From b9c709204da83be2f315664f9f263c6890b1bc8d Mon Sep 17 00:00:00 2001 From: Magnus Ahltorp Date: Mon, 27 Oct 2014 16:13:41 +0100 Subject: fetchallcerts.py: calculate root hash --- tools/certtools.py | 24 +++++++++++++++++++++++ tools/fetchallcerts.py | 52 +++++++++++++++++++++++++++++++++++--------------- 2 files changed, 61 insertions(+), 15 deletions(-) diff --git a/tools/certtools.py b/tools/certtools.py index 16c2105..b132caa 100644 --- a/tools/certtools.py +++ b/tools/certtools.py @@ -226,3 +226,27 @@ def timing_point(timer_dict=None, name=None): else: timer_dict = {"deltatimes":[], "lasttime":t} return timer_dict + +def internal_hash(pair): + if len(pair) == 1: + return pair[0] + else: + hash = hashlib.sha256() + hash.update(struct.pack(">b", 1)) + hash.update(pair[0]) + hash.update(pair[1]) + return hash.digest() + +def chunks(l, n): + return [l[i:i+n] for i in range(0, len(l), n)] + +def next_merkle_layer(layer): + return [internal_hash(pair) for pair in chunks(layer, 2)] + +def build_merkle_tree(layer0): + layers = [] + current_layer = layer0 + while len(current_layer) > 1: + current_layer = next_merkle_layer(current_layer) + layers.append(current_layer) + return layers diff --git a/tools/fetchallcerts.py b/tools/fetchallcerts.py index 801e296..dad5241 100644 --- a/tools/fetchallcerts.py +++ b/tools/fetchallcerts.py @@ -4,6 +4,7 @@ # Copyright (c) 2014, NORDUnet A/S. # See LICENSE for licensing information. +import argparse import urllib2 import urllib import json @@ -14,6 +15,11 @@ import hashlib import itertools from certtools import * +parser = argparse.ArgumentParser(description='') +parser.add_argument('baseurl', help="Base URL for CT server") +parser.add_argument('--store', default=None, metavar="dir", help='Store certificates in directory dir') +args = parser.parse_args() + def extract_original_entry(entry): leaf_input = base64.decodestring(entry["leaf_input"]) (leaf_cert, timestamp) = unpack_mtl(leaf_input) @@ -23,7 +29,7 @@ def extract_original_entry(entry): def get_entries_wrapper(baseurl, start, end): fetched_entries = [] - while len(fetched_entries) < (end - start + 1): + while start + len(fetched_entries) < (end + 1): print "fetching from", start + len(fetched_entries) entries = get_entries(baseurl, start + len(fetched_entries), end)["entries"] if len(entries) == 0: @@ -31,23 +37,39 @@ def get_entries_wrapper(baseurl, start, end): fetched_entries.extend(entries) return fetched_entries -baseurl = sys.argv[1] -destination_directory = sys.argv[2] +def print_layer(layer): + for entry in layer: + print base64.b16encode(entry) -sth = get_sth(baseurl) +sth = get_sth(args.baseurl) tree_size = sth["tree_size"] +root_hash = base64.decodestring(sth["sha256_root_hash"]) + +print "tree size", tree_size +print "root hash", base64.b16encode(root_hash) + +entries = get_entries_wrapper(args.baseurl, 0, tree_size - 1) + +print "fetched", len(entries), "entries" + +layer0 = [get_leaf_hash(base64.decodestring(entry["leaf_input"])) for entry in entries] + +tree = build_merkle_tree(layer0) -print tree_size +calculated_root_hash = tree[-1][0] -entries = get_entries_wrapper(baseurl, 0, tree_size) +print "calculated root hash", base64.b16encode(calculated_root_hash) -print len(entries) +if calculated_root_hash != root_hash: + print "fetched root hash and calculated root hash different, aborting" + sys.exit(1) -for entry, i in zip(entries, range(0, len(entries))): - chain = extract_original_entry(entry) - f = open(destination_directory + "/" + ("%06d" % i), "w") - for cert in chain: - print >> f, "-----BEGIN CERTIFICATE-----" - print >> f, base64.encodestring(cert).rstrip() - print >> f, "-----END CERTIFICATE-----" - print >> f, "" +if args.store: + for entry, i in zip(entries, range(0, len(entries))): + chain = extract_original_entry(entry) + f = open(args.store + "/" + ("%06d" % i), "w") + for cert in chain: + print >> f, "-----BEGIN CERTIFICATE-----" + print >> f, base64.encodestring(cert).rstrip() + print >> f, "-----END CERTIFICATE-----" + print >> f, "" -- cgit v1.1