Overhaul log processing and auditing
1. Instead of storing a single STH per log, we now store one verified
STH and any number of unverified STHs. When we process a log, we verify
each unverified STH using a consistency proof with the verified STH,
and only delete it if it successfully verifies. We set the verified
STH to the largest STH which we've successfully verified.
This has two important benefits. First, we never ever delete an STH
unless we can successfully verify it (previously, we would forget about
an STH under certain error conditions). Second, it lays the groundwork
for STH pollination. Upon reception of an STH, we can simply drop it in
the log's unverified_sths directory (assuming the signature is valid),
and Cert Spotter will audit it.
There is no more "evidence" directory; if a consistency proof fails,
the STHs will already be present elsewhere in the state directory.
2. We now persist a MerkleTreeBuilder between each run of Cert Spotter,
instead of rebuilding it every time from the consistency proof. This is
not intrinsically better, but it makes the code simpler considering we
can now fetch numerous consistency proofs per run.
3. To accommodate the above changes, the state directory has a brand
new layout. The state directory is now versioned, and Cert Spotter
will automatically migrate old state directories to the new layout.
This migration logic will be removed in a future Cert Spotter release.
As a bonus, the code is generally cleaner now :-)
2017-01-06 05:46:42 +01:00
// Copyright (C) 2017 Opsmate, Inc.
//
// This Source Code Form is subject to the terms of the Mozilla
// Public License, v. 2.0. If a copy of the MPL was not distributed
// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
// This software is distributed WITHOUT A WARRANTY OF ANY KIND.
// See the Mozilla Public License for details.
package cmd
import (
"crypto/sha256"
"encoding/base64"
"encoding/binary"
"fmt"
"os"
"path/filepath"
2017-01-06 21:51:10 +01:00
"strconv"
Overhaul log processing and auditing
1. Instead of storing a single STH per log, we now store one verified
STH and any number of unverified STHs. When we process a log, we verify
each unverified STH using a consistency proof with the verified STH,
and only delete it if it successfully verifies. We set the verified
STH to the largest STH which we've successfully verified.
This has two important benefits. First, we never ever delete an STH
unless we can successfully verify it (previously, we would forget about
an STH under certain error conditions). Second, it lays the groundwork
for STH pollination. Upon reception of an STH, we can simply drop it in
the log's unverified_sths directory (assuming the signature is valid),
and Cert Spotter will audit it.
There is no more "evidence" directory; if a consistency proof fails,
the STHs will already be present elsewhere in the state directory.
2. We now persist a MerkleTreeBuilder between each run of Cert Spotter,
instead of rebuilding it every time from the consistency proof. This is
not intrinsically better, but it makes the code simpler considering we
can now fetch numerous consistency proofs per run.
3. To accommodate the above changes, the state directory has a brand
new layout. The state directory is now versioned, and Cert Spotter
will automatically migrate old state directories to the new layout.
This migration logic will be removed in a future Cert Spotter release.
As a bonus, the code is generally cleaner now :-)
2017-01-06 05:46:42 +01:00
"strings"
"software.sslmate.com/src/certspotter"
"software.sslmate.com/src/certspotter/ct"
)
type LogState struct {
path string
}
// generate a filename that uniquely identifies the STH (within the context of a particular log)
func sthFilename ( sth * ct . SignedTreeHead ) string {
hasher := sha256 . New ( )
switch sth . Version {
case ct . V1 :
binary . Write ( hasher , binary . LittleEndian , sth . Timestamp )
binary . Write ( hasher , binary . LittleEndian , sth . SHA256RootHash )
default :
panic ( fmt . Sprintf ( "Unsupported STH version %d" , sth . Version ) )
}
// For 6962-bis, we will need to handle a variable-length root hash, and include the signature in the filename hash (since signatures must be deterministic)
2017-01-06 21:51:10 +01:00
return strconv . FormatUint ( sth . TreeSize , 10 ) + "-" + base64 . RawURLEncoding . EncodeToString ( hasher . Sum ( nil ) )
Overhaul log processing and auditing
1. Instead of storing a single STH per log, we now store one verified
STH and any number of unverified STHs. When we process a log, we verify
each unverified STH using a consistency proof with the verified STH,
and only delete it if it successfully verifies. We set the verified
STH to the largest STH which we've successfully verified.
This has two important benefits. First, we never ever delete an STH
unless we can successfully verify it (previously, we would forget about
an STH under certain error conditions). Second, it lays the groundwork
for STH pollination. Upon reception of an STH, we can simply drop it in
the log's unverified_sths directory (assuming the signature is valid),
and Cert Spotter will audit it.
There is no more "evidence" directory; if a consistency proof fails,
the STHs will already be present elsewhere in the state directory.
2. We now persist a MerkleTreeBuilder between each run of Cert Spotter,
instead of rebuilding it every time from the consistency proof. This is
not intrinsically better, but it makes the code simpler considering we
can now fetch numerous consistency proofs per run.
3. To accommodate the above changes, the state directory has a brand
new layout. The state directory is now versioned, and Cert Spotter
will automatically migrate old state directories to the new layout.
This migration logic will be removed in a future Cert Spotter release.
As a bonus, the code is generally cleaner now :-)
2017-01-06 05:46:42 +01:00
}
func makeLogStateDir ( logStatePath string ) error {
if err := os . Mkdir ( logStatePath , 0777 ) ; err != nil && ! os . IsExist ( err ) {
return fmt . Errorf ( "%s: %s" , logStatePath , err )
}
for _ , subdir := range [ ] string { "unverified_sths" } {
path := filepath . Join ( logStatePath , subdir )
if err := os . Mkdir ( path , 0777 ) ; err != nil && ! os . IsExist ( err ) {
return fmt . Errorf ( "%s: %s" , path , err )
}
}
return nil
}
func OpenLogState ( logStatePath string ) ( * LogState , error ) {
if err := makeLogStateDir ( logStatePath ) ; err != nil {
return nil , fmt . Errorf ( "Error creating log state directory: %s" , err )
}
return & LogState { path : logStatePath } , nil
}
func ( logState * LogState ) VerifiedSTHFilename ( ) string {
return filepath . Join ( logState . path , "verified_sth" )
}
func ( logState * LogState ) GetVerifiedSTH ( ) ( * ct . SignedTreeHead , error ) {
sth , err := readSTHFile ( logState . VerifiedSTHFilename ( ) )
if err != nil {
if os . IsNotExist ( err ) {
return nil , nil
} else {
return nil , err
}
}
return sth , nil
}
func ( logState * LogState ) StoreVerifiedSTH ( sth * ct . SignedTreeHead ) error {
return writeJSONFile ( logState . VerifiedSTHFilename ( ) , sth , 0666 )
}
func ( logState * LogState ) GetUnverifiedSTHs ( ) ( [ ] * ct . SignedTreeHead , error ) {
dir , err := os . Open ( filepath . Join ( logState . path , "unverified_sths" ) )
if err != nil {
if os . IsNotExist ( err ) {
return [ ] * ct . SignedTreeHead { } , nil
} else {
return nil , err
}
}
filenames , err := dir . Readdirnames ( 0 )
if err != nil {
return nil , err
}
sths := make ( [ ] * ct . SignedTreeHead , 0 , len ( filenames ) )
for _ , filename := range filenames {
if ! strings . HasPrefix ( filename , "." ) {
sth , _ := readSTHFile ( filepath . Join ( dir . Name ( ) , filename ) )
if sth != nil {
sths = append ( sths , sth )
}
}
}
return sths , nil
}
func ( logState * LogState ) UnverifiedSTHFilename ( sth * ct . SignedTreeHead ) string {
return filepath . Join ( logState . path , "unverified_sths" , sthFilename ( sth ) )
}
func ( logState * LogState ) StoreUnverifiedSTH ( sth * ct . SignedTreeHead ) error {
filename := logState . UnverifiedSTHFilename ( sth )
if fileExists ( filename ) {
return nil
}
return writeJSONFile ( filename , sth , 0666 )
}
func ( logState * LogState ) RemoveUnverifiedSTH ( sth * ct . SignedTreeHead ) error {
filename := logState . UnverifiedSTHFilename ( sth )
err := os . Remove ( filepath . Join ( filename ) )
if err != nil && ! os . IsNotExist ( err ) {
return err
}
return nil
}
2017-01-06 23:49:42 +01:00
func ( logState * LogState ) GetTree ( ) ( * certspotter . CollapsedMerkleTree , error ) {
2017-01-06 23:39:08 +01:00
tree := new ( certspotter . CollapsedMerkleTree )
2017-01-06 23:49:42 +01:00
if err := readJSONFile ( filepath . Join ( logState . path , "tree" ) , tree ) ; err != nil {
Overhaul log processing and auditing
1. Instead of storing a single STH per log, we now store one verified
STH and any number of unverified STHs. When we process a log, we verify
each unverified STH using a consistency proof with the verified STH,
and only delete it if it successfully verifies. We set the verified
STH to the largest STH which we've successfully verified.
This has two important benefits. First, we never ever delete an STH
unless we can successfully verify it (previously, we would forget about
an STH under certain error conditions). Second, it lays the groundwork
for STH pollination. Upon reception of an STH, we can simply drop it in
the log's unverified_sths directory (assuming the signature is valid),
and Cert Spotter will audit it.
There is no more "evidence" directory; if a consistency proof fails,
the STHs will already be present elsewhere in the state directory.
2. We now persist a MerkleTreeBuilder between each run of Cert Spotter,
instead of rebuilding it every time from the consistency proof. This is
not intrinsically better, but it makes the code simpler considering we
can now fetch numerous consistency proofs per run.
3. To accommodate the above changes, the state directory has a brand
new layout. The state directory is now versioned, and Cert Spotter
will automatically migrate old state directories to the new layout.
This migration logic will be removed in a future Cert Spotter release.
As a bonus, the code is generally cleaner now :-)
2017-01-06 05:46:42 +01:00
if os . IsNotExist ( err ) {
return nil , nil
} else {
return nil , err
}
}
2017-01-06 23:39:08 +01:00
return tree , nil
Overhaul log processing and auditing
1. Instead of storing a single STH per log, we now store one verified
STH and any number of unverified STHs. When we process a log, we verify
each unverified STH using a consistency proof with the verified STH,
and only delete it if it successfully verifies. We set the verified
STH to the largest STH which we've successfully verified.
This has two important benefits. First, we never ever delete an STH
unless we can successfully verify it (previously, we would forget about
an STH under certain error conditions). Second, it lays the groundwork
for STH pollination. Upon reception of an STH, we can simply drop it in
the log's unverified_sths directory (assuming the signature is valid),
and Cert Spotter will audit it.
There is no more "evidence" directory; if a consistency proof fails,
the STHs will already be present elsewhere in the state directory.
2. We now persist a MerkleTreeBuilder between each run of Cert Spotter,
instead of rebuilding it every time from the consistency proof. This is
not intrinsically better, but it makes the code simpler considering we
can now fetch numerous consistency proofs per run.
3. To accommodate the above changes, the state directory has a brand
new layout. The state directory is now versioned, and Cert Spotter
will automatically migrate old state directories to the new layout.
This migration logic will be removed in a future Cert Spotter release.
As a bonus, the code is generally cleaner now :-)
2017-01-06 05:46:42 +01:00
}
2017-01-06 23:49:42 +01:00
func ( logState * LogState ) StoreTree ( tree * certspotter . CollapsedMerkleTree ) error {
return writeJSONFile ( filepath . Join ( logState . path , "tree" ) , tree , 0666 )
Overhaul log processing and auditing
1. Instead of storing a single STH per log, we now store one verified
STH and any number of unverified STHs. When we process a log, we verify
each unverified STH using a consistency proof with the verified STH,
and only delete it if it successfully verifies. We set the verified
STH to the largest STH which we've successfully verified.
This has two important benefits. First, we never ever delete an STH
unless we can successfully verify it (previously, we would forget about
an STH under certain error conditions). Second, it lays the groundwork
for STH pollination. Upon reception of an STH, we can simply drop it in
the log's unverified_sths directory (assuming the signature is valid),
and Cert Spotter will audit it.
There is no more "evidence" directory; if a consistency proof fails,
the STHs will already be present elsewhere in the state directory.
2. We now persist a MerkleTreeBuilder between each run of Cert Spotter,
instead of rebuilding it every time from the consistency proof. This is
not intrinsically better, but it makes the code simpler considering we
can now fetch numerous consistency proofs per run.
3. To accommodate the above changes, the state directory has a brand
new layout. The state directory is now versioned, and Cert Spotter
will automatically migrate old state directories to the new layout.
This migration logic will be removed in a future Cert Spotter release.
As a bonus, the code is generally cleaner now :-)
2017-01-06 05:46:42 +01:00
}