dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

nixos/scion: fix nixosTest dates and validity period for TRCs

Browse Source 
The validity period for TRCs cannot be set to an rfc3339 date, only an
offset from the current system time, which if set to 3650d rather than
36500d will still give us quite a long time before it becomes invalid,
which is acceptable for the time being.
This commit is contained in:
matthewcroughan 2024-11-29 10:21:46 +00:00
parent c55f24450d
commit 1e925a2dfd
1 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
nixos/tests/scion/freestanding-deployment/bootstrap.sh
View File

@ -5,18 +5,18 @@ mkdir AS{1..5}
# Create voting and root keys and (self-signed) certificates for core ASes
pushd AS1
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 regular voting cert"}') regular-voting.pem regular-voting.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 cp root cert"}') cp-root.pem cp-root.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 regular voting cert"}') regular-voting.pem regular-voting.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 cp root cert"}') cp-root.pem cp-root.key
popd
pushd AS2
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 cp root cert"}') cp-root.pem cp-root.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 cp root cert"}') cp-root.pem cp-root.key
popd
pushd AS3
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 regular voting cert"}') regular-voting.pem regular-voting.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 regular voting cert"}') regular-voting.pem regular-voting.key
popd
# Create the TRC (Trust Root Configuration)
@ -34,7 +34,7 @@ cert_files = ["AS1/sensitive-voting.pem", "AS1/regular-voting.pem", "AS1/cp-root
[validity]
not_before = '0'
validity = "36500d"' \
validity = "3650d"' \
> trc-B1-S1-pld.tmpl
scion-pki trc payload --out=tmp/ISD42-B1-S1.pld.der --template trc-B1-S1-pld.tmpl
@ -51,18 +51,18 @@ rm tmp -r
# Create CA key and certificate for issuing ASes
pushd AS1
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
popd
pushd AS2
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
popd
# Create AS key and certificate chains
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 AS cert"}') AS1/cp-as.pem AS1/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 AS cert"}') AS2/cp-as.pem AS2/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 AS cert"}') AS3/cp-as.pem AS3/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:4", "common_name": "42-ffaa:1:4 AS cert"}') AS4/cp-as.pem AS4/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:5", "common_name": "42-ffaa:1:5 AS cert"}') AS5/cp-as.pem AS5/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 AS cert"}') AS1/cp-as.pem AS1/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 AS cert"}') AS2/cp-as.pem AS2/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 AS cert"}') AS3/cp-as.pem AS3/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:4", "common_name": "42-ffaa:1:4 AS cert"}') AS4/cp-as.pem AS4/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:5", "common_name": "42-ffaa:1:5 AS cert"}') AS5/cp-as.pem AS5/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
for i in {1..5}
do