authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-02 23:28:58 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-02 23:28:58 +0100
commitc210c80e80231143f6eaa0f39e8e1d3303983791 (patch)
tree83b3bb9cbe4947bfd3ddbebb7694f9442834a22c /client
parent801afaa9147c4f70fc00fde1993f6ce0c91bd450 (diff)
added start on stfe client
ChecksumV1 entries can be submitted using client-side ed25519 signatures. The resulting SignedDebugInfoV1 is then verified using the log's announced signature scheme and public key (currently only ed25519).
Diffstat (limited to 'client')
-rw-r--r--client/add-entry/main.go150
-rw-r--r--client/client.go139
2 files changed, 289 insertions, 0 deletions
diff --git a/client/add-entry/main.go b/client/add-entry/main.go
new file mode 100644
index 0000000..693aca8
--- /dev/null
+++ b/client/add-entry/main.go
@@ -0,0 +1,150 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+
+ "crypto/ed25519"
+ "crypto/x509"
+ "encoding/base64"
+ "encoding/json"
+ "encoding/pem"
+ "io/ioutil"
+ "net/http"
+
+ "github.com/golang/glog"
+ "github.com/system-transparency/stfe/client"
+ "github.com/system-transparency/stfe/server/descriptor"
+)
+
+var (
+ operators = flag.String("operators", "../../server/descriptor/stfe.json", "path to json-encoded list of log operators")
+ logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier")
+ chain = flag.String("chain", "../../server/testdata/chain/ee.pem", "path to pem-encoded certificate chain that the log accepts")
+ key = flag.String("key", "../../server/testdata/chain/ee.key", "path to ed25519 private key that corresponds to the chain's end-entity certificate")
+ name = flag.String("name", "foobar-1.2.3", "package name")
+ checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded package checksum")
+)
+
+func main() {
+ flag.Parse()
+
+ client, err := setup()
+ if err != nil {
+ glog.Fatal(err)
+ }
+
+ pname, psum, err := params()
+ if err != nil {
+ glog.Fatal(err)
+ }
+
+ sdi, err := client.AddEntry(context.Background(), pname, psum)
+ if err != nil {
+ glog.Fatalf("add-entry failed: %v", err)
+ }
+ glog.Infof("got valid StItem: %v", sdi)
+ glog.Flush()
+}
+
+func params() ([]byte, []byte, error) {
+ b, err := base64.StdEncoding.DecodeString(*checksum)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed decoding checksum: %v", err)
+ }
+ return []byte(*name), b, nil
+}
+
+func setup() (*client.Client, error) {
+ blob, err := ioutil.ReadFile(*chain)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading certificate chain: %v", err)
+ }
+ c, err := parseChain(blob)
+ if err != nil {
+ return nil, fmt.Errorf("failed loading certificate chain: %v", err)
+ }
+
+ blob, err = ioutil.ReadFile(*key)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading ed25519 private key: %v", err)
+ }
+ k, err := parseEd25519PrivateKey(blob)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding ed25519 private key: %v", err)
+ }
+
+ blob, err = ioutil.ReadFile(*operators)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading log operators: %v", err)
+ }
+ var ops []descriptor.Operator
+ if err := json.Unmarshal(blob, &ops); err != nil {
+ return nil, fmt.Errorf("failed decoding log operators: %v", err)
+ }
+
+ id, err := base64.StdEncoding.DecodeString(*logId)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding log identifier: %v", err)
+ }
+
+ // TODO: define FindLog() for []Operator
+ var log *descriptor.Log
+ for _, op := range ops {
+ l, err := op.FindLog(id)
+ if err == nil {
+ log = l
+ break
+ }
+ }
+ if log == nil {
+ return nil, fmt.Errorf("unknown log identifier: %v", err)
+ }
+ return client.NewClient(log, &http.Client{}, c, &k), nil
+}
+
+func parseEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) {
+ block, rest := pem.Decode(data)
+ if block == nil {
+ return nil, fmt.Errorf("pem block: is empty")
+ }
+ if block.Type != "PRIVATE KEY" {
+ return nil, fmt.Errorf("bad pem block type: %v", block.Type)
+ }
+ if len(rest) != 0 {
+ return nil, fmt.Errorf("pem block: trailing data")
+ }
+
+ key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+ if err != nil {
+ fmt.Errorf("x509 parser failed: %v", err)
+ }
+ switch t := key.(type) {
+ case ed25519.PrivateKey:
+ return key.(ed25519.PrivateKey), nil
+ default:
+ return nil, fmt.Errorf("unexpected signing key type: %v", t)
+ }
+}
+
+func parseChain(rest []byte) ([]*x509.Certificate, error) {
+ var chain []*x509.Certificate
+ for len(rest) > 0 {
+ var block *pem.Block
+ block, rest = pem.Decode(rest)
+ if block == nil {
+ break
+ }
+ if block.Type != "CERTIFICATE" {
+ return nil, fmt.Errorf("unexpected pem block type: %v", block.Type)
+ }
+
+ certificate, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("failed parsing x509 certificate: %v", err)
+ }
+ chain = append(chain, certificate)
+ }
+ return chain, nil
+}
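Review bot: parseEd25519PrivateKey discards the error from x509.ParsePKCS8PrivateKey: the `fmt.Errorf("x509 parser failed: %v", err)` result is never returned, so a malformed key falls through to the type switch with a nil key and is reported as `unexpected signing key type: <nil>`; that line should read `return nil, fmt.Errorf("x509 parser failed: %v", err)`. In the same switch, `key.(ed25519.PrivateKey)` can simply be `t`, which already has that type. A smaller issue in setup: the "unknown log identifier" message formats the outer `err`, which is nil after the successful base64 decode because the loop shadows it, so it prints `<nil>`; `fmt.Errorf("unknown log identifier: %s", *logId)` would be more useful. The -checksum flag's default looks hex-encoded while its help text says base64, and decoding 64 hex characters as base64 yields 48 bytes rather than a 32-byte digest, so either the default value or the decoder should change.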
diff --git a/client/client.go b/client/client.go
new file mode 100644
index 0000000..e1663a0
--- /dev/null
+++ b/client/client.go
@@ -0,0 +1,139 @@
+package client
+
+import (
+ "bytes"
+ "context"
+ "fmt"
+
+ "crypto/ed25519"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/base64"
+ "encoding/json"
+ "io/ioutil"
+ "net/http"
+
+ "github.com/golang/glog"
+ "github.com/system-transparency/stfe"
+ "github.com/system-transparency/stfe/server/descriptor"
+ "golang.org/x/net/context/ctxhttp"
+)
+
+type Client struct {
+ Log *descriptor.Log
+ Client *http.Client
+ Chain []*x509.Certificate
+ PrivateKey *ed25519.PrivateKey
+}
+
+// NewClient returns a new log client
+func NewClient(log *descriptor.Log, client *http.Client, chain []*x509.Certificate, privateKey *ed25519.PrivateKey) *Client {
+ return &Client{
+ Log: log,
+ Chain: chain,
+ Client: client,
+ PrivateKey: privateKey,
+ }
+}
+
+func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StItem, error) {
+ glog.V(3).Info("creating add-entry request")
+ leaf, err := stfe.NewChecksumV1(name, checksum).Marshal()
+ if err != nil {
+ return nil, fmt.Errorf("failed marshaling StItem: %v", err)
+ }
+ data, err := json.Marshal(struct {
+ Item string `json:"item"`
+ Scheme uint16 `json:"signature_scheme"`
+ Signature string `json:"signature"`
+ Chain []string `json:"chain"`
+ }{
+ Item: base64.StdEncoding.EncodeToString(leaf),
+ Scheme: uint16(tls.Ed25519),
+ Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(*c.PrivateKey, serialized)),
+ Chain: c.b64Chain(),
+ })
+ if err != nil {
+ return nil, fmt.Errorf("failed creating post data: %v", err)
+ }
+ // TODO: make http(s) config option
+ req, err := http.NewRequest("POST", "http://"+c.Log.BaseUrl+"/add-entry", bytes.NewBuffer(data))
+ if err != nil {
+ return nil, fmt.Errorf("failed creating http request: %v", err)
+ }
+ req.Header.Set("Content-Type", "application/json")
+
+ var itemStr string
+ if err := c.doRequest(ctx, req, &itemStr); err != nil {
+ return nil, err
+ }
+ b, err := base64.StdEncoding.DecodeString(itemStr)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding base64 body: %v", err)
+ }
+ var item stfe.StItem
+ if err := item.Unmarshal(b); err != nil {
+ return nil, fmt.Errorf("failed decoding StItem: %v", err)
+ }
+
+ if item.Format != stfe.StFormatSignedDebugInfoV1 {
+ return nil, fmt.Errorf("bad StItem format: %v", item.Format)
+ }
+ if err := item.SignedDebugInfoV1.Verify(c.Log.Scheme, c.Log.PublicKey, serialized); err != nil {
+ return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err)
+ }
+ return &item, nil
+}
+
+func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface{}) error {
+ glog.V(3).Infof("sending request: %v %v", req.Method, req.URL)
+ rsp, err := ctxhttp.Do(ctx, c.Client, req)
+ if err != nil {
+ return fmt.Errorf("http request failed: %v", err)
+ }
+ body, err := ioutil.ReadAll(rsp.Body)
+ rsp.Body.Close()
+ if err != nil {
+ return fmt.Errorf("http body read failed: %v", err)
+ }
+ if rsp.StatusCode != http.StatusOK {
+ return fmt.Errorf("http status code not ok: %v", rsp.StatusCode)
+ }
+ if err := json.Unmarshal(body, out); err != nil {
+ return fmt.Errorf("failed decoding json body: %v", err)
+ }
+ return nil
+}
+
+func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-sth request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetConsistencyProof(ctx context.Context, first, second uint64) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-consistency-proof request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, hash []byte) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-proof-by-hash request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetEntries(ctx context.Context, start, end uint64) (*stfe.StItem, error) {
+ glog.V(2).Info("creating get-entries request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) GetAnchors(ctx context.Context, start, end uint64) ([]*x509.Certificate, error) {
+ glog.V(2).Info("creating get-anchors request")
+ return nil, fmt.Errorf("TODO")
+}
+
+func (c *Client) b64Chain() []string {
+ chain := make([]string, 0, len(c.Chain))
+ for _, cert := range c.Chain {
+ chain = append(chain, base64.StdEncoding.EncodeToString(cert.Raw))
+ }
+ return chain
+}
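Review bot: AddEntry references `serialized` in the ed25519.Sign call and again in the SignedDebugInfoV1.Verify call, but nothing in this file declares it; unless it is a package-level name elsewhere in package client, this does not compile, and the intended value appears to be `leaf`, the marshaled ChecksumV1 from the line above (`ed25519.Sign(*c.PrivateKey, leaf)` and `item.SignedDebugInfoV1.Verify(c.Log.Scheme, c.Log.PublicKey, leaf)`). doRequest reads the whole response body with ioutil.ReadAll before the status check, so an unexpected or misbehaving server can make the client allocate without bound; reading through `io.LimitReader(rsp.Body, maxBody)` with a modest constant keeps that bounded. The exported Client type and the Get* methods carry no doc comments; a one-line comment such as `// Client talks to a single log described by Log, signing add-entry requests with PrivateKey and checking responses against the log's scheme and public key.` would help.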