def __init__(self, server_id, conf_dir): """ :param str server_id: server identifier. :param str conf_dir: configuration directory. """ super().__init__(server_id, conf_dir) self.sendq = Queue() sig_key_file = get_sig_key_file_path(self.conf_dir) self.signing_key = base64.b64decode(read_file(sig_key_file)) self.segments = PathSegmentDB(max_res_no=1) # Maps of {ISD-AS: {steady path id: steady path}} for all incoming # (srcs) and outgoing (dests) steady paths: self.srcs = {} self.dests = {} # Map of SibraState objects by interface ID self.link_states = {} # Map of link types by interface ID self.link_types = {} self.lock = threading.Lock() self.CTRL_PLD_CLASS_MAP = { PayloadClass.PATH: { PMT.REG: self.handle_path_reg, }, PayloadClass.SIBRA: { SIBRAPayloadType.EMPTY: self.handle_sibra_pkt }, } self._find_links() name_addrs = "\0".join( [self.id, str(SCION_UDP_PORT), str(self.addr.host)]) self.zk = Zookeeper(self.addr.isd_as, SIBRA_SERVICE, name_addrs, self.topology.zookeepers) self.zk.retry("Joining party", self.zk.party_setup)
def _gen_as_keys(self, topo_id, as_conf): sig_pub, sig_priv = generate_sign_keypair() enc_pub, enc_priv = generate_enc_keypair() self.sig_priv_keys[topo_id] = sig_priv self.sig_pub_keys[topo_id] = sig_pub self.enc_pub_keys[topo_id] = enc_pub self.enc_priv_keys[topo_id] = enc_priv sig_path = get_sig_key_file_path("") enc_path = get_enc_key_file_path("") self.cert_files[topo_id][sig_path] = base64.b64encode( sig_priv).decode() self.cert_files[topo_id][enc_path] = base64.b64encode( enc_priv).decode() if self.is_core(as_conf): # generate_sign_key_pair uses Ed25519 on_root_pub, on_root_priv = generate_sign_keypair() off_root_pub, off_root_priv = generate_sign_keypair() self.pub_online_root_keys[topo_id] = on_root_pub self.priv_online_root_keys[topo_id] = on_root_priv self.pub_offline_root_keys[topo_id] = off_root_pub self.priv_offline_root_keys[topo_id] = off_root_priv online_key_path = get_online_key_file_path("") offline_key_path = get_offline_key_file_path("") self.cert_files[topo_id][online_key_path] = \ base64.b64encode(on_root_priv).decode() self.cert_files[topo_id][offline_key_path] = \ base64.b64encode(off_root_priv).decode()
def __init__(self, server_id, conf_dir): """ :param str server_id: server identifier. :param str conf_dir: configuration directory. """ super().__init__(server_id, conf_dir) # TODO: add 2 policies self.path_policy = PathPolicy.from_file( os.path.join(conf_dir, PATH_POLICY_FILE)) sig_key_file = get_sig_key_file_path(self.conf_dir) self.signing_key = base64.b64decode(read_file(sig_key_file)) self.of_gen_key = kdf(self.config.master_as_key, b"Derive OF Key") self.hashtree_gen_key = kdf(self.config.master_as_key, b"Derive hashtree Key") logging.info(self.config.__dict__) self._hash_tree = None self._hash_tree_lock = Lock() self._next_tree = None self._init_hash_tree() self.ifid_state = {} for ifid in self.ifid2br: self.ifid_state[ifid] = InterfaceState() self.ifid_state_lock = RLock() self.CTRL_PLD_CLASS_MAP = { PayloadClass.PCB: { None: self.handle_pcb }, PayloadClass.IFID: { None: self.handle_ifid_packet }, PayloadClass.CERT: { CertMgmtType.CERT_CHAIN_REQ: self.process_cert_chain_request, CertMgmtType.CERT_CHAIN_REPLY: self.process_cert_chain_reply, CertMgmtType.TRC_REPLY: self.process_trc_reply, CertMgmtType.TRC_REQ: self.process_trc_request, }, PayloadClass.PATH: { PMT.IFSTATE_REQ: self._handle_ifstate_request, PMT.REVOCATION: self._handle_revocation, }, } self.SCMP_PLD_CLASS_MAP = { SCMPClass.PATH: { SCMPPathClass.REVOKED_IF: self._handle_scmp_revocation, }, } zkid = ZkID.from_values(self.addr.isd_as, self.id, [(self.addr.host, self._port)]).pack() self.zk = Zookeeper(self.addr.isd_as, BEACON_SERVICE, zkid, self.topology.zookeepers) self.zk.retry("Joining party", self.zk.party_setup) self.pcb_cache = ZkSharedCache(self.zk, self.ZK_PCB_CACHE_PATH, self._handle_pcbs_from_zk) self.revobjs_cache = ZkSharedCache(self.zk, self.ZK_REVOCATIONS_PATH, self.process_rev_objects) self.local_rev_cache = ExpiringDict( 1000, HASHTREE_EPOCH_TIME + HASHTREE_EPOCH_TOLERANCE) self._rev_seg_lock = RLock()
def __init__(self, server_id, conf_dir): """ :param str server_id: server identifier. :param str conf_dir: configuration directory. """ super().__init__(server_id, conf_dir) # TODO: add 2 policies self.path_policy = PathPolicy.from_file( os.path.join(conf_dir, PATH_POLICY_FILE)) self.unverified_beacons = deque() self.trc_requests = {} self.trcs = {} sig_key_file = get_sig_key_file_path(self.conf_dir) self.signing_key = base64.b64decode(read_file(sig_key_file)) self.of_gen_key = PBKDF2(self.config.master_as_key, b"Derive OF Key") logging.info(self.config.__dict__) self.if2rev_tokens = {} self._if_rev_token_lock = threading.Lock() self.revs_to_downstream = ExpiringDict(max_len=1000, max_age_seconds=60) self.ifid_state = {} for ifid in self.ifid2er: self.ifid_state[ifid] = InterfaceState() self.CTRL_PLD_CLASS_MAP = { PayloadClass.PCB: { PCBType.SEGMENT: self.handle_pcb }, PayloadClass.IFID: { IFIDType.PAYLOAD: self.handle_ifid_packet }, PayloadClass.CERT: { CertMgmtType.CERT_CHAIN_REPLY: self.process_cert_chain_rep, CertMgmtType.TRC_REPLY: self.process_trc_rep, }, PayloadClass.PATH: { PMT.IFSTATE_REQ: self._handle_ifstate_request }, } # Add more IPs here if we support dual-stack name_addrs = "\0".join( [self.id, str(SCION_UDP_PORT), str(self.addr.host)]) self.zk = Zookeeper(self.addr.isd_as, BEACON_SERVICE, name_addrs, self.topology.zookeepers) self.zk.retry("Joining party", self.zk.party_setup) self.incoming_pcbs = deque() self.pcb_cache = ZkSharedCache(self.zk, self.ZK_PCB_CACHE_PATH, self.process_pcbs) self.revobjs_cache = ZkSharedCache(self.zk, self.ZK_REVOCATIONS_PATH, self.process_rev_objects)
def _gen_as_keys(self, topo_id, as_conf): sig_pub, sig_priv = generate_sign_keypair() enc_pub, enc_priv = generate_enc_keypair() self.sig_priv_keys[topo_id] = sig_priv self.sig_pub_keys[topo_id] = sig_pub self.enc_pub_keys[topo_id] = enc_pub self.enc_priv_keys[topo_id] = enc_priv sig_path = get_sig_key_file_path("") enc_path = get_enc_key_file_path("") self.cert_files[topo_id][sig_path] = base64.b64encode( sig_priv).decode() self.cert_files[topo_id][enc_path] = base64.b64encode( enc_priv).decode()
def _create_ad_marking(self): """ Create an AD Marking with the given ingress and egress interfaces. """ hof = HopOpaqueField.from_values(1, 111, 222) rev_token = HashChain(Random.new().read(32)).next_element() pcbm = PCBMarking.from_values(1, 10, hof) peer_markings = [] signing_key = read_file(get_sig_key_file_path(1, 10)) signing_key = base64.b64decode(signing_key) data_to_sign = (b'11' + pcbm.hof.pack()) signature = sign(data_to_sign, signing_key) return ADMarking.from_values(pcbm, peer_markings, rev_token, signature)
def test(self): """ Create a certificate chain and verify it with a TRC file. Sign a message with the private key of the last certificate in the chain and verify it. """ cert10 = CertificateChain(get_cert_chain_file_path(1, 10, 1, 10, 0)) trc = TRC(get_trc_file_path(1, 10, 1, 0)) print('TRC verification', trc.verify()) print('Cert Chain verification:', cert10.verify('ISD:1-AD:10', trc, 0)) sig_priv10 = read_file(get_sig_key_file_path(1, 10)) sig_priv10 = base64.b64decode(sig_priv10) msg = b'abcd' sig = sign(msg, sig_priv10) print('Sig test:', verify_sig_chain_trc(msg, sig, 'ISD:1-AD:10', cert10, trc, 0)) sig_priv13 = read_file(get_sig_key_file_path(1, 13)) sig_priv13 = base64.b64decode(sig_priv13) msg = b'abd' sig = sign(msg, sig_priv13) CertificateChain.from_values([]) print('Sig test 2:', verify_sig_chain_trc(msg, sig, 'ISD:1-AD:13', cert10, trc, 0), '\n') topology = Topology.from_file( "topology/ISD1/topologies/ISD:1-AD:10.json") src_addr = SCIONAddr.from_values(topology.isd_id, topology.ad_id, IPv4Address("127.0.0.1")) dst_addr = topology.certificate_servers[0].addr sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind((str(src_addr.host_addr), SCION_UDP_PORT)) print("Sending TRC request (ISD:1-V:0) to local CS.") msg = TRCRequest.from_values( PT.TRC_REQ_LOCAL, src_addr, topology.parent_border_routers[0].interface.if_id, topology.isd_id, topology.ad_id, 1, 0).pack() sock.sendto(msg, (str(dst_addr), SCION_UDP_PORT)) temp_file = './temp.txt' timeout = 5 ready = select.select([sock], [], [], timeout) if not ready[0]: print("Error: no TRC reply was received!") sock.close() return data, _ = sock.recvfrom(SCION_BUFLEN) print("Received TRC reply from local CS.") trc_reply = TRCReply(data) write_file(temp_file, trc_reply.trc.decode('utf-8')) trc = TRC(temp_file) assert trc.verify() print("Sending cert chain request (ISD:1-AD:16-V:0) to local CS.") msg = CertChainRequest.from_values( PT.CERT_CHAIN_REQ_LOCAL, src_addr, topology.parent_border_routers[0].interface.if_id, topology.isd_id, topology.ad_id, 1, 16, 0).pack() sock.sendto(msg, (str(dst_addr), SCION_UDP_PORT)) ready = select.select([sock], [], [], timeout) if not ready[0]: print("Error: no cert chain reply was received!") sock.close() return data, _ = sock.recvfrom(SCION_BUFLEN) print("Received cert chain reply from local CS.") cert_chain_reply = CertChainReply(data) write_file(temp_file, cert_chain_reply.cert_chain.decode('utf-8')) cert_chain = CertificateChain(temp_file) assert cert_chain.verify('ISD:1-AD:16', trc, 0) os.remove(temp_file) sock.close()