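def _verify_drkey_reply(self, rep, meta):
    """Verify that a first-order DRKey reply is legitimate.

    Checks, in order: the reply comes from the ISD-AS it claims to be from
    (only when ``meta`` is given), it is not older than
    ``DRKEY_REQUEST_TIMEOUT``, the responder's certificate chain and TRC are
    in the local trust store, and the signature over the reply fields
    verifies against that chain.

    :param DRKeyReply rep: the first order DRKey reply.
    :param UDPMetadata meta: metadata of the received packet, or None.
    :returns: Certificate of the responder (leaf of the verified chain).
    :rtype: Certificate
    :raises SCIONVerificationError: on any failed check; when the chain or
        TRC is missing, a fetch for it is triggered before raising.
    """
    # Origin check. NOTE(review): when meta is None this check is skipped
    # entirely. The signature check below still binds the reply to
    # rep.isd_as's certificate, but a reply relayed from another address
    # is not detected here -- confirm callers always pass meta for
    # replies received from the network.
    if meta and meta.ia != rep.isd_as:
        raise SCIONVerificationError("Response from other ISD-AS: %s" % rep.isd_as)
    # Sample the clock once so the check and the error message agree.
    # Only staleness is rejected: a timestamp in the future (negative age)
    # passes, so clock skew has to be bounded elsewhere.
    age = drkey_time() - rep.p.timestamp
    if age > DRKEY_REQUEST_TIMEOUT:
        raise SCIONVerificationError("Expired reply from %s. %ss old. Max %ss" % (
            rep.isd_as, age, DRKEY_REQUEST_TIMEOUT))
    # NOTE(review): the TRC is looked up unversioned here, while the
    # fallback request below asks for rep.p.trcVer specifically (and the
    # path-segment verifiers in this file look TRCs up by version).
    # Confirm that verifying against the store's default TRC is intended.
    trc = self.trust_store.get_trc(rep.isd_as[0])
    chain = self.trust_store.get_cert(rep.isd_as, rep.p.certVerSrc)
    err = []
    if not chain:
        # The version numbers come from the still-unverified reply, so
        # this fetch is driven by unauthenticated input.
        self._send_cc_request(rep.isd_as, rep.p.certVerSrc)
        err.append("Certificate not present for %s(v: %s)" % (rep.isd_as, rep.p.certVerSrc))
    if not trc:
        self._send_trc_request(rep.isd_as[0], rep.p.trcVer, rep.isd_as[1])
        err.append("TRC not present for %s(v: %s)" % (rep.isd_as[0], rep.p.trcVer))
    if err:
        raise SCIONVerificationError(", ".join(err))
    # Signed fields: responder ISD-AS, timestamp, expTime and the cipher
    # field (presumably the encrypted key material). expTime is signed
    # but not compared with the clock here -- presumably enforced where
    # the key is stored; confirm.
    raw = get_signing_input_rep(rep.isd_as, rep.p.timestamp, rep.p.expTime, rep.p.cipher)
    try:
        verify_sig_chain_trc(raw, rep.p.signature, rep.isd_as, chain, trc)
    except SCIONVerificationError as e:
        # Normalise to the base type but keep the original failure as the
        # explicit cause so it stays visible in the traceback.
        raise SCIONVerificationError(str(e)) from e
    return chain.certs[0]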
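def _verify_drkey_request(self, req, meta):
    """Verify that a first-order DRKey request is legitimate.

    Checks, in order: the request is addressed to this AS, it is not older
    than ``DRKEY_REQUEST_TIMEOUT``, the requester's certificate chain and TRC
    are in the local trust store, and the signature verifies against that
    chain. The requester's identity is taken from ``meta.ia`` (the packet
    source), not from a signed field.

    :param DRKeyRequest req: the first order DRKey request.
    :param UDPMetadata meta: metadata of the received packet (required; it
        is dereferenced unconditionally).
    :returns: Certificate of the requester (leaf of the verified chain).
    :rtype: Certificate
    :raises SCIONVerificationError: on any failed check; when the chain or
        TRC is missing, a fetch for it is triggered before raising.
    """
    if self.addr.isd_as != req.isd_as:
        raise SCIONVerificationError("Request for other ISD-AS: %s" % req.isd_as)
    # Single clock sample so the check and the message agree. Only
    # staleness is rejected: a future timestamp (negative age) passes, and
    # nothing in this method prevents replay of a request within the window.
    age = drkey_time() - req.p.timestamp
    if age > DRKEY_REQUEST_TIMEOUT:
        raise SCIONVerificationError("Expired request from %s. %ss old. Max %ss" % (
            meta.ia, age, DRKEY_REQUEST_TIMEOUT))
    # NOTE(review): unversioned TRC lookup, while the fallback below
    # requests req.p.trcVer specifically -- confirm this is intended.
    trc = self.trust_store.get_trc(meta.ia[0])
    chain = self.trust_store.get_cert(meta.ia, req.p.certVer)
    err = []
    if not chain:
        # The version numbers come from the still-unverified request, so
        # this fetch is driven by unauthenticated input.
        self._send_cc_request(meta.ia, req.p.certVer)
        err.append("Certificate not present for %s(v: %s)" % (meta.ia, req.p.certVer))
    if not trc:
        self._send_trc_request(meta.ia[0], req.p.trcVer, meta.ia[1])
        err.append("TRC not present for %s(v: %s)" % (meta.ia[0], req.p.trcVer))
    if err:
        raise SCIONVerificationError(", ".join(err))
    # Signed fields: target ISD-AS, prefetch flag, timestamp. The source
    # ISD-AS is not part of the signing input; it is bound only through
    # the chain (meta.ia's certificate) the signature is checked against.
    raw = drkey_signing_input_req(req.isd_as, req.p.flags.prefetch, req.p.timestamp)
    try:
        verify_sig_chain_trc(raw, req.p.signature, meta.ia, chain, trc)
    except SCIONVerificationError as e:
        # Normalise to the base type but keep the original failure as the
        # explicit cause so it stays visible in the traceback.
        raise SCIONVerificationError(str(e)) from e
    return chain.certs[0]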
def _verify_path_seg(self, seg_meta):
    """Verify the signature of every AS marking in a path segment / PCB.

    Intended to run only once every TRC and certificate chain referenced by
    the segment is present in the trust store; a lookup that misses is
    handed to the verifier as None rather than rejected here.

    Each ASM's signature is checked over ``sig_pack3()`` of the segment
    rebuilt up to and including that ASM, so the segment is reassembled
    incrementally. No return value is inspected: a failure is assumed to
    surface as an exception from ``verify_sig_chain_trc``.

    :param seg_meta: holder of the segment to verify (``seg_meta.seg``).
    """
    segment = seg_meta.seg
    rebuilt = PathSegment.from_values(segment.info)
    for marking in segment.iter_asms():
        signer_ia = marking.isd_as()
        # Both lookups are keyed by the versions the (unverified) ASM
        # declares about itself.
        signer_trc = self.trust_store.get_trc(signer_ia[0], marking.p.trcVer)
        signer_chain = self.trust_store.get_cert(marking.isd_as(), marking.p.certVer)
        rebuilt.add_asm(marking)
        verify_sig_chain_trc(rebuilt.sig_pack3(), marking.p.sig, signer_ia,
                             signer_chain, signer_trc)
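def _verify_beacon(self, pcb):
    """Verify the signature of the last AS marking of a beacon.

    Meant to run once the TRC referenced by the beacon is in the trust
    store. Only ``pcb.asm(-1)`` is verified here (presumably the marking
    appended by the neighbour that sent the beacon; earlier markings are
    not re-checked). The certificate chain used is the one carried in that
    ASM itself (``asm.chain()``), so trust rests on the TRC lookup.

    :param pcb: path segment to verify.
    :type pcb: PathSegment
    :returns: the result of ``verify_sig_chain_trc`` (truthy on success),
        or False when the TRC or the chain needed for verification is
        missing.
    """
    import logging

    # Debugging aid only: assert is stripped under -O and is not input
    # validation.
    assert isinstance(pcb, PathSegment)
    asm = pcb.asm(-1)
    cert_ia = asm.isd_as()
    # The TRC version and the chain both come from the not-yet-verified
    # beacon; the trust store decides whether such a TRC exists.
    trc = self.trust_store.get_trc(cert_ia[0], asm.p.trcVer)
    chain = asm.chain()
    if not trc or not chain:
        # Fail closed instead of handing None to the verifier.
        logging.error("Cannot verify beacon from %s: missing %s (trcVer %s)",
                      cert_ia, "TRC" if not trc else "certificate chain", asm.p.trcVer)
        return False
    return verify_sig_chain_trc(pcb.sig_pack3(), asm.p.sig, str(cert_ia), chain, trc,
                                asm.p.trcVer)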
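def _verify_path_seg(self, seg_meta):
    """Verify the signature of every AS marking in a path segment / PCB.

    Intended to run only once every TRC and certificate chain referenced by
    the segment is present in the trust store. Each ASM's signature is
    checked over ``sig_pack3()`` of the segment rebuilt up to and including
    that ASM, so the segment is reassembled incrementally.

    :param seg_meta: holder of the segment to verify (``seg_meta.seg``).
    :returns: True when every ASM verifies (vacuously True for a segment
        with no ASMs), False on the first ASM whose TRC or chain is missing
        or whose signature does not verify.
    """
    seg = seg_meta.seg
    ver_seg = PathSegment.from_values(seg.info)
    for asm in seg.iter_asms():
        cert_ia = asm.isd_as()
        # Both lookups are keyed by the versions the (unverified) ASM
        # declares about itself.
        trc = self.trust_store.get_trc(cert_ia[0], asm.p.trcVer)
        chain = self.trust_store.get_cert(asm.isd_as(), asm.p.certVer)
        if not trc or not chain:
            # Fail closed instead of handing None to the verifier.
            logging.error("ASM verification failed: %s (missing %s)",
                          asm.short_desc(), "TRC" if not trc else "certificate chain")
            return False
        ver_seg.add_asm(asm)
        if not verify_sig_chain_trc(ver_seg.sig_pack3(), asm.p.sig, str(cert_ia), chain, trc,
                                    asm.p.trcVer):
            logging.error("ASM verification failed: %s" % asm.short_desc())
            return False
    return True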