-
Notifications
You must be signed in to change notification settings - Fork 20
Lab2Milestone2
| Assigned | 4/22/2019 |
| Due | 5/1/2019 |
| Points | 100 |
Adding on to the first milestone, you will need to finish the protocol by enabling the bulk data transfer and certificate checking.
As with the previous protocol, once the handshake is finished, you should call the higher protocol's connection_made. The passed-up transport should encrypt data upon transport.write which is decrypted on the other side in data_received.
This part of the lab also adds in real certificate checking as described below.
YOU MUST USE THE PRFC FOR YOUR STANDARD
If you find an error, a mistake, or any other problem with the PRFC that would prevent you from completing the assignment, alert the PETF and include a proposed fix to the document. Assuming that the error is real (i.e., you didn't miss something) and your fix solves the problem, they will update the PRFC with your edits.
In this part of the lab, you need to do correct certificate handling, both in terms of sending and in receiving.
You first need to send me a certificate for signing that is your group's intermediate CA. The "common name" for your subject name is "20191.." where "x" is your group number. The staff's number, by the way, is 0.
For any Playground address you plan to use, you need to create a certificate with the full address as the common name and sign it with your intermediate CA's private key. So, if you want to use "20191.x.y.z", create a certificate with "20191.x.y.z" as the subject name, then sign it with your private key for "20191.x".
Remember when transmitting your certificate chain, to transmit first the address's cert, then any intermediate certs, followed by the root cert (in github).
When I am testing your code on my machines, I won't have your certificates and keys. To make this modular, you need to provide a cert_factory.py file inside your PLS module that has an API for getting the credentials for a given address. The code should work like this:
from . import cert_factory
private_key, cert_chain = cert_factory.get_credentials(address)
Where address is the playground address being used. Your protocol can figure out it's address by interrogating the transport's get_extra_info("sockname").
def connection_made(self, transport):
address, port = transport.get_extra_info("sockname")
mykey, mychain = cert_factory.get_credentials(address)
The get_credentials function must return two values: the private key for the address, and a chain of x509 objects from the cryptography module (not the PEM-encoded bytes).
If you cannot or will not provide a key/cert-chain for an address, your get_credentials function must throw an exception.
When you receive a peer's credentials, you need to ensure that they are correctly authorized. I'm not going to tell you everything to check for (you think about it!). But here are a few:
- Check
transport.get_extra_info("peername")to get their address - Verify that each subject's issuer is a proper prefix of the subject's name
- Ensure that certificates have not been revoked.
For revocation, you need to provide another function in your cert_factory module called get_revocation_list. This function should return a CRL object from the cryptography module. I will publish revoked certificate serial numbers in a revocations.txt file on github that you should load into this CRL returned from this function. This file will be in the same directory as the root certificate with one serial number per line. You can submit a revoked serial number to me by using a pull request on this file.
You should already have a pls_roast module in your github. Make sure to add the cert_factory.py file directly into this module:
<github repo>/src/lab2/pls_roast/cert_factory.py
When I check out your code, I will actually replace your cert_factory.py with my own, but I need yours in case something goes wrong and I need to see what you did wrong.
Grading for this lab is as follows:
- 50 points for correctly sending bulk data (e.g., application layer sent over
transport.write) - 25 points for correctly shutting down
- 25 points "correctly" using certificates. We will not check this thoroughly. If it "work" (connections can be made, data can go through), you will get these points.