sha256_root_hash is invalid in ctfe config #773

Closed
pgporada opened this issue Mar 2, 2021 · 3 comments

pgporada commented Mar 2, 2021

Hi,

I've frozen some shards, but am unsure how to serve a frozen sth in preparation for when the shards are deleted. I receive this error and ctfe fails to start up.

F0302 00:29:25.518703       1 main.go:105] Invalid config: log config: invalid frozen STH: sha256_root_hash is invalid length, expected 32 got 44:

Assuming I've pieced the frozen_sth section together correctly from https://github.com/google/certificate-transparency-go/blob/master/trillian/ctfe/configpb/config.pb.go#L509-L521

config {
  log_id: 7098813260217451818
  prefix: "2019"
  not_after_start: {seconds: 1546300800}
  not_after_limit: {seconds: 1578355200}
  roots_pem_file: "/roots.pem"
  max_merge_delay_sec: 86400
  reject_expired: true
  frozen_sth: {
    tree_size: 666628491,
    timestamp: 1614610745490,
    sha256_root_hash: "ul1sABvz3nsF6GhyCPDOC2keQPQ8JWDKWIZXqqEWBcM=",
    tree_head_signature: "BAMARzBFAiEAj6CmRZJv/SSF2EsrT9dchsUXYhlQINmyblaoE2BVBycCIDVcdXRriiIYLqxJ/BtZga55ROnlMWObsJNwx/yb1Emu"
  }
  public_key: {
    der: "\xpubkey"
  }
  private_key: {
    [type.googleapis.com/keyspb.PrivateKey] {
      der: "\xnevergonnaseeme"
    }
  }
}

$ curl -s https://testflume.ct.letsencrypt.org/2019/ct/v1/get-sth | jq -r '.'
{
  "tree_size": 666628491,
  "timestamp": 1614610745490,
  "sha256_root_hash": "ul1sABvz3nsF6GhyCPDOC2keQPQ8JWDKWIZXqqEWBcM=",
  "tree_head_signature": "BAMARzBFAiEAj6CmRZJv/SSF2EsrT9dchsUXYhlQINmyblaoE2BVBycCIDVcdXRriiIYLqxJ/BtZga55ROnlMWObsJNwx/yb1Emu"
}

Is this a bug? From what I can tell based on various outdated test files, I believe I am doing the right thing.

pav-kv commented May 11, 2022

This config is a protobuf, and it expects bytes for sha256_root_hash. It would not decode base64.

pav-kv commented May 11, 2022

@pgporada It is slightly inconvenient in this case, but you would need to convert it to bytes. Here is the example of this field in our config for Aviator log:

  frozen_sth: {
    tree_size: 46466472
    timestamp: 1480512258330
    sha256_root_hash: "-\301\234e\033&\370\261\230\232\271r\013\222\327\205]S\350\340\374\210~]6V\364\260Be\365\260"
    tree_head_signature: "\004\003\000H0F\002!\000\374\315\r\276\336\373h\327\276\365\346\033*\313\372\255\032S\314T\312k\220\206\251\276zy\256!\236\337\002!\000\211\014N\351/\254`\001\354\014w\230\267\033Yk\005h\005\242\204\366\221\335\376\316X\204\317\224p\363"
  }

pav-kv commented May 11, 2022

This is true for the signature too.
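
The conversion described in the comments above, as an added example that is not part of the original thread or the project's own code: it decodes the base64 fields of the get-sth response quoted in the issue and renders them as octal-escaped byte strings for a frozen_sth stanza. The names sthJSON, escapeBytes and frozenSTH are hypothetical, and the 32-byte check only mirrors the length named in the error message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sthJSON is the get-sth response quoted in the issue (base64 fields).
const sthJSON = `{"tree_size":666628491,"timestamp":1614610745490,"sha256_root_hash":"ul1sABvz3nsF6GhyCPDOC2keQPQ8JWDKWIZXqqEWBcM=","tree_head_signature":"BAMARzBFAiEAj6CmRZJv/SSF2EsrT9dchsUXYhlQINmyblaoE2BVBycCIDVcdXRriiIYLqxJ/BtZga55ROnlMWObsJNwx/yb1Emu"}`

type sth struct {
	TreeSize  uint64 `json:"tree_size"`
	Timestamp uint64 `json:"timestamp"`
	RootHash  []byte `json:"sha256_root_hash"` // encoding/json base64-decodes []byte fields
	Signature []byte `json:"tree_head_signature"`
}

// escapeBytes renders raw bytes as the body of a protobuf text-format string:
// printable ASCII is kept, everything else (plus `"` and `\`) becomes \ooo octal.
func escapeBytes(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		if c < 0x20 || c >= 0x7f || c == '"' || c == '\\' {
			fmt.Fprintf(&sb, "\\%03o", c)
		} else {
			sb.WriteByte(c)
		}
	}
	return sb.String()
}

// frozenSTH (hypothetical helper) turns a get-sth JSON body into a frozen_sth stanza.
func frozenSTH(body string) (string, error) {
	var s sth
	if err := json.Unmarshal([]byte(body), &s); err != nil {
		return "", err
	}
	if len(s.RootHash) != 32 { // same length the error message in the issue expects
		return "", fmt.Errorf("sha256_root_hash is %d bytes, want 32", len(s.RootHash))
	}
	return fmt.Sprintf("frozen_sth: {\n  tree_size: %d\n  timestamp: %d\n  sha256_root_hash: \"%s\"\n  tree_head_signature: \"%s\"\n}",
		s.TreeSize, s.Timestamp, escapeBytes(s.RootHash), escapeBytes(s.Signature)), nil
}

func main() {
	fmt.Println(frozenSTH(sthJSON)) // prints the stanza, then the error (<nil> on success)
}
```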

pav-kv closed this as completed May 11, 2022