
Commit 3c48113

authored
Delete MerkleTreeLeafFromChain (#118)
* drop MerkleTreeLeafFromChain * add extension in relevant tests
1 parent b89eb8a commit 3c48113


2 files changed

+26
-61
lines changed


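--- a/internal/scti/signatures.go
+++ b/internal/scti/signatures.go
@@ -64,6 +64,7 @@ func serializeSCTSignatureInput(sct types.SignedCertificateTimestamp, entry type
 }
 
 // TODO(phboneff): create an SCTSigner object
+// TODO(phboneff): see if we can change leaf to idx and entry
 func buildV1SCT(signer crypto.Signer, leaf *types.MerkleTreeLeaf) (*types.SignedCertificateTimestamp, error) {
 // Serialize SCT signature input to get the bytes that need to be signed
 sctInput := types.SignedCertificateTimestamp{
@@ -131,61 +132,6 @@ func serializeSTHSignatureInput(sth types.SignedTreeHead) ([]byte, error) {
 }
 }
 
-// MerkleTreeLeafFromChain generates a MerkleTreeLeaf from a chain and timestamp.
-// TODO(phboneff): delete this function and use entryFromChain instead.
-func MerkleTreeLeafFromChain(chain []*x509.Certificate, etype types.LogEntryType, timestamp uint64) (*types.MerkleTreeLeaf, error) {
-leaf := types.MerkleTreeLeaf{
-Version: types.V1,
-LeafType: types.TimestampedEntryLeafType,
-TimestampedEntry: &types.TimestampedEntry{
-EntryType: etype,
-Timestamp: timestamp,
-},
-}
-if etype == types.X509LogEntryType {
-leaf.TimestampedEntry.X509Entry = &types.ASN1Cert{Data: chain[0].Raw}
-return &leaf, nil
-}
-if etype != types.PrecertLogEntryType {
-return nil, fmt.Errorf("unknown LogEntryType %d", etype)
-}
-
-// Pre-certs are more complicated. First, parse the leaf pre-cert and its
-// putative issuer.
-if len(chain) < 2 {
-return nil, fmt.Errorf("no issuer cert available for precert leaf building")
-}
-issuer := chain[1]
-cert := chain[0]
-
-var preIssuer *x509.Certificate
-if isPreIssuer(issuer) {
-// Replace the cert's issuance information with details from the pre-issuer.
-preIssuer = issuer
-
-// The issuer of the pre-cert is not going to be the issuer of the final
-// cert. Change to use the final issuer's key hash.
-if len(chain) < 3 {
-return nil, fmt.Errorf("no issuer cert available for pre-issuer")
-}
-issuer = chain[2]
-}
-
-// Next, post-process the DER-encoded TBSCertificate, to remove the CT poison
-// extension and possibly update the issuer field.
-defangedTBS, err := x509.BuildPrecertTBS(cert.RawTBSCertificate, preIssuer)
-if err != nil {
-return nil, fmt.Errorf("failed to remove poison extension: %v", err)
-}
-
-leaf.TimestampedEntry.EntryType = types.PrecertLogEntryType
-leaf.TimestampedEntry.PrecertEntry = &types.PreCert{
-IssuerKeyHash: sha256.Sum256(issuer.RawSubjectPublicKeyInfo),
-TBSCertificate: defangedTBS,
-}
-return &leaf, nil
-}
-
 // buildCp builds a https://c2sp.org/static-ct-api checkpoint.
 // TODO(phboneff): add tests
 func buildCp(signer crypto.Signer, size uint64, timeMilli uint64, hash []byte) ([]byte, error) {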

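--- a/internal/scti/signatures_test.go
+++ b/internal/scti/signatures_test.go
@@ -35,6 +35,8 @@ var (
 fixedTime = time.Date(2017, 9, 7, 12, 15, 23, 0, time.UTC)
 fixedTimeMillis = uint64(fixedTime.UnixNano() / nanosPerMilli)
 demoLogID = [32]byte{19, 56, 222, 93, 229, 36, 102, 128, 227, 214, 3, 121, 93, 175, 126, 236, 97, 217, 34, 32, 40, 233, 98, 27, 46, 179, 164, 251, 84, 10, 60, 57}
+fakeIndex = uint8(8)
+fakeExtension = []byte{0, 0, 5, 0, 0, 0, 0, fakeIndex}
 fakeSignature = []byte("signed")
 )
 
@@ -46,6 +48,7 @@ const (
 defaultPrecertIssuerHashString string = "iamapublickeyshatwofivesixdigest"
 defaultPrecertTBSString string = "tbs"
 
+// TODO(phboneff): add extension and regenerate data
 defaultCertificateSCTSignatureInputHexString string =
 // version, 1 byte
 "00" +
@@ -251,11 +254,19 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 t.Fatalf("could not create signer: %v", err)
 }
 
-leaf, err := MerkleTreeLeafFromChain([]*x509.Certificate{cert}, types.X509LogEntryType, fixedTimeMillis)
+// Use the same cert as the issuer for convenience.
+entry, err := entryFromChain([]*x509.Certificate{cert, cert}, false, fixedTimeMillis)
 if err != nil {
 t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 }
-got, err := buildV1SCT(signer, leaf)
+var leaf types.MerkleTreeLeaf
+leafValue := entry.MerkleTreeLeaf(uint64(fakeIndex))
+if rest, err := tls.Unmarshal(leafValue, &leaf); err != nil {
+t.Fatalf("failed to reconstruct MerkleTreeLeaf: %s", err)
+} else if len(rest) > 0 {
+t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
+}
+got, err := buildV1SCT(signer, &leaf)
 if err != nil {
 t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 }
@@ -264,7 +275,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 SCTVersion: 0,
 LogID: types.LogID{KeyID: demoLogID},
 Timestamp: fixedTimeMillis,
-Extensions: types.CTExtensions{},
+Extensions: types.CTExtensions(fakeExtension),
 Signature: types.DigitallySigned{
 Algorithm: tls.SignatureAndHashAlgorithm{
 Hash: tls.SHA256,
@@ -307,11 +318,19 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 }
 
 // Use the same cert as the issuer for convenience.
-leaf, err := MerkleTreeLeafFromChain([]*x509.Certificate{cert, cert}, types.PrecertLogEntryType, fixedTimeMillis)
+entry, err := entryFromChain([]*x509.Certificate{cert, cert}, true, fixedTimeMillis)
 if err != nil {
 t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 }
-got, err := buildV1SCT(signer, leaf)
+var leaf types.MerkleTreeLeaf
+leafValue := entry.MerkleTreeLeaf(uint64(fakeIndex))
+if rest, err := tls.Unmarshal(leafValue, &leaf); err != nil {
+t.Fatalf("failed to reconstruct MerkleTreeLeaf: %s", err)
+} else if len(rest) > 0 {
+t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
+}
+
+got, err := buildV1SCT(signer, &leaf)
 if err != nil {
 t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 }
@@ -320,7 +339,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 SCTVersion: 0,
 LogID: types.LogID{KeyID: demoLogID},
 Timestamp: fixedTimeMillis,
-Extensions: types.CTExtensions{},
+Extensions: types.CTExtensions(fakeExtension),
 Signature: types.DigitallySigned{
 Algorithm: tls.SignatureAndHashAlgorithm{
 Hash: tls.SHA256,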