From cb8498119a0a3aaf34e09191e5e172173fdbc8ca Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg
Date: Thu, 5 Nov 2020 12:24:01 +0100
Subject: refactored signing/verification parts that are log specific

These methods are now private and attached to LogParameters.
---
 handler.go | 4 ++--
 reqres.go | 4 ++--
 x509.go | 55 ++++++++++++++++++++++++++++---------------------------
 3 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/handler.go b/handler.go
index 7366761..1099527 100644
--- a/handler.go
+++ b/handler.go
@@ -72,7 +72,7 @@ func addEntry(ctx context.Context, i *Instance, w http.ResponseWriter, r *http.R
 return status, err
 }
- sdi, err := GenV1SDI(i.LogParameters, trsp.QueuedLeaf.Leaf.LeafValue)
+ sdi, err := i.LogParameters.genV1Sdi(trsp.QueuedLeaf.Leaf.LeafValue)
 if err != nil {
 return http.StatusInternalServerError, fmt.Errorf("failed creating signed debug info: %v", err)
 }
@@ -208,7 +208,7 @@ func getSth(ctx context.Context, i *Instance, w http.ResponseWriter, _ *http.Req
 if err != nil {
 return http.StatusInternalServerError, fmt.Errorf("failed creating tree head: %v", err)
 }
- sth, err := GenV1STH(i.LogParameters, th)
+ sth, err := i.LogParameters.genV1Sth(th)
 if err != nil {
 return http.StatusInternalServerError, fmt.Errorf("failed creating signed tree head: %v", err)
 }
diff --git a/reqres.go b/reqres.go
index 20721f1..2fcbcfb 100644
--- a/reqres.go
+++ b/reqres.go
@@ -66,13 +66,13 @@ func (lp *LogParameters) newAddEntryRequest(r *http.Request) ([]byte, []byte, er
 }
 // Check that there is a valid trust anchor
- chain, err := buildChainFromDerList(lp, entry.Chain)
+ chain, err := lp.buildChainFromDerList(entry.Chain)
 if err != nil {
 return nil, nil, fmt.Errorf("invalid certificate chain: %v", err)
 }
 // Check that there is a valid signature
- if err := verifySignature(lp, chain[0], tls.SignatureScheme(entry.SignatureScheme), entry.Item, entry.Signature); err != nil {
+ if err := lp.verifySignature(chain[0], tls.SignatureScheme(entry.SignatureScheme), entry.Item, entry.Signature); err != nil {
 return nil, nil, fmt.Errorf("invalid signature: %v", err)
 }
diff --git a/x509.go b/x509.go
index 87adb80..7f74e93 100644
--- a/x509.go
+++ b/x509.go
@@ -81,29 +81,6 @@ func ParseEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) {
 }
 }
-func GenV1SDI(lp *LogParameters, serialized []byte) (*StItem, error) {
- sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
- if err != nil {
- return nil, fmt.Errorf("ed25519 signature failed: %v", err)
- }
- lastSdiTimestamp.Set(float64(time.Now().Unix()), lp.id())
- return NewSignedDebugInfoV1(lp.LogId, []byte("reserved"), sig), nil
-}
-
-func GenV1STH(lp *LogParameters, th *TreeHeadV1) (*StItem, error) {
- serialized, err := th.Marshal()
- if err != nil {
- return nil, fmt.Errorf("failed tls marshaling tree head: %v", err)
- }
- sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
- if err != nil {
- return nil, fmt.Errorf("ed25519 signature failed: %v", err)
- }
- lastSthTimestamp.Set(float64(time.Now().Unix()), lp.id())
- lastSthSize.Set(float64(th.TreeSize), lp.id())
- return NewSignedTreeHeadV1(th, lp.LogId, sig), nil
-}
-
 // LoadChain loads a PEM-encoded certificate chain from a given path
 func LoadChain(path string) ([]*x509.Certificate, error) {
 blob, err := ioutil.ReadFile(path)
@@ -159,7 +136,7 @@ func ParseDerChain(chain [][]byte) (*x509.Certificate, *x509.CertPool, error) {
 return certificate, intermediatePool, nil
 }
-func buildChainFromDerList(lp *LogParameters, derChain [][]byte) ([]*x509.Certificate, error) {
+func (lp *LogParameters) buildChainFromDerList(derChain [][]byte) ([]*x509.Certificate, error) {
 certificate, intermediatePool, err := ParseDerChain(derChain)
 if err != nil {
 return nil, err
@@ -189,9 +166,8 @@ func buildChainFromDerList(lp *LogParameters, derChain [][]byte) ([]*x509.Certif
 }
 // verifySignature checks if signature is valid for some serialized data. The
-// only supported signature scheme is ecdsa_secp256r1_sha256(0x0403), see §4.3.2
-// in RFC 8446.
-func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error {
+// only supported signature scheme is ed25519(0x0807), see §4.2.3 in RFC 8446.
+func (lp *LogParameters) verifySignature(certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error {
 if scheme != tls.Ed25519 {
 return fmt.Errorf("unsupported signature scheme: %v", scheme)
 }
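Review bot: The new receiver `lp` is not referenced in the lines of verifySignature shown in this hunk, whereas the old signature marked the parameter as unused with `_`; the body continues outside the hunk, so this is only what the visible lines show. If nothing log-specific is consulted, an unnamed receiver `func (*LogParameters) verifySignature(...)` or a short comment such as `// lp is currently unused; kept so per-log scheme policy can be added here` would make that explicit. Since `scheme` arrives from the request, the doc comment could also state whether the certificate's public key type is checked against the Ed25519 scheme, if the unseen part of the body enforces that.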
@@ -200,3 +176,28 @@ func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls
 }
 return nil
 }
+
+// genV1Sdi issues a new SignedDebugInfoV1 StItem from a serialized leaf value
+func (lp *LogParameters) genV1Sdi(serialized []byte) (*StItem, error) {
+ sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
+ if err != nil {
+ return nil, fmt.Errorf("ed25519 signature failed: %v", err)
+ }
+ lastSdiTimestamp.Set(float64(time.Now().Unix()), lp.id())
+ return NewSignedDebugInfoV1(lp.LogId, []byte("reserved"), sig), nil
+}
+
+// genV1Sth issues a new SignedTreeHeadV1 StItem from a TreeHeadV1 structure
+func (lp *LogParameters) genV1Sth(th *TreeHeadV1) (*StItem, error) {
+ serialized, err := th.Marshal()
+ if err != nil {
+ return nil, fmt.Errorf("failed tls marshaling tree head: %v", err)
+ }
+ sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519
+ if err != nil {
+ return nil, fmt.Errorf("ed25519 signature failed: %v", err)
+ }
+ lastSthTimestamp.Set(float64(time.Now().Unix()), lp.id())
+ lastSthSize.Set(float64(th.TreeSize), lp.id())
+ return NewSignedTreeHeadV1(th, lp.LogId, sig), nil
+}
--
cgit v1.2.3
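Review bot: genV1Sdi and genV1Sth both pass `crypto.Hash(0)` to `lp.Signer.Sign` and hard-code "ed25519" in the error text, but nothing in these lines checks that the signer actually holds an Ed25519 key. Assuming `Signer` is a `crypto.Signer`, another key type behind it may sign an unhashed or truncated input rather than fail, so the assumption is better enforced once where LogParameters is constructed (not shown), e.g. `if _, ok := signer.Public().(ed25519.PublicKey); !ok { return nil, fmt.Errorf("log signer must be ed25519") }`. The same key signs raw leaf bytes in genV1Sdi and a marshaled tree head in genV1Sth; a comment stating what keeps those two encodings from overlapping would help anyone auditing the signing paths. The two identical Sign calls could share one small private helper, and `%w` instead of `%v` would keep the underlying error inspectable by callers.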