refactored signing/verification parts that are log specific

These methods are now private and attached to LogParameters.

3 files changed, 32 insertions, 31 deletions

diff --git a/handler.go b/handler.go
index 7366761..1099527 100644
--- a/handler.go
+++ b/handler.go
@@ -72,7 +72,7 @@ func addEntry(ctx context.Context, i *Instance, w http.ResponseWriter, r *http.R
 		return status, err
 	}
 
-	sdi, err := GenV1SDI(i.LogParameters, trsp.QueuedLeaf.Leaf.LeafValue)
+	sdi, err := i.LogParameters.genV1Sdi(trsp.QueuedLeaf.Leaf.LeafValue)
 	if err != nil {
 		return http.StatusInternalServerError, fmt.Errorf("failed creating signed debug info: %v", err)
 	}
@@ -208,7 +208,7 @@ func getSth(ctx context.Context, i *Instance, w http.ResponseWriter, _ *http.Req
 	if err != nil {
 		return http.StatusInternalServerError, fmt.Errorf("failed creating tree head: %v", err)
 	}
-	sth, err := GenV1STH(i.LogParameters, th)
+	sth, err := i.LogParameters.genV1Sth(th)
 	if err != nil {
 		return http.StatusInternalServerError, fmt.Errorf("failed creating signed tree head: %v", err)
 	}
diff --git a/reqres.go b/reqres.go
index 20721f1..2fcbcfb 100644
--- a/reqres.go
+++ b/reqres.go
@@ -66,13 +66,13 @@ func (lp *LogParameters) newAddEntryRequest(r *http.Request) ([]byte, []byte, er
 	}
 
 	// Check that there is a valid trust anchor
-	chain, err := buildChainFromDerList(lp, entry.Chain)
+	chain, err := lp.buildChainFromDerList(entry.Chain)
 	if err != nil {
 		return nil, nil, fmt.Errorf("invalid certificate chain: %v", err)
 	}
 
 	// Check that there is a valid signature
-	if err := verifySignature(lp, chain[0], tls.SignatureScheme(entry.SignatureScheme), entry.Item, entry.Signature); err != nil {
+	if err := lp.verifySignature(chain[0], tls.SignatureScheme(entry.SignatureScheme), entry.Item, entry.Signature); err != nil {
 		return nil, nil, fmt.Errorf("invalid signature: %v", err)
 	}
 
diff --git a/x509.go b/x509.go
index 87adb80..7f74e93 100644
--- a/x509.go
+++ b/x509.go
@@ -81,29 +81,6 @@ func ParseEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) {
 	}
 }
 
-func GenV1SDI(lp *LogParameters, serialized []byte) (*StItem, error) {
-	sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
-	if err != nil {
-		return nil, fmt.Errorf("ed25519 signature failed: %v", err)
-	}
-	lastSdiTimestamp.Set(float64(time.Now().Unix()), lp.id())
-	return NewSignedDebugInfoV1(lp.LogId, []byte("reserved"), sig), nil
-}
-
-func GenV1STH(lp *LogParameters, th *TreeHeadV1) (*StItem, error) {
-	serialized, err := th.Marshal()
-	if err != nil {
-		return nil, fmt.Errorf("failed tls marshaling tree head: %v", err)
-	}
-	sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
-	if err != nil {
-		return nil, fmt.Errorf("ed25519 signature failed: %v", err)
-	}
-	lastSthTimestamp.Set(float64(time.Now().Unix()), lp.id())
-	lastSthSize.Set(float64(th.TreeSize), lp.id())
-	return NewSignedTreeHeadV1(th, lp.LogId, sig), nil
-}
-
 // LoadChain loads a PEM-encoded certificate chain from a given path
 func LoadChain(path string) ([]*x509.Certificate, error) {
 	blob, err := ioutil.ReadFile(path)
@@ -159,7 +136,7 @@ func ParseDerChain(chain [][]byte) (*x509.Certificate, *x509.CertPool, error) {
 	return certificate, intermediatePool, nil
 }
 
-func buildChainFromDerList(lp *LogParameters, derChain [][]byte) ([]*x509.Certificate, error) {
+func (lp *LogParameters) buildChainFromDerList(derChain [][]byte) ([]*x509.Certificate, error) {
 	certificate, intermediatePool, err := ParseDerChain(derChain)
 	if err != nil {
 		return nil, err
@@ -189,9 +166,8 @@ func buildChainFromDerList(lp *LogParameters, derChain [][]byte) ([]*x509.Certif
 }
 
 // verifySignature checks if signature is valid for some serialized data.  The
-// only supported signature scheme is ecdsa_secp256r1_sha256(0x0403), see §4.3.2
-// in RFC 8446.
-func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error {
+// only supported signature scheme is ed25519(0x0807), see §4.2.3 in RFC 8446.
+func (lp *LogParameters) verifySignature(certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error {
 	if scheme != tls.Ed25519 {
 		return fmt.Errorf("unsupported signature scheme: %v", scheme)
 	}
@@ -200,3 +176,28 @@ func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls
 	}
 	return nil
 }
+
+// genV1Sdi issues a new SignedDebugInfoV1 StItem from a serialized leaf value
+func (lp *LogParameters) genV1Sdi(serialized []byte) (*StItem, error) {
+	sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
+	if err != nil {
+		return nil, fmt.Errorf("ed25519 signature failed: %v", err)
+	}
+	lastSdiTimestamp.Set(float64(time.Now().Unix()), lp.id())
+	return NewSignedDebugInfoV1(lp.LogId, []byte("reserved"), sig), nil
+}
+
+// genV1Sth issues a new SignedTreeHeadV1 StItem from a TreeHeadV1 structure
+func (lp *LogParameters) genV1Sth(th *TreeHeadV1) (*StItem, error) {
+	serialized, err := th.Marshal()
+	if err != nil {
+		return nil, fmt.Errorf("failed tls marshaling tree head: %v", err)
+	}
+	sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
+	if err != nil {
+		return nil, fmt.Errorf("ed25519 signature failed: %v", err)
+	}
+	lastSthTimestamp.Set(float64(time.Now().Unix()), lp.id())
+	lastSthSize.Set(float64(th.TreeSize), lp.id())
+	return NewSignedTreeHeadV1(th, lp.LogId, sig), nil
+}