From fe36969835c2f3be14e90a1ac7632fd4c638afaa Mon Sep 17 00:00:00 2001
From: josef
Date: Tue, 25 Aug 2015 16:19:10 +0200
Subject: experimental python auditor added

---
 tools/josef_experimental.py | 68 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100755 tools/josef_experimental.py
(limited to 'tools/josef_experimental.py')

diff --git a/tools/josef_experimental.py b/tools/josef_experimental.py
new file mode 100755
index 0000000..da3f31e
--- /dev/null
+++ b/tools/josef_experimental.py
@@ -0,0 +1,68 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import time
+from certtools import get_sth, get_consistency_proof, check_sth_signature, get_public_key_from_file, verify_consistency_proof
+
+
+base_urls = ["https://plausible.ct.nordu.net/",
+             "https://ct1.digicert-ct.com/log/",
+             "https://ct.izenpe.com/",
+             "https://log.certly.io/",
+             "https://ct.googleapis.com/aviator/",
+             "https://ct.googleapis.com/pilot/",
+             "https://ct.googleapis.com/rocketeer/",
+             ]
+
+logkeys = {}
+logkeys["https://plausible.ct.nordu.net/"] = get_public_key_from_file("../../plausible-logkey.pem")
+logkeys["https://ct.googleapis.com/rocketeer/"] = get_public_key_from_file("../../rocketeer-logkey.pem")
+logkeys["https://ct.googleapis.com/aviator/"] = get_public_key_from_file("../../aviator-logkey.pem")
+logkeys["https://ct.googleapis.com/pilot/"] = get_public_key_from_file("../../pilot-logkey.pem")
+logkeys["https://log.certly.io/"] = get_public_key_from_file("../../certly-logkey.pem")
+logkeys["https://ct.izenpe.com/"] = get_public_key_from_file("../../izenpe-logkey.pem")
+logkeys["https://ct1.digicert-ct.com/log/"] = get_public_key_from_file("../../digicert-logkey.pem")
+count = 0
+old_sth = {}
+
+# Get initial sth
+for base_url in base_urls:
+
+    old_sth[base_url] = get_sth(base_url)
+    # print old_sth[base_url]["sha256_root_hash"]
+    print str(count) + ": Received STH from " + base_url + ", timestamp: " + str(old_sth[base_url]["timestamp"]) + ", size: " + str(old_sth[base_url]["tree_size"])
+
+    try:
+        check_sth_signature(base_url, old_sth[base_url], logkeys[base_url])
+    except:
+        print "Could not verify signature!!"
+
+
+while True:
+    time.sleep(60)
+    count += 1
+    for base_url in base_urls:
+        new_sth = get_sth(base_url)
+        print str(count) + ": Received STH from " + base_url + ", timestamp: " + str(old_sth[base_url]["timestamp"]) + ", size: " + str(old_sth[base_url]["tree_size"])
+        try:
+            check_sth_signature(base_url, new_sth, logkeys[base_url])
+        except:
+            print "Could not verify signature!!"
+
+        if old_sth[base_url]["tree_size"] != new_sth["tree_size"]:
+            print "Wohoo, new STH! Checking..."
+            try:
+                consistency_proof = get_consistency_proof(base_url, old_sth[base_url]["tree_size"], new_sth["tree_size"] )
+                # print consistency_proof
+                print verify_consistency_proof(consistency_proof, old_sth[base_url]["tree_size"], new_sth["tree_size"], old_sth[base_url]["sha256_root_hash"])
+            except:
+                print consistency_proof
+            finally:
+                old_sth[base_url] = new_sth
+
+
+
+
+
+
+
-- 
cgit v1.1

From 45ab48e10763c5e29a7e49c2abe1656798e0e774 Mon Sep 17 00:00:00 2001
From: josef
Date: Wed, 26 Aug 2015 12:21:59 +0200
Subject: verifying consistency proofs working

---
 tools/josef_experimental.py | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
(limited to 'tools/josef_experimental.py')

diff --git a/tools/josef_experimental.py b/tools/josef_experimental.py
index da3f31e..dc1dc7e 100755
--- a/tools/josef_experimental.py
+++ b/tools/josef_experimental.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 
 import time
+import base64
 from certtools import get_sth, get_consistency_proof, check_sth_signature, get_public_key_from_file, verify_consistency_proof
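Review bot: In the consistency-check block at the end of the hunk, the bare `except:` handler prints `consistency_proof`, which is unbound when `get_consistency_proof` itself raised, so the handler dies with a NameError; worse, the `finally:` still runs `old_sth[base_url] = new_sth`, so an STH whose proof could not be verified (or whose signature failed a few lines earlier, where the failure is only printed) becomes the new trusted baseline and the auditor discards exactly the evidence it exists to collect. Keep the old STH on any failure by moving the assignment into an `else:` branch and naming the exception, e.g. `except Exception, err:` / `print "Proof check failed for", base_url, err` / `else: old_sth[base_url] = new_sth`. The return value of `verify_consistency_proof` is also only printed, never compared against the two root hashes, so a mismatch is not flagged. The helpers imported from certtools are outside this view, so I cannot say which exceptions they actually raise.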
@@ -22,15 +23,14 @@ logkeys["https://ct.googleapis.com/pilot/"] = get_public_key_from_file("../../pi
 logkeys["https://log.certly.io/"] = get_public_key_from_file("../../certly-logkey.pem")
 logkeys["https://ct.izenpe.com/"] = get_public_key_from_file("../../izenpe-logkey.pem")
 logkeys["https://ct1.digicert-ct.com/log/"] = get_public_key_from_file("../../digicert-logkey.pem")
-count = 0
 old_sth = {}
 
 # Get initial sth
+print time.strftime("%H:%M:%S", time.gmtime())
 for base_url in base_urls:
 
     old_sth[base_url] = get_sth(base_url)
-    # print old_sth[base_url]["sha256_root_hash"]
-    print str(count) + ": Received STH from " + base_url + ", timestamp: " + str(old_sth[base_url]["timestamp"]) + ", size: " + str(old_sth[base_url]["tree_size"])
+    print "Received STH from " + base_url + ", timestamp: " + str(old_sth[base_url]["timestamp"]) + ", size: " + str(old_sth[base_url]["tree_size"])
 
     try:
         check_sth_signature(base_url, old_sth[base_url], logkeys[base_url])
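Review bot: The initial STH is stored as the trusted baseline (`old_sth[base_url] = get_sth(base_url)`) before `check_sth_signature` runs, and nothing in this hunk removes it again if the signature check fails; the `except` that handles that failure is below the hunk, but from the lines visible it only prints. Fetch into a local, verify, then store, so an unsigned or mis-signed STH never becomes the reference the consistency proofs are later checked against: `sth = get_sth(base_url)` / `check_sth_signature(base_url, sth, logkeys[base_url])` / `old_sth[base_url] = sth`. The new `print time.strftime(...)` line is fine but a short comment such as `# UTC wall clock of this poll, for correlating with the logs' STH timestamps` would say why it is there.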
@@ -39,24 +39,35 @@ for base_url in base_urls:
 while True:
-    time.sleep(60)
-    count += 1
+    time.sleep(1*60-4)
+    print time.strftime("%H:%M:%S", time.gmtime())
     for base_url in base_urls:
         new_sth = get_sth(base_url)
-        print str(count) + ": Received STH from " + base_url + ", timestamp: " + str(old_sth[base_url]["timestamp"]) + ", size: " + str(old_sth[base_url]["tree_size"])
+        print "Received STH from " + base_url + ", timestamp: " + str(new_sth["timestamp"]) + ", size: " + str(new_sth["tree_size"])
         try:
             check_sth_signature(base_url, new_sth, logkeys[base_url])
         except:
             print "Could not verify signature!!"
 
-        if old_sth[base_url]["tree_size"] != new_sth["tree_size"]:
+        if old_sth[base_url]["tree_size"]!= new_sth["tree_size"]:
             print "Wohoo, new STH! Checking..."
             try:
+                # Hashes are base64 encoded from the server and needs to be decoded before checking proofs.
                 consistency_proof = get_consistency_proof(base_url, old_sth[base_url]["tree_size"], new_sth["tree_size"] )
-                # print consistency_proof
-                print verify_consistency_proof(consistency_proof, old_sth[base_url]["tree_size"], new_sth["tree_size"], old_sth[base_url]["sha256_root_hash"])
-            except:
-                print consistency_proof
+                decoded_consistency_proof = []
+                for item in consistency_proof:
+                    decoded_consistency_proof.append(base64.b64decode(item))
+                res = verify_consistency_proof(decoded_consistency_proof, old_sth[base_url]["tree_size"], new_sth["tree_size"], old_sth[base_url]["sha256_root_hash"])
+
+                if old_sth[base_url]["sha256_root_hash"] != str(base64.b64encode(res[0])):
+                    print "Verification of old hash failed!!!"
+                    print old_sth[base_url]["sha256_root_hash"], str(base64.b64encode(res[0]))
+                if new_sth["sha256_root_hash"] != str(base64.b64encode(res[1])):
+                    print "Verification of new hash failed!!!"
+                    print new_sth["sha256_root_hash"], str(base64.b64encode(res[1]))
+
+            except Exception, err:
+                print Exception, err
             finally:
                 old_sth[base_url] = new_sth
-- 
cgit v1.1
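Review bot: The two new root-hash mismatch branches only print and fall through, and the unchanged `finally:` then replaces `old_sth[base_url]` with `new_sth` regardless, so a detected inconsistency — the one piece of cryptographic evidence a CT auditor exists to produce — is reported once and the baseline silently moves on; the same happens when `check_sth_signature` fails at the top of the loop body, where the `except:` only prints. Add `continue` after `print "Could not verify signature!!"`, turn `finally:` into `else:`, and `continue` after each "Verification ... failed" print so the baseline advances only when both roots check out; on a mismatch, also write both STHs and the raw proof to a file rather than just stdout, since the printed base64 is what a third party would need to reproduce the check. Stylistically the decode loop is a one-liner, `decoded_consistency_proof = [base64.b64decode(item) for item in consistency_proof]`, and `1*60-4` deserves a comment saying why four seconds are shaved off the minute.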
From c44dc8533ece4e000162cae6fd6c6fa376b94602 Mon Sep 17 00:00:00 2001
From: josef
Date: Tue, 1 Sep 2015 14:50:33 +0200
Subject: experimental...

---
 tools/josef_experimental.py | 111 ++++++++++++++++++++++++--------------------
 1 file changed, 61 insertions(+), 50 deletions(-)
(limited to 'tools/josef_experimental.py')

diff --git a/tools/josef_experimental.py b/tools/josef_experimental.py
index dc1dc7e..7f79788 100755
--- a/tools/josef_experimental.py
+++ b/tools/josef_experimental.py
@@ -3,13 +3,69 @@
 import time
 import base64
-from certtools import get_sth, get_consistency_proof, check_sth_signature, get_public_key_from_file, verify_consistency_proof
+import urllib
+import urllib2
+import sys
+# from pympler.asizeof import asizeof
+from certtools import *
+
+def reduce_leafs_to_root(layer0):
+    if len(layer0) == 0:
+        return [[hashlib.sha256().digest()]]
+    current_layer = layer0
+    while len(current_layer) > 1:
+        current_layer = next_merkle_layer(current_layer)
+    return current_layer
+
+def reduce_layer(layer):
+    new_layer = []
+    while len(layer) > 1:
+        e1 = layer.pop(0)
+        e2 = layer.pop(0)
+        new_layer.append(internal_hash((e1,e2)))
+    return new_layer
+
+def reduce_tree(entries, layers):
+    if len(entries) == 0 and layers is []:
+        return [[hashlib.sha256().digest()]]
+
+    layer_idx = 0
+    layers[layer_idx] += entries
+
+    while len(layers[layer_idx]) > 1:
+        if len(layers) == layer_idx + 1:
+            layers.append([])
+
+        layers[layer_idx + 1] += reduce_layer(layers[layer_idx])
+        layer_idx += 1
+    return layers
+
+def reduce_subtree_to_root(layers):
+    while len(layers) > 1:
+        layers[1] += next_merkle_layer(layers[0])
+        del layers[0]
+
+    if len(layers[0]) > 1:
+        return next_merkle_layer(layers[0])
+    return layers[0]
+
+def get_proof_by_index(baseurl, index, tree_size):
+    try:
+        params = urllib.urlencode({"leaf_index":index,
+                                   "tree_size":tree_size})
+        result = \
+          urlopen(baseurl + "ct/v1/get-entry-and-proof?" + params).read()
+        return json.loads(result)
+    except urllib2.HTTPError, e:
+        print "ERROR:", e.read()
+        sys.exit(1)
 
 base_urls = ["https://plausible.ct.nordu.net/",
              "https://ct1.digicert-ct.com/log/",
              "https://ct.izenpe.com/",
              "https://log.certly.io/",
+             "https://ctlog.api.venafi.com/",
              "https://ct.googleapis.com/aviator/",
              "https://ct.googleapis.com/pilot/",
              "https://ct.googleapis.com/rocketeer/",
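Review bot: `layers is []` in `reduce_tree` is always False, because a fresh list literal is never the same object as `layers`, so the empty-tree guard never fires and `layers[layer_idx] += entries` raises IndexError when `layers` is empty; the test should be `if not entries and not layers:`. `reduce_leafs_to_root` returns `[[hash]]` for an empty input but a flat `[hash]` list otherwise, so callers see a different nesting depth on the edge case, and `reduce_layer` consumes its argument with `pop(0)`, which is worth a docstring line since `reduce_tree` relies on that emptying. `get_proof_by_index` prints the raw server body and calls `sys.exit(1)` on HTTPError, which makes it unusable from a long-running auditor loop — raise instead and let the caller decide. `urlopen`, `json`, `hashlib`, `next_merkle_layer` and `internal_hash` presumably arrive via `from certtools import *`; an explicit import list would make that visible and avoid silently shadowing the modules imported above.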
@@ -23,57 +79,12 @@ logkeys["https://ct.googleapis.com/pilot/"] = get_public_key_from_file("../../pi
 logkeys["https://log.certly.io/"] = get_public_key_from_file("../../certly-logkey.pem")
 logkeys["https://ct.izenpe.com/"] = get_public_key_from_file("../../izenpe-logkey.pem")
 logkeys["https://ct1.digicert-ct.com/log/"] = get_public_key_from_file("../../digicert-logkey.pem")
-old_sth = {}
-
-# Get initial sth
-print time.strftime("%H:%M:%S", time.gmtime())
-for base_url in base_urls:
-
-    old_sth[base_url] = get_sth(base_url)
-    print "Received STH from " + base_url + ", timestamp: " + str(old_sth[base_url]["timestamp"]) + ", size: " + str(old_sth[base_url]["tree_size"])
-
-    try:
-        check_sth_signature(base_url, old_sth[base_url], logkeys[base_url])
-    except:
-        print "Could not verify signature!!"
-
-
-while True:
-    time.sleep(1*60-4)
-    print time.strftime("%H:%M:%S", time.gmtime())
-    for base_url in base_urls:
-        new_sth = get_sth(base_url)
-        print "Received STH from " + base_url + ", timestamp: " + str(new_sth["timestamp"]) + ", size: " + str(new_sth["tree_size"])
-        try:
-            check_sth_signature(base_url, new_sth, logkeys[base_url])
-        except:
-            print "Could not verify signature!!"
-
-        if old_sth[base_url]["tree_size"]!= new_sth["tree_size"]:
-            print "Wohoo, new STH! Checking..."
-            try:
-                # Hashes are base64 encoded from the server and needs to be decoded before checking proofs.
-                consistency_proof = get_consistency_proof(base_url, old_sth[base_url]["tree_size"], new_sth["tree_size"] )
-                decoded_consistency_proof = []
-                for item in consistency_proof:
-                    decoded_consistency_proof.append(base64.b64decode(item))
-                res = verify_consistency_proof(decoded_consistency_proof, old_sth[base_url]["tree_size"], new_sth["tree_size"], old_sth[base_url]["sha256_root_hash"])
-
-                if old_sth[base_url]["sha256_root_hash"] != str(base64.b64encode(res[0])):
-                    print "Verification of old hash failed!!!"
-                    print old_sth[base_url]["sha256_root_hash"], str(base64.b64encode(res[0]))
-                if new_sth["sha256_root_hash"] != str(base64.b64encode(res[1])):
-                    print "Verification of new hash failed!!!"
-                    print new_sth["sha256_root_hash"], str(base64.b64encode(res[1]))
-
-            except Exception, err:
-                print Exception, err
-            finally:
-                old_sth[base_url] = new_sth
-
-
+logkeys["https://ctlog.api.venafi.com/"] = get_public_key_from_file("../../venafi-logkey.pem")
+from Crypto import Signature
+sth = get_sth(base_urls[4])
+print sth
-- 
cgit v1.1
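Review bot: The replacement at the bottom of the hunk fetches an STH with `sth = get_sth(base_urls[4])` and prints it without ever calling `check_sth_signature`, so after this commit the tool performs no verification at all — the signature check, the consistency proof and the root-hash comparison are all deleted and nothing takes their place, even though the Venafi key is loaded one line above. If the loop is being set aside for an experiment, keep it behind `if __name__ == "__main__":` or a flag rather than removing it, and at minimum verify what is printed: `check_sth_signature(base_urls[4], sth, logkeys[base_urls[4]])`. `base_urls[4]` is a positional index that changes meaning whenever the list is edited (it was just extended by this same commit) — use the URL string as the key. `from Crypto import Signature` sits in the middle of the module and, as far as this hunk shows, is unused; move it to the import block or drop it.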