diff options
Diffstat (limited to 'tools/verifysct.py')
-rwxr-xr-x | tools/verifysct.py | 123 |
1 files changed, 0 insertions, 123 deletions
diff --git a/tools/verifysct.py b/tools/verifysct.py deleted file mode 100755 index 71ea4e9..0000000 --- a/tools/verifysct.py +++ /dev/null @@ -1,123 +0,0 @@ -#!/usr/bin/env python - -# Copyright (c) 2014, NORDUnet A/S. -# See LICENSE for licensing information. - -import argparse -import urllib2 -import urllib -import json -import base64 -import sys -import struct -import hashlib -import itertools -from certtools import * -import os -import signal -import select -import zipfile - -parser = argparse.ArgumentParser(description='') -parser.add_argument('baseurl', help="Base URL for CT server") -parser.add_argument('--sct-file', default=None, metavar="dir", help='SCT:s to verify') -parser.add_argument('--parallel', type=int, default=16, metavar="n", help="Number of parallel verifications") -parser.add_argument('--publickey', default=None, metavar="file", help='Public key for the CT log') -parser.add_argument('--cafile', default=None, metavar="file", help='File containing the CA cert') -args = parser.parse_args() - -create_ssl_context(cafile=args.cafile) - -from multiprocessing import Pool - -baseurl = args.baseurl - -logpublickey = get_public_key_from_file(args.publickey) if args.publickey else None - -sth = get_sth(baseurl) - -def verifysct(sctentry): - timing = timing_point() - - leafcert = base64.b64decode(sctentry["leafcert"]) - if "issuer_key_hash" in sctentry: - issuer_key_hash = base64.b64decode(sctentry["issuer_key_hash"]) - else: - issuer_key_hash = None - try: - if issuer_key_hash: - signed_entry = pack_precert(leafcert, issuer_key_hash) - else: - signed_entry = pack_cert(leafcert) - check_sct_signature(baseurl, signed_entry, sctentry["sct"], precert=issuer_key_hash, publickey=logpublickey) - timing_point(timing, "checksig") - except AssertionError, e: - print "ERROR:", e - return (None, None) - except urllib2.HTTPError, e: - print "ERROR:", e - return (None, None) - except ecdsa.keys.BadSignatureError, e: - print "ERROR: bad signature" - return (None, None) - - if issuer_key_hash: - merkle_tree_leaf = pack_mtl_precert(sctentry["sct"]["timestamp"], leafcert, issuer_key_hash) - else: - merkle_tree_leaf = pack_mtl(sctentry["sct"]["timestamp"], leafcert) - - leaf_hash = get_leaf_hash(merkle_tree_leaf) - - try: - proof = get_proof_by_hash(baseurl, leaf_hash, sth["tree_size"]) - except SystemExit: - return (None, None) - - #print proof - - leaf_index = proof["leaf_index"] - inclusion_proof = [base64.b64decode(e) for e in proof["audit_path"]] - - calc_root_hash = verify_inclusion_proof(inclusion_proof, leaf_index, sth["tree_size"], leaf_hash) - - root_hash = base64.b64decode(sth["sha256_root_hash"]) - if root_hash != calc_root_hash: - print "sth" - print base64.b16encode(root_hash) - print base64.b16encode(calc_root_hash) - assert root_hash == calc_root_hash - - timing_point(timing, "lookup") - return (True, timing["deltatimes"]) - -p = Pool(args.parallel, lambda: signal.signal(signal.SIGINT, signal.SIG_IGN)) - -sctfile = open(args.sct_file) -scts = (json.loads(row) for row in sctfile) - -nverified = 0 -lastprinted = 0 - -starttime = datetime.datetime.now() - -try: - for result, timing in p.imap_unordered(verifysct, scts): - if timing == None: - print "error" - print "verified", nverified - p.terminate() - p.join() - sys.exit(1) - if result != None: - nverified += 1 - deltatime = datetime.datetime.now() - starttime - deltatime_f = deltatime.seconds + deltatime.microseconds / 1000000.0 - rate = nverified / deltatime_f - if nverified > lastprinted + 100: - print nverified, "rate %.1f" % rate - lastprinted = nverified - #print timing, "rate %.1f" % rate - print "verified", nverified -except KeyboardInterrupt: - p.terminate() - p.join() |