From 7dfa743dce780659bd2e71130d91d51e93b1f68e Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Fri, 29 Jan 2021 17:29:34 +0100 Subject: replaced x509 with namespace on the client-side --- client/add-entry/main.go | 44 +++++++++---- client/client.go | 120 +++++++++++------------------------ client/get-anchors/main.go | 28 ++++++-- client/get-consistency-proof/main.go | 46 +++++++++++--- client/get-entries/main.go | 26 ++++++-- client/get-proof-by-hash/main.go | 39 ++++++++++-- client/get-sth/main.go | 23 ++++++- client/verify.go | 59 ----------------- descriptor/descriptor.go | 23 ++++--- descriptor/descriptor_test.go | 43 ++++++++----- descriptor/stfe.json | 26 +++----- trillian.go | 2 +- 12 files changed, 255 insertions(+), 224 deletions(-) diff --git a/client/add-entry/main.go b/client/add-entry/main.go index 0f494aa..52861ef 100644 --- a/client/add-entry/main.go +++ b/client/add-entry/main.go @@ -5,18 +5,19 @@ import ( "flag" "fmt" + "crypto/ed25519" "encoding/base64" "net/http" "github.com/golang/glog" "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/descriptor" ) var ( operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") - chain = flag.String("chain", "../../x509util/testdata/chain.pem", "path to pem-encoded certificate chain that the log accepts") - key = flag.String("key", "../../x509util/testdata/end-entity.key", "path to ed25519 private key that corresponds to the chain's end-entity certificate") + logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") + key = flag.String("key", "Zaajc50Xt1tNpTj6WYkljzcVjLXL2CcQcHFT/xZqYEcc5AVSQo1amNgCE0pPJYLNqGUjtEO1/nXbeQcPYsAKPQ==", "base64-encoded ed25519 signing key") name = flag.String("name", "foobar-1.2.3", "package name") checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded package checksum") ) @@ -24,17 +25,13 @@ var ( func main() { flag.Parse() - pname := []byte(*name) - psum, err := base64.StdEncoding.DecodeString(*checksum) - if err != nil { - glog.Fatalf("failed decoding checksum: %v", err) - } - - client, err := client.NewClientFromPath(*logId, *chain, *key, *operators, &http.Client{}, true) + log, sk, sum := mustLoad(*operators, *logId, *key, *checksum) + client, err := client.NewClient(log, &http.Client{}, true, sk) if err != nil { glog.Fatal(err) } - sdi, err := client.AddEntry(context.Background(), pname, psum) + + sdi, err := client.AddEntry(context.Background(), []byte(*name), sum) if err != nil { glog.Fatalf("add-entry failed: %v", err) } @@ -47,3 +44,28 @@ func main() { glog.Flush() } + +func mustLoad(operators, logId, key, checksum string) (*descriptor.Log, *ed25519.PrivateKey, []byte) { + ops, err := descriptor.LoadOperators(operators) + if err != nil { + glog.Fatalf("failed loading log operators: %v") + } + id, err := base64.StdEncoding.DecodeString(logId) + if err != nil { + glog.Fatalf("invalid base64 log id: %v", err) + } + log, err := descriptor.FindLog(ops, id) + if err != nil { + glog.Fatalf("unknown log id: %v", err) + } + b, err := base64.StdEncoding.DecodeString(key) + if err != nil { + glog.Fatalf("invalid base64 key: %v", err) + } + sk := ed25519.PrivateKey(b) + b, err = base64.StdEncoding.DecodeString(checksum) + if err != nil { + glog.Fatalf("failed decoding checksum: %v", err) + } + return log, &sk, b +} diff --git a/client/client.go b/client/client.go index f474401..0cbf432 100644 --- a/client/client.go +++ b/client/client.go @@ -6,8 +6,6 @@ import ( "fmt" "crypto/ed25519" - "crypto/tls" - "crypto/x509" "encoding/base64" "encoding/json" "io/ioutil" @@ -17,7 +15,7 @@ import ( "github.com/google/trillian/merkle/rfc6962" "github.com/system-transparency/stfe" "github.com/system-transparency/stfe/descriptor" - "github.com/system-transparency/stfe/x509util" + "github.com/system-transparency/stfe/namespace" "golang.org/x/net/context/ctxhttp" ) @@ -25,73 +23,40 @@ import ( type Client struct { Log *descriptor.Log Client *http.Client - Chain []*x509.Certificate PrivateKey *ed25519.PrivateKey + Namespace *namespace.Namespace useHttp bool } -// NewClient returns a new log client -func NewClient(log *descriptor.Log, client *http.Client, useHttp bool, chain []*x509.Certificate, privateKey *ed25519.PrivateKey) *Client { - return &Client{ +// NewClient returns a new log client. +// +// Note: private key can be ommied if no write APIs are used. +func NewClient(log *descriptor.Log, client *http.Client, useHttp bool, privateKey *ed25519.PrivateKey) (*Client, error) { + c := &Client{ Log: log, - Chain: chain, Client: client, PrivateKey: privateKey, useHttp: useHttp, } -} - -// NewClientFromPath loads necessary data from file before creating a new -// client, namely, a pem-encoded certificate chain, a pem-encoded ed25519 -// private key, and a json-encoded list of log operators (see descriptor). -// Chain and key paths may be left out by passing the empty string: "". -func NewClientFromPath(logId, chainPath, keyPath, operatorsPath string, cli *http.Client, useHttp bool) (*Client, error) { - pem, err := ioutil.ReadFile(chainPath) - if err != nil && chainPath != "" { - return nil, fmt.Errorf("failed reading %s: %v", chainPath, err) - } - c, err := x509util.NewCertificateList(pem) - if err != nil { - return nil, err - } - - pem, err = ioutil.ReadFile(keyPath) - if err != nil && keyPath != "" { - return nil, fmt.Errorf("failed reading %s: %v", keyPath, err) - } - k, err := x509util.NewEd25519PrivateKey(pem) - if err != nil && keyPath != "" { - return nil, err - } - - ops, err := descriptor.LoadOperators(operatorsPath) - if err != nil { - return nil, err - } - - id, err := base64.StdEncoding.DecodeString(logId) - if err != nil { - return nil, fmt.Errorf("failed decoding log identifier: %v", err) - } - - log, err := descriptor.FindLog(ops, id) - if err != nil { - return nil, err + if privateKey != nil { + var err error + c.Namespace, err = namespace.NewNamespaceEd25519V1([]byte(privateKey.Public().(ed25519.PublicKey))) + if err != nil { + return nil, fmt.Errorf("failed creating namespace: %v", err) + } } - return NewClient(log, cli, useHttp, c, &k), nil + return c, nil } // AddEntry creates, signs, and adds a new ChecksumV1 entry to the log func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StItem, error) { - leaf, err := stfe.NewChecksumV1(name, checksum).Marshal() + leaf, err := stfe.NewChecksumV1(name, checksum, c.Namespace).Marshal() if err != nil { return nil, fmt.Errorf("failed marshaling StItem: %v", err) } data, err := json.Marshal(stfe.AddEntryRequest{ - Item: leaf, - Signature: ed25519.Sign(*c.PrivateKey, leaf), - SignatureScheme: uint16(tls.Ed25519), - Chain: c.chain(), + Item: leaf, + Signature: ed25519.Sign(*c.PrivateKey, leaf), }) if err != nil { return nil, fmt.Errorf("failed creating post data: %v", err) @@ -114,16 +79,15 @@ func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StI return nil, fmt.Errorf("bad StItem format: %v", item.Format) } - if k, err := c.Log.Key(); err != nil { - return nil, fmt.Errorf("bad public key: %v", err) - } else if err := VerifySignedDebugInfoV1(item, c.Log.Scheme, k, leaf); err != nil { + if ns, err := c.Log.Namespace(); err != nil { + return nil, fmt.Errorf("invalid log namespace: %v", err) + } else if err := ns.Verify(leaf, item.SignedDebugInfoV1.Signature); err != nil { return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err) } return item, nil } -// GetSth fetches and verifies the most recent STH. Safe to use without a -// client chain and corresponding private key. +// GetSth fetches and verifies the most recent STH. func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) { url := stfe.EndpointGetSth.Path(c.protocol() + c.Log.BaseUrl) req, err := http.NewRequest("GET", url, nil) @@ -139,17 +103,21 @@ func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) { if item.Format != stfe.StFormatSignedTreeHeadV1 { return nil, fmt.Errorf("bad StItem format: %v", item.Format) } + th, err := item.SignedTreeHeadV1.TreeHead.Marshal() + if err != nil { + return nil, fmt.Errorf("failed marshaling tree head: %v", err) + } - if k, err := c.Log.Key(); err != nil { + if ns, err := c.Log.Namespace(); err != nil { return nil, fmt.Errorf("bad public key: %v", err) - } else if err := VerifySignedTreeHeadV1(item, c.Log.Scheme, k); err != nil { - return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err) + } else if err := ns.Verify(th, item.SignedTreeHeadV1.Signature); err != nil { + return nil, fmt.Errorf("bad SignedTreeHeadV1 signature: %v", err) } return item, nil } // GetConsistencyProof fetches and verifies a consistency proof between two -// STHs. Safe to use without a client chain and corresponding private key. +// STHs. func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.StItem) (*stfe.StItem, error) { url := stfe.EndpointGetConsistencyProof.Path(c.protocol() + c.Log.BaseUrl) req, err := http.NewRequest("GET", url, nil) @@ -177,7 +145,7 @@ func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.St } // GetProofByHash fetches and verifies an inclusion proof for a leaf against an -// STH. Safe to use without a client chain and corresponding private key. +// STH. func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, leaf []byte) (*stfe.StItem, error) { leafHash := rfc6962.DefaultHasher.HashLeaf(leaf) url := stfe.EndpointGetProofByHash.Path(c.protocol() + c.Log.BaseUrl) @@ -208,7 +176,7 @@ func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, // GetEntries fetches a range of entries from the log, verifying that they are // of type checksum_v1 and signed by a valid certificate chain in the appendix. // Fewer entries may be returned if too large range, in which case the end is -// truncated. Safe to use without a client chain and corresponding private key. +// truncated. // // Note that a certificate chain is considered valid if it is chained correctly. // In other words, the caller may want to check whether the anchor is trusted. @@ -237,21 +205,16 @@ func (c *Client) GetEntries(ctx context.Context, start, end uint64) ([]*stfe.Get if item.Format != stfe.StFormatChecksumV1 { return nil, fmt.Errorf("bad StFormat: %v (%v)", err, entry) } - if chain, err := x509util.ParseDerList(entry.Chain); err != nil { - return nil, fmt.Errorf("bad certificate chain: %v (%v)", err, entry) - } else if err := x509util.VerifyChain(chain); err != nil { - return nil, fmt.Errorf("invalid certificate chain: %v (%v)", err, entry) - } else if err := VerifyChecksumV1(&item, chain[0].PublicKey, entry.Signature, tls.SignatureScheme(entry.SignatureScheme)); err != nil { - return nil, fmt.Errorf("invalid signature: %v (%v)", err, entry) + if err := item.ChecksumV1.Namespace.Verify(entry.Item, entry.Signature); err != nil { // TODO: only works if full vk in namespace + return nil, fmt.Errorf("bad signature: %v (%v)", err, entry) } } return rsp, nil } -// GetAnchors fetches the log's trust anchors. Safe to use without a client -// chain and corresponding private key. -func (c *Client) GetAnchors(ctx context.Context) ([]*x509.Certificate, error) { - url := stfe.EndpointGetAnchors.Path(c.protocol() + c.Log.BaseUrl) +// GetNamespaces fetches the log's trusted namespaces. +func (c *Client) GetNamespaces(ctx context.Context) ([][]byte, error) { + url := stfe.EndpointGetAnchors.Path(c.protocol() + c.Log.BaseUrl) // TODO: update GetAnchors => GetNamespaces req, err := http.NewRequest("GET", url, nil) if err != nil { return nil, fmt.Errorf("failed creating http request: %v", err) @@ -260,15 +223,7 @@ func (c *Client) GetAnchors(ctx context.Context) ([]*x509.Certificate, error) { if err := c.doRequest(ctx, req, &rsp); err != nil { return nil, err } - return x509util.ParseDerList(rsp) -} - -func (c *Client) chain() [][]byte { - chain := make([][]byte, 0, len(c.Chain)) - for _, cert := range c.Chain { - chain = append(chain, cert.Raw) - } - return chain + return rsp, nil } // doRequest sends an HTTP request and decodes the resulting json body into out @@ -291,6 +246,7 @@ func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface return nil } +// // doRequestWithStItemResponse sends an HTTP request and returns a decoded // StItem that the resulting HTTP response contained json:ed and marshaled func (c *Client) doRequestWithStItemResponse(ctx context.Context, req *http.Request) (*stfe.StItem, error) { diff --git a/client/get-anchors/main.go b/client/get-anchors/main.go index fe00445..1c10924 100644 --- a/client/get-anchors/main.go +++ b/client/get-anchors/main.go @@ -10,29 +10,45 @@ import ( "github.com/golang/glog" "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/descriptor" ) var ( operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") + logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") ) func main() { flag.Parse() - client, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true) + client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) if err != nil { glog.Fatal(err) } - anchors, err := client.GetAnchors(context.Background()) + namespaces, err := client.GetNamespaces(context.Background()) if err != nil { glog.Fatal(err) } - for i, anchor := range anchors { - glog.V(3).Infof("anchor[%d] serial number: %x", i, anchor.SerialNumber) - fmt.Printf("anchor[%d]: %s\n", i, base64.StdEncoding.EncodeToString(anchor.Raw)) + for i, namespace := range namespaces { + fmt.Printf("namespace[%d]: %s\n", i, base64.StdEncoding.EncodeToString(namespace)) } glog.Flush() } + +func mustLoad(operators, logId string) *descriptor.Log { + ops, err := descriptor.LoadOperators(operators) + if err != nil { + glog.Fatalf("failed loading log operators: %v") + } + id, err := base64.StdEncoding.DecodeString(logId) + if err != nil { + glog.Fatalf("invalid base64 log id: %v", err) + } + log, err := descriptor.FindLog(ops, id) + if err != nil { + glog.Fatalf("unknown log id: %v", err) + } + return log +} diff --git a/client/get-consistency-proof/main.go b/client/get-consistency-proof/main.go index 316bbdc..283e9b8 100644 --- a/client/get-consistency-proof/main.go +++ b/client/get-consistency-proof/main.go @@ -5,51 +5,63 @@ import ( "flag" "fmt" + "encoding/base64" "net/http" "github.com/golang/glog" "github.com/system-transparency/stfe" "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/descriptor" ) var ( operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") - first = flag.String("first", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jnn7fwAAAAAAAAAxICCqLJn4QWYd0aRIRjDWGf4GWalDIb/iH60jSSX89WgvAAAAQF9XPFRdM56KaelHFFg1RqjTw1yFL085zHhdNkLeZh9BCXxVTByqrHEMngAkY69EX45aJMWh9NymmPau0qoigA8=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1") - second = flag.String("second", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jsZrygAAAAAAAABFIL7Zz0WEolql7o7G496Izl7Qy/l2Qd/Pwc87W8jFPoL6AAAAQHc7ttIDUKuMJR7uqCLb3qqAxiwEN5KLt/7IblT7f+QaKq4BqqI3cO6vT3eMSZMHZDd4EkgvkAwo1o7IsA4N8Qc=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1") + logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") + first = flag.String("first", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TqQQZAAAAAAAAACEIEV75viH3o4llUxCqwoTvY38vKUiv2lg4uFd1jTfcCC5AAAAQBoc5JvG6AovqHjZAU77zrsrIN8ZuR3DIwYAFD2mcvyI/b2KcIPxH6XQ7+zTnGJPWfgwvI5sCuu/MBAAHEzZzQk=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1") + second = flag.String("second", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3TrZf7gAAAAAAAACJIEl/yYdMBb6st/D4yQXRXIAphR7i2y10jB/BbnQljy8rAAAAQBzYrWNidZ8bCdaHqi5zgxGJ6HQNfYihDhRQy20lu36a/yxKqgrvoH+dv969c4aeBEAGz5TSSAn5CwqmqUFSAQo=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1") ) func main() { flag.Parse() - cli, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true) + cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) if err != nil { glog.Fatal(err) } - - k, err := cli.Log.Key() + ns, err := cli.Log.Namespace() if err != nil { - glog.Fatalf("bad public key: %v", err) + glog.Fatalf("bad log namespace: %v", err) } + // Check first STH var sth1 stfe.StItem if err := sth1.UnmarshalB64(*first); err != nil { glog.Fatalf("bad signed tree head: %v", err) } - if err := client.VerifySignedTreeHeadV1(&sth1, cli.Log.Scheme, k); err != nil { + th1, err := sth1.SignedTreeHeadV1.TreeHead.Marshal() + if err != nil { + glog.Fatalf("cannot marshal tree head: %v", err) + } + if err := ns.Verify(th1, sth1.SignedTreeHeadV1.Signature); err != nil { glog.Fatalf("bad signed tree head: %v", err) } glog.V(3).Info("verified first sth") + // Check second STH var sth2 stfe.StItem if err := sth2.UnmarshalB64(*second); err != nil { glog.Fatalf("bad signed tree head: %v", err) } - if err := client.VerifySignedTreeHeadV1(&sth2, cli.Log.Scheme, k); err != nil { + th2, err := sth2.SignedTreeHeadV1.TreeHead.Marshal() + if err != nil { + glog.Fatalf("cannot marshal tree head: %v", err) + } + if err := ns.Verify(th2, sth2.SignedTreeHeadV1.Signature); err != nil { glog.Fatalf("bad signed tree head: %v", err) } glog.V(3).Info("verified second sth") + // Check consistency proof, err := cli.GetConsistencyProof(context.Background(), &sth1, &sth2) if err != nil { glog.Fatalf("get-proof-by-hash failed: %v", err) @@ -64,3 +76,19 @@ func main() { glog.Flush() } + +func mustLoad(operators, logId string) *descriptor.Log { + ops, err := descriptor.LoadOperators(operators) + if err != nil { + glog.Fatalf("failed loading log operators: %v") + } + id, err := base64.StdEncoding.DecodeString(logId) + if err != nil { + glog.Fatalf("invalid base64 log id: %v", err) + } + log, err := descriptor.FindLog(ops, id) + if err != nil { + glog.Fatalf("unknown log id: %v", err) + } + return log +} diff --git a/client/get-entries/main.go b/client/get-entries/main.go index 511d53d..1500cd0 100644 --- a/client/get-entries/main.go +++ b/client/get-entries/main.go @@ -5,24 +5,26 @@ import ( "flag" "fmt" + "encoding/base64" "net/http" "github.com/golang/glog" "github.com/system-transparency/stfe" "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/descriptor" ) var ( operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") - start = flag.Uint64("start", 50, "inclusive start index to download") - end = flag.Uint64("end", 60, "inclusive stop index to download") + logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") + start = flag.Uint64("start", 132, "inclusive start index to download") + end = flag.Uint64("end", 137, "inclusive stop index to download") ) func main() { flag.Parse() - if client, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true); err != nil { + if client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil); err != nil { glog.Fatal(err) } else if items, err := getRange(client, *start, *end); err != nil { glog.Fatal(err) @@ -66,3 +68,19 @@ func printRange(items []*stfe.StItem) error { } return nil } + +func mustLoad(operators, logId string) *descriptor.Log { + ops, err := descriptor.LoadOperators(operators) + if err != nil { + glog.Fatalf("failed loading log operators: %v") + } + id, err := base64.StdEncoding.DecodeString(logId) + if err != nil { + glog.Fatalf("invalid base64 log id: %v", err) + } + log, err := descriptor.FindLog(ops, id) + if err != nil { + glog.Fatalf("unknown log id: %v", err) + } + return log +} diff --git a/client/get-proof-by-hash/main.go b/client/get-proof-by-hash/main.go index 964bcda..00a4486 100644 --- a/client/get-proof-by-hash/main.go +++ b/client/get-proof-by-hash/main.go @@ -11,34 +11,43 @@ import ( "github.com/golang/glog" "github.com/system-transparency/stfe" "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/descriptor" ) var ( operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") - signedTreeHead = flag.String("sth", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jnn7fwAAAAAAAAAxICCqLJn4QWYd0aRIRjDWGf4GWalDIb/iH60jSSX89WgvAAAAQF9XPFRdM56KaelHFFg1RqjTw1yFL085zHhdNkLeZh9BCXxVTByqrHEMngAkY69EX45aJMWh9NymmPau0qoigA8=", "base64-encoded StItem of type StFormatSignedTreeHeadV1") - entry = flag.String("entry", "AAUBOCAsYkIyzdIhdxKU37sxCsoACg32rItmtpbZDvBv3vtkow==", "base64-encoded StItem of type StFormatChecksumV1") + logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") + signedTreeHead = flag.String("sth", "AAEjAAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGcAAAF3Ts1DPAAAAAAAAACKIOjuyYlimCylCNmIliPWn+O+oOPpvdtllbJnp+xKV3qhAAAAQKW2+4+3a2cgERULDrbwoeevo6q1JxY8mcj73XPLAhcmlR/YmtuWv6PEJYiLP/bclN6ZQ5ttQq1/9hG+VvgLvA4=", "base64-encoded StItem of type StFormatSignedTreeHeadV1") + entry = flag.String("entry", "AAUFZGViaTYw50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75eAAEgHOQFUkKNWpjYAhNKTyWCzahlI7RDtf5123kHD2LACj0=", "base64-encoded StItem of type StFormatChecksumV1") ) func main() { flag.Parse() - cli, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true) + cli, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) if err != nil { glog.Fatal(err) } + ns, err := cli.Log.Namespace() + if err != nil { + glog.Fatalf("bad log namespace: %v", err) + } + // Check STH var sth stfe.StItem if err := sth.UnmarshalB64(*signedTreeHead); err != nil { glog.Fatalf("bad signed tree head: %v", err) } - if k, err := cli.Log.Key(); err != nil { - glog.Fatalf("bad public key: %v", err) - } else if err := client.VerifySignedTreeHeadV1(&sth, cli.Log.Scheme, k); err != nil { + th, err := sth.SignedTreeHeadV1.TreeHead.Marshal() + if err != nil { + glog.Fatalf("cannot marshal tree head: %v", err) + } + if err := ns.Verify(th, sth.SignedTreeHeadV1.Signature); err != nil { glog.Fatalf("bad signed tree head: %v", err) } glog.V(3).Info("verified sth") + // Check inclusion leaf, err := base64.StdEncoding.DecodeString(*entry) if err != nil { glog.Fatalf("failed decoding entry: %v", err) @@ -57,3 +66,19 @@ func main() { glog.Flush() } + +func mustLoad(operators, logId string) *descriptor.Log { + ops, err := descriptor.LoadOperators(operators) + if err != nil { + glog.Fatalf("failed loading log operators: %v") + } + id, err := base64.StdEncoding.DecodeString(logId) + if err != nil { + glog.Fatalf("invalid base64 log id: %v", err) + } + log, err := descriptor.FindLog(ops, id) + if err != nil { + glog.Fatalf("unknown log id: %v", err) + } + return log +} diff --git a/client/get-sth/main.go b/client/get-sth/main.go index d13746b..e952ee3 100644 --- a/client/get-sth/main.go +++ b/client/get-sth/main.go @@ -5,24 +5,27 @@ import ( "flag" "fmt" + "encoding/base64" "net/http" "github.com/golang/glog" "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/descriptor" ) var ( operators = flag.String("operators", "../../descriptor/stfe.json", "path to json-encoded list of log operators") - logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") + logId = flag.String("log_id", "AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", "base64-encoded log identifier") ) func main() { flag.Parse() - client, err := client.NewClientFromPath(*logId, "", "", *operators, &http.Client{}, true) + client, err := client.NewClient(mustLoad(*operators, *logId), &http.Client{}, true, nil) if err != nil { glog.Fatal(err) } + sth, err := client.GetSth(context.Background()) if err != nil { glog.Fatalf("get-sth failed: %v", err) @@ -36,3 +39,19 @@ func main() { glog.Flush() } + +func mustLoad(operators, logId string) *descriptor.Log { + ops, err := descriptor.LoadOperators(operators) + if err != nil { + glog.Fatalf("failed loading log operators: %v") + } + id, err := base64.StdEncoding.DecodeString(logId) + if err != nil { + glog.Fatalf("invalid base64 log id: %v", err) + } + log, err := descriptor.FindLog(ops, id) + if err != nil { + glog.Fatalf("unknown log id: %v", err) + } + return log +} diff --git a/client/verify.go b/client/verify.go index d9c18bf..3ce02e7 100644 --- a/client/verify.go +++ b/client/verify.go @@ -1,58 +1,11 @@ package client import ( - "fmt" - - "crypto" - "crypto/ed25519" - "crypto/tls" - "github.com/google/trillian/merkle" "github.com/google/trillian/merkle/rfc6962" "github.com/system-transparency/stfe" ) -// VerifySignedDebugInfoV1 verifies an SDI signature -func VerifySignedDebugInfoV1(sdi *stfe.StItem, scheme tls.SignatureScheme, key crypto.PublicKey, message []byte) error { - if err := supportedScheme(scheme, key); err != nil { - return err - } - if !ed25519.Verify(key.(ed25519.PublicKey), message, sdi.SignedDebugInfoV1.Signature) { - return fmt.Errorf("bad signature") - } - return nil -} - -// VerifySignedTreeHeadV1 verifies an STH signature -func VerifySignedTreeHeadV1(sth *stfe.StItem, scheme tls.SignatureScheme, key crypto.PublicKey) error { - serialized, err := sth.SignedTreeHeadV1.TreeHead.Marshal() - if err != nil { - return fmt.Errorf("failed marshaling tree head: %v", err) - } - if err := supportedScheme(scheme, key); err != nil { - return err - } - if !ed25519.Verify(key.(ed25519.PublicKey), serialized, sth.SignedTreeHeadV1.Signature) { - return fmt.Errorf("bad signature") - } - return nil -} - -// VerifyChecksumV1 verifies a checksum signature -func VerifyChecksumV1(checksum *stfe.StItem, key crypto.PublicKey, signature []byte, scheme tls.SignatureScheme) error { - serialized, err := checksum.Marshal() - if err != nil { - return fmt.Errorf("failed marshaling StItem: %v", err) - } - if err := supportedScheme(scheme, key); err != nil { - return err - } - if !ed25519.Verify(key.(ed25519.PublicKey), serialized, signature) { - return fmt.Errorf("bad signature") - } - return nil -} - // VerifyConsistencyProofV1 verifies that a consistency proof is valid without // checking any sth signature func VerifyConsistencyProofV1(proof, first, second *stfe.StItem) error { @@ -84,15 +37,3 @@ func VerifyInclusionProofV1(proof *stfe.StItem, rootHash, leafHash []byte) error leafHash, ) } - -// supportedScheme checks whether the client library supports the log's -// signature scheme and public key type -func supportedScheme(scheme tls.SignatureScheme, key crypto.PublicKey) error { - if _, ok := key.(ed25519.PublicKey); ok && scheme == tls.Ed25519 { - return nil - } - switch t := key.(type) { - default: - return fmt.Errorf("unsupported scheme(%v) and key(%v)", scheme, t) - } -} diff --git a/descriptor/descriptor.go b/descriptor/descriptor.go index 1879cd8..efe2cf1 100644 --- a/descriptor/descriptor.go +++ b/descriptor/descriptor.go @@ -4,12 +4,11 @@ import ( "bytes" "fmt" - "crypto" - "crypto/tls" - "crypto/x509" "encoding/base64" "encoding/json" "io/ioutil" + + "github.com/system-transparency/stfe/namespace" ) // Operator is an stfe log operator that runs zero or more logs @@ -21,12 +20,9 @@ type Operator struct { // Log is a collection of immutable stfe log parameters type Log struct { - Id []byte `json:"id"` // H(PublicKey) - PublicKey []byte `json:"public_key"` // DER-encoded SubjectPublicKeyInfo - Scheme tls.SignatureScheme `json:"signature_scheme"` // Signature schemes used by the log (RFC 8446, §4.2.3) - Schemes []tls.SignatureScheme `json:"signature_schemes"` // Signature schemes that submitters can use (RFC 8446, §4.2.3) - MaxChain uint8 `json:"max_chain"` // maximum certificate chain length - BaseUrl string `json:"base_url"` // E.g., example.com/st/v1 + Id []byte `json:"id"` // Serialized namespace + BaseUrl string `json:"base_url"` // E.g., example.com/st/v1 + // TODO: List of supported namespace types? } func FindLog(ops []Operator, logId []byte) (*Log, error) { @@ -53,7 +49,10 @@ func LoadOperators(path string) ([]Operator, error) { return ops, nil } -// Key parses the log's public key -func (l *Log) Key() (crypto.PublicKey, error) { - return x509.ParsePKIXPublicKey(l.PublicKey) +func (l *Log) Namespace() (*namespace.Namespace, error) { + var n namespace.Namespace + if err := n.Unmarshal(l.Id); err != nil { + return nil, fmt.Errorf("invalid namespace: %v", err) + } + return &n, nil } diff --git a/descriptor/descriptor_test.go b/descriptor/descriptor_test.go index d01fc66..22641ca 100644 --- a/descriptor/descriptor_test.go +++ b/descriptor/descriptor_test.go @@ -4,14 +4,12 @@ import ( "fmt" "testing" - "crypto/sha256" - "crypto/tls" "encoding/base64" "encoding/json" ) const ( - operatorListJson = `[{"name":"Test operator","email":"test@example.com","logs":[{"id":"B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=","public_key":"MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0=","signature_scheme":2055,"signature_schemes":[2055],"max_chain":3,"base_url":"example.com/st/v1"}]}]` + operatorListJson = `[{"name":"Test operator","email":"test@example.com","logs":[{"id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=","base_url":"example.com/st/v1"}]}]` ) func TestMarshal(t *testing.T) { @@ -52,7 +50,7 @@ func TestFindLog(t *testing.T) { logId []byte wantError bool }{ - {makeOperatorList(), deb64("B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM="), false}, + {makeOperatorList(), deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), false}, {makeOperatorList(), []byte{0, 1, 2, 3}, true}, } { _, err := FindLog(table.ops, table.logId) @@ -62,24 +60,39 @@ func TestFindLog(t *testing.T) { } } +func TestNamespace(t *testing.T) { + for _, table := range []struct { + description string + id []byte + wantErr bool + }{ + { + description: "invalid: not a namespace", + id: []byte{0,1,2,3}, + wantErr: true, + }, + { + description: "valid", + id: deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), + }, + }{ + l := &Log{ Id: table.id, BaseUrl: "example.com/st/v1" } + _, err := l.Namespace() + if got, want := err != nil, table.wantErr; got != want { + t.Errorf("wanted error %v but got %v in test %q: %v", got, want, table.description, err) + return + } + } +} + func makeOperatorList() []Operator { - pub := deb64("MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0=") - h := sha256.New() - h.Write(pub) - id := h.Sum(nil) return []Operator{ Operator{ Name: "Test operator", Email: "test@example.com", Logs: []*Log{ &Log{ - Id: id, - PublicKey: pub, - Scheme: tls.Ed25519, - Schemes: []tls.SignatureScheme{ - tls.Ed25519, - }, - MaxChain: 3, + Id: deb64("AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc="), BaseUrl: "example.com/st/v1", }, }, diff --git a/descriptor/stfe.json b/descriptor/stfe.json index d987c47..34f884b 100644 --- a/descriptor/stfe.json +++ b/descriptor/stfe.json @@ -1,18 +1,12 @@ [ - { - "name": "Test operator", - "email": "test@example.com", - "logs": [ - { - "max_chain": 3, - "id": "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", - "signature_schemes": [ - 2055 - ], - "base_url": "localhost:6965/st/v1", - "signature_scheme": 2055, - "public_key": "MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0=" - } - ] - } + { + "name": "Test operator", + "email":"test@example.com", + "logs": [ + { + "id":"AAEgFKl1V+J3ib3Aav86UgGD7GRRtcKIdDhgc0G4vVD/TGc=", + "base_url":"localhost:6965/st/v1" + } + ] + } ] diff --git a/trillian.go b/trillian.go index c20901f..233d5e8 100644 --- a/trillian.go +++ b/trillian.go @@ -24,7 +24,7 @@ func checkQueueLeaf(rsp *trillian.QueueLeafResponse, err error) error { func checkGetLeavesByRange(req *GetEntriesRequest, rsp *trillian.GetLeavesByRangeResponse, err error) (int, error) { if err != nil || rsp == nil || len(rsp.Leaves) == 0 || rsp.SignedLogRoot == nil || rsp.SignedLogRoot.LogRoot == nil { - return http.StatusInternalServerError, fmt.Errorf("%v", err) + return http.StatusInternalServerError, fmt.Errorf("%v", err) // TODO: break up into multiple returns? } if len(rsp.Leaves) > int(req.End-req.Start+1) { return http.StatusInternalServerError, fmt.Errorf("too many leaves: %d for [%d,%d]", len(rsp.Leaves), req.Start, req.End) -- cgit v1.2.3