[Trans] Parsing existing logs entries.
Kurt Roeckx <kurt@roeckx.be> Thu, 29 May 2014 17:59 UTC
Return-Path: <kurt@roeckx.be>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22C111A01B4 for <trans@ietfa.amsl.com>; Thu, 29 May 2014 10:59:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z8hRwiH093VL for <trans@ietfa.amsl.com>; Thu, 29 May 2014 10:59:18 -0700 (PDT)
Received: from defiant.e-webshops.eu (defiant.e-webshops.eu [82.146.122.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8DBD1A01A9 for <trans@ietf.org>; Thu, 29 May 2014 10:59:17 -0700 (PDT)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by defiant.e-webshops.eu (Postfix) with ESMTP id 040111C20D6 for <trans@ietf.org>; Thu, 29 May 2014 19:59:13 +0200 (CEST)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id DA4341FE00F3; Thu, 29 May 2014 19:59:12 +0200 (CEST)
Date: Thu, 29 May 2014 19:59:12 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: trans@ietf.org
Message-ID: <20140529175912.GB15165@roeckx.be>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/2bTZ5uvLievSUpgd4ZuSc_G9X9Q
Subject: [Trans] Parsing existing logs entries.
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 May 2014 17:59:21 -0000
Hi,
I've been tryint to parse the existing log file based on the
description in RFC 6962. I'm using Google's pilot log as example.
The RFC says that GET will give you:
leaf_input: The base64-encoded MerkleTreeLeaf structure.
extra_data: The base64-encoded unsigned data pertaining to the
log entry. In the case of an X509ChainEntry, this is the
"certificate_chain". In the case of a PrecertChainEntry,
this is the whole "PrecertChainEntry".
With MerkleTreeLeaf:
struct {
Version version;
MerkleLeafType leaf_type;
select (leaf_type) {
case timestamped_entry: TimestampedEntry;
}
} MerkleTreeLeaf;
Which uses the following types:
enum { v1(0), (255) }
Version;
enum { timestamped_entry(0), (255) }
MerkleLeafType;
struct {
uint64 timestamp;
LogEntryType entry_type;
select(entry_type) {
case x509_entry: ASN.1Cert;
case precert_entry: PreCert;
} signed_entry;
CtExtensions extensions;
} TimestampedEntry;
enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
opaque ASN.1Cert<1..2^24-1>;
opaque CtExtensions<0..2^16-1>;
So after base64 decoding things, and turning it to hex, I see:
0000000 00 00 00 00 01 3d a4 07 ab d0 00 00 00 05 09 30
0000020 82 05 05 30 82 03 ed a0 03 02 01 02 02 11 00 91
So my guess of parsing it is:
MerkleTreeLeaf {
version = 00 (v1)
leaf_type = 00 (timestamped_entry)
TimestampedEntry {
timestamp = 00 00 01 3d a4 07 ab d0 (1364256598992, 2013-03-26 00:09:58.992)
entry_type = 00 00 (x509_entry)
ASN.1Cert = 00 05 09 30 82 05 05 30 [...]
And I seem to have been gotton lost somewhere. That doesn't look
like a valid X509 certificate, nor do I have any idea how long it
is.
If I had to guess "00 05 09" would be a length, and that might
work since it's limited to 2^24-1 bytes, so let's just assume
that's the case for now.
Now let's try to look at the extra_data. That is:
struct {
ASN.1Cert leaf_certificate;
ASN.1Cert certificate_chain<0..2^24-1>;
} X509ChainEntry;
And we have this hex data:
0000000 00 09 29 00 04 e9 30 82 04 e5 30 82 03 cd a0 03
0000020 02 01 02 02 10 07 6f 12 46 81 45 9c 28 d5 48 d6
So with what we learned from the previous attempt, it looks like
we need to parse it like:
certificate_chain {
length = 00 09 29 (2345)
ASN.1Cert {
length = 00 04 e9 (1257)
data = 30 82 04 e5 30 82 03 cd a0 03 [...] }
ASN.1Cert { [...]
I think the RFC needs some clarifications on how to parse things,
so that I don't have to guess.
This definition is also confusing:
extra_data: The base64-encoded unsigned data pertaining to the
log entry. In the case of an X509ChainEntry, this is the
"certificate_chain". In the case of a PrecertChainEntry,
this is the whole "PrecertChainEntry".
So the X509ChainEntry is not used, you need to directly go to it's
member certificate_chain. The LogEntry also isn't used anywhere.
Kurt
- [Trans] Parsing existing logs entries. Kurt Roeckx
- Re: [Trans] Parsing existing logs entries. Rob Stradling
- Re: [Trans] Parsing existing logs entries. Kurt Roeckx
- Re: [Trans] Parsing existing logs entries. Rob Stradling
- Re: [Trans] Parsing existing logs entries. Ben Laurie