Use trillian logverifier instead

Author: liamsi

cmd/keytransparency-monitor/main.go

@@ -42,7 +42,10 @@ import (
 	spb "github.com/google/keytransparency/impl/proto/keytransparency_v1_service"
 	mopb "github.com/google/keytransparency/impl/proto/monitor_v1_service"
 	mupb "github.com/google/keytransparency/impl/proto/mutation_v1_service"
-	_ "github.com/google/trillian/merkle/coniks"    // Register coniks
+	tlogcli "github.com/google/trillian/client"
+	"github.com/google/trillian/crypto/keys/der"
+	_ "github.com/google/trillian/merkle/coniks" // Register coniks
+	"github.com/google/trillian/merkle/hashers"
 	_ "github.com/google/trillian/merkle/objhasher" // Register objhasher
 )
 
@@ -141,13 +144,22 @@ func main() {
 	// Insert handlers for other http paths here.
 	mux := http.NewServeMux()
 	mux.Handle("/", gwmux)
+	logHasher, err := hashers.NewLogHasher(logTree.GetHashStrategy())
+	if err != nil {
+		glog.Fatalf("Could not initialize log hasher: %v", err)
+	}
+	logPubKey, err := der.UnmarshalPublicKey(logTree.GetPublicKey().GetDer())
+	if err != nil {
+		glog.Fatalf("Failed parsing Log public key: %v", err)
+	}
+	logVerifier := tlogcli.NewLogVerifier(logHasher, logPubKey)
 
-	// initialize the mutations API client and feed the responses it got
-	// into the monitor:
-	mon, err := cmon.New(logTree, mapTree, crypto.NewSHA256Signer(key), store)
+	mon, err := cmon.New(logVerifier, mapTree, crypto.NewSHA256Signer(key), store)
 	if err != nil {
 		glog.Exitf("Failed to initialize monitor: %v", err)
 	}
+	// initialize the mutations API client and feed the responses it got
+	// into the monitor:
 	mutCli := client.New(mcc, *pollPeriod)
 	responses, errs := mutCli.StartPolling(1)
 	go func() {

core/client/kt/verify.go

@@ -120,10 +120,6 @@ func (v *Verifier) VerifyGetEntryResponse(ctx context.Context, userID, appID str
 	// by removing the signature from the object.
 	smr := *in.GetSmr()
 	smr.Signature = nil // Remove the signature from the object to be verified.
-	fmt.Println("CLIENT tcrypto.VerifyObject:")
-	fmt.Println(v.mapPubKey)
-	fmt.Println(smr)
-	fmt.Println(in.GetSmr().GetSignature())
 	if err := tcrypto.VerifyObject(v.mapPubKey, smr, in.GetSmr().GetSignature()); err != nil {
 		Vlog.Printf("✗ Signed Map Head signature verification failed.")
 		return fmt.Errorf("sig.Verify(SMR): %v", err)

core/monitor/monitor.go

@@ -27,18 +27,15 @@ import (
 	"github.com/google/trillian"
 	"github.com/google/trillian/client"
 	tcrypto "github.com/google/trillian/crypto"
-	"github.com/google/trillian/merkle"
-	"github.com/google/trillian/merkle/hashers"
 	"github.com/google/trillian/crypto/keys/der"
+	"github.com/google/trillian/merkle/hashers"
 )
 
 // Monitor holds the internal state for a monitor accessing the mutations API
 // and for verifying its responses.
 type Monitor struct {
 	mapID       int64
-	logHasher   hashers.LogHasher
 	mapHasher   hashers.MapHasher
-	logPubKey   crypto.PublicKey
 	mapPubKey   crypto.PublicKey
 	logVerifier client.LogVerifier
 	signer      *tcrypto.Signer
@@ -52,7 +49,7 @@ func New(logverifierCli client.LogVerifier, mapTree *trillian.Tree, signer *tcry
 	if err != nil {
 		return nil, fmt.Errorf("Failed creating MapHasher: %v", err)
 	}
-	mapPubKey, err  := der.UnmarshalPublicKey(mapTree.GetPublicKey().GetDer())
+	mapPubKey, err := der.UnmarshalPublicKey(mapTree.GetPublicKey().GetDer())
 	if err != nil {
 		return nil, fmt.Errorf("Could not unmarshal map public key: %v", err)
 	}

core/monitor/verify.go

@@ -70,11 +70,6 @@ func (m *Monitor) VerifyMutationsResponse(in *ktpb.GetMutationsResponse) []error
 		m.trusted = in.GetLogRoot()
 	}
 
-
-	// TODO(ismail): pass in a (trillian) logverifier instead
-	// - create a set of fixed error messages so the caller can differentiate
-	//   between different error types (like below)
-	// - also, create an equivalent map verifier (in trillian)
 	if err := m.logVerifier.VerifyRoot(m.trusted, in.GetLogRoot(), in.GetLogConsistency()); err != nil {
 		// this could be one of ErrInvalidLogSignature, ErrInvalidLogConsistencyProof
 		errList = append(errList, err)
@@ -85,7 +80,7 @@ func (m *Monitor) VerifyMutationsResponse(in *ktpb.GetMutationsResponse) []error
 	b, err := json.Marshal(in.GetSmr())
 	if err != nil {
 		glog.Errorf("json.Marshal(): %v", err)
-		// Encoding error
+		errList = append(errList, ErrInvalidMapSignature)
 	}
 	leafIndex := in.GetSmr().GetMapRevision()
 	treeSize := in.GetLogRoot().GetTreeSize()
@@ -95,9 +90,7 @@ func (m *Monitor) VerifyMutationsResponse(in *ktpb.GetMutationsResponse) []error
 		errList = append(errList, ErrInvalidLogInclusion)
 	}
 
-	//
 	// map verification
-	//
 
 	// copy of singed map root
 	smr := *in.GetSmr()
@@ -109,9 +102,7 @@ func (m *Monitor) VerifyMutationsResponse(in *ktpb.GetMutationsResponse) []error
 		errList = append(errList, ErrInvalidMapSignature)
 	}
 
-	//
 	// mutations verification
-	//
 
 	// we need the old root for verifying the inclusion of the old leafs in the
 	// previous epoch. Storage always stores the mutations response independent
@@ -128,9 +119,7 @@ func (m *Monitor) VerifyMutationsResponse(in *ktpb.GetMutationsResponse) []error
 			in.GetSmr().GetRootHash(), in.GetSmr().GetMapId()); len(err) > 0 {
 			errList = append(errList, err...)
 		}
-	} else {
-		// TODO oldRoot is the hash of the initial empty sparse merkle tree
-	}
+	} // TODO else oldRoot is the hash of the initial empty sparse merkle tree
 
 	return errList
 }

integration/monitor_test.go

@@ -21,8 +21,8 @@ import (
 
 	"github.com/google/keytransparency/core/monitor"
 	"github.com/google/keytransparency/core/monitor/storage"
-	"github.com/google/keytransparency/impl/monitor/client"
 	kpb "github.com/google/keytransparency/core/proto/keytransparency_v1_types"
+	"github.com/google/keytransparency/impl/monitor/client"
 	spb "github.com/google/keytransparency/impl/proto/keytransparency_v1_service"
 	mupb "github.com/google/keytransparency/impl/proto/mutation_v1_service"
 	"github.com/google/trillian/crypto"
@@ -54,14 +54,14 @@ func TestMonitorEmptyStart(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Couldn't retrieve domain info: %v", err)
 	}
-	signer, err  := pem.UnmarshalPrivateKey(monitorPrivKey, "")
+	signer, err := pem.UnmarshalPrivateKey(monitorPrivKey, "")
 	if err != nil {
 		t.Fatalf("Couldn't create signer: %v", err)
 	}
-	logTree := resp.Log
+	//logTree := resp.Log
 	mapTree := resp.Map
 	store := storage.New()
-	mon, err := monitor.New(fake.NewFakeTrillianLogVerifier(), logTree, mapTree, crypto.NewSHA256Signer(signer), store)
+	mon, err := monitor.New(fake.NewFakeTrillianLogVerifier(), mapTree, crypto.NewSHA256Signer(signer), store)
 	if err != nil {
 		t.Fatalf("Couldn't create monitor: %v", err)
 	}

integration/testutil.go

@@ -43,11 +43,11 @@ import (
 
 	_ "github.com/mattn/go-sqlite3" // Use sqlite database for testing.
 
+	cmutation "github.com/google/keytransparency/core/mutation"
+	"github.com/google/keytransparency/impl/mutation"
 	pb "github.com/google/keytransparency/impl/proto/keytransparency_v1_service"
 	mpb "github.com/google/keytransparency/impl/proto/mutation_v1_service"
-	cmutation "github.com/google/keytransparency/core/mutation"
 	stestonly "github.com/google/trillian/storage/testonly"
-	"github.com/google/keytransparency/impl/mutation"
 )
 
 // NewDB creates a new in-memory database for testing.