def register(self):
now = datetime.utcnow()
key = self.keygen.get_key()
csr = x509.CSR.new(key, f'CN={self.addr}', hashlib.sha256())
self.runtime_cert = self.sss.runtime_ca_cert.sign(
csr, self.sss.runtime_ca_key,
not_before=now, not_after=now + timedelta(hours=8),
serial_number=self.addr
)
ca_der = self.sss.runtime_ca_cert.export(format="DER")
crt_der = self.runtime_cert.export(format="DER")
pk_der = key.export_key(format="DER")
sync_key = self.sss.scum_sync_key
sync_salt = self.sss.scum_sync_salt
data_key = self.sss.scum_data_key
data_salt = self.sss.scum_data_salt
entropy = token_bytes(ENTROPY_POOL_SIZE)
first_sed = b'\x01' if (self.sss.reg_count == 0) else b'\x00'
self.sss.reg_count += 1
# SCUM keys/salts/sync indicator have fixed length
return struct.pack('<HhHHHHHHHHH', self.addr, REG, len(ca_der), len(crt_der), len(pk_der), \
len(sync_key), len(sync_salt), len(data_key), len(data_salt), len(first_sed), len(entropy)) \
+ ca_der + crt_der + pk_der + sync_key + sync_salt + data_key + data_salt + first_sed + entropy
def ca1_crt(self, ca1_key, ca0_crt, ca0_key, now):
ca1_csr = CSR.new(ca1_key, "CN=Intermediate CA", hashlib.sha256())
return ca0_crt.sign(
ca1_csr,
ca0_key,
now,
now + dt.timedelta(days=90),
0x234567,
basic_constraints=BasicConstraints(True, 1),
)
def ca0_crt(self, ca0_key, now):
ca0_csr = CSR.new(ca0_key, "CN=Trusted CA", hashlib.sha256())
return CRT.selfsign(
ca0_csr,
ca0_key,
not_before=now,
not_after=now + dt.timedelta(days=90),
serial_number=0x123456,
basic_constraints=BasicConstraints(True, -1),
)
def __init__(self, sockf):
# Make sure the socket does not already exist
try:
os.unlink(sockf)
except OSError:
if os.path.exists(sockf):
raise
# Load provisioning CA certificate and key
self.provision_ca_cert = x509.CRT.from_file('/secrets/sss/ca.crt')
with open('/secrets/sss/ca.key', 'r') as keyfile:
self.provision_ca_key = pk.RSA.from_buffer(x509.PEM_to_DER(keyfile.read()))
# Generate runtime CA certificate and key
now = datetime.utcnow()
self.runtime_ca_key = pk.RSA()
self.runtime_ca_key.generate()
csr = x509.CSR.new(self.runtime_ca_key, "CN=SSS", hashlib.sha256())
self.runtime_ca_cert = x509.CRT.selfsign(
csr, self.runtime_ca_key,
not_before=now, not_after=now + timedelta(hours=8),
serial_number=0x1,
basic_constraints=x509.BasicConstraints(ca=True, max_path_length=1)
)
# Trust store for registration
trust_store = tls.TrustStore()
trust_store.add(self.provision_ca_cert)
# DTLS server configuration
self.dtls_conf = tls.DTLSConfiguration(
trust_store=trust_store,
certificate_chain=([self.provision_ca_cert], self.provision_ca_key),
validate_certificates=True
)
tls._set_debug_level(DEBUG_LEVEL)
tls._enable_debug_output(self.dtls_conf)
# Generate SCUM keys
self.scum_data_key = token_bytes(SCUM_KEY_LENGTH)
self.scum_data_salt = token_bytes(SCUM_SALT_LENGTH)
self.scum_sync_key = token_bytes(SCUM_KEY_LENGTH)
self.scum_sync_salt = token_bytes(SCUM_SALT_LENGTH)
# Registered device count
self.reg_count = 0
# Socket
self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.sock.bind(sockf)
self.devs = {}
def algorithm(self):
return hashlib.sha256()
def Sha256(Input):
Hash = hashlib.sha256()
Hash.update(Input)
return Hash.digest()
def ee0_crt(self, ee0_key, ca1_crt, ca1_key, now):
ee0_csr = CSR.new(ee0_key, "CN=End Entity", hashlib.sha256())
return ca1_crt.sign(ee0_csr, ca1_key, now, now + dt.timedelta(days=90),
0x345678)
def digestmod(self):
return hashlib.sha256()
