From 1075b68f287e957cd73c8cdb9517293b4c920eec Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp
Date: Mon, 16 Mar 2015 10:06:42 +0100
Subject: Add submission of precerts
---
 tools/submitcert.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'tools/submitcert.py')
diff --git a/tools/submitcert.py b/tools/submitcert.py
index 9f0be67..1c79544 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
@@ -44,10 +44,16 @@ sth = get_sth(baseurl)
 def submitcert((certfile, cert)):
 timing = timing_point()
 certchain = get_certs_from_string(cert)
+ precerts = get_precerts_from_string(cert)
+ assert len(precerts) == 0 or len(precerts) == 1
+ precert = precerts[0] if precerts else None
 timing_point(timing, "readcerts")
 try:
- result = add_chain(baseurl, {"chain":map(base64.b64encode, certchain)})
+ if precert:
+ result = add_prechain(baseurl, {"chain":map(base64.b64encode, [precert] + certchain)})
+ else:
+ result = add_chain(baseurl, {"chain":map(base64.b64encode, certchain)})
 except SystemExit:
 print "EXIT:", certfile
 select.select([], [], [], 1.0)
-- cgit v1.1
From 0a76e4d080a8349456d04434dcb2d4b381eb8ec4 Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp
Date: Wed, 18 Mar 2015 14:27:18 +0100
Subject: Added precert handling for SCT calculation
---
 tools/submitcert.py | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)
(limited to 'tools/submitcert.py')
diff --git a/tools/submitcert.py b/tools/submitcert.py
index 1c79544..2e8cc33 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
@@ -13,6 +13,11 @@ import struct
 import hashlib
 import itertools
 from certtools import *
+from certtools import *
+try:
+ from precerttools import *
+except ImportError:
+ pass
 import os
 import signal
 import select
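Review bot: `assert len(precerts) == 0 or len(precerts) == 1` is the only guard against an input file that carries several precertificates, and `assert` is stripped under `python -O`, so in that mode `precert = precerts[0] if precerts else None` silently submits the first precert and drops the rest. Replace it with an explicit check that names the file, e.g. `if len(precerts) > 1: raise ValueError("%s: more than one precert in input" % certfile)`, so the bad input is rejected regardless of interpreter flags; the surrounding `try` only catches `SystemExit`, so the error propagates to the caller the same way a parse failure in `get_certs_from_string` presumably would (that helper is not shown). The body of `submitcert` continues past the end of the hunk.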
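Review bot: The added `from certtools import *` duplicates the context line directly above it, and guarding `from precerttools import *` with `except ImportError: pass` turns a missing module into a `NameError` at the first precert submission, inside a pool worker, instead of a clear failure at startup. If the precert helpers used later in this file (`get_precerts_from_string`, `cleanprecert`, `pack_precert`, `ext_key_usage_precert_signing_cert`) come from precerttools, which this hunk cannot confirm, the import should be unconditional; otherwise at least report the failure, e.g. `except ImportError, e: sys.stderr.write("precerttools unavailable, precert submission disabled: %s\n" % e)` (`sys` is already used by `sys.exit(1)` further down the file). Drop the duplicate `from certtools import *` either way.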
@@ -51,8 +56,20 @@ def submitcert((certfile, cert)):
 try:
 if precert:
+ if ext_key_usage_precert_signing_cert in get_ext_key_usage(certchain[0]):
+ issuer_key_hash = get_cert_key_hash(certchain[1])
+ issuer = certchain[1]
+ else:
+ issuer_key_hash = get_cert_key_hash(certchain[0])
+ issuer = None
+ cleanedcert = cleanprecert(precert, issuer=issuer)
+ signed_entry = pack_precert(cleanedcert, issuer_key_hash)
+ leafcert = cleanedcert
 result = add_prechain(baseurl, {"chain":map(base64.b64encode, [precert] + certchain)})
 else:
+ signed_entry = pack_cert(certchain[0])
+ leafcert = certchain[0]
+ issuer_key_hash = None
 result = add_chain(baseurl, {"chain":map(base64.b64encode, certchain)})
 except SystemExit:
 print "EXIT:", certfile
@@ -67,7 +84,7 @@ def submitcert((certfile, cert)):
 try:
 if args.check_sct:
- check_sct_signature(baseurl, certchain[0], result)
+ check_sct_signature(baseurl, signed_entry, result, precert=precert)
 timing_point(timing, "checksig")
 except AssertionError, e:
 print "ERROR:", certfile, e
@@ -81,7 +98,7 @@ def submitcert((certfile, cert)):
 if lookup_in_log:
- merkle_tree_leaf = pack_mtl(result["timestamp"], certchain[0])
+ merkle_tree_leaf = pack_mtl(result["timestamp"], leafcert)
 leaf_hash = get_leaf_hash(merkle_tree_leaf)
@@ -119,7 +136,7 @@ def submitcert((certfile, cert)):
 print "and submitted chain has length", len(submittedcertchain)
 timing_point(timing, "lookup")
- return ((certchain[0], result), timing["deltatimes"])
+ return ((leafcert, issuer_key_hash, result), timing["deltatimes"])
 def get_ncerts(certfiles):
 n = 0
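Review bot: `certchain[0]` and `certchain[1]` are indexed without checking the chain length: a precert submitted with an empty chain raises `IndexError` at `get_ext_key_usage(certchain[0])`, and a chain that ends with a Precertificate Signing Certificate (EKU matches, no issuer follows) raises at `get_cert_key_hash(certchain[1])`. The enclosing `try` only catches `SystemExit`, so either case escapes as a traceback from the pool worker rather than the `ERROR:`/`EXIT:` lines the rest of the function prints. Guard both reads, e.g. `if not certchain: raise ValueError("%s: precert without issuer chain" % certfile)` before the EKU test and `if len(certchain) < 2: raise ValueError("%s: precert signing cert without issuer" % certfile)` inside the EKU branch. The issuer-key-hash and issuer-rewrite logic itself follows RFC 6962 section 3.2, on the assumption that `cleanprecert` and `pack_precert` do what their names suggest; neither helper is in this hunk, and `submitcert` starts before and ends after it.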
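Review bot: `pack_mtl(result["timestamp"], leafcert)` in the `-81,7` hunk now receives the cleaned TBSCertificate for a precert, but a precert MerkleTreeLeaf (RFC 6962 section 3.4) is a precert_entry carrying `issuer_key_hash` plus the TBS, the same data the `-51,8` hunk already assembled into `signed_entry`; unless `pack_mtl` recognises a bare TBS on its own (not visible here), the leaf hash computed for precerts will not match the log's and the lookup will fail. Feeding it the packed entry, `merkle_tree_leaf = pack_mtl(result["timestamp"], signed_entry)`, or adding an `issuer_key_hash` parameter to `pack_mtl`, would keep the SCT-check and lookup paths consistent. This path is dormant because `lookup_in_log = False` is hard-coded (visible in the third commit's context), so the defect is latent rather than live. `submitcert` starts before and ends after the hunk.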
@@ -142,9 +159,12 @@ def get_all_certificates(certfiles):
 else:
 yield (certfile, open(certfile).read())
-def save_sct(sct, sth):
+def save_sct(sct, sth, leafcert, issuer_key_hash):
 sctlog = open(args.sct_file, "a")
- json.dump({"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}, sctlog)
+ sctentry = {"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}
+ if issuer_key_hash:
+ sctentry["issuer_key_hash"] = base64.b64encode(issuer_key_hash)
+ json.dump(sctentry, sctlog)
 sctlog.write("\n")
 sctlog.close()
@@ -163,8 +183,8 @@ certs = get_all_certificates(certfiles)
 (result, timing) = submitcert(certs.next())
 if result != None:
 nsubmitted += 1
- (leafcert, sct) = result
- save_sct(sct, sth)
+ (leafcert, issuer_key_hash, sct) = result
+ save_sct(sct, sth, leafcert, issuer_key_hash)
 if args.pre_warm:
 select.select([], [], [], 3.0)
@@ -181,8 +201,8 @@ try:
 sys.exit(1)
 if result != None:
 nsubmitted += 1
- (leafcert, sct) = result
- save_sct(sct, sth)
+ (leafcert, issuer_key_hash, sct) = result
+ save_sct(sct, sth, leafcert, issuer_key_hash)
 deltatime = datetime.datetime.now() - starttime
 deltatime_f = deltatime.seconds + deltatime.microseconds / 1000000.0
 rate = nsubmitted / deltatime_f
-- cgit v1.1
From 6b62ebbf1de5b9e55b04e9cfafd0620f1374c2d4 Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp
Date: Tue, 31 Mar 2015 14:27:23 +0200
Subject: Cleanup tests and use urllib2.build_opener
Remove unused files
Generate test config files directly in release directory
Move test database files to "tests" directory
Generate log key when preparing tests
Report error when STH not found in v1.erl
Make merge, fetchallcerts, submitcert, verifysct, and testcase1 take log key as argument
---
 tools/submitcert.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'tools/submitcert.py')
diff --git a/tools/submitcert.py b/tools/submitcert.py
index 2e8cc33..ba4b337 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
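Review bot: `sctlog = open(args.sct_file, "a")` is still paired with a manual `sctlog.close()`, so if `json.dump(sctentry, sctlog)` raises (for instance an `sct` value that is not JSON-serialisable) the handle leaks; passing `leafcert` in explicitly instead of reading the module-level name is the right fix, but the I/O should be `with open(args.sct_file, "a") as sctlog:` wrapping the dump and `sctlog.write("\n")`, with the explicit `close()` dropped. Also worth a comment on the `if issuer_key_hash:` line, since a consumer of this file has nothing else to tell entry types apart: `# issuer_key_hash present <=> precert entry (RFC 6962 PreCert); absent for X.509 entries`. Note that `--sct-file` defaults to `None` (see the third commit's argument-parser context); whether `save_sct` can be reached without it, and thus hit `open(None, "a")`, depends on code outside this hunk.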
@@ -30,6 +30,7 @@ parser.add_argument('--sct-file', default=None, metavar="file", help='Store SCT:
 parser.add_argument('--parallel', type=int, default=16, metavar="n", help="Number of parallel submits")
 parser.add_argument('--check-sct', action='store_true', help="Check SCT signature")
 parser.add_argument('--pre-warm', action='store_true', help="Wait 3 seconds after first submit")
+parser.add_argument('--publickey', default=None, metavar="file", help='Public key for the CT log')
 args = parser.parse_args()
 from multiprocessing import Pool
@@ -37,6 +38,8 @@ from multiprocessing import Pool
 baseurl = args.baseurl
 certfilepath = args.store
+logpublickey = get_public_key_from_file(args.publickey) if args.publickey else None
+
 lookup_in_log = False
 if certfilepath[-1] == "/":
@@ -84,7 +87,7 @@ def submitcert((certfile, cert)):
 try:
 if args.check_sct:
- check_sct_signature(baseurl, signed_entry, result, precert=precert)
+ check_sct_signature(baseurl, signed_entry, result, precert=precert, publickey=logpublickey)
 timing_point(timing, "checksig")
 except AssertionError, e:
 print "ERROR:", certfile, e
-- cgit v1.1
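Review bot: `logpublickey` is `None` whenever `--publickey` is omitted, and the `-84,7` hunk forwards that `None` as `publickey=` to `check_sct_signature` under `--check-sct`; if the helper then falls back to fetching the key from the log at `baseurl` (inferred, the helper is not shown), the signature check verifies a log against a key the same log served, which accepts anything a compromised log or a man-in-the-middle on `baseurl` emits. Since the commit's stated purpose is to make the tools take the log key as an argument, fail early in the `-30,6` hunk right after `args = parser.parse_args()`: `if args.check_sct and not args.publickey: parser.error("--check-sct requires --publickey")`. The option's help text should also say that the key is the trust anchor, e.g. `help='Public key for the CT log (trust anchor for --check-sct)'`.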