

     1  // Copyright 2018 Google LLC. All Rights Reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package util
    16  
    17  import (
    18  	"crypto/sha256"
    19  
    20  	ct "github.com/google/certificate-transparency-go"
    21  	"github.com/google/certificate-transparency-go/tls"
    22  	"github.com/google/trillian"
    23  	"k8s.io/klog/v2"
    24  )
    25  
// BuildLogLeaf returns a Trillian LogLeaf structure for a (pre-)cert and the
// chain of certificates leading it up to a known root.
//
// merkleLeaf is TLS-serialized into LeafValue, and cert/chain are serialized
// into ExtraData by ExtraDataForChain. LeafIdentityHash is SHA-256 over the
// raw bytes of cert, which is what Trillian uses to recognise a resubmission
// of the same (pre-)certificate. On a serialization failure the error is
// logged under logPrefix and returned together with an empty LogLeaf.
func BuildLogLeaf(logPrefix string,
	merkleLeaf ct.MerkleTreeLeaf, leafIndex int64,
	cert ct.ASN1Cert, chain []ct.ASN1Cert, isPrecert bool,
) (trillian.LogLeaf, error) {
	leafBytes, err := tls.Marshal(merkleLeaf)
	if err != nil {
		klog.Warningf("%s: Failed to serialize Merkle leaf: %v", logPrefix, err)
		return trillian.LogLeaf{}, err
	}

	chainBytes, err := ExtraDataForChain(cert, chain, isPrecert)
	if err != nil {
		klog.Warningf("%s: Failed to serialize chain for ExtraData: %v", logPrefix, err)
		return trillian.LogLeaf{}, err
	}

	// Trillian de-duplicates entries on LeafIdentityHash, so derive it from
	// the certificate bytes alone: the same (pre-)cert submitted again must
	// map to the same identity regardless of the rest of the leaf.
	identity := sha256.Sum256(cert.Data)

	leaf := trillian.LogLeaf{LeafIndex: leafIndex}
	leaf.LeafValue = leafBytes
	leaf.ExtraData = chainBytes
	leaf.LeafIdentityHash = identity[:]
	return leaf, nil
}
    55  
// ExtraDataForChain creates the extra data associated with a log entry as
// described in RFC6962 section 4.6.
//
// For a pre-certificate the result is a TLS-encoded PrecertChainEntry holding
// cert and chain; for a certificate it is the TLS-encoded
//
//	ASN.1Cert certificate_chain<0..2^24-1>;
//
// containing only chain, i.e. the certificates after the leaf. Any error is
// the one reported by tls.Marshal.
func ExtraDataForChain(cert ct.ASN1Cert, chain []ct.ASN1Cert, isPrecert bool) ([]byte, error) {
	if isPrecert {
		return tls.Marshal(ct.PrecertChainEntry{
			PreCertificate:   cert,
			CertificateChain: chain,
		})
	}
	// The leaf itself is not part of the extra data for a plain certificate.
	return tls.Marshal(ct.CertificateChain{Entries: chain})
}
    74  
