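# Generates the demo control-plane PKI for SCION ISD 42 (ASes ffaa:1:1 to
# ffaa:1:5): voting and root certificates, the base TRC, CA certificates and
# the per-AS certificate chains.
#
# Requires: bash (process substitution, brace expansion) and scion-pki on PATH.
# Environment: out - destination directory; it is not set by this script and
#              receives AS<n>/cp-as.{key,pem} for every AS plus the TRC.
#
# Security notes:
#   * Every certificate is valid from 1970 to 2124. That window is only
#     appropriate for a tutorial or demo ISD.
#   * The working directory is left in place after the run and still holds the
#     voting, root and CA private keys. It is created with mode 0700 so other
#     local users cannot read them.
#   * The AS private keys are copied into $out with default permissions.
#     NOTE(review): confirm that the location the caller passes as $out is not
#     readable by other users.
set -euo pipefail

# Fail before generating anything if the destination is unset or empty.
: "${out:?out must name the destination directory}"

readonly WORKDIR=/tmp/tutorial-scion-certs
readonly NOT_BEFORE='1970-01-01T00:00:00Z'
readonly NOT_AFTER='2124-01-01T00:00:00Z'
readonly TRC_PAYLOAD=tmp/ISD42-B1-S1.pld.der

#######################################
# Creates one key and certificate with the shared demo validity window.
# Arguments:
#   $1 - scion-pki profile (sensitive-voting, regular-voting, cp-root, cp-ca,
#        cp-as)
#   $2 - AS number inside ISD 42, e.g. ffaa:1:1
#   $3 - common-name suffix, e.g. "cp root cert"
#   $@ - remaining scion-pki arguments: certificate path, key path and any
#        --ca/--ca-key/--bundle flags
#######################################
create_cert() {
  local profile=$1
  local isd_as="42-$2"
  local label=$3
  shift 3
  scion-pki certificate create \
    --not-before="$NOT_BEFORE" --not-after="$NOT_AFTER" \
    --profile="$profile" \
    <(printf '%s\n' "{\"isd_as\": \"${isd_as}\", \"common_name\": \"${isd_as} ${label}\"}") \
    "$@"
}

# mkdir and cd are separate statements on purpose: in `mkdir X && cd X` a
# failing mkdir does not trigger `set -e`, so the script would carry on and
# write key material into the caller's current directory. Without -p, mkdir
# also refuses a path that already exists, so a stale or pre-created directory
# stops the run.
mkdir -m 700 -- "$WORKDIR"
cd -- "$WORKDIR"
mkdir AS{1..5}

# Create voting and root keys and (self-signed) certificates for core ASes
create_cert sensitive-voting ffaa:1:1 'sensitive voting cert' \
  AS1/sensitive-voting.pem AS1/sensitive-voting.key
create_cert regular-voting ffaa:1:1 'regular voting cert' \
  AS1/regular-voting.pem AS1/regular-voting.key
create_cert cp-root ffaa:1:1 'cp root cert' AS1/cp-root.pem AS1/cp-root.key

create_cert cp-root ffaa:1:2 'cp root cert' AS2/cp-root.pem AS2/cp-root.key

create_cert sensitive-voting ffaa:1:3 'sensitive voting cert' \
  AS3/sensitive-voting.pem AS3/sensitive-voting.key
create_cert regular-voting ffaa:1:3 'regular voting cert' \
  AS3/regular-voting.pem AS3/regular-voting.key

# Create the TRC (Trust Root Configuration)
mkdir tmp
# The quoted delimiter keeps the template literal. not_before is a bare 0: the
# earlier echo '...' form wrote '0' inside a single-quoted string, so the shell
# removed those quotes and the template never contained them.
# NOTE(review): confirm how scion-pki interprets not_before = 0.
cat > trc-B1-S1-pld.tmpl <<'EOF'
isd = 42
description = "Demo ISD 42"
serial_version = 1
base_version = 1
voting_quorum = 2

core_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"]
authoritative_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"]
cert_files = ["AS1/sensitive-voting.pem", "AS1/regular-voting.pem", "AS1/cp-root.pem", "AS2/cp-root.pem", "AS3/sensitive-voting.pem", "AS3/regular-voting.pem"]

[validity]
not_before = 0
validity = "3650d"
EOF

scion-pki trc payload --out="$TRC_PAYLOAD" --template trc-B1-S1-pld.tmpl
rm -- trc-B1-S1-pld.tmpl

# Sign and bundle the TRC: AS1 and AS3 each sign with both voting keys.
for signer in AS1 AS3; do
  for kind in sensitive regular; do
    scion-pki trc sign "$TRC_PAYLOAD" "${signer}/${kind}-voting".{pem,key} \
      --out "tmp/ISD42-B1-S1.${signer}-${kind}.trc"
  done
done

scion-pki trc combine tmp/ISD42-B1-S1.AS{1,3}-{sensitive,regular}.trc \
  --payload "$TRC_PAYLOAD" --out ISD42-B1-S1.trc
rm -r -- tmp

# Create CA key and certificate for issuing ASes
create_cert cp-ca ffaa:1:1 'CA cert' AS1/cp-ca.pem AS1/cp-ca.key \
  --ca AS1/cp-root.pem --ca-key AS1/cp-root.key
create_cert cp-ca ffaa:1:2 'CA cert' AS2/cp-ca.pem AS2/cp-ca.key \
  --ca AS2/cp-root.pem --ca-key AS2/cp-root.key

# Create AS key and certificate chains. AS1's CA issues for AS1, AS3 and AS4;
# AS2's CA issues for AS2 and AS5.
create_cert cp-as ffaa:1:1 'AS cert' AS1/cp-as.pem AS1/cp-as.key \
  --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
create_cert cp-as ffaa:1:2 'AS cert' AS2/cp-as.pem AS2/cp-as.key \
  --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
create_cert cp-as ffaa:1:3 'AS cert' AS3/cp-as.pem AS3/cp-as.key \
  --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
create_cert cp-as ffaa:1:4 'AS cert' AS4/cp-as.pem AS4/cp-as.key \
  --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
create_cert cp-as ffaa:1:5 'AS cert' AS5/cp-as.pem AS5/cp-as.key \
  --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle

# Publish only what each AS needs at runtime: its own key and chain, plus the
# TRC. Voting, root and CA keys are not copied and stay in the working
# directory.
for i in {1..5}; do
  mkdir -p -- "$out/AS$i"
  cp -- "AS$i"/cp-as.{key,pem} "$out/AS$i"
done

mv -- ./*.trc "$out"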