aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-05 12:24:01 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-05 12:24:01 +0100
commitcb8498119a0a3aaf34e09191e5e172173fdbc8ca (patch)
treeddf4cd77b348ba133586fd60fc0a749a2d472165
parent8bb721bed66d09e27c9577d88d40cb1e48a8783d (diff)
refactored signing/verification parts that are log specific
These methods are now private and attached to LogParameters.
-rw-r--r--handler.go4
-rw-r--r--reqres.go4
-rw-r--r--x509.go55
3 files changed, 32 insertions, 31 deletions
diff --git a/handler.go b/handler.go
index 7366761..1099527 100644
--- a/handler.go
+++ b/handler.go
@@ -72,7 +72,7 @@ func addEntry(ctx context.Context, i *Instance, w http.ResponseWriter, r *http.R
return status, err
}
- sdi, err := GenV1SDI(i.LogParameters, trsp.QueuedLeaf.Leaf.LeafValue)
+ sdi, err := i.LogParameters.genV1Sdi(trsp.QueuedLeaf.Leaf.LeafValue)
if err != nil {
return http.StatusInternalServerError, fmt.Errorf("failed creating signed debug info: %v", err)
}
@@ -208,7 +208,7 @@ func getSth(ctx context.Context, i *Instance, w http.ResponseWriter, _ *http.Req
if err != nil {
return http.StatusInternalServerError, fmt.Errorf("failed creating tree head: %v", err)
}
- sth, err := GenV1STH(i.LogParameters, th)
+ sth, err := i.LogParameters.genV1Sth(th)
if err != nil {
return http.StatusInternalServerError, fmt.Errorf("failed creating signed tree head: %v", err)
}
diff --git a/reqres.go b/reqres.go
index 20721f1..2fcbcfb 100644
--- a/reqres.go
+++ b/reqres.go
@@ -66,13 +66,13 @@ func (lp *LogParameters) newAddEntryRequest(r *http.Request) ([]byte, []byte, er
}
// Check that there is a valid trust anchor
- chain, err := buildChainFromDerList(lp, entry.Chain)
+ chain, err := lp.buildChainFromDerList(entry.Chain)
if err != nil {
return nil, nil, fmt.Errorf("invalid certificate chain: %v", err)
}
// Check that there is a valid signature
- if err := verifySignature(lp, chain[0], tls.SignatureScheme(entry.SignatureScheme), entry.Item, entry.Signature); err != nil {
+ if err := lp.verifySignature(chain[0], tls.SignatureScheme(entry.SignatureScheme), entry.Item, entry.Signature); err != nil {
return nil, nil, fmt.Errorf("invalid signature: %v", err)
}
diff --git a/x509.go b/x509.go
index 87adb80..7f74e93 100644
--- a/x509.go
+++ b/x509.go
@@ -81,29 +81,6 @@ func ParseEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) {
}
}
-func GenV1SDI(lp *LogParameters, serialized []byte) (*StItem, error) {
- sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
- if err != nil {
- return nil, fmt.Errorf("ed25519 signature failed: %v", err)
- }
- lastSdiTimestamp.Set(float64(time.Now().Unix()), lp.id())
- return NewSignedDebugInfoV1(lp.LogId, []byte("reserved"), sig), nil
-}
-
-func GenV1STH(lp *LogParameters, th *TreeHeadV1) (*StItem, error) {
- serialized, err := th.Marshal()
- if err != nil {
- return nil, fmt.Errorf("failed tls marshaling tree head: %v", err)
- }
- sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
- if err != nil {
- return nil, fmt.Errorf("ed25519 signature failed: %v", err)
- }
- lastSthTimestamp.Set(float64(time.Now().Unix()), lp.id())
- lastSthSize.Set(float64(th.TreeSize), lp.id())
- return NewSignedTreeHeadV1(th, lp.LogId, sig), nil
-}
-
// LoadChain loads a PEM-encoded certificate chain from a given path
func LoadChain(path string) ([]*x509.Certificate, error) {
blob, err := ioutil.ReadFile(path)
@@ -159,7 +136,7 @@ func ParseDerChain(chain [][]byte) (*x509.Certificate, *x509.CertPool, error) {
return certificate, intermediatePool, nil
}
-func buildChainFromDerList(lp *LogParameters, derChain [][]byte) ([]*x509.Certificate, error) {
+func (lp *LogParameters) buildChainFromDerList(derChain [][]byte) ([]*x509.Certificate, error) {
certificate, intermediatePool, err := ParseDerChain(derChain)
if err != nil {
return nil, err
@@ -189,9 +166,8 @@ func buildChainFromDerList(lp *LogParameters, derChain [][]byte) ([]*x509.Certif
}
// verifySignature checks if signature is valid for some serialized data. The
-// only supported signature scheme is ecdsa_secp256r1_sha256(0x0403), see §4.3.2
-// in RFC 8446.
-func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error {
+// only supported signature scheme is ed25519(0x0807), see §4.2.3 in RFC 8446.
+func (lp *LogParameters) verifySignature(certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error {
if scheme != tls.Ed25519 {
return fmt.Errorf("unsupported signature scheme: %v", scheme)
}
@@ -200,3 +176,28 @@ func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls
}
return nil
}
+
+// genV1Sdi issues a new SignedDebugInfoV1 StItem from a serialized leaf value
+func (lp *LogParameters) genV1Sdi(serialized []byte) (*StItem, error) {
+ sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
+ if err != nil {
+ return nil, fmt.Errorf("ed25519 signature failed: %v", err)
+ }
+ lastSdiTimestamp.Set(float64(time.Now().Unix()), lp.id())
+ return NewSignedDebugInfoV1(lp.LogId, []byte("reserved"), sig), nil
+}
+
+// genV1Sth issues a new SignedTreeHeadV1 StItem from a TreeHeadV1 structure
+func (lp *LogParameters) genV1Sth(th *TreeHeadV1) (*StItem, error) {
+ serialized, err := th.Marshal()
+ if err != nil {
+ return nil, fmt.Errorf("failed tls marshaling tree head: %v", err)
+ }
+ sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
+ if err != nil {
+ return nil, fmt.Errorf("ed25519 signature failed: %v", err)
+ }
+ lastSthTimestamp.Set(float64(time.Now().Unix()), lp.id())
+ lastSthSize.Set(float64(th.TreeSize), lp.id())
+ return NewSignedTreeHeadV1(th, lp.LogId, sig), nil
+}