scion-pki

command
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 30, 2020 License: Apache-2.0 Imports: 1 Imported by: 0

README

scion-pki

Overview

scion-pki is a tool to generate keys, certificates, and trust root configuration files used in the SCION control plane PKI.

Usage

Run scion-pki -h and scion-pki help [command] for detailed documentation for each command.

How to setup a new ISD

This section explains how to generate all keys, certificates, and the TRC for an example ISD.

ISD 1 contains the following ASes:

  • AS ff00:0:10, AS ff00:0:20, AS ff00:0:30: core ASes
  • AS ff00:0:11: customer of AS ff00:0:10
  • AS ff00:0:21: customer of AS ff00:0:20
  • AS ff00:0:31: customer of AS ff00:0:30
Setting up the directory structure

scion-pki works on a root directory <root> that where it will put and look for all the necessary keys, certificates, TRCs, and configuration files needed for the generation of the PKI entities. The expected structure is the following:

<root>/
    ISD1/
        isd.ini
        ASff00_0_10/
            as.ini
            certs/
            keys/
        AS.../
        ...
    ISD2/
        AS.../
        ...
    ...

Thus, the first step is to generate the appropriate directory structure. Let's assume for this example that <root> is the current directory, i.e., ..

mkdir -p ISD1/ASff00_0_{10,20,30,11,21,31}

Creating the configuration files

The next step is to create all the necessary isd.ini files. We can generate templates with

scion-pki tmpl isd 1

to generate a template config file in ISD1/isd.ini. Now, we can adjust the values in ISD1/isd.iniuntil they look like this:

Description = "Test ISD 1"

[TRC]
GracePeriod = 0s
CoreASes = 1-ff00:0:10,1-ff00:0:20,1-ff00:0:30
Version = 1
QuorumTRC = 2
Validity = 365d

Refer to scion-pki help trc for documentation on all available parameters.

Now we are ready to generate all as.ini files. Again, templates can be generated using

scion-pki tmpl as 1-*

Below are examples for ISD1/ASff00_0_10/as.ini and ISD1/ASff00_0_21/as.ini

[AS Certificate]
EncAlgorithm  = curve25519xsalsa20poly1305
SignAlgorithm = ed25519
Issuer        = 1-ff00:0:10
TRCVersion    = 1
Version       = 1
Validity      = 3d

[Issuer Certificate]
EncAlgorithm  = curve25519xsalsa20poly1305
SignAlgorithm = ed25519
Issuer        = 1-ff00:0:10
TRCVersion    = 1
Version       = 1
Validity      = 7d

[Key Algorithms]
; Signing algorithm used by Online Key, e.g., ed25519
Online  = ed25519
; Signing algorithm used by Offline Key, e.g., ed25519
Offline = ed25519
[AS Certificate]
EncAlgorithm  = curve25519xsalsa20poly1305
SignAlgorithm = ed25519
Issuer        = 1-ff00:0:20
TRCVersion    = 1
Version       = 1
Validity      = 3d

Refer to scion-pki help certs for documentation on all available parameters.

Generating the keys, the TRC, and the certificates

Now that we have the necessary config files and the directory structure in place (keys and certs directories will be generated on demand by scion-pki), we can generate the keys.

scion-pki keys gen 1-*

the TRC

scion-pki trc gen 1

and the certificates

scion-pki certs gen 1-*

scion-pki certs gen verifies all generated certificates against the TRC to ensure correctness. If that is not desired for any reason it can be turned of with -verify=false.

How to add a new customer AS

Building on the previous example, AS 1-ff00:0:20 wants to connect a new customer, AS 1-ff00:0:22. To that end, we first create the appropriate subdirectory:

mkdir ISD1/ASff00_0_22

Then we can create the template configuration and make the necessary changes:

scion-pki tmpl as 1-ff00:0:22

The next step is to create the keys for AS 1-ff00:0:22:

scion-pki keys gen 1-ff00:0:22

Finally, we can generate the new certificate:

scion-pki certs gen 1-ff00:0:22

Autocompleting scion-pki commands

For bash follow the following instructions

./bin/scion-pki autocomplete
sudo mv scion_pki_bash /etc/bash_completion.d
source ~/.bashrc

For zsh follow the following instructions

./bin/scion-pki autocomplete --zsh
mkdir -p ~/.zsh/completion
mv _scion-pki ~/.zsh/completion
echo "fpath=(~/.zsh/completion \$fpath)\nautload -U compinit\ncompinit\nzstyle ':completion:*' menu select=2" >> ~/.zshrc
source ~/.zshrc

Documentation

Overview

Tool to generate and verify control-plane PKI primitives.

Directories

Path Synopsis
internal
certs
Package certs defines the commands to generate issuer and AS certificates from the configuration files.
Package certs defines the commands to generate issuer and AS certificates from the configuration files.
cmd
conf
Package conf defines the configuration files for the scion-pki tool.
Package conf defines the configuration files for the scion-pki tool.
keys
Package keys defines the commands to generate the private and public keys from the key configuration files.
Package keys defines the commands to generate the private and public keys from the key configuration files.
pkicmn
Package pkicmn contains some commonly used functionality and definitions.
Package pkicmn contains some commonly used functionality and definitions.
trcs
Package trcs defines the commands to generate base TRC and TRC updates from the configuration files.
Package trcs defines the commands to generate base TRC and TRC updates from the configuration files.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL