From 4e1bcab3f91f975a19710a4350bbee0e9af5168e Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp <map@kth.se>
Date: Tue, 3 Mar 2015 14:03:05 +0100
Subject: Move http_request to certtools

---
 tools/certtools.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'tools/certtools.py')

diff --git a/tools/certtools.py b/tools/certtools.py
index 2fb1492..ad90e5c 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -6,6 +6,7 @@ import json
 import base64
 import urllib
 import urllib2
+import urlparse
 import struct
 import sys
 import hashlib
@@ -182,6 +183,23 @@ def check_signature(baseurl, signature, data):
     vk.verify(unpacked_signature, data, hashfunc=hashlib.sha256,
               sigdecode=ecdsa.util.sigdecode_der)
 
+def http_request(url, data=None, key=None):
+    req = urllib2.Request(url, data)
+    (keyname, keyfile) = key
+    privatekey = get_eckey_from_file(keyfile)
+    sk = ecdsa.SigningKey.from_der(privatekey)
+    parsed_url = urlparse.urlparse(url)
+    if data == None:
+        data = parsed_url.query
+        method = "GET"
+    else:
+        method = "POST"
+    signature = sk.sign("%s\0%s\0%s" % (method, parsed_url.path, data), hashfunc=hashlib.sha256,
+                        sigencode=ecdsa.util.sigencode_der)
+    req.add_header('X-Catlfish-Auth', base64.b64encode(signature) + ";key=" + keyname)
+    result = urllib2.urlopen(req).read()
+    return result
+
 def create_signature(privatekey, data):
     sk = ecdsa.SigningKey.from_der(privatekey)
     unpacked_signature = sk.sign(data, hashfunc=hashlib.sha256,
-- 
cgit v1.1


From ff18e0fdd57a6b485f427173fe7febee03345037 Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp <map@kth.se>
Date: Tue, 3 Mar 2015 15:33:39 +0100
Subject: merge.py: use external signing

---
 tools/certtools.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

(limited to 'tools/certtools.py')

diff --git a/tools/certtools.py b/tools/certtools.py
index ad90e5c..222497f 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -200,10 +200,18 @@ def http_request(url, data=None, key=None):
     result = urllib2.urlopen(req).read()
     return result
 
-def create_signature(privatekey, data):
-    sk = ecdsa.SigningKey.from_der(privatekey)
-    unpacked_signature = sk.sign(data, hashfunc=hashlib.sha256,
-                                 sigencode=ecdsa.util.sigencode_der)
+def get_signature(baseurl, data, key=None):
+    try:
+        params = json.dumps({"plop_version":1, "data": base64.b64encode(data)})
+        result = http_request(baseurl + "ct/signing/sth", params, key=key)
+        parsed_result = json.loads(result)
+        return base64.b64decode(parsed_result.get(u"result"))
+    except urllib2.HTTPError, e:
+        print "ERROR: get_signature", e.read()
+        sys.exit(1)
+
+def create_signature(baseurl, data, key=None):
+    unpacked_signature = get_signature(baseurl, data, key)
     return encode_signature(4, 3, unpacked_signature)
 
 def check_sth_signature(baseurl, sth):
@@ -218,14 +226,14 @@ def check_sth_signature(baseurl, sth):
 
     check_signature(baseurl, signature, tree_head)
 
-def create_sth_signature(tree_size, timestamp, root_hash, privatekey):
+def create_sth_signature(tree_size, timestamp, root_hash, baseurl, key=None):
     version = struct.pack(">b", 0)
     signature_type = struct.pack(">b", 1)
     timestamp_packed = struct.pack(">Q", timestamp)
     tree_size_packed = struct.pack(">Q", tree_size)
     tree_head = version + signature_type + timestamp_packed + tree_size_packed + root_hash
 
-    return create_signature(privatekey, tree_head)
+    return create_signature(baseurl, tree_head, key=key)
 
 def check_sct_signature(baseurl, leafcert, sct):
     publickey = base64.decodestring(publickeys[baseurl])
-- 
cgit v1.1


From d1d2185b420d873a97bc78c5e07482accaf574fc Mon Sep 17 00:00:00 2001
From: Linus Nordberg <linus@nordberg.se>
Date: Thu, 19 Mar 2015 17:49:41 +0100
Subject: Add precert handling.

---
 tools/certtools.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'tools/certtools.py')

diff --git a/tools/certtools.py b/tools/certtools.py
index 222497f..0e639f2 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -6,6 +6,7 @@ import json
 import base64
 import urllib
 import urllib2
+import ssl
 import urlparse
 import struct
 import sys
@@ -79,7 +80,7 @@ def get_root_cert(issuer):
     return root_cert
 
 def get_sth(baseurl):
-    result = urllib2.urlopen(baseurl + "ct/v1/get-sth").read()
+    result = urllib2.urlopen(baseurl + "ct/v1/get-sth", context=ssl.SSLContext(ssl.PROTOCOL_TLSv1)).read()
     return json.loads(result)
 
 def get_proof_by_hash(baseurl, hash, tree_size):
@@ -87,7 +88,7 @@ def get_proof_by_hash(baseurl, hash, tree_size):
         params = urllib.urlencode({"hash":base64.b64encode(hash),
                                    "tree_size":tree_size})
         result = \
-          urllib2.urlopen(baseurl + "ct/v1/get-proof-by-hash?" + params).read()
+          urllib2.urlopen(baseurl + "ct/v1/get-proof-by-hash?" + params, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1)).read()
         return json.loads(result)
     except urllib2.HTTPError, e:
         print "ERROR:", e.read()
@@ -98,7 +99,7 @@ def get_consistency_proof(baseurl, tree_size1, tree_size2):
         params = urllib.urlencode({"first":tree_size1,
                                    "second":tree_size2})
         result = \
-          urllib2.urlopen(baseurl + "ct/v1/get-sth-consistency?" + params).read()
+          urllib2.urlopen(baseurl + "ct/v1/get-sth-consistency?" + params, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1)).read()
         return json.loads(result)["consistency"]
     except urllib2.HTTPError, e:
         print "ERROR:", e.read()
@@ -121,8 +122,7 @@ def unpack_tls_array(packed_data, length_len):
 
 def add_chain(baseurl, submission):
     try:
-        result = urllib2.urlopen(baseurl + "ct/v1/add-chain",
-            json.dumps(submission)).read()
+        result = urllib2.urlopen(baseurl + "ct/v1/add-chain", json.dumps(submission), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1)).read()
         return json.loads(result)
     except urllib2.HTTPError, e:
         print "ERROR", e.code,":", e.read()
@@ -140,7 +140,7 @@ def add_chain(baseurl, submission):
 def get_entries(baseurl, start, end):
     try:
         params = urllib.urlencode({"start":start, "end":end})
-        result = urllib2.urlopen(baseurl + "ct/v1/get-entries?" + params).read()
+        result = urllib2.urlopen(baseurl + "ct/v1/get-entries?" + params, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1)).read()
         return json.loads(result)
     except urllib2.HTTPError, e:
         print "ERROR:", e.read()
@@ -197,7 +197,7 @@ def http_request(url, data=None, key=None):
     signature = sk.sign("%s\0%s\0%s" % (method, parsed_url.path, data), hashfunc=hashlib.sha256,
                         sigencode=ecdsa.util.sigencode_der)
     req.add_header('X-Catlfish-Auth', base64.b64encode(signature) + ";key=" + keyname)
-    result = urllib2.urlopen(req).read()
+    result = urllib2.urlopen(req, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1)).read()
     return result
 
 def get_signature(baseurl, data, key=None):
-- 
cgit v1.1