From ff18e0fdd57a6b485f427173fe7febee03345037 Mon Sep 17 00:00:00 2001 From: Magnus Ahltorp Date: Tue, 3 Mar 2015 15:33:39 +0100 Subject: merge.py: use external signing --- tools/certtools.py | 20 ++++++++++++++------ tools/merge.py | 5 ++--- tools/testcase1.py | 2 +- 3 files changed, 17 insertions(+), 10 deletions(-) (limited to 'tools') diff --git a/tools/certtools.py b/tools/certtools.py index ad90e5c..222497f 100644 --- a/tools/certtools.py +++ b/tools/certtools.py @@ -200,10 +200,18 @@ def http_request(url, data=None, key=None): result = urllib2.urlopen(req).read() return result -def create_signature(privatekey, data): - sk = ecdsa.SigningKey.from_der(privatekey) - unpacked_signature = sk.sign(data, hashfunc=hashlib.sha256, - sigencode=ecdsa.util.sigencode_der) +def get_signature(baseurl, data, key=None): + try: + params = json.dumps({"plop_version":1, "data": base64.b64encode(data)}) + result = http_request(baseurl + "ct/signing/sth", params, key=key) + parsed_result = json.loads(result) + return base64.b64decode(parsed_result.get(u"result")) + except urllib2.HTTPError, e: + print "ERROR: get_signature", e.read() + sys.exit(1) + +def create_signature(baseurl, data, key=None): + unpacked_signature = get_signature(baseurl, data, key) return encode_signature(4, 3, unpacked_signature) def check_sth_signature(baseurl, sth): @@ -218,14 +226,14 @@ def check_sth_signature(baseurl, sth): check_signature(baseurl, signature, tree_head) -def create_sth_signature(tree_size, timestamp, root_hash, privatekey): +def create_sth_signature(tree_size, timestamp, root_hash, baseurl, key=None): version = struct.pack(">b", 0) signature_type = struct.pack(">b", 1) timestamp_packed = struct.pack(">Q", timestamp) tree_size_packed = struct.pack(">Q", tree_size) tree_head = version + signature_type + timestamp_packed + tree_size_packed + root_hash - return create_signature(privatekey, tree_head) + return create_signature(baseurl, tree_head, key=key) def check_sct_signature(baseurl, leafcert, sct): publickey = base64.decodestring(publickeys[baseurl]) diff --git a/tools/merge.py b/tools/merge.py index c9f99af..0996ec9 100755 --- a/tools/merge.py +++ b/tools/merge.py @@ -21,7 +21,7 @@ parser.add_argument("--baseurl", metavar="url", help="Base URL for CT server", r parser.add_argument("--frontend", action="append", metavar="url", help="Base URL for frontend server", required=True) parser.add_argument("--storage", action="append", metavar="url", help="Base URL for storage server", required=True) parser.add_argument("--mergedb", metavar="dir", help="Merge database directory", required=True) -parser.add_argument("--keyfile", metavar="keyfile", help="File containing log key", required=True) +parser.add_argument("--signing", metavar="url", help="Base URL for signing server", required=True) parser.add_argument("--own-keyname", metavar="keyname", help="The key name of the merge node", required=True) parser.add_argument("--own-keyfile", metavar="keyfile", help="The file containing the private key of the merge node", required=True) parser.add_argument("--nomerge", action='store_true', help="Don't actually do merge") @@ -215,10 +215,9 @@ tree = build_merkle_tree(logorder) tree_size = len(logorder) root_hash = tree[-1][0] timestamp = int(time.time() * 1000) -privatekey = get_eckey_from_file(args.keyfile) tree_head_signature = create_sth_signature(tree_size, timestamp, - root_hash, privatekey) + root_hash, args.signing, key=own_key) sth = {"tree_size": tree_size, "timestamp": timestamp, "sha256_root_hash": base64.b64encode(root_hash), diff --git a/tools/testcase1.py b/tools/testcase1.py index c87e8eb..0c0f728 100755 --- a/tools/testcase1.py +++ b/tools/testcase1.py @@ -136,7 +136,7 @@ def get_and_check_entry(timestamp, chain, leaf_index): len(submittedcertchain)) def merge(): - return subprocess.call(["./merge.py", "--baseurl", "https://127.0.0.1:8080/", "--frontend", "https://127.0.0.1:8082/", "--storage", "https://127.0.0.1:8081/", "--mergedb", "../rel/mergedb", "--keyfile", "../rel/test/eckey.pem", "--own-keyname", "merge-1", "--own-keyfile", "../rel/privatekeys/merge-1-private.pem"]) + return subprocess.call(["./merge.py", "--baseurl", "https://127.0.0.1:8080/", "--frontend", "https://127.0.0.1:8082/", "--storage", "https://127.0.0.1:8081/", "--mergedb", "../rel/mergedb", "--signing", "https://127.0.0.1:8088/", "--own-keyname", "merge-1", "--own-keyfile", "../rel/privatekeys/merge-1-private.pem"]) print_and_check_tree_size(0) -- cgit v1.1