Merge branch 'genauthkeys'

author: Magnus Ahltorp <map@kth.se> 2015-03-31 19:18:30 +0200
committer: Magnus Ahltorp <map@kth.se> 2015-03-31 19:18:30 +0200
commit: ab924f51f254d1bdd6f752f8c19c4cbcc55cf0e4 (patch)
tree: 91261dcf3047c735207d706862bd9136f003230a /tools/submitcert.py
parent: a706e79fa722f681320fe1b05824352b6b9a63fc (diff)
parent: 13c3789add4f1630c4bc8dfccb229ebc7d4bfa38 (diff)
1 files changed, 39 insertions, 10 deletions
diff --git a/tools/submitcert.py b/tools/submitcert.py
index 9f0be67..ba4b337 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
@@ -13,6 +13,11 @@ import struct
 import hashlib
 import itertools
 from certtools import *
+from certtools import *
+try:
+    from precerttools import *
+except ImportError:
+    pass
 import os
 import signal
 import select
@@ -25,6 +30,7 @@ parser.add_argument('--sct-file', default=None, metavar="file", help='Store SCT:
 parser.add_argument('--parallel', type=int, default=16, metavar="n", help="Number of parallel submits")
 parser.add_argument('--check-sct', action='store_true', help="Check SCT signature")
 parser.add_argument('--pre-warm', action='store_true', help="Wait 3 seconds after first submit")
+parser.add_argument('--publickey', default=None, metavar="file", help='Public key for the CT log')
 args = parser.parse_args()
 
 from multiprocessing import Pool
@@ -32,6 +38,8 @@ from multiprocessing import Pool
 baseurl = args.baseurl
 certfilepath = args.store
 
+logpublickey = get_public_key_from_file(args.publickey) if args.publickey else None
+
 lookup_in_log = False
 
 if certfilepath[-1] == "/":
@@ -44,10 +52,28 @@ sth = get_sth(baseurl)
 def submitcert((certfile, cert)):
     timing = timing_point()
     certchain = get_certs_from_string(cert)
+    precerts = get_precerts_from_string(cert)
+    assert len(precerts) == 0 or len(precerts) == 1
+    precert = precerts[0] if precerts else None
     timing_point(timing, "readcerts")
 
     try:
-        result = add_chain(baseurl, {"chain":map(base64.b64encode, certchain)})
+        if precert:
+            if ext_key_usage_precert_signing_cert in get_ext_key_usage(certchain[0]):
+                issuer_key_hash = get_cert_key_hash(certchain[1])
+                issuer = certchain[1]
+            else:
+                issuer_key_hash = get_cert_key_hash(certchain[0])
+                issuer = None
+            cleanedcert = cleanprecert(precert, issuer=issuer)
+            signed_entry = pack_precert(cleanedcert, issuer_key_hash)
+            leafcert = cleanedcert
+            result = add_prechain(baseurl, {"chain":map(base64.b64encode, [precert] + certchain)})
+        else:
+            signed_entry = pack_cert(certchain[0])
+            leafcert = certchain[0]
+            issuer_key_hash = None
+            result = add_chain(baseurl, {"chain":map(base64.b64encode, certchain)})
     except SystemExit:
         print "EXIT:", certfile
         select.select([], [], [], 1.0)
@@ -61,7 +87,7 @@ def submitcert((certfile, cert)):
 
     try:
         if args.check_sct:
-            check_sct_signature(baseurl, certchain[0], result)
+            check_sct_signature(baseurl, signed_entry, result, precert=precert, publickey=logpublickey)
             timing_point(timing, "checksig")
     except AssertionError, e:
         print "ERROR:", certfile, e
@@ -75,7 +101,7 @@ def submitcert((certfile, cert)):
 
     if lookup_in_log:
 
-        merkle_tree_leaf = pack_mtl(result["timestamp"], certchain[0])
+        merkle_tree_leaf = pack_mtl(result["timestamp"], leafcert)
 
         leaf_hash = get_leaf_hash(merkle_tree_leaf)
 
@@ -113,7 +139,7 @@ def submitcert((certfile, cert)):
             print "and submitted chain has length", len(submittedcertchain)
 
     timing_point(timing, "lookup")
-    return ((certchain[0], result), timing["deltatimes"])
+    return ((leafcert, issuer_key_hash, result), timing["deltatimes"])
 
 def get_ncerts(certfiles):
     n = 0
@@ -136,9 +162,12 @@ def get_all_certificates(certfiles):
         else:
             yield (certfile, open(certfile).read())
 
-def save_sct(sct, sth):
+def save_sct(sct, sth, leafcert, issuer_key_hash):
     sctlog = open(args.sct_file, "a")
-    json.dump({"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}, sctlog)
+    sctentry = {"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}
+    if issuer_key_hash:
+        sctentry["issuer_key_hash"] = base64.b64encode(issuer_key_hash)
+    json.dump(sctentry, sctlog)
     sctlog.write("\n")
     sctlog.close()
 
@@ -157,8 +186,8 @@ certs = get_all_certificates(certfiles)
 (result, timing) = submitcert(certs.next())
 if result != None:
     nsubmitted += 1
-    (leafcert, sct) = result
-    save_sct(sct, sth)
+    (leafcert, issuer_key_hash, sct) = result
+    save_sct(sct, sth, leafcert, issuer_key_hash)
 
 if args.pre_warm:
     select.select([], [], [], 3.0)
@@ -175,8 +204,8 @@ try:
             sys.exit(1)
         if result != None:
             nsubmitted += 1
-            (leafcert, sct) = result
-            save_sct(sct, sth)
+            (leafcert, issuer_key_hash, sct) = result
+            save_sct(sct, sth, leafcert, issuer_key_hash)
         deltatime = datetime.datetime.now() - starttime
         deltatime_f = deltatime.seconds + deltatime.microseconds / 1000000.0
         rate = nsubmitted / deltatime_f
author	Magnus Ahltorp <map@kth.se>	2015-03-31 19:18:30 +0200
committer	Magnus Ahltorp <map@kth.se>	2015-03-31 19:18:30 +0200
commit	ab924f51f254d1bdd6f752f8c19c4cbcc55cf0e4 (patch)
tree	91261dcf3047c735207d706862bd9136f003230a /tools/submitcert.py
parent	a706e79fa722f681320fe1b05824352b6b9a63fc (diff)
parent	13c3789add4f1630c4bc8dfccb229ebc7d4bfa38 (diff)