def _renewal_request(self, isd_as: scion_addr.ISD_AS, features=""): as_dir = self._to_as_dir(isd_as) csr = as_dir / "crypto/as/csr.json" logger.info("Generating CSR for: %s" % self._rel(csr)) template = { "common_name": "%s InfoSec Squad" % isd_as, "country": "CH", "isd_as": str(isd_as), } with open(csr, "w") as out: json.dump(template, out, indent=4) key = as_dir / "crypto/as/renewed.key" logger.info("Generating new private key: %s" % self._rel(key)) subprocess.run([ "openssl", "genpkey", "-algorithm", "EC", "-pkeyopt", "ec_paramgen_curve:P-256", "-pkeyopt", "ec_param_enc:named_curve", "-out", as_dir / "crypto/as/renewed.key", ]) docker_dir = pathlib.Path("/share") / self._rel(as_dir) chain = docker_dir / "crypto/as/renewed.pem" args = [ "--key", docker_dir / "crypto/as/renewed.key", "--transportkey", docker_dir / "crypto/as/cp-as.key", "--transportcert", docker_dir / ("crypto/as/ISD%s-AS%s.pem" % (isd_as.isd_str(), isd_as.as_file_fmt())), "--trc", docker_dir / "certs/ISD1-B1-S1.trc", "--out", chain, "--sciond", self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c", "echo $SCION_DAEMON").strip(), *self._local_flags(isd_as), ] if features: args += ["--features", features] logger.info("Requesting certificate chain renewal: %s" % chain.relative_to(docker_dir)) logger.info( self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certs", "renew", *args)) logger.info("Verify renewed certificate chain") verify_out = self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certs", "verify", chain, "--trc", "/share/gen/trcs/ISD1-B1-S1.trc") logger.info(str(verify_out).rstrip("\n"))
def _renewal_request(self, cs_config: LocalPath, isd_as: ISD_AS): cs_dir = cs_config.parent csr = cs_dir / 'crypto/as/csr.json' logger.info('Generating CSR for: %s' % rel(csr)) template = { 'common_name': '%s InfoSec Squad' % isd_as, 'country': 'CH', 'isd_as': str(isd_as), } with open(csr, 'w') as out: json.dump(template, out, indent=4) key = cs_dir / 'crypto/as/renewed.key' logger.info('Generating new private key: %s' % rel(key)) local['openssl']( 'genpkey', '-algorithm', 'EC', '-pkeyopt', 'ec_paramgen_curve:P-256', '-pkeyopt', 'ec_param_enc:named_curve', '-out', cs_dir / 'crypto/as/renewed.key', ) chain = cs_dir / 'crypto/as/renewed.pem' args = [ '--key', cs_dir / 'crypto/as/renewed.key', '--transportkey', cs_dir / 'crypto/as/cp-as.key', '--transportcert', cs_dir / ('crypto/as/ISD%s-AS%s.pem' % (isd_as.isd_str(), isd_as.as_file_fmt())), '--trc', cs_dir / 'certs/ISD1-B1-S1.trc', '--out', chain, '--sciond', sciond_addr(isd_as), ] if not self.no_docker: chain.touch() args += ['--local', self._disp_ip(cs_config.stem)] for i in range(len(args)): if isinstance(args[i], LocalPath): args[i] = str(args[i].relative_to(local.path('.'))) logger.info('Requesting certificate chain renewal: %s' % rel(chain)) logger.info( self.scion.execute(isd_as, './bin/scion-pki', 'certs', 'renew', *args)) logger.info('Verify renewed certificate chain') verify_out = local['./bin/scion-pki']('certs', 'verify', chain, '--trc', 'gen/trcs/ISD1-B1-S1.trc') logger.info(str(verify_out).rstrip('\n'))
def _renewal_request( self, isd_as: scion_addr.ISD_AS, mode: str = "--force", ): as_dir = self._to_as_dir(isd_as) docker_dir = pathlib.Path("/share") / self._rel(as_dir) def read_file(filename: str) -> str: with open(as_dir / "crypto/as" / filename) as f: return f.read() chain_name = "ISD%s-AS%s.pem" % (isd_as.isd_str(), isd_as.as_file_fmt()) old_chain = read_file(chain_name) old_key = read_file("cp-as.key") chain = docker_dir / "crypto/as" / chain_name args = [ chain, docker_dir / "crypto/as/cp-as.key", mode, "--trc", docker_dir / "certs/ISD1-B1-S1.trc", "--sciond", self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c", "echo $SCION_DAEMON").strip(), *self._local_flags(isd_as), ] logger.info("Requesting certificate chain renewal: %s" % chain.relative_to(docker_dir)) logger.info( self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certificate", "renew", *args)) logger.info("Verify renewed certificate chain") verify_out = self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certificate", "verify", chain, "--trc", "/share/gen/trcs/ISD1-B1-S1.trc") logger.info(str(verify_out).rstrip("\n")) renewed_chain = read_file(chain_name) renewed_key = read_file("cp-as.key") if renewed_chain == old_chain: raise Exception( "renewed chain does not differ from previous chain") if renewed_key == old_key: raise Exception("renewed key does not differ from previous key")
def _to_as_dir(self, isd_as: scion_addr.ISD_AS) -> pathlib.Path: return pathlib.Path("%s/gen/AS%s" % (self.test_state.artifacts, isd_as.as_file_fmt()))