move entryFromChain to x509util

# Conflicts:
#	internal/hammer/loadtest/workers.go

Author: phbnf

internal/hammer/loadtest/workers.go

@@ -16,7 +16,6 @@ package loadtest
 
 import (
 	"context"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -32,7 +31,6 @@ import (
 	"github.com/transparency-dev/static-ct/internal/types/rfc6962"
 	"github.com/transparency-dev/static-ct/internal/x509util"
 	"github.com/transparency-dev/trillian-tessera/api/layout"
-	"github.com/transparency-dev/trillian-tessera/ctonly"
 	"k8s.io/klog/v2"
 )
 
@@ -360,7 +358,7 @@ func (v *MMDVerifier) Run(ctx context.Context) {
 		if err != nil {
 			panic(fmt.Sprintf("Failed to parse certificates: %v", err))
 		}
-		entry, err := entryFromChain(certs, false, leafMMD.timestamp)
+		entry, err := x509util.EntryFromChain(certs, false, leafMMD.timestamp)
 		if err != nil {
 			panic(fmt.Sprintf("Failed to create entry from chain: %v", err))
 		}
@@ -380,78 +378,3 @@ func (v *MMDVerifier) Kill() {
 		v.cancel()
 	}
 }
-
-// entryFromChain generates an Entry from a chain and timestamp.
-// Copied from certificate-transparency-go/serialization.go and internal/scti/handlers.go.
-// TODO(phboneff): move in a different file maybe?
-func entryFromChain(chain []*x509.Certificate, isPrecert bool, timestamp uint64) (*ctonly.Entry, error) {
-	leaf := ctonly.Entry{
-		IsPrecert: isPrecert,
-		Timestamp: timestamp,
-	}
-
-	if len(chain) > 1 {
-		issuersChain := make([][32]byte, len(chain)-1)
-		for i, c := range chain[1:] {
-			issuersChain[i] = sha256.Sum256(c.Raw)
-		}
-		leaf.FingerprintsChain = issuersChain
-	}
-
-	if !isPrecert {
-		leaf.Certificate = chain[0].Raw
-		return &leaf, nil
-	}
-
-	// Pre-certs are more complicated. First, parse the leaf pre-cert and its
-	// putative issuer.
-	if len(chain) < 2 {
-		return nil, fmt.Errorf("no issuer cert available for precert leaf building")
-	}
-	issuer := chain[1]
-	cert := chain[0]
-
-	var preIssuer *x509.Certificate
-	if isPreIssuer(issuer) {
-		// Replace the cert's issuance information with details from the pre-issuer.
-		preIssuer = issuer
-
-		// The issuer of the pre-cert is not going to be the issuer of the final
-		// cert.  Change to use the final issuer's key hash.
-		if len(chain) < 3 {
-			return nil, fmt.Errorf("no issuer cert available for pre-issuer")
-		}
-		issuer = chain[2]
-	}
-
-	// Next, post-process the DER-encoded TBSCertificate, to remove the CT poison
-	// extension and possibly update the issuer field.
-	defangedTBS, err := x509util.BuildPrecertTBS(cert.RawTBSCertificate, preIssuer)
-	if err != nil {
-		return nil, fmt.Errorf("failed to remove poison extension: %v", err)
-	}
-
-	leaf.Precertificate = cert.Raw
-	// TODO(phboneff): do we need this?
-	// leaf.PrecertSigningCert = issuer.Raw
-	leaf.Certificate = defangedTBS
-
-	issuerKeyHash := sha256.Sum256(issuer.RawSubjectPublicKeyInfo)
-	leaf.IssuerKeyHash = issuerKeyHash[:]
-	return &leaf, nil
-}
-
-// isPreIssuer indicates whether a certificate is a pre-cert issuer with the specific
-// certificate transparency extended key usage.
-// Copied from certificate-transparency-go/serialization.go and internal/scti/handlers.go.
-// TODO(phboneff): unify these.
-func isPreIssuer(cert *x509.Certificate) bool {
-	// Look for the extension in the Extensions field and not ExtKeyUsage
-	// since crypto/x509 does not recognize this extension as an ExtKeyUsage.
-	for _, ext := range cert.Extensions {
-		if rfc6962.OIDExtKeyUsageCertificateTransparency.Equal(ext.Id) {
-			return true
-		}
-	}
-	return false
-}

internal/scti/handlers.go

@@ -16,7 +16,6 @@ package scti
 
 import (
 	"context"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -36,7 +35,6 @@ import (
 	"github.com/transparency-dev/static-ct/internal/x509util"
 	"github.com/transparency-dev/static-ct/modules/dedup"
 	tessera "github.com/transparency-dev/trillian-tessera"
-	"github.com/transparency-dev/trillian-tessera/ctonly"
 	"k8s.io/klog/v2"
 )
 
@@ -280,7 +278,7 @@ func addChainInternal(ctx context.Context, opts *HandlerOptions, log *log, w htt
 	nanosPerMilli := int64(time.Millisecond / time.Nanosecond)
 	timeMillis := uint64(opts.TimeSource.Now().UnixNano() / nanosPerMilli)
 
-	entry, err := entryFromChain(chain, isPrecert, timeMillis)
+	entry, err := x509util.EntryFromChain(chain, isPrecert, timeMillis)
 	if err != nil {
 		return http.StatusBadRequest, fmt.Errorf("failed to build MerkleTreeLeaf: %s", err)
 	}
@@ -450,77 +448,3 @@ func marshalAndWriteAddChainResponse(sct *rfc6962.SignedCertificateTimestamp, w
 
 	return nil
 }
-
-// entryFromChain generates an Entry from a chain and timestamp.
-// copied from certificate-transparency-go/serialization.go
-// TODO(phboneff): move to ct.go
-// TODO(phboneff): add tests
-func entryFromChain(chain []*x509.Certificate, isPrecert bool, timestamp uint64) (*ctonly.Entry, error) {
-	leaf := ctonly.Entry{
-		IsPrecert: isPrecert,
-		Timestamp: timestamp,
-	}
-
-	if len(chain) > 1 {
-		issuersChain := make([][32]byte, len(chain)-1)
-		for i, c := range chain[1:] {
-			issuersChain[i] = sha256.Sum256(c.Raw)
-		}
-		leaf.FingerprintsChain = issuersChain
-	}
-
-	if !isPrecert {
-		leaf.Certificate = chain[0].Raw
-		return &leaf, nil
-	}
-
-	// Pre-certs are more complicated. First, parse the leaf pre-cert and its
-	// putative issuer.
-	if len(chain) < 2 {
-		return nil, fmt.Errorf("no issuer cert available for precert leaf building")
-	}
-	issuer := chain[1]
-	cert := chain[0]
-
-	var preIssuer *x509.Certificate
-	if isPreIssuer(issuer) {
-		// Replace the cert's issuance information with details from the pre-issuer.
-		preIssuer = issuer
-
-		// The issuer of the pre-cert is not going to be the issuer of the final
-		// cert.  Change to use the final issuer's key hash.
-		if len(chain) < 3 {
-			return nil, fmt.Errorf("no issuer cert available for pre-issuer")
-		}
-		issuer = chain[2]
-	}
-
-	// Next, post-process the DER-encoded TBSCertificate, to remove the CT poison
-	// extension and possibly update the issuer field.
-	defangedTBS, err := x509util.BuildPrecertTBS(cert.RawTBSCertificate, preIssuer)
-	if err != nil {
-		return nil, fmt.Errorf("failed to remove poison extension: %v", err)
-	}
-
-	leaf.Precertificate = cert.Raw
-	// TODO(phboneff): do we need this?
-	// leaf.PrecertSigningCert = issuer.Raw
-	leaf.Certificate = defangedTBS
-
-	issuerKeyHash := sha256.Sum256(issuer.RawSubjectPublicKeyInfo)
-	leaf.IssuerKeyHash = issuerKeyHash[:]
-	return &leaf, nil
-}
-
-// isPreIssuer indicates whether a certificate is a pre-cert issuer with the specific
-// certificate transparency extended key usage.
-func isPreIssuer(cert *x509.Certificate) bool {
-	// Look for the extension in the Extensions field and not ExtKeyUsage
-	// since crypto/x509 does not recognize this extension as an ExtKeyUsage.
-	for _, ext := range cert.Extensions {
-		if rfc6962.OIDExtKeyUsageCertificateTransparency.Equal(ext.Id) {
-			return true
-		}
-	}
-	return false
-}

internal/scti/handlers_test.go

@@ -326,7 +326,7 @@ func parseChain(t *testing.T, isPrecert bool, pemChain []string, root *x509.Cert
 		fullChain[len(leafChain)] = root
 		leafChain = fullChain
 	}
-	entry, err := entryFromChain(leafChain, isPrecert, fakeTimeMillis)
+	entry, err := x509util.EntryFromChain(leafChain, isPrecert, fakeTimeMillis)
 	if err != nil {
 		t.Fatalf("Failed to create entry")
 	}

internal/scti/signatures_test.go

@@ -255,7 +255,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 	}
 
 	// Use the same cert as the issuer for convenience.
-	entry, err := entryFromChain([]*x509.Certificate{cert, cert}, false, fixedTimeMillis)
+	entry, err := x509util.EntryFromChain([]*x509.Certificate{cert, cert}, false, fixedTimeMillis)
 	if err != nil {
 		t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 	}
@@ -318,7 +318,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 	}
 
 	// Use the same cert as the issuer for convenience.
-	entry, err := entryFromChain([]*x509.Certificate{cert, cert}, true, fixedTimeMillis)
+	entry, err := x509util.EntryFromChain([]*x509.Certificate{cert, cert}, true, fixedTimeMillis)
 	if err != nil {
 		t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 	}

internal/x509util/ct.go

@@ -14,13 +14,17 @@
 package x509util
 
 import (
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
 	"fmt"
 	"math/big"
 	"time"
+
+	"github.com/transparency-dev/static-ct/internal/types/rfc6962"
+	"github.com/transparency-dev/trillian-tessera/ctonly"
 )
 
 var (
@@ -191,3 +195,76 @@ func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error
 func RemoveCTPoison(tbsData []byte) ([]byte, error) {
 	return BuildPrecertTBS(tbsData, nil)
 }
+
+// EntryFromChain generates an Entry from a chain and timestamp.
+// copied from certificate-transparency-go/serialization.go
+// TODO(phboneff): add tests
+func EntryFromChain(chain []*x509.Certificate, isPrecert bool, timestamp uint64) (*ctonly.Entry, error) {
+	leaf := ctonly.Entry{
+		IsPrecert: isPrecert,
+		Timestamp: timestamp,
+	}
+
+	if len(chain) > 1 {
+		issuersChain := make([][32]byte, len(chain)-1)
+		for i, c := range chain[1:] {
+			issuersChain[i] = sha256.Sum256(c.Raw)
+		}
+		leaf.FingerprintsChain = issuersChain
+	}
+
+	if !isPrecert {
+		leaf.Certificate = chain[0].Raw
+		return &leaf, nil
+	}
+
+	// Pre-certs are more complicated. First, parse the leaf pre-cert and its
+	// putative issuer.
+	if len(chain) < 2 {
+		return nil, fmt.Errorf("no issuer cert available for precert leaf building")
+	}
+	issuer := chain[1]
+	cert := chain[0]
+
+	var preIssuer *x509.Certificate
+	if isPreIssuer(issuer) {
+		// Replace the cert's issuance information with details from the pre-issuer.
+		preIssuer = issuer
+
+		// The issuer of the pre-cert is not going to be the issuer of the final
+		// cert.  Change to use the final issuer's key hash.
+		if len(chain) < 3 {
+			return nil, fmt.Errorf("no issuer cert available for pre-issuer")
+		}
+		issuer = chain[2]
+	}
+
+	// Next, post-process the DER-encoded TBSCertificate, to remove the CT poison
+	// extension and possibly update the issuer field.
+	defangedTBS, err := BuildPrecertTBS(cert.RawTBSCertificate, preIssuer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to remove poison extension: %v", err)
+	}
+
+	leaf.Precertificate = cert.Raw
+	// TODO(phboneff): do we need this?
+	// leaf.PrecertSigningCert = issuer.Raw
+	leaf.Certificate = defangedTBS
+
+	issuerKeyHash := sha256.Sum256(issuer.RawSubjectPublicKeyInfo)
+	leaf.IssuerKeyHash = issuerKeyHash[:]
+	return &leaf, nil
+}
+
+// isPreIssuer indicates whether a certificate is a pre-cert issuer with the specific
+// certificate transparency extended key usage.
+func isPreIssuer(cert *x509.Certificate) bool {
+	// Look for the extension in the Extensions field and not ExtKeyUsage
+	// since crypto/x509 does not recognize this extension as an ExtKeyUsage.
+	for _, ext := range cert.Extensions {
+		if rfc6962.OIDExtKeyUsageCertificateTransparency.Equal(ext.Id) {
+			return true
+		}
+	}
+	return false
+}