Diffstat (limited to 'tools/submitcert.py')
-rwxr-xr-x | tools/submitcert.py | 80 |
1 files changed, 31 insertions, 49 deletions
diff --git a/tools/submitcert.py b/tools/submitcert.py
index 702ffb3..e8d8901 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
@@ -6,6 +6,7 @@ import base64
 import sys
 import struct
 import hashlib
+import itertools
 from certtools import *
 baseurl = sys.argv[1]
@@ -13,62 +14,29 @@ certfile = sys.argv[2]
 lookup_in_log = True
-publickeys = {
- "https://ct.googleapis.com/pilot/":
- "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl/fHTD"
- "M0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFMoA==",
-
- "https://127.0.0.1:8080/":
- "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4qWq6afhBUi0OdcWUYhyJLNXTkGqQ9"
- "PMS5lqoCgkV2h1ZvpNjBH2u8UbgcOQwqDo66z6BWQJGolozZYmNHE2kQ==",
-
- "https://flimsy.ct.nordu.net/":
- "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4qWq6afhBUi0OdcWUYhyJLNXTkGqQ9"
- "PMS5lqoCgkV2h1ZvpNjBH2u8UbgcOQwqDo66z6BWQJGolozZYmNHE2kQ==",
-}
-
-
 certs = get_certs_from_file(certfile)
-result = add_chain(baseurl, {"chain":certs})
-
-print result
-
-publickey = base64.decodestring(publickeys[baseurl])
-
-check_signature(publickey, base64.decodestring(certs[0]), result)
+result = add_chain(baseurl, {"chain":map(base64.b64encode, certs)})
-for cert in certs:
- print get_cert_info(base64.decodestring(cert))
+try:
+ check_signature(baseurl, certs[0], result)
+except AssertionError, e:
+ print "ERROR:", e
+ sys.exit(1)
+except ecdsa.keys.BadSignatureError, e:
+ print "ERROR: bad signature"
+ sys.exit(1)
+print "signature check succeeded"
 if lookup_in_log:
- last_issuer = get_cert_info(base64.decodestring(certs[-1]))["issuer"]
- last_subject = get_cert_info(base64.decodestring(certs[-1]))["subject"]
- entry_type = struct.pack(">H", 0)
+ merkle_tree_leaf = pack_mtl(result["timestamp"], certs[0])
- extensions = ""
-
- timestamped_entry = struct.pack(">Q", result["timestamp"]) + entry_type + \
- tls_array(base64.decodestring(certs[0]), 3) + tls_array(extensions, 2)
- version = struct.pack(">b", 0)
- leaf_type = struct.pack(">b", 0)
- merkle_tree_leaf = version + leaf_type + timestamped_entry
-
- print "merkle_tree_leaf:", base64.b64encode(merkle_tree_leaf)
-
- leaf_hash = hashlib.sha256()
- leaf_hash.update(struct.pack(">b", 0))
- leaf_hash.update(merkle_tree_leaf)
-
- print base64.b64encode(leaf_hash.digest())
+ leaf_hash = get_leaf_hash(merkle_tree_leaf)
 sth = get_sth(baseurl)
- print sth
-
- proof = get_proof_by_hash(baseurl, leaf_hash.digest(), sth["tree_size"])
- print proof
+ proof = get_proof_by_hash(baseurl, leaf_hash, sth["tree_size"])
 leaf_index = proof["leaf_index"]
@@ -76,8 +44,6 @@ if lookup_in_log:
 fetched_entry = entries["entries"][0]
- print fetched_entry
-
 print "does the leaf_input of the fetched entry match what we calculated:", \
 base64.decodestring(fetched_entry["leaf_input"]) == merkle_tree_leaf
@@ -85,4 +51,20 @@ if lookup_in_log:
 certchain = decode_certificate_chain(base64.decodestring(extra_data))
- print [base64.b64encode(cert) for cert in certchain]
+ submittedcertchain = certs[1:]
+
+ for (submittedcert, fetchedcert, i) in zip(submittedcertchain,
+ certchain, itertools.count(1)):
+ print "cert", i, "in chain is the same:", submittedcert == fetchedcert
+
+ if len(certchain) == len(submittedcertchain) + 1:
+ last_issuer = get_cert_info(certs[-1])["issuer"]
+ root_subject = get_cert_info(certchain[-1])["subject"]
+ print "issuer of last cert in submitted chain and " \
+ "subject of last cert in fetched chain is the same:", \
+ last_issuer == root_subject
+ elif len(certchain) == len(submittedcertchain):
+ print "cert chains are the same length"
+ else:
+ print "ERROR: fetched cert chain has length", len(certchain),
+ print "and submitted chain has length", len(submittedcertchain)
|
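Review bot: The second except clause names `ecdsa.keys.BadSignatureError`, but nothing in this file imports `ecdsa` — the visible imports are base64, sys, struct, hashlib, the new itertools, and the star import from certtools — so unless certtools happens to re-export that module, a bad SCT signature will surface as a NameError raised while Python evaluates the except expression instead of the intended "ERROR: bad signature" exit. Add `import ecdsa` beside the other imports (or catch whatever exception type certtools itself raises for a bad signature) so the failure path is the one the commit intends. While touching these lines, `except AssertionError as e:` is the form that works on Python 2.6+ and keeps the file portable. The per-log public keys now live behind `check_signature(baseurl, ...)` in certtools, and the STH from `get_sth` is used for `tree_size` without any signature verification visible in this hunk; it is worth confirming that certtools verifies the STH, since the inclusion proof is only as meaningful as the tree head it is checked against.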
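Review bot: The chain-comparison branches added in the last hunk only print their verdict — a per-cert mismatch, a differing issuer/subject pair, and even the `else` branch that prints "ERROR:" all fall through to exit status 0, whereas the signature failure earlier in this file does `sys.exit(1)`. A caller scripting this tool therefore cannot tell a failed comparison from a passed one without parsing stdout. Make the outcome part of the exit status: add `sys.exit(1)` after the final print of the `else` branch, add `if last_issuer != root_subject: sys.exit(1)` after the issuer/subject print, and have the loop remember any False `submittedcert == fetchedcert` result and exit non-zero after the length check runs. Note that `zip` stops at the shorter chain, so an extra or missing cert is only caught by the length comparison that follows, which is fine once that branch also fails the run; the enclosing `if lookup_in_log:` block starts outside the hunk.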