Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cleanup some initialization/flag parsing in rekor-server. #433

Merged
merged 1 commit into from
Sep 14, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 8 additions & 20 deletions pkg/api/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@ import (
"time"

"github.com/google/trillian"
"github.com/google/trillian/client"
radix "github.com/mediocregopher/radix/v4"
"github.com/pkg/errors"
"github.com/spf13/viper"
Expand Down Expand Up @@ -61,7 +60,6 @@ type API struct {
tsaSigner signature.Signer // the signer to use for timestamping
certChain []*x509.Certificate // timestamping cert chain
certChainPem string // PEM encoded timestamping cert chain
verifier *client.LogVerifier
}

func NewAPI() (*API, error) {
Expand All @@ -85,13 +83,6 @@ func NewAPI() (*API, error) {
tLogID = t.TreeId
}

t, err := logAdminClient.GetTree(ctx, &trillian.GetTreeRequest{
TreeId: tLogID,
})
if err != nil {
return nil, errors.Wrap(err, "get tree")
}

rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"))
if err != nil {
return nil, errors.Wrap(err, "getting new signer")
Expand All @@ -108,11 +99,6 @@ func NewAPI() (*API, error) {

pubkey := cryptoutils.PEMEncode(cryptoutils.PublicKeyPEMType, b)

verifier, err := client.NewLogVerifierFromTree(t)
if err != nil {
return nil, errors.Wrap(err, "new verifier")
}

// Use an in-memory key for timestamping
tsaSigner, err := signer.New(ctx, signer.MemoryScheme)
if err != nil {
Expand Down Expand Up @@ -146,15 +132,17 @@ func NewAPI() (*API, error) {
}

return &API{
logClient: logClient,
logID: tLogID,
pubkey: string(pubkey),
pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]),
signer: rekorSigner,
// Transparency Log Stuff
logClient: logClient,
logID: tLogID,
// Signing/verifying fields
pubkey: string(pubkey),
pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]),
signer: rekorSigner,
// TSA signing stuff
tsaSigner: tsaSigner,
certChain: certChain,
certChainPem: string(certChainPem),
verifier: verifier,
}, nil
}

Expand Down
9 changes: 0 additions & 9 deletions pkg/api/timestamp.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@ import (
"net/http"

"github.com/go-openapi/runtime/middleware"
"github.com/pkg/errors"
"github.com/sassoftware/relic/lib/pkcs9"
"github.com/sigstore/rekor/pkg/generated/restapi/operations/entries"
"github.com/sigstore/rekor/pkg/generated/restapi/operations/timestamp"
Expand All @@ -47,11 +46,6 @@ func RequestFromRekor(ctx context.Context, req pkcs9.TimeStampReq) ([]byte, erro
}

func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middleware.Responder {
// Fail early if we don't haven't configured rekor with a certificate for timestamping.
if len(api.certChain) == 0 {
return handleRekorAPIError(params, http.StatusNotImplemented, errors.New("rekor is not configured to serve timestamps"), "")
}

// TODO: Add support for in-house JSON based timestamp response.
requestBytes, err := ioutil.ReadAll(params.Request)
if err != nil {
Expand Down Expand Up @@ -96,8 +90,5 @@ func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middl
}

func GetTimestampCertChainHandler(params timestamp.GetTimestampCertChainParams) middleware.Responder {
if len(api.certChain) == 0 {
return handleRekorAPIError(params, http.StatusNotFound, errors.New("rekor is not configured with a timestamping certificate"), "")
}
return timestamp.NewGetTimestampCertChainOK().WithPayload(api.certChainPem)
}
22 changes: 12 additions & 10 deletions pkg/api/trillian_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (

"github.com/google/trillian/merkle/logverifier"
"github.com/google/trillian/merkle/rfc6962/hasher"
rfc6962 "github.com/google/trillian/merkle/rfc6962/hasher"
"github.com/pkg/errors"

"google.golang.org/grpc/codes"
Expand All @@ -35,18 +36,16 @@ import (
)

type TrillianClient struct {
client trillian.TrillianLogClient
logID int64
context context.Context
verifier *client.LogVerifier
client trillian.TrillianLogClient
logID int64
context context.Context
}

func NewTrillianClient(ctx context.Context) TrillianClient {
return TrillianClient{
client: api.logClient,
logID: api.logID,
context: ctx,
verifier: api.verifier,
client: api.logClient,
logID: api.logID,
context: ctx,
}
}

Expand Down Expand Up @@ -102,7 +101,8 @@ func (t *TrillianClient) addLeaf(byteValue []byte) *Response {
getAddResult: resp,
}
}
logClient := client.New(t.logID, t.client, t.verifier, root)
v := client.NewLogVerifier(rfc6962.DefaultHasher)
logClient := client.New(t.logID, t.client, v, root)

waitForInclusion := func(ctx context.Context, leafHash []byte) *Response {
if logClient.MinMergeDelay > 0 {
Expand Down Expand Up @@ -252,8 +252,10 @@ func (t *TrillianClient) getProofByHash(hashValue []byte) *Response {
})

if resp != nil {
v := client.NewLogVerifier(rfc6962.DefaultHasher)
for _, proof := range resp.Proof {
if err := t.verifier.VerifyInclusionByHash(&root, hashValue, proof); err != nil {

if err := v.VerifyInclusionByHash(&root, hashValue, proof); err != nil {
return &Response{
status: status.Code(err),
err: err,
Expand Down