httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From traw...@apache.org
Subject svn commit: r1588987 [3/3] - in /httpd/httpd/trunk: ./ docs/manual/mod/ docs/manual/programs/ modules/ssl/ support/
Date Mon, 21 Apr 2014 21:14:22 GMT
Added: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c (added)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c Mon Apr 21 21:14:21 2014
@@ -0,0 +1,419 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "apr_dbd.h"
+#include "apr_escape.h"
+#include "apr_strings.h"
+
+#include "httpd.h"
+#include "http_log.h"
+#include "http_main.h"
+
+#include "ssl_ct_sct.h"
+#include "ssl_ct_log_config.h"
+#include "ssl_ct_util.h"
+
+APLOG_USE_MODULE(ssl_ct);
+
+int log_config_readable(apr_pool_t *p, const char *logconfig,
+                        const char **msg)
+{
+    const apr_dbd_driver_t *driver;
+    apr_dbd_t *handle;
+    apr_status_t rv;
+    apr_dbd_results_t *res;
+    int rc;
+
+    rv = apr_dbd_get_driver(p, "sqlite3", &driver);
+    if (rv != APR_SUCCESS) {
+        if (msg) {
+            *msg = "SQLite3 driver cannot be loaded";
+        }
+        return 0;
+    }
+
+    rv = apr_dbd_open(driver, p, logconfig, &handle);
+    if (rv != APR_SUCCESS) {
+        return 0;
+    }
+
+    /* is there a cheaper way? */
+    res = NULL;
+    rc = apr_dbd_select(driver, p, handle, &res,
+                        "SELECT * FROM loginfo WHERE id = 0", 0);
+
+    apr_dbd_close(driver, handle);
+
+    if (rc != 0) {
+        return 0;
+    }
+
+    return 1;
+}
+
+static apr_status_t public_key_cleanup(void *data)
+{
+    EVP_PKEY *pubkey = data;
+
+    EVP_PKEY_free(pubkey);
+    return APR_SUCCESS;
+}
+
+static apr_status_t read_public_key(apr_pool_t *p, const char *pubkey_fname,
+                                    EVP_PKEY **ppkey)
+{
+    apr_status_t rv;
+    EVP_PKEY *pubkey;
+    FILE *pubkeyf;
+
+    *ppkey = NULL;
+
+    rv = ctutil_fopen(pubkey_fname, "r", &pubkeyf);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf,
+                     "could not open log public key file %s",
+                     pubkey_fname);
+        return rv;
+    }
+
+    pubkey = PEM_read_PUBKEY(pubkeyf, NULL, NULL, NULL);
+    if (!pubkey) {
+        fclose(pubkeyf);
+        rv = APR_EINVAL;
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                     "PEM_read_PUBKEY() failed to process public key file %s",
+                     pubkey_fname);
+        return rv;
+    }
+
+    fclose(pubkeyf);
+
+    *ppkey = pubkey;
+
+    apr_pool_cleanup_register(p, (void *)pubkey, public_key_cleanup,
+                              apr_pool_cleanup_null);
+
+    return APR_SUCCESS;
+}
+
+static void digest_public_key(EVP_PKEY *pubkey, unsigned char digest[LOG_ID_SIZE])
+{
+    int len = i2d_PUBKEY(pubkey, NULL);
+    unsigned char *val = malloc(len);
+    unsigned char *tmp = val;
+    SHA256_CTX sha256ctx;
+
+    ap_assert(LOG_ID_SIZE == SHA256_DIGEST_LENGTH);
+
+    i2d_PUBKEY(pubkey, &tmp);
+    SHA256_Init(&sha256ctx);
+    SHA256_Update(&sha256ctx, (unsigned char *)val, len);
+    SHA256_Final(digest, &sha256ctx);
+    free(val);
+}
+
+static apr_status_t parse_log_url(apr_pool_t *p, const char *lu, apr_uri_t *puri)
+{
+    apr_status_t rv;
+    apr_uri_t uri;
+
+    rv = apr_uri_parse(p, lu, &uri);
+    if (rv == APR_SUCCESS) {
+        if (!uri.scheme
+            || !uri.hostname
+            || !uri.path) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "Error in log url \"%s\": URL can't be parsed or is missing required "
+                         "elements", lu);
+            rv = APR_EINVAL;
+        }
+        if (strcmp(uri.scheme, "http")) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "Error in log url \"%s\": Only scheme \"http\" (instead of \"%s\") "
+                         "is currently accepted",
+                         lu, uri.scheme);
+            rv = APR_EINVAL;
+        }
+        if (strcmp(uri.path, "/")) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "Error in log url \"%s\": Only path \"/\" (instead of \"%s\") "
+                         "is currently accepted",
+                         lu, uri.path);
+            rv = APR_EINVAL;
+        }
+    }
+    if (rv == APR_SUCCESS) {
+        *puri = uri;
+    }
+    return rv;
+}
+
+static apr_status_t parse_time_str(apr_pool_t *p, const char *time_str,
+                                   apr_time_t *time)
+{
+    apr_int64_t val;
+    const char *end;
+
+    errno = 0;
+    val = apr_strtoi64(time_str, (char **)&end, 10);
+    if (errno || *end != '\0') {
+        return APR_EINVAL;
+    }
+
+    *time = apr_time_from_msec(val);
+    return APR_SUCCESS;
+}
+
+/* The log_config array should have already been allocated from p. */
+apr_status_t save_log_config_entry(apr_array_header_t *log_config,
+                                   apr_pool_t *p,
+                                   const char *log_id,
+                                   const char *pubkey_fname,
+                                   const char *distrusted_str,
+                                   const char *min_time_str,
+                                   const char *max_time_str,
+                                   const char *url)
+{
+    apr_size_t len;
+    apr_status_t rv;
+    apr_time_t min_time, max_time;
+    apr_uri_t uri;
+    char *computed_log_id = NULL, *log_id_bin = NULL;
+    ct_log_config *newconf, **pnewconf;
+    int distrusted;
+    EVP_PKEY *public_key;
+
+    if (!distrusted_str) {
+        distrusted = DISTRUSTED_UNSET;
+    }
+    else if (!strcasecmp(distrusted_str, "1")) {
+        distrusted = DISTRUSTED;
+    }
+    else if (!strcasecmp(distrusted_str, "0")) {
+        distrusted = DISTRUSTED;
+    }
+    else {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                     "Trusted status \"%s\" not valid", distrusted_str);
+        return APR_EINVAL;
+    }
+
+    if (log_id) {
+        rv = apr_unescape_hex(NULL, log_id, strlen(log_id), 0, &len);
+        if (rv != 0 || len != 32) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "Log id \"%s\" not valid", log_id);
+            log_id_bin = apr_palloc(p, len);
+            apr_unescape_hex(log_id_bin, log_id, strlen(log_id), 0, NULL);
+        }
+    }
+
+    if (pubkey_fname) {
+        rv = read_public_key(p, pubkey_fname, &public_key);
+        if (rv != APR_SUCCESS) {
+            return rv;
+        }
+    }
+    else {
+        public_key = NULL;
+    }
+
+    if (min_time_str) {
+        rv = parse_time_str(p, min_time_str, &min_time);
+        if (rv) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "Invalid min time \"%s\"", min_time_str);
+            return rv;
+        }
+    }
+    else {
+        min_time = 0;
+    }
+
+    if (max_time_str) {
+        rv = parse_time_str(p, max_time_str, &max_time);
+        if (rv) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "Invalid max time \"%s\"", max_time_str);
+            return rv;
+        }
+    }
+    else {
+        max_time = 0;
+    }
+
+    if (url) {
+        rv = parse_log_url(p, url, &uri);
+        if (rv != APR_SUCCESS) {
+            return rv;
+        }
+    }
+
+    newconf = apr_pcalloc(p, sizeof(ct_log_config));
+    pnewconf = (ct_log_config **)apr_array_push(log_config);
+    *pnewconf = newconf;
+
+    newconf->distrusted = distrusted;
+    newconf->public_key = public_key;
+
+    if (newconf->public_key) {
+        computed_log_id = apr_palloc(p, LOG_ID_SIZE);
+        digest_public_key(newconf->public_key,
+                          (unsigned char *)computed_log_id);
+    }
+
+    if (computed_log_id && log_id_bin) {
+        if (memcmp(computed_log_id, log_id_bin, LOG_ID_SIZE)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "Provided log id doesn't match digest of public key");
+            return APR_EINVAL;
+        }
+    }
+
+    newconf->log_id = log_id_bin ? log_id_bin : computed_log_id;
+
+    newconf->min_valid_time = min_time;
+    newconf->max_valid_time = max_time;
+
+    newconf->url = url;
+    if (url) {
+        newconf->uri = uri;
+        newconf->uri_str = apr_uri_unparse(p, &uri, 0);
+    }
+    newconf->public_key_pem = pubkey_fname;
+
+    return APR_SUCCESS;
+}
+
+apr_status_t read_config_db(apr_pool_t *p, server_rec *s_main,
+                            const char *log_config_fname,
+                            apr_array_header_t *log_config)
+{
+    apr_status_t rv;
+    const apr_dbd_driver_t *driver;
+    apr_dbd_t *handle;
+    apr_dbd_results_t *res;
+    apr_dbd_row_t *row;
+    int rc;
+
+    ap_assert(log_config);
+
+    rv = apr_dbd_get_driver(p, "sqlite3", &driver);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s_main,
+                     "APR SQLite3 driver can't be loaded");
+        return rv;
+    }
+
+    rv = apr_dbd_open(driver, p, log_config_fname, &handle);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s_main,
+                     "Can't open SQLite3 db %s", log_config_fname);
+        return rv;
+    }
+
+    res = NULL;
+    rc = apr_dbd_select(driver, p, handle, &res,
+                        "SELECT * FROM loginfo", 0);
+
+    if (rc != 0) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s_main,
+                     "SELECT of loginfo records failed");
+        apr_dbd_close(driver, handle);
+        return APR_EINVAL;
+    }
+
+    rc = apr_dbd_num_tuples(driver, res);
+    switch (rc) {
+    case -1:
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s_main,
+                     "Unexpected asynchronous result reading %s",
+                     log_config_fname);
+        apr_dbd_close(driver, handle);
+        return APR_EINVAL;
+    case 0:
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s_main,
+                     "Log configuration in %s is empty",
+                     log_config_fname);
+        apr_dbd_close(driver, handle);
+        return APR_SUCCESS;
+    default:
+        /* quiet some lints */
+        break;
+    }
+        
+    for (rv = apr_dbd_get_row(driver, p, res, &row, -1);
+         rv == APR_SUCCESS;
+         rv = apr_dbd_get_row(driver, p, res, &row, -1)) {
+        int cur = 0;
+        const char *id = apr_dbd_get_entry(driver, row, cur++);
+        const char *log_id = apr_dbd_get_entry(driver, row, cur++);
+        const char *public_key = apr_dbd_get_entry(driver, row, cur++);
+        const char *distrusted = apr_dbd_get_entry(driver, row, cur++);
+        const char *min_timestamp = apr_dbd_get_entry(driver, row, cur++);
+        const char *max_timestamp = apr_dbd_get_entry(driver, row, cur++);
+        const char *url = apr_dbd_get_entry(driver, row, cur++);
+
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s_main,
+                     "Log config: Record %s, log id %s, public key file %s, distrusted %s, URL %s, time %s->%s",
+                     id,
+                     log_id ? log_id : "(unset)",
+                     public_key ? public_key : "(unset)",
+                     distrusted ? distrusted : "(unset, defaults to trusted)",
+                     url ? url : "(unset)",
+                     min_timestamp ? min_timestamp : "-INF",
+                     max_timestamp ? max_timestamp : "+INF");
+
+        rv = save_log_config_entry(log_config, p, log_id,
+                                   public_key, distrusted, 
+                                   min_timestamp, max_timestamp, url);
+        if (rv != APR_SUCCESS) {
+            apr_dbd_close(driver, handle);
+            return rv;
+        }
+    }
+
+    apr_dbd_close(driver, handle);
+
+    return APR_SUCCESS;
+}
+
+int log_valid_for_received_sct(const ct_log_config *l, apr_time_t to_check)
+{
+    if (l->distrusted == DISTRUSTED) {
+        return 0;
+    }
+
+    if (l->max_valid_time && l->max_valid_time < to_check) {
+        return 0;
+    }
+
+    if (l->min_valid_time && l->min_valid_time < to_check) {
+        return 0;
+    }
+
+    return 1;
+}
+
+int log_valid_for_sent_sct(const ct_log_config *l)
+{
+    /* The log could return us an SCT with an older timestamp which
+     * is within the trusted time interval for the log, but for
+     * simplicity let's just assume that if the log isn't still
+     * within a trusted interval we won't send SCTs from the log.
+     */
+    return log_valid_for_received_sct(l, apr_time_now());
+}

Propchange: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c
------------------------------------------------------------------------------
    eol-style:native = mod_ssl_ct.c

Added: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h (added)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h Mon Apr 21 21:14:21 2014
@@ -0,0 +1,57 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SSL_CT_LOG_CONFIG_H
+#define SSL_CT_LOG_CONFIG_H
+
+#include "httpd.h"
+#include "mod_ssl_openssl.h" /* cheap way to get OpenSSL headers */
+
+typedef struct ct_log_config {
+    const char *log_id; /* binary form */
+    const char *public_key_pem;
+    EVP_PKEY *public_key;
+#define DISTRUSTED_UNSET -1
+#define TRUSTED           0
+#define DISTRUSTED        1
+    int distrusted;
+    apr_time_t min_valid_time, max_valid_time;
+    const char *url;
+    const char *uri_str;
+    apr_uri_t uri;
+} ct_log_config;
+
+int log_config_readable(apr_pool_t *p, const char *logconfig,
+                        const char **msg);
+
+apr_status_t read_config_db(apr_pool_t *p, server_rec *s_main,
+                            const char *log_config_fname,
+                            apr_array_header_t *log_config);
+
+apr_status_t save_log_config_entry(apr_array_header_t *log_config,
+                                   apr_pool_t *p,
+                                   const char *log_id,
+                                   const char *pubkey_fname,
+                                   const char *distrusted,
+                                   const char *min_time,
+                                   const char *max_time,
+                                   const char *url);
+
+int log_valid_for_sent_sct(const ct_log_config *l);
+
+int log_valid_for_received_sct(const ct_log_config *l, apr_time_t to_check);
+
+#endif /* SSL_CT_LOG_CONFIG_H */

Propchange: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h
------------------------------------------------------------------------------
    eol-style:native = mod_ssl_ct.c

Added: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (added)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Mon Apr 21 21:14:21 2014
@@ -0,0 +1,300 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#include "ssl_ct_sct.h"
+#include "ssl_ct_util.h"
+
+#include "http_log.h"
+
+APLOG_USE_MODULE(ssl_ct);
+
+static apr_status_t verify_signature(sct_fields_t *sctf,
+                                     EVP_PKEY *pkey)
+{
+    EVP_MD_CTX ctx;
+    int rc;
+
+    if (sctf->signed_data == NULL) {
+        return APR_EINVAL;
+    }
+
+    EVP_MD_CTX_init(&ctx);
+    ap_assert(1 == EVP_VerifyInit(&ctx, EVP_sha256()));
+    ap_assert(1 == EVP_VerifyUpdate(&ctx, sctf->signed_data,
+                                    sctf->signed_data_len));
+    rc = EVP_VerifyFinal(&ctx, sctf->sig, sctf->siglen, pkey);
+    EVP_MD_CTX_cleanup(&ctx);
+
+    return rc == 1 ? APR_SUCCESS : APR_EINVAL;
+}
+
+apr_status_t sct_verify_signature(conn_rec *c, sct_fields_t *sctf,
+                                  apr_array_header_t *log_config)
+{
+    apr_status_t rv = APR_EINVAL;
+    int i;
+    ct_log_config **config_elts;
+    int nelts = log_config->nelts;
+
+    ap_assert(sctf->signed_data != NULL);
+
+    config_elts = (ct_log_config **)log_config->elts;
+
+    for (i = 0; i < nelts; i++) {
+        EVP_PKEY *pubkey = config_elts[i]->public_key;
+        const char *logid = config_elts[i]->log_id;
+
+        if (!pubkey || !logid) {
+            continue;
+        }
+
+        if (!memcmp(logid, sctf->logid, LOG_ID_SIZE)) {
+            if (!log_valid_for_received_sct(config_elts[i], sctf->time)) {
+                ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                              "Got SCT from distrusted log, or out of trusted time interval");
+                return APR_EINVAL;
+            }
+            rv = verify_signature(sctf, pubkey);
+            if (rv != APR_SUCCESS) {
+                ap_log_cerror(APLOG_MARK, 
+                              APLOG_ERR,
+                              rv, c,
+                              "verify_signature failed");
+            }
+            else {
+                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+                              "verify_signature succeeded");
+            }
+            return rv;
+        }
+    }
+
+    return APR_NOTFOUND;
+}
+
+apr_status_t sct_parse(const char *source,
+                       server_rec *s, const unsigned char *sct,
+                       apr_size_t len, cert_chain *cc,
+                       sct_fields_t *fields)
+{
+    const unsigned char *cur;
+    apr_size_t orig_len = len;
+    apr_status_t rv;
+
+    memset(fields, 0, sizeof *fields);
+
+    if (len < 1 + LOG_ID_SIZE + 8) {
+        /* no room for header */
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "SCT size %" APR_SIZE_T_FMT " is too small",
+                     len);
+        return APR_EINVAL;
+    }
+
+    cur = sct;
+
+    fields->version = *cur;
+    cur++;
+    len -= 1;
+    memcpy(fields->logid, cur, LOG_ID_SIZE);
+    cur += LOG_ID_SIZE;
+    len -= LOG_ID_SIZE;
+    rv = ctutil_deserialize_uint64(&cur, &len, &fields->timestamp);
+    ap_assert(rv == APR_SUCCESS);
+
+    fields->time = apr_time_from_msec(fields->timestamp);
+
+    /* XXX maybe do this only if log level is such that we'll
+     *     use it later?
+     */
+    apr_rfc822_date(fields->timestr, fields->time);
+
+
+    if (len < 2) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "SCT size %" APR_SIZE_T_FMT " has no space for extension "
+                     "len", orig_len);
+        return APR_EINVAL;
+    }
+
+    rv = ctutil_deserialize_uint16(&cur, &len, &fields->extlen);
+    ap_assert(rv == APR_SUCCESS);
+
+    if (fields->extlen != 0) {
+        if (fields->extlen < len) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "SCT size %" APR_SIZE_T_FMT " has no space for "
+                         "%hu bytes of extensions",
+                         orig_len, fields->extlen);
+            return APR_EINVAL;
+        }
+
+        fields->extensions = cur;
+        cur += fields->extlen;
+        len -= fields->extlen;
+    }
+    else {
+        fields->extensions = 0;
+    }
+
+    if (len < 4) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "SCT size %" APR_SIZE_T_FMT " has no space for "
+                     "hash algorithm, signature algorithm, and signature len",
+                     orig_len);
+        return APR_EINVAL;
+    }
+
+    fields->hash_alg = *cur;
+    cur += 1;
+    len -= 1;
+    fields->sig_alg = *cur;
+    cur += 1;
+    len -= 1;
+    rv = ctutil_deserialize_uint16(&cur, &len, &fields->siglen);
+    ap_assert(rv == APR_SUCCESS);
+
+    if (fields->siglen < len) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "SCT has no space for signature");
+        return APR_EINVAL;
+    }
+
+    fields->sig = cur;
+    cur += fields->siglen;
+    len -= fields->siglen;
+
+    if (cc) {
+        /* If we have the server certificate, we can construct the
+         * data over which the signature is computed.
+         */
+
+        /* XXX Which part is signed? */
+        /* See certificate-transparency/src/proto/serializer.cc,
+         * method Serializer::SerializeV1CertSCTSignatureInput()
+         */
+
+        apr_size_t orig_len;
+        apr_size_t avail;
+        int der_length;
+        unsigned char *mem;
+        unsigned char *orig_mem;
+
+        der_length = i2d_X509(cc->leaf, NULL);
+        if (der_length < 0) {
+            rv = APR_EINVAL;
+        }
+
+        if (rv == APR_SUCCESS) {
+            orig_len = 0
+                + 1 /* version 1 */
+                + 1 /* CERTIFICATE_TIMESTAMP */
+                + 8 /* timestamp */
+                + 2 /* X509_ENTRY */
+                + 3 + der_length /* 24-bit length + X509 */
+                + 2 + fields->extlen /* 16-bit length + extensions */
+                ;
+            avail = orig_len;
+            mem = malloc(avail);
+            orig_mem = mem;
+            
+            rv = ctutil_serialize_uint8(&mem, &avail, 0); /* version 1 */
+            if (rv == APR_SUCCESS) {
+                rv = ctutil_serialize_uint8(&mem, &avail, 0); /* CERTIFICATE_TIMESTAMP */
+            }
+            if (rv == APR_SUCCESS) {
+                rv = ctutil_serialize_uint64(&mem, &avail, fields->timestamp);
+            }
+            if (rv == APR_SUCCESS) {
+                rv = ctutil_serialize_uint16(&mem, &avail, 0); /* X509_ENTRY */
+            }
+            if (rv == APR_SUCCESS) {
+                /* Get DER encoding of leaf certificate */
+                unsigned char *der_buf
+                    /* get OpenSSL to allocate: */
+                    = NULL;
+
+                der_length = i2d_X509(cc->leaf, &der_buf);
+                if (der_length < 0) {
+                    rv = APR_EINVAL;
+                }
+                else {
+                    rv = ctutil_write_var24_bytes(&mem, &avail,
+                                                  der_buf, der_length);
+                    OPENSSL_free(der_buf);
+                }
+            }
+            if (rv == APR_SUCCESS) {
+                rv = ctutil_write_var16_bytes(&mem, &avail, fields->extensions,
+                                              fields->extlen);
+            }
+        }
+
+        if (rv != APR_SUCCESS) {
+            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                         "Failed to reconstruct signed data for SCT");
+            free(orig_mem);
+        }
+        else {
+            if (avail != 0) {
+                ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
+                             "length miscalculation for signed data (%" APR_SIZE_T_FMT
+                             " vs. %" APR_SIZE_T_FMT ")",
+                             orig_len, avail);
+            }
+            fields->signed_data_len = orig_len - avail;
+            fields->signed_data = orig_mem;
+            /* Force invalid signature error: orig_mem[0] = orig_mem[0] + 1; */
+        }
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "SCT from %s: version %d timestamp %s hash alg %d sig alg %d",
+                 source, fields->version, fields->timestr,
+                 fields->hash_alg, fields->sig_alg);
+#if AP_MODULE_MAGIC_AT_LEAST(20130702,2)
+    ap_log_data(APLOG_MARK, APLOG_DEBUG, s, "Log Id",
+                fields->logid, sizeof(fields->logid),
+                AP_LOG_DATA_SHOW_OFFSET);
+    ap_log_data(APLOG_MARK, APLOG_DEBUG, s, "Signature",
+                fields->sig, fields->siglen,
+                AP_LOG_DATA_SHOW_OFFSET);
+#endif /* httpd has ap_log_*data() */
+
+    ap_assert(!(fields->signed_data && rv != APR_SUCCESS));
+
+    return rv;
+}
+
+void sct_release(sct_fields_t *sctf)
+{
+    if (sctf->signed_data) {
+        free((void *)sctf->signed_data);
+        sctf->signed_data = NULL;
+    }
+}
+
+apr_status_t sct_verify_timestamp(conn_rec *c, sct_fields_t *sctf)
+{
+    if (sctf->time > apr_time_now()) {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                      "Server sent SCT not yet valid (timestamp %s)",
+                      sctf->timestr);
+        return APR_EINVAL;
+    }
+    return APR_SUCCESS;
+}

Propchange: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
------------------------------------------------------------------------------
    eol-style:native = mod_ssl_ct.c

Added: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.h?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.h (added)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.h Mon Apr 21 21:14:21 2014
@@ -0,0 +1,64 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SSL_CT_SCT_H
+#define SSL_CT_SCT_H
+
+#include "apr_pools.h"
+#include "apr_tables.h"
+
+#include "httpd.h"
+#include "mod_ssl.h"
+
+#include "ssl_ct_log_config.h"
+
+#define LOG_ID_SIZE 32
+
+typedef struct cert_chain {
+    apr_pool_t *p;
+    apr_array_header_t *cert_arr; /* array of X509 * */
+    X509 *leaf;
+} cert_chain;
+
+typedef struct {
+    unsigned char version;
+    unsigned char logid[LOG_ID_SIZE];
+    apr_uint64_t timestamp;
+    apr_time_t time;
+    char timestr[APR_RFC822_DATE_LEN];
+    const unsigned char *extensions;
+    apr_uint16_t extlen;
+    unsigned char hash_alg;
+    unsigned char sig_alg;
+    apr_uint16_t siglen;
+    const unsigned char *sig;
+    const unsigned char *signed_data;
+    apr_size_t signed_data_len;
+} sct_fields_t;
+
+apr_status_t sct_parse(const char *source,
+                       server_rec *s, const unsigned char *sct,
+                       apr_size_t len, cert_chain *cc,
+                       sct_fields_t *fields);
+
+void sct_release(sct_fields_t *sctf);
+
+apr_status_t sct_verify_signature(conn_rec *c, sct_fields_t *sctf,
+                                  apr_array_header_t *log_config);
+
+apr_status_t sct_verify_timestamp(conn_rec *c, sct_fields_t *sctf);
+
+#endif /* SSL_CT_SCT_H */

Propchange: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.h
------------------------------------------------------------------------------
    eol-style:native = mod_ssl_ct.c

Added: httpd/httpd/trunk/modules/ssl/ssl_ct_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_util.c?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_util.c (added)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_util.c Mon Apr 21 21:14:21 2014
@@ -0,0 +1,781 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "apr_fnmatch.h"
+#include "apr_lib.h"
+#include "apr_strings.h"
+
+#include "httpd.h"
+#include "http_log.h"
+
+#include "ssl_ct_util.h"
+
+APLOG_USE_MODULE(ssl_ct);
+
+apr_status_t ctutil_path_join(char **out, const char *dirname, const char *basename,
+                              apr_pool_t *p, server_rec *s)
+{
+    apr_status_t rv;
+
+    rv = apr_filepath_merge(out, dirname, basename, 0, p);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "can't build filename from %s and %s",
+                     dirname, basename);
+    }
+
+    return rv;
+}
+
+int ctutil_dir_exists(apr_pool_t *p, const char *dirname)
+{
+    apr_finfo_t finfo;
+    apr_status_t rv = apr_stat(&finfo, dirname, APR_FINFO_TYPE, p);
+
+    return rv == APR_SUCCESS && finfo.filetype == APR_DIR;
+}
+
+int ctutil_file_exists(apr_pool_t *p, const char *filename)
+{
+    apr_finfo_t finfo;
+    apr_status_t rv = apr_stat(&finfo, filename, APR_FINFO_TYPE, p);
+
+    return rv == APR_SUCCESS && finfo.filetype == APR_REG;
+}
+
+void ctutil_buffer_to_array(apr_pool_t *p, const char *b,
+                            apr_size_t b_size, apr_array_header_t **out)
+{
+    apr_array_header_t *arr = apr_array_make(p, 10, sizeof(char *));
+    const char *ch, *last;
+
+    ch = b;
+    last = b + b_size - 1;
+    while (ch < last) {
+        const char *end = memchr(ch, '\n', last - ch);
+        const char *line;
+
+        if (!end) {
+            end = last + 1;
+        }
+        while (apr_isspace(*ch) && ch < end) {
+            ch++;
+        }
+        if (ch < end) {
+            const char *tmpend = end - 1;
+
+            while (tmpend > ch
+                   && isspace(*tmpend)) {
+                --tmpend;
+            }
+            
+            line = apr_pstrndup(p, ch, 1 + tmpend - ch);
+            *(const char **)apr_array_push(arr) = line;
+        }
+        ch = end + 1;
+    }
+
+    *out = arr;
+}
+
+int ctutil_in_array(const char *needle, const apr_array_header_t *haystack)
+{
+    const char * const *elts;
+    int i;
+
+    elts = (const char * const *)haystack->elts;
+    for (i = 0; i < haystack->nelts; i++) {
+        if (!strcmp(needle, elts[i])) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+apr_status_t ctutil_fopen(const char *fn, const char *mode, FILE **f)
+{
+    apr_status_t rv;
+
+    *f = fopen(fn, mode);
+    if (*f == NULL) {
+        rv = errno; /* XXX Windows equivalent -- CreateFile + fdopen? */
+    }
+    else {
+        rv = APR_SUCCESS;
+    }
+
+    return rv;
+}
+
+/* read_dir() is remarkably like apr_match_glob(), which could
+ * probably use some processing flags to indicate variations on
+ * the basic behavior (and implement better error checking).
+ */
+apr_status_t ctutil_read_dir(apr_pool_t *p,
+                             server_rec *s,
+                             const char *dirname,
+                             const char *pattern,
+                             apr_array_header_t **outarr)
+{
+    apr_array_header_t *arr;
+    apr_dir_t *d;
+    apr_finfo_t finfo;
+    apr_status_t rv;
+    int reported = 0;
+
+    /* add to existing array if it already exists */
+    arr = *outarr;
+    if (arr == NULL) {
+        arr = apr_array_make(p, 4, sizeof(char *));
+    }
+
+    rv = apr_dir_open(&d, dirname, p);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "couldn't read dir %s",
+                     dirname);
+        return rv;
+    }
+
+    while ((rv = apr_dir_read(&finfo, APR_FINFO_NAME, d)) == APR_SUCCESS) {
+        const char *fn;
+
+        if (APR_SUCCESS == apr_fnmatch(pattern, finfo.name, APR_FNM_CASE_BLIND)) {
+            rv = ctutil_path_join((char **)&fn, dirname, finfo.name, p, s);
+            if (rv != APR_SUCCESS) {
+                reported = 1;
+                break;
+            }
+
+            *(char **)apr_array_push(arr) = apr_pstrdup(p, fn);
+        }
+    }
+
+    if (APR_STATUS_IS_ENOENT(rv)) {
+        rv = APR_SUCCESS;
+    }
+    else if (rv != APR_SUCCESS && !reported) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "couldn't read entry from dir %s", dirname);
+    }
+
+    apr_dir_close(d);
+
+    if (rv == APR_SUCCESS) {
+        *outarr = arr;
+    }
+
+    return rv;
+}
+
+apr_status_t ctutil_read_file(apr_pool_t *p,
+                              server_rec *s,
+                              const char *fn,
+                              apr_off_t limit,
+                              char **contents,
+                              apr_size_t *contents_size)
+{
+    apr_file_t *f;
+    apr_finfo_t finfo;
+    apr_status_t rv;
+    apr_size_t nbytes;
+
+    *contents = NULL;
+    *contents_size = 0;
+
+    rv = apr_file_open(&f, fn, APR_READ | APR_BINARY, APR_FPROT_OS_DEFAULT, p);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "couldn't read %s", fn);
+        return rv;
+    }
+    
+    rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, f);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "couldn't retrieve size of %s", fn);
+        apr_file_close(f);
+        return rv;
+    }
+
+    if (finfo.size > limit) {
+        rv = APR_ENOSPC;
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "size %" APR_OFF_T_FMT " of %s exceeds limit (%"
+                     APR_SIZE_T_FMT ")", finfo.size, fn, limit);
+        apr_file_close(f);
+        return rv;
+    }
+
+    nbytes = (apr_size_t)finfo.size;
+    *contents = apr_palloc(p, nbytes);
+    rv = apr_file_read_full(f, *contents, nbytes, contents_size);
+    if (rv != APR_SUCCESS) { /* shouldn't get APR_EOF since we know
+                              * how big the file is
+                              */
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                         "apr_file_read_full");
+    }
+    apr_file_close(f);
+
+    return rv;
+}
+
+#if APR_FILES_AS_SOCKETS
+static void io_loop(apr_pool_t *p, server_rec *s, apr_proc_t *proc,
+                    const char *desc_for_log)
+{
+    apr_status_t rv;
+    apr_pollfd_t pfd = {0};
+    apr_pollset_t *pollset;
+    int fds_waiting;
+
+    rv = apr_pollset_create(&pollset, 2, p, 0);
+    ap_assert(rv == APR_SUCCESS);
+
+    fds_waiting = 0;
+
+    pfd.p = p;
+    pfd.desc_type = APR_POLL_FILE;
+    pfd.reqevents = APR_POLLIN;
+    pfd.desc.f = proc->err;
+    rv = apr_pollset_add(pollset, &pfd);
+    ap_assert(rv == APR_SUCCESS);
+    ++fds_waiting;
+
+    pfd.desc.f = proc->out;
+    rv = apr_pollset_add(pollset, &pfd);
+    ap_assert(rv == APR_SUCCESS);
+    ++fds_waiting;
+
+    while (fds_waiting) {
+        int i, num_events;
+        const apr_pollfd_t *pdesc;
+        char buf[4096];
+        apr_size_t len;
+
+        rv = apr_pollset_poll(pollset, apr_time_from_sec(10),
+                              &num_events, &pdesc);
+        if (rv != APR_SUCCESS && !APR_STATUS_IS_EINTR(rv)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                         "apr_pollset_poll");
+            break;
+        }
+
+        for (i = 0; i < num_events; i++) {
+            len = sizeof buf;
+            rv = apr_file_read(pdesc[i].desc.f, buf, &len);
+            if (APR_STATUS_IS_EOF(rv)) {
+                apr_file_close(pdesc[i].desc.f);
+                apr_pollset_remove(pollset, &pdesc[i]);
+                --fds_waiting;
+            }
+            else if (rv != APR_SUCCESS) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                             "apr_file_read");
+            }
+            else {
+                ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, s,
+                             "%s: %.*s", desc_for_log, (int)len, buf);
+            }
+        }
+    }
+}
+#else /* APR_FILES_AS_SOCKETS */
+static void io_loop(apr_pool_t *p, server_rec *s, apr_proc_t *proc,
+                    const char *desc_for_log)
+{
+    apr_status_t rv;
+    apr_file_t *fds[2] = {proc->out, proc->err};
+    apr_size_t len;
+    char buf[4096];
+    int fds_waiting = 2;
+
+    while (fds_waiting) {
+        int i;
+        int read = 0;
+
+        for (i = 0; i < sizeof fds / sizeof fds[0]; i++) {
+            if (!fds[i]) {
+                continue;
+            }
+            len = sizeof buf;
+            rv = apr_file_read(fds[i], buf, &len);
+            if (APR_STATUS_IS_EOF(rv)) {
+                apr_file_close(fds[i]);
+                fds[i] = NULL;
+                --fds_waiting;
+            }
+            else if (APR_STATUS_IS_EAGAIN(rv)) {
+                /* we don't actually know if data is ready before reading, so
+                 * this isn't an error
+                 */
+            }
+            else if (rv != APR_SUCCESS) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                             "apr_file_read");
+            }
+            else {
+                ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, s,
+                             "%s: %.*s", desc_for_log, (int)len, buf);
+                ++read;
+            }
+        }
+        if (fds_waiting && !read) {
+            /* no tight loop */
+            apr_sleep(apr_time_from_msec(100));
+        }
+    }
+}
+#endif /* APR_FILES_AS_SOCKETS */
+
+apr_status_t ctutil_run_to_log(apr_pool_t *p,
+                               server_rec *s,
+                               const char *args[8],
+                               const char *desc_for_log)
+{
+    apr_exit_why_e exitwhy;
+    apr_proc_t proc = {0};
+    apr_procattr_t *attr;
+    apr_status_t rv;
+    int exitcode;
+
+    rv = apr_procattr_create(&attr, p);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "apr_procattr_create failed");
+        return rv;
+    }
+
+    rv = apr_procattr_io_set(attr,
+                             APR_NO_PIPE,
+                             APR_CHILD_BLOCK,
+                             APR_CHILD_BLOCK);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "apr_procattr_io_set failed");
+        return rv;
+    }
+
+    rv = apr_proc_create(&proc, args[0], args, NULL, attr, p);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "apr_proc_create failed");
+        return rv;
+    }
+
+    io_loop(p, s, &proc, desc_for_log);
+
+    rv = apr_proc_wait(&proc, &exitcode, &exitwhy, APR_WAIT);
+    rv = rv == APR_CHILD_DONE ? APR_SUCCESS : rv;
+
+    ap_log_error(APLOG_MARK,
+                 rv != APR_SUCCESS || exitcode ? APLOG_ERR : APLOG_DEBUG,
+                 rv, s,
+                 "exit code from %s: %d (%s)", 
+                 desc_for_log, exitcode,
+                 exitwhy == APR_PROC_EXIT ? "exited normally" : "exited due to a signal");
+
+    if (rv == APR_SUCCESS && exitcode) {
+        rv = APR_EGENERAL;
+    }
+
+    return rv;
+}
+
+void ctutil_thread_mutex_lock(apr_thread_mutex_t *m)
+{
+    apr_status_t rv = apr_thread_mutex_lock(m);
+    ap_assert(rv == APR_SUCCESS);
+}
+
+void ctutil_thread_mutex_unlock(apr_thread_mutex_t *m)
+{
+    apr_status_t rv = apr_thread_mutex_unlock(m);
+    ap_assert(rv == APR_SUCCESS);
+}
+
+apr_status_t ctutil_file_write_uint16(server_rec *s,
+                                      apr_file_t *f,
+                                      apr_uint16_t in_val)
+{
+    apr_size_t nbytes;
+    apr_status_t rv;
+    char vals[2];
+
+    vals[0] = (in_val & 0xFF00) >> 8;
+    vals[1] = (in_val & 0x00FF);
+    nbytes = sizeof(vals);
+    rv = apr_file_write(f, vals, &nbytes);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "can't write 2-byte length to file");
+    }
+    return rv;
+}
+
+apr_status_t ctutil_file_write_uint24(server_rec *s,
+                                      apr_file_t *f,
+                                      apr_uint32_t in_val)
+{
+    apr_size_t nbytes;
+    apr_status_t rv;
+    char vals[3];
+
+    vals[0] = (in_val & 0xFF0000) >> 16;
+    vals[1] = (in_val & 0x00FF00) >> 8;
+    vals[2] = (in_val & 0x0000FF) >> 0;
+    nbytes = sizeof(vals);
+    rv = apr_file_write(f, vals, &nbytes);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "can't write 3-byte length to file");
+    }
+    return rv;
+}
+
+void ctutil_log_array(const char *file, int line, int module_index,
+                      int level, server_rec *s, const char *desc,
+                      apr_array_header_t *arr)
+{
+    const char **elts = (const char **)arr->elts;
+    int i;
+
+    ap_log_error(file, line, module_index, level,
+                 0, s, "%s", desc);
+    for (i = 0; i < arr->nelts; i++) {
+        ap_log_error(file, line, module_index, level,
+                     0, s, ">>%s", elts[i]);
+    }
+}
+
+static apr_status_t deserialize_uint(const unsigned char **mem,
+                                     apr_size_t *avail,
+                                     apr_byte_t num_bits, apr_uint64_t *pval)
+{
+    apr_byte_t num_bytes = num_bits / 8;
+    apr_uint64_t val = 0;
+    int i;
+
+    if (*avail < num_bytes || num_bits > 64) {
+        return APR_EINVAL;
+    }
+
+    for (i = 0; i < num_bytes; i++) {
+        val = (val << 8) | **mem;
+        *mem += 1;
+        *avail -= 1;
+    }
+
+    *pval = val;
+    return APR_SUCCESS;
+}
+
+apr_status_t ctutil_deserialize_uint64(const unsigned char **mem,
+                                       apr_size_t *avail,
+                                       apr_uint64_t *pval)
+{
+    return deserialize_uint(mem, avail, 64, pval);
+}
+
+apr_status_t ctutil_deserialize_uint16(const unsigned char **mem,
+                                       apr_size_t *avail,
+                                       apr_uint16_t *pval)
+{
+    apr_status_t rv;
+    apr_uint64_t val64;
+
+    rv = deserialize_uint(mem, avail, 16, &val64);
+    *pval = (apr_uint16_t)val64;
+    return rv;
+}
+
+static apr_status_t serialize_uint(unsigned char **mem, apr_size_t *avail,
+                                   apr_byte_t num_bits, apr_uint64_t val)
+{
+    apr_byte_t num_bytes = num_bits / 8;
+    int i;
+    apr_uint64_t mask;
+    apr_byte_t shift;
+
+    if (*avail < num_bytes || num_bits > 64) {
+        return APR_EINVAL;
+    }
+
+    mask = (apr_uint64_t)0xFF << (num_bits - 8);
+    shift = num_bits - 8;
+    for (i = 0; i < num_bytes; i++) {
+        **mem = (unsigned char)((val & mask) >> shift);
+        *mem += 1;
+        *avail -= 1;
+        mask = mask >> 8;
+        shift -= 8;
+    }
+
+    return APR_SUCCESS;
+}
+
+apr_status_t ctutil_serialize_uint64(unsigned char **mem, apr_size_t *avail,
+                                     apr_uint64_t val)
+{
+    return serialize_uint(mem, avail, 64, val);
+}
+
+apr_status_t ctutil_serialize_uint24(unsigned char **mem, apr_size_t *avail,
+                                     apr_uint32_t val)
+{
+    return serialize_uint(mem, avail, 24, val);
+}
+
+apr_status_t ctutil_serialize_uint16(unsigned char **mem, apr_size_t *avail,
+                                     apr_uint16_t val)
+{
+    return serialize_uint(mem, avail, 16, val);
+}
+
+apr_status_t ctutil_serialize_uint8(unsigned char **mem, apr_size_t *avail,
+                                    unsigned char val)
+{
+    return serialize_uint(mem, avail, 8, val);
+}
+
+apr_status_t ctutil_write_var16_bytes(unsigned char **mem, apr_size_t *avail,
+                                      const unsigned char *val,
+                                      apr_uint16_t len)
+{
+    apr_status_t rv;
+
+    if (*avail < (sizeof(apr_uint16_t) + len)) {
+        return APR_EINVAL;
+    }
+
+    rv = ctutil_serialize_uint16(mem, avail, len);
+    if (rv != APR_SUCCESS) { /* should not occur */
+        return rv;
+    }
+
+    memcpy(*mem, val, len);
+    *mem += len;
+    *avail -= len;
+    return APR_SUCCESS;
+}
+
+apr_status_t ctutil_write_var24_bytes(unsigned char **mem, apr_size_t *avail,
+                                      const unsigned char *val,
+                                      apr_uint32_t len)
+{
+    apr_status_t rv;
+
+    if (*avail < (3 + len)) {
+        return APR_EINVAL;
+    }
+
+    rv = ctutil_serialize_uint24(mem, avail, len);
+    if (rv != APR_SUCCESS) { /* should not occur */
+        return rv;
+    }
+
+    memcpy(*mem, val, len);
+    *mem += len;
+    *avail -= len;
+    return APR_SUCCESS;
+}
+
+/* all this deserialization crap is of course from
+ * c-t/src/proto/serializer.cc
+ */
+static apr_status_t read_length_prefix(const unsigned char **mem, apr_size_t *avail,
+                                       apr_size_t *result)
+{
+    apr_status_t rv;
+    apr_uint16_t val;
+
+    rv = ctutil_deserialize_uint16(mem, avail, &val);
+    if (rv == APR_SUCCESS) {
+        *result = val;
+    }
+
+    return rv;
+}
+
+static apr_status_t read_fixed_bytes(const unsigned char **mem, apr_size_t *avail,
+                                     apr_size_t len,
+                                     const unsigned char **start)
+{
+    if (*avail < len) {
+        return APR_EINVAL;
+    }
+
+    *start = *mem;
+    *avail -= len;
+    *mem += len;
+
+    return APR_SUCCESS;
+}
+
+apr_status_t ctutil_read_var_bytes(const unsigned char **mem, apr_size_t *avail,
+                                   const unsigned char **start, apr_size_t *len)
+{
+    apr_status_t rv;
+
+    rv = read_length_prefix(mem, avail, len);
+    if (rv != APR_SUCCESS) {
+        return rv;
+    }
+
+    rv = read_fixed_bytes(mem, avail, *len, start);
+    return rv;
+}
+
+#define TESTURL1 "http://127.0.0.1:8888"
+#define TESTURL2 "http://127.0.0.1:9999"
+#define TESTURL3 "http://127.0.0.1:10000"
+
+void ctutil_run_internal_tests(apr_pool_t *p)
+{
+    apr_array_header_t *arr;
+    const char *filecontents =
+      " " TESTURL1 " \r\n" TESTURL2 "\n"
+      TESTURL3 /* no "\n" */ ;
+    unsigned char buf[8], *ch;
+    const unsigned char *const_ch;
+    apr_size_t avail;
+    apr_status_t rv;
+    apr_uint16_t val16;
+    apr_uint64_t val64;
+
+    ctutil_buffer_to_array(p, filecontents, strlen(filecontents), &arr);
+    
+    ap_assert(ctutil_in_array(TESTURL1, arr));
+    ap_assert(ctutil_in_array(TESTURL2, arr));
+    ap_assert(ctutil_in_array(TESTURL3, arr));
+    ap_assert(!ctutil_in_array(TESTURL1 "x", arr));
+
+    ch = buf;
+    avail = 8;
+    rv = ctutil_serialize_uint64(&ch, &avail, 0xDEADBEEFCAFEBABE);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 0);
+    ap_assert(ch == buf + 8);
+    ap_assert(buf[0] == 0xDE);
+    ap_assert(buf[1] == 0xAD);
+    ap_assert(buf[2] == 0xBE);
+    ap_assert(buf[3] == 0xEF);
+    ap_assert(buf[4] == 0xCA);
+    ap_assert(buf[5] == 0xFE);
+    ap_assert(buf[6] == 0xBA);
+    ap_assert(buf[7] == 0xBE);
+
+    const_ch = buf;
+    avail = 8;
+    rv = ctutil_deserialize_uint64(&const_ch, &avail, &val64);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 0);
+    ap_assert(const_ch == buf + 8);
+    ap_assert(val64 == 0xDEADBEEFCAFEBABE);
+
+    ch = buf;
+    avail = 7;
+    ap_assert(ctutil_serialize_uint64(&ch, &avail, 0xDEADBEEFCAFEBABE)
+              == APR_EINVAL);
+
+    ch = buf;
+    avail = 3;
+    rv = ctutil_serialize_uint24(&ch, &avail, 0xDEADBE);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 0);
+    ap_assert(ch == buf + 3);
+    ap_assert(buf[0] == 0xDE);
+    ap_assert(buf[1] == 0xAD);
+    ap_assert(buf[2] == 0xBE);
+
+    ch = buf;
+    avail = 1;
+    ap_assert(ctutil_serialize_uint16(&ch, &avail, 0xDEAD)
+              == APR_EINVAL);
+
+    ch = buf;
+    avail = 2;
+    rv = ctutil_serialize_uint16(&ch, &avail, 0xDEAD);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 0);
+    ap_assert(ch == buf + 2);
+    ap_assert(buf[0] == 0xDE);
+    ap_assert(buf[1] == 0xAD);
+
+    const_ch = buf;
+    avail = 2;
+    rv = ctutil_deserialize_uint16(&const_ch, &avail, &val16);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 0);
+    ap_assert(val16 == 0xDEAD);
+
+    ch = buf;
+    avail = 1;
+    ap_assert(ctutil_serialize_uint16(&ch, &avail, 0xDEAD)
+              == APR_EINVAL);
+
+    ch = buf;
+    avail = 1;
+    rv = ctutil_serialize_uint8(&ch, &avail, 0xDE);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 0);
+    ap_assert(ch == buf + 1);
+    ap_assert(buf[0] == 0xDE);
+
+    ch = buf;
+    avail = 0;
+    ap_assert(ctutil_serialize_uint8(&ch, &avail, 0xDE)
+              == APR_EINVAL);
+
+    ch = buf;
+    avail = 8;
+    rv = ctutil_write_var16_bytes(&ch, &avail, 
+                                  (unsigned char *)"\x01""\x02""\x03""\x04", 4);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 2);
+    ap_assert(ch == buf + 6);
+    ap_assert(buf[0] == 0);
+    ap_assert(buf[1] == 4);
+    ap_assert(buf[2] == 0x01);
+    ap_assert(buf[3] == 0x02);
+    ap_assert(buf[4] == 0x03);
+    ap_assert(buf[5] == 0x04);
+
+    ch = buf;
+    avail = 3;
+    rv = ctutil_write_var16_bytes(&ch, &avail, 
+                                  (unsigned char *)"\x01""\x02""\x03""\x04", 4);
+    ap_assert(rv == APR_EINVAL);
+
+    ch = buf;
+    avail = 8;
+    rv = ctutil_write_var24_bytes(&ch, &avail, 
+                                  (unsigned char *)"\x01""\x02""\x03""\x04", 4);
+    ap_assert(rv == APR_SUCCESS);
+    ap_assert(avail == 1);
+    ap_assert(ch == buf + 7);
+    ap_assert(buf[0] == 0);
+    ap_assert(buf[1] == 0);
+    ap_assert(buf[2] == 4);
+    ap_assert(buf[3] == 0x01);
+    ap_assert(buf[4] == 0x02);
+    ap_assert(buf[5] == 0x03);
+    ap_assert(buf[6] == 0x04);
+
+    ch = buf;
+    avail = 4;
+    rv = ctutil_write_var24_bytes(&ch, &avail, 
+                                  (unsigned char *)"\x01""\x02""\x03""\x04", 4);
+    ap_assert(rv == APR_EINVAL);
+}

Propchange: httpd/httpd/trunk/modules/ssl/ssl_ct_util.c
------------------------------------------------------------------------------
    eol-style:native = mod_ssl_ct.c

Added: httpd/httpd/trunk/modules/ssl/ssl_ct_util.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_util.h?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_util.h (added)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_util.h Mon Apr 21 21:14:21 2014
@@ -0,0 +1,102 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SSL_CT_UTIL_H
+#define SSL_CT_UTIL_H
+
+#include "httpd.h"
+
+apr_status_t ctutil_path_join(char **out, const char *dirname, const char *basename,
+                              apr_pool_t *p, server_rec *s);
+
+int ctutil_dir_exists(apr_pool_t *p, const char *dirname);
+
+int ctutil_file_exists(apr_pool_t *p, const char *filename);
+
+void ctutil_buffer_to_array(apr_pool_t *p, const char *b,
+                            apr_size_t b_size, apr_array_header_t **out);
+
+int ctutil_in_array(const char *needle, const apr_array_header_t *haystack);
+
+apr_status_t ctutil_fopen(const char *fn, const char *mode, FILE **f);
+
+apr_status_t ctutil_read_dir(apr_pool_t *p,
+                             server_rec *s,
+                             const char *dirname,
+                             const char *pattern,
+                             apr_array_header_t **outarr);
+
+apr_status_t ctutil_read_file(apr_pool_t *p,
+                              server_rec *s,
+                              const char *fn,
+                              apr_off_t limit,
+                              char **contents,
+                              apr_size_t *contents_size);
+
+apr_status_t ctutil_run_to_log(apr_pool_t *p,
+                               server_rec *s,
+                               const char *args[8],
+                               const char *desc_for_log);
+
+void ctutil_thread_mutex_lock(apr_thread_mutex_t *m);
+void ctutil_thread_mutex_unlock(apr_thread_mutex_t *m);
+
+apr_status_t ctutil_file_write_uint16(server_rec *s,
+                                      apr_file_t *f,
+                                      apr_uint16_t val);
+
+apr_status_t ctutil_file_write_uint24(server_rec *s,
+                                      apr_file_t *f,
+                                      apr_uint32_t val);
+
+void ctutil_log_array(const char *file, int line, int module_index,
+                      int level, server_rec *s, const char *desc,
+                      apr_array_header_t *arr);
+
+apr_status_t ctutil_read_var_bytes(const unsigned char **mem,
+                                   apr_size_t *avail,
+                                   const unsigned char **start,
+                                   apr_size_t *len);
+
+apr_status_t ctutil_deserialize_uint64(const unsigned char **mem,
+                                       apr_size_t *avail, apr_uint64_t *pval);
+apr_status_t ctutil_deserialize_uint16(const unsigned char **mem,
+                                       apr_size_t *avail,
+                                       apr_uint16_t *pval);
+
+apr_status_t ctutil_serialize_uint64(unsigned char **mem, apr_size_t *avail,
+                                     apr_uint64_t val);
+
+apr_status_t ctutil_serialize_uint24(unsigned char **mem, apr_size_t *avail,
+                                     apr_uint32_t val);
+
+apr_status_t ctutil_serialize_uint16(unsigned char **mem, apr_size_t *avail,
+                                     apr_uint16_t val);
+
+apr_status_t ctutil_serialize_uint8(unsigned char **mem, apr_size_t *avail,
+                                    unsigned char val);
+
+apr_status_t ctutil_write_var16_bytes(unsigned char **mem, apr_size_t *avail,
+                                      const unsigned char *val,
+                                      apr_uint16_t len);
+
+apr_status_t ctutil_write_var24_bytes(unsigned char **mem, apr_size_t *avail,
+                                      const unsigned char *val,
+                                      apr_uint32_t len);
+
+void ctutil_run_internal_tests(apr_pool_t *p);
+
+#endif /* SSL_CT_UTIL_H */

Propchange: httpd/httpd/trunk/modules/ssl/ssl_ct_util.h
------------------------------------------------------------------------------
    eol-style:native = mod_ssl_ct.c

Modified: httpd/httpd/trunk/support/Makefile.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/Makefile.in?rev=1588987&r1=1588986&r2=1588987&view=diff
==============================================================================
--- httpd/httpd/trunk/support/Makefile.in (original)
+++ httpd/httpd/trunk/support/Makefile.in Mon Apr 21 21:14:21 2014
@@ -23,7 +23,7 @@ install:
 	        chmod 755 $(DESTDIR)$(bindir)/$$i; \
 	    fi ; \
 	done
-	@for i in apachectl; do \
+	@for i in apachectl ctlogconfig; do \
 	    if test -f "$(builddir)/$$i"; then \
 	        cp -p $$i $(DESTDIR)$(sbindir); \
 	        chmod 755 $(DESTDIR)$(sbindir)/$$i; \

Added: httpd/httpd/trunk/support/ctauditscts
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/ctauditscts?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/support/ctauditscts (added)
+++ httpd/httpd/trunk/support/ctauditscts Mon Apr 21 21:14:21 2014
@@ -0,0 +1,160 @@
+#!/usr/bin/env python
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import binascii
+import os
+import sqlite3
+import ssl
+import struct
+import sys
+import tempfile
+
+from contextlib import closing
+
+SERVER_START = 1
+KEY_START = 2
+CERT_START = 3
+SCT_START = 4
+
+
+def usage():
+    print >> sys.stderr, ('Usage: %s /path/to/audit/files ' +
+                          '[/path/to/log-config-db]') % sys.argv[0]
+    sys.exit(1)
+
+
+def audit(fn, tmp, already_checked, cur):
+    print 'Auditing %s...' % fn
+
+    # First, parse the audit file into a series of related
+    #
+    #   1. PEM file with certificate chain
+    #   2. Individual SCT files
+    #
+    # Next,  for each SCT, invoke verify_single_proof to verify.
+    log_bytes = open(fn, 'rb').read()
+    offset = 0
+    while offset < len(log_bytes):
+        print 'Got package from server...'
+        val = struct.unpack_from('>H', log_bytes, offset)
+        assert val[0] == SERVER_START
+        offset += 2
+
+        assert struct.unpack_from('>H', log_bytes, offset)[0] == KEY_START
+        offset += 2
+
+        key_size = struct.unpack_from('>H', log_bytes, offset)[0]
+        assert key_size > 0
+        offset += 2
+
+        key = log_bytes[offset:offset + key_size]
+        offset += key_size
+
+        # at least one certificate
+        assert struct.unpack_from('>H', log_bytes, offset)[0] == CERT_START
+
+        # for each certificate:
+        leaf = None
+        while struct.unpack_from('>H', log_bytes, offset)[0] == CERT_START:
+            offset += 2
+            val = struct.unpack_from('BBB', log_bytes, offset)
+            offset += 3
+            der_size = (val[0] << 16) | (val[1] << 8) | (val[2] << 0)
+            print '  Certificate size:', hex(der_size)
+            if not leaf:
+                leaf = (offset, der_size)
+            offset += der_size
+
+        pem = ssl.DER_cert_to_PEM_cert(log_bytes[leaf[0]:leaf[0] + leaf[1]])
+
+        tmp_leaf_pem = tempfile.mkstemp(text=True)
+        with closing(os.fdopen(tmp_leaf_pem[0], 'w')) as f:
+            f.write(pem)
+
+        # at least one SCT
+        assert struct.unpack_from('>H', log_bytes, offset)[0] == SCT_START
+
+        # for each SCT:
+        while offset < len(log_bytes) and \
+                struct.unpack_from('>H', log_bytes, offset)[0] == SCT_START:
+            offset += 2
+            len_offset = offset
+            sct_size = struct.unpack_from('>H', log_bytes, len_offset)[0]
+            offset += 2
+            print '  SCT size:', hex(sct_size)
+            log_id = log_bytes[offset + 1:offset + 1 + 32]
+            log_id_hex = binascii.hexlify(log_id).upper()
+            print '    Log id: %s' % log_id_hex
+            timestamp_ms = struct.unpack_from('>Q', log_bytes, offset + 33)[0]
+            print '    Timestamp: %s' % timestamp_ms
+
+            #  If we ever need the full SCT: sct = (offset, sct_size)
+            offset += sct_size
+
+            if key in already_checked:
+                print '  (SCTs already checked)'
+                continue
+
+            already_checked[key] = True
+
+            log_url_arg = ''
+            if cur:
+                stmt = 'SELECT * FROM loginfo WHERE log_id = ?'
+                cur.execute(stmt, [log_id_hex])
+                recs = list(cur.fetchall())
+                if len(recs) > 0 and recs[0][6] is not None:
+                    log_url = recs[0][6]
+
+                    # verify_single_proof doesn't accept <scheme>://
+                    if '://' in log_url:
+                        log_url = log_url.split('://')[1]
+                    log_url_arg = '--log_url %s' % log_url
+
+                    print '    Log URL: ' + log_url
+
+            cmd = 'verify_single_proof.py --cert %s --timestamp %s %s' % \
+                  (tmp_leaf_pem[1], timestamp_ms, log_url_arg)
+            print '>%s<' % cmd
+            os.system(cmd)
+
+        os.unlink(tmp_leaf_pem[1])
+
+
+def main():
+    if len(sys.argv) != 2 and len(sys.argv) != 3:
+        usage()
+
+    top = sys.argv[1]
+    tmp = '/tmp'
+
+    if len(sys.argv) == 3:
+        cxn = sqlite3.connect(sys.argv[2])
+        cur = cxn.cursor()
+    else:
+        cur = None
+
+    # could serialize this between runs to further limit duplicate checking
+    already_checked = dict()
+
+    for dirpath, dnames, fnames in os.walk(top):
+        fnames = [fn for fn in fnames if fn[-4:] == '.out']
+        for fn in fnames:
+            audit(os.path.join(dirpath, fn), tmp, already_checked, cur)
+
+
+if __name__ == "__main__":
+    main()

Propchange: httpd/httpd/trunk/support/ctauditscts
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: httpd/httpd/trunk/support/ctauditscts
------------------------------------------------------------------------------
    svn:executable = *

Added: httpd/httpd/trunk/support/ctlogconfig
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/ctlogconfig?rev=1588987&view=auto
==============================================================================
--- httpd/httpd/trunk/support/ctlogconfig (added)
+++ httpd/httpd/trunk/support/ctlogconfig Mon Apr 21 21:14:21 2014
@@ -0,0 +1,313 @@
+#!/usr/bin/env python
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import re
+import sqlite3
+import sys
+
+
+def create_tables(db_name):
+    cxn = sqlite3.connect(db_name)
+    cur = cxn.cursor()
+
+    cur.execute(
+        'CREATE TABLE loginfo('
+        + 'id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, '
+        + 'log_id TEXT, '
+        + 'public_key TEXT, '  # path to PEM-encoded file
+        + 'distrusted INTEGER, '  # non-zero if not trusted
+        + 'min_valid_timestamp INTEGER, '
+        + 'max_valid_timestamp INTEGER, '
+        + 'url TEXT)'
+    )
+    cur.close()
+    cxn.commit()
+    cxn.close()
+
+
+def record_id_arg(cur, args, required=False):
+    if len(args) < 1 or args[0][0] != '#' or len(args[0]) < 2:
+        if required:
+            print >> sys.stderr, 'A record id was not provided'
+            sys.exit(1)
+        return None
+    record_id = args.pop(0)[1:]
+    stmt = 'SELECT * FROM loginfo WHERE id = ?'
+    cur.execute(stmt, [record_id])
+    recs = list(cur.fetchall())
+    assert len(recs) < 2
+    if len(recs) == 0:
+        print >> sys.stderr, 'Record #%s was not found' % record_id
+        sys.exit(1)
+    return record_id
+
+
+def log_id_arg(cur, args, required=True):
+    if len(args) < 1 or len(args[0]) != 64:
+        if not required:
+            return None
+        print >> sys.stderr, 'A log id was not provided'
+        sys.exit(1)
+    log_id = args.pop(0).upper()
+    if len(re.compile(r'[A-Z0-9]').findall(log_id)) != len(log_id):
+        print >> sys.stderr, 'The log id is not formatted properly'
+        sys.exit(1)
+    return log_id
+
+
+def public_key_arg(args):
+    if len(args) < 1:
+        print >> sys.stderr, 'A public key file was not provided'
+        sys.exit(1)
+    pubkey = args.pop(0)
+    if not os.path.exists(pubkey):
+        print >> sys.stderr, 'Public key file %s could not be read' % pubkey
+        sys.exit(1)
+    return pubkey
+
+
+def time_arg(args):
+    if len(args) < 1:
+        print >> sys.stderr, 'A timestamp was not provided'
+        sys.exit(1)
+    t = args.pop(0)
+    if t == '-':
+        return None
+    try:
+        return int(t)
+    except ValueError:
+        print >> sys.stderr, 'The timestamp "%s" is invalid' % t
+        sys.exit(1)
+
+
+def configure_public_key(cur, args):
+    record_id = record_id_arg(cur, args, False)
+    public_key = public_key_arg(args)
+    if len(args) != 0:
+        usage()
+    if not record_id:
+        stmt = 'INSERT INTO loginfo (public_key) VALUES(?)'
+        cur.execute(stmt, [public_key])
+    else:
+        stmt = 'UPDATE loginfo SET public_key = ? WHERE id = ?'
+        cur.execute(stmt, [public_key, record_id])
+
+
+def configure_url(cur, args):
+    # can't specify more than one of record-id and log-id
+    log_id = None
+    record_id = record_id_arg(cur, args, False)
+    if not record_id:
+        log_id = log_id_arg(cur, args, False)
+    if len(args) != 1:
+        usage()
+    url = args.pop(0)
+
+    if record_id:
+        stmt = 'UPDATE loginfo SET url = ? WHERE id = ?'
+        args = [url, record_id]
+    elif log_id:
+        stmt = 'INSERT INTO loginfo (log_id, url) VALUES(?, ?)'
+        args = [log_id, url]
+    else:
+        stmt = 'INSERT INTO loginfo (url) VALUES(?)'
+        args = [url]
+
+    cur.execute(stmt, args)
+
+
+def forget_log(cur, args):
+    record_id = record_id_arg(cur, args, False)
+    log_id = None
+    if not record_id:
+        log_id = log_id_arg(cur, args, True)
+    if len(args) != 0:
+        usage()
+    if record_id:
+        stmt = 'DELETE FROM loginfo WHERE id = ?'
+        args = [record_id]
+    else:
+        stmt = 'DELETE FROM loginfo WHERE log_id = ?'
+        args = [log_id]
+    cur.execute(stmt, args)
+
+
+def trust_distrust_log(cur, args):
+    # could take a record id or a log id
+    record_id = record_id_arg(cur, args, False)
+    if record_id:
+        log_id = None
+    else:
+        log_id = log_id_arg(cur, args)
+
+    if len(args) != 1:
+        usage()
+    flag = args.pop(0)
+
+    if not record_id:
+        stmt = 'INSERT INTO loginfo (log_id, distrusted) VALUES(?, ?)'
+        cur.execute(stmt, [log_id, flag])
+    else:
+        stmt = 'UPDATE loginfo SET distrusted = ? WHERE id = ?'
+        cur.execute(stmt, [flag, record_id])
+
+
+def trust_log(cur, args):
+    trust_distrust_log(cur, args + [0])
+
+
+def distrust_log(cur, args):
+    trust_distrust_log(cur, args + [1])
+
+
+def time_range(cur, args):
+    # could take a record id or a log id
+    record_id = record_id_arg(cur, args, False)
+    if record_id:
+        log_id = None
+    else:
+        log_id = log_id_arg(cur, args)
+
+    min_valid_time = time_arg(args)
+    max_valid_time = time_arg(args)
+    if len(args) != 0:
+        usage()
+    if not record_id:
+        stmt = 'INSERT INTO loginfo ' + \
+               '(log_id, min_valid_timestamp, max_valid_timestamp) ' + \
+               'VALUES(?, ?, ?)'
+        cur.execute(stmt, [log_id, min_valid_time, max_valid_time])
+    else:
+        stmt = 'UPDATE loginfo SET min_valid_timestamp = ?, ' + \
+               'max_valid_timestamp = ? WHERE id = ?'
+        cur.execute(stmt, [min_valid_time, max_valid_time, record_id])
+
+
+class ConfigEntry:
+
+    pass
+
+
+def dump_ll(cur):
+    stmt = 'SELECT * FROM loginfo'
+    cur.execute(stmt)
+    recs = []
+    for row in cur.fetchall():
+        obj = ConfigEntry()
+        obj.id = row[0]
+        obj.log_id = row[1]
+        obj.public_key = row[2]
+        obj.distrusted = row[3]
+        obj.min_valid_timestamp = row[4]
+        obj.max_valid_timestamp = row[5]
+        obj.url = row[6]
+        recs += [obj]
+    return recs
+
+
+def dump(cur, args):
+    if len(args) != 0:
+        usage()
+    recs = dump_ll(cur)
+    for rec in recs:
+        not_conf = '(not configured)'
+
+        mint = \
+            str(rec.min_valid_timestamp) if rec.min_valid_timestamp else '-INF'
+        maxt = \
+            str(rec.max_valid_timestamp) if rec.max_valid_timestamp else '+INF'
+        print 'Log entry:'
+        print '  Record ' + str(rec.id) + \
+            (' (DISTRUSTED)' if rec.distrusted else '')
+        print '  Log id         : ' + (rec.log_id if rec.log_id else not_conf)
+        print '  Public key file: ' + \
+            (rec.public_key if rec.public_key else not_conf)
+        print '  URL            : ' + (rec.url if rec.url else not_conf)
+        print '  Time range     : ' + mint + ' to ' + maxt
+        print ''
+
+
+def usage():
+    help = """Usage: %s /path/to/log-config-db command args
+
+Commands:
+  display config-db contents:
+    dump
+  configure public key:
+    configure-public-key [log-id|record-id] /path/log-pub-key.pem
+  configure URL:
+    configure-url [log-id|record-id] http://www.example.com/path/
+  configure min and/or max valid timestamps:
+    valid-time-range log-id|record-id min-range max-range
+  mark log as trusted (default):
+    trust log-id|record-id
+  mark log as untrusted:
+    distrust log-id|record-id
+  remove log config from config-db:
+    forget log-id|record-id
+
+log-id is a 64-character hex string representation of a log id
+
+record-id references an existing entry and is in the form:
+  #<record-number>
+  (displayable with the dump command)
+""" % sys.argv[0]
+    print >> sys.stderr, help
+    sys.exit(1)
+
+
+def main(argv):
+    if len(argv) < 3:
+        usage()
+
+    db_name = argv[1]
+    cmd = argv[2]
+    args = argv[3:]
+
+    cmds = {'configure-public-key': configure_public_key,
+            'configure-url': configure_url,
+            'distrust': distrust_log,
+            'trust': trust_log,
+            'forget': forget_log,
+            'valid-time-range': time_range,
+            'dump': dump,
+            }
+
+    cmds_requiring_db = ['dump', 'forget']  # db must already exist
+
+    if not cmd in cmds:
+        usage()
+
+    if not os.path.exists(db_name):
+        if not cmd in cmds_requiring_db:
+            create_tables(db_name)
+        else:
+            print >> sys.stderr, 'Database "%s" does not exist' % db_name
+            sys.exit(1)
+
+    cxn = sqlite3.connect(db_name)
+    cur = cxn.cursor()
+
+    cmds[cmd](cur, args)
+
+    cur.close()
+    cxn.commit()
+    cxn.close()
+
+if __name__ == "__main__":
+    main(sys.argv)

Propchange: httpd/httpd/trunk/support/ctlogconfig
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: httpd/httpd/trunk/support/ctlogconfig
------------------------------------------------------------------------------
    svn:executable = *



Mime
View raw message