diff --git a/note/note_rfc6962.go b/note/note_rfc6962.go
index fff621f..8a2cd85 100644
--- a/note/note_rfc6962.go
+++ b/note/note_rfc6962.go
@@ -105,7 +105,11 @@ func RFC6962STHToCheckpoint(j []byte, v note.Verifier) ([]byte, error) {
 sigBytes = append(sigBytes, sth.TreeHeadSignature...)
 sigLine := fmt.Sprintf("\u2014 %s %s", logName, base64.StdEncoding.EncodeToString(sigBytes))
- return []byte(fmt.Sprintf("%s\n%s\n", body, sigLine)), nil
+ n := []byte(fmt.Sprintf("%s\n%s\n", body, sigLine))
+ if _, err := note.Open(n, note.VerifierList(v)); err != nil {
+ return nil, err
+ }
+ return n, nil
 }
 func rfc6962Keyhash(name string, logID [32]byte) uint32 {
@@ -168,7 +172,7 @@ func verifyRFC6962(key crypto.PublicKey) func([]byte, string, []byte) bool {
 sigLen := binary.BigEndian.Uint16(sig)
 sig = sig[2:] // Slice off length bytes
- // All that rremains should be the signature bytes themselves, and nothing more.
+ // All that remains should be the signature bytes themselves, and nothing more.
 if len(sig) != int(sigLen) {
 return false
 }
diff --git a/note/note_rfc6962_test.go b/note/note_rfc6962_test.go
index 846556d..f35976a 100644
--- a/note/note_rfc6962_test.go
+++ b/note/note_rfc6962_test.go
@@ -116,7 +116,7 @@ func TestVerify(t *testing.T) {
 }
 }
-func TestRFC6962ToNote(t *testing.T) {
+func TestRFC6962STHToCheckpoint(t *testing.T) {
 for _, test := range []struct {
 name string
 sth []byte
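Review bot: The new `note.Open` check in RFC6962STHToCheckpoint (note/note_rfc6962.go) returns the verification error bare via `return nil, err`, so the message gives a caller no hint that the checkpoint was assembled but its signature did not verify under `v`. Wrapping keeps the underlying error matchable while naming the layer, e.g. `return nil, fmt.Errorf("checkpoint does not verify: %w", err)`; `fmt` is already used on the preceding lines. The function's doc comment lies outside the hunk and should state that the bytes are now returned only after they verify under `v`. The function body begins outside the hunk.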
@@ -127,6 +127,16 @@ func TestRFC6962ToNote(t *testing.T) {
 name: "works",
 sth: []byte(`{"tree_size":1267285836,"timestamp":1711642477482,"sha256_root_hash":"SHySaYoaGIV5oCMANTytRfUjfzXb7wvO9xQiGkDJlfQ=","tree_head_signature":"BAMARzBFAiAQWbsL/MbJdeR4jk8xYKWDBDGHyDcntBim9Jr1BvwPnAIhAMedQo0YuBo+ajNd9xyVOMvhOdVAeJYgOhBLQn8rca94"}`),
 verifier: "ct.googleapis.com/logs/us1/argon2024+7deb49d0+BTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB25bKnLaZTFXOa2pgO70rjcVEMXKJkMBgFQHZ1kwFlGK9zIAx0FtC2oCfeZQe0E++VXuiYE9hFSzhRlOy92K8A=",
+ }, {
+ name: "invalid JSON",
+ sth: []byte(`Bananas are cool : {"tree_size":1267285836,"timestamp":1711642477482,"sha256_root_hash":"SHySaYoaGIV5oCMANTytRfUjfzXb7wvO9xQiGkDJlfQ=","tree_head_signature":"BAMARzBFAiAQWbsL/MbJdeR4jk8xYKWDBDGHyDcntBim9Jr1BvwPnAIhAMedQo0YuBo+ajNd9xyVOMvhOdVAeJYgOhBLQn8rca94"}`),
+ verifier: "ct.googleapis.com/logs/us1/argon2024+7deb49d0+BTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB25bKnLaZTFXOa2pgO70rjcVEMXKJkMBgFQHZ1kwFlGK9zIAx0FtC2oCfeZQe0E++VXuiYE9hFSzhRlOy92K8A=",
+ wantErr: true,
+ }, {
+ name: "invalid STH",
+ sth: []byte(`{"tree_size":1267285836,"timestamp":1711642477482,"sha256_root_hash":"SHySaYoaGIV5oCMANTytRfUjfzXb7wvO9xQiGkDJlfQ=","tree_head_signature":"BananaSignature"}`),
+ verifier: "ct.googleapis.com/logs/us1/argon2024+7deb49d0+BTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB25bKnLaZTFXOa2pgO70rjcVEMXKJkMBgFQHZ1kwFlGK9zIAx0FtC2oCfeZQe0E++VXuiYE9hFSzhRlOy92K8A=",
+ wantErr: true,
 },
 } {
 t.Run(test.name, func(t *testing.T) {
@@ -139,6 +149,9 @@ func TestRFC6962ToNote(t *testing.T) {
 if gotErr := err != nil; gotErr != test.wantErr {
 t.Fatalf("Got err %q, wantErr: %t", err, test.wantErr)
 }
+ if test.wantErr {
+ return
+ }
 n, err := note.Open(nRaw, note.VerifierList(v))
 if err != nil {
 t.Fatalf("Failed to open note: %v", err)
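Review bot: Neither case added to the table in TestRFC6962STHToCheckpoint appears to reach the `note.Open` verification this commit adds to RFC6962STHToCheckpoint. "invalid JSON" fails at parsing, and "invalid STH" uses `"tree_head_signature":"BananaSignature"`, which is not valid padded base64 and would presumably be rejected during decoding if that field is a `[]byte` (its type is not visible here). A case that parses cleanly but whose signature does not match the signed content, for example the "works" input with `tree_size` changed by one and `wantErr: true`, would pin the new rejection path. The table and the test function both start and end outside these hunks.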