summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* add README and LICENSEv0.1.0Linus Nordberg2021-06-162-0/+34
|
* rename files signed_tree_head and signing_keyLinus Nordberg2021-06-161-7/+5
| | | | | | | | | | | NOTE: BREAKING COMPATIBILITY with old filenames To keep a config working after applying this change, do mv signed_tree_head signed-tree-head mv signing_key signing-key in the config directory.
* be explicit when we return NoneLinus Nordberg2021-06-161-0/+1
|
* don't fetch consistency proof when tree hasn't grownLinus Nordberg2021-06-161-1/+7
|
* use @properties in TreeHeadLinus Nordberg2021-06-161-38/+50
|
* refactoring log history validationLinus Nordberg2021-06-161-63/+63
|
* fix --base-dirLinus Nordberg2021-06-161-10/+10
|
* validate tree heads harderLinus Nordberg2021-06-161-6/+37
| | | | | | | | Disallow time travel, tree shrinkage, new tree hash for same sized tree, new tree size with same tree hash. Consider an STH seen iff all three attributes -- timestamp, size, hash -- are identical.
* a too old or too new tree head is not an errorLinus Nordberg2021-06-161-4/+5
| | | | | | | | | | We return !0 for critical errors that need human intervention. Let's consider a stale log and a log with a bad clock an intermittent and non critical error for now. We might want to change requirements on logs to separate freshness from clock skew. We should reconsider the severeness of those errors if that change happens.
* don't sign a tree head that's too old or too far in the futureLinus Nordberg2021-06-151-12/+26
|
* be less permissive of --bootstrap-logLinus Nordberg2021-06-151-0/+4
| | | | | | | | | | | The rationale behind not allowing --bootstrap-log and --generate-signing-key when they don't make any difference is that it should be impossible to use them in scripts that run multiple times since they're meant for manual "bootstrapping" procedures. Another reason is that they require user intervention but not until specific conditions arise (tree head missing, keyfile missing) which may happen only "after some time". Failing early is helpful.
* don't generate signing key just like thatLinus Nordberg2021-06-151-17/+44
| | | | | | | | | Given the importance of sane entropy and other operational security issues, it makes sense to require --generate-signing-key and user intervention to generate signing keys. For automated tests and deployment, a key can be pre-generated by other means.
* handle empty responseLinus Nordberg2021-06-151-1/+2
|
* readability: more explanatory variable namesLinus Nordberg2021-06-031-18/+18
|
* remove spurious assignmentLinus Nordberg2021-06-031-1/+0
|
* readabilityLinus Nordberg2021-06-031-1/+2
|
* get the logic for --bootstrap-log rightLinus Nordberg2021-06-031-57/+93
|
* error handling cleaned up a bitLinus Nordberg2021-06-031-70/+98
| | | | | Also, create base_dir in time, if it doesn't exist. Also also, set permission on base_dir when creating it.
* disallow the short form for --bootstrap-logLinus Nordberg2021-06-031-1/+1
| | | | | Since it's devastating to the value of the signature to not require a consistency proof, make it less likely that it's done inadvertently.
* exit with error if uploading the signature failsLinus Nordberg2021-06-031-13/+15
| | | | | | Also, make the code that is doing hex encoding in ASCII more readable by splitting up hashing and signing on the one side and hex encoding and converting bytes to ASCII on the other.
* implement witnessLinus Nordberg2021-06-021-0/+341
First stab, rough edges, unstable interfaces, will break things, you don't want to use it.