def prep_approved_join_reply(request, join_rep_dict, own_isdas, own_as_obj): """ Prepares the join reply for the APPROVED case. """ logger.info("New AS ID = %s", request.POST['newASId']) joining_as = request.POST['newASId'] is_core = request.POST['join_as_a_core'] sig_pub_key = from_b64(request.POST['sig_pub_key']) enc_pub_key = from_b64(request.POST['enc_pub_key']) signing_as_sig_priv_key = from_b64(own_as_obj.sig_priv_key) joining_ia = TopoID.from_values(own_isdas[0], joining_as) if is_core.lower() == "true": validity = Certificate.CORE_AS_VALIDITY_PERIOD comment = "Core AS Certificate" else: validity = Certificate.AS_VALIDITY_PERIOD comment = "AS Certificate" cert = Certificate.from_values( str(joining_ia), str(own_isdas), INITIAL_TRC_VERSION, INITIAL_CERT_VERSION, comment, is_core, validity, enc_pub_key, sig_pub_key, SigningKey(signing_as_sig_priv_key) ) respond_ia_chain = CertificateChain.from_raw(own_as_obj.certificate) request_ia_chain = CertificateChain([cert, respond_ia_chain.core_as_cert]) join_rep_dict['JoiningIA'] = str(joining_ia) join_rep_dict['IsCore'] = is_core.lower() == "true" join_rep_dict['RespondIA'] = str(own_isdas) join_rep_dict['JoiningIACertificate'] = request_ia_chain.to_json() join_rep_dict['RespondIACertificate'] = respond_ia_chain.to_json() join_rep_dict['TRC'] = TRC.from_raw(own_as_obj.trc).to_json() logger.debug("Accepting Join Request = %s", join_rep_dict)
def generate_certificate(joining_ia, core_ia, core_sign_priv_key_file, core_cert_file, trc_file): """ """ core_ia_chain = CertificateChain.from_raw(read_file(core_cert_file)) # AS cert is always expired one second before the expiration of the Core AS cert validity = core_ia_chain.core_as_cert.expiration_time - int(time.time()) - 1 comment = "AS Certificate" core_ia_sig_priv_key = base64.b64decode(read_file(core_sign_priv_key_file)) public_key_sign, private_key_sign = generate_sign_keypair() public_key_encr, private_key_encr = generate_enc_keypair() cert = Certificate.from_values( str(joining_ia), str(core_ia), INITIAL_TRC_VERSION, INITIAL_CERT_VERSION, comment, False, validity, public_key_encr, public_key_sign, core_ia_sig_priv_key) sig_priv_key = base64.b64encode(private_key_sign).decode() enc_priv_key = base64.b64encode(private_key_encr).decode() sig_priv_key_raw = base64.b64encode(SigningKey(private_key_sign)._signing_key).decode() joining_ia_chain = CertificateChain([cert, core_ia_chain.core_as_cert]).to_json() trc = open(trc_file).read() master_as_key = base64.b64encode(Random.new().read(16)).decode('utf-8') key_dict = { 'enc_key': enc_priv_key, 'sig_key': sig_priv_key, 'sig_key_raw': sig_priv_key_raw, 'master_as_key': master_as_key, } as_obj = ASCredential(joining_ia_chain, trc, key_dict) return as_obj
def check_cert_chain(testcase, as_, trc): """ Check that the AS's certificate chain can be verified with the TRC. """ testcase.assertIsNotNone(as_.certificate_chain) json_cert_chain = json.dumps(as_.certificate_chain) cert_chain = CertificateChain.from_raw(json_cert_chain) cert_chain.verify(as_.isd_as_str(), TRC(trc))
def _init_certs(self): # pragma: no cover certfiles = list(glob.glob("%s/*.crt" % self._dir)) certfiles.extend( glob.glob("%s/%s-*.crt" % (self._cachedir, self._ename))) for path in certfiles: cert_raw = read_file(path) self.add_cert(CertificateChain.from_raw(cert_raw), write=False) logging.debug("Loaded: %s" % path)
def _cached_certs_handler(self, raw_entries): """ Handles cached (through ZK) chains, passed as a list. """ for raw in raw_entries: cert = CertificateChain.from_raw(raw.decode('utf-8')) rep = CertChainReply.from_values(cert) self.process_cert_chain_reply(rep, None, from_zk=True) logging.debug("Processed %s certs from ZK", len(raw_entries))
def _build_chains(self): for topo_id, cert in self.certs.items(): chain = [cert] issuer = TopoID(cert.issuer) chain.append(self.core_certs[issuer]) cert_path = get_cert_chain_file_path("", topo_id, INITIAL_CERT_VERSION) self.cert_files[topo_id][cert_path] = CertificateChain( chain).to_json()
def _build_chains(self): for topo_id, cert in self.certs.items(): chain = [cert] issuer = TopoID(cert.issuer) chain.append(self.core_certs[issuer]) cert_path = get_cert_chain_file_path("", topo_id, INITIAL_CERT_VERSION) self.cert_files[topo_id][cert_path] = CertificateChain(chain).to_json() map_path = os.path.join("customers", '%s-%s-V%d.key' % ( topo_id.ISD(), topo_id.AS(), INITIAL_CERT_VERSION)) self.cust_files[issuer][map_path] = base64.b64encode( self.sig_pub_keys[topo_id]).decode()
def _build_chains(self): for topo_id, cert in self.certs.items(): chain = [cert] issuer = TopoID(cert.issuer) while issuer in self.certs: cert = self.certs[issuer] if str(issuer) == cert.issuer: break chain.append(cert) issuer = TopoID(cert.issuer) cert_path = get_cert_chain_file_path("", topo_id, INITIAL_CERT_VERSION) self.cert_files[topo_id][cert_path] = \ CertificateChain(chain).to_json()
def generate_certificate(joining_ia, core_ia, core_sign_priv_key_file, core_cert_file, trc_file): """ """ validity = Certificate.AS_VALIDITY_PERIOD comment = "AS Certificate" core_ia_sig_priv_key = base64.b64decode(read_file(core_sign_priv_key_file)) public_key_sign, private_key_sign = generate_sign_keypair() public_key_encr, private_key_encr = generate_enc_keypair() cert = Certificate.from_values(str(joining_ia), str(core_ia), INITIAL_TRC_VERSION, INITIAL_CERT_VERSION, comment, False, validity, public_key_encr, public_key_sign, core_ia_sig_priv_key) core_ia_chain = CertificateChain.from_raw(read_file(core_cert_file)) sig_priv_key = base64.b64encode(private_key_sign).decode() enc_priv_key = base64.b64encode(private_key_encr).decode() joining_ia_chain = CertificateChain([cert, core_ia_chain.core_as_cert ]).to_json() trc = open(trc_file).read() master_as_key = base64.b64encode(Random.new().read(16)).decode('utf-8') as_obj = ASCredential(sig_priv_key, enc_priv_key, joining_ia_chain, trc, master_as_key) return as_obj
def prep_approved_join_reply(request, join_rep_dict, own_isdas, own_as_obj): """ Prepares the join reply for the APPROVED case. """ logger.info("New AS ID = %s", request.POST['newASId']) joining_as = request.POST['newASId'] is_core = request.POST['join_as_a_core'] sig_pub_key = from_b64(request.POST['sig_pub_key']) enc_pub_key = from_b64(request.POST['enc_pub_key']) signing_as_sig_priv_key = from_b64(own_as_obj.sig_priv_key) joining_ia = ISD_AS.from_values(own_isdas[0], joining_as) cert = Certificate.from_values(str(joining_ia), str(own_isdas), INITIAL_CERT_VERSION, "", False, enc_pub_key, sig_pub_key, SigningKey(signing_as_sig_priv_key)) respond_ia_chain = CertificateChain.from_raw(own_as_obj.certificate) request_ia_chain = CertificateChain([cert, respond_ia_chain.certs[0]]) join_rep_dict['JoiningIA'] = str(joining_ia) join_rep_dict['IsCore'] = is_core.lower() == "true" join_rep_dict['RespondIA'] = str(own_isdas) join_rep_dict['JoiningIACertificate'] = request_ia_chain.to_json() join_rep_dict['RespondIACertificate'] = respond_ia_chain.to_json() join_rep_dict['TRC'] = TRC.from_raw(own_as_obj.trc).to_json() logger.debug("Accepting Join Request = %s", join_rep_dict)
def send_connection_reply(request, con_req_id, status, respond_as, data): """ Sends connection reply to SCION Coordination Service. :param HttpRequest request: Django HTTP Request. :param str con_req_id: The ID of the connection request to be replied to. :param str status: The status of the the request. (e.g APPROVED) :param str respond_as: The AS responding to the connection request. :param dict data: Dictionary object containing the reply parameters. """ coord = get_object_or_404(OrganisationAdmin, user_id=request.user.id) con_rep_dict = { "RequestId": int(con_req_id), "Status": status, "RequestIA": data['RequestIA'], "RespondIA": str(respond_as) } if status == REQ_APPROVED: router_info = data['router_info'] overlay_type = data['accepted_overlay_type'] con_rep_dict["IP"] = router_info.split(':')[0] if "UDP" in overlay_type: con_rep_dict["Port"] = int(router_info.split(':')[1]) con_rep_dict["OverlayType"] = overlay_type con_rep_dict["MTU"] = int(data['accepted_mtu']) con_rep_dict["Bandwidth"] = int(data['accepted_bandwidth']) cert_chain = CertificateChain.from_raw(respond_as.certificate) con_rep_dict["Certificate"] = cert_chain.to_json() request_url = urljoin(COORD_SERVICE_URI, posixpath.join( UPLOAD_CONN_REPLY_SVC, coord.account_id, coord.secret)) _, error = post_req_to_scion_coord(request_url, con_rep_dict, "connection reply %s" % con_req_id) if error: return error logging.info("Connection reply %s successfully sent.", con_rep_dict['RequestId'])
def prep_con_req_dict(con_req, isd_id, as_id): """ Prepares the connection request as a dictionary to be sent to the SCION coordination service. :param ConnectionRequest con_req: Connection request object. :returns: Connection request as a dictionary. :rtype: dict """ isd_as = TopoID.from_values(isd_id, as_id) as_obj = get_object_or_404(AD, isd_id=isd_id, as_id=as_id) cert_chain = CertificateChain.from_raw(as_obj.certificate) con_req_dict = { "RequestId": con_req.id, "Info": con_req.info, "RequestIA": str(isd_as), "RespondIA": con_req.connect_to, "IP": con_req.router_public_ip, "OverlayType": con_req.overlay_type, "MTU": int(con_req.mtu), "Bandwidth": int(con_req.bandwidth), "Timestamp": iso_timestamp(time.time()), "Signature": "", # TODO(ercanucan): generate and set the signature "Certificate": cert_chain.to_json() } if con_req.router_public_port: con_req_dict["Port"] = int(con_req.router_public_port) # Adjust the link type for the receiving party (i.e if the requestIA # wants to have the respondIA as a PARENT, then the respondIA should # see it as a request to have a CHILD AS. if con_req.link_type == LinkType.PARENT: con_req_dict["LinkType"] = LinkType.CHILD elif con_req.link_type == LinkType.CHILD: con_req_dict["LinkType"] = LinkType.PARENT else: con_req_dict["LinkType"] = con_req.link_type return con_req_dict
def chain(self): # pragma: no cover return CertificateChain.from_raw(self.p.chain, lz4_=True)
def _init_certs(self): # pragma: no cover for path in glob.glob("%s/*.crt" % self._dir): cert_raw = read_file(path) self.add_cert(CertificateChain.from_raw(cert_raw), write=False) logging.debug("Loaded: %s" % path)
def __init__(self, p): super().__init__(p) self.chain = CertificateChain.from_raw(p.chain, lz4_=True)
def _check_cert_chain(self, as_, trc): self.assertIsNotNone(as_.certificate_chain) json_cert_chain = json.dumps(as_.certificate_chain) cert_chain = CertificateChain.from_raw(json_cert_chain) cert_chain.verify(as_.isd_as_str(), TRC(trc))