replaced x509 with namespace on the client-side

12 files changed, 255 insertions, 224 deletions

diff --git a/client/add-entry/main.go b/client/add-entry/main.go
index 0f494aa..52861ef 100644
--- a/client/add-entry/main.go
+++ b/client/add-entry/main.go
@@ -5,18 +5,19 @@ import (
 	"flag"
 	"fmt"
 
+	"crypto/ed25519"
 	"encoding/base64"
 	"net/http"
 
 	"github.com/golang/glog"
 	"github.com/system-transparency/stfe/client"
+	"github.com/system-transparency/stfe/descriptor"
 )
 
 var (
 	operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
-	logId     = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
-	chain     = flag.String("chain", "../../x509util/testdata/chain.pem", "path to pem-encoded certificate chain that the log accepts")
-	key       = flag.String("key", "../../x509util/testdata/end-entity.key", "path to ed25519 private key that corresponds to the chain's end-entity certificate")
+	logId     = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
+	key       = flag.String("key", "Zaajc50Xt1tNpTj6WYkljzcVjLXL2CcQcHFT/xZqYEcc5AVSQo1amNgCE0pPJYLNqGUjtEO1/nXbeQcPYsAKPQ==", "base64-encoded ed25519 signing key")
 	name      = flag.String("name", "foobar-1.2.3", "package name")
 	checksum  = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded package checksum")
 )
@@ -24,17 +25,13 @@ var (
 func main() {
 	flag.Parse()
 
-	pname := []byte(*name)
-	psum, err := base64.StdEncoding.DecodeString(*checksum)
-	if err != nil {
-		glog.Fatalf("failed decoding checksum: %v", err)
-	}
-
-	client, err := client.NewClientFromPath(*logId, *chain, *key, *operators, &http.Client{}, true)
+	log, sk, sum := mustLoad(*operators, *logId, *key, *checksum)
+	client, err := client.NewClient(log, &http.Client{}, true, sk)
 	if err != nil {
 		glog.Fatal(err)
 	}
-	sdi, err := client.AddEntry(context.Background(), pname, psum)
+
+	sdi, err := client.AddEntry(context.Background(), []byte(*name), sum)
 	if err != nil {
 		glog.Fatalf("add-entry failed: %v", err)
 	}
@@ -47,3 +44,28 @@ func main() {
 
 	glog.Flush()
 }
+
+func mustLoad(operators, logId, key, checksum string) (*descriptor.Log, *ed25519.PrivateKey, []byte) {
+	ops, err := descriptor.LoadOperators(operators)
+	if err != nil {
+		glog.Fatalf("failed loading log operators: %v")
+	}
+	id, err := base64.StdEncoding.DecodeString(logId)
+	if err != nil {
+		glog.Fatalf("invalid base64 log id: %v", err)
+	}
+	log, err := descriptor.FindLog(ops, id)
+	if err != nil {
+		glog.Fatalf("unknown log id: %v", err)
+	}
+	b, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		glog.Fatalf("invalid base64 key: %v", err)
+	}
+	sk := ed25519.PrivateKey(b)
+	b, err = base64.StdEncoding.DecodeString(checksum)
+	if err != nil {
+		glog.Fatalf("failed decoding checksum: %v", err)
+	}
+	return log, &sk, b
+}
diff --git a/client/client.go b/client/client.go
index f474401..0cbf432 100644
--- a/client/client.go
+++ b/client/client.go
@@ -6,8 +6,6 @@ import (
 	"fmt"
 
 	"crypto/ed25519"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"io/ioutil"
@@ -17,7 +15,7 @@ import (
 	"github.com/google/trillian/merkle/rfc6962"
 	"github.com/system-transparency/stfe"
 	"github.com/system-transparency/stfe/descriptor"
-	"github.com/system-transparency/stfe/x509util"
+	"github.com/system-transparency/stfe/namespace"
 	"golang.org/x/net/context/ctxhttp"
 )
 
@@ -25,73 +23,40 @@ import (
 type Client struct {
 	Log        *descriptor.Log
 	Client     *http.Client
-	Chain      []*x509.Certificate
 	PrivateKey *ed25519.PrivateKey
+	Namespace  *namespace.Namespace
 	useHttp    bool
 }
 
-// NewClient returns a new log client
-func NewClient(log *descriptor.Log, client *http.Client, useHttp bool, chain []*x509.Certificate, privateKey *ed25519.PrivateKey) *Client {
-	return &Client{
+// NewClient returns a new log client.
+//
+// Note: private key can be ommied if no write APIs are used.
+func NewClient(log *descriptor.Log, client *http.Client, useHttp bool, privateKey *ed25519.PrivateKey) (*Client, error) {
+	c := &Client{
 		Log:        log,
-		Chain:      chain,
 		Client:     client,
 		PrivateKey: privateKey,
 		useHttp:    useHttp,
 	}
-}
-
-// NewClientFromPath loads necessary data from file before creating a new
-// client, namely, a pem-encoded certificate chain, a pem-encoded ed25519
-// private key, and a json-encoded list of log operators (see descriptor).
-// Chain and key paths may be left out by passing the empty string: "".
-func NewClientFromPath(logId, chainPath, keyPath, operatorsPath string, cli *http.Client, useHttp bool) (*Client, error) {
-	pem, err := ioutil.ReadFile(chainPath)
-	if err != nil && chainPath != "" {
-		return nil, fmt.Errorf("failed reading %s: %v", chainPath, err)
-	}
-	c, err := x509util.NewCertificateList(pem)
-	if err != nil {
-		return nil, err
-	}
-
-	pem, err = ioutil.ReadFile(keyPath)
-	if err != nil && keyPath != "" {
-		return nil, fmt.Errorf("failed reading %s: %v", keyPath, err)
-	}
-	k, err := x509util.NewEd25519PrivateKey(pem)
-	if err != nil && keyPath != "" {
-		return nil, err
-	}
-
-	ops, err := descriptor.LoadOperators(operatorsPath)
-	if err != nil {
-		return nil, err
-	}
-
-	id, err := base64.StdEncoding.DecodeString(logId)
-	if err != nil {
-		return nil, fmt.Errorf("failed decoding log identifier: %v", err)
-	}
-
-	log, err := descriptor.FindLog(ops, id)
-	if err != nil {
-		return nil, err
+	if privateKey != nil {
+		var err error
+		c.Namespace, err = namespace.NewNamespaceEd25519V1([]byte(privateKey.Public().(ed25519.PublicKey)))
+		if err != nil {
+			return nil, fmt.Errorf("failed creating namespace: %v", err)
+		}
 	}
-	return NewClient(log, cli, useHttp, c, &k), nil
+	return c, nil
 }
 
 // AddEntry creates, signs, and adds a new ChecksumV1 entry to the log
 func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StItem, error) {
-	leaf, err := stfe.NewChecksumV1(name, checksum).Marshal()
+	leaf, err := stfe.NewChecksumV1(name, checksum, c.Namespace).Marshal()
 	if err != nil {
 		return nil, fmt.Errorf("failed marshaling StItem: %v", err)
 	}
 	data, err := json.Marshal(stfe.AddEntryRequest{
-		Item:            leaf,
-		Signature:       ed25519.Sign(*c.PrivateKey, leaf),
-		SignatureScheme: uint16(tls.Ed25519),
-		Chain:           c.chain(),
+		Item:      leaf,
+		Signature: ed25519.Sign(*c.PrivateKey, leaf),
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed creating post data: %v", err)
@@ -114,16 +79,15 @@ func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StI
 		return nil, fmt.Errorf("bad StItem format: %v", item.Format)
 	}
 
-	if k, err := c.Log.Key(); err != nil {
-		return nil, fmt.Errorf("bad public key: %v", err)
-	} else if err := VerifySignedDebugInfoV1(item, c.Log.Scheme, k, leaf); err != nil {
+	if ns, err := c.Log.Namespace(); err != nil {
+		return nil, fmt.Errorf("invalid log namespace: %v", err)
+	} else if err := ns.Verify(leaf, item.SignedDebugInfoV1.Signature); err != nil {
 		return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err)
 	}
 	return item, nil
 }
 
-// GetSth fetches and verifies the most recent STH.  Safe to use without a
-// client chain and corresponding private key.
+// GetSth fetches and verifies the most recent STH.
 func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
 	url := stfe.EndpointGetSth.Path(c.protocol() + c.Log.BaseUrl)
 	req, err := http.NewRequest("GET", url, nil)
@@ -139,17 +103,21 @@ func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
 	if item.Format != stfe.StFormatSignedTreeHeadV1 {
 		return nil, fmt.Errorf("bad StItem format: %v", item.Format)
 	}
+	th, err := item.SignedTreeHeadV1.TreeHead.Marshal()
+	if err != nil {
+		return nil, fmt.Errorf("failed marshaling tree head: %v", err)
+	}
 
-	if k, err := c.Log.Key(); err != nil {
+	if ns, err := c.Log.Namespace(); err != nil {
 		return nil, fmt.Errorf("bad public key: %v", err)
-	} else if err := VerifySignedTreeHeadV1(item, c.Log.Scheme, k); err != nil {
-		return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err)
+	} else if err := ns.Verify(th, item.SignedTreeHeadV1.Signature); err != nil {
+		return nil, fmt.Errorf("bad SignedTreeHeadV1 signature: %v", err)
 	}
 	return item, nil
 }
 
 // GetConsistencyProof fetches and verifies a consistency proof between two
-// STHs.  Safe to use without a client chain and corresponding private key.
+// STHs.
 func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.StItem) (*stfe.StItem, error) {
 	url := stfe.EndpointGetConsistencyProof.Path(c.protocol() + c.Log.BaseUrl)
 	req, err := http.NewRequest("GET", url, nil)
@@ -177,7 +145,7 @@ func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.St
 }
 
 // GetProofByHash fetches and verifies an inclusion proof for a leaf against an
-// STH.  Safe to use without a client chain and corresponding private key.
+// STH.
 func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, leaf []byte) (*stfe.StItem, error) {
 	leafHash := rfc6962.DefaultHasher.HashLeaf(leaf)
 	url := stfe.EndpointGetProofByHash.Path(c.protocol() + c.Log.BaseUrl)
@@ -208,7 +176,7 @@ func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash,
 // GetEntries fetches a range of entries from the log, verifying that they are
 // of type checksum_v1 and signed by a valid certificate chain in the appendix.
 // Fewer entries may be returned if too large range, in which case the end is
-// truncated. Safe to use without a client chain and corresponding private key.
+// truncated.
 //
 // Note that a certificate chain is considered valid if it is chained correctly.
 // In other words, the caller may want to check whether the anchor is trusted.
@@ -237,21 +205,16 @@ func (c *Client) GetEntries(ctx context.Context, start, end uint64) ([]*stfe.Get
 		if item.Format != stfe.StFormatChecksumV1 {
 			return nil, fmt.Errorf("bad StFormat: %v (%v)", err, entry)
 		}
-		if chain, err := x509util.ParseDerList(entry.Chain); err != nil {
-			return nil, fmt.Errorf("bad certificate chain: %v (%v)", err, entry)
-		} else if err := x509util.VerifyChain(chain); err != nil {
-			return nil, fmt.Errorf("invalid certificate chain: %v (%v)", err, entry)
-		} else if err := VerifyChecksumV1(&item, chain[0].PublicKey, entry.Signature, tls.SignatureScheme(entry.SignatureScheme)); err != nil {
-			return nil, fmt.Errorf("invalid signature: %v (%v)", err, entry)
+		if err := item.ChecksumV1.Namespace.Verify(entry.Item, entry.Signature); err != nil { // TODO: only works if full vk in namespace
+			return nil, fmt.Errorf("bad signature: %v (%v)", err, entry)
 		}
 	}
 	return rsp, nil
 }
 
-// GetAnchors fetches the log's trust anchors.  Safe to use without a client
-// chain and corresponding private key.
-func (c *Client) GetAnchors(ctx context.Context) ([]*x509.Certificate, error) {
-	url := stfe.EndpointGetAnchors.Path(c.protocol() + c.Log.BaseUrl)
+// GetNamespaces fetches the log's trusted namespaces.
+func (c *Client) GetNamespaces(ctx context.Context) ([][]byte, error) {
+	url := stfe.EndpointGetAnchors.Path(c.protocol() + c.Log.BaseUrl) // TODO: update GetAnchors => GetNamespaces
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed creating http request: %v", err)
@@ -260,15 +223,7 @@ func (c *Client) GetAnchors(ctx context.Context) ([]*x509.Certificate, error) {
 	if err := c.doRequest(ctx, req, &rsp); err != nil {
 		return nil, err
 	}
-	return x509util.ParseDerList(rsp)
-}
-
-func (c *Client) chain() [][]byte {
-	chain := make([][]byte, 0, len(c.Chain))
-	for _, cert := range c.Chain {
-		chain = append(chain, cert.Raw)
-	}
-	return chain
+	return rsp, nil
 }
 
 // doRequest sends an HTTP request and decodes the resulting json body into out
@@ -291,6 +246,7 @@ func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface
 	return nil
 }
 
+//
 // doRequestWithStItemResponse sends an HTTP request and returns a decoded
 // StItem that the resulting HTTP response contained json:ed and marshaled
 func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Request) (*stfe.StItem, error) {
diff --git a/client/get-anchors/main.go b/client/get-anchors/main.go
index fe00445..1c10924 100644
--- a/client/get-anchors/main.go
+++ b/client/get-anchors/main.go
@@ -10,29 +10,45 @@ import (
 
 	"github.com/golang/glog"
 	"github.com/system-transparency/stfe/client"
+	"github.com/system-transparency/stfe/descriptor"
 )
 
 var (
 	operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
-	logId     = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
+	logId     = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
 )
 
 func main() {
 	flag.Parse()
 
-	client, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true)
+	client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
 	if err != nil {
 		glog.Fatal(err)
 	}
 
-	anchors, err := client.GetAnchors(context.Background())
+	namespaces, err := client.GetNamespaces(context.Background())
 	if err != nil {
 		glog.Fatal(err)
 	}
-	for i, anchor := range anchors {
-		glog.V(3).Infof("anchor[%d] serial number: %x", i, anchor.SerialNumber)
-		fmt.Printf("anchor[%d]: %s\n", i, base64.StdEncoding.EncodeToString(anchor.Raw))
+	for i, namespace := range namespaces {
+		fmt.Printf("namespace[%d]: %s\n", i, base64.StdEncoding.EncodeToString(namespace))
 	}
 
 	glog.Flush()
 }
+
+func mustLoad(operators, logId string) *descriptor.Log {
+	ops, err := descriptor.LoadOperators(operators)
+	if err != nil {
+		glog.Fatalf("failed loading log operators: %v")
+	}
+	id, err := base64.StdEncoding.DecodeString(logId)
+	if err != nil {
+		glog.Fatalf("invalid base64 log id: %v", err)
+	}
+	log, err := descriptor.FindLog(ops, id)
+	if err != nil {
+		glog.Fatalf("unknown log id: %v", err)
+	}
+	return log
+}
diff --git a/client/get-consistency-proof/main.go b/client/get-consistency-proof/main.go
index 316bbdc..283e9b8 100644
--- a/client/get-consistency-proof/main.go
+++ b/client/get-consistency-proof/main.go
@@ -5,51 +5,63 @@ import (
 	"flag"
 	"fmt"
 
+	"encoding/base64"
 	"net/http"
 
 	"github.com/golang/glog"
 	"github.com/system-transparency/stfe"
 	"github.com/system-transparency/stfe/client"
+	"github.com/system-transparency/stfe/descriptor"
 )
 
 var (
 	operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
-	logId     = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
-	first     = flag.String("first", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jnn7fwAAAAAAAAAxICCqLJn4QWYd0aRIRjDWGf4GWalDIb/iH60jSSX89WgvAAAAQF9XPFRdM56KaelHFFg1RqjTw1yFL085zHhdNkLeZh9BCXxVTByqrHEMngAkY69EX45aJMWh9NymmPau0qoigA8=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1")
-	second    = flag.String("second", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jsZrygAAAAAAAABFIL7Zz0WEolql7o7G496Izl7Qy/l2Qd/Pwc87W8jFPoL6AAAAQHc7ttIDUKuMJR7uqCLb3qqAxiwEN5KLt/7IblT7f+QaKq4BqqI3cO6vT3eMSZMHZDd4EkgvkAwo1o7IsA4N8Qc=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1")
+	logId     = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
+	first     = flag.String("first", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TqQQZAAAAAAAAACEIEV75viH3o4llUxCqwoTvY38vKUiv2lg4uFd1jTfcCC5AAAAQBoc5JvG6AovqHjZAU77zrsrIN8ZuR3DIwYAFD2mcvyI/b2KcIPxH6XQ7+zTnGJPWfgwvI5sCuu/MBAAHEzZzQk=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1")
+	second    = flag.String("second", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TrZf7gAAAAAAAACJIEl/yYdMBb6st/D4yQXRXIAphR7i2y10jB/BbnQljy8rAAAAQBzYrWNidZ8bCdaHqi5zgxGJ6HQNfYihDhRQy20lu36a/yxKqgrvoH+dv969c4aeBEAGz5TSSAn5CwqmqUFSAQo=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1")
 )
 
 func main() {
 	flag.Parse()
 
-	cli, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true)
+	cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
 	if err != nil {
 		glog.Fatal(err)
 	}
-
-	k, err := cli.Log.Key()
+	ns, err := cli.Log.Namespace()
 	if err != nil {
-		glog.Fatalf("bad public key: %v", err)
+		glog.Fatalf("bad log namespace: %v", err)
 	}
 
+	// Check first STH
 	var sth1 stfe.StItem
 	if err := sth1.UnmarshalB64(*first); err != nil {
 		glog.Fatalf("bad signed tree head: %v", err)
 	}
-	if err := client.VerifySignedTreeHeadV1(&sth1, cli.Log.Scheme, k); err != nil {
+	th1, err := sth1.SignedTreeHeadV1.TreeHead.Marshal()
+	if err != nil {
+		glog.Fatalf("cannot marshal tree head: %v", err)
+	}
+	if err := ns.Verify(th1, sth1.SignedTreeHeadV1.Signature); err != nil {
 		glog.Fatalf("bad signed tree head: %v", err)
 	}
 	glog.V(3).Info("verified first sth")
 
+	// Check second STH
 	var sth2 stfe.StItem
 	if err := sth2.UnmarshalB64(*second); err != nil {
 		glog.Fatalf("bad signed tree head: %v", err)
 	}
-	if err := client.VerifySignedTreeHeadV1(&sth2, cli.Log.Scheme, k); err != nil {
+	th2, err := sth2.SignedTreeHeadV1.TreeHead.Marshal()
+	if err != nil {
+		glog.Fatalf("cannot marshal tree head: %v", err)
+	}
+	if err := ns.Verify(th2, sth2.SignedTreeHeadV1.Signature); err != nil {
 		glog.Fatalf("bad signed tree head: %v", err)
 	}
 	glog.V(3).Info("verified second sth")
 
+	// Check consistency
 	proof, err := cli.GetConsistencyProof(context.Background(), &sth1, &sth2)
 	if err != nil {
 		glog.Fatalf("get-proof-by-hash failed: %v", err)
@@ -64,3 +76,19 @@ func main() {
 
 	glog.Flush()
 }
+
+func mustLoad(operators, logId string) *descriptor.Log {
+	ops, err := descriptor.LoadOperators(operators)
+	if err != nil {
+		glog.Fatalf("failed loading log operators: %v")
+	}
+	id, err := base64.StdEncoding.DecodeString(logId)
+	if err != nil {
+		glog.Fatalf("invalid base64 log id: %v", err)
+	}
+	log, err := descriptor.FindLog(ops, id)
+	if err != nil {
+		glog.Fatalf("unknown log id: %v", err)
+	}
+	return log
+}
diff --git a/client/get-entries/main.go b/client/get-entries/main.go
index 511d53d..1500cd0 100644
--- a/client/get-entries/main.go
+++ b/client/get-entries/main.go
@@ -5,24 +5,26 @@ import (
 	"flag"
 	"fmt"
 
+	"encoding/base64"
 	"net/http"
 
 	"github.com/golang/glog"
 	"github.com/system-transparency/stfe"
 	"github.com/system-transparency/stfe/client"
+	"github.com/system-transparency/stfe/descriptor"
 )
 
 var (
 	operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
-	logId     = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
-	start     = flag.Uint64("start", 50, "inclusive start index to download")
-	end       = flag.Uint64("end", 60, "inclusive stop index to download")
+	logId     = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
+	start     = flag.Uint64("start", 132, "inclusive start index to download")
+	end       = flag.Uint64("end", 137, "inclusive stop index to download")
 )
 
 func main() {
 	flag.Parse()
 
-	if client, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true); err != nil {
+	if client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil); err != nil {
 		glog.Fatal(err)
 	} else if items, err := getRange(client, *start, *end); err != nil {
 		glog.Fatal(err)
@@ -66,3 +68,19 @@ func printRange(items []*stfe.StItem) error {
 	}
 	return nil
 }
+
+func mustLoad(operators, logId string) *descriptor.Log {
+	ops, err := descriptor.LoadOperators(operators)
+	if err != nil {
+		glog.Fatalf("failed loading log operators: %v")
+	}
+	id, err := base64.StdEncoding.DecodeString(logId)
+	if err != nil {
+		glog.Fatalf("invalid base64 log id: %v", err)
+	}
+	log, err := descriptor.FindLog(ops, id)
+	if err != nil {
+		glog.Fatalf("unknown log id: %v", err)
+	}
+	return log
+}
diff --git a/client/get-proof-by-hash/main.go b/client/get-proof-by-hash/main.go
index 964bcda..00a4486 100644
--- a/client/get-proof-by-hash/main.go
+++ b/client/get-proof-by-hash/main.go
@@ -11,34 +11,43 @@ import (
 	"github.com/golang/glog"
 	"github.com/system-transparency/stfe"
 	"github.com/system-transparency/stfe/client"
+	"github.com/system-transparency/stfe/descriptor"
 )
 
 var (
 	operators      = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
-	logId          = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
-	signedTreeHead = flag.String("sth", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jnn7fwAAAAAAAAAxICCqLJn4QWYd0aRIRjDWGf4GWalDIb/iH60jSSX89WgvAAAAQF9XPFRdM56KaelHFFg1RqjTw1yFL085zHhdNkLeZh9BCXxVTByqrHEMngAkY69EX45aJMWh9NymmPau0qoigA8=", "base64-encoded StItem of type StFormatSignedTreeHeadV1")
-	entry          = flag.String("entry", "AAUBOCAsYkIyzdIhdxKU37sxCsoACg32rItmtpbZDvBv3vtkow==", "base64-encoded StItem of type StFormatChecksumV1")
+	logId          = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
+	signedTreeHead = flag.String("sth", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3Ts1DPAAAAAAAAACKIOjuyYlimCylCNmIliPWn+O+oOPpvdtllbJnp+xKV3qhAAAAQKW2+4+3a2cgERULDrbwoeevo6q1JxY8mcj73XPLAhcmlR/YmtuWv6PEJYiLP/bclN6ZQ5ttQq1/9hG+VvgLvA4=", "base64-encoded StItem of type StFormatSignedTreeHeadV1")
+	entry          = flag.String("entry", "AAUFZGViaTYw50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75eAAEgHOQFUkKNWpjYAhNKTyWCzahlI7RDtf5123kHD2LACj0=", "base64-encoded StItem of type StFormatChecksumV1")
 )
 
 func main() {
 	flag.Parse()
 
-	cli, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true)
+	cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
 	if err != nil {
 		glog.Fatal(err)
 	}
+	ns, err := cli.Log.Namespace()
+	if err != nil {
+		glog.Fatalf("bad log namespace: %v", err)
+	}
 
+	// Check STH
 	var sth stfe.StItem
 	if err := sth.UnmarshalB64(*signedTreeHead); err != nil {
 		glog.Fatalf("bad signed tree head: %v", err)
 	}
-	if k, err := cli.Log.Key(); err != nil {
-		glog.Fatalf("bad public key: %v", err)
-	} else if err := client.VerifySignedTreeHeadV1(&sth, cli.Log.Scheme, k); err != nil {
+	th, err := sth.SignedTreeHeadV1.TreeHead.Marshal()
+	if err != nil {
+		glog.Fatalf("cannot marshal tree head: %v", err)
+	}
+	if err := ns.Verify(th, sth.SignedTreeHeadV1.Signature); err != nil {
 		glog.Fatalf("bad signed tree head: %v", err)
 	}
 	glog.V(3).Info("verified sth")
 
+	// Check inclusion
 	leaf, err := base64.StdEncoding.DecodeString(*entry)
 	if err != nil {
 		glog.Fatalf("failed decoding entry: %v", err)
@@ -57,3 +66,19 @@ func main() {
 
 	glog.Flush()
 }
+
+func mustLoad(operators, logId string) *descriptor.Log {
+	ops, err := descriptor.LoadOperators(operators)
+	if err != nil {
+		glog.Fatalf("failed loading log operators: %v")
+	}
+	id, err := base64.StdEncoding.DecodeString(logId)
+	if err != nil {
+		glog.Fatalf("invalid base64 log id: %v", err)
+	}
+	log, err := descriptor.FindLog(ops, id)
+	if err != nil {
+		glog.Fatalf("unknown log id: %v", err)
+	}
+	return log
+}
diff --git a/client/get-sth/main.go b/client/get-sth/main.go
index d13746b..e952ee3 100644
--- a/client/get-sth/main.go
+++ b/client/get-sth/main.go
@@ -5,24 +5,27 @@ import (
 	"flag"
 	"fmt"
 
+	"encoding/base64"
 	"net/http"
 
 	"github.com/golang/glog"
 	"github.com/system-transparency/stfe/client"
+	"github.com/system-transparency/stfe/descriptor"
 )
 
 var (
 	operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators")
-	logId     = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
+	logId     = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier")
 )
 
 func main() {
 	flag.Parse()
 
-	client, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true)
+	client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil)
 	if err != nil {
 		glog.Fatal(err)
 	}
+
 	sth, err := client.GetSth(context.Background())
 	if err != nil {
 		glog.Fatalf("get-sth failed: %v", err)
@@ -36,3 +39,19 @@ func main() {
 
 	glog.Flush()
 }
+
+func mustLoad(operators, logId string) *descriptor.Log {
+	ops, err := descriptor.LoadOperators(operators)
+	if err != nil {
+		glog.Fatalf("failed loading log operators: %v")
+	}
+	id, err := base64.StdEncoding.DecodeString(logId)
+	if err != nil {
+		glog.Fatalf("invalid base64 log id: %v", err)
+	}
+	log, err := descriptor.FindLog(ops, id)
+	if err != nil {
+		glog.Fatalf("unknown log id: %v", err)
+	}
+	return log
+}
diff --git a/client/verify.go b/client/verify.go
index d9c18bf..3ce02e7 100644
--- a/client/verify.go
+++ b/client/verify.go
@@ -1,58 +1,11 @@
 package client
 
 import (
-	"fmt"
-
-	"crypto"
-	"crypto/ed25519"
-	"crypto/tls"
-
 	"github.com/google/trillian/merkle"
 	"github.com/google/trillian/merkle/rfc6962"
 	"github.com/system-transparency/stfe"
 )
 
-// VerifySignedDebugInfoV1 verifies an SDI signature
-func VerifySignedDebugInfoV1(sdi *stfe.StItem, scheme tls.SignatureScheme, key crypto.PublicKey, message []byte) error {
-	if err := supportedScheme(scheme, key); err != nil {
-		return err
-	}
-	if !ed25519.Verify(key.(ed25519.PublicKey), message, sdi.SignedDebugInfoV1.Signature) {
-		return fmt.Errorf("bad signature")
-	}
-	return nil
-}
-
-// VerifySignedTreeHeadV1 verifies an STH signature
-func VerifySignedTreeHeadV1(sth *stfe.StItem, scheme tls.SignatureScheme, key crypto.PublicKey) error {
-	serialized, err := sth.SignedTreeHeadV1.TreeHead.Marshal()
-	if err != nil {
-		return fmt.Errorf("failed marshaling tree head: %v", err)
-	}
-	if err := supportedScheme(scheme, key); err != nil {
-		return err
-	}
-	if !ed25519.Verify(key.(ed25519.PublicKey), serialized, sth.SignedTreeHeadV1.Signature) {
-		return fmt.Errorf("bad signature")
-	}
-	return nil
-}
-
-// VerifyChecksumV1 verifies a checksum signature
-func VerifyChecksumV1(checksum *stfe.StItem, key crypto.PublicKey, signature []byte, scheme tls.SignatureScheme) error {
-	serialized, err := checksum.Marshal()
-	if err != nil {
-		return fmt.Errorf("failed marshaling StItem: %v", err)
-	}
-	if err := supportedScheme(scheme, key); err != nil {
-		return err
-	}
-	if !ed25519.Verify(key.(ed25519.PublicKey), serialized, signature) {
-		return fmt.Errorf("bad signature")
-	}
-	return nil
-}
-
 // VerifyConsistencyProofV1 verifies that a consistency proof is valid without
 // checking any sth signature
 func VerifyConsistencyProofV1(proof, first, second *stfe.StItem) error {
@@ -84,15 +37,3 @@ func VerifyInclusionProofV1(proof *stfe.StItem, rootHash, leafHash []byte) error
 		leafHash,
 	)
 }
-
-// supportedScheme checks whether the client library supports the log's
-// signature scheme and public key type
-func supportedScheme(scheme tls.SignatureScheme, key crypto.PublicKey) error {
-	if _, ok := key.(ed25519.PublicKey); ok && scheme == tls.Ed25519 {
-		return nil
-	}
-	switch t := key.(type) {
-	default:
-		return fmt.Errorf("unsupported scheme(%v) and key(%v)", scheme, t)
-	}
-}
diff --git a/descriptor/descriptor.go b/descriptor/descriptor.go
index 1879cd8..efe2cf1 100644
--- a/descriptor/descriptor.go
+++ b/descriptor/descriptor.go
@@ -4,12 +4,11 @@ import (
 	"bytes"
 	"fmt"
 
-	"crypto"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"io/ioutil"
+
+	"github.com/system-transparency/stfe/namespace"
 )
 
 // Operator is an stfe log operator that runs zero or more logs
@@ -21,12 +20,9 @@ type Operator struct {
 
 // Log is a collection of immutable stfe log parameters
 type Log struct {
-	Id        []byte                `json:"id"`                // H(PublicKey)
-	PublicKey []byte                `json:"public_key"`        // DER-encoded SubjectPublicKeyInfo
-	Scheme    tls.SignatureScheme   `json:"signature_scheme"`  // Signature schemes used by the log (RFC 8446, §4.2.3)
-	Schemes   []tls.SignatureScheme `json:"signature_schemes"` // Signature schemes that submitters can use (RFC 8446, §4.2.3)
-	MaxChain  uint8                 `json:"max_chain"`         // maximum certificate chain length
-	BaseUrl   string                `json:"base_url"`          // E.g., example.com/st/v1
+	Id      []byte `json:"id"`       // Serialized namespace
+	BaseUrl string `json:"base_url"` // E.g., example.com/st/v1
+	// TODO: List of supported namespace types?
 }
 
 func FindLog(ops []Operator, logId []byte) (*Log, error) {
@@ -53,7 +49,10 @@ func LoadOperators(path string) ([]Operator, error) {
 	return ops, nil
 }
 
-// Key parses the log's public key
-func (l *Log) Key() (crypto.PublicKey, error) {
-	return x509.ParsePKIXPublicKey(l.PublicKey)
+func (l *Log) Namespace() (*namespace.Namespace, error) {
+	var n namespace.Namespace
+	if err := n.Unmarshal(l.Id); err != nil {
+		return nil, fmt.Errorf("invalid namespace: %v", err)
+	}
+	return &n, nil
 }
diff --git a/descriptor/descriptor_test.go b/descriptor/descriptor_test.go
index d01fc66..22641ca 100644
--- a/descriptor/descriptor_test.go
+++ b/descriptor/descriptor_test.go
@@ -4,14 +4,12 @@ import (
 	"fmt"
 	"testing"
 
-	"crypto/sha256"
-	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 )
 
 const (
-	operatorListJson = `[{"name":"Test operator","email":"test@example.com","logs":[{"id":"B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=","public_key":"MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0=","signature_scheme":2055,"signature_schemes":[2055],"max_chain":3,"base_url":"example.com/st/v1"}]}]`
+	operatorListJson = `[{"name":"Test operator","email":"test@example.com","logs":[{"id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=","base_url":"example.com/st/v1"}]}]`
 )
 
 func TestMarshal(t *testing.T) {
@@ -52,7 +50,7 @@ func TestFindLog(t *testing.T) {
 		logId     []byte
 		wantError bool
 	}{
-		{makeOperatorList(), deb64("B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM="), false},
+		{makeOperatorList(), deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), false},
 		{makeOperatorList(), []byte{0, 1, 2, 3}, true},
 	} {
 		_, err := FindLog(table.ops, table.logId)
@@ -62,24 +60,39 @@ func TestFindLog(t *testing.T) {
 	}
 }
 
+func TestNamespace(t *testing.T) {
+	for _, table := range []struct {
+		description string
+		id []byte
+		wantErr bool
+	}{
+		{
+			description: "invalid: not a namespace",
+			id: []byte{0,1,2,3},
+			wantErr: true,
+		},
+		{
+			description: "valid",
+			id: deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="),
+		},
+	}{
+		l := &Log{ Id: table.id, BaseUrl: "example.com/st/v1" }
+		_, err := l.Namespace()
+		if got, want := err != nil, table.wantErr; got != want {
+			t.Errorf("wanted error %v but got %v in test %q: %v", got, want, table.description, err)
+			return
+		}
+	}
+}
+
 func makeOperatorList() []Operator {
-	pub := deb64("MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0=")
-	h := sha256.New()
-	h.Write(pub)
-	id := h.Sum(nil)
 	return []Operator{
 		Operator{
 			Name:  "Test operator",
 			Email: "test@example.com",
 			Logs: []*Log{
 				&Log{
-					Id:        id,
-					PublicKey: pub,
-					Scheme:    tls.Ed25519,
-					Schemes: []tls.SignatureScheme{
-						tls.Ed25519,
-					},
-					MaxChain: 3,
+					Id:        deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="),
 					BaseUrl:  "example.com/st/v1",
 				},
 			},
diff --git a/descriptor/stfe.json b/descriptor/stfe.json
index d987c47..34f884b 100644
--- a/descriptor/stfe.json
+++ b/descriptor/stfe.json
@@ -1,18 +1,12 @@
 [
-    {
-        "name": "Test operator",
-        "email": "test@example.com",
-        "logs": [
-            {
-                "max_chain": 3,
-                "id": "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=",
-                "signature_schemes": [
-                    2055
-                ],
-                "base_url": "localhost:6965/st/v1",
-                "signature_scheme": 2055,
-                "public_key": "MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0="
-            }
-        ]
-    }
+	{
+		"name": "Test operator",
+		"email":"test@example.com",
+		"logs": [
+			{
+				"id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=",
+				"base_url":"localhost:6965/st/v1"
+			}
+		]
+	}
 ]
diff --git a/trillian.go b/trillian.go
index c20901f..233d5e8 100644
--- a/trillian.go
+++ b/trillian.go
@@ -24,7 +24,7 @@ func checkQueueLeaf(rsp *trillian.QueueLeafResponse, err error) error {
 
 func checkGetLeavesByRange(req *GetEntriesRequest, rsp *trillian.GetLeavesByRangeResponse, err error) (int, error) {
 	if err != nil || rsp == nil || len(rsp.Leaves) == 0 || rsp.SignedLogRoot == nil || rsp.SignedLogRoot.LogRoot == nil {
-		return http.StatusInternalServerError, fmt.Errorf("%v", err)
+		return http.StatusInternalServerError, fmt.Errorf("%v", err) // TODO: break up into multiple returns?
 	}
 	if len(rsp.Leaves) > int(req.End-req.Start+1) {
 		return http.StatusInternalServerError, fmt.Errorf("too many leaves: %d for [%d,%d]", len(rsp.Leaves), req.Start, req.End)