Tandem
/
certspotter
mirror of https://github.com/SSLMate/certspotter.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Don't ask for consistency proofs based on an empty tree 

RFC 6962 doesn't define how to generate a consistency proof in this case,
and it doesn't matter anyways since the tree is empty.  The DigiCert logs
return a 400 error if we ask for such a proof.
This commit is contained in:
Andrew Ayer 2021-08-17 14:59:21 -04:00
parent 1a7622bfa6
commit 4e4250dad2
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
scanner.go
View File

@ -212,7 +212,12 @@ func (s *Scanner) GetSTH() (*ct.SignedTreeHead, error) {
}
func (s *Scanner) CheckConsistency(first *ct.SignedTreeHead, second *ct.SignedTreeHead) (bool, error) {
if first.TreeSize < second.TreeSize {
if first.TreeSize == 0 || second.TreeSize == 0 {
// RFC 6962 doesn't define how to generate a consistency proof in this case,
// and it doesn't matter anyways since the tree is empty. The DigiCert logs
// return a 400 error if we ask for such a proof.
return true, nil
} else if first.TreeSize < second.TreeSize {
proof, err := s.logClient.GetConsistencyProof(int64(first.TreeSize), int64(second.TreeSize))
if err != nil {
return false, err