SPKI: Generate certificate chains

go/tools/scion-pki/internal/v2/certs/BUILD.bazel

@@ -3,6 +3,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 go_library(
     name = "go_default_library",
     srcs = [
+        "chain.go",
         "cmd.go",
         "human.go",
         "issuer.go",
@@ -30,6 +31,7 @@ go_library(
 go_test(
     name = "go_default_test",
     srcs = [
+        "chain_test.go",
         "issuer_test.go",
         "loader_test.go",
         "main_test.go",

go/tools/scion-pki/internal/v2/certs/chain.go

@@ -0,0 +1,254 @@
+// Copyright 2019 Anapaya Systems
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certs
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/scionproto/scion/go/lib/addr"
+	"github.com/scionproto/scion/go/lib/keyconf"
+	"github.com/scionproto/scion/go/lib/scrypto"
+	"github.com/scionproto/scion/go/lib/scrypto/cert/v2"
+	"github.com/scionproto/scion/go/lib/serrors"
+	"github.com/scionproto/scion/go/tools/scion-pki/internal/pkicmn"
+	"github.com/scionproto/scion/go/tools/scion-pki/internal/v2/conf"
+	"github.com/scionproto/scion/go/tools/scion-pki/internal/v2/keys"
+)
+
+type chainMeta struct {
+	Chain   cert.Chain
+	Version scrypto.Version
+}
+
+type chainGen struct {
+	Dirs    pkicmn.Dirs
+	Version scrypto.Version
+}
+
+func (g chainGen) Run(asMap pkicmn.ASMap) error {
+	cfgs, err := loader{Dirs: g.Dirs, Version: g.Version}.LoadASConfigs(asMap)
+	if err != nil {
+		return serrors.WrapStr("unable to load AS certificate configs", err)
+	}
+	certs, err := g.generateAll(cfgs)
+	if err != nil {
+		return serrors.WrapStr("unable to generate AS certificates", err)
+	}
+	if err := g.signAll(certs, cfgs); err != nil {
+		return serrors.WrapStr("unable to sign AS certificates", err)
+	}
+	if err := g.verify(certs); err != nil {
+		return serrors.WrapStr("unable to verify AS certificates", err)
+	}
+	if err := g.createDirs(certs); err != nil {
+		return serrors.WrapStr("unable to create output directories", err)
+	}
+	if err := g.write(certs); err != nil {
+		return serrors.WrapStr("unable to write AS certificates", err)
+	}
+	return nil
+}
+
+func (g chainGen) generateAll(cfgs map[addr.IA]conf.AS) (map[addr.IA]chainMeta, error) {
+	certs := make(map[addr.IA]chainMeta)
+	for ia, cfg := range cfgs {
+		chain, err := g.generate(ia, cfg)
+		if err != nil {
+			return nil, serrors.WrapStr("unable to generate issuer certificate", err,
+				"ia", ia, "version", cfg.Version)
+		}
+		certs[ia] = chain
+	}
+	return certs, nil
+}
+
+func (g chainGen) generate(ia addr.IA, cfg conf.AS) (chainMeta, error) {
+	pubKeys, err := g.loadPubKeys(ia, cfg)
+	if err != nil {
+		return chainMeta{}, serrors.WrapStr("unable to load all public keys", err)
+	}
+	enc, err := cert.EncodeAS(newASCert(ia, cfg, pubKeys))
+	if err != nil {
+		return chainMeta{}, serrors.WrapStr("unable to encode AS certificate", err)
+	}
+	file := IssuerFile(g.Dirs.Out, cfg.IssuerIA, cfg.IssuerCertVersion)
+	raw, err := ioutil.ReadFile(file)
+	if err != nil {
+		return chainMeta{}, serrors.WrapStr("unable to read issuer certificate", err, "file", file)
+	}
+	issuer, err := cert.ParseSignedIssuer(raw)
+	if err != nil {
+		return chainMeta{}, serrors.WrapStr("unable to parse issuer certificate", err, "file", file)
+	}
+	meta := chainMeta{
+		Chain: cert.Chain{
+			Issuer: issuer,
+			AS:     cert.SignedAS{Encoded: enc},
+		},
+		Version: cfg.Version,
+	}
+	return meta, nil
+}
+
+func (g chainGen) loadPubKeys(ia addr.IA, cfg conf.AS) (map[cert.KeyType]keyconf.Key, error) {
+	keys := make(map[cert.KeyType]keyconf.Key)
+	type meta struct {
+		Usage   keyconf.Usage
+		Version scrypto.KeyVersion
+	}
+	load := map[cert.KeyType]keyconf.ID{
+		cert.SigningKey: {
+			IA:      ia,
+			Version: *cfg.SigningKeyVersion,
+			Usage:   keyconf.ASSigningKey,
+		},
+		cert.EncryptionKey: {
+			IA:      ia,
+			Version: *cfg.EncryptionKeyVersion,
+			Usage:   keyconf.ASDecryptionKey,
+		},
+	}
+	if cfg.RevocationKeyVersion != nil {
+		load[cert.RevocationKey] = keyconf.ID{
+			IA:      ia,
+			Version: *cfg.RevocationKeyVersion,
+			Usage:   keyconf.ASRevocationKey,
+		}
+	}
+	for keyType, id := range load {
+		key, err := g.loadPubKey(id)
+		if err != nil {
+			return nil, serrors.WrapStr("unable to load key", err, "usage", id.Usage)
+		}
+		keys[keyType] = key
+	}
+	return keys, nil
+}
+
+func (g chainGen) loadPubKey(id keyconf.ID) (keyconf.Key, error) {
+	key, fromPriv, err := keys.LoadPublicKey(g.Dirs.Out, id)
+	if err != nil {
+		return keyconf.Key{}, err
+	}
+	if fromPriv {
+		pkicmn.QuietPrint("Using private %s key for %s\n", id.Usage, id.IA)
+		return key, nil
+	}
+	pkicmn.QuietPrint("Using public %s key for %s\n", id.Usage, id.IA)
+	return key, nil
+}
+
+func (g chainGen) signAll(protos map[addr.IA]chainMeta, cfgs map[addr.IA]conf.AS) error {
+	for ia, meta := range protos {
+		var err error
+		if meta.Chain, err = g.sign(cfgs[ia], meta.Chain); err != nil {
+			return serrors.WrapStr("unable to sign AS certificate", err, "ia", ia)
+		}
+		protos[ia] = meta
+	}
+	return nil
+}
+
+func (g chainGen) sign(cfg conf.AS, chain cert.Chain) (cert.Chain, error) {
+	file := conf.IssuerFile(g.Dirs.Root, cfg.IssuerIA, cfg.IssuerCertVersion)
+	issCfg, err := conf.LoadIssuer(file)
+	if err != nil {
+		return cert.Chain{}, serrors.WrapStr("unable to load issuer config", err, "file", file)
+	}
+	file = filepath.Join(keys.PrivateDir(g.Dirs.Out, cfg.IssuerIA),
+		keyconf.PrivateKeyFile(keyconf.IssCertSigningKey, *issCfg.IssuingKeyVersion))
+	id := keyconf.ID{
+		IA:      cfg.IssuerIA,
+		Usage:   keyconf.IssCertSigningKey,
+		Version: *issCfg.IssuingKeyVersion,
+	}
+	key, err := keyconf.LoadKeyFromFile(file, keyconf.PrivateKey, id)
+	if err != nil {
+		return cert.Chain{}, serrors.WrapStr("unable to load issuing key", err, "file", file)
+	}
+	protected := cert.ProtectedAS{
+		Algorithm:          key.Algorithm,
+		IA:                 cfg.IssuerIA,
+		CertificateVersion: cfg.IssuerCertVersion,
+	}
+	if chain.AS.EncodedProtected, err = cert.EncodeProtectedAS(protected); err != nil {
+		return cert.Chain{}, serrors.WrapStr("unable to encode protected", err)
+	}
+	chain.AS.Signature, err = scrypto.Sign(chain.AS.SigInput(), key.Bytes, key.Algorithm)
+	if err != nil {
+		return cert.Chain{}, serrors.WrapStr("unable to sign issuer certificate", err)
+	}
+	return chain, nil
+}
+
+func (g chainGen) verify(certs map[addr.IA]chainMeta) error {
+	v := verifier{Dirs: g.Dirs}
+	for ia, meta := range certs {
+		raw, err := meta.Chain.MarshalJSON()
+		if err != nil {
+			return serrors.WrapStr("unable to encode certificate chain", err)
+		}
+		if err := v.VerifyChain(raw); err != nil {
+			return serrors.WrapStr("unable to verify certificate chain", err, "ia", ia)
+		}
+	}
+	return nil
+}
+
+func (g chainGen) createDirs(certs map[addr.IA]chainMeta) error {
+	for ia := range certs {
+		if err := os.MkdirAll(Dir(g.Dirs.Out, ia), 0755); err != nil {
+			return serrors.WrapStr("unable to make certs directory", err, "ia", ia)
+		}
+	}
+	return nil
+}
+
+func (g chainGen) write(certs map[addr.IA]chainMeta) error {
+	for ia, meta := range certs {
+		raw, err := meta.Chain.MarshalJSON()
+		if err != nil {
+			return serrors.WrapStr("unable to encode signed issuer certificate", err)
+		}
+		file := ASFile(g.Dirs.Out, ia, meta.Version)
+		if err := pkicmn.WriteToFile(raw, file, 0644); err != nil {
+			return serrors.WrapStr("unable to write signed issuer certificate", err, "file", file)
+		}
+	}
+	return nil
+}
+
+func newASCert(ia addr.IA, cfg conf.AS, pubKeys map[cert.KeyType]keyconf.Key) *cert.AS {
+	val := cfg.Validity.Eval(time.Now())
+	c := &cert.AS{
+		Base: cert.Base{
+			Subject:                    ia,
+			Version:                    cfg.Version,
+			FormatVersion:              1,
+			Description:                cfg.Description,
+			OptionalDistributionPoints: cfg.OptDistPoints,
+			Validity:                   &val,
+			Keys:                       translateKeys(pubKeys),
+		},
+		Issuer: cert.IssuerCertID{
+			IA:                 cfg.IssuerIA,
+			CertificateVersion: cfg.IssuerCertVersion,
+		},
+	}
+	return c
+}

go/tools/scion-pki/internal/v2/certs/chain_test.go

@@ -0,0 +1,96 @@
+// Copyright 2019 Anapaya Systems
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certs
+
+import (
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/scionproto/scion/go/lib/xtest"
+	"github.com/scionproto/scion/go/tools/scion-pki/internal/pkicmn"
+)
+
+var (
+	ia111      = xtest.MustParseIA("1-ff00:0:111")
+	chainASMap = pkicmn.ASMap{1: {ia111}}
+)
+
+// TestChainGenRun checks that the chain generator creates verifiable chains.
+//
+// Given the folders:
+// - ISD1                   with the trc config
+// - ISD1/trcs              with the issuing TRC
+// - ISD1/ASff00_0_110      with the issuer AS, all its configs, keys and issuer certificate
+// - ISD1/ASff00_0_111      with the AS certifcate config
+//
+// When running chain.Run with the AS map that contains AS 1-ff00:0:111.
+//
+// Then a certificate chain is generated under ISD1/ASff00_0_111/certs.
+// The certificate chain is:
+// - valid
+// - verifiable using TRC ISD1-V1.trc that can be found at ISD1/trcs
+// - Byte for byte the same as the golden file.
+func TestChainGenRun(t *testing.T) {
+	tmpDir, cleanF := xtest.MustTempDir("", "test-certs-chain")
+	defer cleanF()
+
+	isdDir := filepath.Join(tmpDir, "ISD1")
+	require.NoError(t, os.MkdirAll(isdDir, 0777))
+	err := exec.Command("cp", "-r",
+		"./testdata/ISD1/ASff00_0_110",
+		"./testdata/ISD1/trcs",
+		"./testdata/ISD1/trc-v1.toml",
+		isdDir).Run()
+	require.NoError(t, err)
+
+	asDir := filepath.Join(isdDir, "ASff00_0_111")
+	require.NoError(t, os.MkdirAll(asDir, 0777))
+	err = exec.Command("cp", "-r",
+		"./testdata/ISD1/ASff00_0_111/keys",
+		"./testdata/ISD1/ASff00_0_111/as-v1.toml",
+		asDir).Run()
+	require.NoError(t, err)
+
+	g := chainGen{
+		Dirs: pkicmn.Dirs{Root: "./testdata", Out: tmpDir},
+	}
+	err = g.Run(chainASMap)
+	require.NoError(t, err)
+
+	golden, err := ioutil.ReadFile(ASFile("./testdata", ia111, 1))
+	require.NoError(t, err)
+	result, err := ioutil.ReadFile(ASFile(tmpDir, ia111, 1))
+	require.NoError(t, err)
+	assert.Equal(t, golden, result)
+}
+
+// TestUpdateGoldenChain provides an easy way to update the golden file after
+// the format has changed.
+func TestUpdateGoldenChain(t *testing.T) {
+	if *update {
+		force := pkicmn.Force
+		pkicmn.Force = true
+		defer func() { pkicmn.Force = force }()
+		g := chainGen{Dirs: pkicmn.Dirs{Root: "./testdata", Out: "./testdata"}, Version: 1}
+		err := g.Run(chainASMap)
+		require.NoError(t, err)
+	}
+}