aboutsummaryrefslogtreecommitdiff
path: root/client
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-03 16:45:51 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-03 16:45:51 +0100
commit2ad1e255d7909376bec16dc874e51be5b2629273 (patch)
tree12d10c8925875423ecd6529e00f4dbe73fe3181c /client
parent14dd503f7612e18091e82b3b0a3ec381604d60df (diff)
added client-side consistency proof verification
Diffstat (limited to 'client')
-rw-r--r--client/client.go31
-rw-r--r--client/get-consistency-proof/main.go62
-rw-r--r--client/verify.go19
3 files changed, 105 insertions, 7 deletions
diff --git a/client/client.go b/client/client.go
index 5209a83..864afb4 100644
--- a/client/client.go
+++ b/client/client.go
@@ -130,8 +130,29 @@ func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
return item, nil
}
-func (c *Client) GetConsistencyProof(ctx context.Context, first, second uint64) (*stfe.StItem, error) {
- return nil, fmt.Errorf("TODO")
+func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.StItem) (*stfe.StItem, error) {
+ req, err := http.NewRequest("GET", c.protocol()+c.Log.BaseUrl+"/get-consistency-proof", nil)
+ if err != nil {
+ return nil, fmt.Errorf("failed creating http request: %v", err)
+ }
+ req.Header.Set("Content-Type", "application/json")
+ q := req.URL.Query()
+ q.Add("first", fmt.Sprintf("%d", first.SignedTreeHeadV1.TreeHead.TreeSize))
+ q.Add("second", fmt.Sprintf("%d", second.SignedTreeHeadV1.TreeHead.TreeSize))
+ req.URL.RawQuery = q.Encode()
+ glog.V(2).Infof("created http request: %s %s", req.Method, req.URL)
+
+ item, err := c.doRequestWithStItemResponse(ctx, req)
+ if err != nil {
+ return nil, err
+ }
+ if item.Format != stfe.StFormatConsistencyProofV1 {
+ return nil, fmt.Errorf("bad StItem format: %v", item.Format)
+ }
+ if err := VerifyConsistencyProofV1(item, first, second); err != nil {
+ return nil, fmt.Errorf("bad consistency proof: %v", err)
+ }
+ return item, nil
}
func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, leaf []byte) (*stfe.StItem, error) {
@@ -161,13 +182,11 @@ func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash,
}
func (c *Client) GetEntries(ctx context.Context, start, end uint64) (*stfe.StItem, error) {
- glog.V(2).Info("creating get-entries request")
- return nil, fmt.Errorf("TODO")
+ return nil, fmt.Errorf("TODO: Client.GetEntries()")
}
func (c *Client) GetAnchors(ctx context.Context, start, end uint64) ([]*x509.Certificate, error) {
- glog.V(2).Info("creating get-anchors request")
- return nil, fmt.Errorf("TODO")
+ return nil, fmt.Errorf("TODO: Client.GetAnchors()")
}
func (c *Client) b64Chain() []string {
diff --git a/client/get-consistency-proof/main.go b/client/get-consistency-proof/main.go
new file mode 100644
index 0000000..49c45f1
--- /dev/null
+++ b/client/get-consistency-proof/main.go
@@ -0,0 +1,62 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+
+ "net/http"
+
+ "github.com/golang/glog"
+ "github.com/system-transparency/stfe"
+ "github.com/system-transparency/stfe/client"
+)
+
+var (
+ operators = flag.String("operators", "../../server/descriptor/stfe.json", "path to json-encoded list of log operators")
+ logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
+ chain = flag.String("chain", "../../server/testdata/chain/ee.pem", "path to pem-encoded certificate chain that the log accepts")
+ first = flag.String("first", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jnn7fwAAAAAAAAAxICCqLJn4QWYd0aRIRjDWGf4GWalDIb/iH60jSSX89WgvAAAAQF9XPFRdM56KaelHFFg1RqjTw1yFL085zHhdNkLeZh9BCXxVTByqrHEMngAkY69EX45aJMWh9NymmPau0qoigA8=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1")
+ second = flag.String("second", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jsZrygAAAAAAAABFIL7Zz0WEolql7o7G496Izl7Qy/l2Qd/Pwc87W8jFPoL6AAAAQHc7ttIDUKuMJR7uqCLb3qqAxiwEN5KLt/7IblT7f+QaKq4BqqI3cO6vT3eMSZMHZDd4EkgvkAwo1o7IsA4N8Qc=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1")
+)
+
+func main() {
+ flag.Parse()
+
+ cli, err := client.NewClientFromPath(*logId, *chain, "", *operators, &http.Client{}, true)
+ if err != nil {
+ glog.Fatal(err)
+ }
+
+ var sth1 stfe.StItem
+ if err := sth1.UnmarshalB64(*first); err != nil {
+ glog.Fatalf("bad signed tree head: %v", err)
+ }
+ if err := client.VerifySignedTreeHeadV1(&sth1, cli.Log.Scheme, cli.Log.Key()); err != nil {
+ glog.Fatalf("bad signed tree head: %v", err)
+ }
+ glog.V(3).Info("verified first sth")
+
+ var sth2 stfe.StItem
+ if err := sth2.UnmarshalB64(*second); err != nil {
+ glog.Fatalf("bad signed tree head: %v", err)
+ }
+ if err := client.VerifySignedTreeHeadV1(&sth2, cli.Log.Scheme, cli.Log.Key()); err != nil {
+ glog.Fatalf("bad signed tree head: %v", err)
+ }
+ glog.V(3).Info("verified second sth")
+
+ proof, err := cli.GetConsistencyProof(context.Background(), &sth1, &sth2)
+ if err != nil {
+ glog.Fatalf("get-proof-by-hash failed: %v", err)
+ }
+ glog.V(3).Info("verified inclusion proof")
+
+ str, err := proof.MarshalB64()
+ if err != nil {
+ glog.Fatalf("failed encoding valid inclusion proof: %v", err)
+ }
+ fmt.Println(str)
+
+ glog.Flush()
+}
diff --git a/client/verify.go b/client/verify.go
index 3668bf2..b5257ac 100644
--- a/client/verify.go
+++ b/client/verify.go
@@ -44,7 +44,24 @@ func VerifySignedTreeHeadV1(sth *stfe.StItem, scheme tls.SignatureScheme, key cr
return nil
}
-// VerifyInclusionProofV1 verifies that an inclusion proof is valid
+// VerifyConsistencyProofV1 verifies that a consistency proof is valid without
+// checking any sth signature
+func VerifyConsistencyProofV1(proof, first, second *stfe.StItem) error {
+ path := make([][]byte, 0, len(proof.ConsistencyProofV1.ConsistencyPath))
+ for _, nh := range proof.ConsistencyProofV1.ConsistencyPath {
+ path = append(path, nh.Data)
+ }
+ return merkle.NewLogVerifier(rfc6962.DefaultHasher).VerifyConsistencyProof(
+ int64(proof.ConsistencyProofV1.TreeSize1),
+ int64(proof.ConsistencyProofV1.TreeSize2),
+ first.SignedTreeHeadV1.TreeHead.RootHash.Data,
+ second.SignedTreeHeadV1.TreeHead.RootHash.Data,
+ path,
+ )
+}
+
+// VerifyInclusionProofV1 verifies that an inclusion proof is valid without checking
+// any sth signature
func VerifyInclusionProofV1(proof *stfe.StItem, rootHash, leafHash []byte) error {
path := make([][]byte, 0, len(proof.InclusionProofV1.InclusionPath))
for _, nh := range proof.InclusionProofV1.InclusionPath {