aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus@rgdd.se>2023-03-18 13:17:40 +0100
committerRasmus Dahlberg <rasmus@rgdd.se>2023-03-18 13:17:40 +0100
commit15ffe76847c4c0383c4d0c0a35fb29d5031d093b (patch)
tree73001d637ef722bcf11562cdc9b10c809d09a66c
parentc96dabe39386d008985566bf689a3735d0a8f1c8 (diff)
more light refactoring
-rw-r--r--collect.go14
-rw-r--r--internal/utils/utils.go47
-rw-r--r--internal/x509/x509.go (renamed from internal/utils/x509.go)19
-rw-r--r--snapshot.go43
4 files changed, 56 insertions, 67 deletions
diff --git a/collect.go b/collect.go
index 44130c3..3c548db 100644
--- a/collect.go
+++ b/collect.go
@@ -15,7 +15,7 @@ import (
"git.cs.kau.se/rasmoste/ct-sans/internal/chunk"
"git.cs.kau.se/rasmoste/ct-sans/internal/merkle"
- "git.cs.kau.se/rasmoste/ct-sans/internal/utils"
+ "git.cs.kau.se/rasmoste/ct-sans/internal/x509"
ct "github.com/google/certificate-transparency-go"
"github.com/google/certificate-transparency-go/client"
"github.com/google/certificate-transparency-go/jsonclient"
@@ -59,13 +59,13 @@ func collect(opts options) error {
go func() {
await.Add(1)
defer await.Done()
- handleMetrics(ctx, metricsCh, utils.Logs(md))
+ handleMetrics(ctx, metricsCh, logs(md))
}()
defer cancel()
var wg sync.WaitGroup
defer wg.Wait()
- for _, log := range utils.Logs(md) {
+ for _, log := range logs(md) {
go func(log metadata.Log) {
wg.Add(1)
defer wg.Done()
@@ -128,7 +128,7 @@ func collect(opts options) error {
for i := 0; i < len(eb.Entries); i++ {
leafHashes = append(leafHashes, merkle.HashLeafNode(eb.Entries[i].LeafInput))
}
- sans, errs := utils.SANsFromLeafEntries(eb.Start, eb.Entries)
+ sans, errs := x509.SANsFromLeafEntries(eb.Start, eb.Entries)
for _, err := range errs {
logger.Printf("NOTICE: %s: %v", *log.Description, err)
}
@@ -242,7 +242,7 @@ func persist(c *chunk.Chunk,
if p.LeafIndex != c.Start {
return false, fmt.Errorf("log says proof for entry %d is at index %d", c.Start, p.LeafIndex)
}
- if newTH.RootHash, err = merkle.TreeHeadFromRangeProof(c.LeafHashes, uint64(c.Start), utils.Proof(p.AuditPath)); err != nil {
+ if newTH.RootHash, err = merkle.TreeHeadFromRangeProof(c.LeafHashes, uint64(c.Start), proof(p.AuditPath)); err != nil {
return false, err
}
@@ -253,7 +253,7 @@ func persist(c *chunk.Chunk,
return true, nil // try again later
}
}
- if err := merkle.VerifyConsistency(uint64(oldTH.TreeSize), uint64(newTH.TreeSize), oldTH.RootHash, newTH.RootHash, utils.Proof(hashes)); err != nil {
+ if err := merkle.VerifyConsistency(uint64(oldTH.TreeSize), uint64(newTH.TreeSize), oldTH.RootHash, newTH.RootHash, proof(hashes)); err != nil {
return false, fmt.Errorf("%d %x is inconsistent with on-disk state: %v", newTH.TreeSize, newTH.RootHash, err)
}
@@ -261,7 +261,7 @@ func persist(c *chunk.Chunk,
if hashes, err = cli.GetSTHConsistency(ctx, uint64(newTH.TreeSize), sth.TreeSize); err != nil {
return true, nil // try again later
}
- if err := merkle.VerifyConsistency(uint64(newTH.TreeSize), sth.TreeSize, newTH.RootHash, sth.SHA256RootHash, utils.Proof(hashes)); err != nil {
+ if err := merkle.VerifyConsistency(uint64(newTH.TreeSize), sth.TreeSize, newTH.RootHash, sth.SHA256RootHash, proof(hashes)); err != nil {
return false, fmt.Errorf("%d %x is inconsistent with signed tree head: %v", newTH.TreeSize, newTH.RootHash, err)
}
diff --git a/internal/utils/utils.go b/internal/utils/utils.go
deleted file mode 100644
index 5b27868..0000000
--- a/internal/utils/utils.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package utils
-
-import (
- "crypto/sha256"
- "fmt"
- "os"
-
- "gitlab.torproject.org/rgdd/ct/pkg/metadata"
-)
-
-// Logs select logs that count towards CT-compliance checks. Logs that don't
-// have a description are skipped after printing a warning.
-func Logs(md metadata.Metadata) (logs []metadata.Log) {
- for _, operators := range md.Operators {
- for _, log := range operators.Logs {
- if log.Description == nil {
- fmt.Fprintf(os.Stderr, "WARNING: skipping log without description")
- continue
- }
- if log.State == nil {
- continue // skip logs with unknown states
- }
- if log.State.Name == metadata.LogStatePending {
- continue // pending logs do not count towards CT-compliance
- }
- if log.State.Name == metadata.LogStateRetired {
- continue // retired logs are not necessarily reachable
- }
- if log.State.Name == metadata.LogStateRejected {
- continue // rejected logs do not count towards CT-compliance
- }
-
- logs = append(logs, log)
- }
- }
- return
-}
-
-// Proof formats hashes so that they can be passed to the merkle package
-func Proof(hashes [][]byte) (p [][sha256.Size]byte) {
- for _, hash := range hashes {
- var h [sha256.Size]byte
- copy(h[:], hash)
- p = append(p, h)
- }
- return
-}
diff --git a/internal/utils/x509.go b/internal/x509/x509.go
index bf99334..949199d 100644
--- a/internal/utils/x509.go
+++ b/internal/x509/x509.go
@@ -1,13 +1,3 @@
-package utils
-
-import (
- "fmt"
-
- ct "github.com/google/certificate-transparency-go"
- "github.com/google/certificate-transparency-go/asn1"
- "github.com/google/certificate-transparency-go/x509/pkix"
-)
-
// Mozilla Public License Version 2.0
// ==================================
//
@@ -407,6 +397,15 @@ import (
// https://gitlab.torproject.org/tpo/onion-services/sauteed-onions/monitor/-/blob/main/follow-go/main.go#L115-124
// https://gitlab.torproject.org/tpo/onion-services/sauteed-onions/monitor/-/blob/main/follow-go/x509.go
// https://github.com/SSLMate/certspotter/blob/54f34077d3bebe8aafce07dcfbffeb928c6e1d04/x509.go#L380
+package x509
+
+import (
+ "fmt"
+
+ ct "github.com/google/certificate-transparency-go"
+ "github.com/google/certificate-transparency-go/asn1"
+ "github.com/google/certificate-transparency-go/x509/pkix"
+)
func SANsFromLeafEntries(startIndex int64, leafEntries []ct.LeafEntry) (sans []string, errs []error) {
for offset, leafEntry := range leafEntries {
diff --git a/snapshot.go b/snapshot.go
index 63402ea..5a9c50e 100644
--- a/snapshot.go
+++ b/snapshot.go
@@ -14,7 +14,6 @@ import (
"time"
"git.cs.kau.se/rasmoste/ct-sans/internal/merkle"
- "git.cs.kau.se/rasmoste/ct-sans/internal/utils"
ct "github.com/google/certificate-transparency-go"
"github.com/google/certificate-transparency-go/client"
"github.com/google/certificate-transparency-go/jsonclient"
@@ -46,7 +45,7 @@ func snapshot(opts options) error {
}
logger.Printf("INFO: updating signed tree heads\n")
- for _, log := range utils.Logs(md) {
+ for _, log := range logs(md) {
id, _ := log.Key.ID()
der, _ := x509.MarshalPKIXPublicKey(log.Key)
dir := fmt.Sprintf("%s/%x", opts.logDirectory, id)
@@ -114,7 +113,7 @@ func snapshot(opts options) error {
nextSTH.TreeSize,
[sha256.Size]byte(currSTH.SHA256RootHash),
[sha256.Size]byte(nextSTH.SHA256RootHash),
- utils.Proof(hashes)); err != nil {
+ proof(hashes)); err != nil {
return fmt.Errorf("%s: inconsistent tree: %v", *log.Description, err)
}
if err := os.WriteFile(sthFile, nextSTHBytes, 0644); err != nil {
@@ -124,3 +123,41 @@ func snapshot(opts options) error {
}
return nil
}
+
+// logs select logs that count towards CT-compliance checks. Logs that don't
+// have a description are skipped after printing a warning.
+func logs(md metadata.Metadata) (logs []metadata.Log) {
+ for _, operators := range md.Operators {
+ for _, log := range operators.Logs {
+ if log.Description == nil {
+ fmt.Fprintf(os.Stderr, "WARNING: skipping log without description")
+ continue
+ }
+ if log.State == nil {
+ continue // skip logs with unknown states
+ }
+ if log.State.Name == metadata.LogStatePending {
+ continue // pending logs do not count towards CT-compliance
+ }
+ if log.State.Name == metadata.LogStateRetired {
+ continue // retired logs are not necessarily reachable
+ }
+ if log.State.Name == metadata.LogStateRejected {
+ continue // rejected logs do not count towards CT-compliance
+ }
+
+ logs = append(logs, log)
+ }
+ }
+ return
+}
+
+// proof formats hashes so that they can be passed to the merkle package
+func proof(hashes [][]byte) (p [][sha256.Size]byte) {
+ for _, hash := range hashes {
+ var h [sha256.Size]byte
+ copy(h[:], hash)
+ p = append(p, h)
+ }
+ return
+}