From eabf3612c5efe3b344366802db9f4de36871bacf Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Thu, 16 Jul 2015 11:52:27 +0200
Subject: Accept any kind of submitted data, not only X.509 certificate chains.

Have add_chain() take a blob instead of a cert leaf and a chain.
Rename ct/v1/add-chain -> add-blob.
Remove ct/v1/add-pre-chain.
Remove chain checking code.
Generate allowed_client config matching new HTTP API.
---
 src/catlfish.erl | 10 +++++-----
 src/v1.erl | 42 ++++++++----------------------------------
 tools/compileconfig.py | 3 +--
 3 files changed, 14 insertions(+), 41 deletions(-)

diff --git a/src/catlfish.erl b/src/catlfish.erl
index 4bf1cdf..7a28f9f 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -2,7 +2,7 @@
 %%% See LICENSE for licensing information.
 
 -module(catlfish).
--export([add_chain/3, entries/2, entry_and_proof/2]).
+-export([add_chain/2, entries/2, entry_and_proof/2]).
 -export([known_roots/0, update_known_roots/0]).
 -export([init_cache_table/0]).
 -export([entryhash_from_entry/1, verify_entry/1, verify_entry/2]).
@@ -131,15 +131,15 @@ add_to_db(Type, LeafCert, CertChain, EntryHash) ->
 get_ratelimit_token(Type) ->
 ratelimit:get_token(Type).
 
--spec add_chain(binary(), [binary()], normal|precert) -> {[{_,_},...]}.
-add_chain(LeafCert, CertChain, Type) ->
- EntryHash = crypto:hash(sha256, [LeafCert | CertChain]),
+-spec add_chain(binary(), normal) -> {[{_,_},...]}.
+add_chain(Blob, Type) ->
+ EntryHash = crypto:hash(sha256, Blob),
 {TimestampedEntry, Hash} =
 case plop:get(EntryHash) of
 notfound ->
 case get_ratelimit_token(add_chain) of
 ok ->
- add_to_db(Type, LeafCert, CertChain, EntryHash);
+ add_to_db(Type, Blob, [], EntryHash);
 _ ->
 exit({internalerror, "Rate limiting"})
 end;
diff --git a/src/v1.erl b/src/v1.erl
index e066cdd..d89b521 100644
--- a/src/v1.erl
+++ b/src/v1.erl
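Review bot: In the `@@ -131` hunk, `add_chain(Blob, Type)` still binds `Type` and forwards it to `add_to_db/4`, while the new spec admits only the atom `normal`; a stale caller still passing `precert` is accepted at runtime and only Dialyzer would notice. Pinning the head instead, `add_chain(Blob, normal) ->` with `add_to_db(normal, Blob, [], EntryHash)`, makes such a caller fail fast with `function_clause` and keeps the spec and the code in agreement. Separately, nothing on this path bounds `byte_size(Blob)` before it is hashed and handed to `add_to_db/4`; the removed x509 normalisation implicitly constrained what could be submitted, and `get_ratelimit_token(add_chain)` appears to be requested per call rather than per byte, so an explicit maximum here, or a comment naming where the size limit is enforced, would be worth adding. The body of `add_chain/2` continues past the end of the hunk.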
@@ -28,13 +28,9 @@ check_valid_sth() ->
 end.
 
 %% Public functions, i.e. part of URL.
-request(post, "ct/v1/add-chain", Input) ->
+request(post, "ct/v1/add-blob", Input) ->
 check_valid_sth(),
- add_chain(Input, normal);
-
-request(post, "ct/v1/add-pre-chain", Input) ->
- check_valid_sth(),
- add_chain(Input, precert);
+ add_blob(Input);
 
 request(get, "ct/v1/get-sth", _Query) ->
 check_valid_sth(),
@@ -149,34 +145,12 @@ internalerror(Text) ->
 "~s~n" ++
 "~n", [Text])}.
 
--spec add_chain(any(), normal|precert) -> any().
-add_chain(Input, Type) ->
+-spec add_blob(any()) -> any().
+add_blob(Input) ->
 case (catch mochijson2:decode(Input)) of
 {error, E} ->
- err400("add-chain: bad input:", E);
- {struct, [{<<"chain">>, ChainB64List}]} ->
- case decode_chain(ChainB64List) of
- [LeafCert | CertChain] ->
- case x509:normalise_chain(catlfish:known_roots(),
- [LeafCert|CertChain]) of
- {ok, [Leaf | Chain]} ->
- lager:info("adding ~p cert ~p",
- [Type, x509:cert_string(LeafCert)]),
- success(catlfish:add_chain(Leaf, Chain, Type));
- {error, Reason} ->
- lager:info("rejecting ~p: ~p",
- [x509:cert_string(LeafCert), Reason]),
- err400("add-chain: invalid chain", Reason)
- end;
- {invalid, ErrText} ->
- err400(io:format("add-chain: ~p", [ErrText]), [ChainB64List])
- end;
- _ -> err400("add-chain: missing input: chain", Input)
- end.
-
--spec decode_chain(string()) -> {invalid, string()} | [binary()].
-decode_chain(B64List) ->
- case (catch [base64:decode(X) || X <- B64List]) of
- {'EXIT', _} -> {invalid, "invalid base64-encoded chain"};
- L -> L
+ err400("add-blob: bad input:", E);
+ {struct, [{<<"blob">>, Blob}]} ->
+ success(catlfish:add_chain(Blob, normal));
+ _ -> err400("add-blob: missing input: blob", Input)
 end.
diff --git a/tools/compileconfig.py b/tools/compileconfig.py
index cac1be6..6881705 100755
--- a/tools/compileconfig.py
+++ b/tools/compileconfig.py
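Review bot: In the `@@ -149` hunk, `add_blob/1` passes whatever mochijson2 decoded for `"blob"` straight to `catlfish:add_chain/2`, whose spec expects `binary()`; a JSON number, boolean, `null` or array also binds `Blob` and reaches `crypto:hash/2`, and an array of strings is valid iodata that would hash and be stored rather than rejected. Constrain the clause, `{struct, [{<<"blob">>, Blob}]} when is_binary(Blob) ->`, so non-string values fall through to the existing `err400` branch. Unlike the removed `decode_chain/1`, no base64 decoding happens here, so the entry written is the literal JSON string value; presumably that is the intent of the new blob API, but a one-line comment on the clause stating the expected encoding would save the next reader from guessing. The accept-side `lager:info` call is also gone, so successful submissions no longer leave a log record of what was added.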
@@ -135,8 +135,7 @@ def allowed_clients_mergesecondary(primarymergenode):
 def allowed_clients_public():
 noauth = Symbol("noauth")
 return [
- ("/ct/v1/add-chain", noauth),
- ("/ct/v1/add-pre-chain", noauth),
+ ("/ct/v1/add-blob", noauth),
 ("/ct/v1/get-sth", noauth),
 ("/ct/v1/get-sth-consistency", noauth),
 ("/ct/v1/get-proof-by-hash", noauth),
--
cgit v1.1