added basic trust-anchor code path

Pretty much the bare minimum to load trust anchors from file and check
that the submitter's certificate chains back to something valid.

1 files changed, 17 insertions, 3 deletions

diff --git a/reqres.go b/reqres.go
index d2d40ec..c384d02 100644
--- a/reqres.go
+++ b/reqres.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 
 	"github.com/google/certificate-transparency-go/tls"
+	"github.com/google/certificate-transparency-go/trillian/ctfe"
 	"github.com/google/trillian"
 )
 
@@ -143,10 +144,23 @@ func NewGetProofByHashResponse(treeSize uint64, inclusionProof *trillian.Proof)
 
 // VerifyAddEntryRequest determines whether a well-formed AddEntryRequest should
 // be inserted into the log.  If so, the serialized leaf value is returned.
-func VerifyAddEntryRequest(r AddEntryRequest) ([]byte, error) {
+func VerifyAddEntryRequest(a ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, error) {
 	item, _ := StItemFromB64(r.Item) // r.Item is a well-formed ChecksumV1
-	// TODO: verify r.Signature and r.Certificate
-	leaf, _ := tls.Marshal(item) // again, r.Item is well-formed
+	leaf, _ := tls.Marshal(item)     // again, r.Item is well-formed
+
+	chainBytes, err := base64.StdEncoding.DecodeString(r.Certificate)
+	if err != nil {
+		return nil, fmt.Errorf("failed decoding certificate: %v", err)
+	}
+
+	chain := make([][]byte, 0, 1)
+	chain = append(chain, chainBytes)
+	_, err = ctfe.ValidateChain(chain, a)
+	if err != nil {
+		return nil, fmt.Errorf("chain verification failed: %v", err)
+	}
+
+	// TODO: verify signature
 	return leaf, nil
 }