aboutsummaryrefslogtreecommitdiff
path: root/reqres.go
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-10-23 18:01:10 +0200
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-10-23 18:01:10 +0200
commit9b38f5a034486c27eaf81062ecdd86a72667e2b0 (patch)
treef2c7a4e4c485214f81aa66882ea69f93c1aa85d1 /reqres.go
parent7d62710808a38102c09c4f18b1309bf63051db5e (diff)
added basic trust-anchor code path
Pretty much the bare minimum to load trust anchors from file and check that the submitter's certificate chains back to something valid.
Diffstat (limited to 'reqres.go')
-rw-r--r--reqres.go20
1 files changed, 17 insertions, 3 deletions
diff --git a/reqres.go b/reqres.go
index d2d40ec..c384d02 100644
--- a/reqres.go
+++ b/reqres.go
@@ -10,6 +10,7 @@ import (
"net/http"
"github.com/google/certificate-transparency-go/tls"
+ "github.com/google/certificate-transparency-go/trillian/ctfe"
"github.com/google/trillian"
)
@@ -143,10 +144,23 @@ func NewGetProofByHashResponse(treeSize uint64, inclusionProof *trillian.Proof)
// VerifyAddEntryRequest determines whether a well-formed AddEntryRequest should
// be inserted into the log. If so, the serialized leaf value is returned.
-func VerifyAddEntryRequest(r AddEntryRequest) ([]byte, error) {
+func VerifyAddEntryRequest(a ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, error) {
item, _ := StItemFromB64(r.Item) // r.Item is a well-formed ChecksumV1
- // TODO: verify r.Signature and r.Certificate
- leaf, _ := tls.Marshal(item) // again, r.Item is well-formed
+ leaf, _ := tls.Marshal(item) // again, r.Item is well-formed
+
+ chainBytes, err := base64.StdEncoding.DecodeString(r.Certificate)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding certificate: %v", err)
+ }
+
+ chain := make([][]byte, 0, 1)
+ chain = append(chain, chainBytes)
+ _, err = ctfe.ValidateChain(chain, a)
+ if err != nil {
+ return nil, fmt.Errorf("chain verification failed: %v", err)
+ }
+
+ // TODO: verify signature
return leaf, nil
}