aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2021-03-16 00:26:07 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2021-03-16 00:26:07 +0100
commit9f7690327f8d74abdd86232546a154ab8408d174 (patch)
tree0abeaade1c7673579c1b6a76cd4c6c25395555ee
parente2959d506de6067afe494315c3621b33613b5414 (diff)
started to re-add basic client commands
-rw-r--r--client/add-entry/main.go71
-rw-r--r--client/client.go292
-rw-r--r--client/cmd/add-entry/main.go52
-rw-r--r--client/cmd/get-sth/main.go35
-rw-r--r--client/get-anchors/main.go54
-rw-r--r--client/get-consistency-proof/main.go94
-rw-r--r--client/get-entries/main.go86
-rw-r--r--client/get-proof-by-hash/main.go84
-rw-r--r--client/get-sth/main.go57
-rw-r--r--client/verify.go39
-rw-r--r--descriptor/descriptor.go58
-rw-r--r--descriptor/descriptor_test.go109
-rw-r--r--descriptor/stfe.json12
-rw-r--r--go.mod1
-rw-r--r--server/main.go2
15 files changed, 186 insertions, 860 deletions
diff --git a/client/add-entry/main.go b/client/add-entry/main.go
deleted file mode 100644
index 52861ef..0000000
--- a/client/add-entry/main.go
+++ /dev/null
@@ -1,71 +0,0 @@
-package main
-
-import (
- "context"
- "flag"
- "fmt"
-
- "crypto/ed25519"
- "encoding/base64"
- "net/http"
-
- "github.com/golang/glog"
- "github.com/system-transparency/stfe/client"
- "github.com/system-transparency/stfe/descriptor"
-)
-
-var (
- operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
- logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
- key = flag.String("key", "Zaajc50Xt1tNpTj6WYkljzcVjLXL2CcQcHFT/xZqYEcc5AVSQo1amNgCE0pPJYLNqGUjtEO1/nXbeQcPYsAKPQ==", "base64-encoded ed25519 signing key")
- name = flag.String("name", "foobar-1.2.3", "package name")
- checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded package checksum")
-)
-
-func main() {
- flag.Parse()
-
- log, sk, sum := mustLoad(*operators, *logId, *key, *checksum)
- client, err := client.NewClient(log, &http.Client{}, true, sk)
- if err != nil {
- glog.Fatal(err)
- }
-
- sdi, err := client.AddEntry(context.Background(), []byte(*name), sum)
- if err != nil {
- glog.Fatalf("add-entry failed: %v", err)
- }
-
- str, err := sdi.MarshalB64()
- if err != nil {
- glog.Fatalf("failed encoding valid signed debug info: %v", err)
- }
- fmt.Println(str)
-
- glog.Flush()
-}
-
-func mustLoad(operators, logId, key, checksum string) (*descriptor.Log, *ed25519.PrivateKey, []byte) {
- ops, err := descriptor.LoadOperators(operators)
- if err != nil {
- glog.Fatalf("failed loading log operators: %v")
- }
- id, err := base64.StdEncoding.DecodeString(logId)
- if err != nil {
- glog.Fatalf("invalid base64 log id: %v", err)
- }
- log, err := descriptor.FindLog(ops, id)
- if err != nil {
- glog.Fatalf("unknown log id: %v", err)
- }
- b, err := base64.StdEncoding.DecodeString(key)
- if err != nil {
- glog.Fatalf("invalid base64 key: %v", err)
- }
- sk := ed25519.PrivateKey(b)
- b, err = base64.StdEncoding.DecodeString(checksum)
- if err != nil {
- glog.Fatalf("failed decoding checksum: %v", err)
- }
- return log, &sk, b
-}
diff --git a/client/client.go b/client/client.go
index 3bd4f50..ead2c77 100644
--- a/client/client.go
+++ b/client/client.go
@@ -3,273 +3,175 @@ package client
import (
"bytes"
"context"
+ "crypto"
+ "flag"
"fmt"
+ "reflect"
"crypto/ed25519"
+ "crypto/rand"
"encoding/base64"
- "encoding/json"
"io/ioutil"
"net/http"
"github.com/golang/glog"
"github.com/google/trillian/merkle/rfc6962"
"github.com/system-transparency/stfe"
- "github.com/system-transparency/stfe/descriptor"
- "github.com/system-transparency/stfe/namespace"
+ "github.com/system-transparency/stfe/types"
"golang.org/x/net/context/ctxhttp"
)
-// Client is an HTTP(S) client that talks to an ST log
+var (
+ logId = flag.String("log_id", "AAEsY0retj4wa3S2fjsOCJCTVHab7ipEiMdqtW1uJ6Jvmg==", "base64-encoded log identifier")
+ logUrl = flag.String("log_url", "http://localhost:6965/st/v1", "log url")
+ ed25519_sk = flag.String("ed25519_sk", "d8i6nud7PS1vdO0sIk9H+W0nyxbM63Y3/mSeUPRafWaFh8iH8QXvL7NaAYn2RZPrnEey+FdpmTYXE47OFO70eg==", "base64-encoded ed25519 signing key")
+)
+
type Client struct {
- Log *descriptor.Log
- Client *http.Client
- PrivateKey *ed25519.PrivateKey
- Namespace *namespace.Namespace
- useHttp bool
+ HttpClient *http.Client
+ Signer crypto.Signer // client's private identity
+ Namespace *types.Namespace // client's public identity
+ Log *Descriptor // log's public identity
}
-// NewClient returns a new log client.
-//
-// Note: private key can be ommied if no write APIs are used.
-func NewClient(log *descriptor.Log, client *http.Client, useHttp bool, privateKey *ed25519.PrivateKey) (*Client, error) {
- c := &Client{
- Log: log,
- Client: client,
- PrivateKey: privateKey,
- useHttp: useHttp,
- }
- if privateKey != nil {
- var err error
- c.Namespace, err = namespace.NewNamespaceEd25519V1([]byte(privateKey.Public().(ed25519.PublicKey)))
- if err != nil {
- return nil, fmt.Errorf("failed creating namespace: %v", err)
- }
- }
- return c, nil
+type Descriptor struct {
+ Namespace *types.Namespace // log identifier is a namespace
+ Url string // log url, e.g., http://example.com/st/v1
}
-// AddEntry creates, signs, and adds a new ChecksumV1 entry to the log
-func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StItem, error) {
- leaf, err := stfe.NewChecksumV1(name, checksum, c.Namespace).Marshal()
- if err != nil {
- return nil, fmt.Errorf("failed marshaling StItem: %v", err)
+func NewClientFromFlags() (*Client, error) {
+ var err error
+ c := Client{
+ HttpClient: &http.Client{},
}
- data, err := json.Marshal(stfe.AddEntryRequest{
- Item: leaf,
- Signature: ed25519.Sign(*c.PrivateKey, leaf),
- })
- if err != nil {
- return nil, fmt.Errorf("failed creating post data: %v", err)
+ if len(*ed25519_sk) != 0 {
+ sk, err := base64.StdEncoding.DecodeString(*ed25519_sk)
+ if err != nil {
+ return nil, fmt.Errorf("ed25519_sk: DecodeString: %v", err)
+ }
+ c.Signer = ed25519.PrivateKey(sk)
+ c.Namespace, err = types.NewNamespaceEd25519V1([]byte(ed25519.PrivateKey(sk).Public().(ed25519.PublicKey)))
+ if err != nil {
+ return nil, fmt.Errorf("ed25519_vk: NewNamespaceEd25519V1: %v", err)
+ }
}
- glog.V(3).Infof("created post data: %s", string(data))
-
- url := stfe.EndpointAddEntry.Path(c.protocol() + c.Log.BaseUrl)
- req, err := http.NewRequest("POST", url, bytes.NewBuffer(data))
- if err != nil {
- return nil, fmt.Errorf("failed creating http request: %v", err)
+ if c.Log, err = NewDescriptorFromFlags(); err != nil {
+ return nil, fmt.Errorf("NewDescriptorFromFlags: %v", err)
}
- req.Header.Set("Content-Type", "application/json")
- glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
+ return &c, nil
+}
- item, err := c.doRequestWithStItemResponse(ctx, req)
+func NewDescriptorFromFlags() (*Descriptor, error) {
+ b, err := base64.StdEncoding.DecodeString(*logId)
if err != nil {
- return nil, err
+ return nil, fmt.Errorf("LogId: DecodeString: %v", err)
}
- if item.Format != stfe.StFormatSignedDebugInfoV1 {
- return nil, fmt.Errorf("bad StItem format: %v", item.Format)
+ var namespace types.Namespace
+ if err := types.Unmarshal(b, &namespace); err != nil {
+ return nil, fmt.Errorf("LogId: Unmarshal: %v", err)
}
-
- if ns, err := c.Log.Namespace(); err != nil {
- return nil, fmt.Errorf("invalid log namespace: %v", err)
- } else if err := ns.Verify(leaf, item.SignedDebugInfoV1.Signature); err != nil {
- return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err)
- }
- return item, nil
+ return &Descriptor{
+ Namespace: &namespace,
+ Url: *logUrl,
+ }, nil
}
-// GetSth fetches and verifies the most recent STH.
-func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
- url := stfe.EndpointGetLatestSth.Path(c.protocol() + c.Log.BaseUrl)
- req, err := http.NewRequest("GET", url, nil)
+// AddEntry signs and submits a checksum_v1 entry to the log. Outputs the
+// resulting leaf-hash on success, which can be used to verify inclusion.
+func (c *Client) AddEntry(ctx context.Context, data *types.ChecksumV1) ([]byte, error) {
+ msg, err := types.Marshal(*data)
if err != nil {
- return nil, fmt.Errorf("failed creating http request: %v", err)
+ return nil, fmt.Errorf("failed marshaling ChecksumV1: %v", err)
}
- glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
-
- item, err := c.doRequestWithStItemResponse(ctx, req)
+ sig, err := c.Signer.Sign(rand.Reader, msg, crypto.Hash(0))
if err != nil {
- return nil, err
- }
- if item.Format != stfe.StFormatSignedTreeHeadV1 {
- return nil, fmt.Errorf("bad StItem format: %v", item.Format)
+ return nil, fmt.Errorf("failed signing ChecksumV1: %v", err)
}
- th, err := item.SignedTreeHeadV1.TreeHead.Marshal()
+ leaf, err := types.Marshal(*types.NewSignedChecksumV1(data, &types.SignatureV1{
+ Namespace: *c.Namespace,
+ Signature: sig,
+ }))
if err != nil {
- return nil, fmt.Errorf("failed marshaling tree head: %v", err)
- }
-
- if ns, err := c.Log.Namespace(); err != nil {
- return nil, fmt.Errorf("bad public key: %v", err)
- } else if err := ns.Verify(th, item.SignedTreeHeadV1.Signature); err != nil {
- return nil, fmt.Errorf("bad SignedTreeHeadV1 signature: %v", err)
+ return nil, fmt.Errorf("failed marshaling SignedChecksumV1: %v", err)
}
- return item, nil
-}
+ glog.V(9).Infof("signed: %v", data)
-// GetConsistencyProof fetches and verifies a consistency proof between two
-// STHs.
-func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.StItem) (*stfe.StItem, error) {
- url := stfe.EndpointGetConsistencyProof.Path(c.protocol() + c.Log.BaseUrl)
- req, err := http.NewRequest("GET", url, nil)
+ url := stfe.EndpointAddEntry.Path(c.Log.Url)
+ req, err := http.NewRequest("POST", url, bytes.NewBuffer(leaf))
if err != nil {
return nil, fmt.Errorf("failed creating http request: %v", err)
}
- req.Header.Set("Content-Type", "application/json")
- q := req.URL.Query()
- q.Add("first", fmt.Sprintf("%d", first.SignedTreeHeadV1.TreeHead.TreeSize))
- q.Add("second", fmt.Sprintf("%d", second.SignedTreeHeadV1.TreeHead.TreeSize))
- req.URL.RawQuery = q.Encode()
- glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
+ req.Header.Set("Content-Type", "application/octet-stream")
+ glog.V(3).Infof("created http request: %s %s", req.Method, req.URL)
- item, err := c.doRequestWithStItemResponse(ctx, req)
- if err != nil {
- return nil, err
- }
- if item.Format != stfe.StFormatConsistencyProofV1 {
- return nil, fmt.Errorf("bad StItem format: %v", item.Format)
- }
- if err := VerifyConsistencyProofV1(item, first, second); err != nil {
- return nil, fmt.Errorf("bad consistency proof: %v", err)
+ if rsp, err := c.doRequest(ctx, req); err != nil {
+ return nil, fmt.Errorf("doRequest: %v", err)
+ } else if len(rsp) != 0 {
+ return nil, fmt.Errorf("extra data: %v", err)
}
- return item, nil
+ glog.V(3).Infof("add-entry succeded")
+ return rfc6962.DefaultHasher.HashLeaf(leaf), nil
}
-// GetProofByHash fetches and verifies an inclusion proof for a leaf against an
-// STH.
-func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, leaf []byte) (*stfe.StItem, error) {
- leafHash := rfc6962.DefaultHasher.HashLeaf(leaf)
- url := stfe.EndpointGetProofByHash.Path(c.protocol() + c.Log.BaseUrl)
+func (c *Client) GetLatestSth(ctx context.Context) (*types.StItem, error) {
+ url := stfe.EndpointGetLatestSth.Path(c.Log.Url)
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return nil, fmt.Errorf("failed creating http request: %v", err)
}
- req.Header.Set("Content-Type", "application/json")
- q := req.URL.Query()
- q.Add("hash", base64.StdEncoding.EncodeToString(leafHash))
- q.Add("tree_size", fmt.Sprintf("%d", treeSize))
- req.URL.RawQuery = q.Encode()
- glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
+ glog.V(3).Infof("created http request: %s %s", req.Method, req.URL)
item, err := c.doRequestWithStItemResponse(ctx, req)
if err != nil {
return nil, err
}
- if item.Format != stfe.StFormatInclusionProofV1 {
- return nil, fmt.Errorf("bad StItem format: %v", item.Format)
+ if got, want := item.Format, types.StFormatSignedTreeHeadV1; got != want {
+ return nil, fmt.Errorf("unexpected StItem format: %v", got)
}
- if err := VerifyInclusionProofV1(item, rootHash, leafHash); err != nil {
- return nil, fmt.Errorf("bad inclusion proof: %v", err)
+ if got, want := &item.SignedTreeHeadV1.Signature.Namespace, c.Log.Namespace; !reflect.DeepEqual(got, want) {
+ return nil, fmt.Errorf("unexpected log id: %v", want)
}
- return item, nil
-}
-// GetEntries fetches a range of entries from the log, verifying that they are
-// of type checksum_v1 and signed by a valid certificate chain in the appendix.
-// Fewer entries may be returned if too large range, in which case the end is
-// truncated.
-//
-// Note that a certificate chain is considered valid if it is chained correctly.
-// In other words, the caller may want to check whether the anchor is trusted.
-func (c *Client) GetEntries(ctx context.Context, start, end uint64) ([]*stfe.GetEntryResponse, error) {
- url := stfe.EndpointGetEntries.Path(c.protocol() + c.Log.BaseUrl)
- req, err := http.NewRequest("GET", url, nil)
+ th, err := types.Marshal(item.SignedTreeHeadV1.TreeHead)
if err != nil {
- return nil, fmt.Errorf("failed creating http request: %v", err)
- }
- req.Header.Set("Content-Type", "application/json")
- q := req.URL.Query()
- q.Add("start", fmt.Sprintf("%d", start))
- q.Add("end", fmt.Sprintf("%d", end))
- req.URL.RawQuery = q.Encode()
- glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
-
- var rsp []*stfe.GetEntryResponse
- if err := c.doRequest(ctx, req, &rsp); err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed marshaling tree head: %v", err)
}
- for _, entry := range rsp {
- var item stfe.StItem
- if err := item.Unmarshal(entry.Item); err != nil {
- return nil, fmt.Errorf("unmarshal failed: %v (%v)", err, entry)
- }
- if item.Format != stfe.StFormatChecksumV1 {
- return nil, fmt.Errorf("bad StFormat: %v (%v)", err, entry)
- }
- if err := item.ChecksumV1.Namespace.Verify(entry.Item, entry.Signature); err != nil { // TODO: only works if full vk in namespace
- return nil, fmt.Errorf("bad signature: %v (%v)", err, entry)
- }
+ if err := c.Log.Namespace.Verify(th, item.SignedTreeHeadV1.Signature.Signature); err != nil {
+ return nil, fmt.Errorf("signature verification failed: %v", err)
}
- return rsp, nil
+ glog.V(3).Infof("verified sth")
+ return item, nil
}
-// GetNamespaces fetches the log's trusted namespaces.
-func (c *Client) GetNamespaces(ctx context.Context) ([][]byte, error) {
- url := stfe.EndpointGetAnchors.Path(c.protocol() + c.Log.BaseUrl) // TODO: update GetAnchors => GetNamespaces
- req, err := http.NewRequest("GET", url, nil)
+// doRequest sends an HTTP request and outputs the raw body
+func (c *Client) doRequest(ctx context.Context, req *http.Request) ([]byte, error) {
+ rsp, err := ctxhttp.Do(ctx, c.HttpClient, req)
if err != nil {
- return nil, fmt.Errorf("failed creating http request: %v", err)
+ return nil, fmt.Errorf("no response: %v", err)
}
- var rsp [][]byte
- if err := c.doRequest(ctx, req, &rsp); err != nil {
- return nil, err
- }
- return rsp, nil
-}
-
-// doRequest sends an HTTP request and decodes the resulting json body into out
-func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface{}) error {
- rsp, err := ctxhttp.Do(ctx, c.Client, req)
- if err != nil {
- return fmt.Errorf("http request failed: %v", err)
+ defer rsp.Body.Close()
+ if got, want := rsp.StatusCode, http.StatusOK; got != want {
+ return nil, fmt.Errorf("bad http status: %v", got)
}
body, err := ioutil.ReadAll(rsp.Body)
- rsp.Body.Close()
if err != nil {
- return fmt.Errorf("http body read failed: %v", err)
+ return nil, fmt.Errorf("cannot read body: %v", err)
}
- if rsp.StatusCode != http.StatusOK {
- return fmt.Errorf("http status code not ok: %v", rsp.StatusCode)
- }
- if err := json.Unmarshal(body, out); err != nil {
- return fmt.Errorf("failed decoding json body: %v", err)
- }
- return nil
+ return body, nil
}
//
// doRequestWithStItemResponse sends an HTTP request and returns a decoded
// StItem that the resulting HTTP response contained json:ed and marshaled
-func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Request) (*stfe.StItem, error) {
- var itemStr string
- if err := c.doRequest(ctx, req, &itemStr); err != nil {
- return nil, err
- }
- b, err := base64.StdEncoding.DecodeString(itemStr)
+func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Request) (*types.StItem, error) {
+ body, err := c.doRequest(ctx, req)
if err != nil {
- return nil, fmt.Errorf("failed decoding base64 body: %v", err)
+ return nil, err
}
- var item stfe.StItem
- if err := item.Unmarshal(b); err != nil {
+ var item types.StItem
+ if err := types.Unmarshal(body, &item); err != nil {
return nil, fmt.Errorf("failed decoding StItem: %v", err)
}
- glog.V(3).Infof("got StItem: %s", item)
+ glog.V(9).Infof("got StItem: %v", item)
return &item, nil
}
-
-// protocol returns a protocol string that preceeds the log's base url
-func (c *Client) protocol() string {
- if c.useHttp {
- return "http://"
- }
- return "https://"
-}
diff --git a/client/cmd/add-entry/main.go b/client/cmd/add-entry/main.go
new file mode 100644
index 0000000..03844fa
--- /dev/null
+++ b/client/cmd/add-entry/main.go
@@ -0,0 +1,52 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+
+ "encoding/base64"
+
+ "github.com/golang/glog"
+ "github.com/system-transparency/stfe/client"
+ "github.com/system-transparency/stfe/types"
+)
+
+var (
+ identifier = flag.String("identifier", "foobar-1.2.3", "checksum identifier")
+ checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded checksum")
+)
+
+func main() {
+ flag.Parse()
+ defer glog.Flush()
+
+ client, err := client.NewClientFromFlags()
+ if err != nil {
+ glog.Errorf("NewClientFromFlags: %v", err)
+ return
+ }
+ data, err := NewChecksumV1FromFlags()
+ if err != nil {
+ glog.Errorf("NewChecksumV1FromFlags: %v", err)
+ return
+ }
+ leafHash, err := client.AddEntry(context.Background(), data)
+ if err != nil {
+ glog.Errorf("AddEntry: %v", err)
+ return
+ }
+ fmt.Println("leaf hash:", base64.StdEncoding.EncodeToString(leafHash))
+}
+
+func NewChecksumV1FromFlags() (*types.ChecksumV1, error) {
+ var err error
+ data := types.ChecksumV1{
+ Identifier: []byte(*identifier),
+ }
+ data.Checksum, err = base64.StdEncoding.DecodeString(*checksum)
+ if err != nil {
+ return nil, fmt.Errorf("entry_checksum: DecodeString: %v", err)
+ }
+ return &data, nil
+}
diff --git a/client/cmd/get-sth/main.go b/client/cmd/get-sth/main.go
new file mode 100644
index 0000000..6b23b06
--- /dev/null
+++ b/client/cmd/get-sth/main.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+
+ "encoding/base64"
+
+ "github.com/golang/glog"
+ "github.com/system-transparency/stfe/client"
+ "github.com/system-transparency/stfe/types"
+)
+
+func main() {
+ flag.Parse()
+ defer glog.Flush()
+
+ client, err := client.NewClientFromFlags()
+ if err != nil {
+ glog.Errorf("NewClientFromFlags: %v", err)
+ return
+ }
+ sth, err := client.GetLatestSth(context.Background())
+ if err != nil {
+ glog.Errorf("GetLatestSth: %v", err)
+ return
+ }
+ serialized, err := types.Marshal(*sth)
+ if err != nil {
+ glog.Errorf("Marshal: %v", err)
+ return
+ }
+ fmt.Println("sth:", base64.StdEncoding.EncodeToString(serialized))
+}
diff --git a/client/get-anchors/main.go b/client/get-anchors/main.go
deleted file mode 100644
index 1c10924..0000000
--- a/client/get-anchors/main.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package main
-
-import (
- "context"
- "flag"
- "fmt"
-
- "encoding/base64"
- "net/http"
-
- "github.com/golang/glog"
- "github.com/system-transparency/stfe/client"
- "github.com/system-transparency/stfe/descriptor"
-)
-
-var (
- operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
- logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
-)
-
-func main() {
- flag.Parse()
-
- client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
- if err != nil {
- glog.Fatal(err)
- }
-
- namespaces, err := client.GetNamespaces(context.Background())
- if err != nil {
- glog.Fatal(err)
- }
- for i, namespace := range namespaces {
- fmt.Printf("namespace[%d]: %s\n", i, base64.StdEncoding.EncodeToString(namespace))
- }
-
- glog.Flush()
-}
-
-func mustLoad(operators, logId string) *descriptor.Log {
- ops, err := descriptor.LoadOperators(operators)
- if err != nil {
- glog.Fatalf("failed loading log operators: %v")
- }
- id, err := base64.StdEncoding.DecodeString(logId)
- if err != nil {
- glog.Fatalf("invalid base64 log id: %v", err)
- }
- log, err := descriptor.FindLog(ops, id)
- if err != nil {
- glog.Fatalf("unknown log id: %v", err)
- }
- return log
-}
diff --git a/client/get-consistency-proof/main.go b/client/get-consistency-proof/main.go
deleted file mode 100644
index 283e9b8..0000000
--- a/client/get-consistency-proof/main.go
+++ /dev/null
@@ -1,94 +0,0 @@
-package main
-
-import (
- "context"
- "flag"
- "fmt"
-
- "encoding/base64"
- "net/http"
-
- "github.com/golang/glog"
- "github.com/system-transparency/stfe"
- "github.com/system-transparency/stfe/client"
- "github.com/system-transparency/stfe/descriptor"
-)
-
-var (
- operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
- logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
- first = flag.String("first", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TqQQZAAAAAAAAACEIEV75viH3o4llUxCqwoTvY38vKUiv2lg4uFd1jTfcCC5AAAAQBoc5JvG6AovqHjZAU77zrsrIN8ZuR3DIwYAFD2mcvyI/b2KcIPxH6XQ7+zTnGJPWfgwvI5sCuu/MBAAHEzZzQk=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1")
- second = flag.String("second", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TrZf7gAAAAAAAACJIEl/yYdMBb6st/D4yQXRXIAphR7i2y10jB/BbnQljy8rAAAAQBzYrWNidZ8bCdaHqi5zgxGJ6HQNfYihDhRQy20lu36a/yxKqgrvoH+dv969c4aeBEAGz5TSSAn5CwqmqUFSAQo=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1")
-)
-
-func main() {
- flag.Parse()
-
- cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
- if err != nil {
- glog.Fatal(err)
- }
- ns, err := cli.Log.Namespace()
- if err != nil {
- glog.Fatalf("bad log namespace: %v", err)
- }
-
- // Check first STH
- var sth1 stfe.StItem
- if err := sth1.UnmarshalB64(*first); err != nil {
- glog.Fatalf("bad signed tree head: %v", err)
- }
- th1, err := sth1.SignedTreeHeadV1.TreeHead.Marshal()
- if err != nil {
- glog.Fatalf("cannot marshal tree head: %v", err)
- }
- if err := ns.Verify(th1, sth1.SignedTreeHeadV1.Signature); err != nil {
- glog.Fatalf("bad signed tree head: %v", err)
- }
- glog.V(3).Info("verified first sth")
-
- // Check second STH
- var sth2 stfe.StItem
- if err := sth2.UnmarshalB64(*second); err != nil {
- glog.Fatalf("bad signed tree head: %v", err)
- }
- th2, err := sth2.SignedTreeHeadV1.TreeHead.Marshal()
- if err != nil {
- glog.Fatalf("cannot marshal tree head: %v", err)
- }
- if err := ns.Verify(th2, sth2.SignedTreeHeadV1.Signature); err != nil {
- glog.Fatalf("bad signed tree head: %v", err)
- }
- glog.V(3).Info("verified second sth")
-
- // Check consistency
- proof, err := cli.GetConsistencyProof(context.Background(), &sth1, &sth2)
- if err != nil {
- glog.Fatalf("get-proof-by-hash failed: %v", err)
- }
- glog.V(3).Info("verified inclusion proof")
-
- str, err := proof.MarshalB64()
- if err != nil {
- glog.Fatalf("failed encoding valid inclusion proof: %v", err)
- }
- fmt.Println(str)
-
- glog.Flush()
-}
-
-func mustLoad(operators, logId string) *descriptor.Log {
- ops, err := descriptor.LoadOperators(operators)
- if err != nil {
- glog.Fatalf("failed loading log operators: %v")
- }
- id, err := base64.StdEncoding.DecodeString(logId)
- if err != nil {
- glog.Fatalf("invalid base64 log id: %v", err)
- }
- log, err := descriptor.FindLog(ops, id)
- if err != nil {
- glog.Fatalf("unknown log id: %v", err)
- }
- return log
-}
diff --git a/client/get-entries/main.go b/client/get-entries/main.go
deleted file mode 100644
index 1500cd0..0000000
--- a/client/get-entries/main.go
+++ /dev/null
@@ -1,86 +0,0 @@
-package main
-
-import (
- "context"
- "flag"
- "fmt"
-
- "encoding/base64"
- "net/http"
-
- "github.com/golang/glog"
- "github.com/system-transparency/stfe"
- "github.com/system-transparency/stfe/client"
- "github.com/system-transparency/stfe/descriptor"
-)
-
-var (
- operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
- logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
- start = flag.Uint64("start", 132, "inclusive start index to download")
- end = flag.Uint64("end", 137, "inclusive stop index to download")
-)
-
-func main() {
- flag.Parse()
-
- if client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil); err != nil {
- glog.Fatal(err)
- } else if items, err := getRange(client, *start, *end); err != nil {
- glog.Fatal(err)
- } else if err := printRange(items); err != nil {
- glog.Fatal(err)
- }
-
- glog.Flush()
-}
-
-func getRange(client *client.Client, start, end uint64) ([]*stfe.StItem, error) {
- items := make([]*stfe.StItem, 0, end-start+1)
- for len(items) != cap(items) {
- rsps, err := client.GetEntries(context.Background(), start, end)
- if err != nil {
- return nil, fmt.Errorf("fetching entries failed: %v", err)
- }
-
- for _, rsp := range rsps {
- var item stfe.StItem
- if err := item.Unmarshal(rsp.Item); err != nil {
- return nil, fmt.Errorf("expected valid StItem but unmarshal failed: %v", err)
- } else if item.Format != stfe.StFormatChecksumV1 {
- return nil, fmt.Errorf("expected checksum_v1 but got: %v", item.Format)
- }
- items = append(items, &item)
- }
- start += uint64(len(rsps))
- }
- return items, nil
-}
-
-func printRange(items []*stfe.StItem) error {
- for i, item := range items {
- glog.V(3).Infof("Index(%d): %s", *start+uint64(i), item)
- str, err := item.MarshalB64()
- if err != nil {
- glog.Fatalf("expected valid StItem but marshal failed: %v", err)
- }
- fmt.Printf("Index(%d): %s\n", *start+uint64(i), str)
- }
- return nil
-}
-
-func mustLoad(operators, logId string) *descriptor.Log {
- ops, err := descriptor.LoadOperators(operators)
- if err != nil {
- glog.Fatalf("failed loading log operators: %v")
- }
- id, err := base64.StdEncoding.DecodeString(logId)
- if err != nil {
- glog.Fatalf("invalid base64 log id: %v", err)
- }
- log, err := descriptor.FindLog(ops, id)
- if err != nil {
- glog.Fatalf("unknown log id: %v", err)
- }
- return log
-}
diff --git a/client/get-proof-by-hash/main.go b/client/get-proof-by-hash/main.go
deleted file mode 100644
index 00a4486..0000000
--- a/client/get-proof-by-hash/main.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package main
-
-import (
- "context"
- "flag"
- "fmt"
-
- "encoding/base64"
- "net/http"
-
- "github.com/golang/glog"
- "github.com/system-transparency/stfe"
- "github.com/system-transparency/stfe/client"
- "github.com/system-transparency/stfe/descriptor"
-)
-
-var (
- operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
- logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
- signedTreeHead = flag.String("sth", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3Ts1DPAAAAAAAAACKIOjuyYlimCylCNmIliPWn+O+oOPpvdtllbJnp+xKV3qhAAAAQKW2+4+3a2cgERULDrbwoeevo6q1JxY8mcj73XPLAhcmlR/YmtuWv6PEJYiLP/bclN6ZQ5ttQq1/9hG+VvgLvA4=", "base64-encoded StItem of type StFormatSignedTreeHeadV1")
- entry = flag.String("entry", "AAUFZGViaTYw50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75eAAEgHOQFUkKNWpjYAhNKTyWCzahlI7RDtf5123kHD2LACj0=", "base64-encoded StItem of type StFormatChecksumV1")
-)
-
-func main() {
- flag.Parse()
-
- cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
- if err != nil {
- glog.Fatal(err)
- }
- ns, err := cli.Log.Namespace()
- if err != nil {
- glog.Fatalf("bad log namespace: %v", err)
- }
-
- // Check STH
- var sth stfe.StItem
- if err := sth.UnmarshalB64(*signedTreeHead); err != nil {
- glog.Fatalf("bad signed tree head: %v", err)
- }
- th, err := sth.SignedTreeHeadV1.TreeHead.Marshal()
- if err != nil {
- glog.Fatalf("cannot marshal tree head: %v", err)
- }
- if err := ns.Verify(th, sth.SignedTreeHeadV1.Signature); err != nil {
- glog.Fatalf("bad signed tree head: %v", err)
- }
- glog.V(3).Info("verified sth")
-
- // Check inclusion
- leaf, err := base64.StdEncoding.DecodeString(*entry)
- if err != nil {
- glog.Fatalf("failed decoding entry: %v", err)
- }
- proof, err := cli.GetProofByHash(context.Background(), sth.SignedTreeHeadV1.TreeHead.TreeSize, sth.SignedTreeHeadV1.TreeHead.RootHash.Data, leaf)
- if err != nil {
- glog.Fatalf("get-proof-by-hash failed: %v", err)
- }
- glog.V(3).Info("verified inclusion proof")
-
- str, err := proof.MarshalB64()
- if err != nil {
- glog.Fatalf("failed encoding valid inclusion proof: %v", err)
- }
- fmt.Println(str)
-
- glog.Flush()
-}
-
-func mustLoad(operators, logId string) *descriptor.Log {
- ops, err := descriptor.LoadOperators(operators)
- if err != nil {
- glog.Fatalf("failed loading log operators: %v")
- }
- id, err := base64.StdEncoding.DecodeString(logId)
- if err != nil {
- glog.Fatalf("invalid base64 log id: %v", err)
- }
- log, err := descriptor.FindLog(ops, id)
- if err != nil {
- glog.Fatalf("unknown log id: %v", err)
- }
- return log
-}
diff --git a/client/get-sth/main.go b/client/get-sth/main.go
deleted file mode 100644
index e952ee3..0000000
--- a/client/get-sth/main.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package main
-
-import (
- "context"
- "flag"
- "fmt"
-
- "encoding/base64"
- "net/http"
-
- "github.com/golang/glog"
- "github.com/system-transparency/stfe/client"
- "github.com/system-transparency/stfe/descriptor"
-)
-
-var (
- operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
- logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
-)
-
-func main() {
- flag.Parse()
-
- client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
- if err != nil {
- glog.Fatal(err)
- }
-
- sth, err := client.GetSth(context.Background())
- if err != nil {
- glog.Fatalf("get-sth failed: %v", err)
- }
-
- str, err := sth.MarshalB64()
- if err != nil {
- glog.Fatalf("failed encoding valid signed tree head: %v", err)
- }
- fmt.Println(str)
-
- glog.Flush()
-}
-
-func mustLoad(operators, logId string) *descriptor.Log {
- ops, err := descriptor.LoadOperators(operators)
- if err != nil {
- glog.Fatalf("failed loading log operators: %v")
- }
- id, err := base64.StdEncoding.DecodeString(logId)
- if err != nil {
- glog.Fatalf("invalid base64 log id: %v", err)
- }
- log, err := descriptor.FindLog(ops, id)
- if err != nil {
- glog.Fatalf("unknown log id: %v", err)
- }
- return log
-}
diff --git a/client/verify.go b/client/verify.go
deleted file mode 100644
index 3ce02e7..0000000
--- a/client/verify.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package client
-
-import (
- "github.com/google/trillian/merkle"
- "github.com/google/trillian/merkle/rfc6962"
- "github.com/system-transparency/stfe"
-)
-
-// VerifyConsistencyProofV1 verifies that a consistency proof is valid without
-// checking any sth signature
-func VerifyConsistencyProofV1(proof, first, second *stfe.StItem) error {
- path := make([][]byte, 0, len(proof.ConsistencyProofV1.ConsistencyPath))
- for _, nh := range proof.ConsistencyProofV1.ConsistencyPath {
- path = append(path, nh.Data)
- }
- return merkle.NewLogVerifier(rfc6962.DefaultHasher).VerifyConsistencyProof(
- int64(proof.ConsistencyProofV1.TreeSize1),
- int64(proof.ConsistencyProofV1.TreeSize2),
- first.SignedTreeHeadV1.TreeHead.RootHash.Data,
- second.SignedTreeHeadV1.TreeHead.RootHash.Data,
- path,
- )
-}
-
-// VerifyInclusionProofV1 verifies that an inclusion proof is valid without checking
-// any sth signature
-func VerifyInclusionProofV1(proof *stfe.StItem, rootHash, leafHash []byte) error {
- path := make([][]byte, 0, len(proof.InclusionProofV1.InclusionPath))
- for _, nh := range proof.InclusionProofV1.InclusionPath {
- path = append(path, nh.Data)
- }
- return merkle.NewLogVerifier(rfc6962.DefaultHasher).VerifyInclusionProof(
- int64(proof.InclusionProofV1.LeafIndex),
- int64(proof.InclusionProofV1.TreeSize),
- path,
- rootHash,
- leafHash,
- )
-}
diff --git a/descriptor/descriptor.go b/descriptor/descriptor.go
deleted file mode 100644
index efe2cf1..0000000
--- a/descriptor/descriptor.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package descriptor
-
-import (
- "bytes"
- "fmt"
-
- "encoding/base64"
- "encoding/json"
- "io/ioutil"
-
- "github.com/system-transparency/stfe/namespace"
-)
-
-// Operator is an stfe log operator that runs zero or more logs
-type Operator struct {
- Name string `json:"name"`
- Email string `json:"email"`
- Logs []*Log `json:"logs"`
-}
-
-// Log is a collection of immutable stfe log parameters
-type Log struct {
- Id []byte `json:"id"` // Serialized namespace
- BaseUrl string `json:"base_url"` // E.g., example.com/st/v1
- // TODO: List of supported namespace types?
-}
-
-func FindLog(ops []Operator, logId []byte) (*Log, error) {
- for _, op := range ops {
- for _, log := range op.Logs {
- if bytes.Equal(logId, log.Id) {
- return log, nil
- }
- }
- }
- return nil, fmt.Errorf("no such log: %s", base64.StdEncoding.EncodeToString(logId))
-}
-
-// LoadOperators loads a list of json-encoded log operators from a given path
-func LoadOperators(path string) ([]Operator, error) {
- blob, err := ioutil.ReadFile(path)
- if err != nil {
- return nil, fmt.Errorf("failed reading log operators: %v", err)
- }
- var ops []Operator
- if err := json.Unmarshal(blob, &ops); err != nil {
- return nil, fmt.Errorf("failed decoding log operators: %v", err)
- }
- return ops, nil
-}
-
-func (l *Log) Namespace() (*namespace.Namespace, error) {
- var n namespace.Namespace
- if err := n.Unmarshal(l.Id); err != nil {
- return nil, fmt.Errorf("invalid namespace: %v", err)
- }
- return &n, nil
-}
diff --git a/descriptor/descriptor_test.go b/descriptor/descriptor_test.go
deleted file mode 100644
index 22641ca..0000000
--- a/descriptor/descriptor_test.go
+++ /dev/null
@@ -1,109 +0,0 @@
-package descriptor
-
-import (
- "fmt"
- "testing"
-
- "encoding/base64"
- "encoding/json"
-)
-
-const (
- operatorListJson = `[{"name":"Test operator","email":"test@example.com","logs":[{"id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=","base_url":"example.com/st/v1"}]}]`
-)
-
-func TestMarshal(t *testing.T) {
- for _, table := range []struct {
- in []Operator
- want string
- }{
- {makeOperatorList(), operatorListJson},
- } {
- b, err := json.Marshal(table.in)
- if err != nil {
- t.Errorf("operator list marshaling failed: %v", err)
- }
- if string(b) != table.want {
- t.Errorf("\nwant %s\n got %s", table.want, string(b))
- }
- }
-
-}
-
-func TestUnmarshal(t *testing.T) {
- for _, table := range []struct {
- in []byte
- want error
- }{
- {[]byte(operatorListJson), nil},
- } {
- var op []Operator
- if err := json.Unmarshal(table.in, &op); err != table.want {
- t.Errorf("wanted err=%v, got %v", table.want, err)
- }
- }
-}
-
-func TestFindLog(t *testing.T) {
- for _, table := range []struct {
- ops []Operator
- logId []byte
- wantError bool
- }{
- {makeOperatorList(), deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), false},
- {makeOperatorList(), []byte{0, 1, 2, 3}, true},
- } {
- _, err := FindLog(table.ops, table.logId)
- if (err != nil) != table.wantError {
- t.Errorf("wanted log not found for id: %v", table.logId)
- }
- }
-}
-
-func TestNamespace(t *testing.T) {
- for _, table := range []struct {
- description string
- id []byte
- wantErr bool
- }{
- {
- description: "invalid: not a namespace",
- id: []byte{0,1,2,3},
- wantErr: true,
- },
- {
- description: "valid",
- id: deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="),
- },
- }{
- l := &Log{ Id: table.id, BaseUrl: "example.com/st/v1" }
- _, err := l.Namespace()
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("wanted error %v but got %v in test %q: %v", got, want, table.description, err)
- return
- }
- }
-}
-
-func makeOperatorList() []Operator {
- return []Operator{
- Operator{
- Name: "Test operator",
- Email: "test@example.com",
- Logs: []*Log{
- &Log{
- Id: deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="),
- BaseUrl: "example.com/st/v1",
- },
- },
- },
- }
-}
-
-func deb64(s string) []byte {
- b, err := base64.StdEncoding.DecodeString(s)
- if err != nil {
- panic(fmt.Sprintf("failed decoding base64: %v", err))
- }
- return b
-}
diff --git a/descriptor/stfe.json b/descriptor/stfe.json
deleted file mode 100644
index 34f884b..0000000
--- a/descriptor/stfe.json
+++ /dev/null
@@ -1,12 +0,0 @@
-[
- {
- "name": "Test operator",
- "email":"test@example.com",
- "logs": [
- {
- "id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=",
- "base_url":"localhost:6965/st/v1"
- }
- ]
- }
-]
diff --git a/go.mod b/go.mod
index af0c837..2e88d16 100644
--- a/go.mod
+++ b/go.mod
@@ -8,5 +8,6 @@ require (
github.com/google/certificate-transparency-go v1.1.1
github.com/google/trillian v1.3.13
github.com/prometheus/client_golang v1.9.0 // indirect
+ golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
google.golang.org/grpc v1.35.0
)
diff --git a/server/main.go b/server/main.go
index d45079b..122a6fe 100644
--- a/server/main.go
+++ b/server/main.go
@@ -30,7 +30,7 @@ var (
prefix = flag.String("prefix", "st/v1", "a prefix that proceeds each endpoint path")
trillianID = flag.Int64("trillian_id", 5991359069696313945, "log identifier in the Trillian database")
deadline = flag.Duration("deadline", time.Second*10, "deadline for backend requests")
- key = flag.String("key", "8gzezwrU/2eTrO6tEYyLKsoqn5V54URvKIL9cTE7jUYUqXVX4neJvcBq/zpSAYPsZFG1woh0OGBzQbi9UP9MZw==", "base64-encoded Ed25519 signing key")
+ key = flag.String("key", "d3qiIZ/BBPLwZ3rlPEC/Eo2GWvhseUrgs+pX+/BwXSEsY0retj4wa3S2fjsOCJCTVHab7ipEiMdqtW1uJ6Jvmg==", "base64-encoded Ed25519 signing key")
submitterPolicy = flag.Bool("submitter_policy", false, "whether there is any submitter namespace policy (default: none, accept unregistered submitter namespaces)")
witnessPolicy = flag.Bool("witness_policy", false, "whether there is any witness namespace policy (default: none, accept unregistered witness namespaces)")
submitters = flag.String("submitters", "", "comma-separated list of trusted submitter namespaces in base64 (default: none)")