diff options
author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-23 18:01:10 +0200 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-23 18:01:10 +0200 |
commit | 9b38f5a034486c27eaf81062ecdd86a72667e2b0 (patch) | |
tree | f2c7a4e4c485214f81aa66882ea69f93c1aa85d1 /reqres.go | |
parent | 7d62710808a38102c09c4f18b1309bf63051db5e (diff) |
added basic trust-anchor code path
Pretty much the bare minimum to load trust anchors from file and check
that the submitter's certificate chains back to something valid.
Diffstat (limited to 'reqres.go')
-rw-r--r-- | reqres.go | 20 |
1 files changed, 17 insertions, 3 deletions
@@ -10,6 +10,7 @@ import ( "net/http" "github.com/google/certificate-transparency-go/tls" + "github.com/google/certificate-transparency-go/trillian/ctfe" "github.com/google/trillian" ) @@ -143,10 +144,23 @@ func NewGetProofByHashResponse(treeSize uint64, inclusionProof *trillian.Proof) // VerifyAddEntryRequest determines whether a well-formed AddEntryRequest should // be inserted into the log. If so, the serialized leaf value is returned. -func VerifyAddEntryRequest(r AddEntryRequest) ([]byte, error) { +func VerifyAddEntryRequest(a ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, error) { item, _ := StItemFromB64(r.Item) // r.Item is a well-formed ChecksumV1 - // TODO: verify r.Signature and r.Certificate - leaf, _ := tls.Marshal(item) // again, r.Item is well-formed + leaf, _ := tls.Marshal(item) // again, r.Item is well-formed + + chainBytes, err := base64.StdEncoding.DecodeString(r.Certificate) + if err != nil { + return nil, fmt.Errorf("failed decoding certificate: %v", err) + } + + chain := make([][]byte, 0, 1) + chain = append(chain, chainBytes) + _, err = ctfe.ValidateChain(chain, a) + if err != nil { + return nil, fmt.Errorf("chain verification failed: %v", err) + } + + // TODO: verify signature return leaf, nil } |