Restore signing to ct-test-srv.

jsha · jsha · commit 2ea173d3ce4c · 2016-01-05T16:35:34.000-08:00
This restores an earlier version of letsencrypt#1282. During code review on that change, I requested that we replace the realtime signing with a static signature. However, that is now generating failures. I think the signature validation is now validating more of the content.
diff --git a/test/ct-test-srv/main.go b/test/ct-test-srv/main.go
@@ -9,20 +9,77 @@
 package main
 
 import (
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/asn1"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"log"
+	"math/big"
 	"net/http"
+	"os"
 	"sync/atomic"
+
+	ct "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/google/certificate-transparency/go"
 )
 
+func createSignedSCT(leaf []byte, k *ecdsa.PrivateKey) []byte {
+	rawKey, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
+	pkHash := sha256.Sum256(rawKey)
+	sct := ct.SignedCertificateTimestamp{
+		SCTVersion: ct.V1,
+		LogID:      pkHash,
+		Timestamp:  1337,
+	}
+	serialized, _ := ct.SerializeSCTSignatureInput(sct, ct.LogEntry{
+		Leaf: ct.MerkleTreeLeaf{
+			LeafType: ct.TimestampedEntryLeafType,
+			TimestampedEntry: ct.TimestampedEntry{
+				X509Entry: ct.ASN1Cert(leaf),
+				EntryType: ct.X509LogEntryType,
+			},
+		},
+	})
+	hashed := sha256.Sum256(serialized)
+	var ecdsaSig struct {
+		R, S *big.Int
+	}
+	ecdsaSig.R, ecdsaSig.S, _ = ecdsa.Sign(rand.Reader, k, hashed[:])
+	sig, _ := asn1.Marshal(ecdsaSig)
+
+	ds := ct.DigitallySigned{
+		HashAlgorithm:      ct.SHA256,
+		SignatureAlgorithm: ct.ECDSA,
+		Signature:          sig,
+	}
+
+	var jsonSCTObj struct {
+		SCTVersion ct.Version `json:"sct_version"`
+		ID         string     `json:"id"`
+		Timestamp  uint64     `json:"timestamp"`
+		Extensions string     `json:"extensions"`
+		Signature  string     `json:"signature"`
+	}
+	jsonSCTObj.SCTVersion = ct.V1
+	jsonSCTObj.ID = base64.StdEncoding.EncodeToString(pkHash[:])
+	jsonSCTObj.Timestamp = 1337
+	jsonSCTObj.Signature, _ = ds.Base64String()
+
+	jsonSCT, _ := json.Marshal(jsonSCTObj)
+	return jsonSCT
+}
+
 type ctSubmissionRequest struct {
 	Chain []string `json:"chain"`
 }
 
 type integrationSrv struct {
 	submissions int64
+	key         *ecdsa.PrivateKey
 }
 
 func (is *integrationSrv) handler(w http.ResponseWriter, r *http.Request) {
@@ -47,14 +104,16 @@ func (is *integrationSrv) handler(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		leaf, err := base64.StdEncoding.DecodeString(addChainReq.Chain[0])
+		if err != nil {
+			w.WriteHeader(400)
+			return
+		}
+
 		w.WriteHeader(http.StatusOK)
-		w.Write([]byte(`{
-      "sct_version":0,
-      "id":"KHYaGJAn++880NYaAY12sFBXKcenQRvMvfYE9F1CYVM=",
-      "timestamp":1337,
-      "extensions":"",
-      "signature":"BAMARjBEAiAka/W0eYq23Iaih2wB2CGrAqlo92KyQuuY6WWumi1eNwIgBirYV/wsJvmZfGP5NrNYoWGIx1VV6NaNBIaSXh9hiYA="
-    }`))
+		// id is a sha256 of a random EC key. Generate your own with:
+		// openssl ecparam -name prime256v1 -genkey -outform der | openssl sha256 -binary | base64
+		w.Write(createSignedSCT(leaf, is.key))
 		atomic.AddInt64(&is.submissions, 1)
 	case "/submissions":
 		if r.Method != "GET" {
@@ -72,7 +131,16 @@ func (is *integrationSrv) handler(w http.ResponseWriter, r *http.Request) {
 }
 
 func main() {
-	is := integrationSrv{}
+	signingKey := "MHcCAQEEIOCtGlGt/WT7471dOHdfBg43uJWJoZDkZAQjWfTitcVNoAoGCCqGSM49AwEHoUQDQgAEYggOxPnPkzKBIhTacSYoIfnSL2jPugcbUKx83vFMvk5gKAz/AGe87w20riuPwEGn229hKVbEKHFB61NIqNHC3Q=="
+	decodedKey, _ := base64.StdEncoding.DecodeString(signingKey)
+
+	key, err := x509.ParseECPrivateKey(decodedKey)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to parse signing key: %s\n", err)
+		return
+	}
+
+	is := integrationSrv{key: key}
 	s := &http.Server{
 		Addr:    "localhost:4500",
 		Handler: http.HandlerFunc(is.handler),
