summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMagnus Ahltorp <map@kth.se>2014-10-27 16:13:41 +0100
committerMagnus Ahltorp <map@kth.se>2014-10-27 16:13:41 +0100
commitb9c709204da83be2f315664f9f263c6890b1bc8d (patch)
treec55d6f14a5eceb7aa038f3d558ddfa6d74c2461d
parent44f48b0f96aba0009bd43036eea443f07cec71b9 (diff)
fetchallcerts.py: calculate root hash
-rw-r--r--tools/certtools.py24
-rw-r--r--tools/fetchallcerts.py52
2 files changed, 61 insertions, 15 deletions
diff --git a/tools/certtools.py b/tools/certtools.py
index 16c2105..b132caa 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -226,3 +226,27 @@ def timing_point(timer_dict=None, name=None):
else:
timer_dict = {"deltatimes":[], "lasttime":t}
return timer_dict
+
+def internal_hash(pair):
+ if len(pair) == 1:
+ return pair[0]
+ else:
+ hash = hashlib.sha256()
+ hash.update(struct.pack(">b", 1))
+ hash.update(pair[0])
+ hash.update(pair[1])
+ return hash.digest()
+
+def chunks(l, n):
+ return [l[i:i+n] for i in range(0, len(l), n)]
+
+def next_merkle_layer(layer):
+ return [internal_hash(pair) for pair in chunks(layer, 2)]
+
+def build_merkle_tree(layer0):
+ layers = []
+ current_layer = layer0
+ while len(current_layer) > 1:
+ current_layer = next_merkle_layer(current_layer)
+ layers.append(current_layer)
+ return layers
diff --git a/tools/fetchallcerts.py b/tools/fetchallcerts.py
index 801e296..dad5241 100644
--- a/tools/fetchallcerts.py
+++ b/tools/fetchallcerts.py
@@ -4,6 +4,7 @@
# Copyright (c) 2014, NORDUnet A/S.
# See LICENSE for licensing information.
+import argparse
import urllib2
import urllib
import json
@@ -14,6 +15,11 @@ import hashlib
import itertools
from certtools import *
+parser = argparse.ArgumentParser(description='')
+parser.add_argument('baseurl', help="Base URL for CT server")
+parser.add_argument('--store', default=None, metavar="dir", help='Store certificates in directory dir')
+args = parser.parse_args()
+
def extract_original_entry(entry):
leaf_input = base64.decodestring(entry["leaf_input"])
(leaf_cert, timestamp) = unpack_mtl(leaf_input)
@@ -23,7 +29,7 @@ def extract_original_entry(entry):
def get_entries_wrapper(baseurl, start, end):
fetched_entries = []
- while len(fetched_entries) < (end - start + 1):
+ while start + len(fetched_entries) < (end + 1):
print "fetching from", start + len(fetched_entries)
entries = get_entries(baseurl, start + len(fetched_entries), end)["entries"]
if len(entries) == 0:
@@ -31,23 +37,39 @@ def get_entries_wrapper(baseurl, start, end):
fetched_entries.extend(entries)
return fetched_entries
-baseurl = sys.argv[1]
-destination_directory = sys.argv[2]
+def print_layer(layer):
+ for entry in layer:
+ print base64.b16encode(entry)
-sth = get_sth(baseurl)
+sth = get_sth(args.baseurl)
tree_size = sth["tree_size"]
+root_hash = base64.decodestring(sth["sha256_root_hash"])
+
+print "tree size", tree_size
+print "root hash", base64.b16encode(root_hash)
+
+entries = get_entries_wrapper(args.baseurl, 0, tree_size - 1)
+
+print "fetched", len(entries), "entries"
+
+layer0 = [get_leaf_hash(base64.decodestring(entry["leaf_input"])) for entry in entries]
+
+tree = build_merkle_tree(layer0)
-print tree_size
+calculated_root_hash = tree[-1][0]
-entries = get_entries_wrapper(baseurl, 0, tree_size)
+print "calculated root hash", base64.b16encode(calculated_root_hash)
-print len(entries)
+if calculated_root_hash != root_hash:
+ print "fetched root hash and calculated root hash different, aborting"
+ sys.exit(1)
-for entry, i in zip(entries, range(0, len(entries))):
- chain = extract_original_entry(entry)
- f = open(destination_directory + "/" + ("%06d" % i), "w")
- for cert in chain:
- print >> f, "-----BEGIN CERTIFICATE-----"
- print >> f, base64.encodestring(cert).rstrip()
- print >> f, "-----END CERTIFICATE-----"
- print >> f, ""
+if args.store:
+ for entry, i in zip(entries, range(0, len(entries))):
+ chain = extract_original_entry(entry)
+ f = open(args.store + "/" + ("%06d" % i), "w")
+ for cert in chain:
+ print >> f, "-----BEGIN CERTIFICATE-----"
+ print >> f, base64.encodestring(cert).rstrip()
+ print >> f, "-----END CERTIFICATE-----"
+ print >> f, ""