createSTHTestData.py

Enable keyboard shortcuts

#!/usr/bin/env python

# This Source Code Form is subject to the terms of the Mozilla Public

# License, v. 2.0. If a copy of the MPL was not distributed with this

# file, You can obtain one at http://mozilla.org/MPL/2.0/.

"""

This utility is used by the build system to create test inputs for the

signed tree head decoding and verification implementation. The format is

generally lines of <key>:<value> pairs except for the to-be-signed

section, which consists of one or more lines of hex bytes. Comments may

appear at the end of lines and begin with '//'.

The following keys are valid:

signingKey: A pykey key identifier to use to sign the to-be-signed data.

            Required.

spki: A pykey key identifier to create an encoded SubjectPublicKeyInfo

      to be included with the test data. The tests will use this spki to

      validate the signature. Required.

prefix: Hex bytes to include at the beginning of the signed tree head

        data. This data is not covered by the signature (typically this

        is used for the log_id field). Optional. Defaults to the empty

        string.

hash: The name of a hash algorithm to use when signing. Optional.

      Defaults to 'sha256'.

"""

import binascii

import os

import sys

from pyasn1.codec.der import encoder

sys.path.append(

    os.path.join(os.path.dirname(__file__), "..", "..", "..", "manager", "tools")

import pykey

def sign(signingKey, hashAlgorithm, hexToSign):

    """Given a pykey, the name of a hash function, and hex bytes to

    sign, signs the data (as binary) and returns a hex string consisting

    of the signature."""

    # key.sign returns a hex string in the format "'<hex bytes>'H",

    # so we have to strip off the "'"s and trailing 'H'

    return signingKey.sign(binascii.unhexlify(hexToSign), "hash:%s" % hashAlgorithm)[

        1:-2

class Error(Exception):

    """Base class for exceptions in this module."""

    pass

class UnknownParameterTypeError(Error):

    """Base class for handling unexpected input in this module."""

    def __init__(self, value):

        super(Error, self).__init__()

        self.value = value

        self.category = "key"

    def __str__(self):

        return 'Unknown %s type "%s"' % (self.category, repr(self.value))

class InputTooLongError(Error):

    """Helper exception type for inputs that are too long."""

    def __init__(self, length):

        super(InputTooLongError, self).__init__()

        self.length = length

    def __str__(self):

        return "Input too long: %s > 65535" % self.length

def getTwoByteLenAsHex(callLenOnMe):

    """Given something that len can be called on, returns a hex string

    representing the two-byte length of the something, in network byte

    order (the length must be less than or equal to 65535)."""

    length = len(callLenOnMe)

    if length > 65535:

        raise InputTooLongError(length)

    return bytes([length // 256, length % 256]).hex()

def createSTH(configStream):

    """Given a stream that will provide the specification for a signed

    tree head (see the comment at the top of this file), creates the

    corresponding signed tree head. Returns a string that can be

    compiled as C/C++ that declares two const char*s kSTHHex and

    kSPKIHex corresponding to the hex encoding of the signed tree head

    and the hex encoding of the subject public key info from the

    specification, respectively."""

    toSign = ""

    prefix = ""

    hashAlgorithm = "sha256"

    for line in configStream.readlines():

        if ":" in line:

            param = line.split(":")[0]

            arg = line.split(":")[1].split("//")[0].strip()

            if param == "signingKey":

                signingKey = pykey.keyFromSpecification(arg)

            elif param == "spki":

                spki = pykey.keyFromSpecification(arg)

            elif param == "prefix":

                prefix = arg

            elif param == "hash":

                hashAlgorithm = arg

            else:

                raise UnknownParameterTypeError(param)

        else:

            toSign = toSign + line.split("//")[0].strip()

    signature = sign(signingKey, hashAlgorithm, toSign)

    lengthBytesHex = getTwoByteLenAsHex(binascii.unhexlify(signature))

    sth = prefix + toSign + lengthBytesHex + signature

    spkiHex = encoder.encode(spki.asSubjectPublicKeyInfo()).hex()

    return 'const char* kSTHHex = "%s";\nconst char* kSPKIHex = "%s";\n' % (

        sth,

        spkiHex,

def main(output, inputPath):

    """Given a file-like output and the path to a signed tree head

    specification (see the comment at the top of this file), reads the

    specification, creates the signed tree head, and outputs test data

    that can be included by a gtest corresponding to the

    specification."""

    with open(inputPath) as configStream:

        output.write(createSTH(configStream))