diff options
author | Linus Nordberg <linus@nordu.net> | 2015-07-16 11:52:27 +0200 |
---|---|---|
committer | Linus Nordberg <linus@nordu.net> | 2016-02-01 11:40:25 +0100 |
commit | 3af793842f9feb2d8ae09075d596ac9e1c50bf99 (patch) | |
tree | a21a35d94129577563273c7fd4f56eb72cc21ea2 | |
parent | f1fb5a44dd8f1560040cccaf455d5786326bf264 (diff) |
Accept any kind of submitted data, not only X.509 certificate chains.
Have add_chain() take a blob instead of a cert leaf and a chain.
Rename ct/v1/add-chain -> add-blob.
Remove ct/v1/add-pre-chain.
Remove chain checking code.
Generate allowed_client config matching new HTTP API.
-rw-r--r-- | src/catlfish.erl | 10 | ||||
-rw-r--r-- | src/v1.erl | 42 | ||||
-rwxr-xr-x | tools/compileconfig.py | 3 |
3 files changed, 14 insertions, 41 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl index 4bf1cdf..7a28f9f 100644 --- a/src/catlfish.erl +++ b/src/catlfish.erl @@ -2,7 +2,7 @@ %%% See LICENSE for licensing information. -module(catlfish). --export([add_chain/3, entries/2, entry_and_proof/2]). +-export([add_chain/2, entries/2, entry_and_proof/2]). -export([known_roots/0, update_known_roots/0]). -export([init_cache_table/0]). -export([entryhash_from_entry/1, verify_entry/1, verify_entry/2]). @@ -131,15 +131,15 @@ add_to_db(Type, LeafCert, CertChain, EntryHash) -> get_ratelimit_token(Type) -> ratelimit:get_token(Type). --spec add_chain(binary(), [binary()], normal|precert) -> {[{_,_},...]}. -add_chain(LeafCert, CertChain, Type) -> - EntryHash = crypto:hash(sha256, [LeafCert | CertChain]), +-spec add_chain(binary(), normal) -> {[{_,_},...]}. +add_chain(Blob, Type) -> + EntryHash = crypto:hash(sha256, Blob), {TimestampedEntry, Hash} = case plop:get(EntryHash) of notfound -> case get_ratelimit_token(add_chain) of ok -> - add_to_db(Type, LeafCert, CertChain, EntryHash); + add_to_db(Type, Blob, [], EntryHash); _ -> exit({internalerror, "Rate limiting"}) end; @@ -30,13 +30,9 @@ check_valid_sth() -> end. %% Public functions, i.e. part of URL. -request(post, ?APPURL_CT_V1, "add-chain", Input) -> +request(post, ?APPURL_CT_V1, "add-blob", Input) -> check_valid_sth(), - add_chain(Input, normal); - -request(post, ?APPURL_CT_V1, "add-pre-chain", Input) -> - check_valid_sth(), - add_chain(Input, precert); + add_blob(Input); request(get, ?APPURL_CT_V1, "get-sth", _Query) -> check_valid_sth(), @@ -151,34 +147,12 @@ internalerror(Text) -> "~s~n" ++ "</body></html>~n", [Text])}. --spec add_chain(any(), normal|precert) -> any(). -add_chain(Input, Type) -> +-spec add_blob(any()) -> any(). +add_blob(Input) -> case (catch mochijson2:decode(Input)) of {error, E} -> - err400("add-chain: bad input:", E); - {struct, [{<<"chain">>, ChainB64List}]} -> - case decode_chain(ChainB64List) of - [LeafCert | CertChain] -> - case x509:normalise_chain(catlfish:known_roots(), - [LeafCert|CertChain]) of - {ok, [Leaf | Chain]} -> - lager:info("adding ~p cert ~p", - [Type, x509:cert_string(LeafCert)]), - success(catlfish:add_chain(Leaf, Chain, Type)); - {error, Reason} -> - lager:info("rejecting ~p: ~p", - [x509:cert_string(LeafCert), Reason]), - err400("add-chain: invalid chain", Reason) - end; - {invalid, ErrText} -> - err400(io:format("add-chain: ~p", [ErrText]), [ChainB64List]) - end; - _ -> err400("add-chain: missing input: chain", Input) - end. - --spec decode_chain(string()) -> {invalid, string()} | [binary()]. -decode_chain(B64List) -> - case (catch [base64:decode(X) || X <- B64List]) of - {'EXIT', _} -> {invalid, "invalid base64-encoded chain"}; - L -> L + err400("add-blob: bad input:", E); + {struct, [{<<"blob">>, Blob}]} -> + success(catlfish:add_chain(Blob, normal)); + _ -> err400("add-blob: missing input: blob", Input) end. diff --git a/tools/compileconfig.py b/tools/compileconfig.py index 25518ee..b7092f9 100755 --- a/tools/compileconfig.py +++ b/tools/compileconfig.py @@ -147,8 +147,7 @@ def allowed_clients_mergesecondary(primarymergenode): def allowed_clients_public(): noauth = Symbol("noauth") return [ - ("/ct/v1/add-chain", noauth), - ("/ct/v1/add-pre-chain", noauth), + ("/ct/v1/add-blob", noauth), ("/ct/v1/get-sth", noauth), ("/ct/v1/get-sth-consistency", noauth), ("/ct/v1/get-proof-by-hash", noauth), |