The aws antispam driver returns 0, nil if there's a database error:
|
var idx uint64 |
|
if err := row.Scan(&idx); err == sql.ErrNoRows { |
|
return nil, nil |
|
} |
|
d.numHits.Add(1) |
|
return &idx, nil |
This causes tesseract to execute this code path, which retrieves the timestamp for entry 0, and then signs an SCT with index 0, the timestamp of entry 0, but with the certificate data from the add-(pre-)chain request. This SCT can never be successfully audited.
Consequentially, a database error in the aws antispam driver causes instant death of the log.
I think it's fragile how tesseract overwrites just the timestamp, but otherwise keeps the entry that was constructed from the submission. It means that inputs to the critical SCT signing operation come from multiple places, and consequentially might not be coherent. Instead, tesseract should retrieve the entire entry from storage, not just the timestamp, and completely discard the entry constructed from the submission. That way, a malfunction in the antispam driver can only cause the wrong SCT to be returned; it can't kill the log by returning an invalid SCT.
The aws antispam driver returns
0, nilif there's a database error:tessera/storage/aws/antispam/aws.go
Lines 200 to 205 in 20980b0
This causes tesseract to execute this code path, which retrieves the timestamp for entry 0, and then signs an SCT with index 0, the timestamp of entry 0, but with the certificate data from the add-(pre-)chain request. This SCT can never be successfully audited.
Consequentially, a database error in the aws antispam driver causes instant death of the log.
I think it's fragile how tesseract overwrites just the timestamp, but otherwise keeps the entry that was constructed from the submission. It means that inputs to the critical SCT signing operation come from multiple places, and consequentially might not be coherent. Instead, tesseract should retrieve the entire entry from storage, not just the timestamp, and completely discard the entry constructed from the submission. That way, a malfunction in the antispam driver can only cause the wrong SCT to be returned; it can't kill the log by returning an invalid SCT.