nixos/scion: fix nixosTest dates and validity period for TRCs

MatthewCroughan · MatthewCroughan · commit 1e925a2dfd14 · 2024-11-29T10:22:40.000Z
The validity period for TRCs cannot be set to an rfc3339 date, only an
offset from the current system time, which if set to 3650d rather than
36500d will still give us quite a long time before it becomes invalid,
which is acceptable for the time being.
diff --git a/nixos/tests/scion/freestanding-deployment/bootstrap.sh b/nixos/tests/scion/freestanding-deployment/bootstrap.sh
@@ -5,18 +5,18 @@ mkdir AS{1..5}
 
 # Create voting and root keys and (self-signed) certificates for core ASes
 pushd AS1
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 regular voting cert"}') regular-voting.pem regular-voting.key
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 cp root cert"}') cp-root.pem cp-root.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 regular voting cert"}') regular-voting.pem regular-voting.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 cp root cert"}') cp-root.pem cp-root.key
 popd
 
 pushd AS2
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 cp root cert"}') cp-root.pem cp-root.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 cp root cert"}') cp-root.pem cp-root.key
 popd
 
 pushd AS3
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 regular voting cert"}') regular-voting.pem regular-voting.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 regular voting cert"}') regular-voting.pem regular-voting.key
 popd
 
 # Create the TRC (Trust Root Configuration)
@@ -34,7 +34,7 @@ cert_files = ["AS1/sensitive-voting.pem", "AS1/regular-voting.pem", "AS1/cp-root
 
 [validity]
 not_before = '0'
-validity = "36500d"' \
+validity = "3650d"' \
 > trc-B1-S1-pld.tmpl
 
 scion-pki trc payload --out=tmp/ISD42-B1-S1.pld.der --template trc-B1-S1-pld.tmpl
@@ -51,18 +51,18 @@ rm tmp -r
 
 # Create CA key and certificate for issuing ASes
 pushd AS1
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
 popd
 pushd AS2
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
 popd
 
 # Create AS key and certificate chains
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 AS cert"}') AS1/cp-as.pem AS1/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 AS cert"}') AS2/cp-as.pem AS2/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 AS cert"}') AS3/cp-as.pem AS3/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:4", "common_name": "42-ffaa:1:4 AS cert"}') AS4/cp-as.pem AS4/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
-scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-11-02T15:41:22Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:5", "common_name": "42-ffaa:1:5 AS cert"}') AS5/cp-as.pem AS5/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 AS cert"}') AS1/cp-as.pem AS1/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 AS cert"}') AS2/cp-as.pem AS2/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 AS cert"}') AS3/cp-as.pem AS3/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:4", "common_name": "42-ffaa:1:4 AS cert"}') AS4/cp-as.pem AS4/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
+scion-pki certificate create --not-before="1970-01-01T00:00:00Z" --not-after="2124-01-01T00:00:00Z" --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:5", "common_name": "42-ffaa:1:5 AS cert"}') AS5/cp-as.pem AS5/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
 
 for i in {1..5}
 do
