From 7f4f3e0cf8e6a8ec996fd179aba92c63ef9b0236 Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp
Date: Wed, 5 Aug 2015 00:12:50 +0200
Subject: Fix precert storage bug (CATLFISH-56).

---
 Makefile         |  2 ++
 src/catlfish.erl | 28 ++++++++++++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/Makefile b/Makefile
index 4762424..f7f27a9 100644
--- a/Makefile
+++ b/Makefile
@@ -90,6 +90,8 @@ tests-run:
 	@(cd $(INSTDIR) && python ../tools/merge.py --config ../test/catlfish-test.cfg --localconfig ../test/catlfish-test-local-merge.cfg) || (echo "Merge failed" ; false)
 	@diff -r -x nursery -x verifiedsize catlfish/tests/mergedb catlfish/tests/mergedb-secondary || (echo "Merge databases not matching" ; false)
 	@(cd $(INSTDIR) && python ../tools/check-sth.py --publickey=tests/keys/logkey.pem --cafile tests/httpsca/demoCA/cacert.pem https://localhost:8080/) || (echo "Check failed" ; false)
+	@(cd $(INSTDIR) && mkdir fetchcertstore)
+	@(cd $(INSTDIR) && python ../tools/fetchallcerts.py $(BASEURL) --store fetchcertstore --publickey=tests/keys/logkey.pem --cafile tests/httpsca/demoCA/cacert.pem) || (echo "Verification failed" ; false)
 
 tests-run2:
 	@(cd $(INSTDIR) ; python ../tools/verifysct.py --sct-file=submittedcerts --parallel 1 $(BASEURL) --publickey=tests/keys/logkey.pem --cafile tests/httpsca/demoCA/cacert.pem) || echo "Verification of SCT:s failed"
diff --git a/src/catlfish.erl b/src/catlfish.erl
index e48f788..c6e16bb 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
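Review bot: The added `mkdir fetchcertstore` line is not idempotent: on a second `make tests-run` against the same install directory it exits non-zero because the directory already exists, and make aborts the target before the fetchallcerts verification ever runs. Use `@(cd $(INSTDIR) && mkdir -p fetchcertstore)` so reruns succeed, and consider whether a stale store from a previous run should be cleared first so the verification reflects only the current log. The new fetchallcerts line also has no message on the mkdir failure path, unlike the other steps in this target.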
@@ -126,17 +126,22 @@ add_to_db(Type, LeafCert, CertChain, EntryHash) ->
     MTLHash = ht:leaf_hash(MTLText),
     ExtraData =
         case Type of
-            normal -> CertChain;
-            precert -> [LeafCert | CertChain]
+            normal -> encode_tls_vector(
+                        list_to_binary(
+                          [encode_tls_vector(C, 3) || C <- CertChain]),
+                        3);
+            precert ->
+                list_to_binary(
+                  [encode_tls_vector(LeafCert, 3),
+                   encode_tls_vector(
+                     list_to_binary(
+                       [encode_tls_vector(C, 3) || C <- CertChain]), 3)])
         end,
     LogEntry = list_to_binary(
                  [encode_tls_vector(MTLText, 4),
                   encode_tls_vector(
-                    encode_tls_vector(
-                      list_to_binary(
-                        [encode_tls_vector(C, 3) || C <- ExtraData]),
-                      3),
+                    ExtraData,
                     4)]),
     ok = plop:add(LogEntry, MTLHash, EntryHash),
     {TSE, MTLHash}.
@@ -261,20 +266,23 @@ deserialise_extra_data(ExtraData) ->
 
 chain_from_mtl_extradata(MTL, ExtraData) ->
     TimestampedEntry = MTL#mtl.entry,
-    Chain = deserialise_extra_data(ExtraData),
     case TimestampedEntry#timestamped_entry.entry_type of
         x509_entry ->
+            {CHN, <<>>} = decode_tls_vector(ExtraData, 3),
+            Chain = deserialise_extra_data(CHN),
             SignedEntry = TimestampedEntry#timestamped_entry.signed_entry,
             [SignedEntry#signed_x509_entry.asn1_cert | Chain];
         precert_entry ->
-            Chain
+            {EEC, Rest} = decode_tls_vector(ExtraData, 3),
+            {CHN, <<>>} = decode_tls_vector(Rest, 3),
+            Chain = deserialise_extra_data(CHN),
+            [EEC | Chain]
     end.
 
 mtl_and_extra_from_entry(Entry) ->
     {MTLText, ExtraDataPacked} = unpack_entry(Entry),
-    {ExtraData, <<>>} = decode_tls_vector(ExtraDataPacked, 3),
     MTL = deserialise_mtl(MTLText),
-    {MTL, ExtraData}.
+    {MTL, ExtraDataPacked}.
 
 verify_mtl(MTL, LeafCert, CertChain) ->
     Timestamp = MTL#mtl.entry#timestamped_entry.timestamp,
-- 
cgit v1.1
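Review bot: The chain-vector expression `encode_tls_vector(list_to_binary([encode_tls_vector(C, 3) || C <- CertChain]), 3)` is written out twice in the new `case Type of` in add_to_db, once per branch, and the precert branch nests it four calls deep; a small helper makes the two layouts (a bare certificate chain for `normal`, leaf certificate followed by the chain for `precert`) readable at a glance and keeps the two branches from drifting apart. A short comment on the helper should state which wire layout it produces so the decoder in chain_from_mtl_extradata can be checked against it. Note also that this changes the bytes stored by plop:add/3 with no version marker in the entry, so any entries written by the previous code would presumably no longer decode at the exact-consumption matches in chain_from_mtl_extradata; whether a migration or a fresh database is required should be stated in the commit. add_to_db starts outside the hunk.
```erlang
    ExtraData =
        case Type of
            normal -> encode_chain(CertChain);
            precert ->
                list_to_binary([encode_tls_vector(LeafCert, 3),
                                encode_chain(CertChain)])
        end,
%% … unchanged: LogEntry construction and plop:add/3 …

%% Wire form of a certificate chain: a 3-byte-length vector of
%% 3-byte-length ASN.1 certificates, as expected by chain_from_mtl_extradata.
encode_chain(CertChain) ->
    encode_tls_vector(
      list_to_binary([encode_tls_vector(C, 3) || C <- CertChain]), 3).
```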
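Review bot: chain_from_mtl_extradata now carries the knowledge of the extra-data layout in both branches but nothing documents it, and the `{CHN, <<>>} = decode_tls_vector(..., 3), Chain = deserialise_extra_data(CHN)` pair is repeated verbatim in the x509_entry and precert_entry branches. Add a comment above the function such as `%% ExtraData is the raw extra_data stored with the entry: for x509_entry a` / `%% certificate chain vector, for precert_entry the end-entity certificate` / `%% followed by the chain vector; trailing bytes are rejected by matching <<>>.` and extract the repeated pair into a helper (e.g. `chain_from_vector(Bin) -> {CHN, <<>>} = decode_tls_vector(Bin, 3), deserialise_extra_data(CHN).`). The deliberate badmatch on leftover bytes is a good hardening property against malformed stored entries and is worth naming in that comment so it is not "fixed" later. mtl_and_extra_from_entry now returns the packed extra data; its callers are outside the hunk, so it is assumed they all go through chain_from_mtl_extradata.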