From 0a76e4d080a8349456d04434dcb2d4b381eb8ec4 Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp <map@kth.se>
Date: Wed, 18 Mar 2015 14:27:18 +0100
Subject: Added precert handling for SCT calculation

---
 tools/submitcert.py | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

(limited to 'tools/submitcert.py')

diff --git a/tools/submitcert.py b/tools/submitcert.py
index 1c79544..2e8cc33 100755
--- a/tools/submitcert.py
+++ b/tools/submitcert.py
@@ -13,6 +13,11 @@ import struct
 import hashlib
 import itertools
 from certtools import *
+from certtools import *
+try:
+    from precerttools import *
+except ImportError:
+    pass
 import os
 import signal
 import select
@@ -51,8 +56,20 @@ def submitcert((certfile, cert)):
 
     try:
         if precert:
+            if ext_key_usage_precert_signing_cert in get_ext_key_usage(certchain[0]):
+                issuer_key_hash = get_cert_key_hash(certchain[1])
+                issuer = certchain[1]
+            else:
+                issuer_key_hash = get_cert_key_hash(certchain[0])
+                issuer = None
+            cleanedcert = cleanprecert(precert, issuer=issuer)
+            signed_entry = pack_precert(cleanedcert, issuer_key_hash)
+            leafcert = cleanedcert
             result = add_prechain(baseurl, {"chain":map(base64.b64encode, [precert] + certchain)})
         else:
+            signed_entry = pack_cert(certchain[0])
+            leafcert = certchain[0]
+            issuer_key_hash = None
             result = add_chain(baseurl, {"chain":map(base64.b64encode, certchain)})
     except SystemExit:
         print "EXIT:", certfile
@@ -67,7 +84,7 @@ def submitcert((certfile, cert)):
 
     try:
         if args.check_sct:
-            check_sct_signature(baseurl, certchain[0], result)
+            check_sct_signature(baseurl, signed_entry, result, precert=precert)
             timing_point(timing, "checksig")
     except AssertionError, e:
         print "ERROR:", certfile, e
@@ -81,7 +98,7 @@ def submitcert((certfile, cert)):
 
     if lookup_in_log:
 
-        merkle_tree_leaf = pack_mtl(result["timestamp"], certchain[0])
+        merkle_tree_leaf = pack_mtl(result["timestamp"], leafcert)
 
         leaf_hash = get_leaf_hash(merkle_tree_leaf)
 
@@ -119,7 +136,7 @@ def submitcert((certfile, cert)):
             print "and submitted chain has length", len(submittedcertchain)
 
     timing_point(timing, "lookup")
-    return ((certchain[0], result), timing["deltatimes"])
+    return ((leafcert, issuer_key_hash, result), timing["deltatimes"])
 
 def get_ncerts(certfiles):
     n = 0
@@ -142,9 +159,12 @@ def get_all_certificates(certfiles):
         else:
             yield (certfile, open(certfile).read())
 
-def save_sct(sct, sth):
+def save_sct(sct, sth, leafcert, issuer_key_hash):
     sctlog = open(args.sct_file, "a")
-    json.dump({"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}, sctlog)
+    sctentry = {"leafcert": base64.b64encode(leafcert), "sct": sct, "sth": sth}
+    if issuer_key_hash:
+        sctentry["issuer_key_hash"] = base64.b64encode(issuer_key_hash)
+    json.dump(sctentry, sctlog)
     sctlog.write("\n")
     sctlog.close()
 
@@ -163,8 +183,8 @@ certs = get_all_certificates(certfiles)
 (result, timing) = submitcert(certs.next())
 if result != None:
     nsubmitted += 1
-    (leafcert, sct) = result
-    save_sct(sct, sth)
+    (leafcert, issuer_key_hash, sct) = result
+    save_sct(sct, sth, leafcert, issuer_key_hash)
 
 if args.pre_warm:
     select.select([], [], [], 3.0)
@@ -181,8 +201,8 @@ try:
             sys.exit(1)
         if result != None:
             nsubmitted += 1
-            (leafcert, sct) = result
-            save_sct(sct, sth)
+            (leafcert, issuer_key_hash, sct) = result
+            save_sct(sct, sth, leafcert, issuer_key_hash)
         deltatime = datetime.datetime.now() - starttime
         deltatime_f = deltatime.seconds + deltatime.microseconds / 1000000.0
         rate = nsubmitted / deltatime_f
-- 
cgit v1.1