Drop dep on the certificate-transparency-go repo

go.mod

@@ -5,9 +5,9 @@ go 1.21.0
 toolchain go1.22.3
 
 require (
-	github.com/google/certificate-transparency-go v1.2.1
+	github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b
 	github.com/google/go-cmp v0.6.0
 	golang.org/x/mod v0.18.0
 )
 
-require golang.org/x/crypto v0.23.0 // indirect
+require gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -1,8 +1,17 @@
-github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbBXbLqMpq3CifMyOnDUME=
-github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE=
+github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b h1:Ves2turKTX7zruivAcUOQg155xggcbv3suVdbKCBQNM=
+github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b/go.mod h1:0AZAV7lYvynZQ5ErHlGMKH+4QYMyNCFd+AiL9MlrCYA=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
 golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

note/note_rfc6962.go

@@ -29,7 +29,7 @@ import (
 	"strings"
 	"time"
 
-	ct "github.com/google/certificate-transparency-go"
+	tls "github.com/cisco/go-tls-syntax"
 	"golang.org/x/mod/sumdb/note"
 )
 
@@ -253,14 +253,64 @@ func formatRFC6962STH(t uint64, msg []byte) (string, []byte, error) {
 	rootHash := [32]byte{}
 	copy(rootHash[:], root)
 
-	sth := ct.SignedTreeHead{
+	sth := treeHeadSignature{
+		Version:        V1,
 		TreeSize:       size,
 		Timestamp:      t,
 		SHA256RootHash: rootHash,
 	}
-	input, err := ct.SerializeSTHSignatureInput(sth)
+	input, err := sth.Marshal()
 	if err != nil {
 		return "", nil, err
 	}
 	return lines[0], input, nil
 }
+
+// Version represents the Version enum from section 3.2:
+//
+//	enum { v1(0), (255) } Version;
+type version uint8 // tls:"maxval:255"
+
+// CT Version constants from section 3.2.
+const (
+	V1 version = 0
+)
+
+// ~ignatureType differentiates STH signatures from SCT signatures, see section 3.2.
+//
+//	enum { certificate_timestamp(0), tree_hash(1), (255) } SignatureType;
+type signatureType uint8 // tls:"maxval:255"
+
+// SignatureType constants from section 3.2.
+const (
+	treeHashSignatureType signatureType = 1
+)
+
+// sha256Hash represents the output from the SHA256 hash function.
+type sha256Hash [sha256.Size]byte
+
+// treeHeadSignature holds the data over which the signature in an STH is
+// generated; see section 3.5
+type treeHeadSignature struct {
+	Version        version       `tls:"maxval:255"`
+	SignatureType  signatureType `tls:"maxval:255"` // == TreeHashSignatureType
+	Timestamp      uint64
+	TreeSize       uint64
+	SHA256RootHash sha256Hash
+}
+
+// Marshal serializes the passed in STH into the correct
+// format for signing.
+func (s treeHeadSignature) Marshal() ([]byte, error) {
+	switch s.Version {
+	case V1:
+		if len(s.SHA256RootHash) != crypto.SHA256.Size() {
+			return nil, fmt.Errorf("invalid TreeHash length, got %d expected %d", len(s.SHA256RootHash), crypto.SHA256.Size())
+		}
+		s.SignatureType = treeHashSignatureType
+
+		return tls.Marshal(s)
+	default:
+		return nil, fmt.Errorf("unsupported STH version %d", s.Version)
+	}
+}