Diffstat (limited to 'monitor/josef_experimental.py')
| -rwxr-xr-x | monitor/josef_experimental.py | 121 |
1 files changed, 87 insertions, 34 deletions
diff --git a/monitor/josef_experimental.py b/monitor/josef_experimental.py
index 3e34584..97ea876 100755
--- a/monitor/josef_experimental.py
+++ b/monitor/josef_experimental.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 import sys
+import os
 from josef_lib import *
 import leveldb
 import argparse
@@ -9,51 +10,103 @@ import json from josef_leveldb import * from datetime import datetime as dt from josef_monitor import verify_inclusion_by_hash - - -def verify_sct(baseurl, sctentry, key, sth_in=None): - if sth_in is None: - if baseurl: - sth = get_sth(baseurl) - else: - print "No sth provided!" - else: - sth = sth_in - - # Verify signature - leafcert = base64.b64decode(sctentry["leafcert"]) - if "issuer_key_hash" in sctentry: - issuer_key_hash = base64.b64decode(sctentry["issuer_key_hash"]) - else: - issuer_key_hash = None - try: - if issuer_key_hash: - signed_entry = pack_precert(leafcert, issuer_key_hash) - else: - signed_entry = pack_cert(leafcert) - check_sct_signature(baseurl, signed_entry, sctentry["sct"], precert=issuer_key_hash, publickey=key) - print "Signature OK" - except AssertionError, e: - print "ERROR:", e - except urllib2.HTTPError, e: - print "ERROR:", e - except ecdsa.keys.BadSignatureError, e: - print "ERROR: bad signature" +from monitor_conf import * + + +# def verify_sct(baseurl, sctentry, key, sth_in=None): +# if sth_in is None: +# if baseurl: +# sth = get_sth(baseurl) +# else: +# print "No sth provided!" 
+# else: +# sth = sth_in + +# # Verify signature +# leafcert = base64.b64decode(sctentry["leafcert"]) +# if "issuer_key_hash" in sctentry: +# issuer_key_hash = base64.b64decode(sctentry["issuer_key_hash"]) +# else: +# issuer_key_hash = None +# try: +# if issuer_key_hash: +# signed_entry = pack_precert(leafcert, issuer_key_hash) +# else: +# signed_entry = pack_cert(leafcert) +# check_sct_signature(baseurl, signed_entry, sctentry["sct"], precert=issuer_key_hash, publickey=key) +# print "Signature OK" +# except AssertionError, e: +# print "ERROR:", e +# except urllib2.HTTPError, e: +# print "ERROR:", e +# except ecdsa.keys.BadSignatureError, e: +# print "ERROR: bad signature" - # Verify inclusion - h = get_leaf_hash(base64.b64decode(sctentry["leafcert"])) +# # Verify inclusion +# h = get_leaf_hash(base64.b64decode(sctentry["leafcert"])) - verify_inclusion_by_hash("https://localhost:8080/", h) +# verify_inclusion_by_hash("https://localhost:8080/", h) +def update_roots(log): + roots_hash = None + roots = get_all_roots(log["url"]) + new_roots_hash = str(hash(str(roots))) -if __name__ == '__main__': + if new_roots_hash != roots_hash: + cert_dir = OUTPUT_DIR + log["name"] + "-roots" + if not os.path.exists(cert_dir): + os.makedirs(cert_dir) + + hash_list = [] + for cert in roots: + h = str(hash(str(cert))) + hash_list.append(h) + + loaded_list = os.listdir(cert_dir) + + added, removed = compare_lists(hash_list[:-1], loaded_list) + # TODO log changes + if len(added) != 0: + print str(len(added)) + " new roots found!" + if len(removed) != 0: + print str(len(removed)) + " roots removed!" + for item in removed: + data = open(cert_dir + "/" + item).read() + root_cert = base64.decodestring(data) + subject = get_cert_info(root_cert)["subject"] + issuer = get_cert_info(root_cert)["issuer"] + if subject == issuer: + print "Removed Root: " + item + ", " + subject + else: + print "WTF? Not a root..." 
+ + + for item in added: + root_cert = base64.decodestring(roots[hash_list.index(item)]) + subject = get_cert_info(root_cert)["subject"] + issuer = get_cert_info(root_cert)["issuer"] + if subject == issuer: + print "New Root: " + item + ", " + subject + else: + print "WTF? Not a root..." + + fn = cert_dir + "/" + item + tempname = fn + ".new" + data = roots[hash_list.index(item)] + open(tempname, 'w').write(data) + mv_file(tempname, fn) + + +if __name__ == '__main__': + for log in ctlogs: + update_roots(log) |
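Review bot: In update_roots the identity of each root certificate is derived from Python's built-in `hash()` (`new_roots_hash = str(hash(str(roots)))` and `h = str(hash(str(cert)))`), a short non-cryptographic value that is not guaranteed stable across interpreter builds (32- vs 64-bit, and randomised per process on Python 3) and can collide, so a root could be mistaken for one already on disk or every root could be reported as "new" after a platform move; a stable digest such as `h = hashlib.sha256(cert).hexdigest()` (with `hashlib` imported at the top of the file) keeps the on-disk file names meaningful across runs. Because `roots_hash = None` is never updated, `new_roots_hash != roots_hash` is always true and the comparison is dead code, so the function rescans unconditionally. `compare_lists(hash_list[:-1], loaded_list)` drops the last root from the comparison, so that root is never written to cert_dir unless the slice is intentional — worth a comment either way. `open(tempname, 'w').write(data)` relies on the handle being closed before `mv_file` runs; `with open(tempname, 'w') as f: f.write(data)` makes the ordering explicit.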
