
Cleanup some initialization/flag parsing in rekor-server.
This is in preparation for supporting multiple logIDs (for sharding).

Signed-off-by: Dan Lorenc <[email protected]>
Dan Lorenc committed Sep 14, 2021
1 parent 11a91be commit f33d5ee
Showing 3 changed files with 20 additions and 40 deletions.
29 changes: 8 additions & 21 deletions pkg/api/api.go
Expand Up @@ -25,7 +25,6 @@ import (
"time"

"github.com/google/trillian"
"github.com/google/trillian/client"
radix "github.com/mediocregopher/radix/v4"
"github.com/pkg/errors"
"github.com/spf13/viper"
Expand Down Expand Up @@ -61,7 +60,6 @@ type API struct {
tsaSigner signature.Signer // the signer to use for timestamping
certChain []*x509.Certificate // timestamping cert chain
certChainPem string // PEM encoded timestamping cert chain
verifier *client.LogVerifier
}

func NewAPI() (*API, error) {
Expand All @@ -85,13 +83,6 @@ func NewAPI() (*API, error) {
tLogID = t.TreeId
}

t, err := logAdminClient.GetTree(ctx, &trillian.GetTreeRequest{
TreeId: tLogID,
})
if err != nil {
return nil, errors.Wrap(err, "get tree")
}

rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"))
if err != nil {
return nil, errors.Wrap(err, "getting new signer")
Expand All @@ -108,11 +99,6 @@ func NewAPI() (*API, error) {

pubkey := cryptoutils.PEMEncode(cryptoutils.PublicKeyPEMType, b)

verifier, err := client.NewLogVerifierFromTree(t)
if err != nil {
return nil, errors.Wrap(err, "new verifier")
}

// Use an in-memory key for timestamping
tsaSigner, err := signer.New(ctx, signer.MemoryScheme)
if err != nil {
Expand Down Expand Up @@ -146,15 +132,16 @@ func NewAPI() (*API, error) {
}

return &API{
logClient: logClient,
logID: tLogID,
pubkey: string(pubkey),
pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]),
signer: rekorSigner,
// Transparency Log Stuff
logClient: logClient,
logID: tLogID,
// Signing/verifying fields
pubkey: string(pubkey),
pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]),
signer: rekorSigner,
// TSA signing stuff
tsaSigner: tsaSigner,
certChain: certChain,
certChainPem: string(certChainPem),
verifier: verifier,
}, nil
}

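Review bot: With the GetTree call dropped from NewAPI, nothing at startup confirms that the tree ID held in tLogID exists on the Trillian server; the removed call was, as far as the visible hunks show, the only boot-time check of that value, so a misconfigured ID presumably now fails on the first log request instead of at process start. If that is the intended trade-off for the multi-log work mentioned in the description, a one-line comment above `rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"))` such as `// The tree ID is not validated here; it is checked lazily by the Trillian client on first use.` would make the change deliberate for the next reader. The same removal takes the verifier off the API struct, which moves verifier construction into each TrillianClient call (trillian_client.go); see the note there. NewAPI begins before the first hunk that touches it and its body continues outside the hunks shown.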
9 changes: 0 additions & 9 deletions pkg/api/timestamp.go
Expand Up @@ -24,7 +24,6 @@ import (
"net/http"

"github.com/go-openapi/runtime/middleware"
"github.com/pkg/errors"
"github.com/sassoftware/relic/lib/pkcs9"
"github.com/sigstore/rekor/pkg/generated/restapi/operations/entries"
"github.com/sigstore/rekor/pkg/generated/restapi/operations/timestamp"
Expand All @@ -47,11 +46,6 @@ func RequestFromRekor(ctx context.Context, req pkcs9.TimeStampReq) ([]byte, erro
}

func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middleware.Responder {
// Fail early if we don't haven't configured rekor with a certificate for timestamping.
if len(api.certChain) == 0 {
return handleRekorAPIError(params, http.StatusNotImplemented, errors.New("rekor is not configured to serve timestamps"), "")
}

// TODO: Add support for in-house JSON based timestamp response.
requestBytes, err := ioutil.ReadAll(params.Request)
if err != nil {
Expand Down Expand Up @@ -96,8 +90,5 @@ func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middl
}

func GetTimestampCertChainHandler(params timestamp.GetTimestampCertChainParams) middleware.Responder {
if len(api.certChain) == 0 {
return handleRekorAPIError(params, http.StatusNotFound, errors.New("rekor is not configured with a timestamping certificate"), "")
}
return timestamp.NewGetTimestampCertChainOK().WithPayload(api.certChainPem)
}
22 changes: 12 additions & 10 deletions pkg/api/trillian_client.go
Expand Up @@ -23,6 +23,7 @@ import (

"github.com/google/trillian/merkle/logverifier"
"github.com/google/trillian/merkle/rfc6962/hasher"
rfc6962 "github.com/google/trillian/merkle/rfc6962/hasher"
"github.com/pkg/errors"

"google.golang.org/grpc/codes"
Expand All @@ -35,18 +36,16 @@ import (
)

type TrillianClient struct {
client trillian.TrillianLogClient
logID int64
context context.Context
verifier *client.LogVerifier
client trillian.TrillianLogClient
logID int64
context context.Context
}

func NewTrillianClient(ctx context.Context) TrillianClient {
return TrillianClient{
client: api.logClient,
logID: api.logID,
context: ctx,
verifier: api.verifier,
client: api.logClient,
logID: api.logID,
context: ctx,
}
}

Expand Down Expand Up @@ -102,7 +101,8 @@ func (t *TrillianClient) addLeaf(byteValue []byte) *Response {
getAddResult: resp,
}
}
logClient := client.New(t.logID, t.client, t.verifier, root)
v := client.NewLogVerifier(rfc6962.DefaultHasher)
logClient := client.New(t.logID, t.client, v, root)

waitForInclusion := func(ctx context.Context, leafHash []byte) *Response {
if logClient.MinMergeDelay > 0 {
Expand Down Expand Up @@ -252,8 +252,10 @@ func (t *TrillianClient) getProofByHash(hashValue []byte) *Response {
})

if resp != nil {
v := client.NewLogVerifier(rfc6962.DefaultHasher)
for _, proof := range resp.Proof {
if err := t.verifier.VerifyInclusionByHash(&root, hashValue, proof); err != nil {

if err := v.VerifyInclusionByHash(&root, hashValue, proof); err != nil {
return &Response{
status: status.Code(err),
err: err,
