netsec-ethz / fpki

4 stars 1 forks source link

FPKI

Setting up local mapserver for testing

TODO: The information below is old and outdated.

Features

Dir structure

.
├── cert                                  # certificates for testing. Eg. cert for PCA
├── cmd                                   # Executables. Log server and log signer
├── config                                # Config file for PCA and policy log
├── doc                                   # FPKI design
│   ├── images
│   └── performance_test_output           # Some results of the policy log performance
├── pkg                                   # Packages of the project
├── scripts                               # Scripts to clean and build the executables
└── tests                                 # Some integration tests. Unit tests are in the individual pkg

Overview

Alt text

The figure above illustrates the components so far. The domain owner sends RCSR to the PCA, and PCA signs the RCSR to generate an RPC. Then the PCA sends the RPC to the policy log to get an SPT. The log verifier will verify the SPT and the consistency between the old tree head and the newest tree head.

Policy log

Trillian is used in the policy log.

The policy log is the most complex component so far. It consists of four sub-components:

Within the policy log, the log client and admin client only communicate with the log server via grpc. Log signer only communicates with the log server, and the communication is internal, so we don't have access to it. For other components outside the policy log, they can only have access to the log client to add leaves of fetch proof of inclusion. Admin client should only be accessed internally.

How to run the integration tests

There are two integration tests which require the setup of Trillian server.

Download trillian and setup database (more information on https://github.com/google/trillian#mysql-setup)

git clone https://github.com/google/trillian.git
cd scripts
./resetdb.sh

Download the FPKI

Conpile the executable

   make
   make test_folders

Open two terminals, run "cmd/logserver_exec" and "cmd/logsigner_exec"

Run the tests:

   cd fpki
   go test ./...

Integration tests and benchmark

There are some integration tests and benchmark under the tests folders.

.
├── benchmark                                  # benchmark for each components
│  ├── db_benchmark
│  └── logserver_benchmark           
│  └── smt_benchmark          
│  └── mapserver_benchmark 
│  │  └── updater_benchmark    
│  │  └── responder_benchmark           
├── integration_tests  
│  └── db    
│  └── domainowner_pca_policy_interaction    
│  └── mapserver    
│  └── policy_interaction                                    
│  └── smt   

For map server, you might be interested in the following tests:

Benchmark/db_benchmark

This benchmark evaluates the inserting speed, reading speed and deleting speed of a key-value store.

Benchmark/smt_benchmark

This benchmark evaluates the speed of Sparse Merkle Tree. For example, the updating speed of SMT, and time to commit the changes to the DB.

Benchmark/mapserver_benchmark

This folder contains two folders, one for updater and one for responder. The updater is responsible for updating the SMT and changing the domain entries table. The responder is responsible for generating the proof, and distributing the proof to client. Currently, the updater and responder are evaluated seperately. If you want to combine the two benchmarks together, please send me a message and I can do some modification. It's trivial.

integration_tests/mapserver

domain materials: Bytes which contain all the certificates which are related to this domain name.

This test is the integration test for mapserver. The test first starts an updater, fetches 1000 certificates from CT log, and adds them to the SMT and domain entries tables. Then the test starts a responder, re-collects the previously-added certificates, and queries the proof for corresponding domain name. Then the proof is checked against individual certificate(whether the certificate is included in the domain materials, and whether SMT proof is correct).