authorLinus Nordberg <linus@nordu.net>2015-07-16 11:52:27 +0200
committerLinus Nordberg <linus@nordu.net>2015-11-13 17:02:23 +0100
commit35e92d56f1d6085c2fc413adaf8189d55c62cab5 (patch)
tree1b9ee9b3801011c260716c8c4a46d7b073aaf884
parent1a9625f9fb0fb369246188e047a3919b8f69c845 (diff)
Accept any kind of submitted data, not only X.509 certificate chains.
Have add_chain() take a blob instead of a cert leaf and a chain. Rename ct/v1/add-chain -> add-blob. Remove ct/v1/add-pre-chain. Remove chain checking code. Generate allowed_client config matching new HTTP API.
-rw-r--r--src/catlfish.erl10
-rw-r--r--src/v1.erl42
-rwxr-xr-xtools/compileconfig.py3
3 files changed, 14 insertions, 41 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl
index 4bf1cdf..7a28f9f 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -2,7 +2,7 @@
%%% See LICENSE for licensing information.
-module(catlfish).
--export([add_chain/3, entries/2, entry_and_proof/2]).
+-export([add_chain/2, entries/2, entry_and_proof/2]).
-export([known_roots/0, update_known_roots/0]).
-export([init_cache_table/0]).
-export([entryhash_from_entry/1, verify_entry/1, verify_entry/2]).
@@ -131,15 +131,15 @@ add_to_db(Type, LeafCert, CertChain, EntryHash) ->
get_ratelimit_token(Type) ->
ratelimit:get_token(Type).
--spec add_chain(binary(), [binary()], normal|precert) -> {[{_,_},...]}.
-add_chain(LeafCert, CertChain, Type) ->
- EntryHash = crypto:hash(sha256, [LeafCert | CertChain]),
+-spec add_chain(binary(), normal) -> {[{_,_},...]}.
+add_chain(Blob, Type) ->
+ EntryHash = crypto:hash(sha256, Blob),
{TimestampedEntry, Hash} =
case plop:get(EntryHash) of
notfound ->
case get_ratelimit_token(add_chain) of
ok ->
- add_to_db(Type, LeafCert, CertChain, EntryHash);
+ add_to_db(Type, Blob, [], EntryHash);
_ ->
exit({internalerror, "Rate limiting"})
end;
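Review bot: add_chain/2 has no comment stating its new contract: `-spec add_chain(binary(), normal)` narrows `Type` to the single atom `normal`, yet the body still threads `Type` into `add_to_db/4` next to a fixed empty chain, so a reader cannot tell whether the precert path was deliberately retired or merely left unreachable. A short comment above the clause would settle it, e.g. `%% Blob is an opaque leaf: no X.509 parsing, no chain (always []),` followed by `%% and EntryHash is SHA-256 over the blob bytes exactly as submitted.` The rate-limit bucket keeps the name `add_chain` although the endpoint is now add-blob; that is harmless but worth a word in the same comment so nobody "fixes" it later. add_chain/2 continues beyond the end of the hunk.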
diff --git a/src/v1.erl b/src/v1.erl
index 447b36e..eb35ee7 100644
--- a/src/v1.erl
+++ b/src/v1.erl
@@ -30,13 +30,9 @@ check_valid_sth() ->
end.
%% Public functions, i.e. part of URL.
-request(post, ?APPURL_CT_V1, "add-chain", Input) ->
+request(post, ?APPURL_CT_V1, "add-blob", Input) ->
check_valid_sth(),
- add_chain(Input, normal);
-
-request(post, ?APPURL_CT_V1, "add-pre-chain", Input) ->
- check_valid_sth(),
- add_chain(Input, precert);
+ add_blob(Input);
request(get, ?APPURL_CT_V1, "get-sth", _Query) ->
check_valid_sth(),
@@ -151,34 +147,12 @@ internalerror(Text) ->
"~s~n" ++
"</body></html>~n", [Text])}.
--spec add_chain(any(), normal|precert) -> any().
-add_chain(Input, Type) ->
+-spec add_blob(any()) -> any().
+add_blob(Input) ->
case (catch mochijson2:decode(Input)) of
{error, E} ->
- err400("add-chain: bad input:", E);
- {struct, [{<<"chain">>, ChainB64List}]} ->
- case decode_chain(ChainB64List) of
- [LeafCert | CertChain] ->
- case x509:normalise_chain(catlfish:known_roots(),
- [LeafCert|CertChain]) of
- {ok, [Leaf | Chain]} ->
- lager:info("adding ~p cert ~p",
- [Type, x509:cert_string(LeafCert)]),
- success(catlfish:add_chain(Leaf, Chain, Type));
- {error, Reason} ->
- lager:info("rejecting ~p: ~p",
- [x509:cert_string(LeafCert), Reason]),
- err400("add-chain: invalid chain", Reason)
- end;
- {invalid, ErrText} ->
- err400(io:format("add-chain: ~p", [ErrText]), [ChainB64List])
- end;
- _ -> err400("add-chain: missing input: chain", Input)
- end.
-
--spec decode_chain(string()) -> {invalid, string()} | [binary()].
-decode_chain(B64List) ->
- case (catch [base64:decode(X) || X <- B64List]) of
- {'EXIT', _} -> {invalid, "invalid base64-encoded chain"};
- L -> L
+ err400("add-blob: bad input:", E);
+ {struct, [{<<"blob">>, Blob}]} ->
+ success(catlfish:add_chain(Blob, normal));
+ _ -> err400("add-blob: missing input: blob", Input)
end.
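Review bot: The `{struct, [{<<"blob">>, Blob}]}` clause accepts any JSON value for `blob` — a number, `true`, `null`, a nested object — and hands it unchecked to `catlfish:add_chain/2`, where `crypto:hash(sha256, Blob)` raises badarg for anything that is not iodata, so a syntactically valid request with the wrong value type surfaces as an internal error rather than the 400 the neighbouring clauses return (the removed path at least failed inside `decode_chain/1`). mochijson2 decodes JSON strings as binaries by default, so guard the clause at this trust boundary: `{struct, [{<<"blob">>, Blob}]} when is_binary(Blob) ->`, which also makes the call line up with the `binary()` in add_chain/2's spec. Nothing visible in this hunk bounds the size of `Blob`; if the HTTP layer does not already cap the request body, a `byte_size/1` check here would be the natural place, but that depends on configuration outside this file.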
diff --git a/tools/compileconfig.py b/tools/compileconfig.py
index 25518ee..b7092f9 100755
--- a/tools/compileconfig.py
+++ b/tools/compileconfig.py
@@ -147,8 +147,7 @@ def allowed_clients_mergesecondary(primarymergenode):
def allowed_clients_public():
noauth = Symbol("noauth")
return [
- ("/ct/v1/add-chain", noauth),
- ("/ct/v1/add-pre-chain", noauth),
+ ("/ct/v1/add-blob", noauth),
("/ct/v1/get-sth", noauth),
("/ct/v1/get-sth-consistency", noauth),
("/ct/v1/get-proof-by-hash", noauth),