| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Disallow time travel, tree shrinkage, new tree hash for same sized
tree, new tree size with same tree hash.
Consider an STH seen iff all three attributes -- timestamp, size,
hash -- are identical.
|
| |
|
|
|
|
|
|
|
|
| |
We return !0 for critical errors that need human intervention.
Let's consider a stale log and a log with a bad clock an intermittent
and non critical error for now.
We might want to change requirements on logs to separate freshness
from clock skew. We should reconsider the severeness of those errors
if that change happens.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The rationale behind not allowing --bootstrap-log and
--generate-signing-key when they don't make any difference is that it
should be impossible to use them in scripts that run multiple times
since they're meant for manual "bootstrapping" procedures.
Another reason is that they require user intervention but not until
specific conditions arise (tree head missing, keyfile missing) which
may happen only "after some time". Failing early is helpful.
|
| |
|
|
|
|
|
|
|
| |
Given the importance of sane entropy and other operational security
issues, it makes sense to require --generate-signing-key and user
intervention to generate signing keys.
For automated tests and deployment, a key can be pre-generated by
other means.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Also, create base_dir in time, if it doesn't exist.
Also also, set permission on base_dir when creating it.
|
| |
|
|
|
| |
Since it's devastating to the value of the signature to not require a
consistency proof, make it less likely that it's done inadvertently.
|
| |
|
|
|
|
| |
Also, make the code that is doing hex encoding in ASCII more readable
by splitting up hashing and signing on the one side and hex encoding
and converting bytes to ASCII on the other.
|
|
|
First stab, rough edges, unstable interfaces, will break things, you
don't want to use it.
|
