def _verify_drkey_reply(self, rep, meta):
"""
Verify that the first order DRKey reply is legit.
I.e. the signature matches, timestamp is recent.
:param DRKeyReply rep: the first order DRKey reply.
:param UDPMetadata meta: the metadata.
:returns Certificate of the responder.
:rtype: Certificate
:raises: SCIONVerificationError
"""
if meta and meta.ia != rep.isd_as:
raise SCIONVerificationError("Response from other ISD-AS: %s" % rep.isd_as)
if drkey_time() - rep.p.timestamp > DRKEY_REQUEST_TIMEOUT:
raise SCIONVerificationError("Expired reply from %s. %ss old. Max %ss" % (
rep.isd_as, drkey_time() - rep.p.timestamp, DRKEY_REQUEST_TIMEOUT))
trc = self.trust_store.get_trc(rep.isd_as[0])
chain = self.trust_store.get_cert(rep.isd_as, rep.p.certVerSrc)
err = []
if not chain:
self._send_cc_request(rep.isd_as, rep.p.certVerSrc)
err.append("Certificate not present for %s(v: %s)" % (rep.isd_as, rep.p.certVerSrc))
if not trc:
self._send_trc_request(rep.isd_as[0], rep.p.trcVer, rep.isd_as[1])
err.append("TRC not present for %s(v: %s)" % (rep.isd_as[0], rep.p.trcVer))
if err:
raise SCIONVerificationError(", ".join(err))
raw = get_signing_input_rep(rep.isd_as, rep.p.timestamp, rep.p.expTime, rep.p.cipher)
try:
verify_sig_chain_trc(raw, rep.p.signature, rep.isd_as, chain, trc)
except SCIONVerificationError as e:
raise SCIONVerificationError(str(e))
return chain.certs[0]
def _verify_drkey_request(self, req, meta):
"""
Verify that the first order DRKey request is legit.
I.e. the signature is valid, the correct ISD AS is queried, timestamp is recent.
:param DRKeyRequest req: the first order DRKey request.
:param UDPMetadata meta: the metadata.
:returns Certificate of the requester.
:rtype: Certificate
:raises: SCIONVerificationError
"""
if self.addr.isd_as != req.isd_as:
raise SCIONVerificationError("Request for other ISD-AS: %s" % req.isd_as)
if drkey_time() - req.p.timestamp > DRKEY_REQUEST_TIMEOUT:
raise SCIONVerificationError("Expired request from %s. %ss old. Max %ss" % (
meta.ia, drkey_time() - req.p.timestamp, DRKEY_REQUEST_TIMEOUT))
trc = self.trust_store.get_trc(meta.ia[0])
chain = self.trust_store.get_cert(meta.ia, req.p.certVer)
err = []
if not chain:
self._send_cc_request(meta.ia, req.p.certVer)
err.append("Certificate not present for %s(v: %s)" % (meta.ia, req.p.certVer))
if not trc:
self._send_trc_request(meta.ia[0], req.p.trcVer, meta.ia[1])
err.append("TRC not present for %s(v: %s)" % (meta.ia[0], req.p.trcVer))
if err:
raise SCIONVerificationError(", ".join(err))
raw = drkey_signing_input_req(req.isd_as, req.p.flags.prefetch, req.p.timestamp)
try:
verify_sig_chain_trc(raw, req.p.signature, meta.ia, chain, trc)
except SCIONVerificationError as e:
raise SCIONVerificationError(str(e))
return chain.certs[0]
def _verify_path_seg(self, seg_meta):
"""
Signature verification for all AS markings within this pcb/path segment.
This function is called, when all TRCs and CCs used within this pcb/path
segment are available.
"""
seg = seg_meta.seg
ver_seg = PathSegment.from_values(seg.info)
for asm in seg.iter_asms():
cert_ia = asm.isd_as()
trc = self.trust_store.get_trc(cert_ia[0], asm.p.trcVer)
chain = self.trust_store.get_cert(asm.isd_as(), asm.p.certVer)
ver_seg.add_asm(asm)
verify_sig_chain_trc(ver_seg.sig_pack3(), asm.p.sig, cert_ia, chain, trc)
def _verify_beacon(self, pcb):
"""
Once the necessary certificate and TRC files have been found, verify the
beacons.
:param pcb: path segment to verify.
:type pcb: PathSegment
"""
assert isinstance(pcb, PathSegment)
asm = pcb.asm(-1)
cert_ia = asm.isd_as()
trc = self.trust_store.get_trc(cert_ia[0], asm.p.trcVer)
return verify_sig_chain_trc(pcb.sig_pack3(), asm.p.sig, str(cert_ia),
asm.chain(), trc, asm.p.trcVer)
def _verify_path_seg(self, seg_meta):
"""
Signature verification for all AS markings within this pcb/path segment.
This function is called, when all TRCs and CCs used within this pcb/path
segment are available.
"""
seg = seg_meta.seg
ver_seg = PathSegment.from_values(seg.info)
for asm in seg.iter_asms():
cert_ia = asm.isd_as()
trc = self.trust_store.get_trc(cert_ia[0], asm.p.trcVer)
chain = self.trust_store.get_cert(asm.isd_as(), asm.p.certVer)
ver_seg.add_asm(asm)
if not verify_sig_chain_trc(ver_seg.sig_pack3(), asm.p.sig,
str(cert_ia), chain, trc, asm.p.trcVer):
logging.error("ASM verification failed: %s" % asm.short_desc())
return False
return True
