diff options
Diffstat (limited to 'tools/certtools.py')
-rw-r--r-- | tools/certtools.py | 49 |
1 files changed, 36 insertions, 13 deletions
diff --git a/tools/certtools.py b/tools/certtools.py index fe345cd..a62d58f 100644 --- a/tools/certtools.py +++ b/tools/certtools.py @@ -100,11 +100,19 @@ def unpack_tls_array(packed_data, length_len): def add_chain(baseurl, submission): try: - return json.loads(urllib2.urlopen(baseurl + "ct/v1/add-chain", - json.dumps(submission)).read()) + result = urllib2.urlopen(baseurl + "ct/v1/add-chain", + json.dumps(submission)).read() + return json.loads(result) except urllib2.HTTPError, e: print "ERROR:", e.read() sys.exit(1) + except ValueError, e: + print "==== FAILED REQUEST ====" + print submission + print "======= RESPONSE =======" + print result + print "========================" + raise e def get_entries(baseurl, start, end): try: @@ -131,7 +139,31 @@ def decode_signature(signature): assert rest == "" return (hash_alg, signature_alg, unpacked_signature) -def check_signature(baseurl, leafcert, sct): +def check_signature(baseurl, signature, data): + publickey = base64.decodestring(publickeys[baseurl]) + (hash_alg, signature_alg, unpacked_signature) = decode_signature(signature) + assert hash_alg == 4, \ + "hash_alg is %d, expected 4" % (hash_alg,) # sha256 + assert signature_alg == 3, \ + "signature_alg is %d, expected 3" % (signature_alg,) # ecdsa + + vk = ecdsa.VerifyingKey.from_der(publickey) + vk.verify(unpacked_signature, data, hashfunc=hashlib.sha256, + sigdecode=ecdsa.util.sigdecode_der) + +def check_sth_signature(baseurl, sth): + signature = base64.decodestring(sth["tree_head_signature"]) + + version = struct.pack(">b", 0) + signature_type = struct.pack(">b", 1) + timestamp = struct.pack(">Q", sth["timestamp"]) + tree_size = struct.pack(">Q", sth["tree_size"]) + hash = base64.decodestring(sth["sha256_root_hash"]) + tree_head = version + signature_type + timestamp + tree_size + hash + + check_signature(baseurl, signature, tree_head) + +def check_sct_signature(baseurl, leafcert, sct): publickey = base64.decodestring(publickeys[baseurl]) calculated_logid = hashlib.sha256(publickey).digest() received_logid = base64.decodestring(sct["id"]) @@ -150,16 +182,7 @@ def check_signature(baseurl, leafcert, sct): entry_type + tls_array(leafcert, 3) + \ tls_array(base64.decodestring(sct["extensions"]), 2) - (hash_alg, signature_alg, unpacked_signature) = decode_signature(signature) - assert hash_alg == 4 # sha256 - assert signature_alg == 3 # ecdsa - - hash = hashlib.sha256() - hash.update(signed_struct) - - vk = ecdsa.VerifyingKey.from_der(publickey) - vk.verify(unpacked_signature, signed_struct, hashfunc=hashlib.sha256, - sigdecode=ecdsa.util.sigdecode_der) + check_signature(baseurl, signature, signed_struct) def pack_mtl(timestamp, leafcert): entry_type = struct.pack(">H", 0) |