#!/usr/bin/python
# -*- coding: utf-8 -*-
import argparse
import base64
import hashlib
import json
import os
import sys
from datetime import datetime as dt

import leveldb

from josef_lib import *
from josef_leveldb import *
from josef_monitor import verify_inclusion_by_hash
from monitor_conf import *
# def verify_sct(baseurl, sctentry, key, sth_in=None):
# if sth_in is None:
# if baseurl:
# sth = get_sth(baseurl)
# else:
# print "No sth provided!"
# else:
# sth = sth_in
# # Verify signature
# leafcert = base64.b64decode(sctentry["leafcert"])
# if "issuer_key_hash" in sctentry:
# issuer_key_hash = base64.b64decode(sctentry["issuer_key_hash"])
# else:
# issuer_key_hash = None
# try:
# if issuer_key_hash:
# signed_entry = pack_precert(leafcert, issuer_key_hash)
# else:
# signed_entry = pack_cert(leafcert)
# check_sct_signature(baseurl, signed_entry, sctentry["sct"], precert=issuer_key_hash, publickey=key)
# print "Signature OK"
# except AssertionError, e:
# print "ERROR:", e
# except urllib2.HTTPError, e:
# print "ERROR:", e
# except ecdsa.keys.BadSignatureError, e:
# print "ERROR: bad signature"
# # Verify inclusion
# h = get_leaf_hash(base64.b64decode(sctentry["leafcert"]))
# verify_inclusion_by_hash("https://localhost:8080/", h)
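def update_roots(log):
    """Fetch a CT log's accepted-roots list and diff it against the stored copy.

    Every root the log advertises is kept on disk as one file (the base64
    text exactly as served) under ``OUTPUT_DIR + log["name"] + "-roots"``,
    named by the SHA-256 hex digest of its DER encoding.  Roots not yet on
    disk are reported as new and written; stored files whose digest is no
    longer advertised are reported as removed.  Removed files are left in
    place on purpose (the store doubles as history), so a removal is
    reported on every run until the file is cleaned up by hand.

    Args:
        log: one ``ctlogs`` entry; ``log["url"]`` is handed to
             get_all_roots() and ``log["name"]`` names the directory.

    Raises:
        whatever get_all_roots() raises when the log cannot be reached;
        the caller decides whether to carry on with the other logs.

    Note: earlier versions named the files ``str(hash(cert))``.  Python's
    hash() is neither collision resistant nor stable across interpreters
    (it is salted per process on Python 3), which disqualifies it as the
    identity of a trust-anchor store.  A directory written by that scheme
    is reported once as "all removed, all new" on the first run of this
    version.
    """
    roots = get_all_roots(log["url"])
    cert_dir = OUTPUT_DIR + log["name"] + "-roots"
    if not os.path.exists(cert_dir):
        os.makedirs(cert_dir)

    # digest -> (base64 text as served, DER bytes), plus the digests in the
    # order the log served them.  The digest is the only server-derived value
    # that ever reaches the filesystem; it is a fixed-length hex string, so
    # log-supplied data cannot steer the path.
    by_digest = {}
    digests = []
    for cert in roots:
        try:
            der = base64.b64decode(cert)
        except (TypeError, ValueError) as e:  # py2 raises TypeError, py3 binascii.Error
            print("WARNING: skipping undecodable root entry from " + log["name"] + ": " + str(e))
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest not in by_digest:
            digests.append(digest)
        by_digest[digest] = (cert, der)

    # Ignore ".new" leftovers from an interrupted write so they are neither
    # parsed as a root nor reported as a removal.
    loaded_list = [f for f in os.listdir(cert_dir) if not f.endswith(".new")]
    # Compare the full digest list; the previous code sliced off the last
    # entry and so could never store or report the log's last root.
    added, removed = compare_lists(digests, loaded_list)
    # TODO log changes
    if len(added) != 0:
        print(str(len(added)) + " new roots found!")
    if len(removed) != 0:
        print(str(len(removed)) + " roots removed!")

    for item in removed:
        with open(cert_dir + "/" + item) as f:
            root_cert = base64.b64decode(f.read())
        _report_root("Removed Root: ", item, root_cert)

    for item in added:
        data, root_cert = by_digest[item]
        _report_root("New Root: ", item, root_cert)
        fn = cert_dir + "/" + item
        tempname = fn + ".new"
        # Write-then-rename so a crash never leaves a half-written file that
        # a later run would take for a stored root.
        with open(tempname, 'w') as f:
            f.write(data)
        mv_file(tempname, fn)


def _report_root(prefix, item, root_cert):
    """Print one root's identity, or a warning when it is not self-issued.

    subject == issuer is only a cheap plausibility check (it does not verify
    the self-signature); an entry in a roots list that fails it deserves a
    closer look.
    """
    info = get_cert_info(root_cert)
    if info["subject"] == info["issuer"]:
        print(prefix + item + ", " + info["subject"])
    else:
        print("WTF? Not a root...")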
if __name__ == '__main__':
    # Entry point: refresh the stored root set of every log listed in
    # monitor_conf's ctlogs, one log after the other.
    for ct_log in ctlogs:
        update_roots(ct_log)