From 4e4250dad212cd3db0b221f03ba7c76a93bbe18f Mon Sep 17 00:00:00 2001
From: Andrew Ayer <andrew@sslmate.com>
Date: Tue, 17 Aug 2021 14:59:21 -0400
Subject: [PATCH] Don't ask for consistency proofs based on an empty tree

RFC 6962 doesn't define how to generate a consistency proof in this case,
and it doesn't matter anyways since the tree is empty.  The DigiCert logs
return a 400 error if we ask for such a proof.
---
 scanner.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/scanner.go b/scanner.go
index ba71c9d..1d026e4 100644
--- a/scanner.go
+++ b/scanner.go
@@ -212,7 +212,12 @@ func (s *Scanner) GetSTH() (*ct.SignedTreeHead, error) {
 }
 
 func (s *Scanner) CheckConsistency(first *ct.SignedTreeHead, second *ct.SignedTreeHead) (bool, error) {
-	if first.TreeSize < second.TreeSize {
+	if first.TreeSize == 0 || second.TreeSize == 0 {
+		// RFC 6962 doesn't define how to generate a consistency proof in this case,
+		// and it doesn't matter anyways since the tree is empty.  The DigiCert logs
+		// return a 400 error if we ask for such a proof.
+		return true, nil
+	} else if first.TreeSize < second.TreeSize {
 		proof, err := s.logClient.GetConsistencyProof(int64(first.TreeSize), int64(second.TreeSize))
 		if err != nil {
 			return false, err