Log SCTs via RequestLog API when they are about to be issued (google#243

) * Add SCT logging to RequestLog api. * Log SCT bytes earlier. * Review fixes * Fix doc comment.
n-ct · May 18, 2018 · 7c2bade · 7c2bade
1 parent 05f3323
commit 7c2bade
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/trillian/ctfe/handlers.go b/trillian/ctfe/handlers.go
@@ -394,6 +394,12 @@ func addChainInternal(ctx context.Context, c *LogContext, w http.ResponseWriter,
 	if err != nil {
 		return http.StatusInternalServerError, fmt.Errorf("failed to generate SCT: %v", err)
 	}
+	sctBytes, err := tls.Marshal(*sct)
+	if err != nil {
+		return http.StatusInternalServerError, fmt.Errorf("failed to marshall SCT: %v", err)
+	}
+	// We could possibly fail to issue the SCT after this but it's v. unlikely.
+	c.RequestLog.IssueSCT(ctx, sctBytes)
 	err = marshalAndWriteAddChainResponse(sct, c.signer, w)
 	if err != nil {
 		// reason is logged and http status is already set

diff --git a/trillian/ctfe/requestlog.go b/trillian/ctfe/requestlog.go
@@ -16,7 +16,6 @@ package ctfe
 
 import (
 	"context"
-	"encoding/hex"
 	"time"
 
 	"github.com/golang/glog"
@@ -64,6 +63,12 @@ type RequestLog interface {
 	// LeafHash will be called once for get proof by hash requests with the
 	// requested hash value (if the parameters parse correctly).
 	LeafHash(context.Context, []byte)
+	// IssueSCT will be called once when the server is about to issue an SCT to a
+	// client. This should not be called if the submission process fails before an
+	// SCT could be presented to a client, even if this is unrelated to
+	// the validity of the submitted chain. The SCT bytes will be in TLS
+	// serialized format.
+	IssueSCT(context.Context, []byte)
 	// Status will be called once to set the HTTP status code that was the
 	// the result after the request has been handled.
 	Status(context.Context, int)
@@ -87,7 +92,7 @@ func (dlr *DefaultRequestLog) LogPrefix(_ context.Context, p string) {
 
 // AddDERToChain logs the raw bytes of a submitted certificate.
 func (dlr *DefaultRequestLog) AddDERToChain(_ context.Context, d []byte) {
-	glog.V(vLevel).Infof("RL: Cert DER: %s", hex.EncodeToString(d))
+	glog.V(vLevel).Infof("RL: Cert DER: %x", d)
 }
 
 // AddCertToChain logs some issuer / subject / timing fields from a
@@ -122,7 +127,12 @@ func (dlr *DefaultRequestLog) TreeSize(_ context.Context, ts int64) {
 
 // LeafHash logs request parameters.
 func (dlr *DefaultRequestLog) LeafHash(_ context.Context, lh []byte) {
-	glog.V(vLevel).Infof("RL: LeafHash: %s", hex.EncodeToString(lh))
+	glog.V(vLevel).Infof("RL: LeafHash: %x", lh)
+}
+
+// IssueSCT logs an SCT that will be issued to a client.
+func (dlr *DefaultRequestLog) IssueSCT(_ context.Context, sct []byte) {
+	glog.V(vLevel).Infof("RL: Issuing SCT: %x", sct)
 }
 
 // Status logs the response HTTP status code after processing completes.