summaryrefslogtreecommitdiff
path: root/tools/submitcert.py
diff options
context:
space:
mode:
authorMagnus Ahltorp <map@kth.se>2015-03-18 14:27:18 +0100
committerMagnus Ahltorp <map@kth.se>2015-03-18 14:27:18 +0100
commite7c8c50684344ebef54d92efbf4be08b35a06f05 (patch)
tree5589a74e75a98191f242e06031b5396ab7b539c6 /tools/submitcert.py
parentd68d59cfabddaa31ec0b92a8afe451d088cdcbd0 (diff)
Added precert handling for SCT calculation
Diffstat (limited to 'tools/submitcert.py')
-rwxr-xr-xtools/submitcert.py38
1 files changed, 29 insertions, 9 deletions
diff --git a/tools/submitcert.py b/tools/submitcert.py
index 1c79544..2e8cc33 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
@@ -13,6 +13,11 @@ import struct
import hashlib
import itertools
from certtools import *
+from certtools import *
+try:
+ from precerttools import *
+except ImportError:
+ pass
import os
import signal
import select
@@ -51,8 +56,20 @@ def submitcert((certfile, cert)):
try:
if precert:
+ if ext_key_usage_precert_signing_cert in get_ext_key_usage(certchain[0]):
+ issuer_key_hash = get_cert_key_hash(certchain[1])
+ issuer = certchain[1]
+ else:
+ issuer_key_hash = get_cert_key_hash(certchain[0])
+ issuer = None
+ cleanedcert = cleanprecert(precert, issuer=issuer)
+ signed_entry = pack_precert(cleanedcert, issuer_key_hash)
+ leafcert = cleanedcert
result = add_prechain(baseurl, {"chain":map(base64.b64encode, [precert] + certchain)})
else:
+ signed_entry = pack_cert(certchain[0])
+ leafcert = certchain[0]
+ issuer_key_hash = None
result = add_chain(baseurl, {"chain":map(base64.b64encode, certchain)})
except SystemExit:
print "EXIT:", certfile
@@ -67,7 +84,7 @@ def submitcert((certfile, cert)):
try:
if args.check_sct:
- check_sct_signature(baseurl, certchain[0], result)
+ check_sct_signature(baseurl, signed_entry, result, precert=precert)
timing_point(timing, "checksig")
except AssertionError, e:
print "ERROR:", certfile, e
@@ -81,7 +98,7 @@ def submitcert((certfile, cert)):
if lookup_in_log:
- merkle_tree_leaf = pack_mtl(result["timestamp"], certchain[0])
+ merkle_tree_leaf = pack_mtl(result["timestamp"], leafcert)
leaf_hash = get_leaf_hash(merkle_tree_leaf)
@@ -119,7 +136,7 @@ def submitcert((certfile, cert)):
print "and submitted chain has length", len(submittedcertchain)
timing_point(timing, "lookup")
- return ((certchain[0], result), timing["deltatimes"])
+ return ((leafcert, issuer_key_hash, result), timing["deltatimes"])
def get_ncerts(certfiles):
n = 0
@@ -142,9 +159,12 @@ def get_all_certificates(certfiles):
else:
yield (certfile, open(certfile).read())
-def save_sct(sct, sth):
+def save_sct(sct, sth, leafcert, issuer_key_hash):
sctlog = open(args.sct_file, "a")
- json.dump({"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}, sctlog)
+ sctentry = {"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}
+ if issuer_key_hash:
+ sctentry["issuer_key_hash"] = base64.b64encode(issuer_key_hash)
+ json.dump(sctentry, sctlog)
sctlog.write("\n")
sctlog.close()
@@ -163,8 +183,8 @@ certs = get_all_certificates(certfiles)
(result, timing) = submitcert(certs.next())
if result != None:
nsubmitted += 1
- (leafcert, sct) = result
- save_sct(sct, sth)
+ (leafcert, issuer_key_hash, sct) = result
+ save_sct(sct, sth, leafcert, issuer_key_hash)
if args.pre_warm:
select.select([], [], [], 3.0)
@@ -181,8 +201,8 @@ try:
sys.exit(1)
if result != None:
nsubmitted += 1
- (leafcert, sct) = result
- save_sct(sct, sth)
+ (leafcert, issuer_key_hash, sct) = result
+ save_sct(sct, sth, leafcert, issuer_key_hash)
deltatime = datetime.datetime.now() - starttime
deltatime_f = deltatime.seconds + deltatime.microseconds / 1000000.0
rate = nsubmitted / deltatime_f