def test_generate_trc(self): # generate a new TRC using the generate_trc function core_ases = ['ffaa:0:110'] certificates = [ 'voting-sensitive-ff00_0_110.crt', 'voting-regular-ff00_0_110.crt', 'root-ff00_0_110.crt' ] certificates = [ Path(_TESTDATA_DIR, f).read_text() for f in certificates ] signers = _get_signers( ['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110']) scerts, skeys = zip(*signers) not_before = datetime.fromtimestamp(1605168000, tz=timezone.utc) not_before = not_before.replace( tzinfo=None) # dates in DB have no timezone (all UTC) not_after = not_before + timedelta(seconds=1800) trc = generate_trc(prev_trc=None, isd_id=1, base=1, serial=1, primary_ases=core_ases, quorum=1, votes=[], grace_period=DEFAULT_TRC_GRACE_PERIOD, not_before=not_before, not_after=not_after, certificates=certificates, signers_certs=scerts, signers_keys=skeys) # test final trc verify_trcs(trc, trc)
def check_trc(testcase, isd, expected_core_ases=None, expected_version=None): """ Check the ISD's latest TRC :param ISD isd: :param [str] expected_core_ases: optional, ISD-AS strings for all core ases :param (int, int) expected_version: optional, expected (serial, base) for current TRC. """ if expected_core_ases is None: expected_core_ases = set(as_.as_id for as_ in isd.ases.filter(is_core=True)) trc = isd.trcs.latest_or_none() if len(expected_core_ases) > 0: testcase.assertIsNotNone(trc) if expected_version is not None: testcase.assertEqual(trc.serial_version, expected_version[0]) testcase.assertEqual(trc.base_version, expected_version[1]) if trc is None: return trc_pld = trcs.decode_trc(trc.trc) trc_dict = trcs.trc_to_dict(trc_pld) testcase.assertEqual(trc_dict['id']['serial_number'], trc.serial_version) testcase.assertEqual(trc_dict['id']['base_number'], trc.base_version) testcase.assertEqual(set(trc_dict['core_ases']), set(expected_core_ases)) if trc.serial_version > 1: # Check that TRC update is valid prev_trc = isd.trcs.get(serial_version=trc.serial_version - 1) prev_trc_pld = trcs.decode_trc(prev_trc.trc) else: prev_trc_pld = trc_pld trcs.verify_trcs(prev_trc_pld, trc_pld)
def validate_crypto(self): """ checks that the crypto material for this object is correct, namely that the trc chain is valid. Returns the number of valid trcs in this ISD. """ ts = [t.trc for t in self.trcs.order_by('serial_version')] verify_trcs(ts[0], *ts) return len(ts)
def test_generate(self): signers = _get_signers( ['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110']) conf = TRCConf(**_transform_toml_conf_to_trcconf_args( toml.loads( Path(_TESTDATA_DIR, 'payload-1-config.toml').read_text()), signers)) trc = conf.generate() # verify the trc with a call to scion-pki (would raise if error) verify_trcs(trc, trc)
def test_regular_update(self): # initial TRC in TESTDATA/trc-1.trc predec_trc = Path(_TESTDATA_DIR, 'trc-1.trc').read_text() # update the TRC by just incrementing the serial. That is in payload-2-config.toml signers = _get_signers(['voting-regular-ff00_0_110']) kwargs = _transform_toml_conf_to_trcconf_args( toml.loads( Path(_TESTDATA_DIR, 'payload-2-config.toml').read_text()), signers) conf = TRCConf(**kwargs, predecessor_trc=predec_trc) trc = conf.generate() # verify trc with the old trc as anchor verify_trcs(predec_trc, trc)
def test_combine(self): # list of (cert, key) signers = _get_signers( ['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110']) conf = TRCConf(**_transform_toml_conf_to_trcconf_args( toml.loads( Path(_TESTDATA_DIR, 'payload-1-config.toml').read_text()))) signed_payloads = [] with TemporaryDirectory() as temp_dir: conf._dump_certificates_to_files(temp_dir) conf._gen_payload(temp_dir) for (cert, key) in signers: signed_payloads.append(conf._sign_payload(temp_dir, cert, key)) trc = conf._combine(temp_dir, *signed_payloads) # verify the trc with a call to scion-pki (would raise if error) verify_trcs(trc, trc)
def test_sensitive_update(self): # previous TRC in TESTDATA/trc-2.trc predec_trc = Path(_TESTDATA_DIR, 'trc-2.trc').read_text() # add a core-authoritative AS and its sensitive, regular and root certs signers = _get_signers([ 'voting-sensitive-ff00_0_110', 'voting-sensitive-ff00_0_210', 'voting-regular-ff00_0_210' ]) kwargs = _transform_toml_conf_to_trcconf_args( toml.loads( Path(_TESTDATA_DIR, 'payload-3-config.toml').read_text()), signers) conf = TRCConf(**kwargs, predecessor_trc=predec_trc) trc = conf.generate() # verify trc with the old trc as anchor verify_trcs(predec_trc, trc)
def test_generate_trc_regular_update(self): # initial TRC in TESTDATA/trc-1.trc signers = _get_signers(['voting-regular-ff00_0_110']) scerts, skeys = zip(*signers) kwargs = _transform_toml_conf_to_trcconf_args( toml.loads( Path(_TESTDATA_DIR, 'payload-2-config.toml').read_text())) predec_trc = Path(_TESTDATA_DIR, 'trc-1.trc').read_text() _replace_keys(kwargs, [('base', 'base_version'), ('serial', 'serial_version'), ('primary_ases', 'authoritative_ases'), ('primary_ases', 'core_ases')]) del kwargs['signers'] trc = generate_trc(prev_trc=predec_trc, **kwargs, quorum=len(kwargs['primary_ases']) // 2 + 1, signers_certs=scerts, signers_keys=skeys) # test final trc verify_trcs(predec_trc, trc)
def test_sign_other_certificate(self): # list of (cert, key) signers = _get_signers( ['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110']) # replace the first certificate with a new, valid, one, generated from the key key = signers[0][1] # key at index 1, cert at index 0 orig_cert = certs.decode_certificate(signers[0][0]) cert = certs.generate_voting_sensitive_certificate( '1-ff00:0:110', keys.decode_key(key), not_before=orig_cert.not_valid_before, not_after=orig_cert.not_valid_after) # sanity check for the new certificate: self.assertEqual(cert.subject, orig_cert.subject) self.assertEqual(cert.issuer, orig_cert.issuer) self.assertEqual(cert.not_valid_before, orig_cert.not_valid_before) self.assertEqual(cert.not_valid_after, orig_cert.not_valid_after) self.assertNotEqual(cert.serial_number, orig_cert.serial_number) self.assertNotEqual(cert.signature, orig_cert.signature) # actually replace the certificate in the signers list, keep the key signers[0] = (certs.encode_certificate(cert), signers[0][1]) # and go on as usual conf = TRCConf(**_transform_toml_conf_to_trcconf_args( toml.loads( Path(_TESTDATA_DIR, 'payload-1-config.toml').read_text()))) signed_payloads = [] with TemporaryDirectory() as temp_dir: conf._dump_certificates_to_files(temp_dir) conf._gen_payload(temp_dir) for (cert, key) in signers: signed_payloads.append(conf._sign_payload(temp_dir, cert, key)) trc = conf._combine(temp_dir, *signed_payloads) # verify the trc with a call to scion-pki (would raise if error) with self.assertRaises(ScionPkiError): verify_trcs(trc, trc)
def _check_trc(trc, anchor): """ Verify a TRC, raises on error """ trcs.verify_trcs(anchor.trc, trc.trc)