Ty/ct-rs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Ty:6d1ae370fa02f39ab9b9d601fd7a6bb45e6a9c02
Branches Tags
Ty:main
..
compare: Ty:7e51c915bc6b47b1c75901d1bca0a167efc347bd
Branches Tags
Ty:main

4 commits
6d1ae370fa ... 7e51c915bc

Author SHA1 Message Date
Tyler Beckman
7e51c915bc
docs(api): Fill in missing doc comments 2024-10-27 16:24:26 -06:00
Tyler Beckman
1c2b59e9f8
feat(api): Allow re-use of existing reqwest client in CtApiClient struct 2024-10-27 16:23:38 -06:00
Tyler Beckman
f526f859a5
docs(api): List outputs in CtApiClient methods 2024-10-27 16:10:01 -06:00
Tyler Beckman
505355189f
feat(api): Add Merkle Audit Proof by leaf hash endpoint 2024-10-27 16:01:52 -06:00
3 changed files with 112 additions and 5 deletions
Show stats Expand all files Collapse all files

25
src/api/endpoints.rs
View file

@ -100,3 +100,28 @@ pub const GET_STH: Endpoint = (reqwest::Method::GET, "/ct/v1/get-sth");
/// ``` /// ```
pub const GET_STH_CONSISTENCY: Endpoint = pub const GET_STH_CONSISTENCY: Endpoint =
(reqwest::Method::GET, "/ct/v1/get-sth-consistency"); (reqwest::Method::GET, "/ct/v1/get-sth-consistency");
/// Reference: https://datatracker.ietf.org/doc/html/rfc6962#section-4.4
/// ```txt
/// GET https://<log server>/ct/v1/get-proof-by-hash
///
/// Inputs:
///
/// hash: A base64-encoded v1 leaf hash.
///
/// tree_size: The tree_size of the tree on which to base the proof,
/// in decimal.
///
/// The "hash" must be calculated as defined in Section 3.4. The
/// "tree_size" must designate an existing v1 STH.
///
/// Outputs:
///
/// leaf_index: The 0-based index of the end entity corresponding to
/// the "hash" parameter.
///
/// audit_path: An array of base64-encoded Merkle Tree nodes proving
/// the inclusion of the chosen certificate.
/// ```
pub const GET_PROOF_BY_HASH: Endpoint =
(reqwest::Method::GET, "/ct/v1/get-proof-by-hash");

82
src/api/mod.rs
View file

@ -1,7 +1,10 @@
use std::sync::Arc;
use reqwest::Url; use reqwest::Url;
use responses::{ use responses::{
AddChainRequest, AddChainRequest,
AddChainResponse, AddChainResponse,
GetProofByHashResponse,
GetSthConsistencyResponse, GetSthConsistencyResponse,
GetSthResponse GetSthResponse
}; };
@ -9,20 +12,50 @@ use responses::{
pub mod endpoints; pub mod endpoints;
pub mod responses; pub mod responses;
/// An API client used for interfacing with a specific CT log. This can be
/// constructed with [`CtApiClient::new`] to automatically create an inner
/// [`reqwest::Client`], or an [`Arc`] of one can be passed manually with
/// [`CtApiClient::new_with_client`] to re-use an existing client between code.
/// Re-using clients if one is already created is recommended, as it allows
/// connection-pools to be re-used and will have less overhead between requests.
pub struct CtApiClient { pub struct CtApiClient {
inner_client: reqwest::Client, inner_client: Arc<reqwest::Client>,
log_url: Url log_url: Url
} }
impl CtApiClient { impl CtApiClient {
/// Creates a new [`CtApiClient`] given a specific log URL. This log URL can
/// contain a subpath if the specific log uses one. Anything besides a
/// scheme, host information (ip/port), and a standard path is not supported
/// and will likely cause requests to fail.
///
/// ## Errors
///
/// As this automatically constructs a [`reqwest::Client`], this will error
/// if the client fails to be created for whatever reason, usually due to it
/// being unable to find TLS configuration and root store for the platform.
pub fn new(log_url: Url) -> reqwest::Result<Self> { pub fn new(log_url: Url) -> reqwest::Result<Self> {
Ok(Self { Ok(Self {
inner_client: reqwest::Client::builder().https_only(true).build()?, inner_client: Arc::new(reqwest::Client::builder().https_only(true).build()?),
log_url log_url
}) })
} }
/// Adds a standard x509 chain to the CT log. /// Creates a new [`CtApiClient`] given a specific log URL and
/// [`reqwest::Client`]. This log URL can contain a subpath if the specific
/// log uses one. Anything besides a scheme, host information (ip/port),
/// and a standard path is not supported and will likely cause requests to
/// fail.
pub fn new_with_client(log_url: Url, inner_client: Arc<reqwest::Client>) -> Self {
Self {
inner_client,
log_url
}
}
/// Adds a standard x509 chain to the CT log. The log will then return
/// information needed to construct a valid SCT entry, including timestamp,
/// CT log signature, sct version, and any log operator extensions.
/// ///
/// See: [`endpoints::ADD_CHAIN`] /// See: [`endpoints::ADD_CHAIN`]
/// ///
@ -53,6 +86,7 @@ impl CtApiClient {
/// Adds a precetificate chain to the CT log. This is largely the same as /// Adds a precetificate chain to the CT log. This is largely the same as
/// [`CtApiClient::add_chain`], except is used specifically when the chain /// [`CtApiClient::add_chain`], except is used specifically when the chain
/// starts with a precertificate rather than the final end-user certificate. /// starts with a precertificate rather than the final end-user certificate.
/// Response data is exactly the same as [`CtApiClient::add_chain`].
/// ///
/// See: [`endpoints::ADD_PRE_CHAIN`] /// See: [`endpoints::ADD_PRE_CHAIN`]
/// ///
@ -83,7 +117,11 @@ impl CtApiClient {
.await .await
} }
/// Fetches the Signed Tree Head information for the current CT log tree /// Fetches the Signed Tree Head information for the current CT log tree.
/// The response contains the tree size, timestamp, root hash, and a
/// signature of all of the above from the CT log. This data can be used to
/// verify the integrity of the tree at any point, and verify inclusion of a
/// leaf in the tree.
/// ///
/// See: [`endpoints::GET_STH`] /// See: [`endpoints::GET_STH`]
/// ///
@ -105,7 +143,9 @@ impl CtApiClient {
} }
/// Fetches the Signed Tree Head consistency proof for a specified start /// Fetches the Signed Tree Head consistency proof for a specified start
/// tree_size and end tree_size. /// tree_size and end tree_size. This consistency proof is simply a list of
/// each merkle tree node necessary to verify the append-only nature of the
/// log between the specified first and second tree sizes.
/// ///
/// See: [`endpoints::GET_STH_CONSISTENCY`] /// See: [`endpoints::GET_STH_CONSISTENCY`]
/// ///
@ -133,4 +173,36 @@ impl CtApiClient {
.json() .json()
.await .await
} }
/// Fetches a single merkle audit proof for a specific leaf node by hash
/// from the CT log. The response both includes the index of the hashed
/// leaf node and the list of Merkle Tree nodes required to verify proof of
/// existence of your specified node in the full tree.
///
/// See: [`endpoints::GET_PROOF_BY_HASH`]
///
/// ## Errors
///
/// This may error if either the request failed (due to lack of internet or
/// invalid domain, for example), or if the CT log gave a 4xx/5xx response.
/// The CT log may error the response if your provided hash was not a hash
/// of a valid node at the tree size specified.
pub async fn get_merkle_audit_proof_by_hash(
&self,
hash: &str,
tree_size: u64
) -> reqwest::Result<GetProofByHashResponse> {
self.inner_client
.request(
endpoints::GET_PROOF_BY_HASH.0,
self.log_url.to_string() + endpoints::GET_PROOF_BY_HASH.1
)
.query(&[("hash", hash)])
.query(&[("tree_size", tree_size)])
.send()
.await?
.error_for_status()?
.json()
.await
}
} }

10
src/api/responses.rs
View file

@ -41,3 +41,13 @@ pub struct GetSthResponse {
pub struct GetSthConsistencyResponse { pub struct GetSthConsistencyResponse {
pub consistency: Vec<String> pub consistency: Vec<String>
} }
/// A response given when fetching the Merkle Audit Proof from a CT log merkle
/// leaf.
///
/// See: [`super::endpoints::GET_PROOF_BY_HASH`]
#[derive(Debug, Deserialize)]
pub struct GetProofByHashResponse {
pub leaf_index: u64,
pub audit_path: Vec<String>
}