Merge pull request #25 from netsys-lab/ee-pki

Integrating the new authentication architecture

README.md

@@ -29,8 +29,8 @@ Further information:
 The baseline RAINS relies on DNSSEC-style authentication that comes with inherent limitations. We seek to replace it with a new authentication architecture based on SCION end-entity PKI for better security and performance.
 
 ### Milestones
-- [ ] Design documents with rationale and expected properties of the new authentication architecture as well as suggested modifications to the baseline RAINS
-- [ ] Specifications of the modified and new RAINS protocols in formal language
+- [x] [Design documents](https://github.com/netsys-lab/scion-rains/tree/ee-pki/docs/auth-arch) with rationale and expected properties of the new authentication architecture as well as suggested modifications to the baseline RAINS
+- [x] [Specifications](https://github.com/netsys-lab/scion-rains/tree/ee-pki/docs/auth-arch/tamarin) of the modified and new RAINS protocols in formal language
 
 ## [Task 3.](https://github.com/netsys-lab/scion-rains/projects/4) Make use of DRKey system to develop mechanisms for secure and highly available RAINS communication
 

cmd/rdig/rdig.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"github.com/netsec-ethz/rains/internal/pkg/siglib"
 	"log"
 	"net"
 	"strings"
@@ -27,6 +28,8 @@ var expires = flag.Int64P("expires", "e", time.Now().Add(time.Second).Unix(),
 	"expires sets the valid until timestamp of the query in unix seconds since 1970. (default current timestamp + 1 second)")
 var insecureTLS = flag.BoolP("insecureTLS", "i", false,
 	"when set it does not check the validity of the server's TLS certificate. (default false)")
+var rhineVerification = flag.BoolP("rhineVerify", "r", false,
+	"when set it does validate received assertions with the key in the rhine certificate. Adds type cert to query types. (default false)")
 var tok = flag.StringP("token", "t", "",
 	"specifies a token to be used in the query instead of using a randomly generated one.")
 var timeout = flag.Duration("timeout", 10*time.Second, "timeout before query fails")
@@ -76,6 +79,20 @@ func main() {
 		log.Fatal("Error: default server not yet implemented. Please specify a server addr")
 	}
 
+	// if rhineVerify set but type cert missing, add type cert
+	var foundcert = false
+	if flag.Lookup("rhineVerify").Changed && len(types) > 0 {
+		for _, qtype := range types {
+			if qtype == object.OTCertInfo {
+				foundcert = true
+				break
+			}
+		}
+		if !foundcert {
+			types = append(types, object.OTCertInfo)
+		}
+	}
+
 	var serverAddr net.Addr
 	serverAddr, err := snet.ParseUDPAddr(fmt.Sprintf("%s:%d", server, *port))
 	if err != nil {
@@ -103,7 +120,24 @@ func main() {
 	if err != nil {
 		log.Fatalf("was not able to send query: %v", err)
 	}
+
 	fmt.Println(zonefile.IO{}.Encode(answerMsg.Content))
+
+	if flag.Lookup("rhineVerify").Changed {
+		ok := siglib.RhineCertVerification(answerMsg)
+		fmt.Println()
+		if ok {
+			fmt.Println("===================================")
+			fmt.Println("=== RHINE CERT VERIFICATION: OK ===")
+			fmt.Println("===================================")
+
+		} else {
+			fmt.Println("================================================")
+			fmt.Println("=== WARNING: RHINE CERT VERIFICATION FAILED! ===")
+			fmt.Println("================================================")
+
+		}
+	}
 }
 
 func parseAllQueryOptions() []query.Option {