https-github-com-bit
diff --git a/‎ca/certificate-authority.go‎
Lines changed: 5 additions & 16 deletions b/‎ca/certificate-authority.go‎
Lines changed: 5 additions & 16 deletions
diff --git a/‎ca/certificate-authority_test.go‎
Lines changed: 8 additions & 1 deletion b/‎ca/certificate-authority_test.go‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎cmd/boulder-ca/main.go‎
Lines changed: 7 additions & 0 deletions b/‎cmd/boulder-ca/main.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎cmd/boulder-publisher/main.go‎
Lines changed: 59 additions & 0 deletions b/‎cmd/boulder-publisher/main.go‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎cmd/shell.go‎
Lines changed: 17 additions & 8 deletions b/‎cmd/shell.go‎
Lines changed: 17 additions & 8 deletions
diff --git a/‎core/interfaces.go‎
Lines changed: 8 additions & 0 deletions b/‎core/interfaces.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎core/objects.go‎
Lines changed: 92 additions & 0 deletions b/‎core/objects.go‎
Lines changed: 92 additions & 0 deletions
@@ -53,6 +53,7 @@ type CertificateAuthorityImpl struct {
 	SA             core.StorageAuthority
 	PA             core.PolicyAuthority
 	DB             core.CertificateAuthorityDatabase
+	Publisher      core.Publisher
 	Clk            clock.Clock // TODO(jmhodges): should be private, like log
 	log            *blog.AuditLogger
 	Prefix         int // Prepended to the serial number
@@ -95,7 +96,7 @@ func NewCertificateAuthorityImpl(cadb core.CertificateAuthorityDatabase, config
 		return nil, err
 	}
 
-	issuer, err := loadIssuer(issuerCert)
+	issuer, err := core.LoadCert(issuerCert)
 	if err != nil {
 		return nil, err
 	}
@@ -170,19 +171,6 @@ func loadKey(keyConfig cmd.KeyConfig) (priv crypto.Signer, err error) {
 	return
 }
 
-func loadIssuer(filename string) (issuerCert *x509.Certificate, err error) {
-	if filename == "" {
-		err = errors.New("Issuer certificate was not provided in config.")
-		return
-	}
-	issuerCertPEM, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return
-	}
-	issuerCert, err = helpers.ParseCertificatePEM(issuerCertPEM)
-	return
-}
-
 // GenerateOCSP produces a new OCSP response and returns it
 func (ca *CertificateAuthorityImpl) GenerateOCSP(xferObj core.OCSPSigningRequest) ([]byte, error) {
 	cert, err := x509.ParseCertificate(xferObj.CertDER)
@@ -402,15 +390,13 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(csr x509.CertificateRequest
 	// Attempt to generate the OCSP Response now. If this raises an error, it is
 	// logged but is not returned to the caller, as an error at this point does
 	// not constitute an issuance failure.
-
 	certObj, err := x509.ParseCertificate(certDER)
 	if err != nil {
 		ca.log.Warning(fmt.Sprintf("Post-Issuance OCSP failed parsing Certificate: %s", err))
 		return cert, nil
 	}
 
 	serial := core.SerialToString(certObj.SerialNumber)
-
 	signRequest := ocsp.SignRequest{
 		Certificate: certObj,
 		Status:      string(core.OCSPStatusGood),
@@ -428,6 +414,9 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(csr x509.CertificateRequest
 		return cert, nil
 	}
 
+	// Submit the certificate to any configured CT logs
+	go ca.Publisher.SubmitToCT(certObj.Raw)
+
 	// Do not return an err at this point; caller must know that the Certificate
 	// was issued. (Also, it should be impossible for err to be non-nil here)
 	return cert, nil
 
@@ -205,9 +205,9 @@ func TestRevoke(t *testing.T) {
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
-
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
+	ca.Publisher = &mocks.MockPublisher{}
 
 	csr, _ := x509.ParseCertificateRequest(CNandSANCSR)
 	certObj, err := ca.IssueCertificate(*csr, ctx.reg.ID)
@@ -246,6 +246,7 @@ func TestIssueCertificate(t *testing.T) {
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.Publisher = &mocks.MockPublisher{}
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 
@@ -322,6 +323,7 @@ func TestRejectNoName(t *testing.T) {
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.Publisher = &mocks.MockPublisher{}
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 
@@ -338,6 +340,7 @@ func TestRejectTooManyNames(t *testing.T) {
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.Publisher = &mocks.MockPublisher{}
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 
@@ -352,6 +355,7 @@ func TestDeduplication(t *testing.T) {
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.Publisher = &mocks.MockPublisher{}
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 
@@ -381,6 +385,7 @@ func TestRejectValidityTooLong(t *testing.T) {
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.Publisher = &mocks.MockPublisher{}
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 
@@ -395,6 +400,7 @@ func TestShortKey(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
+	ca.Publisher = &mocks.MockPublisher{}
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 
@@ -408,6 +414,7 @@ func TestRejectBadAlgorithm(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
 	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, ctx.fc, caCertFile)
+	ca.Publisher = &mocks.MockPublisher{}
 	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 
 
@@ -57,6 +57,13 @@ func main() {
 			sac, err := rpc.NewStorageAuthorityClient(saRPC)
 			cmd.FailOnError(err, "Failed to create SA client")
 
+			pubRPC, err := rpc.NewAmqpRPCClient("CA->Publisher", c.AMQP.Publisher.Server, srv.Channel)
+			cmd.FailOnError(err, "Unable to create RPC client")
+
+			pubc, err := rpc.NewPublisherClient(pubRPC)
+			cmd.FailOnError(err, "Failed to create Publisher client")
+
+			cai.Publisher = &pubc
 			cai.SA = &sac
 		}
 
 
@@ -0,0 +1,59 @@
+// Copyright 2015 ISRG.  All rights reserved
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
+
+	"github.com/letsencrypt/boulder/cmd"
+	blog "github.com/letsencrypt/boulder/log"
+	"github.com/letsencrypt/boulder/publisher"
+	"github.com/letsencrypt/boulder/rpc"
+)
+
+func main() {
+	app := cmd.NewAppShell("boulder-publisher", "Submits issued certificates to CT logs")
+	app.Action = func(c cmd.Config) {
+		stats, err := statsd.NewClient(c.Statsd.Server, c.Statsd.Prefix)
+		cmd.FailOnError(err, "Could not connect to statsd")
+
+		// Set up logging
+		auditlogger, err := blog.Dial(c.Syslog.Network, c.Syslog.Server, c.Syslog.Tag, stats)
+		cmd.FailOnError(err, "Could not connect to syslog")
+
+		// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
+		defer auditlogger.AuditPanic()
+
+		blog.SetAuditLogger(auditlogger)
+
+		pubi, err := publisher.NewPublisherImpl(c.Publisher.CT)
+		cmd.FailOnError(err, "Could not setup Publisher")
+
+		go cmd.DebugServer(c.Publisher.DebugAddr)
+		go cmd.ProfileCmd("Publisher", stats)
+
+		connectionHandler := func(srv *rpc.AmqpRPCServer) {
+			saRPC, err := rpc.NewAmqpRPCClient("Publisher->SA", c.AMQP.SA.Server, srv.Channel)
+			cmd.FailOnError(err, "Unable to create SA RPC client")
+
+			sac, err := rpc.NewStorageAuthorityClient(saRPC)
+			cmd.FailOnError(err, "Unable to create SA client")
+
+			pubi.SA = &sac
+		}
+
+		pubs, err := rpc.NewAmqpRPCServer(c.AMQP.Publisher.Server, connectionHandler)
+		cmd.FailOnError(err, "Unable to create Publisher RPC server")
+		rpc.NewPublisherServer(pubs, &pubi)
+
+		auditlogger.Info(app.VersionString())
+
+		err = pubs.Start(c)
+		cmd.FailOnError(err, "Unable to run Publisher RPC server")
+	}
+
+	app.Run()
+}
@@ -41,6 +41,7 @@ import (
 
 	"github.com/letsencrypt/boulder/core"
 	blog "github.com/letsencrypt/boulder/log"
+	"github.com/letsencrypt/boulder/publisher"
 )
 
 // Config stores configuration parameters that applications
@@ -56,14 +57,15 @@ type Config struct {
 
 	// General
 	AMQP struct {
-		Server   string
-		Insecure bool
-		RA       Queue
-		VA       Queue
-		SA       Queue
-		CA       Queue
-		OCSP     Queue
-		TLS      *TLSConfig
+		Server    string
+		Insecure  bool
+		RA        Queue
+		VA        Queue
+		SA        Queue
+		CA        Queue
+		OCSP      Queue
+		Publisher Queue
+		TLS       *TLSConfig
 	}
 
 	WFE struct {
@@ -164,6 +166,13 @@ type Config struct {
 		DebugAddr string
 	}
 
+	Publisher struct {
+		CT publisher.CTConfig
+
+		// DebugAddr is the address to run the /debug handlers on.
+		DebugAddr string
+	}
+
 	ExternalCertImporter struct {
 		CertsToImportCSVFilename   string
 		DomainsToImportCSVFilename string
 
@@ -111,6 +111,7 @@ type StorageGetter interface {
 	GetCertificateByShortSerial(string) (Certificate, error)
 	GetCertificateStatus(string) (CertificateStatus, error)
 	AlreadyDeniedCSR([]string) (bool, error)
+	GetSCTReceipt(string, string) (SignedCertificateTimestamp, error)
 }
 
 // StorageAdder are the Boulder SA's write/update methods
@@ -125,6 +126,8 @@ type StorageAdder interface {
 	UpdateOCSP(serial string, ocspResponse []byte) error
 
 	AddCertificate([]byte, int64) (string, error)
+
+	AddSCTReceipt(SignedCertificateTimestamp) error
 }
 
 // StorageAuthority interface represents a simple key/value
@@ -151,3 +154,8 @@ type DNSResolver interface {
 	LookupCAA(string) ([]*dns.CAA, time.Duration, error)
 	LookupMX(string) ([]string, time.Duration, error)
 }
+
+// Publisher defines the public interface for the Boulder Publisher
+type Publisher interface {
+	SubmitToCT([]byte) error
+}
@@ -7,9 +7,12 @@ package core
 
 import (
 	"crypto/x509"
+	"encoding/asn1"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"math/big"
 	"net"
 	"strings"
 	"time"
@@ -553,6 +556,95 @@ type OCSPSigningRequest struct {
 	RevokedAt time.Time
 }
 
+type SignedCertificateTimestamp struct {
+	ID int `db:"id"`
+	// The version of the protocol to which the SCT conforms
+	SCTVersion uint8 `db:"sctVersion"`
+	// the SHA-256 hash of the log's public key, calculated over
+	// the DER encoding of the key represented as SubjectPublicKeyInfo.
+	LogID string `db:"logID"`
+	// Timestamp (in ms since unix epoc) at which the SCT was issued
+	Timestamp uint64 `db:"timestamp"`
+	// For future extensions to the protocol
+	Extensions []byte `db:"extensions"`
+	// The Log's signature for this SCT
+	Signature []byte `db:"signature"`
+
+	// The serial of the certificate this SCT is for
+	CertificateSerial string `db:"certificateSerial"`
+
+	LockCol int64
+}
+
+type RPCSignedCertificateTimestamp SignedCertificateTimestamp
+
+type rawSignedCertificateTimestamp struct {
+	Version    uint8  `json:"sct_version"`
+	LogID      string `json:"id"`
+	Timestamp  uint64 `json:"timestamp"`
+	Signature  string `json:"signature"`
+	Extensions string `json:"extensions"`
+}
+
+func (sct *SignedCertificateTimestamp) UnmarshalJSON(data []byte) error {
+	var err error
+	var rawSCT rawSignedCertificateTimestamp
+	if err = json.Unmarshal(data, &rawSCT); err != nil {
+		return fmt.Errorf("Failed to unmarshal SCT receipt, %s", err)
+	}
+	sct.LogID = rawSCT.LogID
+	if err != nil {
+		return fmt.Errorf("Failed to decode log ID, %s", err)
+	}
+	sct.Signature, err = base64.StdEncoding.DecodeString(rawSCT.Signature)
+	if err != nil {
+		return fmt.Errorf("Failed to decode SCT signature, %s", err)
+	}
+	sct.Extensions, err = base64.StdEncoding.DecodeString(rawSCT.Extensions)
+	if err != nil {
+		return fmt.Errorf("Failed to decode SCT extensions, %s", err)
+	}
+	sct.SCTVersion = rawSCT.Version
+	sct.Timestamp = rawSCT.Timestamp
+	return nil
+}
+
+const (
+	sctHashSHA256 = 4
+	sctSigECDSA   = 3
+)
+
+// CheckSignature validates that the returned SCT signature is a valid SHA256 +
+// ECDSA signature but does not verify that a specific public key signed it.
+func (sct *SignedCertificateTimestamp) CheckSignature() error {
+	if len(sct.Signature) < 4 {
+		return errors.New("SCT signature is truncated")
+	}
+	// Since all of the known logs currently only use SHA256 hashes and ECDSA
+	// keys, only allow those
+	if sct.Signature[0] != sctHashSHA256 {
+		return fmt.Errorf("Unsupported SCT hash function [%d]", sct.Signature[0])
+	}
+	if sct.Signature[1] != sctSigECDSA {
+		return fmt.Errorf("Unsupported SCT signature algorithm [%d]", sct.Signature[1])
+	}
+
+	var ecdsaSig struct {
+		R, S *big.Int
+	}
+	// Ignore the two length bytes and attempt to unmarshal the signature directly
+	signatureBytes := sct.Signature[4:]
+	signatureBytes, err := asn1.Unmarshal(signatureBytes, &ecdsaSig)
+	if err != nil {
+		return fmt.Errorf("Failed to parse SCT signature, %s", err)
+	}
+	if len(signatureBytes) > 0 {
+		return fmt.Errorf("Trailing garbage after signature")
+	}
+
+	return nil
+}
+
 // RevocationCode is used to specify a certificate revocation reason
 type RevocationCode int