File: cert_submission_handler.cc

package info (click to toggle)
golang-github-google-certificate-transparency 0.0~git20160709.0.0f6e3d1~ds1-3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bullseye, buster
  • size: 5,676 kB
  • sloc: cpp: 35,278; python: 11,838; java: 1,911; sh: 1,885; makefile: 950; xml: 520; ansic: 225
file content (173 lines) | stat: -rw-r--r-- 4,890 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
 
#include "log/cert_submission_handler.h"

#include <glog/logging.h>
#include <string>

#include "log/cert.h"
#include "log/cert_checker.h"
#include "log/ct_extensions.h"
#include "proto/ct.pb.h"
#include "proto/serializer.h"

using cert_trans::Cert;
using cert_trans::CertChain;
using cert_trans::CertChecker;
using cert_trans::PreCertChain;
using cert_trans::TbsCertificate;
using ct::LogEntry;
using ct::PrecertChainEntry;
using ct::X509ChainEntry;
using std::string;
using util::Status;
using util::StatusOr;

namespace cert_trans {
namespace {


bool SerializedTbs(const Cert& cert, string* result) {
  const StatusOr<bool> has_embedded_proof = cert.HasExtension(
      cert_trans::NID_ctEmbeddedSignedCertificateTimestampList);
  if (!has_embedded_proof.ok()) {
    return false;
  }

  // Delete the embedded proof.
  TbsCertificate tbs(cert);
  if (!tbs.IsLoaded()) {
    return false;
  }

  if (has_embedded_proof.ValueOrDie() &&
      !tbs.DeleteExtension(
              cert_trans::NID_ctEmbeddedSignedCertificateTimestampList)
           .ok()) {
    return false;
  }

  string der_tbs;
  if (!tbs.DerEncoding(&der_tbs).ok()) {
    return false;
  }

  result->assign(der_tbs);
  return true;
}


}  // namespace


// TODO(ekasper): handle Cert errors consistently and log some errors here
// if they fail.
CertSubmissionHandler::CertSubmissionHandler(const CertChecker* cert_checker)
    : cert_checker_(CHECK_NOTNULL(cert_checker)) {
}


// static
bool CertSubmissionHandler::X509ChainToEntry(const CertChain& chain,
                                             LogEntry* entry) {
  if (!chain.IsLoaded()) {
    return false;
  }

  const StatusOr<bool> has_embedded_proof = chain.LeafCert()->HasExtension(
      cert_trans::NID_ctEmbeddedSignedCertificateTimestampList);
  if (!has_embedded_proof.ok()) {
    LOG(ERROR) << "Failed to check embedded SCT extension.";
    return false;
  }

  if (has_embedded_proof.ValueOrDie()) {
    if (chain.Length() < 2) {
      // need issuer
      return false;
    }

    entry->set_type(ct::PRECERT_ENTRY);
    string key_hash;
    if (chain.CertAt(1)->SPKISha256Digest(&key_hash) != Status::OK) {
      return false;
    }

    entry->mutable_precert_entry()->mutable_pre_cert()->set_issuer_key_hash(
        key_hash);

    string tbs;
    if (!SerializedTbs(*chain.LeafCert(), &tbs))
      return false;

    entry->mutable_precert_entry()->mutable_pre_cert()->set_tbs_certificate(
        tbs);
    return true;
  } else {
    entry->set_type(ct::X509_ENTRY);
    string der_cert;
    if (chain.LeafCert()->DerEncoding(&der_cert) != Status::OK) {
      return false;
    }

    entry->mutable_x509_entry()->set_leaf_certificate(der_cert);
    return true;
  }
}


Status CertSubmissionHandler::ProcessX509Submission(CertChain* chain,
                                                    LogEntry* entry) const {
  entry->set_type(ct::X509_ENTRY);
  if (!chain->IsLoaded())
    return Status(util::error::INVALID_ARGUMENT, "empty submission");

  const Status status(cert_checker_->CheckCertChain(chain));
  if (!status.ok())
    return status;

  // We have a valid chain; make the entry.
  string der_cert;
  // Nothing should fail anymore as we have validated the chain.
  if (chain->LeafCert()->DerEncoding(&der_cert) != Status::OK) {
    return Status(util::error::INTERNAL, "could not DER-encode the chain");
  }

  X509ChainEntry* x509_entry = entry->mutable_x509_entry();
  x509_entry->set_leaf_certificate(der_cert);
  for (size_t i = 1; i < chain->Length(); ++i) {
    if (chain->CertAt(i)->DerEncoding(&der_cert) != Status::OK) {
      return Status(util::error::INTERNAL, "could not DER-encode the chain");
    }
    x509_entry->add_certificate_chain(der_cert);
  }
  return Status::OK;
}


Status CertSubmissionHandler::ProcessPreCertSubmission(PreCertChain* chain,
                                                       LogEntry* entry) const {
  entry->set_type(ct::PRECERT_ENTRY);
  PrecertChainEntry* precert_entry = entry->mutable_precert_entry();
  const Status status(cert_checker_->CheckPreCertChain(
      chain, precert_entry->mutable_pre_cert()->mutable_issuer_key_hash(),
      precert_entry->mutable_pre_cert()->mutable_tbs_certificate()));

  if (!status.ok())
    return status;

  // We have a valid chain; make the entry.
  string der_cert;
  // Nothing should fail anymore as we have validated the chain.
  if (chain->LeafCert()->DerEncoding(&der_cert) != Status::OK) {
    return Status(util::error::INTERNAL, "could not DER-encode the chain");
  }
  precert_entry->set_pre_certificate(der_cert);
  for (size_t i = 1; i < chain->Length(); ++i) {
    if (chain->CertAt(i)->DerEncoding(&der_cert) != Status::OK)
      return Status(util::error::INTERNAL, "could not DER-encode the chain");
    precert_entry->add_precertificate_chain(der_cert);
  }
  return Status::OK;
}


}  // namespace cert_trans