From 91e5b7f4b85cdbc399ccaa1bb1d813e0d829f3d5 Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp
Date: Mon, 27 Oct 2014 14:37:01 +0100
Subject: submitcert.py: submit multiple cert chains

---
 tools/certtools.py | 14 +++++++
 tools/submitcert.py | 104 ++++++++++++++++++++++++++++++++--------------------
 2 files changed, 78 insertions(+), 40 deletions(-)

diff --git a/tools/certtools.py b/tools/certtools.py
index 8d64ee4..7b901cf 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -10,6 +10,7 @@ import struct
 import sys
 import hashlib
 import ecdsa
+import datetime
 
 publickeys = {
     "https://ct.googleapis.com/pilot/":
@@ -204,3 +205,16 @@ def get_leaf_hash(merkle_tree_leaf):
     leaf_hash.update(merkle_tree_leaf)
     return leaf_hash.digest()
 
+
+def timing_point(timer_dict=None, name=None):
+    t = datetime.datetime.now()
+    if timer_dict:
+        starttime = timer_dict["lasttime"]
+        stoptime = t
+        deltatime = stoptime - starttime
+        timer_dict["deltatimes"].append((name, deltatime.seconds * 1000000 + deltatime.microseconds))
+        timer_dict["lasttime"] = t
+        return None
+    else:
+        timer_dict = {"deltatimes":[], "lasttime":t}
+        return timer_dict
diff --git a/tools/submitcert.py b/tools/submitcert.py
index 4f1609c..80a3e37 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
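Review bot: The microsecond conversion in the added `timer_dict["deltatimes"].append(...)` line ignores `deltatime.days`, so an interval of a day or more is truncated and a negative interval (the wall clock stepping backwards between two `datetime.datetime.now()` reads, which `timedelta` normalises to days=-1 plus a large positive `seconds`) is reported as a huge positive number. Folding the days in keeps the arithmetic right for every sign and size: `micros = (deltatime.days * 86400 + deltatime.seconds) * 1000000 + deltatime.microseconds` followed by `timer_dict["deltatimes"].append((name, micros))`. The `if timer_dict:` guard is a truthiness test where the intent is presence, so `if timer_dict is not None:` reads more clearly, and `stoptime = t` is an alias that can go. The function also deserves a docstring describing its two modes: called with no arguments it returns a fresh timer dict, called with a timer dict and a name it appends the elapsed microseconds since the previous call under that name and returns None.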
@@ -12,63 +12,87 @@ import struct
 import hashlib
 import itertools
 from certtools import *
+import os
+
+from multiprocessing import Pool
 
 baseurl = sys.argv[1]
-certfile = sys.argv[2]
+certfilepath = sys.argv[2]
+
+lookup_in_log = False
+check_sig = False
+
+if certfilepath[-1] == "/":
+    certfiles = [certfilepath + filename for filename in sorted(os.listdir(certfilepath))]
+else:
+    certfiles = [certfilepath]
+
+def submitcert(certfile):
+    timing = timing_point()
+    certs = get_certs_from_file(certfile)
+    timing_point(timing, "readcerts")
+
+    result = add_chain(baseurl, {"chain":map(base64.b64encode, certs)})
+
+    timing_point(timing, "addchain")
+
+    try:
+        if check_sig:
+            check_sct_signature(baseurl, certs[0], result)
+            timing_point(timing, "checksig")
+    except AssertionError, e:
+        print "ERROR:", e
+        sys.exit(1)
+    except ecdsa.keys.BadSignatureError, e:
+        print "ERROR: bad signature"
+        sys.exit(1)
 
-lookup_in_log = True
+    if lookup_in_log:
 
-certs = get_certs_from_file(certfile)
+        merkle_tree_leaf = pack_mtl(result["timestamp"], certs[0])
 
-result = add_chain(baseurl, {"chain":map(base64.b64encode, certs)})
+        leaf_hash = get_leaf_hash(merkle_tree_leaf)
 
-try:
-    check_sct_signature(baseurl, certs[0], result)
-except AssertionError, e:
-    print "ERROR:", e
-    sys.exit(1)
-except ecdsa.keys.BadSignatureError, e:
-    print "ERROR: bad signature"
-    sys.exit(1)
-print "signature check succeeded"
+        sth = get_sth(baseurl)
 
-if lookup_in_log:
+        proof = get_proof_by_hash(baseurl, leaf_hash, sth["tree_size"])
 
-    merkle_tree_leaf = pack_mtl(result["timestamp"], certs[0])
+        leaf_index = proof["leaf_index"]
 
-    leaf_hash = get_leaf_hash(merkle_tree_leaf)
+        entries = get_entries(baseurl, leaf_index, leaf_index)
 
-    sth = get_sth(baseurl)
+        fetched_entry = entries["entries"][0]
 
-    proof = get_proof_by_hash(baseurl, leaf_hash, sth["tree_size"])
+        print "does the leaf_input of the fetched entry match what we calculated:", \
+            base64.decodestring(fetched_entry["leaf_input"]) == merkle_tree_leaf
 
-    leaf_index = proof["leaf_index"]
+        extra_data = fetched_entry["extra_data"]
 
-    entries = get_entries(baseurl, leaf_index, leaf_index)
+        certchain = decode_certificate_chain(base64.decodestring(extra_data))
 
-    fetched_entry = entries["entries"][0]
+        submittedcertchain = certs[1:]
 
-    print "does the leaf_input of the fetched entry match what we calculated:", \
-        base64.decodestring(fetched_entry["leaf_input"]) == merkle_tree_leaf
+        for (submittedcert, fetchedcert, i) in zip(submittedcertchain,
+                                                 certchain, itertools.count(1)):
+            print "cert", i, "in chain is the same:", submittedcert == fetchedcert
 
-    extra_data = fetched_entry["extra_data"]
+        if len(certchain) == len(submittedcertchain) + 1:
+            last_issuer = get_cert_info(certs[-1])["issuer"]
+            root_subject = get_cert_info(certchain[-1])["subject"]
+            print "issuer of last cert in submitted chain and " \
+                "subject of last cert in fetched chain is the same:", \
+                last_issuer == root_subject
+        elif len(certchain) == len(submittedcertchain):
+            print "cert chains are the same length"
+        else:
+            print "ERROR: fetched cert chain has length", len(certchain),
+            print "and submitted chain has length", len(submittedcertchain)
 
-    certchain = decode_certificate_chain(base64.decodestring(extra_data))
+    timing_point(timing, "lookup")
+    return timing["deltatimes"]
 
-    submittedcertchain = certs[1:]
+p = Pool(1)
 
-    for (submittedcert, fetchedcert, i) in zip(submittedcertchain,
-                                             certchain, itertools.count(1)):
-        print "cert", i, "in chain is the same:", submittedcert == fetchedcert
+for timing in p.imap_unordered(submitcert, certfiles):
+    print timing
 
-    if len(certchain) == len(submittedcertchain) + 1:
-        last_issuer = get_cert_info(certs[-1])["issuer"]
-        root_subject = get_cert_info(certchain[-1])["subject"]
-        print "issuer of last cert in submitted chain and " \
-            "subject of last cert in fetched chain is the same:", \
-            last_issuer == root_subject
-    elif len(certchain) == len(submittedcertchain):
-        print "cert chains are the same length"
-    else:
-        print "ERROR: fetched cert chain has length", len(certchain),
-        print "and submitted chain has length", len(submittedcertchain)
-- 
cgit v1.1
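Review bot: The two `sys.exit(1)` calls kept inside `submitcert` now execute in a `Pool` worker, where SystemExit ends the worker process rather than the script; as far as I can tell the task's result is then never delivered, so the parent's `p.imap_unordered` loop can block instead of exiting on a bad SCT signature. Raising an exception (or returning an error marker that the loop checks) lets the pool hand the failure back to the parent, which is the process that should call `sys.exit`. Separately, `check_sig = False` turns the SCT signature check from always-on into off by default, so a log's SCT is now accepted unverified unless the constant is edited — worth a comment such as `# SCT signature verification is opt-in here; set check_sig = True to reject a bad SCT`, or better a command-line flag next to `baseurl`. The directory test `certfilepath[-1] == "/"` raises IndexError on an empty argument and misses a directory given without a trailing slash; `if os.path.isdir(certfilepath):` with `os.path.join(certfilepath, filename)` handles both.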