certspotter/auditing.go

package ctwatch

import (
	"github.com/google/certificate-transparency/go"
	"bytes"
	"crypto/sha256"
)

func reverseHashes (hashes []ct.MerkleTreeNode) {
	for i := 0; i < len(hashes) / 2; i++ {
		j := len(hashes) - i - 1
		hashes[i], hashes[j] = hashes[j], hashes[i]
	}
}

func VerifyConsistencyProof (proof ct.ConsistencyProof, first *ct.SignedTreeHead, second *ct.SignedTreeHead) (bool, []ct.MerkleTreeNode) {
	if second.TreeSize < first.TreeSize {
		// Can't be consistent if tree got smaller
		return false, nil
	}
	if first.TreeSize == second.TreeSize {
		return bytes.Equal(first.SHA256RootHash[:], second.SHA256RootHash[:]) && len(proof) == 0, nil
	}
	if first.TreeSize == 0 {
		// The purpose of the consistency proof is to ensure the append-only
		// nature of the tree; i.e. that the first tree is a "prefix" of the
		// second tree.  If the first tree is empty, then it's trivially a prefix
		// of the second tree, so no proof is needed.
		return len(proof) == 0, nil
	}
	// Guaranteed that 0 < first.TreeSize < second.TreeSize

	node := first.TreeSize - 1
	lastNode := second.TreeSize - 1

	// While we're the right child, everything is in both trees, so move one level up.
	for node % 2 == 1 {
		node /= 2
		lastNode /= 2
	}

	var leftHashes []ct.MerkleTreeNode
	var newHash ct.MerkleTreeNode
	var oldHash ct.MerkleTreeNode
	if node > 0 {
		if len(proof) == 0 {
			return false, nil
		}
		newHash = proof[0]
		proof = proof[1:]
	} else {
		// The old tree was balanced, so we already know the first hash to use
		newHash = first.SHA256RootHash[:]
	}
	oldHash = newHash
	leftHashes = append(leftHashes, newHash)

	for node > 0 {
		if node % 2 == 1 {
			// node is a right child; left sibling exists in both trees
			if len(proof) == 0 {
				return false, nil
			}
			newHash = hashChildren(proof[0], newHash)
			oldHash = hashChildren(proof[0], oldHash)
			leftHashes = append(leftHashes, proof[0])
			proof = proof[1:]
		} else if node < lastNode {
			// node is a left child; rigth sibling only exists in the new tree
			if len(proof) == 0 {
				return false, nil
			}
			newHash = hashChildren(newHash, proof[0])
			proof = proof[1:]
		} // else node == lastNode: node is a let child with no sibling in either tree
		node /= 2
		lastNode /= 2
	}

	if !bytes.Equal(oldHash, first.SHA256RootHash[:]) {
		return false, nil
	}

	// If trees have different height, continue up the path to reach the new root
	for lastNode > 0 {
		if len(proof) == 0 {
			return false, nil
		}
		newHash = hashChildren(newHash, proof[0])
		proof = proof[1:]
		lastNode /= 2
	}

	if !bytes.Equal(newHash, second.SHA256RootHash[:]) {
		return false, nil
	}

	reverseHashes(leftHashes)

	return true, leftHashes
}

func hashLeaf (leafBytes []byte) ct.MerkleTreeNode {
	hasher := sha256.New()
	hasher.Write([]byte{0x00})
	hasher.Write(leafBytes)
	return hasher.Sum(nil)
}

func hashChildren (left ct.MerkleTreeNode, right ct.MerkleTreeNode) ct.MerkleTreeNode {
	hasher := sha256.New()
	hasher.Write([]byte{0x01})
	hasher.Write(left)
	hasher.Write(right)
	return hasher.Sum(nil)
}

type MerkleBuilder struct {
	stack		[]ct.MerkleTreeNode
	size		uint64 // number of hashes added so far
}

func ResumedMerkleBuilder (hashes []ct.MerkleTreeNode, size uint64) *MerkleBuilder {
	return &MerkleBuilder{
		stack: hashes,
		size: size,
	}
}

func (builder *MerkleBuilder) Add (hash ct.MerkleTreeNode) {
	builder.stack = append(builder.stack, hash)
	builder.size++
	size := builder.size
	for size % 2 == 0 {
		left, right := builder.stack[len(builder.stack)-2], builder.stack[len(builder.stack)-1]
		builder.stack = builder.stack[:len(builder.stack)-2]
		builder.stack = append(builder.stack, hashChildren(left, right))
		size /= 2
	}
}

func (builder *MerkleBuilder) Finish () ct.MerkleTreeNode {
	if len(builder.stack) == 0 {
		panic("MerkleBuilder.Finish called on an empty tree")
	}
	for len(builder.stack) > 1 {
		left, right := builder.stack[len(builder.stack)-2], builder.stack[len(builder.stack)-1]
		builder.stack = builder.stack[:len(builder.stack)-2]
		builder.stack = append(builder.stack, hashChildren(left, right))
	}
	return builder.stack[0]
}
Audit Merkle tree when retrieving entries Also add an -all_time command line option to retrieve all certificates, not just the ones since the last scan. 2016-02-17 23:54:25 +01:00			`package ctwatch`

			`import (`
			`"github.com/google/certificate-transparency/go"`
			`"bytes"`
			`"crypto/sha256"`
			`)`

			`func reverseHashes (hashes []ct.MerkleTreeNode) {`
			`for i := 0; i < len(hashes) / 2; i++ {`
			`j := len(hashes) - i - 1`
			`hashes[i], hashes[j] = hashes[j], hashes[i]`
			`}`
			`}`

			`func VerifyConsistencyProof (proof ct.ConsistencyProof, first ct.SignedTreeHead, second ct.SignedTreeHead) (bool, []ct.MerkleTreeNode) {`
			`if second.TreeSize < first.TreeSize {`
			`// Can't be consistent if tree got smaller`
			`return false, nil`
			`}`
			`if first.TreeSize == second.TreeSize {`
			`return bytes.Equal(first.SHA256RootHash[:], second.SHA256RootHash[:]) && len(proof) == 0, nil`
			`}`
			`if first.TreeSize == 0 {`
			`// The purpose of the consistency proof is to ensure the append-only`
			`// nature of the tree; i.e. that the first tree is a "prefix" of the`
			`// second tree. If the first tree is empty, then it's trivially a prefix`
			`// of the second tree, so no proof is needed.`
			`return len(proof) == 0, nil`
			`}`
			`// Guaranteed that 0 < first.TreeSize < second.TreeSize`

			`node := first.TreeSize - 1`
			`lastNode := second.TreeSize - 1`

			`// While we're the right child, everything is in both trees, so move one level up.`
			`for node % 2 == 1 {`
			`node /= 2`
			`lastNode /= 2`
			`}`

			`var leftHashes []ct.MerkleTreeNode`
			`var newHash ct.MerkleTreeNode`
			`var oldHash ct.MerkleTreeNode`
			`if node > 0 {`
			`if len(proof) == 0 {`
			`return false, nil`
			`}`
			`newHash = proof[0]`
			`proof = proof[1:]`
			`} else {`
			`// The old tree was balanced, so we already know the first hash to use`
			`newHash = first.SHA256RootHash[:]`
			`}`
			`oldHash = newHash`
			`leftHashes = append(leftHashes, newHash)`

			`for node > 0 {`
			`if node % 2 == 1 {`
			`// node is a right child; left sibling exists in both trees`
			`if len(proof) == 0 {`
			`return false, nil`
			`}`
			`newHash = hashChildren(proof[0], newHash)`
			`oldHash = hashChildren(proof[0], oldHash)`
			`leftHashes = append(leftHashes, proof[0])`
			`proof = proof[1:]`
			`} else if node < lastNode {`
			`// node is a left child; rigth sibling only exists in the new tree`
			`if len(proof) == 0 {`
			`return false, nil`
			`}`
			`newHash = hashChildren(newHash, proof[0])`
			`proof = proof[1:]`
			`} // else node == lastNode: node is a let child with no sibling in either tree`
			`node /= 2`
			`lastNode /= 2`
			`}`

			`if !bytes.Equal(oldHash, first.SHA256RootHash[:]) {`
			`return false, nil`
			`}`

			`// If trees have different height, continue up the path to reach the new root`
			`for lastNode > 0 {`
			`if len(proof) == 0 {`
			`return false, nil`
			`}`
			`newHash = hashChildren(newHash, proof[0])`
			`proof = proof[1:]`
			`lastNode /= 2`
			`}`

			`if !bytes.Equal(newHash, second.SHA256RootHash[:]) {`
			`return false, nil`
			`}`

			`reverseHashes(leftHashes)`

			`return true, leftHashes`
			`}`

			`func hashLeaf (leafBytes []byte) ct.MerkleTreeNode {`
			`hasher := sha256.New()`
			`hasher.Write([]byte{0x00})`
			`hasher.Write(leafBytes)`
			`return hasher.Sum(nil)`
			`}`

			`func hashChildren (left ct.MerkleTreeNode, right ct.MerkleTreeNode) ct.MerkleTreeNode {`
			`hasher := sha256.New()`
			`hasher.Write([]byte{0x01})`
			`hasher.Write(left)`
			`hasher.Write(right)`
			`return hasher.Sum(nil)`
			`}`

			`type MerkleBuilder struct {`
			`stack []ct.MerkleTreeNode`
			`size uint64 // number of hashes added so far`
			`}`

			`func ResumedMerkleBuilder (hashes []ct.MerkleTreeNode, size uint64) *MerkleBuilder {`
			`return &MerkleBuilder{`
			`stack: hashes,`
			`size: size,`
			`}`
			`}`

			`func (builder *MerkleBuilder) Add (hash ct.MerkleTreeNode) {`
			`builder.stack = append(builder.stack, hash)`
			`builder.size++`
			`size := builder.size`
			`for size % 2 == 0 {`
			`left, right := builder.stack[len(builder.stack)-2], builder.stack[len(builder.stack)-1]`
			`builder.stack = builder.stack[:len(builder.stack)-2]`
			`builder.stack = append(builder.stack, hashChildren(left, right))`
			`size /= 2`
			`}`
			`}`

			`func (builder *MerkleBuilder) Finish () ct.MerkleTreeNode {`
			`if len(builder.stack) == 0 {`
			`panic("MerkleBuilder.Finish called on an empty tree")`
			`}`
			`for len(builder.stack) > 1 {`
			`left, right := builder.stack[len(builder.stack)-2], builder.stack[len(builder.stack)-1]`
			`builder.stack = builder.stack[:len(builder.stack)-2]`
			`builder.stack = append(builder.stack, hashChildren(left, right))`
			`}`
			`return builder.stack[0]`
			`}`