Hi,
I've been tryint to parse the existing log file based on the
description in RFC 6962. I'm using Google's pilot log as example.
The RFC says that GET will give you:
leaf_input: The base64-encoded MerkleTreeLeaf structure.
extra_data: The base64-encoded unsigned data pertaining to the
log entry. In the case of an X509ChainEntry, this is the
"certificate_chain". In the case of a PrecertChainEntry,
this is the whole "PrecertChainEntry".
With MerkleTreeLeaf:
struct {
Version version;
MerkleLeafType leaf_type;
select (leaf_type) {
case timestamped_entry: TimestampedEntry;
}
} MerkleTreeLeaf;
Which uses the following types:
enum { v1(0), (255) }
Version;
enum { timestamped_entry(0), (255) }
MerkleLeafType;
struct {
uint64 timestamp;
LogEntryType entry_type;
select(entry_type) {
case x509_entry: ASN.1Cert;
case precert_entry: PreCert;
} signed_entry;
CtExtensions extensions;
} TimestampedEntry;
enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
opaque ASN.1Cert<1..2^24-1>;
opaque CtExtensions<0..2^16-1>;
So after base64 decoding things, and turning it to hex, I see:
0000000 00 00 00 00 01 3d a4 07 ab d0 00 00 00 05 09 30
0000020 82 05 05 30 82 03 ed a0 03 02 01 02 02 11 00 91
So my guess of parsing it is:
MerkleTreeLeaf {
version = 00 (v1)
leaf_type = 00 (timestamped_entry)
TimestampedEntry {
timestamp = 00 00 01 3d a4 07 ab d0 (1364256598992, 2013-03-26
00:09:58.992)
entry_type = 00 00 (x509_entry)
ASN.1Cert = 00 05 09 30 82 05 05 30 [...]
And I seem to have been gotton lost somewhere. That doesn't look
like a valid X509 certificate, nor do I have any idea how long it
is.
If I had to guess "00 05 09" would be a length, and that might
work since it's limited to 2^24-1 bytes, so let's just assume
that's the case for now.
Now let's try to look at the extra_data. That is:
struct {
ASN.1Cert leaf_certificate;
ASN.1Cert certificate_chain<0..2^24-1>;
} X509ChainEntry;
And we have this hex data:
0000000 00 09 29 00 04 e9 30 82 04 e5 30 82 03 cd a0 03
0000020 02 01 02 02 10 07 6f 12 46 81 45 9c 28 d5 48 d6
So with what we learned from the previous attempt, it looks like
we need to parse it like:
certificate_chain {
length = 00 09 29 (2345)
ASN.1Cert {
length = 00 04 e9 (1257)
data = 30 82 04 e5 30 82 03 cd a0 03 [...] }
ASN.1Cert { [...]
I think the RFC needs some clarifications on how to parse things,
so that I don't have to guess.
This definition is also confusing:
extra_data: The base64-encoded unsigned data pertaining to the
log entry. In the case of an X509ChainEntry, this is the
"certificate_chain". In the case of a PrecertChainEntry,
this is the whole "PrecertChainEntry".
So the X509ChainEntry is not used, you need to directly go to it's
member certificate_chain. The LogEntry also isn't used anywhere.
Kurt
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
