Cryptography Testing
This document describes how the cryptography-related parts of SCION are tested. Indirectly, the correct functionality of the cryptography-related parts is always tested when a SCION topology runs, as they are an integral part of the protocol. The tests described here additionally verify the functionality directly.
Note
All commands listed in this document assume that the project is properly set up (see Setting up the Development Environment), and that the commands are run from the project root.
All-in-one
To run all tests, execute the commands listed below:
go test ./pkg/scrypto/cppki/...
go test ./private/trust/...
go test ./control/trust/...
go test ./scion-pki/...
./scion.sh topology && ./scion.sh run && sleep 10
./bin/end2end_integration
./acceptance/ctl gsetup
PYTHONPATH=. ./acceptance/ctl grun cert_renewal
PYTHONPATH=. ./acceptance/ctl grun trc_update
Unit Tests
The unit test suite ensures that basic functionality works as intended.
1. Control Service
The control service has a trust-related module at control/trust. The module is responsible for creating signers and signatures, driving the trust engine, and handling certificate renewal requests.
To run the test suite, execute:
go test -v ./control/trust/...
2. Trust Engine
The trust engine located at pkg/trust stores and fetches trust material such as certificate chains and TRCs, and provides them during signature verification.
To run the test suite, execute:
go test -v ./pkg/trust/...
3. CP-PKI Library
The library pkg/scrypto/cppki is home to the trust material definitions for the SCION control plane certificates and the TRC.
To run the test suite, execute:
go test -v ./pkg/scrypto/cppki/...
4. scion-pki
The scion-pki tool can be used to interact with SCION control plane trust material. For example, it can verify TRC updates or inspect the TRC contents in human-readable form.
To run the test suite, execute:
go test -v ./scion-pki/...
Acceptance Tests
The acceptance tests ensure that the different components work together as intended. For each acceptance test, a small SCION topology is started and the behavior of the system is examined.
1. Basic End-to-End
This test starts a basic SCION topology with the necessary trust material, and checks that end-to-end connectivity can be established.
To run the test suite, execute:
./scion.sh topology && ./scion.sh run && sleep 10
./bin/end2end_integration
2. Certificate Renewal
This test verifies that the control service in a CA AS is capable of issuing certificate chains correctly for its customer ASes. Furthermore, the test verifies that the customer ASes successfully switch to the renewed certificate chain and the control/data plane continues to work as expected.
To run the test suite, execute:
./acceptance/ctl gsetup
PYTHONPATH=. ./acceptance/ctl grun cert_renewal
3. TRC Update
This test verifies that TRC updates are announced in beaconing and the control services fetch them properly.
To run the test suite, execute:
./acceptance/ctl gsetup
PYTHONPATH=. ./acceptance/ctl grun trc_update