aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-02 23:28:58 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-02 23:28:58 +0100
commitc210c80e80231143f6eaa0f39e8e1d3303983791 (patch)
tree83b3bb9cbe4947bfd3ddbebb7694f9442834a22c
parent801afaa9147c4f70fc00fde1993f6ce0c91bd450 (diff)
added start on stfe client
ChecksumV1 entries can be submitted using client-side ed25519 signatures. The resulting SignedDebugInfoV1 is then verified using the log's announced signature scheme and public key (currently only ed25519).
-rw-r--r--client/add-entry/main.go150
-rw-r--r--client/client.go139
-rw-r--r--server/descriptor/.descriptor.go.swpbin0 -> 12288 bytes
-rw-r--r--server/descriptor/stfe.json4
-rw-r--r--server/testdata/chain/ee.csr7
-rw-r--r--server/testdata/chain/ee.key3
-rw-r--r--server/testdata/chain/ee.pem9
-rw-r--r--server/testdata/chain/rgdd-root.srl2
-rw-r--r--verify.go32
-rw-r--r--x509.go6
10 files changed, 346 insertions, 6 deletions
diff --git a/client/add-entry/main.go b/client/add-entry/main.go
new file mode 100644
index 0000000..693aca8
--- /dev/null
+++ b/client/add-entry/main.go
@@ -0,0 +1,150 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+
+ "crypto/ed25519"
+ "crypto/x509"
+ "encoding/base64"
+ "encoding/json"
+ "encoding/pem"
+ "io/ioutil"
+ "net/http"
+
+ "github.com/golang/glog"
+ "github.com/system-transparency/stfe/client"
+ "github.com/system-transparency/stfe/server/descriptor"
+)
+
+var (
+ operators = flag.String("operators", "../../server/descriptor/stfe.json", "path to json-encoded list of log operators")
+ logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
+ chain = flag.String("chain", "../../server/testdata/chain/ee.pem", "path to pem-encoded certificate chain that the log accepts")
+ key = flag.String("key", "../../server/testdata/chain/ee.key", "path to ed25519 private key that corresponds to the chain's end-entity certificate")
+ name = flag.String("name", "foobar-1.2.3", "package name")
+ checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded package checksum")
+)
+
+func main() {
+ flag.Parse()
+
+ client, err := setup()
+ if err != nil {
+ glog.Fatal(err)
+ }
+
+ pname, psum, err := params()
+ if err != nil {
+ glog.Fatal(err)
+ }
+
+ sdi, err := client.AddEntry(context.Background(), pname, psum)
+ if err != nil {
+ glog.Fatalf("add-entry failed: %v", err)
+ }
+ glog.Infof("got valid StItem: %v", sdi)
+ glog.Flush()
+}
+
+func params() ([]byte, []byte, error) {
+ b, err := base64.StdEncoding.DecodeString(*checksum)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed decoding checksum: %v", err)
+ }
+ return []byte(*name), b, nil
+}
+
+func setup() (*client.Client, error) {
+ blob, err := ioutil.ReadFile(*chain)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading certificate chain: %v", err)
+ }
+ c, err := parseChain(blob)
+ if err != nil {
+ return nil, fmt.Errorf("failed loading certificate chain: %v", err)
+ }
+
+ blob, err = ioutil.ReadFile(*key)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading ed25519 private key: %v", err)
+ }
+ k, err := parseEd25519PrivateKey(blob)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding ed25519 private key: %v", err)
+ }
+
+ blob, err = ioutil.ReadFile(*operators)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading log operators: %v", err)
+ }
+ var ops []descriptor.Operator
+ if err := json.Unmarshal(blob, &ops); err != nil {
+ return nil, fmt.Errorf("failed decoding log operators: %v", err)
+ }
+
+ id, err := base64.StdEncoding.DecodeString(*logId)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding log identifier: %v", err)
+ }
+
+ // TODO: define FindLog() for []Operator
+ var log *descriptor.Log
+ for _, op := range ops {
+ l, err := op.FindLog(id)
+ if err == nil {
+ log = l
+ break
+ }
+ }
+ if log == nil {
+ return nil, fmt.Errorf("unknown log identifier: %v", err)
+ }
+ return client.NewClient(log, &http.Client{}, c, &k), nil
+}
+
+func parseEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) {
+ block, rest := pem.Decode(data)
+ if block == nil {
+ return nil, fmt.Errorf("pem block: is empty")
+ }
+ if block.Type != "PRIVATE KEY" {
+ return nil, fmt.Errorf("bad pem block type: %v", block.Type)
+ }
+ if len(rest) != 0 {
+ return nil, fmt.Errorf("pem block: trailing data")
+ }
+
+ key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+ if err != nil {
+ fmt.Errorf("x509 parser failed: %v", err)
+ }
+ switch t := key.(type) {
+ case ed25519.PrivateKey:
+ return key.(ed25519.PrivateKey), nil
+ default:
+ return nil, fmt.Errorf("unexpected signing key type: %v", t)
+ }
+}
+
+func parseChain(rest []byte) ([]*x509.Certificate, error) {
+ var chain []*x509.Certificate
+ for len(rest) > 0 {
+ var block *pem.Block
+ block, rest = pem.Decode(rest)
+ if block == nil {
+ break
+ }
+ if block.Type != "CERTIFICATE" {
+ return nil, fmt.Errorf("unexpected pem block type: %v", block.Type)
+ }
+
+ certificate, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("failed parsing x509 certificate: %v", err)
+ }
+ chain = append(chain, certificate)
+ }
+ return chain, nil
+}
diff --git a/client/client.go b/client/client.go
new file mode 100644
index 0000000..e1663a0
--- /dev/null
+++ b/client/client.go
@@ -0,0 +1,139 @@
+package client
+
+import (
+ "bytes"
+ "context"
+ "fmt"
+
+ "crypto/ed25519"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/base64"
+ "encoding/json"
+ "io/ioutil"
+ "net/http"
+
+ "github.com/golang/glog"
+ "github.com/system-transparency/stfe"
+ "github.com/system-transparency/stfe/server/descriptor"
+ "golang.org/x/net/context/ctxhttp"
+)
+
+type Client struct {
+ Log *descriptor.Log
+ Client *http.Client
+ Chain []*x509.Certificate
+ PrivateKey *ed25519.PrivateKey
+}
+
+// NewClient returns a new log client
+func NewClient(log *descriptor.Log, client *http.Client, chain []*x509.Certificate, privateKey *ed25519.PrivateKey) *Client {
+ return &Client{
+ Log: log,
+ Chain: chain,
+ Client: client,
+ PrivateKey: privateKey,
+ }
+}
+
+func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StItem, error) {
+ glog.V(3).Info("creating add-entry request")
+ leaf, err := stfe.NewChecksumV1(name, checksum).Marshal()
+ if err != nil {
+ return nil, fmt.Errorf("failed marshaling StItem: %v", err)
+ }
+ data, err := json.Marshal(struct {
+ Item string `json:"item"`
+ Scheme uint16 `json:"signature_scheme"`
+ Signature string `json:"signature"`
+ Chain []string `json:"chain"`
+ }{
+ Item: base64.StdEncoding.EncodeToString(leaf),
+ Scheme: uint16(tls.Ed25519),
+ Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(*c.PrivateKey, serialized)),
+ Chain: c.b64Chain(),
+ })
+ if err != nil {
+ return nil, fmt.Errorf("failed creating post data: %v", err)
+ }
+ // TODO: make http(s) config option
+ req, err := http.NewRequest("POST", "http://"+c.Log.BaseUrl+"/add-entry", bytes.NewBuffer(data))
+ if err != nil {
+ return nil, fmt.Errorf("failed creating http request: %v", err)
+ }
+ req.Header.Set("Content-Type", "application/json")
+
+ var itemStr string
+ if err := c.doRequest(ctx, req, &itemStr); err != nil {
+ return nil, err
+ }
+ b, err := base64.StdEncoding.DecodeString(itemStr)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding base64 body: %v", err)
+ }
+ var item stfe.StItem
+ if err := item.Unmarshal(b); err != nil {
+ return nil, fmt.Errorf("failed decoding StItem: %v", err)
+ }
+
+ if item.Format != stfe.StFormatSignedDebugInfoV1 {
+ return nil, fmt.Errorf("bad StItem format: %v", item.Format)
+ }
+ if err := item.SignedDebugInfoV1.Verify(c.Log.Scheme, c.Log.PublicKey, serialized); err != nil {
+ return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err)
+ }
+ return &item, nil
+}
+
+func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface{}) error {
+ glog.V(3).Infof("sending request: %v %v", req.Method, req.URL)
+ rsp, err := ctxhttp.Do(ctx, c.Client, req)
+ if err != nil {
+ return fmt.Errorf("http request failed: %v", err)
+ }
+ body, err := ioutil.ReadAll(rsp.Body)
+ rsp.Body.Close()
+ if err != nil {
+ return fmt.Errorf("http body read failed: %v", err)
+ }
+ if rsp.StatusCode != http.StatusOK {
+ return fmt.Errorf("http status code not ok: %v", rsp.StatusCode)
+ }
+ if err := json.Unmarshal(body, out); err != nil {
+ return fmt.Errorf("failed decoding json body: %v", err)
+ }
+ return nil
+}
+
+func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-sth request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetConsistencyProof(ctx context.Context, first, second uint64) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-consistency-proof request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, hash []byte) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-proof-by-hash request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetEntries(ctx context.Context, start, end uint64) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-entries request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetAnchors(ctx context.Context, start, end uint64) ([]*x509.Certificate, error) {
+ glog.V(2).Info("creating get-anchors request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) b64Chain() []string {
+ chain := make([]string, 0, len(c.Chain))
+ for _, cert := range c.Chain {
+ chain = append(chain, base64.StdEncoding.EncodeToString(cert.Raw))
+ }
+ return chain
+}
diff --git a/server/descriptor/.descriptor.go.swp b/server/descriptor/.descriptor.go.swp
new file mode 100644
index 0000000..e12d5cd
--- /dev/null
+++ b/server/descriptor/.descriptor.go.swp
Binary files differ
diff --git a/server/descriptor/stfe.json b/server/descriptor/stfe.json
index 69e84a0..d987c47 100644
--- a/server/descriptor/stfe.json
+++ b/server/descriptor/stfe.json
@@ -5,11 +5,11 @@
"logs": [
{
"max_chain": 3,
- "log_id": "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=",
+ "id": "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=",
"signature_schemes": [
2055
],
- "base_url": "example.com/st/v1",
+ "base_url": "localhost:6965/st/v1",
"signature_scheme": 2055,
"public_key": "MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0="
}
diff --git a/server/testdata/chain/ee.csr b/server/testdata/chain/ee.csr
new file mode 100644
index 0000000..d3b6059
--- /dev/null
+++ b/server/testdata/chain/ee.csr
@@ -0,0 +1,7 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIHEMHgCAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAqMAUGAytlcAMhAN2ydopX
+PU0rUaZg/tLvkc/5rKf5YcE1KU8mvMKRTTS1oAAwBQYDK2VwA0EAW3tF+3WqTY90
+0vVJCKEEokWfGFJGXwelJu0qMOIiZ3i5tVJGNtnzamALIEm5MwZX9XxFJnDUZ/G1
+OS8P7r2wBg==
+-----END CERTIFICATE REQUEST-----
diff --git a/server/testdata/chain/ee.key b/server/testdata/chain/ee.key
new file mode 100644
index 0000000..e0d4e18
--- /dev/null
+++ b/server/testdata/chain/ee.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEICoNwxwXHgfQsmCP3bcmyCr2qPnk4s602txur6Fv18+b
+-----END PRIVATE KEY-----
diff --git a/server/testdata/chain/ee.pem b/server/testdata/chain/ee.pem
new file mode 100644
index 0000000..a3de1db
--- /dev/null
+++ b/server/testdata/chain/ee.pem
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBRDCB9wIUDVhYPJbWJnID0hWjpfR51SpAM/owBQYDK2VwMEUxCzAJBgNVBAYT
+AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
+aXRzIFB0eSBMdGQwHhcNMjAxMTAyMTkwMzMzWhcNMjMwODIzMTkwMzMzWjBFMQsw
+CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEA3bJ2ilc9TStRpmD+0u+Rz/ms
+p/lhwTUpTya8wpFNNLUwBQYDK2VwA0EARtet9+teezrMe6ACgIvTHgFrIsnyNr+N
+nu6m5oNnGKzmSnyGdrPGY8RlaEBwEn/6tb/ahI6+VLDaDEJjW8BVAA==
+-----END CERTIFICATE-----
diff --git a/server/testdata/chain/rgdd-root.srl b/server/testdata/chain/rgdd-root.srl
index dac138f..a0a5632 100644
--- a/server/testdata/chain/rgdd-root.srl
+++ b/server/testdata/chain/rgdd-root.srl
@@ -1 +1 @@
-0D58583C96D6267203D215A3A5F479D52A4033F9
+0D58583C96D6267203D215A3A5F479D52A4033FA
diff --git a/verify.go b/verify.go
new file mode 100644
index 0000000..fbcf6df
--- /dev/null
+++ b/verify.go
@@ -0,0 +1,32 @@
+package stfe
+
+import (
+ "fmt"
+
+ "crypto/ed25519"
+ "crypto/tls"
+ "crypto/x509"
+)
+
+func (sdi *SignedDebugInfoV1) Verify(scheme tls.SignatureScheme, publicKey, message []byte) error {
+ if scheme != tls.Ed25519 {
+ return fmt.Errorf("unsupported signature scheme: %v", scheme)
+ }
+
+ // TODO: fix so that publicKey is already passed as crypto.PublicKey
+ k, err := x509.ParsePKIXPublicKey(publicKey)
+ if err != nil {
+ return fmt.Errorf("failed parsing public key: %v", err)
+ }
+
+ switch t := k.(type) {
+ case ed25519.PublicKey:
+ vk := k.(ed25519.PublicKey)
+ if !ed25519.Verify(vk, message, sdi.Signature) {
+ return fmt.Errorf("invalid signature: PublicKey(%v) Message(%v) Signature(%v)", vk, message, sdi.Signature)
+ }
+ return nil
+ default:
+ return fmt.Errorf("Unsupported public key: %s", t)
+ }
+}
diff --git a/x509.go b/x509.go
index be7d150..46728f2 100644
--- a/x509.go
+++ b/x509.go
@@ -156,12 +156,12 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif
// verifySignature checks if signature is valid for some serialized data. The
// only supported signature scheme is ecdsa_secp256r1_sha256(0x0403), see ยง4.3.2
-// in RFC 8446. TODO: replace ECDSA with ed25519(0x0807)
+// in RFC 8446.
func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error {
- if scheme != tls.ECDSAWithP256AndSHA256 {
+ if scheme != tls.Ed25519 {
return fmt.Errorf("unsupported signature scheme: %v", scheme)
}
- if err := certificate.CheckSignature(x509.ECDSAWithSHA256, serialized, signature); err != nil {
+ if err := certificate.CheckSignature(x509.PureEd25519, serialized, signature); err != nil {
return fmt.Errorf("invalid signature: %v", err)
}
return nil