2016-05-04 20:53:48 +02:00
|
|
|
// Copyright (C) 2016 Opsmate, Inc.
|
|
|
|
//
|
|
|
|
// This Source Code Form is subject to the terms of the Mozilla
|
|
|
|
// Public License, v. 2.0. If a copy of the MPL was not distributed
|
|
|
|
// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
//
|
|
|
|
// This software is distributed WITHOUT A WARRANTY OF ANY KIND.
|
|
|
|
// See the Mozilla Public License for details.
|
|
|
|
|
2016-05-04 20:49:07 +02:00
|
|
|
package certspotter
|
2016-02-17 23:54:25 +01:00
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto/sha256"
|
2017-01-06 00:43:26 +01:00
|
|
|
"encoding/json"
|
2017-01-05 23:48:35 +01:00
|
|
|
"errors"
|
2016-07-28 20:55:46 +02:00
|
|
|
"software.sslmate.com/src/certspotter/ct"
|
2016-02-17 23:54:25 +01:00
|
|
|
)
|
|
|
|
|
2016-07-28 20:55:46 +02:00
|
|
|
func reverseHashes(hashes []ct.MerkleTreeNode) {
|
|
|
|
for i := 0; i < len(hashes)/2; i++ {
|
2016-02-17 23:54:25 +01:00
|
|
|
j := len(hashes) - i - 1
|
|
|
|
hashes[i], hashes[j] = hashes[j], hashes[i]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-06 06:06:37 +01:00
|
|
|
func VerifyConsistencyProof(proof ct.ConsistencyProof, first *ct.SignedTreeHead, second *ct.SignedTreeHead) bool {
|
2017-01-05 23:32:28 +01:00
|
|
|
// TODO: make sure every hash in proof is right length? otherwise input to hashChildren is ambiguous
|
2016-02-17 23:54:25 +01:00
|
|
|
if second.TreeSize < first.TreeSize {
|
|
|
|
// Can't be consistent if tree got smaller
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
if first.TreeSize == second.TreeSize {
|
2016-11-15 21:38:49 +01:00
|
|
|
if !(bytes.Equal(first.SHA256RootHash[:], second.SHA256RootHash[:]) && len(proof) == 0) {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-11-15 21:38:49 +01:00
|
|
|
}
|
2017-01-06 06:06:37 +01:00
|
|
|
return true
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
if first.TreeSize == 0 {
|
|
|
|
// The purpose of the consistency proof is to ensure the append-only
|
|
|
|
// nature of the tree; i.e. that the first tree is a "prefix" of the
|
|
|
|
// second tree. If the first tree is empty, then it's trivially a prefix
|
|
|
|
// of the second tree, so no proof is needed.
|
2016-02-18 20:58:00 +01:00
|
|
|
if len(proof) != 0 {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-18 20:58:00 +01:00
|
|
|
}
|
2017-01-06 06:06:37 +01:00
|
|
|
return true
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
// Guaranteed that 0 < first.TreeSize < second.TreeSize
|
|
|
|
|
|
|
|
node := first.TreeSize - 1
|
|
|
|
lastNode := second.TreeSize - 1
|
|
|
|
|
|
|
|
// While we're the right child, everything is in both trees, so move one level up.
|
2016-07-28 20:55:46 +02:00
|
|
|
for node%2 == 1 {
|
2016-02-17 23:54:25 +01:00
|
|
|
node /= 2
|
|
|
|
lastNode /= 2
|
|
|
|
}
|
|
|
|
|
|
|
|
var newHash ct.MerkleTreeNode
|
|
|
|
var oldHash ct.MerkleTreeNode
|
|
|
|
if node > 0 {
|
|
|
|
if len(proof) == 0 {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
newHash = proof[0]
|
|
|
|
proof = proof[1:]
|
|
|
|
} else {
|
|
|
|
// The old tree was balanced, so we already know the first hash to use
|
|
|
|
newHash = first.SHA256RootHash[:]
|
|
|
|
}
|
|
|
|
oldHash = newHash
|
|
|
|
|
|
|
|
for node > 0 {
|
2016-07-28 20:55:46 +02:00
|
|
|
if node%2 == 1 {
|
2016-02-17 23:54:25 +01:00
|
|
|
// node is a right child; left sibling exists in both trees
|
|
|
|
if len(proof) == 0 {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
newHash = hashChildren(proof[0], newHash)
|
|
|
|
oldHash = hashChildren(proof[0], oldHash)
|
|
|
|
proof = proof[1:]
|
|
|
|
} else if node < lastNode {
|
|
|
|
// node is a left child; rigth sibling only exists in the new tree
|
|
|
|
if len(proof) == 0 {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
newHash = hashChildren(newHash, proof[0])
|
|
|
|
proof = proof[1:]
|
2016-07-29 00:52:32 +02:00
|
|
|
} // else node == lastNode: node is a left child with no sibling in either tree
|
2016-02-17 23:54:25 +01:00
|
|
|
node /= 2
|
|
|
|
lastNode /= 2
|
|
|
|
}
|
|
|
|
|
|
|
|
if !bytes.Equal(oldHash, first.SHA256RootHash[:]) {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// If trees have different height, continue up the path to reach the new root
|
|
|
|
for lastNode > 0 {
|
|
|
|
if len(proof) == 0 {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
newHash = hashChildren(newHash, proof[0])
|
|
|
|
proof = proof[1:]
|
|
|
|
lastNode /= 2
|
|
|
|
}
|
|
|
|
|
|
|
|
if !bytes.Equal(newHash, second.SHA256RootHash[:]) {
|
2017-01-06 06:06:37 +01:00
|
|
|
return false
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
|
2017-01-06 06:06:37 +01:00
|
|
|
return true
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
|
2017-01-05 23:32:22 +01:00
|
|
|
func hashNothing() ct.MerkleTreeNode {
|
|
|
|
return sha256.New().Sum(nil)
|
|
|
|
}
|
|
|
|
|
2016-07-28 20:55:46 +02:00
|
|
|
func hashLeaf(leafBytes []byte) ct.MerkleTreeNode {
|
2016-02-17 23:54:25 +01:00
|
|
|
hasher := sha256.New()
|
|
|
|
hasher.Write([]byte{0x00})
|
|
|
|
hasher.Write(leafBytes)
|
|
|
|
return hasher.Sum(nil)
|
|
|
|
}
|
|
|
|
|
2016-07-28 20:55:46 +02:00
|
|
|
func hashChildren(left ct.MerkleTreeNode, right ct.MerkleTreeNode) ct.MerkleTreeNode {
|
2016-02-17 23:54:25 +01:00
|
|
|
hasher := sha256.New()
|
|
|
|
hasher.Write([]byte{0x01})
|
|
|
|
hasher.Write(left)
|
|
|
|
hasher.Write(right)
|
|
|
|
return hasher.Sum(nil)
|
|
|
|
}
|
|
|
|
|
2017-01-06 23:39:08 +01:00
|
|
|
type CollapsedMerkleTree struct {
|
2017-01-06 23:43:20 +01:00
|
|
|
nodes []ct.MerkleTreeNode
|
2017-01-06 23:41:51 +01:00
|
|
|
size uint64
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
|
2017-01-06 23:43:20 +01:00
|
|
|
func calculateNumNodes (size uint64) int {
|
|
|
|
numNodes := 0
|
2017-01-06 23:41:51 +01:00
|
|
|
for size > 0 {
|
2017-01-06 23:43:20 +01:00
|
|
|
numNodes += int(size & 1)
|
2017-01-06 23:41:51 +01:00
|
|
|
size >>= 1
|
2017-01-05 23:48:35 +01:00
|
|
|
}
|
2017-01-06 23:43:20 +01:00
|
|
|
return numNodes
|
2017-01-05 23:48:35 +01:00
|
|
|
}
|
2017-01-06 23:39:08 +01:00
|
|
|
func EmptyCollapsedMerkleTree () *CollapsedMerkleTree {
|
|
|
|
return &CollapsedMerkleTree{}
|
2017-01-05 23:48:35 +01:00
|
|
|
}
|
2017-01-06 23:43:20 +01:00
|
|
|
func NewCollapsedMerkleTree (nodes []ct.MerkleTreeNode, size uint64) (*CollapsedMerkleTree, error) {
|
|
|
|
if len(nodes) != calculateNumNodes(size) {
|
|
|
|
return nil, errors.New("NewCollapsedMerkleTree: nodes has incorrect size")
|
2017-01-05 23:48:35 +01:00
|
|
|
}
|
2017-01-06 23:43:20 +01:00
|
|
|
return &CollapsedMerkleTree{nodes: nodes, size: size}, nil
|
2017-01-05 23:48:35 +01:00
|
|
|
}
|
2017-01-06 23:39:08 +01:00
|
|
|
func CloneCollapsedMerkleTree (source *CollapsedMerkleTree) *CollapsedMerkleTree {
|
2017-01-06 23:43:20 +01:00
|
|
|
nodes := make([]ct.MerkleTreeNode, len(source.nodes))
|
|
|
|
copy(nodes, source.nodes)
|
|
|
|
return &CollapsedMerkleTree{nodes: nodes, size: source.size}
|
2017-01-06 21:19:53 +01:00
|
|
|
}
|
2017-01-05 23:48:35 +01:00
|
|
|
|
2017-01-06 23:39:08 +01:00
|
|
|
func (tree *CollapsedMerkleTree) Add(hash ct.MerkleTreeNode) {
|
2017-01-06 23:43:20 +01:00
|
|
|
tree.nodes = append(tree.nodes, hash)
|
2017-01-06 23:41:51 +01:00
|
|
|
tree.size++
|
|
|
|
size := tree.size
|
|
|
|
for size%2 == 0 {
|
2017-01-06 23:43:20 +01:00
|
|
|
left, right := tree.nodes[len(tree.nodes)-2], tree.nodes[len(tree.nodes)-1]
|
|
|
|
tree.nodes = tree.nodes[:len(tree.nodes)-2]
|
|
|
|
tree.nodes = append(tree.nodes, hashChildren(left, right))
|
2017-01-06 23:41:51 +01:00
|
|
|
size /= 2
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-06 23:39:08 +01:00
|
|
|
func (tree *CollapsedMerkleTree) CalculateRoot() ct.MerkleTreeNode {
|
2017-01-06 23:43:20 +01:00
|
|
|
if len(tree.nodes) == 0 {
|
2017-01-05 23:32:22 +01:00
|
|
|
return hashNothing()
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
2017-01-06 23:43:20 +01:00
|
|
|
i := len(tree.nodes) - 1
|
|
|
|
hash := tree.nodes[i]
|
2016-11-26 02:43:07 +01:00
|
|
|
for i > 0 {
|
|
|
|
i -= 1
|
2017-01-06 23:43:20 +01:00
|
|
|
hash = hashChildren(tree.nodes[i], hash)
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
2016-11-26 02:43:07 +01:00
|
|
|
return hash
|
2016-02-17 23:54:25 +01:00
|
|
|
}
|
2017-01-06 00:00:56 +01:00
|
|
|
|
2017-01-06 23:41:51 +01:00
|
|
|
func (tree *CollapsedMerkleTree) GetSize() uint64 {
|
|
|
|
return tree.size
|
2017-01-06 00:00:56 +01:00
|
|
|
}
|
2017-01-06 00:43:26 +01:00
|
|
|
|
2017-01-06 23:39:08 +01:00
|
|
|
func (tree *CollapsedMerkleTree) MarshalJSON() ([]byte, error) {
|
2017-01-06 00:43:26 +01:00
|
|
|
return json.Marshal(map[string]interface{}{
|
2017-01-06 23:43:20 +01:00
|
|
|
"nodes": tree.nodes,
|
2017-01-06 23:41:51 +01:00
|
|
|
"size": tree.size,
|
2017-01-06 00:43:26 +01:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2017-01-06 23:39:08 +01:00
|
|
|
func (tree *CollapsedMerkleTree) UnmarshalJSON(b []byte) error {
|
|
|
|
var rawTree struct {
|
2017-01-06 23:43:20 +01:00
|
|
|
Nodes []ct.MerkleTreeNode `json:"nodes"`
|
2017-01-06 23:41:51 +01:00
|
|
|
Size uint64 `json:"size"`
|
2017-01-06 00:43:26 +01:00
|
|
|
}
|
2017-01-06 23:39:08 +01:00
|
|
|
if err := json.Unmarshal(b, &rawTree); err != nil {
|
|
|
|
return errors.New("Failed to unmarshal CollapsedMerkleTree: " + err.Error())
|
2017-01-06 00:43:26 +01:00
|
|
|
}
|
2017-01-06 23:43:20 +01:00
|
|
|
if len(rawTree.Nodes) != calculateNumNodes(rawTree.Size) {
|
|
|
|
return errors.New("Failed to unmarshal CollapsedMerkleTree: nodes has incorrect length")
|
2017-01-06 00:43:26 +01:00
|
|
|
}
|
2017-01-06 23:41:51 +01:00
|
|
|
tree.size = rawTree.Size
|
2017-01-06 23:43:20 +01:00
|
|
|
tree.nodes = rawTree.Nodes
|
2017-01-06 00:43:26 +01:00
|
|
|
return nil
|
|
|
|
}
|