API keys are now provided in config fileconfig-api-key

Also added CA cert verification for internal TLS connections.
author: Magnus Ahltorp <map@kth.se> 2017-01-20 00:30:36 +0100
committer: Magnus Ahltorp <map@kth.se> 2017-01-20 00:30:36 +0100
commit: 784f116ba3fad8e28ef2fefd86d5df71801dbe6f (patch)
tree: 409e53de64335664b2944baa1e1880b9f5565ece /src/sign.erl
parent: 109fc863b5ebec2d502c55df1f763c8f0ecb4722 (diff)
1 files changed, 9 insertions, 14 deletions
diff --git a/src/sign.erl b/src/sign.erl
index 2c55429..492279f 100644
--- a/src/sign.erl
+++ b/src/sign.erl
@@ -9,7 +9,7 @@
 %% API.
 -export([start_link/0, stop/0]).
 -export([sign_sct/1, sign_sth/1, get_pubkey/0, get_logid/0, verify_sth/2]).
--export([read_keyfile_ec/1]).
+-export([read_keyfile_ec/1, pem_entry_decode/1]).
 %% API for tests.
 -export([read_keyfile_rsa/2]).
 %% gen_server callbacks.
@@ -37,6 +37,9 @@ start_link() ->
 stop() ->
     call(?MODULE, stop).
 
+get_log_public_key() ->
+    Der = application:get_env(plop, log_public_key, none),
+    pem_entry_decode({'SubjectPublicKeyInfo', Der, []}).
 
 init([]) ->
     %% Read RSA keypair.
@@ -44,9 +47,8 @@ init([]) ->
     %% LogID = crypto:hash(sha256,
     %%                     public_key:der_encode('RSAPublicKey', Public_key)),
     %% Read EC keypair.
-    PubKeyfile = application:get_env(plop, log_public_key, none),
-    Public_key = read_keyfile_ec(PubKeyfile),
-    LogID = read_keyfile_ec_logid(PubKeyfile),
+    Public_key = get_log_public_key(),
+    LogID = get_logid(),
 
     case application:get_env(plop, hsm) of
         {ok, Args} ->
@@ -84,12 +86,6 @@ read_keyfile_ec(KeyFile) ->
     [KeyPem] = filter_pem_types(public_key:pem_decode(PemBin), ['ECPrivateKey', 'SubjectPublicKeyInfo']),
     decode_key(KeyPem).
 
-read_keyfile_ec_logid(KeyFile) ->
-    lager:debug("reading file ~p", [KeyFile]),
-    {ok, PemBin} = file:read_file(KeyFile),
-    [{'SubjectPublicKeyInfo', Der, _}] = filter_pem_types(public_key:pem_decode(PemBin), ['SubjectPublicKeyInfo']),
-    crypto:hash(sha256, Der).
-
 pem_entry_decode({'SubjectPublicKeyInfo', Der, _}) ->
     SPKI = public_key:der_decode('SubjectPublicKeyInfo', Der),
     {Octets, Algorithm} = plop_compat:unpack_spki(SPKI),
@@ -182,13 +178,12 @@ get_pubkey() ->
     call(?MODULE, {get, pubkey}).
 
 get_logid() ->
-    PubKeyfile = application:get_env(plop, log_public_key, none),
-    read_keyfile_ec_logid(PubKeyfile).
+    Der = application:get_env(plop, log_public_key, none),
+    crypto:hash(sha256, Der).
 
 verify_sth(STH, Signature) ->
     lager:debug("verifying ~p: ~p", [STH, Signature]),
-    PubKeyfile = application:get_env(plop, log_public_key, none),
-    PublicKey = read_keyfile_ec(PubKeyfile),
+    PublicKey = get_log_public_key(),
     public_key:verify(STH, sha256, Signature, PublicKey).
 
 encode_ec_signature(RawSignature, SignatureLength) ->
author	Magnus Ahltorp <map@kth.se>	2017-01-20 00:30:36 +0100
committer	Magnus Ahltorp <map@kth.se>	2017-01-20 00:30:36 +0100
commit	784f116ba3fad8e28ef2fefd86d5df71801dbe6f (patch)
tree	409e53de64335664b2944baa1e1880b9f5565ece /src/sign.erl
parent	109fc863b5ebec2d502c55df1f763c8f0ecb4722 (diff)