Skip to content

Error handling bug in aws antispam driver causes unincorporated SCT #1018

Description

@AGWA

The aws antispam driver returns 0, nil if there's a database error:

var idx uint64
if err := row.Scan(&idx); err == sql.ErrNoRows {
return nil, nil
}
d.numHits.Add(1)
return &idx, nil

This causes tesseract to execute this code path, which retrieves the timestamp for entry 0, and then signs an SCT with index 0, the timestamp of entry 0, but with the certificate data from the add-(pre-)chain request. This SCT can never be successfully audited.

Consequentially, a database error in the aws antispam driver causes instant death of the log.

I think it's fragile how tesseract overwrites just the timestamp, but otherwise keeps the entry that was constructed from the submission. It means that inputs to the critical SCT signing operation come from multiple places, and consequentially might not be coherent. Instead, tesseract should retrieve the entire entry from storage, not just the timestamp, and completely discard the entry constructed from the submission. That way, a malfunction in the antispam driver can only cause the wrong SCT to be returned; it can't kill the log by returning an invalid SCT.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions