def prep_approved_join_reply(request, join_rep_dict, own_isdas, own_as_obj):
"""
Prepares the join reply for the APPROVED case.
"""
logger.info("New AS ID = %s", request.POST['newASId'])
joining_as = request.POST['newASId']
is_core = request.POST['join_as_a_core']
sig_pub_key = from_b64(request.POST['sig_pub_key'])
enc_pub_key = from_b64(request.POST['enc_pub_key'])
signing_as_sig_priv_key = from_b64(own_as_obj.sig_priv_key)
joining_ia = TopoID.from_values(own_isdas[0], joining_as)
if is_core.lower() == "true":
validity = Certificate.CORE_AS_VALIDITY_PERIOD
comment = "Core AS Certificate"
else:
validity = Certificate.AS_VALIDITY_PERIOD
comment = "AS Certificate"
cert = Certificate.from_values(
str(joining_ia), str(own_isdas), INITIAL_TRC_VERSION, INITIAL_CERT_VERSION, comment,
is_core, validity, enc_pub_key, sig_pub_key, SigningKey(signing_as_sig_priv_key)
)
respond_ia_chain = CertificateChain.from_raw(own_as_obj.certificate)
request_ia_chain = CertificateChain([cert, respond_ia_chain.core_as_cert])
join_rep_dict['JoiningIA'] = str(joining_ia)
join_rep_dict['IsCore'] = is_core.lower() == "true"
join_rep_dict['RespondIA'] = str(own_isdas)
join_rep_dict['JoiningIACertificate'] = request_ia_chain.to_json()
join_rep_dict['RespondIACertificate'] = respond_ia_chain.to_json()
join_rep_dict['TRC'] = TRC.from_raw(own_as_obj.trc).to_json()
logger.debug("Accepting Join Request = %s", join_rep_dict)
def generate_certificate(joining_ia, core_ia, core_sign_priv_key_file, core_cert_file, trc_file):
"""
"""
core_ia_chain = CertificateChain.from_raw(read_file(core_cert_file))
# AS cert is always expired one second before the expiration of the Core AS cert
validity = core_ia_chain.core_as_cert.expiration_time - int(time.time()) - 1
comment = "AS Certificate"
core_ia_sig_priv_key = base64.b64decode(read_file(core_sign_priv_key_file))
public_key_sign, private_key_sign = generate_sign_keypair()
public_key_encr, private_key_encr = generate_enc_keypair()
cert = Certificate.from_values(
str(joining_ia), str(core_ia), INITIAL_TRC_VERSION, INITIAL_CERT_VERSION, comment,
False, validity, public_key_encr, public_key_sign, core_ia_sig_priv_key)
sig_priv_key = base64.b64encode(private_key_sign).decode()
enc_priv_key = base64.b64encode(private_key_encr).decode()
sig_priv_key_raw = base64.b64encode(SigningKey(private_key_sign)._signing_key).decode()
joining_ia_chain = CertificateChain([cert, core_ia_chain.core_as_cert]).to_json()
trc = open(trc_file).read()
master_as_key = base64.b64encode(Random.new().read(16)).decode('utf-8')
key_dict = {
'enc_key': enc_priv_key,
'sig_key': sig_priv_key,
'sig_key_raw': sig_priv_key_raw,
'master_as_key': master_as_key,
}
as_obj = ASCredential(joining_ia_chain, trc, key_dict)
return as_obj
def check_cert_chain(testcase, as_, trc):
"""
Check that the AS's certificate chain can be verified with the TRC.
"""
testcase.assertIsNotNone(as_.certificate_chain)
json_cert_chain = json.dumps(as_.certificate_chain)
cert_chain = CertificateChain.from_raw(json_cert_chain)
cert_chain.verify(as_.isd_as_str(), TRC(trc))
def _init_certs(self): # pragma: no cover
certfiles = list(glob.glob("%s/*.crt" % self._dir))
certfiles.extend(
glob.glob("%s/%s-*.crt" % (self._cachedir, self._ename)))
for path in certfiles:
cert_raw = read_file(path)
self.add_cert(CertificateChain.from_raw(cert_raw), write=False)
logging.debug("Loaded: %s" % path)
def _cached_certs_handler(self, raw_entries):
"""
Handles cached (through ZK) chains, passed as a list.
"""
for raw in raw_entries:
cert = CertificateChain.from_raw(raw.decode('utf-8'))
rep = CertChainReply.from_values(cert)
self.process_cert_chain_reply(rep, None, from_zk=True)
logging.debug("Processed %s certs from ZK", len(raw_entries))
def _build_chains(self):
for topo_id, cert in self.certs.items():
chain = [cert]
issuer = TopoID(cert.issuer)
chain.append(self.core_certs[issuer])
cert_path = get_cert_chain_file_path("", topo_id,
INITIAL_CERT_VERSION)
self.cert_files[topo_id][cert_path] = CertificateChain(
chain).to_json()
def _build_chains(self):
for topo_id, cert in self.certs.items():
chain = [cert]
issuer = TopoID(cert.issuer)
chain.append(self.core_certs[issuer])
cert_path = get_cert_chain_file_path("", topo_id, INITIAL_CERT_VERSION)
self.cert_files[topo_id][cert_path] = CertificateChain(chain).to_json()
map_path = os.path.join("customers", '%s-%s-V%d.key' % (
topo_id.ISD(), topo_id.AS(), INITIAL_CERT_VERSION))
self.cust_files[issuer][map_path] = base64.b64encode(
self.sig_pub_keys[topo_id]).decode()
def _build_chains(self):
for topo_id, cert in self.certs.items():
chain = [cert]
issuer = TopoID(cert.issuer)
while issuer in self.certs:
cert = self.certs[issuer]
if str(issuer) == cert.issuer:
break
chain.append(cert)
issuer = TopoID(cert.issuer)
cert_path = get_cert_chain_file_path("", topo_id,
INITIAL_CERT_VERSION)
self.cert_files[topo_id][cert_path] = \
CertificateChain(chain).to_json()
def generate_certificate(joining_ia, core_ia, core_sign_priv_key_file,
core_cert_file, trc_file):
"""
"""
validity = Certificate.AS_VALIDITY_PERIOD
comment = "AS Certificate"
core_ia_sig_priv_key = base64.b64decode(read_file(core_sign_priv_key_file))
public_key_sign, private_key_sign = generate_sign_keypair()
public_key_encr, private_key_encr = generate_enc_keypair()
cert = Certificate.from_values(str(joining_ia), str(core_ia),
INITIAL_TRC_VERSION, INITIAL_CERT_VERSION,
comment, False, validity, public_key_encr,
public_key_sign, core_ia_sig_priv_key)
core_ia_chain = CertificateChain.from_raw(read_file(core_cert_file))
sig_priv_key = base64.b64encode(private_key_sign).decode()
enc_priv_key = base64.b64encode(private_key_encr).decode()
joining_ia_chain = CertificateChain([cert, core_ia_chain.core_as_cert
]).to_json()
trc = open(trc_file).read()
master_as_key = base64.b64encode(Random.new().read(16)).decode('utf-8')
as_obj = ASCredential(sig_priv_key, enc_priv_key, joining_ia_chain, trc,
master_as_key)
return as_obj
def prep_approved_join_reply(request, join_rep_dict, own_isdas, own_as_obj):
"""
Prepares the join reply for the APPROVED case.
"""
logger.info("New AS ID = %s", request.POST['newASId'])
joining_as = request.POST['newASId']
is_core = request.POST['join_as_a_core']
sig_pub_key = from_b64(request.POST['sig_pub_key'])
enc_pub_key = from_b64(request.POST['enc_pub_key'])
signing_as_sig_priv_key = from_b64(own_as_obj.sig_priv_key)
joining_ia = ISD_AS.from_values(own_isdas[0], joining_as)
cert = Certificate.from_values(str(joining_ia), str(own_isdas),
INITIAL_CERT_VERSION, "", False,
enc_pub_key, sig_pub_key,
SigningKey(signing_as_sig_priv_key))
respond_ia_chain = CertificateChain.from_raw(own_as_obj.certificate)
request_ia_chain = CertificateChain([cert, respond_ia_chain.certs[0]])
join_rep_dict['JoiningIA'] = str(joining_ia)
join_rep_dict['IsCore'] = is_core.lower() == "true"
join_rep_dict['RespondIA'] = str(own_isdas)
join_rep_dict['JoiningIACertificate'] = request_ia_chain.to_json()
join_rep_dict['RespondIACertificate'] = respond_ia_chain.to_json()
join_rep_dict['TRC'] = TRC.from_raw(own_as_obj.trc).to_json()
logger.debug("Accepting Join Request = %s", join_rep_dict)
def send_connection_reply(request, con_req_id, status, respond_as, data):
"""
Sends connection reply to SCION Coordination Service.
:param HttpRequest request: Django HTTP Request.
:param str con_req_id: The ID of the connection request to be replied to.
:param str status: The status of the the request. (e.g APPROVED)
:param str respond_as: The AS responding to the connection request.
:param dict data: Dictionary object containing the reply parameters.
"""
coord = get_object_or_404(OrganisationAdmin,
user_id=request.user.id)
con_rep_dict = {
"RequestId": int(con_req_id),
"Status": status,
"RequestIA": data['RequestIA'],
"RespondIA": str(respond_as)
}
if status == REQ_APPROVED:
router_info = data['router_info']
overlay_type = data['accepted_overlay_type']
con_rep_dict["IP"] = router_info.split(':')[0]
if "UDP" in overlay_type:
con_rep_dict["Port"] = int(router_info.split(':')[1])
con_rep_dict["OverlayType"] = overlay_type
con_rep_dict["MTU"] = int(data['accepted_mtu'])
con_rep_dict["Bandwidth"] = int(data['accepted_bandwidth'])
cert_chain = CertificateChain.from_raw(respond_as.certificate)
con_rep_dict["Certificate"] = cert_chain.to_json()
request_url = urljoin(COORD_SERVICE_URI, posixpath.join(
UPLOAD_CONN_REPLY_SVC, coord.account_id,
coord.secret))
_, error = post_req_to_scion_coord(request_url, con_rep_dict,
"connection reply %s" % con_req_id)
if error:
return error
logging.info("Connection reply %s successfully sent.",
con_rep_dict['RequestId'])
def prep_con_req_dict(con_req, isd_id, as_id):
"""
Prepares the connection request as a dictionary to be sent to the SCION
coordination service.
:param ConnectionRequest con_req: Connection request object.
:returns: Connection request as a dictionary.
:rtype: dict
"""
isd_as = TopoID.from_values(isd_id, as_id)
as_obj = get_object_or_404(AD, isd_id=isd_id, as_id=as_id)
cert_chain = CertificateChain.from_raw(as_obj.certificate)
con_req_dict = {
"RequestId": con_req.id,
"Info": con_req.info,
"RequestIA": str(isd_as),
"RespondIA": con_req.connect_to,
"IP": con_req.router_public_ip,
"OverlayType": con_req.overlay_type,
"MTU": int(con_req.mtu),
"Bandwidth": int(con_req.bandwidth),
"Timestamp": iso_timestamp(time.time()),
"Signature": "", # TODO(ercanucan): generate and set the signature
"Certificate": cert_chain.to_json()
}
if con_req.router_public_port:
con_req_dict["Port"] = int(con_req.router_public_port)
# Adjust the link type for the receiving party (i.e if the requestIA
# wants to have the respondIA as a PARENT, then the respondIA should
# see it as a request to have a CHILD AS.
if con_req.link_type == LinkType.PARENT:
con_req_dict["LinkType"] = LinkType.CHILD
elif con_req.link_type == LinkType.CHILD:
con_req_dict["LinkType"] = LinkType.PARENT
else:
con_req_dict["LinkType"] = con_req.link_type
return con_req_dict
def chain(self): # pragma: no cover
return CertificateChain.from_raw(self.p.chain, lz4_=True)
def _init_certs(self): # pragma: no cover
for path in glob.glob("%s/*.crt" % self._dir):
cert_raw = read_file(path)
self.add_cert(CertificateChain.from_raw(cert_raw), write=False)
logging.debug("Loaded: %s" % path)
def __init__(self, p):
super().__init__(p)
self.chain = CertificateChain.from_raw(p.chain, lz4_=True)
def _check_cert_chain(self, as_, trc):
self.assertIsNotNone(as_.certificate_chain)
json_cert_chain = json.dumps(as_.certificate_chain)
cert_chain = CertificateChain.from_raw(json_cert_chain)
cert_chain.verify(as_.isd_as_str(), TRC(trc))
