drop MerkleTreeLeafFromChain

Author: phbnf

internal/scti/signatures.go

@@ -64,6 +64,7 @@ func serializeSCTSignatureInput(sct types.SignedCertificateTimestamp, entry type
 }
 
 // TODO(phboneff): create an SCTSigner object
+// TODO(phboneff): see if we can change leaf to idx and entry
 func buildV1SCT(signer crypto.Signer, leaf *types.MerkleTreeLeaf) (*types.SignedCertificateTimestamp, error) {
 	// Serialize SCT signature input to get the bytes that need to be signed
 	sctInput := types.SignedCertificateTimestamp{
@@ -131,61 +132,6 @@ func serializeSTHSignatureInput(sth types.SignedTreeHead) ([]byte, error) {
 	}
 }
 
-// MerkleTreeLeafFromChain generates a MerkleTreeLeaf from a chain and timestamp.
-// TODO(phboneff): delete this function and use entryFromChain instead.
-func MerkleTreeLeafFromChain(chain []*x509.Certificate, etype types.LogEntryType, timestamp uint64) (*types.MerkleTreeLeaf, error) {
-	leaf := types.MerkleTreeLeaf{
-		Version:  types.V1,
-		LeafType: types.TimestampedEntryLeafType,
-		TimestampedEntry: &types.TimestampedEntry{
-			EntryType: etype,
-			Timestamp: timestamp,
-		},
-	}
-	if etype == types.X509LogEntryType {
-		leaf.TimestampedEntry.X509Entry = &types.ASN1Cert{Data: chain[0].Raw}
-		return &leaf, nil
-	}
-	if etype != types.PrecertLogEntryType {
-		return nil, fmt.Errorf("unknown LogEntryType %d", etype)
-	}
-
-	// Pre-certs are more complicated. First, parse the leaf pre-cert and its
-	// putative issuer.
-	if len(chain) < 2 {
-		return nil, fmt.Errorf("no issuer cert available for precert leaf building")
-	}
-	issuer := chain[1]
-	cert := chain[0]
-
-	var preIssuer *x509.Certificate
-	if isPreIssuer(issuer) {
-		// Replace the cert's issuance information with details from the pre-issuer.
-		preIssuer = issuer
-
-		// The issuer of the pre-cert is not going to be the issuer of the final
-		// cert.  Change to use the final issuer's key hash.
-		if len(chain) < 3 {
-			return nil, fmt.Errorf("no issuer cert available for pre-issuer")
-		}
-		issuer = chain[2]
-	}
-
-	// Next, post-process the DER-encoded TBSCertificate, to remove the CT poison
-	// extension and possibly update the issuer field.
-	defangedTBS, err := x509.BuildPrecertTBS(cert.RawTBSCertificate, preIssuer)
-	if err != nil {
-		return nil, fmt.Errorf("failed to remove poison extension: %v", err)
-	}
-
-	leaf.TimestampedEntry.EntryType = types.PrecertLogEntryType
-	leaf.TimestampedEntry.PrecertEntry = &types.PreCert{
-		IssuerKeyHash:  sha256.Sum256(issuer.RawSubjectPublicKeyInfo),
-		TBSCertificate: defangedTBS,
-	}
-	return &leaf, nil
-}
-
 // buildCp builds a https://c2sp.org/static-ct-api checkpoint.
 // TODO(phboneff): add tests
 func buildCp(signer crypto.Signer, size uint64, timeMilli uint64, hash []byte) ([]byte, error) {

internal/scti/signatures_test.go

@@ -46,6 +46,7 @@ const (
 	defaultPrecertIssuerHashString string = "iamapublickeyshatwofivesixdigest"
 	defaultPrecertTBSString        string = "tbs"
 
+	// TODO(phboneff): add extension and regenerate data
 	defaultCertificateSCTSignatureInputHexString string =
 	// version, 1 byte
 	"00" +
@@ -80,6 +81,7 @@ const (
 		// tbs certificate, 3 bytes
 		"746273" +
 		// extensions length, 2 bytes
+		// TODO(phboneff)
 		"0000" +
 		// extensions, 0 bytes
 		""
@@ -251,11 +253,19 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 		t.Fatalf("could not create signer: %v", err)
 	}
 
-	leaf, err := MerkleTreeLeafFromChain([]*x509.Certificate{cert}, types.X509LogEntryType, fixedTimeMillis)
+	// Use the same cert as the issuer for convenience.
+	entry, err := entryFromChain([]*x509.Certificate{cert, cert}, false, fixedTimeMillis)
 	if err != nil {
 		t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 	}
-	got, err := buildV1SCT(signer, leaf)
+	var leaf types.MerkleTreeLeaf
+	leafValue := entry.MerkleTreeLeaf(0)
+	if rest, err := tls.Unmarshal(leafValue, &leaf); err != nil {
+		t.Fatalf("failed to reconstruct MerkleTreeLeaf: %s", err)
+	} else if len(rest) > 0 {
+		t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
+	}
+	got, err := buildV1SCT(signer, &leaf)
 	if err != nil {
 		t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 	}
@@ -264,6 +274,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 		SCTVersion: 0,
 		LogID:      types.LogID{KeyID: demoLogID},
 		Timestamp:  fixedTimeMillis,
+		// TODO(phboneff): add extension
 		Extensions: types.CTExtensions{},
 		Signature: types.DigitallySigned{
 			Algorithm: tls.SignatureAndHashAlgorithm{
@@ -307,11 +318,19 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 	}
 
 	// Use the same cert as the issuer for convenience.
-	leaf, err := MerkleTreeLeafFromChain([]*x509.Certificate{cert, cert}, types.PrecertLogEntryType, fixedTimeMillis)
+	entry, err := entryFromChain([]*x509.Certificate{cert, cert}, true, fixedTimeMillis)
 	if err != nil {
 		t.Fatalf("buildV1MerkleTreeLeafForCert()=nil,%v; want _,nil", err)
 	}
-	got, err := buildV1SCT(signer, leaf)
+	var leaf types.MerkleTreeLeaf
+	leafValue := entry.MerkleTreeLeaf(0)
+	if rest, err := tls.Unmarshal(leafValue, &leaf); err != nil {
+		t.Fatalf("failed to reconstruct MerkleTreeLeaf: %s", err)
+	} else if len(rest) > 0 {
+		t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
+	}
+
+	got, err := buildV1SCT(signer, &leaf)
 	if err != nil {
 		t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 	}
@@ -320,6 +339,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 		SCTVersion: 0,
 		LogID:      types.LogID{KeyID: demoLogID},
 		Timestamp:  fixedTimeMillis,
+		// TODO(phboneff): add extension
 		Extensions: types.CTExtensions{},
 		Signature: types.DigitallySigned{
 			Algorithm: tls.SignatureAndHashAlgorithm{