certificate-transparency 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e4ea6b3e2c15000d7eaca39ef6b3661c0bab1865
-  data.tar.gz: 093bb71663c96c018b54f6c8604ae69a3f439e38
+  metadata.gz: 39b2b99f63286dade01640df20a331e7c1281018
+  data.tar.gz: 98f432392e75038c15eaa17090e239501dc8011e
 SHA512:
-  metadata.gz: 0d4c7c9b2788e6103c6a2382f2810ff3e2e4ae0b62251f1f53d9c739aa115897de996b53f269f92510e03b1a431df8f0c27c4c096f7fdba0a46c66e7a7b42805
-  data.tar.gz: 105393ac84c748cf4cef092c2550653c00fc3d1ae99de0543c0ef77b7e4796bb230ea603f4429781d4f58a24226542364db4f345edba54e1cc232e6f289fab60
+  metadata.gz: 4b1d533fafad47199195eaf133fe8cdbcc7889897fd413336ed8d48bbbaf466bcc566f2238cd16c459df2a0f34020d356556b6b623ccbf9a05dded51cd67ab2f
+  data.tar.gz: d49e9c47f74b63f6c8b5bf1c063d34f730abd84dd7282beb8bb06ac28162f988bd01b46acb026f5d0aad2977964cd30954f79a99bb4b1b8b14ff75b58772b91e

data/lib/certificate-transparency/merkle_tree_leaf.rb

@@ -0,0 +1,126 @@
+# An RFC6962 MerkleTreeLeaf structure
+#
+# Use {.from_blob} if you have an encoded MTL you wish to decode, or
+# else create a new instance, pass in a `TimestampedEntry` object via
+# `#timestamped_entry=`, and then call `#to_blob` to get the encoded MTL.
+#
+class CertificateTransparency::MerkleTreeLeaf
+	attr_reader :timestamped_entry
+
+	# Return a new MerkleTreeLeaf instance, from a binary blob of data.
+	# Raises an ArgumentError if the blob is invalid in some way.
+	#
+	# @param blob [String]
+	#
+	# @return [CertificateTransparency::MerkleTreeLeaf]
+	#
+	def self.from_blob(blob)
+		new.tap do |mtl|
+			mtl.version, leaf_type, te = blob.unpack("CCa*")
+			unless leaf_type == ::CertificateTransparency::MerkleLeafType[:timestamped_entry]
+				raise ArgumentError,
+				      "Unknown leaf type in blob"
+			end
+
+			mtl.timestamped_entry =
+			     ::CertificateTransparency::TimestampedEntry.from_blob(te)
+		end
+	end
+
+	# Instantiate a new MerkleTreeLeaf.
+	#
+	def initialize
+		@version   = ::CertificateTransparency::Version[:v1]
+		@leaf_type = ::CertificateTransparency::MerkleLeafType[:timestamped_entry]
+	end
+
+	# Set the version of the MerkleTreeLeaf structure to create.  At present,
+	# only `:v1` is supported, so there isn't much point in ever calling this
+	# method.
+	#
+	# @param v [Symbol]
+	#
+	# @return void
+	#
+	def version=(v)
+		@version = case v
+		when Symbol
+			::CertificateTransparency::Version[v]
+		when Integer
+			v
+		else
+			nil
+		end
+
+		if @version.nil? or !::CertificateTransparency::Version.values.include?(@version)
+			raise ArgumentError,
+			      "Invalid version #{v.inspect}"
+		end
+	end
+
+	# Return a symbol indicating the version of the MerkleTreeLeaf structure
+	# represented by this object.  At present, only `:v1` is supported.
+	#
+	# @return Symbol
+	#
+	def version
+		::CertificateTransparency::Version.invert[@version]
+	end
+
+	# Set the leaf type of the MerkleTreeLeaf structure.  At present, only
+	# `:timestamped_entry` is supported, so there isn't much point in ever
+	# calling this method.
+	#
+	# @param lt [Symbol]
+	#
+	# @return void
+	#
+	def leaf_type=(lt)
+		@leaf_type = ::CertificateTransparency::MerkleLeafType[lt]
+
+		if @leaf_type.nil?
+			raise ArgumentError,
+			      "Invalid leaf_type #{lt.inspect}"
+		end
+	end
+
+	# Return a symbol indicating the leaf type of the MerkleTreeLeaf
+	# structure represented by this object.  At present, only
+	# `:timestamped_entry` is supported.
+	#
+	# @return Symbol
+	#
+	def leaf_type
+		::CertificateTransparency::MerkleLeafType.invert[@leaf_type]
+	end
+
+	# Set the TimestampedEntry element for this MerkleTreeLeaf.  It must be
+	# an instance of CertificateTransparency::TimestampedEntry, or an
+	# ArgumentError will be raised.
+	#
+	# @param te [CertificateTransparency::TimestampedEntry]
+	#
+	# @return void
+	#
+	def timestamped_entry=(te)
+		unless te.is_a? ::CertificateTransparency::TimestampedEntry
+			raise ArgumentError,
+			      "Wasn't passed a TimestampedEntry (got a #{te.class})"
+		end
+
+		@timestamped_entry = te
+	end
+
+	# Generate a binary blob representing this MerkleTreeLeaf structure.
+	#
+	# @return [String]
+	#
+	def to_blob
+		if @timestamped_entry.nil?
+			raise RuntimeError,
+			      "timestamped_entry has not been set"
+		end
+
+		[@version, @leaf_type, @timestamped_entry.to_blob].pack("CCa*")
+	end
+end

data/lib/certificate-transparency/timestamped_entry.rb

@@ -0,0 +1,166 @@
+# An RFC6962 TimestampedEntry structure
+#
+# Use {.from_blob} if you have an encoded TE you wish to decode, or create a
+# new instance, set the various parameters, and use `#to_blob` to give you
+# an encoded structure you can put over the wire.  The various elements of
+# the TE struct are available via accessors.
+#
+class CertificateTransparency::TimestampedEntry
+	# An instance of Time representing the timestamp of this entry
+	#
+	# @return [Time]
+	#
+	attr_reader :timestamp
+
+	# The type of entry we've got here.  Is a symbol, either
+	# :x509_entry or :precert_entry.
+	#
+	# @return [Symbol]
+	#
+	attr_reader :entry_type
+
+	# An OpenSSL::X509::Certificate instance, if `entry_type == :x509_entry`,
+	# or nil otherwise.
+	#
+	# @return [OpenSSL::X509::Certificate]
+	#
+	attr_reader :x509_entry
+
+	# An instance of ::CertificateTransparency::PreCert if `entry_type ==
+	# :precert_entry`, or nil otherwise.
+	#
+	# @return [CertificateTransparency::PreCert]
+	#
+	attr_reader :precert_entry
+
+	# Create a new {CT::TimestampedEntry} by decoding a binary blob.
+	#
+	# @param blob [String]
+	#
+	# @return [CertificateTransparency::TimestampedEntry]
+	#
+	# @raise [ArgumentError] if we can't understand how to decode the
+	#   provided blob.
+	#
+	def self.from_blob(blob)
+		ts, entry_type, rest = blob.unpack("Q>na*")
+
+		new.tap do |te|
+			te.timestamp = Time.ms(ts)
+
+			case CertificateTransparency::LogEntryType.invert[entry_type]
+			when :x509_entry
+				cert_data, rest = TLS::Opaque.from_blob(rest, 2**24-1)
+				te.x509_entry = OpenSSL::X509::Certificate.new(cert_data.value)
+			when :precert_entry
+				# Holy fuck, can I have ASN1 back, please?  I can't just pass
+				# the PreCert part of the blob into CT::PreCert.new, because I
+				# can't parse the PreCert part out of the blob without digging
+				# *into* the PreCert part, because the only information on how
+				# long TBSCertificate is is contained *IN THE PRECERT!*
+				#
+				# I'm surprised there aren't a lot more bugs in TLS
+				# implementations, if this is how they lay out their data
+				# structures.
+				ikh, tbsc_len_hi, tbsc_len_lo, rest = rest.unpack("a32nCa*")
+				tbsc_len = tbsc_len_hi * 256 + tbsc_len_lo
+				tbsc, rest = rest.unpack("a#{tbsc_len}a*")
+				te.precert_entry = ::CertificateTransparency::PreCert.new do |ctpc|
+					ctpc.issuer_key_hash = ikh
+					ctpc.tbs_certificate = tbsc
+				end
+			else
+				raise ArgumentError,
+				      "Unknown LogEntryType: #{entry_type} (corrupt TimestampedEntry?)"
+			end
+
+			exts, rest = TLS::Opaque.from_blob(rest, 2**16-1)
+			unless exts.value == ""
+				raise ArgumentError,
+				      "Non-empty extensions found (#{exts.value.inspect})"
+			end
+
+			unless rest == ""
+				raise ArgumentError,
+				      "Corrupted blob (garbage data after extensions)"
+			end
+		end
+	end
+
+	# Gives you whichever of `#x509_entry` or `#precert_entry` is
+	# not nil, or `nil` if both of them are `nil`.
+	#
+	# @return [OpenSSL::X509::Certificate, CertificateTransparency::PreCert]
+	#
+	def signed_entry
+		@x509_entry or @precert_entry
+	end
+
+	# Set the timestamp for this entry
+	#
+	# Must be a Time object, or something that can be bludgeoned
+	# into a Time object.
+	#
+	# @param ts [Time]
+	#
+	# @return void
+	#
+	def timestamp=(ts)
+		unless ts.is_a? Time or ts.respond_to? :to_time
+			raise ArgumentError,
+			      "Must pass me a Time or something that responds to :to_time"
+		end
+
+		@timestamp = ts.is_a?(Time) ? ts : ts.to_time
+	end
+
+	# Set the entry to be an x509_entry with the given certificate.
+	#
+	# @param xe [OpenSSL::X509::Certificate]
+	#
+	# @return void
+	#
+	def x509_entry=(xe)
+		@x509_entry = OpenSSL::X509::Certificate.new(xe.to_s)
+		@entry_type = :x509_entry
+		@precert_entry = nil
+	end
+
+	# Set the entry to be a precert_entry with the given precert data.  You
+	# must pass in a CertificateTransparency::PreCert instance.
+	#
+	# @param pe [CertificateTransparency::PreCert]
+	#
+	# @return void
+	#
+	def precert_entry=(pe)
+		unless pe.is_a? ::CertificateTransparency::PreCert
+			raise ArgumentError,
+			      "I only accept PreCert instances (you gave me a #{pe.class})"
+		end
+
+		@precert_entry = pe
+		@entry_type = :precert_entry
+		@x509_entry = nil
+	end
+
+	# Encode this {TimestampedEntry} into a binary blob.
+	#
+	# @return [String]
+	#
+	def to_blob
+		signed_entry = if @x509_entry
+			TLS::Opaque.new(@x509_entry.to_der, 2**24-1).to_blob
+		elsif @precert_entry
+			@precert_entry.to_blob
+		else
+			raise RuntimeError,
+			      "You must call #precert_entry= or #x509_entry= before calling #to_blob"
+		end
+
+		[@timestamp.ms,
+		 CertificateTransparency::LogEntryType[entry_type],
+		 signed_entry, 0
+		].pack("Q>na*n")
+	end
+end

data/lib/certificate-transparency.rb

@@ -28,7 +28,9 @@ unless Kernel.const_defined?(:CT)
 	CT = CertificateTransparency
 end
 
-require 'certificate-transparency/extensions/string'
-require 'certificate-transparency/extensions/time'
+require_relative 'certificate-transparency/extensions/string'
+require_relative 'certificate-transparency/extensions/time'
 
-require 'certificate-transparency/signed_tree_head'
+require_relative 'certificate-transparency/merkle_tree_leaf'
+require_relative 'certificate-transparency/signed_tree_head'
+require_relative 'certificate-transparency/timestamped_entry'

data/lib/tls/digitally_signed.rb

@@ -62,9 +62,9 @@ class TLS::DigitallySigned
 
 	# Set the key for this instance.
 	#
-	# @param k [OpenSSL::PKey::EC] a key to verify or generate the signature. 
+	# @param k [OpenSSL::PKey::EC] a key to verify or generate the signature.
 	#   If you only want to verify an existing signature (ie you created this
-	#   instance via {.from_blob}, then this key can be a public key. 
+	#   instance via {.from_blob}, then this key can be a public key.
 	#   Otherwise, if you want to generate a new signature, you must pass in
 	#   a private key.
 	#

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: certificate-transparency
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Matt Palmer
@@ -159,7 +159,9 @@ files:
 - lib/certificate-transparency.rb
 - lib/certificate-transparency/extensions/string.rb
 - lib/certificate-transparency/extensions/time.rb
+- lib/certificate-transparency/merkle_tree_leaf.rb
 - lib/certificate-transparency/signed_tree_head.rb
+- lib/certificate-transparency/timestamped_entry.rb
 - lib/tls.rb
 - lib/tls/digitally_signed.rb
 - lib/tls/opaque.rb