From 2ad1e255d7909376bec16dc874e51be5b2629273 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Tue, 3 Nov 2020 16:45:51 +0100 Subject: added client-side consistency proof verification --- client/client.go | 31 ++++++++++++++---- client/get-consistency-proof/main.go | 62 ++++++++++++++++++++++++++++++++++++ client/verify.go | 19 ++++++++++- 3 files changed, 105 insertions(+), 7 deletions(-) create mode 100644 client/get-consistency-proof/main.go (limited to 'client') diff --git a/client/client.go b/client/client.go index 5209a83..864afb4 100644 --- a/client/client.go +++ b/client/client.go @@ -130,8 +130,29 @@ func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) { return item, nil } -func (c *Client) GetConsistencyProof(ctx context.Context, first, second uint64) (*stfe.StItem, error) { - return nil, fmt.Errorf("TODO") +func (c *Client) GetConsistencyProof(ctx context.Context, first, second *stfe.StItem) (*stfe.StItem, error) { + req, err := http.NewRequest("GET", c.protocol()+c.Log.BaseUrl+"/get-consistency-proof", nil) + if err != nil { + return nil, fmt.Errorf("failed creating http request: %v", err) + } + req.Header.Set("Content-Type", "application/json") + q := req.URL.Query() + q.Add("first", fmt.Sprintf("%d", first.SignedTreeHeadV1.TreeHead.TreeSize)) + q.Add("second", fmt.Sprintf("%d", second.SignedTreeHeadV1.TreeHead.TreeSize)) + req.URL.RawQuery = q.Encode() + glog.V(2).Infof("created http request: %s %s", req.Method, req.URL) + + item, err := c.doRequestWithStItemResponse(ctx, req) + if err != nil { + return nil, err + } + if item.Format != stfe.StFormatConsistencyProofV1 { + return nil, fmt.Errorf("bad StItem format: %v", item.Format) + } + if err := VerifyConsistencyProofV1(item, first, second); err != nil { + return nil, fmt.Errorf("bad consistency proof: %v", err) + } + return item, nil } func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, leaf []byte) (*stfe.StItem, error) { @@ -161,13 +182,11 @@ func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, rootHash, } func (c *Client) GetEntries(ctx context.Context, start, end uint64) (*stfe.StItem, error) { - glog.V(2).Info("creating get-entries request") - return nil, fmt.Errorf("TODO") + return nil, fmt.Errorf("TODO: Client.GetEntries()") } func (c *Client) GetAnchors(ctx context.Context, start, end uint64) ([]*x509.Certificate, error) { - glog.V(2).Info("creating get-anchors request") - return nil, fmt.Errorf("TODO") + return nil, fmt.Errorf("TODO: Client.GetAnchors()") } func (c *Client) b64Chain() []string { diff --git a/client/get-consistency-proof/main.go b/client/get-consistency-proof/main.go new file mode 100644 index 0000000..49c45f1 --- /dev/null +++ b/client/get-consistency-proof/main.go @@ -0,0 +1,62 @@ +package main + +import ( + "context" + "flag" + "fmt" + + "net/http" + + "github.com/golang/glog" + "github.com/system-transparency/stfe" + "github.com/system-transparency/stfe/client" +) + +var ( + operators = flag.String("operators", "../../server/descriptor/stfe.json", "path to json-encoded list of log operators") + logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") + chain = flag.String("chain", "../../server/testdata/chain/ee.pem", "path to pem-encoded certificate chain that the log accepts") + first = flag.String("first", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jnn7fwAAAAAAAAAxICCqLJn4QWYd0aRIRjDWGf4GWalDIb/iH60jSSX89WgvAAAAQF9XPFRdM56KaelHFFg1RqjTw1yFL085zHhdNkLeZh9BCXxVTByqrHEMngAkY69EX45aJMWh9NymmPau0qoigA8=", "first base64-encoded StItem of type StFormatSignedTreeHeadV1") + second = flag.String("second", "AAEgB9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPMAAAF1jsZrygAAAAAAAABFIL7Zz0WEolql7o7G496Izl7Qy/l2Qd/Pwc87W8jFPoL6AAAAQHc7ttIDUKuMJR7uqCLb3qqAxiwEN5KLt/7IblT7f+QaKq4BqqI3cO6vT3eMSZMHZDd4EkgvkAwo1o7IsA4N8Qc=", "second base64-encoded StItem of type StFormatSignedTreeHeadV1") +) + +func main() { + flag.Parse() + + cli, err := client.NewClientFromPath(*logId, *chain, "", *operators, &http.Client{}, true) + if err != nil { + glog.Fatal(err) + } + + var sth1 stfe.StItem + if err := sth1.UnmarshalB64(*first); err != nil { + glog.Fatalf("bad signed tree head: %v", err) + } + if err := client.VerifySignedTreeHeadV1(&sth1, cli.Log.Scheme, cli.Log.Key()); err != nil { + glog.Fatalf("bad signed tree head: %v", err) + } + glog.V(3).Info("verified first sth") + + var sth2 stfe.StItem + if err := sth2.UnmarshalB64(*second); err != nil { + glog.Fatalf("bad signed tree head: %v", err) + } + if err := client.VerifySignedTreeHeadV1(&sth2, cli.Log.Scheme, cli.Log.Key()); err != nil { + glog.Fatalf("bad signed tree head: %v", err) + } + glog.V(3).Info("verified second sth") + + proof, err := cli.GetConsistencyProof(context.Background(), &sth1, &sth2) + if err != nil { + glog.Fatalf("get-proof-by-hash failed: %v", err) + } + glog.V(3).Info("verified inclusion proof") + + str, err := proof.MarshalB64() + if err != nil { + glog.Fatalf("failed encoding valid inclusion proof: %v", err) + } + fmt.Println(str) + + glog.Flush() +} diff --git a/client/verify.go b/client/verify.go index 3668bf2..b5257ac 100644 --- a/client/verify.go +++ b/client/verify.go @@ -44,7 +44,24 @@ func VerifySignedTreeHeadV1(sth *stfe.StItem, scheme tls.SignatureScheme, key cr return nil } -// VerifyInclusionProofV1 verifies that an inclusion proof is valid +// VerifyConsistencyProofV1 verifies that a consistency proof is valid without +// checking any sth signature +func VerifyConsistencyProofV1(proof, first, second *stfe.StItem) error { + path := make([][]byte, 0, len(proof.ConsistencyProofV1.ConsistencyPath)) + for _, nh := range proof.ConsistencyProofV1.ConsistencyPath { + path = append(path, nh.Data) + } + return merkle.NewLogVerifier(rfc6962.DefaultHasher).VerifyConsistencyProof( + int64(proof.ConsistencyProofV1.TreeSize1), + int64(proof.ConsistencyProofV1.TreeSize2), + first.SignedTreeHeadV1.TreeHead.RootHash.Data, + second.SignedTreeHeadV1.TreeHead.RootHash.Data, + path, + ) +} + +// VerifyInclusionProofV1 verifies that an inclusion proof is valid without checking +// any sth signature func VerifyInclusionProofV1(proof *stfe.StItem, rootHash, leafHash []byte) error { path := make([][]byte, 0, len(proof.InclusionProofV1.InclusionPath)) for _, nh := range proof.InclusionProofV1.InclusionPath { -- cgit v1.2.3