diff --git a/go.mod b/go.mod index 030f5cf..23538bb 100644 --- a/go.mod +++ b/go.mod @@ -5,9 +5,9 @@ go 1.21.0 toolchain go1.22.3 require ( - github.com/google/certificate-transparency-go v1.2.1 + github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b github.com/google/go-cmp v0.6.0 golang.org/x/mod v0.18.0 ) -require golang.org/x/crypto v0.23.0 // indirect +require gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/go.sum b/go.sum index e1b06b1..3bfb73a 100644 --- a/go.sum +++ b/go.sum @@ -1,8 +1,17 @@ -github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbBXbLqMpq3CifMyOnDUME= -github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE= +github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b h1:Ves2turKTX7zruivAcUOQg155xggcbv3suVdbKCBQNM= +github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b/go.mod h1:0AZAV7lYvynZQ5ErHlGMKH+4QYMyNCFd+AiL9MlrCYA= +github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/note/note_rfc6962.go b/note/note_rfc6962.go index 614d1cf..cead14d 100644 --- a/note/note_rfc6962.go +++ b/note/note_rfc6962.go @@ -29,7 +29,7 @@ import ( "strings" "time" - ct "github.com/google/certificate-transparency-go" + tls "github.com/cisco/go-tls-syntax" "golang.org/x/mod/sumdb/note" ) @@ -253,14 +253,64 @@ func formatRFC6962STH(t uint64, msg []byte) (string, []byte, error) { rootHash := [32]byte{} copy(rootHash[:], root) - sth := ct.SignedTreeHead{ + sth := treeHeadSignature{ + Version: V1, TreeSize: size, Timestamp: t, SHA256RootHash: rootHash, } - input, err := ct.SerializeSTHSignatureInput(sth) + input, err := sth.Marshal() if err != nil { return "", nil, err } return lines[0], input, nil } + +// Version represents the Version enum from section 3.2: +// +// enum { v1(0), (255) } Version; +type version uint8 // tls:"maxval:255" + +// CT Version constants from section 3.2. +const ( + V1 version = 0 +) + +// ~ignatureType differentiates STH signatures from SCT signatures, see section 3.2. +// +// enum { certificate_timestamp(0), tree_hash(1), (255) } SignatureType; +type signatureType uint8 // tls:"maxval:255" + +// SignatureType constants from section 3.2. +const ( + treeHashSignatureType signatureType = 1 +) + +// sha256Hash represents the output from the SHA256 hash function. +type sha256Hash [sha256.Size]byte + +// treeHeadSignature holds the data over which the signature in an STH is +// generated; see section 3.5 +type treeHeadSignature struct { + Version version `tls:"maxval:255"` + SignatureType signatureType `tls:"maxval:255"` // == TreeHashSignatureType + Timestamp uint64 + TreeSize uint64 + SHA256RootHash sha256Hash +} + +// Marshal serializes the passed in STH into the correct +// format for signing. +func (s treeHeadSignature) Marshal() ([]byte, error) { + switch s.Version { + case V1: + if len(s.SHA256RootHash) != crypto.SHA256.Size() { + return nil, fmt.Errorf("invalid TreeHash length, got %d expected %d", len(s.SHA256RootHash), crypto.SHA256.Size()) + } + s.SignatureType = treeHashSignatureType + + return tls.Marshal(s) + default: + return nil, fmt.Errorf("unsupported STH version %d", s.Version) + } +}