instance: Add experimental checkpoint endpointv0.3.3

This commit adds an experimental endpoint that serves the log's to-sign
tree head formatted as a signed checkpoint.  See documentation at:

https://github.com/transparency-dev/formats/tree/main/log#readme

If we decide to adopt this endpoint we should consider in more detail
what the origin string should be.  Right now, it is assumed that the
log's configured prefix is unique across the set of all sigsum logs.

Example output:
```
$ echo "Public verification key: $vk"
Public verification key: 8cf3ac85aadd42891c5ae9aef27244cb2a546a2312f80020aad3f2ae1af73314
$
$ echo "Formatted as a note key: $vkNote"
Formatted as a note key: sigsum.org:testonly+8de2c54b+AYzzrIWq3UKJHFrprvJyRMsqVGojEvgAIKrT8q4a9zMU
$
$ curl http://localhost:6965/testonly/sigsum/v0/get-checkpoint
sigsum.org:testonly
23
HSt6W8ve4/36xAIf04qDOqaKLaKqSOUqKxLNrkK74+g=

— sigsum.org:testonly jeLFS4WQDEeTavbiYArHzCQUPXbQ1Y/V8/dKJlBxqOAY4eLhSh3uWNJ8YXp1vs/zR4SDNHI+6UybLmHmFlg/VSf5OAs=
```

1 files changed, 85 insertions, 0 deletions

diff --git a/pkg/instance/experimental_endpoint.go b/pkg/instance/experimental_endpoint.go
new file mode 100644
index 0000000..2986a27
--- /dev/null
+++ b/pkg/instance/experimental_endpoint.go
@@ -0,0 +1,85 @@
+package instance
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"crypto/ed25519"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/binary"
+	"fmt"
+	"net/http"
+
+	"git.sigsum.org/sigsum-log-go/pkg/types"
+	"github.com/golang/glog"
+)
+
+// algEd25519 identifies a checkpoint signature algorithm
+const algEd25519 byte = 1
+
+// getCheckpoint is an experimental endpoint that is not part of the official
+// Sigsum API.  Documentation can be found in the transparency-dev repo.
+func getCheckpoint(ctx context.Context, i *Instance, w http.ResponseWriter, r *http.Request) (int, error) {
+	glog.V(3).Info("handling get-checkpoint request")
+	sth, err := i.Stateman.ToSign(ctx)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+	if err := i.signWriteNote(w, sth); err != nil {
+		return http.StatusInternalServerError, err
+	}
+	return http.StatusOK, nil
+}
+
+// signWriteNote signs and writes a checkpoint which uses "sigsum.org:<prefix>"
+// as origin string.  Origin string is also used as ID in the note signature.
+// This means that a sigsum log's prefix (say, "glass-frog"), must be unique.
+func (i *Instance) signWriteNote(w http.ResponseWriter, sth *types.SignedTreeHead) error {
+	origin := fmt.Sprintf("sigsum.org:%s", i.Prefix)
+	msg := fmt.Sprintf("%s\n%d\n%s\n",
+		origin,
+		sth.TreeSize,
+		base64.StdEncoding.EncodeToString(sth.RootHash[:]),
+	)
+	sig, err := noteSign(i.Signer, origin, msg)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintf(w, "%s\n\u2014 %s %s\n", msg, origin, sig)
+	return nil
+}
+
+// noteSign returns a note signature for the provided origin and message
+func noteSign(signer crypto.Signer, origin, msg string) (string, error) {
+	sig, err := signer.Sign(nil, []byte(msg), crypto.Hash(0))
+	if err != nil {
+		return "", err
+	}
+
+	var hbuf [4]byte
+	binary.BigEndian.PutUint32(hbuf[:], noteKeyHash(origin, notePubKeyEd25519(signer)))
+	sig = append(hbuf[:], sig...)
+	return base64.StdEncoding.EncodeToString(sig), nil
+}
+
+// See:
+// https://cs.opensource.google/go/x/mod/+/refs/tags/v0.5.1:sumdb/note/note.go;l=336
+func notePubKeyEd25519(signer crypto.Signer) []byte {
+	return bytes.Join([][]byte{
+		[]byte{algEd25519},
+		signer.Public().(ed25519.PublicKey),
+	}, nil)
+}
+
+// Source:
+// https://cs.opensource.google/go/x/mod/+/refs/tags/v0.5.1:sumdb/note/note.go;l=222
+func noteKeyHash(name string, key []byte) uint32 {
+	h := sha256.New()
+	h.Write([]byte(name))
+	h.Write([]byte("\n"))
+	h.Write(key)
+	sum := h.Sum(nil)
+	return binary.BigEndian.Uint32(sum)
+}