def test_generate_trc(self):
# generate a new TRC using the generate_trc function
core_ases = ['ffaa:0:110']
certificates = [
'voting-sensitive-ff00_0_110.crt', 'voting-regular-ff00_0_110.crt',
'root-ff00_0_110.crt'
]
certificates = [
Path(_TESTDATA_DIR, f).read_text() for f in certificates
]
signers = _get_signers(
['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110'])
scerts, skeys = zip(*signers)
not_before = datetime.fromtimestamp(1605168000, tz=timezone.utc)
not_before = not_before.replace(
tzinfo=None) # dates in DB have no timezone (all UTC)
not_after = not_before + timedelta(seconds=1800)
trc = generate_trc(prev_trc=None,
isd_id=1,
base=1,
serial=1,
primary_ases=core_ases,
quorum=1,
votes=[],
grace_period=DEFAULT_TRC_GRACE_PERIOD,
not_before=not_before,
not_after=not_after,
certificates=certificates,
signers_certs=scerts,
signers_keys=skeys)
# test final trc
verify_trcs(trc, trc)
def check_trc(testcase, isd, expected_core_ases=None, expected_version=None):
"""
Check the ISD's latest TRC
:param ISD isd:
:param [str] expected_core_ases: optional, ISD-AS strings for all core ases
:param (int, int) expected_version: optional, expected (serial, base) for current TRC.
"""
if expected_core_ases is None:
expected_core_ases = set(as_.as_id
for as_ in isd.ases.filter(is_core=True))
trc = isd.trcs.latest_or_none()
if len(expected_core_ases) > 0:
testcase.assertIsNotNone(trc)
if expected_version is not None:
testcase.assertEqual(trc.serial_version, expected_version[0])
testcase.assertEqual(trc.base_version, expected_version[1])
if trc is None:
return
trc_pld = trcs.decode_trc(trc.trc)
trc_dict = trcs.trc_to_dict(trc_pld)
testcase.assertEqual(trc_dict['id']['serial_number'], trc.serial_version)
testcase.assertEqual(trc_dict['id']['base_number'], trc.base_version)
testcase.assertEqual(set(trc_dict['core_ases']), set(expected_core_ases))
if trc.serial_version > 1:
# Check that TRC update is valid
prev_trc = isd.trcs.get(serial_version=trc.serial_version - 1)
prev_trc_pld = trcs.decode_trc(prev_trc.trc)
else:
prev_trc_pld = trc_pld
trcs.verify_trcs(prev_trc_pld, trc_pld)
def validate_crypto(self):
"""
checks that the crypto material for this object is correct,
namely that the trc chain is valid.
Returns the number of valid trcs in this ISD.
"""
ts = [t.trc for t in self.trcs.order_by('serial_version')]
verify_trcs(ts[0], *ts)
return len(ts)
def test_generate(self):
signers = _get_signers(
['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110'])
conf = TRCConf(**_transform_toml_conf_to_trcconf_args(
toml.loads(
Path(_TESTDATA_DIR, 'payload-1-config.toml').read_text()),
signers))
trc = conf.generate()
# verify the trc with a call to scion-pki (would raise if error)
verify_trcs(trc, trc)
def test_regular_update(self):
# initial TRC in TESTDATA/trc-1.trc
predec_trc = Path(_TESTDATA_DIR, 'trc-1.trc').read_text()
# update the TRC by just incrementing the serial. That is in payload-2-config.toml
signers = _get_signers(['voting-regular-ff00_0_110'])
kwargs = _transform_toml_conf_to_trcconf_args(
toml.loads(
Path(_TESTDATA_DIR, 'payload-2-config.toml').read_text()),
signers)
conf = TRCConf(**kwargs, predecessor_trc=predec_trc)
trc = conf.generate()
# verify trc with the old trc as anchor
verify_trcs(predec_trc, trc)
def test_combine(self):
# list of (cert, key)
signers = _get_signers(
['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110'])
conf = TRCConf(**_transform_toml_conf_to_trcconf_args(
toml.loads(
Path(_TESTDATA_DIR, 'payload-1-config.toml').read_text())))
signed_payloads = []
with TemporaryDirectory() as temp_dir:
conf._dump_certificates_to_files(temp_dir)
conf._gen_payload(temp_dir)
for (cert, key) in signers:
signed_payloads.append(conf._sign_payload(temp_dir, cert, key))
trc = conf._combine(temp_dir, *signed_payloads)
# verify the trc with a call to scion-pki (would raise if error)
verify_trcs(trc, trc)
def test_sensitive_update(self):
# previous TRC in TESTDATA/trc-2.trc
predec_trc = Path(_TESTDATA_DIR, 'trc-2.trc').read_text()
# add a core-authoritative AS and its sensitive, regular and root certs
signers = _get_signers([
'voting-sensitive-ff00_0_110', 'voting-sensitive-ff00_0_210',
'voting-regular-ff00_0_210'
])
kwargs = _transform_toml_conf_to_trcconf_args(
toml.loads(
Path(_TESTDATA_DIR, 'payload-3-config.toml').read_text()),
signers)
conf = TRCConf(**kwargs, predecessor_trc=predec_trc)
trc = conf.generate()
# verify trc with the old trc as anchor
verify_trcs(predec_trc, trc)
def test_generate_trc_regular_update(self):
# initial TRC in TESTDATA/trc-1.trc
signers = _get_signers(['voting-regular-ff00_0_110'])
scerts, skeys = zip(*signers)
kwargs = _transform_toml_conf_to_trcconf_args(
toml.loads(
Path(_TESTDATA_DIR, 'payload-2-config.toml').read_text()))
predec_trc = Path(_TESTDATA_DIR, 'trc-1.trc').read_text()
_replace_keys(kwargs, [('base', 'base_version'),
('serial', 'serial_version'),
('primary_ases', 'authoritative_ases'),
('primary_ases', 'core_ases')])
del kwargs['signers']
trc = generate_trc(prev_trc=predec_trc,
**kwargs,
quorum=len(kwargs['primary_ases']) // 2 + 1,
signers_certs=scerts,
signers_keys=skeys)
# test final trc
verify_trcs(predec_trc, trc)
def test_sign_other_certificate(self):
# list of (cert, key)
signers = _get_signers(
['voting-sensitive-ff00_0_110', 'voting-regular-ff00_0_110'])
# replace the first certificate with a new, valid, one, generated from the key
key = signers[0][1] # key at index 1, cert at index 0
orig_cert = certs.decode_certificate(signers[0][0])
cert = certs.generate_voting_sensitive_certificate(
'1-ff00:0:110',
keys.decode_key(key),
not_before=orig_cert.not_valid_before,
not_after=orig_cert.not_valid_after)
# sanity check for the new certificate:
self.assertEqual(cert.subject, orig_cert.subject)
self.assertEqual(cert.issuer, orig_cert.issuer)
self.assertEqual(cert.not_valid_before, orig_cert.not_valid_before)
self.assertEqual(cert.not_valid_after, orig_cert.not_valid_after)
self.assertNotEqual(cert.serial_number, orig_cert.serial_number)
self.assertNotEqual(cert.signature, orig_cert.signature)
# actually replace the certificate in the signers list, keep the key
signers[0] = (certs.encode_certificate(cert), signers[0][1])
# and go on as usual
conf = TRCConf(**_transform_toml_conf_to_trcconf_args(
toml.loads(
Path(_TESTDATA_DIR, 'payload-1-config.toml').read_text())))
signed_payloads = []
with TemporaryDirectory() as temp_dir:
conf._dump_certificates_to_files(temp_dir)
conf._gen_payload(temp_dir)
for (cert, key) in signers:
signed_payloads.append(conf._sign_payload(temp_dir, cert, key))
trc = conf._combine(temp_dir, *signed_payloads)
# verify the trc with a call to scion-pki (would raise if error)
with self.assertRaises(ScionPkiError):
verify_trcs(trc, trc)
def _check_trc(trc, anchor):
""" Verify a TRC, raises on error """
trcs.verify_trcs(anchor.trc, trc.trc)
