def _renewal_request( self, isd_as: ISD_AS, mode: str = "--force", ): as_dir = self._to_as_dir(isd_as) docker_dir = pathlib.Path("/share") / self._rel(as_dir) def read_file(filename: str) -> str: with open(as_dir / "crypto/as" / filename) as f: return f.read() chain_name = "ISD%s-AS%s.pem" % (isd_as.isd_str(), isd_as.as_file_fmt()) old_chain = read_file(chain_name) old_key = read_file("cp-as.key") chain = docker_dir / "crypto/as" / chain_name args = [ chain, docker_dir / "crypto/as/cp-as.key", mode, "--trc", docker_dir / "certs/ISD1-B1-S1.trc", "--sciond", self.execute("tester_%s" % isd_as.file_fmt(), "sh", "-c", "echo $SCION_DAEMON").strip(), *self._local_flags(isd_as), ] logger.info("Requesting certificate chain renewal: %s" % chain.relative_to(docker_dir)) logger.info( self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certificate", "renew", *args)) logger.info("Verify renewed certificate chain") verify_out = self.execute("tester_%s" % isd_as.file_fmt(), "./bin/scion-pki", "certificate", "verify", chain, "--trc", "/share/gen/trcs/ISD1-B1-S1.trc") logger.info(str(verify_out).rstrip("\n")) renewed_chain = read_file(chain_name) renewed_key = read_file("cp-as.key") if renewed_chain == old_chain: raise Exception( "renewed chain does not differ from previous chain") if renewed_key == old_key: raise Exception("renewed key does not differ from previous key")
def _check_key_cert(self, cs_configs: List[pathlib.Path]): not_ready = [*cs_configs] for _ in range(5): logger.info( "Checking if all control servers have reloaded the key and certificate..." ) for cs_config in not_ready: conn = client.HTTPConnection(self._http_endpoint(cs_config)) conn.request("GET", "/signer") resp = conn.getresponse() if resp.status != 200: logger.info("Unexpected response: %d %s", resp.status, resp.reason) continue isd_as = ISD_AS(cs_config.stem[2:-2]) as_dir = self._to_as_dir(isd_as) chain_name = "ISD%s-AS%s.pem" % (isd_as.isd_str(), isd_as.as_file_fmt()) pld = json.loads(resp.read().decode("utf-8")) if pld["subject_key_id"] != self._extract_skid( as_dir / "crypto/as" / chain_name): continue logger.info( "Control server successfully loaded new key and certificate: %s" % self._rel(cs_config)) not_ready.remove(cs_config) if not not_ready: break time.sleep(3) else: logger.error( "Control servers without reloaded key and certificate: %s" % [cs_config.name for cs_config in not_ready]) sys.exit(1)