diff options
| -rw-r--r-- | handler.go | 5 | ||||
| -rw-r--r-- | reqres.go | 119 | ||||
| -rw-r--r-- | type.go | 204 | ||||
| -rw-r--r-- | type_test.go | 19 | 
4 files changed, 184 insertions, 163 deletions
| @@ -115,9 +115,8 @@ func unpackRequest(r *http.Request, unpack interface{}) error {  // getEntries provides a list of entries from the Trillian backend  func getEntries(ctx context.Context, i *instance, w http.ResponseWriter, r *http.Request) (int, error) {  	glog.Info("in getEntries") - -	var request GetEntriesRequest -	if err := request.Unpack(r); err != nil { +	request, err := NewGetEntriesRequest(r) +	if err != nil {  		return http.StatusBadRequest, err  	} diff --git a/reqres.go b/reqres.go new file mode 100644 index 0000000..a228c76 --- /dev/null +++ b/reqres.go @@ -0,0 +1,119 @@ +package stfe + +import ( +	"fmt" +	"strconv" + +	"encoding/base64" +	"net/http" + +	"github.com/google/certificate-transparency-go/tls" +	"github.com/google/trillian" +) + +// AddEntryRequest is a collection of add-entry input parameters +type AddEntryRequest struct { +	Item        string `json:"item"` +	Signature   string `json:"signature"` +	Certificate string `json:"certificate"` +} + +// GetEntriesRequest is a collection of get-entry input parameters +type GetEntriesRequest struct { +	Start int64 `json:"start"` +	End   int64 `json:"end"` +} + +// GetProofByHashRequest is a collection of get-proof-by-hash input parameters +type GetProofByHashRequest struct { +	Hash     []byte `json:"hash"` +	TreeSize int64  `json:"tree_size"` +} + +// GetEntryResponse is an assembled log entry and its associated appendix +type GetEntryResponse struct { +	Leaf      string   `json:"leaf"`      // base64-encoded StItem +	Signature string   `json:"signature"` // base64-encoded DigitallySigned +	Chain     []string `json:chain`       // base64-encoded X.509 certificates +} + +// GetEntriesResponse is an assembled get-entries responses +type GetEntriesResponse struct { +	Entries []GetEntryResponse `json:"entries"` +} + +// GetProofByHashResponse is an assembled inclusion proof response +type GetProofByHashResponse struct { +	InclusionProof string `json:"inclusion_proof"` // base64-encoded StItem +} + +// NewGetEntriesRequest parses and sanitizes the URL-encoded get-entries +// parameters from an incoming HTTP request. +func NewGetEntriesRequest(httpRequest *http.Request) (GetEntriesRequest, error) { +	start, err := strconv.ParseInt(httpRequest.FormValue("start"), 10, 64) +	if err != nil { +		return GetEntriesRequest{}, fmt.Errorf("bad start parameter: %v", err) +	} +	end, err := strconv.ParseInt(httpRequest.FormValue("end"), 10, 64) +	if err != nil { +		return GetEntriesRequest{}, fmt.Errorf("bad end parameter: %v", err) +	} + +	if start < 0 { +		return GetEntriesRequest{}, fmt.Errorf("bad parameters: start(%v) must have a non-negative value", start) +	} +	if start > end { +		return GetEntriesRequest{}, fmt.Errorf("bad parameters: start(%v) must be larger than end(%v)", start, end) +	} +	// TODO: check that range is not larger than the max range. Yes -> truncate +	// TODO: check that end is not past the most recent STH. Yes -> truncate +	return GetEntriesRequest{Start: start, End: end}, nil +} + +// NewGetProofByHashRequest parses and sanitizes the URL-encoded +// get-proof-by-hash parameters from an incoming HTTP request. +func NewGetProofByHashRequest(httpRequest *http.Request) (GetProofByHashRequest, error) { +	treeSize, err := strconv.ParseInt(httpRequest.FormValue("tree_size"), 10, 64) +	if err != nil { +		return GetProofByHashRequest{}, fmt.Errorf("bad tree_size parameter: %v", err) +	} +	if treeSize < 0 { +		return GetProofByHashRequest{}, fmt.Errorf("bad tree_size parameter: negative value") +	} +	// TODO: check that tree size is not past STH.tree_size + +	hash, err := base64.StdEncoding.DecodeString(httpRequest.FormValue("hash")) +	if err != nil { +		return GetProofByHashRequest{}, fmt.Errorf("bad hash parameter: %v", err) +	} +	return GetProofByHashRequest{TreeSize: treeSize, Hash: hash}, nil +} + +// NewGetEntryResponse assembles a log entry and its appendix +func NewGetEntryResponse(leaf []byte) GetEntryResponse { +	return GetEntryResponse{ +		Leaf: base64.StdEncoding.EncodeToString(leaf), +		// TODO: add signature and chain +	} +} + +// NewGetEntriesResponse assembles a get-entries response +func NewGetEntriesResponse(leaves []*trillian.LogLeaf) (GetEntriesResponse, error) { +	entries := make([]GetEntryResponse, 0, len(leaves)) +	for _, leaf := range leaves { +		entries = append(entries, NewGetEntryResponse(leaf.GetLeafValue())) // TODO: add signature and chain +	} +	return GetEntriesResponse{entries}, nil +} + +// NewGetProofByHashResponse assembles a get-proof-by-hash response +func NewGetProofByHashResponse(treeSize uint64, inclusionProof *trillian.Proof) (*GetProofByHashResponse, error) { +	item := NewInclusionProofV1([]byte("TODO: add log ID"), treeSize, inclusionProof) +	b, err := tls.Marshal(item) +	if err != nil { +		return nil, fmt.Errorf("tls marshal failed: %v", err) +	} +	return &GetProofByHashResponse{ +		InclusionProof: base64.StdEncoding.EncodeToString(b), +	}, nil +} @@ -2,10 +2,8 @@ package stfe  import (  	"fmt" -	"strconv"  	"encoding/base64" -	"net/http"  	"github.com/google/certificate-transparency-go/tls"  	"github.com/google/trillian" @@ -23,25 +21,6 @@ const (  	StFormatChecksumV1                  = 5  ) -func (f StFormat) String() string { -	switch f { -	case StFormatReserved: -		return "reserved" -	case StFormatSignedTreeHeadV1: -		return "signed_tree_head_v1" -	case StFormatSignedDebugInfoV1: -		return "signed_debug_info_v1" -	case StFormatConsistencyProofV1: -		return "consistency_proof_v1" -	case StFormatInclusionProofV1: -		return "inclusion_proof_v1" -	case StFormatChecksumV1: -		return "checksum_v1" -	default: -		return fmt.Sprintf("Unknown StFormat: %d", f) -	} -} -  // StItem references a versioned item based on a given format specifier.  type StItem struct {  	Format           StFormat          `tls:"maxval:65535"` @@ -50,63 +29,37 @@ type StItem struct {  	// TODO: add more items  } -func (i StItem) String() string { -	switch i.Format { -	case StFormatChecksumV1: -		return fmt.Sprintf("%s %s", i.Format, *i.ChecksumV1) -	default: -		return fmt.Sprintf("unknown StItem: %s", i.Format) -	} -} - -func StItemFromB64(s string) (*StItem, error) { -	b, err := base64.StdEncoding.DecodeString(s) -	if err != nil { -		return nil, fmt.Errorf("base64 decoding failed: %v", err) -	} - -	var item StItem -	extra, err := tls.Unmarshal(b, &item) -	if err != nil { -		return nil, fmt.Errorf("tls unmarshal failed: %v", err) -	} else if len(extra) > 0 { -		return nil, fmt.Errorf("tls unmarshal found extra data: %v", extra) -	} -	return &item, nil -} -  // ChecksumV1 associates a package name with an arbitrary checksum value  type ChecksumV1 struct {  	Package  []byte `tls:"minlen:0,maxlen:255"`  	Checksum []byte `tls:"minlen:32,maxlen:255"`  } -// NewChecksumV1 creates a new StItem of type checksum_v1 -func NewChecksumV1(name string, checksum []byte) (StItem, error) { -	return StItem{ -		Format: StFormatChecksumV1, -		ChecksumV1: &ChecksumV1{ -			Package:  []byte(name), -			Checksum: checksum, -		}, -	}, nil // TODO: error handling -} - -func (i ChecksumV1) String() string { -	return fmt.Sprintf("%v %v", string(i.Package), base64.StdEncoding.EncodeToString(i.Checksum)) +// InclusionProofV1 is a Merkle tree inclusion proof, see RFC 6962/bis (§4.12) +type InclusionProofV1 struct { +	LogID         []byte `tls:"minlen:2,maxlen:127"` +	TreeSize      uint64 +	LeafIndex     uint64 +	InclusionPath []NodeHash `tls:"minlen:1,maxlen:65535"`  } +// NodeHash is a hashed Merkle tree node, see RFC 6962/bis (§4.9)  type NodeHash struct {  	Data []byte `tls:"minlen:32,maxlen:255"`  } -type InclusionProofV1 struct { -	LogID         []byte `tls:"minlen:2,maxlen:127"` -	TreeSize      uint64 -	LeafIndex     uint64 -	InclusionPath []NodeHash `tls:"minlen:1,maxlen:65535"` +// NewChecksumV1 creates a new StItem of type checksum_v1 +func NewChecksumV1(identifier []byte, checksum []byte) StItem { +	return StItem{ +		Format: StFormatChecksumV1, +		ChecksumV1: &ChecksumV1{ +			Package:  identifier, +			Checksum: checksum, +		}, +	}  } +// NewInclusionProofV1 creates a new StItem of type inclusion_proof_v1  func NewInclusionProofV1(logID []byte, treeSize uint64, proof *trillian.Proof) StItem {  	inclusionPath := make([]NodeHash, 0, len(proof.Hashes))  	for _, hash := range proof.Hashes { @@ -124,103 +77,62 @@ func NewInclusionProofV1(logID []byte, treeSize uint64, proof *trillian.Proof) S  	}  } -// AddEntryRequest is a collection of add-entry input parameters -type AddEntryRequest struct { -	Item        string `json:"item"` -	Signature   string `json:"signature"` -	Certificate string `json:"certificate"` -} - -// GetEntriesRequest is a collection of get-entry input parameters -type GetEntriesRequest struct { -	Start int64 -	End   int64 -} - -func (r *GetEntriesRequest) Unpack(httpRequest *http.Request) error { -	var err error - -	r.Start, err = strconv.ParseInt(httpRequest.FormValue("start"), 10, 64) -	if err != nil { -		return fmt.Errorf("bad start parameter: %v", err) -	} -	r.End, err = strconv.ParseInt(httpRequest.FormValue("end"), 10, 64) -	if err != nil { -		return fmt.Errorf("bad end parameter: %v", err) -	} - -	if r.Start < 0 { -		return fmt.Errorf("bad parameters: start(%v) must have a non-negative value", r.Start) -	} -	if r.Start > r.End { -		return fmt.Errorf("bad parameters: start(%v) must be larger than end(%v)", r.Start, r.End) +func (f StFormat) String() string { +	switch f { +	case StFormatReserved: +		return "reserved" +	case StFormatSignedTreeHeadV1: +		return "signed_tree_head_v1" +	case StFormatSignedDebugInfoV1: +		return "signed_debug_info_v1" +	case StFormatConsistencyProofV1: +		return "consistency_proof_v1" +	case StFormatInclusionProofV1: +		return "inclusion_proof_v1" +	case StFormatChecksumV1: +		return "checksum_v1" +	default: +		return fmt.Sprintf("Unknown StFormat: %d", f)  	} -	// TODO: check that range is not larger than the max range. Yes -> truncate -	// TODO: check that end is not past the most recent STH. Yes -> truncate -	return nil -} - -type GetEntryResponse struct { -	Leaf      string   `json:"leaf"` -	Signature string   `json:"signature"` -	Chain     []string `json:chain`  } -func NewGetEntryResponse(leaf []byte) GetEntryResponse { -	return GetEntryResponse{ -		Leaf: base64.StdEncoding.EncodeToString(leaf), -		// TODO: add signature and chain +func (i StItem) String() string { +	switch i.Format { +	case StFormatChecksumV1: +		return fmt.Sprintf("Format(%s): %s", i.Format, *i.ChecksumV1) +	case StFormatInclusionProofV1: +		return fmt.Sprintf("Format(%s): %s", i.Format, *i.InclusionProofV1) +	default: +		return fmt.Sprintf("unknown StItem: %s", i.Format)  	}  } -type GetEntriesResponse struct { -	Entries []GetEntryResponse `json:"entries"` +func (i ChecksumV1) String() string { +	return fmt.Sprintf("Package(%v) Checksum(%v)", string(i.Package), base64.StdEncoding.EncodeToString(i.Checksum))  } -func NewGetEntriesResponse(leaves []*trillian.LogLeaf) (GetEntriesResponse, error) { -	entries := make([]GetEntryResponse, 0, len(leaves)) -	for _, leaf := range leaves { -		entries = append(entries, NewGetEntryResponse(leaf.GetLeafValue())) // TODO: add signature and chain +func (i InclusionProofV1) String() string { +	path := make([]string, 0, len(i.InclusionPath)) +	for _, hash := range i.InclusionPath { +		path = append(path, base64.StdEncoding.EncodeToString(hash.Data))  	} -	return GetEntriesResponse{entries}, nil -} -type GetProofByHashRequest struct { -	Hash     []byte -	TreeSize int64 +	return fmt.Sprintf("LogID(%s) TreeSize(%d) LeafIndex(%d) AuditPath(%v)", base64.StdEncoding.EncodeToString(i.LogID), i.TreeSize, i.LeafIndex, path)  } -func NewGetProofByHashRequest(httpRequest *http.Request) (*GetProofByHashRequest, error) { -	var r GetProofByHashRequest -	var err error - -	r.TreeSize, err = strconv.ParseInt(httpRequest.FormValue("tree_size"), 10, 64) -	if err != nil { -		return nil, fmt.Errorf("bad tree_size parameter: %v", err) -	} -	if r.TreeSize < 0 { -		return nil, fmt.Errorf("bad tree_size parameter: negative value") -	} -	// TODO: check that tree size is not past STH.tree_size - -	r.Hash, err = base64.StdEncoding.DecodeString(httpRequest.FormValue("hash")) +// StItemFromB64 creates an StItem from a serialized and base64-encoded string +func StItemFromB64(s string) (*StItem, error) { +	b, err := base64.StdEncoding.DecodeString(s)  	if err != nil { -		return nil, fmt.Errorf("bad hash parameter: %v", err) +		return nil, fmt.Errorf("base64 decoding failed: %v", err)  	} -	return &r, nil -} -type GetProofByHashResponse struct { -	InclusionProof string `json:"inclusion_proof"` -} - -func NewGetProofByHashResponse(treeSize uint64, inclusionProof *trillian.Proof) (*GetProofByHashResponse, error) { -	item := NewInclusionProofV1([]byte("TODO: add log ID"), treeSize, inclusionProof) -	b, err := tls.Marshal(item) +	var item StItem +	extra, err := tls.Unmarshal(b, &item)  	if err != nil { -		return nil, fmt.Errorf("tls marshal failed: %v", err) +		return nil, fmt.Errorf("tls unmarshal failed: %v", err) +	} else if len(extra) > 0 { +		return nil, fmt.Errorf("tls unmarshal found extra data: %v", extra)  	} -	return &GetProofByHashResponse{ -		InclusionProof: base64.StdEncoding.EncodeToString(b), -	}, nil +	return &item, nil  } diff --git a/type_test.go b/type_test.go index bcd66e6..f4e7b40 100644 --- a/type_test.go +++ b/type_test.go @@ -9,27 +9,18 @@ import (  )  func ExampleNewChecksumV1() { -	name := "foobar-1.2.3" +	name := []byte("foobar-1.2.3")  	hasher := sha256.New()  	hasher.Write([]byte(name))  	checksum := hasher.Sum(nil) // hash of package name -	item, err := NewChecksumV1(name, checksum) -	if err != nil { -		fmt.Printf("failed creating checksum item: %v", err) -		return -	} +	item := NewChecksumV1(name, checksum)  	fmt.Printf("%s\n", item) -	// Output: checksum_v1 foobar-1.2.3 UOeWe84malBvj2FLtQlr66WA0gUEa5GPR9I7LsYm114= +	// Output: Format(checksum_v1): Package(foobar-1.2.3) Checksum(UOeWe84malBvj2FLtQlr66WA0gUEa5GPR9I7LsYm114=)  }  func ExampleMarshalChecksumV1() { -	item, err := NewChecksumV1("foobar-1.2.3", make([]byte, 32)) -	if err != nil { -		fmt.Printf("failed creating checksum item: %v", err) -		return -	} - +	item := NewChecksumV1([]byte("foobar-1.2.3"), make([]byte, 32))  	b, err := tls.Marshal(item)  	if err != nil {  		fmt.Printf("tls.Marshal() failed: %v", err) @@ -52,5 +43,5 @@ func ExampleUnmarshalChecksumV1() {  		return  	}  	fmt.Printf("%v\n", item) -	// Output: checksum_v1 foobar-1.2.3 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= +	// Output: Format(checksum_v1): Package(foobar-1.2.3) Checksum(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=)  } | 
