From dd19521190f39a8b1704adb724f5f812040f91e4 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Tue, 27 Oct 2020 15:16:24 +0100 Subject: decoupled log instance and info Makes things a bit more modular. As part of this process I also replaced ct/x509 with crypto/x509, which already suits our needs. --- reqres.go | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) (limited to 'reqres.go') diff --git a/reqres.go b/reqres.go index 5d4c1bc..a725363 100644 --- a/reqres.go +++ b/reqres.go @@ -6,14 +6,13 @@ import ( "crypto/ecdsa" "crypto/rsa" + "crypto/x509" "encoding/base64" "encoding/json" "io/ioutil" "net/http" "github.com/google/certificate-transparency-go/tls" - "github.com/google/certificate-transparency-go/trillian/ctfe" - "github.com/google/certificate-transparency-go/x509" "github.com/google/trillian" ) @@ -137,9 +136,9 @@ func NewGetEntryResponse(leaf, appendix []byte) (GetEntryResponse, error) { } return GetEntryResponse{ - Leaf: base64.StdEncoding.EncodeToString(leaf), + Leaf: base64.StdEncoding.EncodeToString(leaf), Signature: base64.StdEncoding.EncodeToString(app.Signature), - Chain: chain, + Chain: chain, }, nil } @@ -178,7 +177,7 @@ func NewGetAnchorsResponse(anchors []*x509.Certificate) GetAnchorsResponse { // VerifyAddEntryRequest determines whether a well-formed AddEntryRequest should // be inserted into the log. The corresponding leaf and appendix is returned. -func VerifyAddEntryRequest(anchors ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, []byte, error) { +func VerifyAddEntryRequest(ld *LogParameters, r AddEntryRequest) ([]byte, []byte, error) { item, err := StItemFromB64(r.Item) if err != nil { return nil, nil, fmt.Errorf("failed decoding StItem: %v", err) @@ -193,13 +192,21 @@ func VerifyAddEntryRequest(anchors ctfe.CertValidationOpts, r AddEntryRequest) ( if err != nil { return nil, nil, fmt.Errorf("failed decoding certificate: %v", err) } - chain := make([][]byte, 0, 1) - chain = append(chain, certificate) - x509chain, err := ctfe.ValidateChain(chain, anchors) + c, err := x509.ParseCertificate(certificate) + if err != nil { + return nil, nil, fmt.Errorf("failed decoding certificate: %v", err) + } + opts := x509.VerifyOptions{ + Roots: ld.AnchorPool, + } + chains, err := c.Verify(opts) if err != nil { return nil, nil, fmt.Errorf("chain verification failed: %v", err) } - c := x509chain[0] + if len(chains) == 0 { + return nil, nil, fmt.Errorf("chain verification failed: no chain") + } + x509chain := chains[0] signature, err := base64.StdEncoding.DecodeString(r.Signature) if err != nil { -- cgit v1.2.3