From 5112a573716e89a025645252ba0363e356d93ef0 Mon Sep 17 00:00:00 2001
From: Felix Linker
Date: Fri, 3 May 2024 09:51:41 +0200
Subject: [PATCH] Use ct/v1/get-entries over get-entry-and-proof

Reasoning: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OMFdTY16VPc
---
 lib/ct/api.ts | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/lib/ct/api.ts b/lib/ct/api.ts
index 54e29b0..70480c6 100644
--- a/lib/ct/api.ts
+++ b/lib/ct/api.ts
@@ -35,6 +35,10 @@ interface EntryResponse {
 extra_data: string
 }
 
+interface EntriesResponse {
+ entries: EntryResponse[]
+}
+
 export async function checkInclusion(logId: string, leafHash: string, iss: URL, keyHash: string): Promise {
 let log = (await fetchLogs())[logId];
 if (log === undefined) {
@@ -46,16 +50,20 @@ export async function checkInclusion(logId: string, leafHash: string, iss: URL,
 log.url,
 'ct/v1/get-proof-by-hash',
 new URLSearchParams({ hash: leafHash, tree_size: sth.tree_size.toString() }),
- ).then((resp) => logQuery(
+ ).then((resp) => logQuery(
 log.url,
- 'ct/v1/get-entry-and-proof',
+ 'ct/v1/get-entries',
 new URLSearchParams({
- leaf_index: resp.leaf_index.toString(),
- tree_size: sth.tree_size.toString(),
+ start: resp.leaf_index.toString(),
+ end: resp.leaf_index.toString(),
 }),
 ))
 ).then(async (resp) => {
- const altNames = getSubjectAltNames(resp.leaf_input);
+ if (resp.entries.length != 1) {
+ throw new Error('wrong number of certificates returned');
+ }
+
+ const altNames = getSubjectAltNames(resp.entries[0].leaf_input);
 if (!(altNames.includes(iss.host))) {
 throw new Error('issuer not in certificate altNames');
 } else if (!(altNames.includes(`${keyHash}.adem-configuration.${iss.host}`))) {
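Review bot: The entry fetched from get-entries is never bound to `leafHash`: after the `resp.entries.length != 1` guard in the second hunk, `resp.entries[0].leaf_input` goes straight into getSubjectAltNames, so the altNames checks run against whatever the log serves at that index rather than the leaf that the get-proof-by-hash call resolved. Unless the audit path from the first response is verified elsewhere (checkInclusion's body continues outside the hunk), a log that returned a different entry for that index would still pass the check. Recompute the RFC 6962 leaf hash of the returned leaf_input (SHA-256 over a 0x00 prefix followed by the base64-decoded leaf_input) and throw when it does not equal `leafHash` before parsing the entry. While here, the new guard uses loose inequality; `if (resp.entries.length !== 1) {` matches the strict-equality convention used for `log === undefined` in the first hunk.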