package stfe import ( "fmt" "strconv" "encoding/base64" "net/http" "github.com/google/certificate-transparency-go/tls" "github.com/google/trillian" ) // StFormat defines a particular StItem type that is versioned type StFormat tls.Enum const ( StFormatReserved StFormat = 0 StFormatSignedTreeHeadV1 StFormat = 1 StFormatSignedDebugInfoV1 StFormat = 2 StFormatConsistencyProofV1 StFormat = 3 StFormatInclusionProofV1 StFormat = 4 StFormatChecksumV1 = 5 ) func (f StFormat) String() string { switch f { case StFormatReserved: return "reserved" case StFormatSignedTreeHeadV1: return "signed_tree_head_v1" case StFormatSignedDebugInfoV1: return "signed_debug_info_v1" case StFormatConsistencyProofV1: return "consistency_proof_v1" case StFormatInclusionProofV1: return "inclusion_proof_v1" case StFormatChecksumV1: return "checksum_v1" default: return fmt.Sprintf("Unknown StFormat: %d", f) } } // StItem references a versioned item based on a given format specifier. type StItem struct { Format StFormat `tls:"maxval:65535"` ChecksumV1 *ChecksumV1 `tls:"selector:Format,val:5"` // TODO: add more items } func (i StItem) String() string { switch i.Format { case StFormatChecksumV1: return fmt.Sprintf("%s %s", i.Format, *i.ChecksumV1) default: return fmt.Sprintf("unknown StItem: %s", i.Format) } } func StItemFromB64(s string) (*StItem, error) { b, err := base64.StdEncoding.DecodeString(s) if err != nil { return nil, fmt.Errorf("base64 decoding failed: %v", err) } var item StItem extra, err := tls.Unmarshal(b, &item) if err != nil { return nil, fmt.Errorf("tls unmarshal failed: %v", err) } else if len(extra) > 0 { return nil, fmt.Errorf("tls unmarshal found extra data: %v", extra) } return &item, nil } // ChecksumV1 associates a package name with an arbitrary checksum value type ChecksumV1 struct { Package []byte `tls:"minlen:0,maxlen:255"` Checksum []byte `tls:"minlen:32,maxlen:255"` } // NewChecksumV1 creates a new StItem of type checksum_v1 func NewChecksumV1(name string, checksum []byte) (StItem, error) { return StItem{ Format: StFormatChecksumV1, ChecksumV1: &ChecksumV1{ Package: []byte(name), Checksum: checksum, }, }, nil // TODO: error handling } func (i ChecksumV1) String() string { return fmt.Sprintf("%v %v", string(i.Package), base64.StdEncoding.EncodeToString(i.Checksum)) } type NodeHash struct { Data []byte `tls:"minlen:32,maxlen:255"` } type InclusionProofV1 struct { LogID []byte `tls:"minlen:2,maxlen:127"` TreeSize uint64 LeafIndex uint64 InclusionPath []NodeHash `tls:"minlen:1,maxlen:65535"` } func NewInclusionProofV1(logID []byte, treeSize uint64, proof *trillian.Proof) InclusionProofV1 { inclusionPath := make([]NodeHash, 0, len(proof.Hashes)) for _, hash := range proof.Hashes { inclusionPath = append(inclusionPath, NodeHash{Data: hash}) } return InclusionProofV1{ LogID: logID, TreeSize: treeSize, LeafIndex: uint64(proof.LeafIndex), InclusionPath: inclusionPath, } } // AddEntryRequest is a collection of add-entry input parameters type AddEntryRequest struct { Item string `json:"item"` Signature string `json:"signature"` Certificate string `json:"certificate"` } // GetEntriesRequest is a collection of get-entry input parameters type GetEntriesRequest struct { Start int64 End int64 } func (r *GetEntriesRequest) Unpack(httpRequest *http.Request) error { var err error r.Start, err = strconv.ParseInt(httpRequest.FormValue("start"), 10, 64) if err != nil { return fmt.Errorf("bad start parameter: %v", err) } r.End, err = strconv.ParseInt(httpRequest.FormValue("end"), 10, 64) if err != nil { return fmt.Errorf("bad end parameter: %v", err) } if r.Start < 0 { return fmt.Errorf("bad parameters: start(%v) must have a non-negative value", r.Start) } if r.Start > r.End { return fmt.Errorf("bad parameters: start(%v) must be larger than end(%v)", r.Start, r.End) } // TODO: check that range is not larger than the max range. Yes -> truncate // TODO: check that end is not past the most recent STH. Yes -> truncate return nil } type GetEntryResponse struct { Leaf string `json:"leaf"` Signature string `json:"signature"` Chain []string `json:chain` } func NewGetEntryResponse(leaf []byte) GetEntryResponse { return GetEntryResponse{ Leaf: base64.StdEncoding.EncodeToString(leaf), // TODO: add signature and chain } } type GetEntriesResponse struct { Entries []GetEntryResponse `json:"entries"` } func NewGetEntriesResponse(leaves []*trillian.LogLeaf) (GetEntriesResponse, error) { entries := make([]GetEntryResponse, 0, len(leaves)) for _, leaf := range leaves { entries = append(entries, NewGetEntryResponse(leaf.GetLeafValue())) // TODO: add signature and chain } return GetEntriesResponse{entries}, nil } type GetProofByHashRequest struct { Hash []byte TreeSize int64 } func NewGetProofByHashRequest(httpRequest *http.Request) (*GetProofByHashRequest, error) { var r GetProofByHashRequest var err error r.TreeSize, err = strconv.ParseInt(httpRequest.FormValue("tree_size"), 10, 64) if err != nil { return nil, fmt.Errorf("bad tree_size parameter: %v", err) } if r.TreeSize < 0 { return nil, fmt.Errorf("bad tree_size parameter: negative value") } // TODO: check that tree size is not past STH.tree_size r.Hash, err = base64.StdEncoding.DecodeString(httpRequest.FormValue("hash")) if err != nil { return nil, fmt.Errorf("bad hash parameter: %v", err) } return &r, nil } type GetProofByHashResponse struct { InclusionProof string `json:"inclusion_proof"` } func NewGetProofByHashResponse(treeSize uint64, inclusionProof *trillian.Proof) (*GetProofByHashResponse, error) { item := NewInclusionProofV1([]byte("TODO: add log ID"), treeSize, inclusionProof) b, err := tls.Marshal(item) if err != nil { return nil, fmt.Errorf("tls marshal failed: %v", err) } return &GetProofByHashResponse{ InclusionProof: base64.StdEncoding.EncodeToString(b), }, nil }