Tandem/certspotter
2
0
Fork 0
mirror of https://github.com/SSLMate/certspotter.git synced 2025-07-03 10:47:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

logclient: optionally verify STH signatures

Browse Source
This commit is contained in:
Andrew Ayer 2023-01-21 16:53:43 -05:00
parent 654f8d4670
commit 95c823e86a
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ct/client/logclient.go
View File

@ -71,6 +71,7 @@ const (
type LogClient struct { type LogClient struct {
uri string // the base URI of the log. e.g. http://ct.googleapis/pilot uri string // the base URI of the log. e.g. http://ct.googleapis/pilot
httpClient *http.Client // used to interact with the log via HTTP httpClient *http.Client // used to interact with the log via HTTP
verifier *ct.SignatureVerifier // if non-nil, used to verify STH signatures
} }
////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////
@ -124,8 +125,13 @@ type addChainResponse struct {
// |uri| is the base URI of the CT log instance to interact with, e.g. // |uri| is the base URI of the CT log instance to interact with, e.g.
// http://ct.googleapis.com/pilot // http://ct.googleapis.com/pilot
func New(uri string) *LogClient { func New(uri string) *LogClient {
return NewWithVerifier(uri, nil)
}
func NewWithVerifier(uri string, verifier *ct.SignatureVerifier) *LogClient {
var c LogClient var c LogClient
c.uri = uri c.uri = uri
c.verifier = verifier
transport := &http.Transport{ transport := &http.Transport{
Proxy: http.ProxyFromEnvironment, Proxy: http.ProxyFromEnvironment,
TLSHandshakeTimeout: 15 * time.Second, TLSHandshakeTimeout: 15 * time.Second,
@ -264,8 +270,12 @@ func (c *LogClient) GetSTH(ctx context.Context) (sth *ct.SignedTreeHead, err err
if err != nil { if err != nil {
return nil, err return nil, err
} }
// TODO(alcutter): Verify signature
sth.TreeHeadSignature = *ds sth.TreeHeadSignature = *ds
if c.verifier != nil {
if err := c.verifier.VerifySTHSignature(*sth); err != nil {
return nil, fmt.Errorf("STH returned by server has invalid signature: %w", err)
}
}
return return
} }