Wrap entries in plop wrapper

4 files changed, 44 insertions, 26 deletions

diff --git a/src/catlfish.erl b/src/catlfish.erl
index d940147..68e96ea 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -293,27 +293,26 @@ entryhash_from_entry(PackedEntry) ->
 %% Private functions.
 -spec pack_entry(normal|precert, binary(), binary(), [binary()]) -> binary().
 pack_entry(Type, MTLText, EndEntityCert, CertChain) ->
-    list_to_binary(
-      [tlv:encode(<<"MTL1">>, MTLText),
-       tlv:encode(case Type of
-                      normal -> <<"EEC1">>;
-                      precert -> <<"PRC1">>
-                  end, EndEntityCert),
-       tlv:encode(<<"CHN1">>,
-                  list_to_binary(
-                    [tlv:encode(<<"X509">>, E) || E <- CertChain]))]).
+    [{<<"MTL1">>, MTLText},
+     {case Type of
+          normal -> <<"EEC1">>;
+          precert -> <<"PRC1">>
+      end, EndEntityCert},
+     {<<"CHN1">>,
+      list_to_binary(
+        [tlv:encode(<<"X509">>, E) || E <- CertChain])}].
 
 -spec unpack_entry(binary()) -> {normal|precert, binary(), binary(), [binary()]}.
 unpack_entry(Entry) ->
-    {<<"MTL1">>, MTLText, Rest1} = tlv:decode(Entry),
-    {EECType, EndEntityCert, Rest2} = tlv:decode(Rest1),
+    [{<<"MTL1">>, MTLText}|Rest1] = Entry,
+    [{EECType, EndEntityCert}|Rest2] = Rest1,
     Type = case EECType of
                <<"EEC1">> ->
                    normal;
                <<"PRC1">> ->
                    precert
            end,
-    {<<"CHN1">>, PackedChain, _Rest3} = tlv:decode(Rest2), % Ignore rest.
+    [{<<"CHN1">>, PackedChain}|_Rest3] = Rest2,
     Chain = unpack_certchain(PackedChain),
     {Type, MTLText, EndEntityCert, Chain}.
 
diff --git a/tools/merge.py b/tools/merge.py
index 7453fa4..f02ce39 100755
--- a/tools/merge.py
+++ b/tools/merge.py
@@ -22,7 +22,7 @@ from certtools import build_merkle_tree, create_sth_signature, \
     check_sth_signature, get_eckey_from_file, timing_point, http_request, \
     get_public_key_from_file, get_leaf_hash, decode_certificate_chain, \
     create_ssl_context
-from mergetools import parselogrow, get_logorder, read_chain, unpack_entry, \
+from mergetools import parselogrow, get_logorder, read_chain, \
     verify_entry
 
 parser = argparse.ArgumentParser(description="")
diff --git a/tools/mergetools.py b/tools/mergetools.py
index 9f5feee..c3e9688 100644
--- a/tools/mergetools.py
+++ b/tools/mergetools.py
@@ -1,6 +1,7 @@
 # Copyright (c) 2015, NORDUnet A/S.
 # See LICENSE for licensing information.
 import base64
+import hashlib
 import sys
 import struct
 from certtools import get_leaf_hash
@@ -27,21 +28,39 @@ def read_chain(chainsdir, key):
     f.close()
     return value
 
-def unpack_entry(entry):
-    pieces = []
-    while len(entry):
-        (length,) = struct.unpack(">I", entry[0:4])
-        type = entry[4:8]
-        data = entry[8:length]
-        entry = entry[length:]
-        pieces.append(data)
-    return pieces
+def tlv_decode(data):
+    (length,) = struct.unpack(">I", data[0:4])
+    type = data[4:8]
+    value = data[8:length]
+    rest = data[length:]
+    return (type, value, rest)
+
+def tlv_decodelist(data):
+    l = []
+    while len(data):
+        (type, value, rest) = tlv_decode(data)
+        l.append((type, value))
+        data = rest
+    return l
+
+def unwrap_entry(entry):
+    ploplevel = tlv_decodelist(entry)
+    assert(len(ploplevel) == 2)
+    (ploptype, plopdata) = ploplevel[0]
+    (plopchecksumtype, plopchecksum) = ploplevel[1]
+    assert(ploptype == "PLOP")
+    assert(plopchecksumtype == "S256")
+    computedchecksum = hashlib.sha256(plopdata).digest()
+    assert(computedchecksum == plopchecksum)
+    return plopdata
 
 def verify_entry(verifycert, entry, hash):
-    unpacked = unpack_entry(entry)
-    mtl = unpacked[0]
+    packed = unwrap_entry(entry)
+    unpacked = tlv_decodelist(packed)
+    (mtltype, mtl) = unpacked[0]
     assert hash == get_leaf_hash(mtl)
-    s = struct.pack(">I", len(entry)) + entry
+    assert mtltype == "MTL1"
+    s = struct.pack(">I", len(packed)) + packed
     try:
         verifycert.stdin.write(s)
     except IOError, e:
diff --git a/verifycert.erl b/verifycert.erl
index 5ff77c3..0db0051 100755
--- a/verifycert.erl
+++ b/verifycert.erl
@@ -8,7 +8,7 @@ write_reply(Bin) ->
 
 verify(RootCerts, DBEntry) ->
     try
-        case catlfish:verify_entry(DBEntry, RootCerts) of
+        case catlfish:verify_entry(tlv:decodelist(DBEntry), RootCerts) of
             {ok, _MTLHash} ->
                 write_reply(<<0:8>>);
             {error, Reason} ->