diff options
author | Rasmus Dahlberg <rasmus@rgdd.se> | 2023-03-18 13:17:40 +0100 |
---|---|---|
committer | Rasmus Dahlberg <rasmus@rgdd.se> | 2023-03-18 13:17:40 +0100 |
commit | 15ffe76847c4c0383c4d0c0a35fb29d5031d093b (patch) | |
tree | 73001d637ef722bcf11562cdc9b10c809d09a66c | |
parent | c96dabe39386d008985566bf689a3735d0a8f1c8 (diff) |
more light refactoring
-rw-r--r-- | collect.go | 14 | ||||
-rw-r--r-- | internal/utils/utils.go | 47 | ||||
-rw-r--r-- | internal/x509/x509.go (renamed from internal/utils/x509.go) | 19 | ||||
-rw-r--r-- | snapshot.go | 43 |
4 files changed, 56 insertions, 67 deletions
@@ -15,7 +15,7 @@ import ( "git.cs.kau.se/rasmoste/ct-sans/internal/chunk" "git.cs.kau.se/rasmoste/ct-sans/internal/merkle" - "git.cs.kau.se/rasmoste/ct-sans/internal/utils" + "git.cs.kau.se/rasmoste/ct-sans/internal/x509" ct "github.com/google/certificate-transparency-go" "github.com/google/certificate-transparency-go/client" "github.com/google/certificate-transparency-go/jsonclient" @@ -59,13 +59,13 @@ func collect(opts options) error { go func() { await.Add(1) defer await.Done() - handleMetrics(ctx, metricsCh, utils.Logs(md)) + handleMetrics(ctx, metricsCh, logs(md)) }() defer cancel() var wg sync.WaitGroup defer wg.Wait() - for _, log := range utils.Logs(md) { + for _, log := range logs(md) { go func(log metadata.Log) { wg.Add(1) defer wg.Done() @@ -128,7 +128,7 @@ func collect(opts options) error { for i := 0; i < len(eb.Entries); i++ { leafHashes = append(leafHashes, merkle.HashLeafNode(eb.Entries[i].LeafInput)) } - sans, errs := utils.SANsFromLeafEntries(eb.Start, eb.Entries) + sans, errs := x509.SANsFromLeafEntries(eb.Start, eb.Entries) for _, err := range errs { logger.Printf("NOTICE: %s: %v", *log.Description, err) } @@ -242,7 +242,7 @@ func persist(c *chunk.Chunk, if p.LeafIndex != c.Start { return false, fmt.Errorf("log says proof for entry %d is at index %d", c.Start, p.LeafIndex) } - if newTH.RootHash, err = merkle.TreeHeadFromRangeProof(c.LeafHashes, uint64(c.Start), utils.Proof(p.AuditPath)); err != nil { + if newTH.RootHash, err = merkle.TreeHeadFromRangeProof(c.LeafHashes, uint64(c.Start), proof(p.AuditPath)); err != nil { return false, err } @@ -253,7 +253,7 @@ func persist(c *chunk.Chunk, return true, nil // try again later } } - if err := merkle.VerifyConsistency(uint64(oldTH.TreeSize), uint64(newTH.TreeSize), oldTH.RootHash, newTH.RootHash, utils.Proof(hashes)); err != nil { + if err := merkle.VerifyConsistency(uint64(oldTH.TreeSize), uint64(newTH.TreeSize), oldTH.RootHash, newTH.RootHash, proof(hashes)); err != nil { return false, fmt.Errorf("%d %x is inconsistent with on-disk state: %v", newTH.TreeSize, newTH.RootHash, err) } @@ -261,7 +261,7 @@ func persist(c *chunk.Chunk, if hashes, err = cli.GetSTHConsistency(ctx, uint64(newTH.TreeSize), sth.TreeSize); err != nil { return true, nil // try again later } - if err := merkle.VerifyConsistency(uint64(newTH.TreeSize), sth.TreeSize, newTH.RootHash, sth.SHA256RootHash, utils.Proof(hashes)); err != nil { + if err := merkle.VerifyConsistency(uint64(newTH.TreeSize), sth.TreeSize, newTH.RootHash, sth.SHA256RootHash, proof(hashes)); err != nil { return false, fmt.Errorf("%d %x is inconsistent with signed tree head: %v", newTH.TreeSize, newTH.RootHash, err) } diff --git a/internal/utils/utils.go b/internal/utils/utils.go deleted file mode 100644 index 5b27868..0000000 --- a/internal/utils/utils.go +++ /dev/null @@ -1,47 +0,0 @@ -package utils - -import ( - "crypto/sha256" - "fmt" - "os" - - "gitlab.torproject.org/rgdd/ct/pkg/metadata" -) - -// Logs select logs that count towards CT-compliance checks. Logs that don't -// have a description are skipped after printing a warning. -func Logs(md metadata.Metadata) (logs []metadata.Log) { - for _, operators := range md.Operators { - for _, log := range operators.Logs { - if log.Description == nil { - fmt.Fprintf(os.Stderr, "WARNING: skipping log without description") - continue - } - if log.State == nil { - continue // skip logs with unknown states - } - if log.State.Name == metadata.LogStatePending { - continue // pending logs do not count towards CT-compliance - } - if log.State.Name == metadata.LogStateRetired { - continue // retired logs are not necessarily reachable - } - if log.State.Name == metadata.LogStateRejected { - continue // rejected logs do not count towards CT-compliance - } - - logs = append(logs, log) - } - } - return -} - -// Proof formats hashes so that they can be passed to the merkle package -func Proof(hashes [][]byte) (p [][sha256.Size]byte) { - for _, hash := range hashes { - var h [sha256.Size]byte - copy(h[:], hash) - p = append(p, h) - } - return -} diff --git a/internal/utils/x509.go b/internal/x509/x509.go index bf99334..949199d 100644 --- a/internal/utils/x509.go +++ b/internal/x509/x509.go @@ -1,13 +1,3 @@ -package utils - -import ( - "fmt" - - ct "github.com/google/certificate-transparency-go" - "github.com/google/certificate-transparency-go/asn1" - "github.com/google/certificate-transparency-go/x509/pkix" -) - // Mozilla Public License Version 2.0 // ================================== // @@ -407,6 +397,15 @@ import ( // https://gitlab.torproject.org/tpo/onion-services/sauteed-onions/monitor/-/blob/main/follow-go/main.go#L115-124 // https://gitlab.torproject.org/tpo/onion-services/sauteed-onions/monitor/-/blob/main/follow-go/x509.go // https://github.com/SSLMate/certspotter/blob/54f34077d3bebe8aafce07dcfbffeb928c6e1d04/x509.go#L380 +package x509 + +import ( + "fmt" + + ct "github.com/google/certificate-transparency-go" + "github.com/google/certificate-transparency-go/asn1" + "github.com/google/certificate-transparency-go/x509/pkix" +) func SANsFromLeafEntries(startIndex int64, leafEntries []ct.LeafEntry) (sans []string, errs []error) { for offset, leafEntry := range leafEntries { diff --git a/snapshot.go b/snapshot.go index 63402ea..5a9c50e 100644 --- a/snapshot.go +++ b/snapshot.go @@ -14,7 +14,6 @@ import ( "time" "git.cs.kau.se/rasmoste/ct-sans/internal/merkle" - "git.cs.kau.se/rasmoste/ct-sans/internal/utils" ct "github.com/google/certificate-transparency-go" "github.com/google/certificate-transparency-go/client" "github.com/google/certificate-transparency-go/jsonclient" @@ -46,7 +45,7 @@ func snapshot(opts options) error { } logger.Printf("INFO: updating signed tree heads\n") - for _, log := range utils.Logs(md) { + for _, log := range logs(md) { id, _ := log.Key.ID() der, _ := x509.MarshalPKIXPublicKey(log.Key) dir := fmt.Sprintf("%s/%x", opts.logDirectory, id) @@ -114,7 +113,7 @@ func snapshot(opts options) error { nextSTH.TreeSize, [sha256.Size]byte(currSTH.SHA256RootHash), [sha256.Size]byte(nextSTH.SHA256RootHash), - utils.Proof(hashes)); err != nil { + proof(hashes)); err != nil { return fmt.Errorf("%s: inconsistent tree: %v", *log.Description, err) } if err := os.WriteFile(sthFile, nextSTHBytes, 0644); err != nil { @@ -124,3 +123,41 @@ func snapshot(opts options) error { } return nil } + +// logs select logs that count towards CT-compliance checks. Logs that don't +// have a description are skipped after printing a warning. +func logs(md metadata.Metadata) (logs []metadata.Log) { + for _, operators := range md.Operators { + for _, log := range operators.Logs { + if log.Description == nil { + fmt.Fprintf(os.Stderr, "WARNING: skipping log without description") + continue + } + if log.State == nil { + continue // skip logs with unknown states + } + if log.State.Name == metadata.LogStatePending { + continue // pending logs do not count towards CT-compliance + } + if log.State.Name == metadata.LogStateRetired { + continue // retired logs are not necessarily reachable + } + if log.State.Name == metadata.LogStateRejected { + continue // rejected logs do not count towards CT-compliance + } + + logs = append(logs, log) + } + } + return +} + +// proof formats hashes so that they can be passed to the merkle package +func proof(hashes [][]byte) (p [][sha256.Size]byte) { + for _, hash := range hashes { + var h [sha256.Size]byte + copy(h[:], hash) + p = append(p, h) + } + return +} |