in cs_configs:
orig_key = cs_config.parent / 'crypto/as/cp-as.key'
logger.info('Removing original private key for %s: %s' %
(isd_as, rel(orig_key)))
orig_key.delete()
logger.info('==> Check key and certificate reloads')
self._check_key_cert(cs_configs)
logger.info("==> Check connectivity")
self.scion.run_end2end()
logger.info('==> Shutting down control servers and purging caches')
for cs_config in cs_configs:
files = local.path('gen-cache') // ('%s*' % cs_config.stem)
for db_file in files:
db_file.delete()
logger.info('Deleted files: %s' % [file.name for file in files])
self.scion.run()
time.sleep(5)
logger.info('==> Check connectivity')
self.scion.run_end2end()
def _local_flags(self, isd_as: scion_addr.ISD_AS) -> List[str]:
return [
"--local",
self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c",
"echo $SCION_LOCAL_ADDR").strip(),
]
def _to_as_dir(self, isd_as: scion_addr.ISD_AS) -> pathlib.Path:
return pathlib.Path("%s/gen/AS%s" %
(self.test_state.artifacts, isd_as.as_file_fmt()))