
Fix CT serialisation #421

Merged
merged 1 commit into from
Dec 17, 2024

Conversation

AlCutter
Collaborator

This PR fixes an error in the serialisation of Static CT API leaf data.

The ctonly package could do with some golden tests, I've added #420 to track that.

@AlCutter AlCutter merged commit c4d2331 into transparency-dev:main Dec 17, 2024
16 checks passed
@AlCutter AlCutter deleted the fix_ctonly branch December 17, 2024 12:45
@phbnf
Contributor

phbnf commented Dec 18, 2024

I expanded all the structures from RFC6962 and https://c2sp.org/static-ct-api, and I think that this PR steers away from the specs. What do you think? (apologies for poor formatting)

LeafData

```
struct {
    uint64 timestamp;
    LogEntryType entry_type;
    select(entry_type) {
        case x509_entry: ASN.1Cert;
        case precert_entry: PreCert;
            struct {
                opaque issuer_key_hash[32];
                TBSCertificate tbs_certificate;
                // <-- according to rfc6962, this is precert without the precert bit etc,
                // i.e. defangedTBS, not the Raw precertificate. static-ct sets the
                // defangedTBS into leaf.Certificate
                // (https://github.com/transparency-dev/static-ct/blob/d5b947a46312391263762e2855e0df7456fe17b5/handlers.go#L539),
                // leaf.Precertificate is the raw Precertificate.
                // ccl: this field should be leaf.Certificate
            } PreCert;
    } signed_entry;
    CtExtensions extensions;
} TimestampedEntry;
TimestampedEntry timestamped_entry;
select (entry_type) {
    case x509_entry: Empty;
    case precert_entry: ASN.1Cert pre_certificate;
    // --> According to c2sp/static-ct-api, this is the precertificate submitted,
    // i.e. what static-ct sets in leaf.Precertificate
    // (https://github.com/transparency-dev/static-ct/blob/main/handlers.go#L537),
    // not the issuer precertificate
};
Fingerprint certificate_chain<0..2^16-1>;
// ---> If this is a Precert entry, the first hash of that chain will be the hash of
// PrecertSigningCert
// (https://github.com/transparency-dev/static-ct/blob/main/handlers.go#L498-L500),
// which itself can be fetched from the issuer storage.
} TileLeaf;
```

MerkleTreeLeaf

```
struct {
    Version version;
    MerkleLeafType leaf_type;
    select (leaf_type) {
        case timestamped_entry: TimestampedEntry;
            struct {
                uint64 timestamp;
                LogEntryType entry_type;
                select(entry_type) {
                    case x509_entry: ASN.1Cert;
                    case precert_entry: PreCert;
                        struct {
                            opaque issuer_key_hash[32];
                            TBSCertificate tbs_certificate;
                            // <-- According to rfc6962, this is precert without the precert bit etc,
                            // i.e. defangedTBS, not the Raw precertificate. static-ct sets the
                            // defangedTBS into leaf.Certificate
                            // (https://github.com/transparency-dev/static-ct/blob/d5b947a46312391263762e2855e0df7456fe17b5/handlers.go#L539),
                            // leaf.Precertificate is the raw Precertificate.
                            // ccl: this field should be leaf.Certificate
                        } PreCert;
                } signed_entry;
                CtExtensions extensions;
            } TimestampedEntry;
    }
} MerkleTreeLeaf;
```
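To make the point of the thread concrete, here is an added, self-contained Go example (not code from the static-ct project or from this PR) that TLS-encodes an RFC 6962 `TimestampedEntry` and `MerkleTreeLeaf` and computes the leaf hash. The field layout follows RFC 6962 section 3.4: `ASN.1Cert` and `TBSCertificate` are `opaque<1..2^24-1>` (3-byte length prefix), `CtExtensions` is `opaque<0..2^16-1>`, and a precert entry carries the 32-byte issuer key hash followed by the defanged TBS. The type and function names, and the sample bytes fed in from `main`, are this example's own assumptions; the sample "certificate" bytes are constructed and are not real DER certificates. It demonstrates that putting the raw precertificate where the defanged TBS belongs yields a different leaf hash, which is exactly the kind of serialisation mismatch a golden test would catch.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Enum values from RFC 6962 section 3.4 (Version, MerkleLeafType, LogEntryType).
const (
	VersionV1           uint8  = 0
	LeafTypeTimestamped uint8  = 0
	EntryTypeX509       uint16 = 0
	EntryTypePrecert    uint16 = 1
)

// TimestampedEntry mirrors the RFC 6962 structure of the same name (hypothetical
// Go type for this example). For a precert_entry, TBSCert must hold the
// TBSCertificate with the poison extension removed (the "defanged" TBS), not the
// raw precertificate.
type TimestampedEntry struct {
	Timestamp     uint64
	EntryType     uint16
	Cert          []byte   // x509_entry: DER leaf certificate (ASN.1Cert)
	IssuerKeyHash [32]byte // precert_entry: SHA-256 of the issuer's SPKI
	TBSCert       []byte   // precert_entry: defanged TBSCertificate
	Extensions    []byte   // CtExtensions, opaque<0..2^16-1>
}

// writeOpaque24 writes a TLS opaque<1..2^24-1> vector: 3-byte length, then body.
// A zero-length body is rejected because the lower bound of the vector is 1.
func writeOpaque24(buf *bytes.Buffer, body []byte) error {
	if len(body) == 0 || len(body) >= 1<<24 {
		return fmt.Errorf("opaque<1..2^24-1>: invalid length %d", len(body))
	}
	buf.Write([]byte{byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))})
	buf.Write(body)
	return nil
}

// MarshalTimestampedEntry produces the TLS encoding of a TimestampedEntry:
// timestamp (8) || entry_type (2) || signed_entry || extensions (2-byte length + body).
func MarshalTimestampedEntry(e TimestampedEntry) ([]byte, error) {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, e.Timestamp)
	binary.Write(&buf, binary.BigEndian, e.EntryType)
	switch e.EntryType {
	case EntryTypeX509:
		if err := writeOpaque24(&buf, e.Cert); err != nil {
			return nil, err
		}
	case EntryTypePrecert:
		buf.Write(e.IssuerKeyHash[:])
		if err := writeOpaque24(&buf, e.TBSCert); err != nil {
			return nil, err
		}
	default:
		return nil, errors.New("unknown LogEntryType")
	}
	if len(e.Extensions) >= 1<<16 {
		return nil, errors.New("extensions exceed 2^16-1 bytes")
	}
	binary.Write(&buf, binary.BigEndian, uint16(len(e.Extensions)))
	buf.Write(e.Extensions)
	return buf.Bytes(), nil
}

// MarshalMerkleTreeLeaf prepends version and leaf_type to the encoded entry.
func MarshalMerkleTreeLeaf(e TimestampedEntry) ([]byte, error) {
	body, err := MarshalTimestampedEntry(e)
	if err != nil {
		return nil, err
	}
	return append([]byte{VersionV1, LeafTypeTimestamped}, body...), nil
}

// LeafHash is the RFC 6962 Merkle leaf hash: SHA-256(0x00 || MerkleTreeLeaf).
func LeafHash(leaf []byte) [32]byte {
	return sha256.Sum256(append([]byte{0x00}, leaf...))
}

func main() {
	// Constructed sample input; the bytes are not a real certificate.
	leaf, err := MarshalMerkleTreeLeaf(TimestampedEntry{
		Timestamp: 1734436800000,
		EntryType: EntryTypeX509,
		Cert:      []byte{0x30, 0x03, 0x02, 0x01, 0x01},
	})
	if err != nil {
		panic(err)
	}
	h := LeafHash(leaf)
	fmt.Printf("leaf=%x\nhash=%x\n", leaf, h[:])
}
```

A golden test for a package like `ctonly` would pin the exact byte string produced for a fixed input (as the first test below does) rather than only comparing hashes, so that a field swap such as raw precert versus defanged TBS shows up as a byte diff rather than an opaque hash mismatch.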
