summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/catlfish.erl23
-rwxr-xr-xtools/merge.py2
-rw-r--r--tools/mergetools.py43
-rwxr-xr-xverifycert.erl2
4 files changed, 44 insertions, 26 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl
index d940147..68e96ea 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -293,27 +293,26 @@ entryhash_from_entry(PackedEntry) ->
%% Private functions.
-spec pack_entry(normal|precert, binary(), binary(), [binary()]) -> binary().
pack_entry(Type, MTLText, EndEntityCert, CertChain) ->
- list_to_binary(
- [tlv:encode(<<"MTL1">>, MTLText),
- tlv:encode(case Type of
- normal -> <<"EEC1">>;
- precert -> <<"PRC1">>
- end, EndEntityCert),
- tlv:encode(<<"CHN1">>,
- list_to_binary(
- [tlv:encode(<<"X509">>, E) || E <- CertChain]))]).
+ [{<<"MTL1">>, MTLText},
+ {case Type of
+ normal -> <<"EEC1">>;
+ precert -> <<"PRC1">>
+ end, EndEntityCert},
+ {<<"CHN1">>,
+ list_to_binary(
+ [tlv:encode(<<"X509">>, E) || E <- CertChain])}].
-spec unpack_entry(binary()) -> {normal|precert, binary(), binary(), [binary()]}.
unpack_entry(Entry) ->
- {<<"MTL1">>, MTLText, Rest1} = tlv:decode(Entry),
- {EECType, EndEntityCert, Rest2} = tlv:decode(Rest1),
+ [{<<"MTL1">>, MTLText}|Rest1] = Entry,
+ [{EECType, EndEntityCert}|Rest2] = Rest1,
Type = case EECType of
<<"EEC1">> ->
normal;
<<"PRC1">> ->
precert
end,
- {<<"CHN1">>, PackedChain, _Rest3} = tlv:decode(Rest2), % Ignore rest.
+ [{<<"CHN1">>, PackedChain}|_Rest3] = Rest2,
Chain = unpack_certchain(PackedChain),
{Type, MTLText, EndEntityCert, Chain}.
diff --git a/tools/merge.py b/tools/merge.py
index 7453fa4..f02ce39 100755
--- a/tools/merge.py
+++ b/tools/merge.py
@@ -22,7 +22,7 @@ from certtools import build_merkle_tree, create_sth_signature, \
check_sth_signature, get_eckey_from_file, timing_point, http_request, \
get_public_key_from_file, get_leaf_hash, decode_certificate_chain, \
create_ssl_context
-from mergetools import parselogrow, get_logorder, read_chain, unpack_entry, \
+from mergetools import parselogrow, get_logorder, read_chain, \
verify_entry
parser = argparse.ArgumentParser(description="")
diff --git a/tools/mergetools.py b/tools/mergetools.py
index 9f5feee..c3e9688 100644
--- a/tools/mergetools.py
+++ b/tools/mergetools.py
@@ -1,6 +1,7 @@
# Copyright (c) 2015, NORDUnet A/S.
# See LICENSE for licensing information.
import base64
+import hashlib
import sys
import struct
from certtools import get_leaf_hash
@@ -27,21 +28,39 @@ def read_chain(chainsdir, key):
f.close()
return value
-def unpack_entry(entry):
- pieces = []
- while len(entry):
- (length,) = struct.unpack(">I", entry[0:4])
- type = entry[4:8]
- data = entry[8:length]
- entry = entry[length:]
- pieces.append(data)
- return pieces
+def tlv_decode(data):
+ (length,) = struct.unpack(">I", data[0:4])
+ type = data[4:8]
+ value = data[8:length]
+ rest = data[length:]
+ return (type, value, rest)
+
+def tlv_decodelist(data):
+ l = []
+ while len(data):
+ (type, value, rest) = tlv_decode(data)
+ l.append((type, value))
+ data = rest
+ return l
+
+def unwrap_entry(entry):
+ ploplevel = tlv_decodelist(entry)
+ assert(len(ploplevel) == 2)
+ (ploptype, plopdata) = ploplevel[0]
+ (plopchecksumtype, plopchecksum) = ploplevel[1]
+ assert(ploptype == "PLOP")
+ assert(plopchecksumtype == "S256")
+ computedchecksum = hashlib.sha256(plopdata).digest()
+ assert(computedchecksum == plopchecksum)
+ return plopdata
def verify_entry(verifycert, entry, hash):
- unpacked = unpack_entry(entry)
- mtl = unpacked[0]
+ packed = unwrap_entry(entry)
+ unpacked = tlv_decodelist(packed)
+ (mtltype, mtl) = unpacked[0]
assert hash == get_leaf_hash(mtl)
- s = struct.pack(">I", len(entry)) + entry
+ assert mtltype == "MTL1"
+ s = struct.pack(">I", len(packed)) + packed
try:
verifycert.stdin.write(s)
except IOError, e:
diff --git a/verifycert.erl b/verifycert.erl
index 5ff77c3..0db0051 100755
--- a/verifycert.erl
+++ b/verifycert.erl
@@ -8,7 +8,7 @@ write_reply(Bin) ->
verify(RootCerts, DBEntry) ->
try
- case catlfish:verify_entry(DBEntry, RootCerts) of
+ case catlfish:verify_entry(tlv:decodelist(DBEntry), RootCerts) of
{ok, _MTLHash} ->
write_reply(<<0:8>>);
{error, Reason} ->