tools/josef_experimental.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

#!/usr/bin/python
# -*- coding: utf-8 -*-		

import time
import base64
from certtools import get_sth, get_consistency_proof, check_sth_signature, get_public_key_from_file, verify_consistency_proof


base_urls = ["https://plausible.ct.nordu.net/",
			"https://ct1.digicert-ct.com/log/", 
			"https://ct.izenpe.com/",
			"https://log.certly.io/", 
			"https://ct.googleapis.com/aviator/", 
			"https://ct.googleapis.com/pilot/",
			"https://ct.googleapis.com/rocketeer/",
			]

logkeys = {}
logkeys["https://plausible.ct.nordu.net/"] = get_public_key_from_file("../../plausible-logkey.pem")
logkeys["https://ct.googleapis.com/rocketeer/"] = get_public_key_from_file("../../rocketeer-logkey.pem")
logkeys["https://ct.googleapis.com/aviator/"] = get_public_key_from_file("../../aviator-logkey.pem")
logkeys["https://ct.googleapis.com/pilot/"] = get_public_key_from_file("../../pilot-logkey.pem")
logkeys["https://log.certly.io/"] = get_public_key_from_file("../../certly-logkey.pem")
logkeys["https://ct.izenpe.com/"] = get_public_key_from_file("../../izenpe-logkey.pem")
logkeys["https://ct1.digicert-ct.com/log/"] = get_public_key_from_file("../../digicert-logkey.pem")
old_sth = {}

# Get initial sth
print time.strftime("%H:%M:%S", time.gmtime())
for base_url in base_urls:
	
	old_sth[base_url] =  get_sth(base_url)
	print "Received STH from " + base_url + ", timestamp: " + str(old_sth[base_url]["timestamp"]) + ", size: " + str(old_sth[base_url]["tree_size"]) 

	try:
		check_sth_signature(base_url, old_sth[base_url], logkeys[base_url])
	except:
		print "Could not verify signature!!"


while True:
	time.sleep(1*60-4)
	print time.strftime("%H:%M:%S", time.gmtime())
	for base_url in base_urls:
		new_sth =  get_sth(base_url)
		print "Received STH from " + base_url + ", timestamp: " + str(new_sth["timestamp"]) + ", size: " + str(new_sth["tree_size"])
		try:
			check_sth_signature(base_url, new_sth, logkeys[base_url])
		except:
			print "Could not verify signature!!"

		if old_sth[base_url]["tree_size"]!= new_sth["tree_size"]:
			print "Wohoo, new STH! Checking..."
			try:
				# Hashes are base64 encoded from the server and needs to be decoded before checking proofs.
				consistency_proof = get_consistency_proof(base_url, old_sth[base_url]["tree_size"], new_sth["tree_size"] )
				decoded_consistency_proof = []
				for item in consistency_proof:
					decoded_consistency_proof.append(base64.b64decode(item))
				res = verify_consistency_proof(decoded_consistency_proof, old_sth[base_url]["tree_size"], new_sth["tree_size"], old_sth[base_url]["sha256_root_hash"])
				
				if old_sth[base_url]["sha256_root_hash"] != str(base64.b64encode(res[0])):
					print "Verification of old hash failed!!!"
					print old_sth[base_url]["sha256_root_hash"], str(base64.b64encode(res[0]))
				if new_sth["sha256_root_hash"] != str(base64.b64encode(res[1])):
					print "Verification of new hash failed!!!"
					print new_sth["sha256_root_hash"], str(base64.b64encode(res[1]))

			except Exception, err:
				print Exception, err
			finally:
				old_sth[base_url] = new_sth