aboutsummaryrefslogtreecommitdiff
path: root/client
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-03 13:17:11 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-03 13:17:11 +0100
commit9ab61d6884a9ac26592723523ed2521c79c47a1a (patch)
tree8607208b2a9f386eec1a39cbe219e09088d28bb3 /client
parent4bef11c59c3e28f0f587b710d56d98c0f26591ad (diff)
fixed signature verification and client get-sth
Diffstat (limited to 'client')
-rw-r--r--client/client.go31
-rw-r--r--client/verify.go55
2 files changed, 67 insertions, 19 deletions
diff --git a/client/client.go b/client/client.go
index 34fa8a2..c9aaee3 100644
--- a/client/client.go
+++ b/client/client.go
@@ -92,30 +92,20 @@ func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StI
return nil, fmt.Errorf("failed creating http request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
- glog.V(2).Infof("created request: %s %s", req.Method, req.URL)
+ glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
- var itemStr string
- if err := c.doRequest(ctx, req, &itemStr); err != nil {
- return nil, err
- }
- b, err := base64.StdEncoding.DecodeString(itemStr)
+ item, err := c.doRequestWithStItemResponse(ctx, req)
if err != nil {
- return nil, fmt.Errorf("failed decoding base64 body: %v", err)
- }
- var item stfe.StItem
- if err := item.Unmarshal(b); err != nil {
- return nil, fmt.Errorf("failed decoding StItem: %v", err)
+ return nil, err
}
- glog.V(3).Infof("got StItem: %s", item)
-
if item.Format != stfe.StFormatSignedDebugInfoV1 {
return nil, fmt.Errorf("bad StItem format: %v", item.Format)
}
- if err := item.SignedDebugInfoV1.Verify(c.Log.Scheme, c.Log.PublicKey, leaf); err != nil {
+
+ if err := VerifySignedDebugInfoV1(item, c.Log.Scheme, c.Log.Key(), leaf); err != nil {
return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err)
}
- glog.V(2).Infof("add-entry request succeeded")
- return &item, nil
+ return item, nil
}
func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
@@ -123,7 +113,7 @@ func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
if err != nil {
return nil, fmt.Errorf("failed creating http request: %v", err)
}
- glog.V(2).Infof("created request: %s %s", req.Method, req.URL)
+ glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
item, err := c.doRequestWithStItemResponse(ctx, req)
if err != nil {
@@ -132,10 +122,10 @@ func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
if item.Format != stfe.StFormatSignedTreeHeadV1 {
return nil, fmt.Errorf("bad StItem format: %v", item.Format)
}
- if err := item.SignedTreeHeadV1.Verify(c.Log.Scheme, c.Log.PublicKey); err != nil {
+
+ if err := VerifySignedTreeHeadV1(item, c.Log.Scheme, c.Log.Key()); err != nil {
return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err)
}
- glog.V(2).Infof("get-sth request succeeded")
return item, nil
}
@@ -187,6 +177,8 @@ func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface
return nil
}
+// doRequestWithStItemResponse sends an HTTP request and returns a decoded
+// StItem that the resulting HTTP response contained json:ed and marshaled
func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Request) (*stfe.StItem, error) {
var itemStr string
if err := c.doRequest(ctx, req, &itemStr); err != nil {
@@ -200,6 +192,7 @@ func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Requ
if err := item.Unmarshal(b); err != nil {
return nil, fmt.Errorf("failed decoding StItem: %v", err)
}
+ glog.V(3).Infof("got StItem: %s", item)
return &item, nil
}
diff --git a/client/verify.go b/client/verify.go
new file mode 100644
index 0000000..cd2023b
--- /dev/null
+++ b/client/verify.go
@@ -0,0 +1,55 @@
+package client
+
+import (
+ "fmt"
+
+ "crypto"
+ "crypto/ed25519"
+ "crypto/tls"
+
+ "github.com/system-transparency/stfe"
+)
+
+// TODO: fix so that publicKey is already passed as crypto.PublicKey
+//k, err := x509.ParsePKIXPublicKey(publicKey)
+//if err != nil {
+// return fmt.Errorf("failed parsing public key: %v", err)
+//}
+
+func VerifySignedDebugInfoV1(sdi *stfe.StItem, scheme tls.SignatureScheme, key crypto.PublicKey, message []byte) error {
+ if err := supportedScheme(scheme, key); err != nil {
+ return err
+ }
+ if !ed25519.Verify(key.(ed25519.PublicKey), message, sdi.SignedDebugInfoV1.Signature) {
+ return fmt.Errorf("bad signature")
+ }
+ return nil
+}
+
+// VerifySignedTreeHeadV1 verifies an STH signature
+func VerifySignedTreeHeadV1(sth *stfe.StItem, scheme tls.SignatureScheme, key crypto.PublicKey) error {
+ serialized, err := sth.SignedTreeHeadV1.TreeHead.Marshal()
+ if err != nil {
+ return fmt.Errorf("failed marshaling tree head: %v", err)
+ }
+ if err := supportedScheme(scheme, key); err != nil {
+ return err
+ }
+
+ if !ed25519.Verify(key.(ed25519.PublicKey), serialized, sth.SignedTreeHeadV1.Signature) {
+ return fmt.Errorf("bad signature")
+ }
+ return nil
+}
+
+// supportedScheme checks whether the client library supports the log's
+// signature scheme and public key type
+func supportedScheme(scheme tls.SignatureScheme, key crypto.PublicKey) error {
+ if _, ok := key.(ed25519.PublicKey); ok && scheme == tls.Ed25519 {
+ return nil
+ }
+ switch t := key.(type) {
+ default:
+ return fmt.Errorf("unsupported scheme(%v) and key(%v)", scheme, t)
+ }
+}