From b87783cc3dc39d5b2aa1c170cf5afaefc289c85a Mon Sep 17 00:00:00 2001
From: Linus Nordberg <linus@nordu.net>
Date: Sat, 26 Sep 2015 21:14:38 +0200
Subject: Base64-decode submitted blobs and treat them as leaf certs.

---
 src/catlfish.erl | 29 ++++++++++++-----------------
 src/v1.erl       | 10 ++++++++--
 2 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/src/catlfish.erl b/src/catlfish.erl
index 7a28f9f..e3b5939 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -2,7 +2,7 @@
 %%% See LICENSE for licensing information.
 
 -module(catlfish).
--export([add_chain/2, entries/2, entry_and_proof/2]).
+-export([add_chain/3, entries/2, entry_and_proof/2]).
 -export([known_roots/0, update_known_roots/0]).
 -export([init_cache_table/0]).
 -export([entryhash_from_entry/1, verify_entry/1, verify_entry/2]).
@@ -131,15 +131,15 @@ add_to_db(Type, LeafCert, CertChain, EntryHash) ->
 get_ratelimit_token(Type) ->
     ratelimit:get_token(Type).
 
--spec add_chain(binary(), normal) -> {[{_,_},...]}.
-add_chain(Blob, Type) ->
-    EntryHash = crypto:hash(sha256, Blob),
+-spec add_chain(binary(), [binary()], normal|precert) -> {[{_,_},...]}.
+add_chain(LeafCert, CertChain, Type) ->
+    EntryHash = crypto:hash(sha256, [LeafCert | CertChain]),
     {TimestampedEntry, Hash} =
         case plop:get(EntryHash) of
             notfound ->
                 case get_ratelimit_token(add_chain) of
                     ok ->
-                        add_to_db(Type, Blob, [], EntryHash);
+                        add_to_db(Type, LeafCert, CertChain, EntryHash);
                     _ ->
                         exit({internalerror, "Rate limiting"})
                 end;
@@ -271,18 +271,13 @@ verify_entry(Entry) ->
     verify_entry(Entry, RootCerts).
 
 %% Used from plop.
-verify_entry(PackedEntry, RootCerts) ->
-    {_Type, MTLText, Cert, Chain} = unpack_entry(PackedEntry),
-    case x509:normalise_chain(RootCerts, [Cert | Chain]) of
-        {ok, [Cert | FullChain]} ->
-            case verify_mtl(deserialise_mtl(MTLText), Cert, FullChain) of
-                ok ->
-                    {ok, ht:leaf_hash(MTLText)};
-                error ->
-                    {error, "MTL verification failed"}
-            end;
-        {error, Reason} ->
-            {error, Reason}
+verify_entry(PackedEntry, _RootCerts) ->
+    {_Type, MTLText, Cert, _Chain} = unpack_entry(PackedEntry),
+    case verify_mtl(deserialise_mtl(MTLText), Cert, []) of
+        ok ->
+            {ok, ht:leaf_hash(MTLText)};
+        error ->
+            {error, "MTL verification failed"}
     end.
 
 %% Used from plop.
diff --git a/src/v1.erl b/src/v1.erl
index eb35ee7..40e93f2 100644
--- a/src/v1.erl
+++ b/src/v1.erl
@@ -153,6 +153,12 @@ add_blob(Input) ->
         {error, E} ->
             err400("add-blob: bad input:", E);
         {struct, [{<<"blob">>, Blob}]} ->
-            success(catlfish:add_chain(Blob, normal));
-        _ -> err400("add-blob: missing input: blob", Input)
+            case (catch base64:decode(Blob)) of
+                {'EXIT', _} ->
+                    err400("add-blob: invalid base64-encoded blob", Blob);
+                DecodedBlob ->
+                    success(catlfish:add_chain(DecodedBlob, [], normal))
+            end;
+        _ ->
+            err400("add-blob: missing input: blob", Input)
     end.
-- 
cgit v1.1