From 9012af09dec4f2bfec7b71a444df19f9b97352ed Mon Sep 17 00:00:00 2001 From: Dan Lorenc Date: Mon, 13 Sep 2021 19:07:05 -0500 Subject: [PATCH] Cleanup some initialization/flag parsing in rekor-server. This is in preparation for supporting multiple logIDs (for sharding). Signed-off-by: Dan Lorenc --- pkg/api/api.go | 28 ++++++++-------------------- pkg/api/timestamp.go | 9 --------- pkg/api/trillian_client.go | 22 ++++++++++++---------- 3 files changed, 20 insertions(+), 39 deletions(-) diff --git a/pkg/api/api.go b/pkg/api/api.go index 3429aa0ee..8468f7afe 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -25,7 +25,6 @@ import ( "time" "github.com/google/trillian" - "github.com/google/trillian/client" radix "github.com/mediocregopher/radix/v4" "github.com/pkg/errors" "github.com/spf13/viper" @@ -61,7 +60,6 @@ type API struct { tsaSigner signature.Signer // the signer to use for timestamping certChain []*x509.Certificate // timestamping cert chain certChainPem string // PEM encoded timestamping cert chain - verifier *client.LogVerifier } func NewAPI() (*API, error) { @@ -85,13 +83,6 @@ func NewAPI() (*API, error) { tLogID = t.TreeId } - t, err := logAdminClient.GetTree(ctx, &trillian.GetTreeRequest{ - TreeId: tLogID, - }) - if err != nil { - return nil, errors.Wrap(err, "get tree") - } - rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer")) if err != nil { return nil, errors.Wrap(err, "getting new signer") @@ -108,11 +99,6 @@ func NewAPI() (*API, error) { pubkey := cryptoutils.PEMEncode(cryptoutils.PublicKeyPEMType, b) - verifier, err := client.NewLogVerifierFromTree(t) - if err != nil { - return nil, errors.Wrap(err, "new verifier") - } - // Use an in-memory key for timestamping tsaSigner, err := signer.New(ctx, signer.MemoryScheme) if err != nil { @@ -146,15 +132,17 @@ func NewAPI() (*API, error) { } return &API{ - logClient: logClient, - logID: tLogID, - pubkey: string(pubkey), - pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]), - signer: rekorSigner, + // Transparency Log Stuff + logClient: logClient, + logID: tLogID, + // Signing/verifying fields + pubkey: string(pubkey), + pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]), + signer: rekorSigner, + // TSA signing stuff tsaSigner: tsaSigner, certChain: certChain, certChainPem: string(certChainPem), - verifier: verifier, }, nil } diff --git a/pkg/api/timestamp.go b/pkg/api/timestamp.go index 30d003e1a..20f020940 100644 --- a/pkg/api/timestamp.go +++ b/pkg/api/timestamp.go @@ -24,7 +24,6 @@ import ( "net/http" "github.com/go-openapi/runtime/middleware" - "github.com/pkg/errors" "github.com/sassoftware/relic/lib/pkcs9" "github.com/sigstore/rekor/pkg/generated/restapi/operations/entries" "github.com/sigstore/rekor/pkg/generated/restapi/operations/timestamp" @@ -47,11 +46,6 @@ func RequestFromRekor(ctx context.Context, req pkcs9.TimeStampReq) ([]byte, erro } func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middleware.Responder { - // Fail early if we don't haven't configured rekor with a certificate for timestamping. - if len(api.certChain) == 0 { - return handleRekorAPIError(params, http.StatusNotImplemented, errors.New("rekor is not configured to serve timestamps"), "") - } - // TODO: Add support for in-house JSON based timestamp response. requestBytes, err := ioutil.ReadAll(params.Request) if err != nil { @@ -96,8 +90,5 @@ func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middl } func GetTimestampCertChainHandler(params timestamp.GetTimestampCertChainParams) middleware.Responder { - if len(api.certChain) == 0 { - return handleRekorAPIError(params, http.StatusNotFound, errors.New("rekor is not configured with a timestamping certificate"), "") - } return timestamp.NewGetTimestampCertChainOK().WithPayload(api.certChainPem) } diff --git a/pkg/api/trillian_client.go b/pkg/api/trillian_client.go index 2be6b6e91..a9a13487b 100644 --- a/pkg/api/trillian_client.go +++ b/pkg/api/trillian_client.go @@ -23,6 +23,7 @@ import ( "github.com/google/trillian/merkle/logverifier" "github.com/google/trillian/merkle/rfc6962/hasher" + rfc6962 "github.com/google/trillian/merkle/rfc6962/hasher" "github.com/pkg/errors" "google.golang.org/grpc/codes" @@ -35,18 +36,16 @@ import ( ) type TrillianClient struct { - client trillian.TrillianLogClient - logID int64 - context context.Context - verifier *client.LogVerifier + client trillian.TrillianLogClient + logID int64 + context context.Context } func NewTrillianClient(ctx context.Context) TrillianClient { return TrillianClient{ - client: api.logClient, - logID: api.logID, - context: ctx, - verifier: api.verifier, + client: api.logClient, + logID: api.logID, + context: ctx, } } @@ -102,7 +101,8 @@ func (t *TrillianClient) addLeaf(byteValue []byte) *Response { getAddResult: resp, } } - logClient := client.New(t.logID, t.client, t.verifier, root) + v := client.NewLogVerifier(rfc6962.DefaultHasher) + logClient := client.New(t.logID, t.client, v, root) waitForInclusion := func(ctx context.Context, leafHash []byte) *Response { if logClient.MinMergeDelay > 0 { @@ -252,8 +252,10 @@ func (t *TrillianClient) getProofByHash(hashValue []byte) *Response { }) if resp != nil { + v := client.NewLogVerifier(rfc6962.DefaultHasher) for _, proof := range resp.Proof { - if err := t.verifier.VerifyInclusionByHash(&root, hashValue, proof); err != nil { + + if err := v.VerifyInclusionByHash(&root, hashValue, proof); err != nil { return &Response{ status: status.Code(err), err: err,