package stfe
import (
"fmt"
"time"
"encoding/base64"
"github.com/google/certificate-transparency-go/tls"
"github.com/google/trillian/types"
"github.com/system-transparency/stfe/namespace"
)
// StFormat defines a particular StItem type that is versioned
type StFormat tls.Enum
const (
StFormatReserved StFormat = 0
StFormatSignedTreeHeadV1 StFormat = 1
StFormatSignedDebugInfoV1 StFormat = 2
StFormatConsistencyProofV1 StFormat = 3
StFormatInclusionProofV1 StFormat = 4
StFormatChecksumV1 = 5
StFormatCosignedTreeHeadV1 = 6
)
// StItem references a versioned item based on a given format specifier
type StItem struct {
Format StFormat `tls:"maxval:65535"`
SignedTreeHeadV1 *SignedTreeHeadV1 `tls:"selector:Format,val:1"`
SignedDebugInfoV1 *SignedDebugInfoV1 `tls:"selector:Format,val:2"`
ConsistencyProofV1 *ConsistencyProofV1 `tls:"selector:Format,val:3"`
InclusionProofV1 *InclusionProofV1 `tls:"selector:Format,val:4"`
ChecksumV1 *ChecksumV1 `tls:"selector:Format,val:5"`
CosignedTreeHeadV1 *CosignedTreeHeadV1 `tls:"selector:Format,val:6"`
}
// SignedTreeHeadV1 is a signed tree head as defined by RFC 6962/bis, §4.10
type SignedTreeHeadV1 struct {
LogId []byte `tls:"minlen:35,maxlen:35"`
TreeHead TreeHeadV1
Signature []byte `tls:"minlen:1,maxlen:65535"`
}
// SignedDebugInfoV1 is a signed statement that we intend (but do not promise)
// to insert an entry into the log as defined by markdown/api.md
type SignedDebugInfoV1 struct {
LogId []byte `tls:"minlen:35,maxlen:35"`
Message []byte `tls:"minlen:0,maxlen:65535"`
Signature []byte `tls:"minlen:1,maxlen:65535"`
}
// ConsistencyProofV1 is a consistency proof as defined by RFC 6962/bis, §4.11
type ConsistencyProofV1 struct {
LogId []byte `tls:"minlen:35,maxlen:35"`
TreeSize1 uint64
TreeSize2 uint64
ConsistencyPath []NodeHash `tls:"minlen:0,maxlen:65535"`
}
// InclusionProofV1 is an inclusion proof as defined by RFC 6962/bis, §4.12
type InclusionProofV1 struct {
LogId []byte `tls:"minlen:35,maxlen:35"`
TreeSize uint64
LeafIndex uint64
InclusionPath []NodeHash `tls:"minlen:0,maxlen:65535"`
}
// ChecksumV1 associates a leaf type as defined by markdown/api.md
type ChecksumV1 struct {
Package []byte `tls:"minlen:1,maxlen:255"`
Checksum []byte `tls:"minlen:1,maxlen:64"`
Namespace namespace.Namespace
}
// TreeHeadV1 is a tree head as defined by RFC 6962/bis, §4.10
type TreeHeadV1 struct {
Timestamp uint64
TreeSize uint64
RootHash NodeHash
Extension []byte `tls:"minlen:0,maxlen:65535"`
}
// CosignedTreeheadV1 is a cosigned STH
type CosignedTreeHeadV1 struct {
SignedTreeHeadV1 SignedTreeHeadV1
SignatureV1 []SignatureV1 `tls:"minlen:0,maxlen:4294967295"`
}
// SignatureV1 is a detached signature that was produced by a namespace
type SignatureV1 struct {
Namespace namespace.Namespace
Signature []byte `tls:"minlen:1,maxlen:65535"`
}
// NodeHash is a Merkle tree hash as defined by RFC 6962/bis, §4.9
type NodeHash struct {
Data []byte `tls:"minlen:32,maxlen:255"`
}
// RawCertificate is a serialized X.509 certificate
type RawCertificate struct {
Data []byte `tls:"minlen:0,maxlen:65535"`
}
func (f StFormat) String() string {
switch f {
case StFormatReserved:
return "reserved"
case StFormatSignedTreeHeadV1:
return "signed_tree_head_v1"
case StFormatSignedDebugInfoV1:
return "signed_debug_info_v1"
case StFormatConsistencyProofV1:
return "consistency_proof_v1"
case StFormatInclusionProofV1:
return "inclusion_proof_v1"
case StFormatChecksumV1:
return "checksum_v1"
case StFormatCosignedTreeHeadV1:
return "cosigned_tree_head_v1"
default:
return fmt.Sprintf("Unknown StFormat: %d", f)
}
}
func (i StItem) String() string {
switch i.Format {
case StFormatChecksumV1:
return fmt.Sprintf("Format(%s): %s", i.Format, i.ChecksumV1)
case StFormatConsistencyProofV1:
return fmt.Sprintf("Format(%s): %s", i.Format, i.ConsistencyProofV1)
case StFormatInclusionProofV1:
return fmt.Sprintf("Format(%s): %s", i.Format, i.InclusionProofV1)
case StFormatSignedDebugInfoV1:
return fmt.Sprintf("Format(%s): %s", i.Format, i.SignedDebugInfoV1)
case StFormatSignedTreeHeadV1:
return fmt.Sprintf("Format(%s): %s", i.Format, i.SignedTreeHeadV1)
case StFormatCosignedTreeHeadV1:
return fmt.Sprintf("Format(%s): %s", i.Format, i.CosignedTreeHeadV1)
default:
return fmt.Sprintf("unknown StItem: %s", i.Format)
}
}
func (i SignedTreeHeadV1) String() string {
return fmt.Sprintf("LogId(%s) TreeHead(%s) Signature(%s)", b64(i.LogId), i.TreeHead, b64(i.Signature))
}
func (i SignedDebugInfoV1) String() string {
return fmt.Sprintf("LogId(%s) Message(%s) Signature(%s)", b64(i.LogId), string(i.Message), b64(i.Signature))
}
func (i ConsistencyProofV1) String() string {
return fmt.Sprintf("LogID(%s) TreeSize1(%d) TreeSize2(%d) ConsistencyPath(%v)", b64(i.LogId), i.TreeSize1, i.TreeSize2, B64EncodePath(i.ConsistencyPath))
}
func (i InclusionProofV1) String() string {
return fmt.Sprintf("LogID(%s) TreeSize(%d) LeafIndex(%d) AuditPath(%v)", b64(i.LogId), i.TreeSize, i.LeafIndex, B64EncodePath(i.InclusionPath))
}
func (i ChecksumV1) String() string {
return fmt.Sprintf("Package(%s) Checksum(%s) Namespace(%s)", string(i.Package), string(i.Checksum), i.Namespace.String())
}
func (th TreeHeadV1) String() string {
return fmt.Sprintf("Timestamp(%s) TreeSize(%d) RootHash(%s)", time.Unix(int64(th.Timestamp/1000), 0), th.TreeSize, b64(th.RootHash.Data))
}
func (i CosignedTreeHeadV1) String() string {
return fmt.Sprintf("SignedTreeHead(%s) #Cosignatures(%d)", i.SignedTreeHeadV1.String(), len(i.SignatureV1))
}
// Marshal serializes an Stitem as defined by RFC 5246
func (i *StItem) Marshal() ([]byte, error) {
serialized, err := tls.Marshal(*i)
if err != nil {
return nil, fmt.Errorf("marshal failed for StItem(%s): %v", i.Format, err)
}
return serialized, nil
}
// MarshalB64 base64-encodes a serialized StItem
func (i *StItem) MarshalB64() (string, error) {
serialized, err := i.Marshal()
if err != nil {
return "", err
}
return b64(serialized), nil
}
// Unmarshal unpacks a serialized StItem
func (i *StItem) Unmarshal(serialized []byte) error {
extra, err := tls.Unmarshal(serialized, i)
if err != nil {
return fmt.Errorf("unmarshal failed for StItem(%s): %v", i.Format, err)
} else if len(extra) > 0 {
return fmt.Errorf("unmarshal found extra data for StItem(%s): %v", i.Format, extra)
}
return nil
}
// UnmarshalB64 unpacks a base64-encoded serialized StItem
func (i *StItem) UnmarshalB64(s string) error {
serialized, err := deb64(s)
if err != nil {
return fmt.Errorf("base64 decoding failed for StItem(%s): %v", i.Format, err)
}
return i.Unmarshal(serialized)
}
// Marshal serializes a TreeHeadV1 as defined by RFC 5246
func (th *TreeHeadV1) Marshal() ([]byte, error) {
serialized, err := tls.Marshal(*th)
if err != nil {
return nil, fmt.Errorf("marshal failed for TreeHeadV1: %v", err)
}
return serialized, nil
}
// B64EncodePath encodes a path of node hashes as a list of base64 strings
func B64EncodePath(path []NodeHash) []string {
p := make([]string, 0, len(path))
for _, hash := range path {
p = append(p, b64(hash.Data))
}
return p
}
// NewSignedTreeHead creates a new StItem of type signed_tree_head_v1
func NewSignedTreeHeadV1(th *TreeHeadV1, logId, signature []byte) *StItem {
return &StItem{
Format: StFormatSignedTreeHeadV1,
SignedTreeHeadV1: &SignedTreeHeadV1{logId, *th, signature},
}
}
// NewSignedDebugInfoV1 creates a new StItem of type inclusion_proof_v1
func NewSignedDebugInfoV1(logId, message, signature []byte) *StItem {
return &StItem{
Format: StFormatSignedDebugInfoV1,
SignedDebugInfoV1: &SignedDebugInfoV1{logId, message, signature},
}
}
// NewInclusionProofV1 creates a new StItem of type inclusion_proof_v1
func NewInclusionProofV1(logID []byte, treeSize, index uint64, proof [][]byte) *StItem {
path := make([]NodeHash, 0, len(proof))
for _, hash := range proof {
path = append(path, NodeHash{Data: hash})
}
return &StItem{
Format: StFormatInclusionProofV1,
InclusionProofV1: &InclusionProofV1{logID, treeSize, index, path},
}
}
// NewConsistencyProofV1 creates a new StItem of type consistency_proof_v1
func NewConsistencyProofV1(logId []byte, first, second uint64, proof [][]byte) *StItem {
path := make([]NodeHash, 0, len(proof))
for _, hash := range proof {
path = append(path, NodeHash{Data: hash})
}
return &StItem{
Format: StFormatConsistencyProofV1,
ConsistencyProofV1: &ConsistencyProofV1{logId, uint64(first), uint64(second), path},
}
}
// NewChecksumV1 creates a new StItem of type checksum_v1
func NewChecksumV1(identifier, checksum []byte, namespace *namespace.Namespace) *StItem {
return &StItem{
Format: StFormatChecksumV1,
ChecksumV1: &ChecksumV1{identifier, checksum, *namespace},
}
}
// NewTreeHead creates a new TreeHeadV1 from a Trillian-signed log root without
// verifying any signature. In other words, Trillian <-> STFE must be trusted.
func NewTreeHeadV1(lr *types.LogRootV1) *TreeHeadV1 {
return &TreeHeadV1{
uint64(lr.TimestampNanos / 1000 / 1000),
uint64(lr.TreeSize),
NodeHash{lr.RootHash},
make([]byte, 0),
}
}
// NewCosignedTreeHeadV1 creates a new StItem of type cosigned_tree_head_v1
func NewCosignedTreeHeadV1(sth *SignedTreeHeadV1, sigs []SignatureV1) *StItem {
return &StItem{
Format: StFormatCosignedTreeHeadV1,
CosignedTreeHeadV1: &CosignedTreeHeadV1{
SignedTreeHeadV1: *sth,
SignatureV1: sigs,
},
}
}
func b64(b []byte) string {
return base64.StdEncoding.EncodeToString(b)
}
func deb64(str string) ([]byte, error) {
return base64.StdEncoding.DecodeString(str)
}