diff options
author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-03-16 00:26:07 +0100 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-03-16 00:26:07 +0100 |
commit | 9f7690327f8d74abdd86232546a154ab8408d174 (patch) | |
tree | 0abeaade1c7673579c1b6a76cd4c6c25395555ee | |
parent | e2959d506de6067afe494315c3621b33613b5414 (diff) |
started to re-add basic client commands
-rw-r--r-- | client/add-entry/main.go | 71 | ||||
-rw-r--r-- | client/client.go | 292 | ||||
-rw-r--r-- | client/cmd/add-entry/main.go | 52 | ||||
-rw-r--r-- | client/cmd/get-sth/main.go | 35 | ||||
-rw-r--r-- | client/get-anchors/main.go | 54 | ||||
-rw-r--r-- | client/get-consistency-proof/main.go | 94 | ||||
-rw-r--r-- | client/get-entries/main.go | 86 | ||||
-rw-r--r-- | client/get-proof-by-hash/main.go | 84 | ||||
-rw-r--r-- | client/get-sth/main.go | 57 | ||||
-rw-r--r-- | client/verify.go | 39 | ||||
-rw-r--r-- | descriptor/descriptor.go | 58 | ||||
-rw-r--r-- | descriptor/descriptor_test.go | 109 | ||||
-rw-r--r-- | descriptor/stfe.json | 12 | ||||
-rw-r--r-- | go.mod | 1 | ||||
-rw-r--r-- | server/main.go | 2 |
15 files changed, 186 insertions, 860 deletions
diff --git a/client/add-entry/main.go b/client/add-entry/main.go deleted file mode 100644 index 52861ef..0000000 --- a/client/add-entry/main.go +++ /dev/null @@ -1,71 +0,0 @@ -package main - -import ( - "context" - "flag" - "fmt" - - "crypto/ed25519" - "encoding/base64" - "net/http" - - "github.com/golang/glog" - "github.com/system-transparency/stfe/client" - "github.com/system-transparency/stfe/descriptor" -) - -var ( - operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") - key = flag.String("key", "Zaajc50Xt1tNpTj6WYkljzcVjLXL2CcQcHFT/xZqYEcc5AVSQo1amNgCE0pPJYLNqGUjtEO1/nXbeQcPYsAKPQ==", "base64-encoded ed25519 signing key") - name = flag.String("name", "foobar-1.2.3", "package name") - checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded package checksum") -) - -func main() { - flag.Parse() - - log, sk, sum := mustLoad(*operators, *logId, *key, *checksum) - client, err := client.NewClient(log, &http.Client{}, true, sk) - if err != nil { - glog.Fatal(err) - } - - sdi, err := client.AddEntry(context.Background(), []byte(*name), sum) - if err != nil { - glog.Fatalf("add-entry failed: %v", err) - } - - str, err := sdi.MarshalB64() - if err != nil { - glog.Fatalf("failed encoding valid signed debug info: %v", err) - } - fmt.Println(str) - - glog.Flush() -} - -func mustLoad(operators, logId, key, checksum string) (*descriptor.Log, *ed25519.PrivateKey, []byte) { - ops, err := descriptor.LoadOperators(operators) - if err != nil { - glog.Fatalf("failed loading log operators: %v") - } - id, err := base64.StdEncoding.DecodeString(logId) - if err != nil { - glog.Fatalf("invalid base64 log id: %v", err) - } - log, err := descriptor.FindLog(ops, id) - if err != nil { - glog.Fatalf("unknown log id: %v", err) - } - b, err := base64.StdEncoding.DecodeString(key) - if err != nil { - glog.Fatalf("invalid base64 key: %v", err) - } - sk := ed25519.PrivateKey(b) - b, err = base64.StdEncoding.DecodeString(checksum) - if err != nil { - glog.Fatalf("failed decoding checksum: %v", err) - } - return log, &sk, b -} diff --git a/client/client.go b/client/client.go index 3bd4f50..ead2c77 100644 --- a/client/client.go +++ b/client/client.go @@ -3,273 +3,175 @@ package client import ( "bytes" "context" + "crypto" + "flag" "fmt" + "reflect" "crypto/ed25519" + "crypto/rand" "encoding/base64" - "encoding/json" "io/ioutil" "net/http" "github.com/golang/glog" "github.com/google/trillian/merkle/rfc6962" "github.com/system-transparency/stfe" - "github.com/system-transparency/stfe/descriptor" - "github.com/system-transparency/stfe/namespace" + "github.com/system-transparency/stfe/types" "golang.org/x/net/context/ctxhttp" ) -// Client is an HTTP(S) client that talks to an ST log +var ( + logId = flag.String("log_id", "AAEsY0retj4wa3S2fjsOCJCTVHab7ipEiMdqtW1uJ6Jvmg==", "base64-encoded log identifier") + logUrl = flag.String("log_url", "http://localhost:6965/st/v1", "log url") + ed25519_sk = flag.String("ed25519_sk", "d8i6nud7PS1vdO0sIk9H+W0nyxbM63Y3/mSeUPRafWaFh8iH8QXvL7NaAYn2RZPrnEey+FdpmTYXE47OFO70eg==", "base64-encoded ed25519 signing key") +) + type Client struct { - Log *descriptor.Log - Client *http.Client - PrivateKey *ed25519.PrivateKey - Namespace *namespace.Namespace - useHttp bool + HttpClient *http.Client + Signer crypto.Signer // client's private identity + Namespace *types.Namespace // client's public identity + Log *Descriptor // log's public identity } -// NewClient returns a new log client. -// -// Note: private key can be ommied if no write APIs are used. -func NewClient(log *descriptor.Log, client *http.Client, useHttp bool, privateKey *ed25519.PrivateKey) (*Client, error) { - c := &Client{ - Log: log, - Client: client, - PrivateKey: privateKey, - useHttp: useHttp, - } - if privateKey != nil { - var err error - c.Namespace, err = namespace.NewNamespaceEd25519V1([]byte(privateKey.Public().(ed25519.PublicKey))) - if err != nil { - return nil, fmt.Errorf("failed creating namespace: %v", err) - } - } - return c, nil +type Descriptor struct { + Namespace *types.Namespace // log identifier is a namespace + Url string // log url, e.g., http://example.com/st/v1 } -// AddEntry creates, signs, and adds a new ChecksumV1 entry to the log -func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StItem, error) { - leaf, err := stfe.NewChecksumV1(name, checksum, c.Namespace).Marshal() - if err != nil { - return nil, fmt.Errorf("failed marshaling StItem: %v", err) +func NewClientFromFlags() (*Client, error) { + var err error + c := Client{ + HttpClient: &http.Client{}, } - data, err := json.Marshal(stfe.AddEntryRequest{ - Item: leaf, - Signature: ed25519.Sign(*c.PrivateKey, leaf), - }) - if err != nil { - return nil, fmt.Errorf("failed creating post data: %v", err) + if len(*ed25519_sk) != 0 { + sk, err := base64.StdEncoding.DecodeString(*ed25519_sk) + if err != nil { + return nil, fmt.Errorf("ed25519_sk: DecodeString: %v", err) + } + c.Signer = ed25519.PrivateKey(sk) + c.Namespace, err = types.NewNamespaceEd25519V1([]byte(ed25519.PrivateKey(sk).Public().(ed25519.PublicKey))) + if err != nil { + return nil, fmt.Errorf("ed25519_vk: NewNamespaceEd25519V1: %v", err) + } } - glog.V(3).Infof("created post data: %s", string(data)) - - url := stfe.EndpointAddEntry.Path(c.protocol() + c.Log.BaseUrl) - req, err := http.NewRequest("POST", url, bytes.NewBuffer(data)) - if err != nil { - return nil, fmt.Errorf("failed creating http request: %v", err) + if c.Log, err = NewDescriptorFromFlags(); err != nil { + return nil, fmt.Errorf("NewDescriptorFromFlags: %v", err) } - req.Header.Set("Content-Type", "application/json") - glog.V(2).Infof("created http request: %s %s", req.Method, req.URL) + return &c, nil +} - item, err := c.doRequestWithStItemResponse(ctx, req) +func NewDescriptorFromFlags() (*Descriptor, error) { + b, err := base64.StdEncoding.DecodeString(*logId) if err != nil { - return nil, err + return nil, fmt.Errorf("LogId: DecodeString: %v", err) } - if item.Format != stfe.StFormatSignedDebugInfoV1 { - return nil, fmt.Errorf("bad StItem format: %v", item.Format) + var namespace types.Namespace + if err := types.Unmarshal(b, &namespace); err != nil { + return nil, fmt.Errorf("LogId: Unmarshal: %v", err) } - - if ns, err := c.Log.Namespace(); err != nil { - return nil, fmt.Errorf("invalid log namespace: %v", err) - } else if err := ns.Verify(leaf, item.SignedDebugInfoV1.Signature); err != nil { - return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err) - } - return item, nil + return &Descriptor{ + Namespace: &namespace, + Url: *logUrl, + }, nil } -// GetSth fetches and verifies the most recent STH. -func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) { - url := stfe.EndpointGetLatestSth.Path(c.protocol() + c.Log.BaseUrl) - req, err := http.NewRequest("GET", url, nil) +// AddEntry signs and submits a checksum_v1 entry to the log. Outputs the +// resulting leaf-hash on success, which can be used to verify inclusion. +func (c *Client) AddEntry(ctx context.Context, data *types.ChecksumV1) ([]byte, error) { + msg, err := types.Marshal(*data) if err != nil { - return nil, fmt.Errorf("failed creating http request: %v", err) + return nil, fmt.Errorf("failed marshaling ChecksumV1: %v", err) } - glog.V(2).Infof("created http request: %s %s", req.Method, req.URL) - - item, err := c.doRequestWithStItemResponse(ctx, req) + sig, err := c.Signer.Sign(rand.Reader, msg, crypto.Hash(0)) if err != nil { - return nil, err - } - if item.Format != stfe.StFormatSignedTreeHeadV1 { - return nil, fmt.Errorf("bad StItem format: %v", item.Format) + return nil, fmt.Errorf("failed signing ChecksumV1: %v", err) } - th, err := item.SignedTreeHeadV1.TreeHead.Marshal() + leaf, err := types.Marshal(*types.NewSignedChecksumV1(data, &types.SignatureV1{ + Namespace: *c.Namespace, + Signature: sig, + })) if err != nil { - return nil, fmt.Errorf("failed marshaling tree head: %v", err) - } - - if ns, err := c.Log.Namespace(); err != nil { - return nil, fmt.Errorf("bad public key: %v", err) - } else if err := ns.Verify(th, item.SignedTreeHeadV1.Signature); err != nil { - return nil, fmt.Errorf("bad SignedTreeHeadV1 signature: %v", err) + return nil, fmt.Errorf("failed marshaling SignedChecksumV1: %v", err) } - return item, nil -} + glog.V(9).Infof("signed: %v", data) -// GetConsistencyProof fetches and verifies a consistency proof between two -// STHs. -func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.StItem) (*stfe.StItem, error) { - url := stfe.EndpointGetConsistencyProof.Path(c.protocol() + c.Log.BaseUrl) - req, err := http.NewRequest("GET", url, nil) + url := stfe.EndpointAddEntry.Path(c.Log.Url) + req, err := http.NewRequest("POST", url, bytes.NewBuffer(leaf)) if err != nil { return nil, fmt.Errorf("failed creating http request: %v", err) } - req.Header.Set("Content-Type", "application/json") - q := req.URL.Query() - q.Add("first", fmt.Sprintf("%d", first.SignedTreeHeadV1.TreeHead.TreeSize)) - q.Add("second", fmt.Sprintf("%d", second.SignedTreeHeadV1.TreeHead.TreeSize)) - req.URL.RawQuery = q.Encode() - glog.V(2).Infof("created http request: %s %s", req.Method, req.URL) + req.Header.Set("Content-Type", "application/octet-stream") + glog.V(3).Infof("created http request: %s %s", req.Method, req.URL) - item, err := c.doRequestWithStItemResponse(ctx, req) - if err != nil { - return nil, err - } - if item.Format != stfe.StFormatConsistencyProofV1 { - return nil, fmt.Errorf("bad StItem format: %v", item.Format) - } - if err := VerifyConsistencyProofV1(item, first, second); err != nil { - return nil, fmt.Errorf("bad consistency proof: %v", err) + if rsp, err := c.doRequest(ctx, req); err != nil { + return nil, fmt.Errorf("doRequest: %v", err) + } else if len(rsp) != 0 { + return nil, fmt.Errorf("extra data: %v", err) } - return item, nil + glog.V(3).Infof("add-entry succeded") + return rfc6962.DefaultHasher.HashLeaf(leaf), nil } -// GetProofByHash fetches and verifies an inclusion proof for a leaf against an -// STH. -func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, leaf []byte) (*stfe.StItem, error) { - leafHash := rfc6962.DefaultHasher.HashLeaf(leaf) - url := stfe.EndpointGetProofByHash.Path(c.protocol() + c.Log.BaseUrl) +func (c *Client) GetLatestSth(ctx context.Context) (*types.StItem, error) { + url := stfe.EndpointGetLatestSth.Path(c.Log.Url) req, err := http.NewRequest("GET", url, nil) if err != nil { return nil, fmt.Errorf("failed creating http request: %v", err) } - req.Header.Set("Content-Type", "application/json") - q := req.URL.Query() - q.Add("hash", base64.StdEncoding.EncodeToString(leafHash)) - q.Add("tree_size", fmt.Sprintf("%d", treeSize)) - req.URL.RawQuery = q.Encode() - glog.V(2).Infof("created http request: %s %s", req.Method, req.URL) + glog.V(3).Infof("created http request: %s %s", req.Method, req.URL) item, err := c.doRequestWithStItemResponse(ctx, req) if err != nil { return nil, err } - if item.Format != stfe.StFormatInclusionProofV1 { - return nil, fmt.Errorf("bad StItem format: %v", item.Format) + if got, want := item.Format, types.StFormatSignedTreeHeadV1; got != want { + return nil, fmt.Errorf("unexpected StItem format: %v", got) } - if err := VerifyInclusionProofV1(item, rootHash, leafHash); err != nil { - return nil, fmt.Errorf("bad inclusion proof: %v", err) + if got, want := &item.SignedTreeHeadV1.Signature.Namespace, c.Log.Namespace; !reflect.DeepEqual(got, want) { + return nil, fmt.Errorf("unexpected log id: %v", want) } - return item, nil -} -// GetEntries fetches a range of entries from the log, verifying that they are -// of type checksum_v1 and signed by a valid certificate chain in the appendix. -// Fewer entries may be returned if too large range, in which case the end is -// truncated. -// -// Note that a certificate chain is considered valid if it is chained correctly. -// In other words, the caller may want to check whether the anchor is trusted. -func (c *Client) GetEntries(ctx context.Context, start, end uint64) ([]*stfe.GetEntryResponse, error) { - url := stfe.EndpointGetEntries.Path(c.protocol() + c.Log.BaseUrl) - req, err := http.NewRequest("GET", url, nil) + th, err := types.Marshal(item.SignedTreeHeadV1.TreeHead) if err != nil { - return nil, fmt.Errorf("failed creating http request: %v", err) - } - req.Header.Set("Content-Type", "application/json") - q := req.URL.Query() - q.Add("start", fmt.Sprintf("%d", start)) - q.Add("end", fmt.Sprintf("%d", end)) - req.URL.RawQuery = q.Encode() - glog.V(2).Infof("created http request: %s %s", req.Method, req.URL) - - var rsp []*stfe.GetEntryResponse - if err := c.doRequest(ctx, req, &rsp); err != nil { - return nil, err + return nil, fmt.Errorf("failed marshaling tree head: %v", err) } - for _, entry := range rsp { - var item stfe.StItem - if err := item.Unmarshal(entry.Item); err != nil { - return nil, fmt.Errorf("unmarshal failed: %v (%v)", err, entry) - } - if item.Format != stfe.StFormatChecksumV1 { - return nil, fmt.Errorf("bad StFormat: %v (%v)", err, entry) - } - if err := item.ChecksumV1.Namespace.Verify(entry.Item, entry.Signature); err != nil { // TODO: only works if full vk in namespace - return nil, fmt.Errorf("bad signature: %v (%v)", err, entry) - } + if err := c.Log.Namespace.Verify(th, item.SignedTreeHeadV1.Signature.Signature); err != nil { + return nil, fmt.Errorf("signature verification failed: %v", err) } - return rsp, nil + glog.V(3).Infof("verified sth") + return item, nil } -// GetNamespaces fetches the log's trusted namespaces. -func (c *Client) GetNamespaces(ctx context.Context) ([][]byte, error) { - url := stfe.EndpointGetAnchors.Path(c.protocol() + c.Log.BaseUrl) // TODO: update GetAnchors => GetNamespaces - req, err := http.NewRequest("GET", url, nil) +// doRequest sends an HTTP request and outputs the raw body +func (c *Client) doRequest(ctx context.Context, req *http.Request) ([]byte, error) { + rsp, err := ctxhttp.Do(ctx, c.HttpClient, req) if err != nil { - return nil, fmt.Errorf("failed creating http request: %v", err) + return nil, fmt.Errorf("no response: %v", err) } - var rsp [][]byte - if err := c.doRequest(ctx, req, &rsp); err != nil { - return nil, err - } - return rsp, nil -} - -// doRequest sends an HTTP request and decodes the resulting json body into out -func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface{}) error { - rsp, err := ctxhttp.Do(ctx, c.Client, req) - if err != nil { - return fmt.Errorf("http request failed: %v", err) + defer rsp.Body.Close() + if got, want := rsp.StatusCode, http.StatusOK; got != want { + return nil, fmt.Errorf("bad http status: %v", got) } body, err := ioutil.ReadAll(rsp.Body) - rsp.Body.Close() if err != nil { - return fmt.Errorf("http body read failed: %v", err) + return nil, fmt.Errorf("cannot read body: %v", err) } - if rsp.StatusCode != http.StatusOK { - return fmt.Errorf("http status code not ok: %v", rsp.StatusCode) - } - if err := json.Unmarshal(body, out); err != nil { - return fmt.Errorf("failed decoding json body: %v", err) - } - return nil + return body, nil } // // doRequestWithStItemResponse sends an HTTP request and returns a decoded // StItem that the resulting HTTP response contained json:ed and marshaled -func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Request) (*stfe.StItem, error) { - var itemStr string - if err := c.doRequest(ctx, req, &itemStr); err != nil { - return nil, err - } - b, err := base64.StdEncoding.DecodeString(itemStr) +func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Request) (*types.StItem, error) { + body, err := c.doRequest(ctx, req) if err != nil { - return nil, fmt.Errorf("failed decoding base64 body: %v", err) + return nil, err } - var item stfe.StItem - if err := item.Unmarshal(b); err != nil { + var item types.StItem + if err := types.Unmarshal(body, &item); err != nil { return nil, fmt.Errorf("failed decoding StItem: %v", err) } - glog.V(3).Infof("got StItem: %s", item) + glog.V(9).Infof("got StItem: %v", item) return &item, nil } - -// protocol returns a protocol string that preceeds the log's base url -func (c *Client) protocol() string { - if c.useHttp { - return "http://" - } - return "https://" -} diff --git a/client/cmd/add-entry/main.go b/client/cmd/add-entry/main.go new file mode 100644 index 0000000..03844fa --- /dev/null +++ b/client/cmd/add-entry/main.go @@ -0,0 +1,52 @@ +package main + +import ( + "context" + "flag" + "fmt" + + "encoding/base64" + + "github.com/golang/glog" + "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/types" +) + +var ( + identifier = flag.String("identifier", "foobar-1.2.3", "checksum identifier") + checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded checksum") +) + +func main() { + flag.Parse() + defer glog.Flush() + + client, err := client.NewClientFromFlags() + if err != nil { + glog.Errorf("NewClientFromFlags: %v", err) + return + } + data, err := NewChecksumV1FromFlags() + if err != nil { + glog.Errorf("NewChecksumV1FromFlags: %v", err) + return + } + leafHash, err := client.AddEntry(context.Background(), data) + if err != nil { + glog.Errorf("AddEntry: %v", err) + return + } + fmt.Println("leaf hash:", base64.StdEncoding.EncodeToString(leafHash)) +} + +func NewChecksumV1FromFlags() (*types.ChecksumV1, error) { + var err error + data := types.ChecksumV1{ + Identifier: []byte(*identifier), + } + data.Checksum, err = base64.StdEncoding.DecodeString(*checksum) + if err != nil { + return nil, fmt.Errorf("entry_checksum: DecodeString: %v", err) + } + return &data, nil +} diff --git a/client/cmd/get-sth/main.go b/client/cmd/get-sth/main.go new file mode 100644 index 0000000..6b23b06 --- /dev/null +++ b/client/cmd/get-sth/main.go @@ -0,0 +1,35 @@ +package main + +import ( + "context" + "flag" + "fmt" + + "encoding/base64" + + "github.com/golang/glog" + "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/types" +) + +func main() { + flag.Parse() + defer glog.Flush() + + client, err := client.NewClientFromFlags() + if err != nil { + glog.Errorf("NewClientFromFlags: %v", err) + return + } + sth, err := client.GetLatestSth(context.Background()) + if err != nil { + glog.Errorf("GetLatestSth: %v", err) + return + } + serialized, err := types.Marshal(*sth) + if err != nil { + glog.Errorf("Marshal: %v", err) + return + } + fmt.Println("sth:", base64.StdEncoding.EncodeToString(serialized)) +} diff --git a/client/get-anchors/main.go b/client/get-anchors/main.go deleted file mode 100644 index 1c10924..0000000 --- a/client/get-anchors/main.go +++ /dev/null @@ -1,54 +0,0 @@ -package main - -import ( - "context" - "flag" - "fmt" - - "encoding/base64" - "net/http" - - "github.com/golang/glog" - "github.com/system-transparency/stfe/client" - "github.com/system-transparency/stfe/descriptor" -) - -var ( - operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") -) - -func main() { - flag.Parse() - - client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) - if err != nil { - glog.Fatal(err) - } - - namespaces, err := client.GetNamespaces(context.Background()) - if err != nil { - glog.Fatal(err) - } - for i, namespace := range namespaces { - fmt.Printf("namespace[%d]: %s\n", i, base64.StdEncoding.EncodeToString(namespace)) - } - - glog.Flush() -} - -func mustLoad(operators, logId string) *descriptor.Log { - ops, err := descriptor.LoadOperators(operators) - if err != nil { - glog.Fatalf("failed loading log operators: %v") - } - id, err := base64.StdEncoding.DecodeString(logId) - if err != nil { - glog.Fatalf("invalid base64 log id: %v", err) - } - log, err := descriptor.FindLog(ops, id) - if err != nil { - glog.Fatalf("unknown log id: %v", err) - } - return log -} diff --git a/client/get-consistency-proof/main.go b/client/get-consistency-proof/main.go deleted file mode 100644 index 283e9b8..0000000 --- a/client/get-consistency-proof/main.go +++ /dev/null @@ -1,94 +0,0 @@ -package main - -import ( - "context" - "flag" - "fmt" - - "encoding/base64" - "net/http" - - "github.com/golang/glog" - "github.com/system-transparency/stfe" - "github.com/system-transparency/stfe/client" - "github.com/system-transparency/stfe/descriptor" -) - -var ( - operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") - first = flag.String("first", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TqQQZAAAAAAAAACEIEV75viH3o4llUxCqwoTvY38vKUiv2lg4uFd1jTfcCC5AAAAQBoc5JvG6AovqHjZAU77zrsrIN8ZuR3DIwYAFD2mcvyI/b2KcIPxH6XQ7+zTnGJPWfgwvI5sCuu/MBAAHEzZzQk=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1") - second = flag.String("second", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TrZf7gAAAAAAAACJIEl/yYdMBb6st/D4yQXRXIAphR7i2y10jB/BbnQljy8rAAAAQBzYrWNidZ8bCdaHqi5zgxGJ6HQNfYihDhRQy20lu36a/yxKqgrvoH+dv969c4aeBEAGz5TSSAn5CwqmqUFSAQo=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1") -) - -func main() { - flag.Parse() - - cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) - if err != nil { - glog.Fatal(err) - } - ns, err := cli.Log.Namespace() - if err != nil { - glog.Fatalf("bad log namespace: %v", err) - } - - // Check first STH - var sth1 stfe.StItem - if err := sth1.UnmarshalB64(*first); err != nil { - glog.Fatalf("bad signed tree head: %v", err) - } - th1, err := sth1.SignedTreeHeadV1.TreeHead.Marshal() - if err != nil { - glog.Fatalf("cannot marshal tree head: %v", err) - } - if err := ns.Verify(th1, sth1.SignedTreeHeadV1.Signature); err != nil { - glog.Fatalf("bad signed tree head: %v", err) - } - glog.V(3).Info("verified first sth") - - // Check second STH - var sth2 stfe.StItem - if err := sth2.UnmarshalB64(*second); err != nil { - glog.Fatalf("bad signed tree head: %v", err) - } - th2, err := sth2.SignedTreeHeadV1.TreeHead.Marshal() - if err != nil { - glog.Fatalf("cannot marshal tree head: %v", err) - } - if err := ns.Verify(th2, sth2.SignedTreeHeadV1.Signature); err != nil { - glog.Fatalf("bad signed tree head: %v", err) - } - glog.V(3).Info("verified second sth") - - // Check consistency - proof, err := cli.GetConsistencyProof(context.Background(), &sth1, &sth2) - if err != nil { - glog.Fatalf("get-proof-by-hash failed: %v", err) - } - glog.V(3).Info("verified inclusion proof") - - str, err := proof.MarshalB64() - if err != nil { - glog.Fatalf("failed encoding valid inclusion proof: %v", err) - } - fmt.Println(str) - - glog.Flush() -} - -func mustLoad(operators, logId string) *descriptor.Log { - ops, err := descriptor.LoadOperators(operators) - if err != nil { - glog.Fatalf("failed loading log operators: %v") - } - id, err := base64.StdEncoding.DecodeString(logId) - if err != nil { - glog.Fatalf("invalid base64 log id: %v", err) - } - log, err := descriptor.FindLog(ops, id) - if err != nil { - glog.Fatalf("unknown log id: %v", err) - } - return log -} diff --git a/client/get-entries/main.go b/client/get-entries/main.go deleted file mode 100644 index 1500cd0..0000000 --- a/client/get-entries/main.go +++ /dev/null @@ -1,86 +0,0 @@ -package main - -import ( - "context" - "flag" - "fmt" - - "encoding/base64" - "net/http" - - "github.com/golang/glog" - "github.com/system-transparency/stfe" - "github.com/system-transparency/stfe/client" - "github.com/system-transparency/stfe/descriptor" -) - -var ( - operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") - start = flag.Uint64("start", 132, "inclusive start index to download") - end = flag.Uint64("end", 137, "inclusive stop index to download") -) - -func main() { - flag.Parse() - - if client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil); err != nil { - glog.Fatal(err) - } else if items, err := getRange(client, *start, *end); err != nil { - glog.Fatal(err) - } else if err := printRange(items); err != nil { - glog.Fatal(err) - } - - glog.Flush() -} - -func getRange(client *client.Client, start, end uint64) ([]*stfe.StItem, error) { - items := make([]*stfe.StItem, 0, end-start+1) - for len(items) != cap(items) { - rsps, err := client.GetEntries(context.Background(), start, end) - if err != nil { - return nil, fmt.Errorf("fetching entries failed: %v", err) - } - - for _, rsp := range rsps { - var item stfe.StItem - if err := item.Unmarshal(rsp.Item); err != nil { - return nil, fmt.Errorf("expected valid StItem but unmarshal failed: %v", err) - } else if item.Format != stfe.StFormatChecksumV1 { - return nil, fmt.Errorf("expected checksum_v1 but got: %v", item.Format) - } - items = append(items, &item) - } - start += uint64(len(rsps)) - } - return items, nil -} - -func printRange(items []*stfe.StItem) error { - for i, item := range items { - glog.V(3).Infof("Index(%d): %s", *start+uint64(i), item) - str, err := item.MarshalB64() - if err != nil { - glog.Fatalf("expected valid StItem but marshal failed: %v", err) - } - fmt.Printf("Index(%d): %s\n", *start+uint64(i), str) - } - return nil -} - -func mustLoad(operators, logId string) *descriptor.Log { - ops, err := descriptor.LoadOperators(operators) - if err != nil { - glog.Fatalf("failed loading log operators: %v") - } - id, err := base64.StdEncoding.DecodeString(logId) - if err != nil { - glog.Fatalf("invalid base64 log id: %v", err) - } - log, err := descriptor.FindLog(ops, id) - if err != nil { - glog.Fatalf("unknown log id: %v", err) - } - return log -} diff --git a/client/get-proof-by-hash/main.go b/client/get-proof-by-hash/main.go deleted file mode 100644 index 00a4486..0000000 --- a/client/get-proof-by-hash/main.go +++ /dev/null @@ -1,84 +0,0 @@ -package main - -import ( - "context" - "flag" - "fmt" - - "encoding/base64" - "net/http" - - "github.com/golang/glog" - "github.com/system-transparency/stfe" - "github.com/system-transparency/stfe/client" - "github.com/system-transparency/stfe/descriptor" -) - -var ( - operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") - signedTreeHead = flag.String("sth", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3Ts1DPAAAAAAAAACKIOjuyYlimCylCNmIliPWn+O+oOPpvdtllbJnp+xKV3qhAAAAQKW2+4+3a2cgERULDrbwoeevo6q1JxY8mcj73XPLAhcmlR/YmtuWv6PEJYiLP/bclN6ZQ5ttQq1/9hG+VvgLvA4=", "base64-encoded StItem of type StFormatSignedTreeHeadV1") - entry = flag.String("entry", "AAUFZGViaTYw50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75eAAEgHOQFUkKNWpjYAhNKTyWCzahlI7RDtf5123kHD2LACj0=", "base64-encoded StItem of type StFormatChecksumV1") -) - -func main() { - flag.Parse() - - cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) - if err != nil { - glog.Fatal(err) - } - ns, err := cli.Log.Namespace() - if err != nil { - glog.Fatalf("bad log namespace: %v", err) - } - - // Check STH - var sth stfe.StItem - if err := sth.UnmarshalB64(*signedTreeHead); err != nil { - glog.Fatalf("bad signed tree head: %v", err) - } - th, err := sth.SignedTreeHeadV1.TreeHead.Marshal() - if err != nil { - glog.Fatalf("cannot marshal tree head: %v", err) - } - if err := ns.Verify(th, sth.SignedTreeHeadV1.Signature); err != nil { - glog.Fatalf("bad signed tree head: %v", err) - } - glog.V(3).Info("verified sth") - - // Check inclusion - leaf, err := base64.StdEncoding.DecodeString(*entry) - if err != nil { - glog.Fatalf("failed decoding entry: %v", err) - } - proof, err := cli.GetProofByHash(context.Background(), sth.SignedTreeHeadV1.TreeHead.TreeSize, sth.SignedTreeHeadV1.TreeHead.RootHash.Data, leaf) - if err != nil { - glog.Fatalf("get-proof-by-hash failed: %v", err) - } - glog.V(3).Info("verified inclusion proof") - - str, err := proof.MarshalB64() - if err != nil { - glog.Fatalf("failed encoding valid inclusion proof: %v", err) - } - fmt.Println(str) - - glog.Flush() -} - -func mustLoad(operators, logId string) *descriptor.Log { - ops, err := descriptor.LoadOperators(operators) - if err != nil { - glog.Fatalf("failed loading log operators: %v") - } - id, err := base64.StdEncoding.DecodeString(logId) - if err != nil { - glog.Fatalf("invalid base64 log id: %v", err) - } - log, err := descriptor.FindLog(ops, id) - if err != nil { - glog.Fatalf("unknown log id: %v", err) - } - return log -} diff --git a/client/get-sth/main.go b/client/get-sth/main.go deleted file mode 100644 index e952ee3..0000000 --- a/client/get-sth/main.go +++ /dev/null @@ -1,57 +0,0 @@ -package main - -import ( - "context" - "flag" - "fmt" - - "encoding/base64" - "net/http" - - "github.com/golang/glog" - "github.com/system-transparency/stfe/client" - "github.com/system-transparency/stfe/descriptor" -) - -var ( - operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") -) - -func main() { - flag.Parse() - - client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) - if err != nil { - glog.Fatal(err) - } - - sth, err := client.GetSth(context.Background()) - if err != nil { - glog.Fatalf("get-sth failed: %v", err) - } - - str, err := sth.MarshalB64() - if err != nil { - glog.Fatalf("failed encoding valid signed tree head: %v", err) - } - fmt.Println(str) - - glog.Flush() -} - -func mustLoad(operators, logId string) *descriptor.Log { - ops, err := descriptor.LoadOperators(operators) - if err != nil { - glog.Fatalf("failed loading log operators: %v") - } - id, err := base64.StdEncoding.DecodeString(logId) - if err != nil { - glog.Fatalf("invalid base64 log id: %v", err) - } - log, err := descriptor.FindLog(ops, id) - if err != nil { - glog.Fatalf("unknown log id: %v", err) - } - return log -} diff --git a/client/verify.go b/client/verify.go deleted file mode 100644 index 3ce02e7..0000000 --- a/client/verify.go +++ /dev/null @@ -1,39 +0,0 @@ -package client - -import ( - "github.com/google/trillian/merkle" - "github.com/google/trillian/merkle/rfc6962" - "github.com/system-transparency/stfe" -) - -// VerifyConsistencyProofV1 verifies that a consistency proof is valid without -// checking any sth signature -func VerifyConsistencyProofV1(proof, first, second *stfe.StItem) error { - path := make([][]byte, 0, len(proof.ConsistencyProofV1.ConsistencyPath)) - for _, nh := range proof.ConsistencyProofV1.ConsistencyPath { - path = append(path, nh.Data) - } - return merkle.NewLogVerifier(rfc6962.DefaultHasher).VerifyConsistencyProof( - int64(proof.ConsistencyProofV1.TreeSize1), - int64(proof.ConsistencyProofV1.TreeSize2), - first.SignedTreeHeadV1.TreeHead.RootHash.Data, - second.SignedTreeHeadV1.TreeHead.RootHash.Data, - path, - ) -} - -// VerifyInclusionProofV1 verifies that an inclusion proof is valid without checking -// any sth signature -func VerifyInclusionProofV1(proof *stfe.StItem, rootHash, leafHash []byte) error { - path := make([][]byte, 0, len(proof.InclusionProofV1.InclusionPath)) - for _, nh := range proof.InclusionProofV1.InclusionPath { - path = append(path, nh.Data) - } - return merkle.NewLogVerifier(rfc6962.DefaultHasher).VerifyInclusionProof( - int64(proof.InclusionProofV1.LeafIndex), - int64(proof.InclusionProofV1.TreeSize), - path, - rootHash, - leafHash, - ) -} diff --git a/descriptor/descriptor.go b/descriptor/descriptor.go deleted file mode 100644 index efe2cf1..0000000 --- a/descriptor/descriptor.go +++ /dev/null @@ -1,58 +0,0 @@ -package descriptor - -import ( - "bytes" - "fmt" - - "encoding/base64" - "encoding/json" - "io/ioutil" - - "github.com/system-transparency/stfe/namespace" -) - -// Operator is an stfe log operator that runs zero or more logs -type Operator struct { - Name string `json:"name"` - Email string `json:"email"` - Logs []*Log `json:"logs"` -} - -// Log is a collection of immutable stfe log parameters -type Log struct { - Id []byte `json:"id"` // Serialized namespace - BaseUrl string `json:"base_url"` // E.g., example.com/st/v1 - // TODO: List of supported namespace types? -} - -func FindLog(ops []Operator, logId []byte) (*Log, error) { - for _, op := range ops { - for _, log := range op.Logs { - if bytes.Equal(logId, log.Id) { - return log, nil - } - } - } - return nil, fmt.Errorf("no such log: %s", base64.StdEncoding.EncodeToString(logId)) -} - -// LoadOperators loads a list of json-encoded log operators from a given path -func LoadOperators(path string) ([]Operator, error) { - blob, err := ioutil.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("failed reading log operators: %v", err) - } - var ops []Operator - if err := json.Unmarshal(blob, &ops); err != nil { - return nil, fmt.Errorf("failed decoding log operators: %v", err) - } - return ops, nil -} - -func (l *Log) Namespace() (*namespace.Namespace, error) { - var n namespace.Namespace - if err := n.Unmarshal(l.Id); err != nil { - return nil, fmt.Errorf("invalid namespace: %v", err) - } - return &n, nil -} diff --git a/descriptor/descriptor_test.go b/descriptor/descriptor_test.go deleted file mode 100644 index 22641ca..0000000 --- a/descriptor/descriptor_test.go +++ /dev/null @@ -1,109 +0,0 @@ -package descriptor - -import ( - "fmt" - "testing" - - "encoding/base64" - "encoding/json" -) - -const ( - operatorListJson = `[{"name":"Test operator","email":"test@example.com","logs":[{"id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=","base_url":"example.com/st/v1"}]}]` -) - -func TestMarshal(t *testing.T) { - for _, table := range []struct { - in []Operator - want string - }{ - {makeOperatorList(), operatorListJson}, - } { - b, err := json.Marshal(table.in) - if err != nil { - t.Errorf("operator list marshaling failed: %v", err) - } - if string(b) != table.want { - t.Errorf("\nwant %s\n got %s", table.want, string(b)) - } - } - -} - -func TestUnmarshal(t *testing.T) { - for _, table := range []struct { - in []byte - want error - }{ - {[]byte(operatorListJson), nil}, - } { - var op []Operator - if err := json.Unmarshal(table.in, &op); err != table.want { - t.Errorf("wanted err=%v, got %v", table.want, err) - } - } -} - -func TestFindLog(t *testing.T) { - for _, table := range []struct { - ops []Operator - logId []byte - wantError bool - }{ - {makeOperatorList(), deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), false}, - {makeOperatorList(), []byte{0, 1, 2, 3}, true}, - } { - _, err := FindLog(table.ops, table.logId) - if (err != nil) != table.wantError { - t.Errorf("wanted log not found for id: %v", table.logId) - } - } -} - -func TestNamespace(t *testing.T) { - for _, table := range []struct { - description string - id []byte - wantErr bool - }{ - { - description: "invalid: not a namespace", - id: []byte{0,1,2,3}, - wantErr: true, - }, - { - description: "valid", - id: deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), - }, - }{ - l := &Log{ Id: table.id, BaseUrl: "example.com/st/v1" } - _, err := l.Namespace() - if got, want := err != nil, table.wantErr; got != want { - t.Errorf("wanted error %v but got %v in test %q: %v", got, want, table.description, err) - return - } - } -} - -func makeOperatorList() []Operator { - return []Operator{ - Operator{ - Name: "Test operator", - Email: "test@example.com", - Logs: []*Log{ - &Log{ - Id: deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), - BaseUrl: "example.com/st/v1", - }, - }, - }, - } -} - -func deb64(s string) []byte { - b, err := base64.StdEncoding.DecodeString(s) - if err != nil { - panic(fmt.Sprintf("failed decoding base64: %v", err)) - } - return b -} diff --git a/descriptor/stfe.json b/descriptor/stfe.json deleted file mode 100644 index 34f884b..0000000 --- a/descriptor/stfe.json +++ /dev/null @@ -1,12 +0,0 @@ -[ - { - "name": "Test operator", - "email":"test@example.com", - "logs": [ - { - "id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", - "base_url":"localhost:6965/st/v1" - } - ] - } -] @@ -8,5 +8,6 @@ require ( github.com/google/certificate-transparency-go v1.1.1 github.com/google/trillian v1.3.13 github.com/prometheus/client_golang v1.9.0 // indirect + golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect google.golang.org/grpc v1.35.0 ) diff --git a/server/main.go b/server/main.go index d45079b..122a6fe 100644 --- a/server/main.go +++ b/server/main.go @@ -30,7 +30,7 @@ var ( prefix = flag.String("prefix", "st/v1", "a prefix that proceeds each endpoint path") trillianID = flag.Int64("trillian_id", 5991359069696313945, "log identifier in the Trillian database") deadline = flag.Duration("deadline", time.Second*10, "deadline for backend requests") - key = flag.String("key", "8gzezwrU/2eTrO6tEYyLKsoqn5V54URvKIL9cTE7jUYUqXVX4neJvcBq/zpSAYPsZFG1woh0OGBzQbi9UP9MZw==", "base64-encoded Ed25519 signing key") + key = flag.String("key", "d3qiIZ/BBPLwZ3rlPEC/Eo2GWvhseUrgs+pX+/BwXSEsY0retj4wa3S2fjsOCJCTVHab7ipEiMdqtW1uJ6Jvmg==", "base64-encoded Ed25519 signing key") submitterPolicy = flag.Bool("submitter_policy", false, "whether there is any submitter namespace policy (default: none, accept unregistered submitter namespaces)") witnessPolicy = flag.Bool("witness_policy", false, "whether there is any witness namespace policy (default: none, accept unregistered witness namespaces)") submitters = flag.String("submitters", "", "comma-separated list of trusted submitter namespaces in base64 (default: none)") |