1 files changed, 20 insertions, 0 deletions

diff --git a/tools/certtools.py b/tools/certtools.py
index b132caa..0ce8885 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -143,6 +143,11 @@ def decode_signature(signature):
     assert rest == ""
     return (hash_alg, signature_alg, unpacked_signature)
 
+def encode_signature(hash_alg, signature_alg, unpacked_signature):
+    signature = struct.pack(">bb", hash_alg, signature_alg)
+    signature += tls_array(unpacked_signature, 2)
+    return signature
+
 def check_signature(baseurl, signature, data):
     publickey = base64.decodestring(publickeys[baseurl])
     (hash_alg, signature_alg, unpacked_signature) = decode_signature(signature)
@@ -155,6 +160,12 @@ def check_signature(baseurl, signature, data):
     vk.verify(unpacked_signature, data, hashfunc=hashlib.sha256,
               sigdecode=ecdsa.util.sigdecode_der)
 
+def create_signature(privatekey, data):
+    sk = ecdsa.SigningKey.from_der(privatekey)
+    unpacked_signature = sk.sign(data, hashfunc=hashlib.sha256,
+                                 sigencode=ecdsa.util.sigencode_der)
+    return encode_signature(4, 3, unpacked_signature)
+
 def check_sth_signature(baseurl, sth):
     signature = base64.decodestring(sth["tree_head_signature"])
 
@@ -167,6 +178,15 @@ def check_sth_signature(baseurl, sth):
 
     check_signature(baseurl, signature, tree_head)
 
+def create_sth_signature(tree_size, timestamp, root_hash, privatekey):
+    version = struct.pack(">b", 0)
+    signature_type = struct.pack(">b", 1)
+    timestamp_packed = struct.pack(">Q", timestamp)
+    tree_size_packed = struct.pack(">Q", tree_size)
+    tree_head = version + signature_type + timestamp_packed + tree_size_packed + root_hash
+
+    return create_signature(privatekey, tree_head)
+
 def check_sct_signature(baseurl, leafcert, sct):
     publickey = base64.decodestring(publickeys[baseurl])
     calculated_logid = hashlib.sha256(publickey).digest()