Skip to content

mirror: check evidence#56

Merged
bwesterb merged 6 commits intomainfrom
issue-38
Apr 22, 2025
Merged

mirror: check evidence#56
bwesterb merged 6 commits intomainfrom
issue-38

Conversation

@bwesterb
Copy link
Owner

@bwesterb bwesterb commented Apr 22, 2025
edited
Loading

All functionality is there—just need to test it.

Note that this includes a backwards incompatible change to EvidencePolicyType (adding a zero value.)

@bwesterb
Copy link
Owner Author

bwesterb commented Apr 22, 2025
edited
Loading

And there is a bug

error: fetching batch 0: entry 0 has not_after 2025-04-22 14:16:32 +0000 UTC out of range [2025-04-22 13:06:33 +0000 UTC, 2025-04-22 14:06:32.999999999 +0000 UTC]

Fixed

@bwesterb
Copy link
Owner Author

bwesterb commented Apr 22, 2025
edited
Loading

There is a new bug:

error: fetching batch 0: Could not find umbilical certificate for entry 0 with hash 501e8568772db01f3064d52a4822288e7eb1fcec89e15d1e4eab044db2e4a4e9

It's there:

$ ./mtc inspect umbilical-certificates data/www/mtc/v1/batches/0/umbilical-certificates 
                                                             key  offset  length
1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96    6031     675
501e8568772db01f3064d52a4822288e7eb1fcec89e15d1e4eab044db2e4a4e9      18    3432
68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b   10227    1413
6bcb147d41e9b577f40002a5c4ba08846737805aafe8554dd0e72204f6007ba7   17062    1715
72a34ac2b424aed3f6b0b04755b88cc027dccc806fddb22b4cd7c47773973ec0    8662    1565
76b27b80a58027dc3cf1da68dac17010ed93997d0b603e2fadbe85012493b5a7    4124     894
7fadfe7f8af3260f0035d88f3aab283fe079b113b2d1c4f57a64cb5721cdac36   12718    2684
969d5c5487f159e624c28cf02f0db590ea053adb01705cf42ab775819c2c7f4f    6706    1956
9c3f2fd11c57d7c649ad5a0932c0f0d29756f6a0a1c74c43e1e89a62d64cd320    3450     674
b441012d64888df4e2f7e494dbd06d88d07c5a722e088fffcdd4fa5acb4efa05    5018    1013
d5612c7ed743b64cd8db432cedfea582608d4223f119eface7a6753534392ac8   15402    1660
d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4   11640    1078

It's also the very first tried

$ ./mtc inspect evidence data/www/mtc/v1/batches/0/evidence                            
evidence-list (1 entries)
compressed umbilical
 501e8568772db01f3064d52a4822288e7eb1fcec89e15d1e4eab044db2e4a4e9
 9c3f2fd11c57d7c649ad5a0932c0f0d29756f6a0a1c74c43e1e89a62d64cd320
 76b27b80a58027dc3cf1da68dac17010ed93997d0b603e2fadbe85012493b5a7

evidence-list (1 entries)
compressed umbilical
 b441012d64888df4e2f7e494dbd06d88d07c5a722e088fffcdd4fa5acb4efa05
 1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96
 76b27b80a58027dc3cf1da68dac17010ed93997d0b603e2fadbe85012493b5a7

evidence-list (1 entries)
compressed umbilical
 969d5c5487f159e624c28cf02f0db590ea053adb01705cf42ab775819c2c7f4f
 72a34ac2b424aed3f6b0b04755b88cc027dccc806fddb22b4cd7c47773973ec0
 68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b
 d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4

evidence-list (1 entries)
compressed umbilical
 7fadfe7f8af3260f0035d88f3aab283fe079b113b2d1c4f57a64cb5721cdac36
 d5612c7ed743b64cd8db432cedfea582608d4223f119eface7a6753534392ac8
 6bcb147d41e9b577f40002a5c4ba08846737805aafe8554dd0e72204f6007ba7

Total number of evidence lists: 4

Fixed!

@bwesterb bwesterb changed the title [WIP] mirror: check evidence mirror: check evidence Apr 22, 2025
lukevalenta
lukevalenta reviewed Apr 22, 2025
View reviewed changes
lukevalenta
lukevalenta reviewed Apr 22, 2025
View reviewed changes
lukevalenta
lukevalenta reviewed Apr 22, 2025
View reviewed changes
lukevalenta
lukevalenta reviewed Apr 22, 2025
View reviewed changes
mirror/mirror.go Outdated
return fmt.Errorf("building tree: %w", err)
}

// TODO Would the spec allow a small NotAfter?
Copy link
Collaborator

@lukevalenta lukevalenta Apr 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any reason for the spec to disallow small NotAfter values, although it should be the CA's right to require some minimum validity for entries it issues.

Copy link
Owner Author

@bwesterb bwesterb Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was a typo. Corrected.

Copy link
Collaborator

@lukevalenta lukevalenta Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the corresponding change--did you push?

Copy link
Owner Author

@bwesterb bwesterb Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would the spec allow a NotAfter before batchStart?

lukevalenta
lukevalenta reviewed Apr 22, 2025
View reviewed changes
mirror/mirror.go
}

if h.b.Params.EvidencePolicy != mtc.UmbilicalEvidencePolicy {
continue
Copy link
Collaborator

@lukevalenta lukevalenta Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe move everything else in this loop below to a separate ValidateUmbilicalEvidence function that gets called here?

Copy link
Owner Author

@bwesterb bwesterb Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit of a long function. Because of the shared state, it's not that easy to pull into a function: we'd need an object.

lukevalenta
lukevalenta reviewed Apr 22, 2025
View reviewed changes
lukevalenta
lukevalenta approved these changes Apr 22, 2025
View reviewed changes
Copy link
Collaborator

@lukevalenta lukevalenta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only minor nits left. Feel free to merge when ready!

@bwesterb bwesterb merged commit 316cdb9 into main Apr 22, 2025
1 check passed
@bwesterb bwesterb deleted the issue-38 branch April 22, 2025 20:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukevalenta lukevalenta lukevalenta approved these changes

@cjpatton cjpatton Awaiting requested review from cjpatton

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bwesterb @lukevalenta