summaryrefslogtreecommitdiff
path: root/tools/submitcert.py
blob: 4f1609cbed4be4653ef1cc4ede62d13d22be66b3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/usr/bin/env python

# Copyright (c) 2014, NORDUnet A/S.
# See LICENSE for licensing information.

import urllib2
import urllib
import json
import base64
import sys
import struct
import hashlib
import itertools
from certtools import *

baseurl = sys.argv[1]
certfile = sys.argv[2]

lookup_in_log = True

certs = get_certs_from_file(certfile)

result = add_chain(baseurl, {"chain":map(base64.b64encode, certs)})

try:
    check_sct_signature(baseurl, certs[0], result)
except AssertionError, e:
    print "ERROR:", e
    sys.exit(1)
except ecdsa.keys.BadSignatureError, e:
    print "ERROR: bad signature"
    sys.exit(1)
print "signature check succeeded"

if lookup_in_log:

    merkle_tree_leaf = pack_mtl(result["timestamp"], certs[0])

    leaf_hash = get_leaf_hash(merkle_tree_leaf)

    sth = get_sth(baseurl)

    proof = get_proof_by_hash(baseurl, leaf_hash, sth["tree_size"])

    leaf_index = proof["leaf_index"]

    entries = get_entries(baseurl, leaf_index, leaf_index)

    fetched_entry = entries["entries"][0]

    print "does the leaf_input of the fetched entry match what we calculated:", \
      base64.decodestring(fetched_entry["leaf_input"]) == merkle_tree_leaf

    extra_data = fetched_entry["extra_data"]

    certchain = decode_certificate_chain(base64.decodestring(extra_data))

    submittedcertchain = certs[1:]

    for (submittedcert, fetchedcert, i) in zip(submittedcertchain,
                                               certchain, itertools.count(1)):
        print "cert", i, "in chain is the same:", submittedcert == fetchedcert

    if len(certchain) == len(submittedcertchain) + 1:
        last_issuer = get_cert_info(certs[-1])["issuer"]
        root_subject = get_cert_info(certchain[-1])["subject"]
        print "issuer of last cert in submitted chain and " \
            "subject of last cert in fetched chain is the same:", \
            last_issuer == root_subject
    elif len(certchain) == len(submittedcertchain):
        print "cert chains are the same length"
    else:
        print "ERROR: fetched cert chain has length", len(certchain),
        print "and submitted chain has length", len(submittedcertchain)