Cryptography Testing

This document describes how the cryptography related parts of SCION are tested. Indirectly, the correct functionality of the cryptography related parts are always tested when a SCION topology runs, as they are an integral prat of the protocol. The tests described here additionally verify the functionality directly.

Note

All commands listed in this document assume that the project is properly set up (see Setting up the Development Environment), and that the commands are run from the project root.

All-in-one

To run all tests, execute the commands listed below:

go test ./pkg/scrypto/cppki/...
go test ./private/trust/...
go test ./control/trust/...
go test ./scion-pki/...

./scion.sh topology && ./scion.sh run && sleep 10
./bin/end2end_integration

./acceptance/ctl gsetup
PYTHONPATH=. ./acceptance/ctl grun cert_renewal
PYTHONPATH=. ./acceptance/ctl grun trc_update

Unit Tests

The unit test suite ensures that basic functionality works as intended.

1. Control Service

The control service has a trust-related module at control/trust. The module is responsible for creating signers and signatures, drive the trust engine, and handle certificate renewal requests.

To run the test suite, execute:

go test -v ./control/trust/...

2. Trust Engine

The trust engine located at pkg/trust stores and fetches trust material such as certificate chains and TRCs, and provides them during signature verification.

To run the test suite, execute:

go test -v ./pkg/trust/...

3. CP-PKI library

The library pkg/scrypto/cppki is home to the trust material definitions for the SCION control plane certificates and the TRC.

To run the test suite, execute:

go test -v ./pkg/scrypto/cppki/...

4. scion-pki

The scion-pki tool can be used to interact with SCION control plane trust material. For example, it can verify TRC updates, or inspect the TRC contents in a human readable form.

To run the test suite, execute:

go test -v ./scion-pki/...

Acceptance Tests

The acceptance tests ensure that the different components work together as intended. For each acceptance test, a small SCION topology is started and the behavior of the system is examined.

1. Basic End-to-End

This test starts a basic SCION topology with the necessary trust material, and checks that end-to-end connectivity can be established.

To run the test suite, execute:

./scion.sh topology && ./scion.sh run && sleep 10
./bin/end2end_integration

2. Certificate Renewal

This test verifies that the control service in a CA AS is capable of issuing certificate chains correctly for its customer ASes. Furthermore, the test verifies that the customer ASes successfully switch to the renewed certificate chain and the control/data plane continues to work as expected.

To run the test suite, execute:

./acceptance/ctl gsetup
PYTHONPATH=. ./acceptance/ctl grun cert_renewal

3. TRC update

This test verifies that TRC updates are announced in beaconing and the control services fetch them properly.

To run the test suite, execute:

./acceptance/ctl gsetup
PYTHONPATH=. ./acceptance/ctl grun trc_update