Delete MerkleTreeLeafFromChain (#118)

* drop MerkleTreeLeafFromChain

* add extension in relevant tests

Author: phbnf

internal/scti/signatures.go

@@ -64,6 +64,7 @@ func serializeSCTSignatureInput(sct types.SignedCertificateTimestamp, entry type
 }
 
 // TODO(phboneff): create an SCTSigner object
+// TODO(phboneff): see if we can change leaf to idx and entry
 func buildV1SCT(signer crypto.Signer, leaf *types.MerkleTreeLeaf) (*types.SignedCertificateTimestamp, error) {
 	// Serialize SCT signature input to get the bytes that need to be signed
 	sctInput := types.SignedCertificateTimestamp{
@@ -131,61 +132,6 @@ func serializeSTHSignatureInput(sth types.SignedTreeHead) ([]byte, error) {
 	}
 }
 
-// MerkleTreeLeafFromChain generates a MerkleTreeLeaf from a chain and timestamp.
-// TODO(phboneff): delete this function and use entryFromChain instead.
-func MerkleTreeLeafFromChain(chain []*x509.Certificate, etype types.LogEntryType, timestamp uint64) (*types.MerkleTreeLeaf, error) {
-	leaf := types.MerkleTreeLeaf{
-		Version:  types.V1,
-		LeafType: types.TimestampedEntryLeafType,
-		TimestampedEntry: &types.TimestampedEntry{
-			EntryType: etype,
-			Timestamp: timestamp,
-		},
-	}
-	if etype == types.X509LogEntryType {
-		leaf.TimestampedEntry.X509Entry = &types.ASN1Cert{Data: chain[0].Raw}
-		return &leaf, nil
-	}
-	if etype != types.PrecertLogEntryType {
-		return nil, fmt.Errorf("unknown LogEntryType %d", etype)
-	}
-
-	// Pre-certs are more complicated. First, parse the leaf pre-cert and its
-	// putative issuer.
-	if len(chain) < 2 {
-		return nil, fmt.Errorf("no issuer cert available for precert leaf building")
-	}
-	issuer := chain[1]
-	cert := chain[0]
-
-	var preIssuer *x509.Certificate
-	if isPreIssuer(issuer) {
-		// Replace the cert's issuance information with details from the pre-issuer.
-		preIssuer = issuer
-
-		// The issuer of the pre-cert is not going to be the issuer of the final
-		// cert.  Change to use the final issuer's key hash.
-		if len(chain) < 3 {
-			return nil, fmt.Errorf("no issuer cert available for pre-issuer")
-		}
-		issuer = chain[2]
-	}
-
-	// Next, post-process the DER-encoded TBSCertificate, to remove the CT poison
-	// extension and possibly update the issuer field.
-	defangedTBS, err := x509.BuildPrecertTBS(cert.RawTBSCertificate, preIssuer)
-	if err != nil {
-		return nil, fmt.Errorf("failed to remove poison extension: %v", err)
-	}
-
-	leaf.TimestampedEntry.EntryType = types.PrecertLogEntryType
-	leaf.TimestampedEntry.PrecertEntry = &types.PreCert{
-		IssuerKeyHash:  sha256.Sum256(issuer.RawSubjectPublicKeyInfo),
-		TBSCertificate: defangedTBS,
-	}
-	return &leaf, nil
-}
-
 // buildCp builds a https://c2sp.org/static-ct-api checkpoint.
 // TODO(phboneff): add tests
 func buildCp(signer crypto.Signer, size uint64, timeMilli uint64, hash []byte) ([]byte, error) {

internal/scti/signatures_test.go

@@ -35,6 +35,8 @@ var (
 	fixedTime       = time.Date(2017, 9, 7, 12, 15, 23, 0, time.UTC)
 	fixedTimeMillis = uint64(fixedTime.UnixNano() / nanosPerMilli)
 	demoLogID       = [32]byte{19, 56, 222, 93, 229, 36, 102, 128, 227, 214, 3, 121, 93, 175, 126, 236, 97, 217, 34, 32, 40, 233, 98, 27, 46, 179, 164, 251, 84, 10, 60, 57}
+	fakeIndex       = uint8(8)
+	fakeExtension   = []byte{0, 0, 5, 0, 0, 0, 0, fakeIndex}
 	fakeSignature   = []byte("signed")
 )
 
@@ -46,6 +48,7 @@ const (
 	defaultPrecertIssuerHashString string = "iamapublickeyshatwofivesixdigest"
 	defaultPrecertTBSString        string = "tbs"
 
+	// TODO(phboneff): add extension and regenerate data
 	defaultCertificateSCTSignatureInputHexString string =
 	// version, 1 byte
 	"00" +
@@ -251,11 +254,19 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 		t.Fatalf("could not create signer: %v", err)
 	}
 
-	leaf, err := MerkleTreeLeafFromChain([]*x509.Certificate{cert}, types.X509LogEntryType, fixedTimeMillis)
+	// Use the same cert as the issuer for convenience.
+	entry, err := entryFromChain([]*x509.Certificate{cert, cert}, false, fixedTimeMillis)
 	if err != nil {
 		t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 	}
-	got, err := buildV1SCT(signer, leaf)
+	var leaf types.MerkleTreeLeaf
+	leafValue := entry.MerkleTreeLeaf(uint64(fakeIndex))
+	if rest, err := tls.Unmarshal(leafValue, &leaf); err != nil {
+		t.Fatalf("failed to reconstruct MerkleTreeLeaf: %s", err)
+	} else if len(rest) > 0 {
+		t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
+	}
+	got, err := buildV1SCT(signer, &leaf)
 	if err != nil {
 		t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 	}
@@ -264,7 +275,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 		SCTVersion: 0,
 		LogID:      types.LogID{KeyID: demoLogID},
 		Timestamp:  fixedTimeMillis,
-		Extensions: types.CTExtensions{},
+		Extensions: types.CTExtensions(fakeExtension),
 		Signature: types.DigitallySigned{
 			Algorithm: tls.SignatureAndHashAlgorithm{
 				Hash:      tls.SHA256,
@@ -307,11 +318,19 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 	}
 
 	// Use the same cert as the issuer for convenience.
-	leaf, err := MerkleTreeLeafFromChain([]*x509.Certificate{cert, cert}, types.PrecertLogEntryType, fixedTimeMillis)
+	entry, err := entryFromChain([]*x509.Certificate{cert, cert}, true, fixedTimeMillis)
 	if err != nil {
 		t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 	}
-	got, err := buildV1SCT(signer, leaf)
+	var leaf types.MerkleTreeLeaf
+	leafValue := entry.MerkleTreeLeaf(uint64(fakeIndex))
+	if rest, err := tls.Unmarshal(leafValue, &leaf); err != nil {
+		t.Fatalf("failed to reconstruct MerkleTreeLeaf: %s", err)
+	} else if len(rest) > 0 {
+		t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
+	}
+
+	got, err := buildV1SCT(signer, &leaf)
 	if err != nil {
 		t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 	}
@@ -320,7 +339,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 		SCTVersion: 0,
 		LogID:      types.LogID{KeyID: demoLogID},
 		Timestamp:  fixedTimeMillis,
-		Extensions: types.CTExtensions{},
+		Extensions: types.CTExtensions(fakeExtension),
 		Signature: types.DigitallySigned{
 			Algorithm: tls.SignatureAndHashAlgorithm{
 				Hash:      tls.SHA256,