author | Magnus Ahltorp <map@kth.se> | 2015-04-06 03:14:58 +0200 |
---|---|---|
committer | Magnus Ahltorp <map@kth.se> | 2015-04-06 03:14:58 +0200 |
commit | 3d7c2403f16d85222c52ca092f6732671d8af768 (patch) | |
tree | 8cb3d88e1c128c7ab5f9b0c043803ab7540714cf | |
parent | f8a36b4a27a976d56448a884b36b4ac2534f09f6 (diff) |
Verify that database entry actually contains the certificate
-rw-r--r-- | src/catlfish.erl | 9 | ||||
-rwxr-xr-x | tools/merge.py | 27 | ||||
-rwxr-xr-x | verifycert.erl | 15 |
3 files changed, 47 insertions, 4 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl
index ed75495..d98e741 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -5,7 +5,7 @@
 -export([add_chain/3, entries/2, entry_and_proof/2]).
 -export([known_roots/0, update_known_roots/0]).
 -export([init_cache_table/0]).
--export([entryhash_from_entry/1]).
+-export([entryhash_from_entry/1, chain_from_entry/1]).
 -include_lib("eunit/include/eunit.hrl").
 -define(PROTOCOL_VERSION, 0).
@@ -252,7 +252,7 @@ deserialise_extra_data(ExtraData) ->
 [E | deserialise_extra_data(Rest)]
 end.
-entryhash_from_entry(Entry) ->
+chain_from_entry(Entry) ->
 {MTLText, ExtraDataPacked} = unpack_entry(Entry),
 {ExtraData, <<>>} = decode_tls_vector(ExtraDataPacked, 3),
 MTL = deserialise_mtl(MTLText),
@@ -266,7 +266,10 @@ entryhash_from_entry(Entry) ->
 precert_entry ->
 Chain
 end,
- crypto:hash(sha256, Data).
+ Data.
+
+entryhash_from_entry(Entry) ->
+ crypto:hash(sha256, chain_from_entry(Entry)).
 %% Private functions.
 -spec unpack_entry(binary()) -> {binary(), binary()}.
diff --git a/tools/merge.py b/tools/merge.py
index 5ceb245..a016b35 100755
--- a/tools/merge.py
+++ b/tools/merge.py
@@ -17,9 +17,10 @@ import urlparse
 import os
 import yaml
 import select
+import struct
 from certtools import build_merkle_tree, create_sth_signature, \
 check_sth_signature, get_eckey_from_file, timing_point, http_request, \
- get_public_key_from_file
+ get_public_key_from_file, get_leaf_hash, decode_certificate_chain
 parser = argparse.ArgumentParser(description="")
 parser.add_argument('--config', help="System configuration", required=True) 
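Review bot: In src/catlfish.erl the newly exported `chain_from_entry/1` has no `-spec` or comment, even though it is now called from outside the module (verifycert.erl passes its result to chain validation). The last hunk shows only the tail of the function (`precert_entry -> Chain end, Data.`); the body starts in the previous hunk and the other case branch is outside both, so the return shape cannot be confirmed from here. I would add a spec, something like `-spec chain_from_entry(binary()) -> [binary()].` once checked against the hidden branch. A one-line comment should also state that a malformed entry crashes on the `{ExtraData, <<>>}` match rather than returning an error tuple.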
@@ -207,6 +208,29 @@ for storagenode in storagenodes:
 new_entries.update(new_entries_per_node[storagenode["name"]])
 entries_to_fetch[storagenode["name"]] = []
+def unpack_entry(entry):
+ pieces = []
+ while len(entry):
+ (length,) = struct.unpack(">I", entry[0:4])
+ data = entry[4:4+length]
+ entry = entry[4+length:]
+ pieces.append(data)
+ return pieces
+
+import subprocess
+
+def verify_entry(entry, hash):
+ unpacked = unpack_entry(entry)
+ mtl = unpacked[0]
+ assert hash == get_leaf_hash(mtl)
+ p = subprocess.Popen(
+ ["../verifycert.erl"],
+ stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+ (verify_result, _) = p.communicate(entry)
+ if verify_result != "ok\n":
+ print >>sys.stderr, verify_result
+ sys.exit(1)
+
 timing_point(timing, "get new entries")
 new_entries -= certsinlog
@@ -230,6 +254,7 @@ for storagenode in storagenodes:
 entries = get_entries(storagenode["name"], "https://%s/" % storagenode["address"], chunk)
 for hash in chunk:
 entry = entries[hash]
+ verify_entry(entry, hash)
 write_chain(hash, entry)
 add_to_logorder(hash)
 logorder.append(hash)
diff --git a/verifycert.erl b/verifycert.erl
new file mode 100755
index 0000000..2fafca9
--- /dev/null
+++ b/verifycert.erl
@@ -0,0 +1,15 @@
+#!/usr/bin/env escript
+%% -*- erlang -*-
+%%! -pa ebin -pa lib/catlfish-0.2.0-dev.ez/catlfish-0.2.0-dev/ebin -pa lib/lager-2.0.3.ez/lager-2.0.3/ebin
+
+main(_) ->
+ {ok, DBEntry} = file:read(standard_io, 100000),
+ %io:format("~p~n", [DBEntry]),
+ Certs = x509:read_pemfiles_from_dir("tests/known_roots/"),
+ Chain = catlfish:chain_from_entry(list_to_binary(DBEntry)),
+ case x509:normalise_chain(Certs, Chain) of
+ {ok, _} ->
+ io:format("ok~n", []);
+ {error, Reason} ->
+ io:format("error: ~p~n", [Reason])
+ end. |
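Review bot: In tools/merge.py, `assert hash == get_leaf_hash(mtl)` in verify_entry is the only check that a fetched entry belongs to the hash it was requested under, and assert statements are skipped when Python runs with -O; it should be an explicit comparison that exits. In unpack_entry a short length prefix surfaces only as a bare struct.error, a piece shorter than its declared length is accepted silently, and `unpacked[0]` raises IndexError on an empty entry. The helper is started as `../verifycert.erl`, so which script runs depends on the working directory, and its exit status is never inspected. The lines below keep the fail-closed behaviour and make each failure explicit.

```python
def unpack_entry(entry):
    pieces = []
    while len(entry):
        if len(entry) < 4:
            raise ValueError("truncated length prefix in entry")
        (length,) = struct.unpack(">I", entry[0:4])
        if len(entry) < 4 + length:
            raise ValueError("piece shorter than its declared length")
        # … unchanged: slice data, advance entry, append to pieces …
    return pieces

def verify_entry(entry, hash):
    unpacked = unpack_entry(entry)
    if not unpacked or hash != get_leaf_hash(unpacked[0]):
        print >>sys.stderr, "entry does not match requested leaf hash"
        sys.exit(1)
    # … unchanged: Popen call and p.communicate(entry) …
    if p.returncode != 0 or verify_result != "ok\n":
        # … unchanged: print verify_result to stderr and exit …
```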
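Review bot: In verifycert.erl the trust anchors are loaded from the hard-coded relative path `tests/known_roots/`, and the code paths in the `%%!` line are relative too. The roots that entries are validated against therefore depend on the directory merge.py runs in, and the path name suggests a test fixture rather than the log's configured roots. Taking the directory as an argument, `main([RootsDir]) ->`, would tie it to configuration. `file:read(standard_io, 100000)` requests at most 100000 bytes in one call, so a larger entry would be cut short before `chain_from_entry` sees it, and empty input fails the `{ok, DBEntry}` match with no message for the operator. On `{error, Reason}` the script still exits with status 0; adding `halt(1)` after `io:format("error: ~p~n", [Reason])` would let callers rely on the exit code as well as on stdout.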