Use ct/v1/get-entries over get-entry-and-proof

Reasoning: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OMFdTY16VPc
adem-wg · May 3, 2024 · 5112a57 · 5112a57
1 parent ebcbc1e
commit 5112a57
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/lib/ct/api.ts b/lib/ct/api.ts
@@ -35,6 +35,10 @@ interface EntryResponse {
   extra_data: string
 }
 
+interface EntriesResponse {
+  entries: EntryResponse[]
+}
+
 export async function checkInclusion(logId: string, leafHash: string, iss: URL, keyHash: string): Promise<void> {
   let log = (await fetchLogs())[logId];
   if (log === undefined) {
@@ -46,16 +50,20 @@ export async function checkInclusion(logId: string, leafHash: string, iss: URL,
           log.url,
           'ct/v1/get-proof-by-hash',
           new URLSearchParams({ hash: leafHash, tree_size: sth.tree_size.toString() }),
-        ).then((resp) => logQuery<EntryResponse>(
+        ).then((resp) => logQuery<EntriesResponse>(
           log.url,
-          'ct/v1/get-entry-and-proof',
+          'ct/v1/get-entries',
           new URLSearchParams({
-            leaf_index: resp.leaf_index.toString(),
-            tree_size: sth.tree_size.toString(),
+            start: resp.leaf_index.toString(),
+            end: resp.leaf_index.toString(),
           }),
         ))
       ).then(async (resp) => {
-        const altNames = getSubjectAltNames(resp.leaf_input);
+        if (resp.entries.length != 1) {
+          throw new Error('wrong number of certificates returned');
+        }
+
+        const altNames = getSubjectAltNames(resp.entries[0].leaf_input);
         if (!(altNames.includes(iss.host))) {
           throw new Error('issuer not in certificate altNames');
         } else if (!(altNames.includes(`${keyHash}.adem-configuration.${iss.host}`))) {