[witness] witness and feeder derive logID themselves (google#858)

Author: smeiklej

internal/witness/api/http.go

@@ -15,6 +15,12 @@
 // Package api provides the API endpoints for the witness.
 package api
 
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+)
+
 const (
 	// HTTPGetSTH is the path of the URL to get an STH.  The
 	// placeholder is for the logID (an alphanumeric string).
@@ -34,3 +40,13 @@ type UpdateRequest struct {
 	STH   []byte
 	Proof [][]byte
 }
+
+// LogIDFromPubKey builds the logID given the base64-encoded public key.
+func LogIDFromPubKey(pk string) (string, error) {
+	der, err := base64.StdEncoding.DecodeString(pk)
+	if err != nil {
+		return "", fmt.Errorf("failed to decode public key: %v", err)
+	}
+	sha := sha256.Sum256(der)
+	return base64.StdEncoding.EncodeToString(sha[:]), nil
+}

internal/witness/client/http/witness_client.go

@@ -46,7 +46,7 @@ func (w Witness) SigVerifier() ct.SignatureVerifier {
 
 // GetLatestSTH returns a recent STH from the witness for the specified log ID.
 func (w Witness) GetLatestSTH(ctx context.Context, logID string) ([]byte, error) {
-	u, err := w.URL.Parse(fmt.Sprintf(wit_api.HTTPGetSTH, logID))
+	u, err := w.URL.Parse(fmt.Sprintf(wit_api.HTTPGetSTH, url.QueryEscape(logID)))
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse URL: %v", err)
 	}
@@ -78,7 +78,7 @@ func (w Witness) Update(ctx context.Context, logID string, sth []byte, proof [][
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal update request: %v", err)
 	}
-	u, err := w.URL.Parse(fmt.Sprintf(wit_api.HTTPUpdate, logID))
+	u, err := w.URL.Parse(fmt.Sprintf(wit_api.HTTPUpdate, url.QueryEscape(logID)))
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse URL: %v", err)
 	}

internal/witness/cmd/feeder/main.go

@@ -17,26 +17,27 @@ package main
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"time"
 
 	"github.com/golang/glog"
 	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/client"
-	"github.com/google/certificate-transparency-go/jsonclient"
+	wa "github.com/google/certificate-transparency-go/internal/witness/api"
 	wh "github.com/google/certificate-transparency-go/internal/witness/client/http"
+	"github.com/google/certificate-transparency-go/jsonclient"
 )
 
 var (
 	logURL   = flag.String("log_url", "", "The endpoint of the log HTTP API")
-	logPK    = flag.String("log_pk", "", "A file containing the PEM-encoded log public key")
-	logID    = flag.String("log_id", "", "The log ID")
+	logPK    = flag.String("log_pk", "", "The base64-encoded log public key")
 	witness  = flag.String("witness_url", "", "The endpoint of the witness HTTP API")
 	interval = flag.Duration("poll", 10*time.Second, "How quickly to poll the log to get updates")
 )
@@ -56,11 +57,7 @@ func main() {
 		glog.Exit("--log_pk must not be empty")
 	}
 	var w wh.Witness
-	pemPK, err := ioutil.ReadFile(*logPK)
-	if err != nil {
-		glog.Exitf("Failed to read public key from file: %v", err)
-	}
-	pk, _, _, err := ct.PublicKeyFromPEM(pemPK)
+	pk, err := ct.PublicKeyFromB64(*logPK)
 	if err != nil {
 		glog.Exitf("Failed to create public key: %v", err)
 	}
@@ -77,22 +74,29 @@ func main() {
 		}
 	}
 	// Now set up the log client.
-	// TODO(smeiklej): This should be optional as it can be
-	// deterministically derived from the public key.
-	if *logID == "" {
-		glog.Exit("--log_id must not be empty")
+	logID, err := wa.LogIDFromPubKey(*logPK)
+	if err != nil {
+		glog.Exitf("Failed to create log id: %v", err)
 	}
 	if *logURL == "" {
 		glog.Exit("--log_url must not be empty")
 	}
+	der, err := base64.StdEncoding.DecodeString(*logPK)
+	if err != nil {
+		glog.Exitf("Failed to decode public key: %v", err)
+	}
+	pemPK := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: der,
+	})
 	opts := jsonclient.Options{PublicKey: string(pemPK)}
 	c, err := client.New(*logURL, http.DefaultClient, opts)
 	if err != nil {
 		glog.Exitf("Failed to create JSON client: %v", err)
 	}
 	// Create the feeder with no initial witness STH.
 	feeder := feeder{
-		logID: *logID,
+		logID: logID,
 		c:     c,
 		w:     w,
 	}

internal/witness/cmd/feeder/test.key

@@ -1,4 +1,3 @@
 Logs: 
   - Description: Google 'Argon2021' log
-    LogID: 9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM
     PubKey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETeBmZOrzZKo4xYktx9gI2chEce3cw/tbr5xkoQlmhB18aKfsxD+MnILgGNl0FOm0eYGilFVi85wLRIOhK8lxKw==

internal/witness/cmd/witness/example_config.yaml

@@ -24,6 +24,7 @@ import (
 
 	"github.com/golang/glog"
 	ct "github.com/google/certificate-transparency-go"
+	"github.com/google/certificate-transparency-go/internal/witness/api"
 	ih "github.com/google/certificate-transparency-go/internal/witness/cmd/witness/internal/http"
 	"github.com/google/certificate-transparency-go/internal/witness/cmd/witness/internal/witness"
 	"github.com/gorilla/mux"
@@ -35,11 +36,8 @@ type LogConfig struct {
 	Logs []LogInfo `yaml:"Logs"`
 }
 
-// LogInfo contains the configuration options for a log: its identifier and public key.
+// LogInfo contains the configuration options for a log, which is just its public key.
 type LogInfo struct {
-	// TODO(smeiklej): For CT the LogID is deterministically derived from
-	// PubKey so we don't need to specify it separately.
-	LogID  string `yaml:"LogID"`
 	PubKey string `yaml:"PubKey"`
 }
 
@@ -59,6 +57,7 @@ type ServerOpts struct {
 func buildLogMap(config LogConfig) (map[string]ct.SignatureVerifier, error) {
 	logMap := make(map[string]ct.SignatureVerifier)
 	for _, log := range config.Logs {
+		// Use the PubKey string to first create the verifier.
 		pk, err := ct.PublicKeyFromB64(log.PubKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create public key: %v", err)
@@ -67,7 +66,12 @@ func buildLogMap(config LogConfig) (map[string]ct.SignatureVerifier, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to create signature verifier: %v", err)
 		}
-		logMap[log.LogID] = *logV
+		// And then to create the (alphanumeric) logID.
+		logID, err := api.LogIDFromPubKey(log.PubKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create log id: %v", err)
+		}
+		logMap[logID] = *logV
 	}
 	return logMap, nil
 }

internal/witness/cmd/witness/impl/witness.go

@@ -41,7 +41,7 @@ func NewServer(witness *witness.Witness) *Server {
 }
 
 // update handles requests to update STHs.
-// It expects a POSTed body containing a JSON-formatted api.UpdateRequest
+// It expects a PUT body containing a JSON-formatted api.UpdateRequest
 // statement and returns a JSON-formatted api.UpdateResponse statement.
 func (s *Server) update(w http.ResponseWriter, r *http.Request) {
 	v := mux.Vars(r)
@@ -109,7 +109,7 @@ func (s *Server) getLogs(w http.ResponseWriter, r *http.Request) {
 
 // RegisterHandlers registers HTTP handlers for witness endpoints.
 func (s *Server) RegisterHandlers(r *mux.Router) {
-	logStr := "{logid:[a-zA-Z0-9-]+}"
+	logStr := "{logid}"
 	r.HandleFunc(fmt.Sprintf(api.HTTPGetSTH, logStr), s.getSTH).Methods("GET")
 	r.HandleFunc(fmt.Sprintf(api.HTTPUpdate, logStr), s.update).Methods("PUT")
 	r.HandleFunc(api.HTTPGetLogs, s.getLogs).Methods("GET")