Replace SignerFactory with global protobuf handlers for keys

[RJPercival]

Previously, when adding support for a new way of accessing keys (e.g. PKCS#11), there were two options:

1. Modify DefaultSignerFactory.
   • Anyone using DefaultSignerFactory would be able to use this, but they'd also have any new dependencies imposed upon them.
2. Create a new SignerFactory implementation.
   • Requires running a fork of Trillian.
   • This new implementation would likely duplicate some code from DefaultSignerFactory, if it wanted to support some of the same ways of accessing keys.

An improved way of doing this is to instead have a global registry of functions that each accept a particular kind of protobuf message and return the corresponding private key. Functions can be added to this registry to provide support for new methods of accessing keys, or removed to disable particular methods. Disabled methods could be excluded from the build entirely using build tags, sparing users who do not use a particular method from having to install unnecessary dependencies.

TODO: In a follow-up PR, I intend to improve test coverage of the pre-existing crypto/keys/... packages.

[RJPercival]

Judging by Travis, it looks like this PR might be responsible for the slow integration tests I reported in #733. I'm not sure where the performance issue is yet though - I'll investigate shortly.

[RJPercival]

It turned out not to be a performance issue, but rather a sequencing pass failure that wasn't being (visibly) reported (see #738). I've now fixed that.

[codingllama]

Sending the comments I have so far. Github is warning me my page is out of date, so I'll refresh and resume the review.

[codingllama]

FYI: I found it a bit odd that keyHandlers was declared here, but initialized elsewhere. There's more at a further comment.

[RJPercival]

It's because one of the handlers comes from a file that is conditionally built (if "pkcs11" build tag is used), so it can't be populated right here.

[gdbelvin]

Were we going to move keyHandlers to their own file or package?

[codingllama]

Is this an error test because the private key won't be set? Maybe rename to "mandatoryOptsNotSet", or add a comment? At a glance it doesn't look different from "validOpts", it only became clearer after I realized runTest "fixes" a few flags.

[RJPercival]

That's correct. I'll rename it.

[codingllama]

Please use proto.Equal() when comparing protos, pretty.Compare doesn't know about internal proto fields, so it may diff in cases where protos are meant to be equal.

The suggested idiom is:

if !proto.Equal(pb1, pb2) {
    diff := pretty.Compare(pb1, pb2)
    t.Errorf("%v: post-Foo diff (-got +want):\n%v", test.desc, diff)
}

(Yep, it's a bit verbose, I know :/ )

[RJPercival]

That's not actually new code (the indentation has just changed), but I'll fix it up nonetheless.

[RJPercival]

Done.

[codingllama]

I would prefer keyHandlers to be declared and initialized in the same file. I would also prefer all flags to be defined together (at main.go), but since this is in the main package we're not breaking the rule too much.

Suggestion: for the sake of isolation / cleaner interface between createtree and key logic, we could do something like:

At createtree/keys/keys.go:

package keys

type handler func() (proto.Message, error)

func SetHandler(name string, fn handler) { ... }

func Handler(name string) (handler, bool) { ... }

func NewPEMKeyHandler(path, pass) handler { ... }

At createtree/main.go:

func main() {
    keys.RegisterHandler("PEMKeyFile", keys.NewPEMKeyHandler(*path, *pass))
    // ...
}

WDYT?

[RJPercival]

keyHandlers can't be initialized in the same file, because the PKCS#11 handler needs to be behind a build tag. It needs to use the global registry / auto-registration pattern. I can move this registry out of main.go and into its own package though.

[gdbelvin]

I think we figured out a way for everything except the RegisterHander function to be in it's own package?

[codingllama]

Could we have runTest and testCase moved to a separate, test-library like file? I'd be ok with a testonly package inside createtree, for example.

[RJPercival]

It'll then lose access to the flags and won't be able to call createTree(). I can put them in their own file, but not their own package.

[codingllama]

Since this is tested in an integration-like style, where we exercise it via createtree, I'd be tempted to use real handlers at main_test.go and move those test cases there. Or, possibly, just test the handlers directly here. If you take the comment on package separation, it'll force you down one of those roads regardless (which why I like it).

[codingllama]

flagsaver isn't a command we run, so it shouldn't be placed inside cmd/. It definitely deserves its own package, though. Maybe util/flagsaver?

[RJPercival]

Done.

[codingllama]

Maybe type Stash map[string]string ?

[RJPercival]

That would preclude extending this type in the future and expose the implementation detail that it stores a map of flag names to values. The only reason I can see to do this is to allow the user to examine stashed flag values - do you see that being a use case?

[codingllama]

It works fine as a struct, but since you don't have other fields an alias could have worked too. It's fine as it is.

[codingllama]

nit: "// name is ..."

Ditto for the other comments, although I think they could all be removed.

nit2: "desc string"? That seems to be the recommended format.

[RJPercival]

Nits addressed, but left the comments, since I'm not sure oldValue and newValue are completely self-explanatory (perhaps I just need better names?).

[codingllama]

Looks good.

[codingllama]

nit: Please use field labels. It's clearer, saves you from specifying defaults, and saves us from having to touch all structs if a new field is added.

[RJPercival]

Done.

[codingllama]

In the future consider breaking PRs like this into smaller steps. It's a bit hard to figure out what changed and what was moved, since Github doesn't help much to identify the latter.

[codingllama]

Is the ordering here in any way important? Should we try EC first (assuming it is / will be the most popular one)?

[RJPercival]

No, these can be re-ordered.

[RJPercival]

Re-ordered to try EC first.

[codingllama]

Suggestion: s/name/desc? Same for others (if you take it, ofc).

[RJPercival]

Done.

[codingllama]

Suggestion: Declare ctx outside the loop and reuse it?

[RJPercival]

Done.

[codingllama]

Should we test the handler for *keyspb.Specification? Ditto for the other public functions.

[RJPercival]

I'm planning on writing tests for all of the public functions in a follow-up PR - it that ok? I haven't added any new public functions, other than NewPrivateKeyProtoFromSpec(), that don't have tests (I'll add a test for that now).

[codingllama]

SGTM.

[RJPercival]

Added test for NewPrivateKeyProtoFromSpec().

[codingllama]

We shuffled some things around, but tests seem to have lagged behind. Could we make sure that the tests are in the matching _test.go file, compared to the one the function is defined?

[RJPercival]

Done for TestNewFromSpec. I was intending to do this more thoroughly in the follow-up CL by replacing TestLoadPrivateKeyAndSign with individual tests for each of the public funcs (and put those tests in the appropriate _test.go file).

[codingllama]

Could we have a simple, happy path test? If we disable integration testing for some reason this will go without coverage.

[RJPercival]

This would be difficult because the PKCS#11 code calls out to https://github.com/letsencrypt/pkcs11key which attempts to load a dynamic library and communicate with a PKCS#11 interface. I could expose a package variable that allows the pkcs11key.New() call to be overridden during the tests, but that's about the only way I can think of making it unit testable.

At least by now having a skipped test for this, there is some (minimal) visibility of the fact that it lacks unit tests.

[codingllama]

Have you considered making handlers global? Is there a situation where having factory-scoped handlers is useful?

A global handler registry would allow each handler-defining package to register its own handlers at init-time.

[RJPercival]

It's what I started with, but...

1. I've known people to be opposed to globals (e.g. @daviddrysdale lamented the scattering of flags through the codebase).
2. I preferred the explicitness of adding a handler, rather than it being a side-effect of importing a package, since it's quite an important decision - do you really want unencrypted keys in your storage, for instance? It also means it's easier to control which handlers are available to tests.
3. Scoping it to a SignerFactory means you can start servers/signers in-process (like the integration tests do) and not be forced to share the same set of handlers.

Having said that, I do recognise that making the handlers global and having them register on package init is a more common pattern. I can put together a commit that makes that change and see how it compares if you like?

[codingllama]

We didn't seem to shy away from global state in other places, like the hashers registry, and an init-based registry would reduce the number of +build pkcs11 files reaching for signerFactories, so it seemed worth to suggest it.

That said, your counter-arguments and the wariness about global state are certainly strong points (I found number "2" above particularly convincing). I'm happy going forward the way it is. Thanks for the detailed response, Rob.

[codingllama]

nit: s/alreadyExists/ok/, so we don't deviate from the idiom?

[RJPercival]

I wasn't entirely convinced that "ok" was an appropriate name here, as it's semantically the opposite - if it already exists, that's not really ok. Originally I was returning an error here, which meant it was very much not ok. Perhaps that doesn't matter though.

[codingllama]

OK ;)

[codingllama]

nit: s/sigpb.DigitallySigned_UNKNOWN/sigpb.DigitallySigned_ANONYMOUS/

In a somewhat related comment, is anonymous ever valid / allowed? Should we differentiate between anonymous and unknown? (This is possibly out of scope.)

[RJPercival]

I think this is intended to mirror the DigitallySigned struct in RFC5246, which is why there isn't an "unknown" value. There are cases where anonymous is valid (see that RFC), but never in Trillian. Arguably, this should return an error rather than sigpb.DigitallySigned_ANONYMOUS.

[RJPercival]

Fixed typo.

[codingllama]

Asserting on error strings is likely to make tests brittle. Ideally, we'd use something more resilient to small changes, like error codes, but I that won't help if the codes are all the same. OTOH, it does make it easier to reason that the error is what you think it is, and not some problem.

WDYT?

[RJPercival]

I agree, and never usually check the error string but, in this case, there are a lot of different errors that could occur. I really want to know that the test is failing for the reason I think it is, rather than because the test is misconfigured, for example. Error codes would be a better solution except, as you suggest, I don't think they'd actually be different for most of these test cases (they're almost all cases of invalid arguments). Maybe that would be good enough for distinguishing the intended type of error from unintended errors though?

[RJPercival]

If you like, I think I could break this PR in two, with the first just doing some moving around of code?

[codingllama]

No need to break it now, I'll review the fixes commit-by-commit from now on. Just give me nudge when you finish replying to the comments.

[gdbelvin]

Consider making each of these anonymous functions real functions for ease on the eye and ease of testing.

[RJPercival]

Done.

[RJPercival]

I've just completed some changes @gdbelvin requested offline, which swaps over to a global registry of key handlers with auto-registration on import and ultimately deletes SignerFactory. I'll take on improvement to cmd/createtree next.

[gdbelvin]

This is a great change of replacing opts with the relevant flags, but for the clarity of this already large PR, could I suggest that it be a separate PR?

[RJPercival]

Sure, it'll have to merge first though, since having the PKCS#11 flag behind a build tag is dependent on createOpts behind removed.

[RJPercival]

Done in #788.

[gdbelvin]

Were we going to move keyHandlers to their own file or package?

[gdbelvin]

This function should probably live in it's own file or package along with the keyHandlers

Also consider a clearer function name, say NewPublicKeyProto

[RJPercival]

Done.

[gdbelvin]

A function comment would be great

[RJPercival]

Done (though it's now called RegisteredTypes() in the createtree/keys package).

[gdbelvin]

If you'd like to run the test in a sub function, consider using a proper SubTest
https://golang.org/pkg/testing/#hdr-Subtests_and_Sub_benchmarks

for _, tc := range []struct{}{}{
  t.Run("A=1", func(t *testing.T) { ... })
}

[RJPercival]

I'm not sure this is so much a subtest as just delegating the actual test logic to a helper. However, I wonder if we should be using subtests for all of our tabular tests? It'd save having to prepend the test case name to every failure message, and defer would work nicely (running at the end of each test case, rather than at the end of the entire test).

[codingllama]

The convention seems to prefer "regular" table-driven, but it may be because t.Run is a relatively recent addition, iirc. Maybe we should take this question to stylists? Meanwhile, I'd vouch for the simplest approach (no t.Run unless you really need it).

Edit: spelling

[RJPercival]

I consulted a stylist, and they too leaned away from using subtests, but mostly because they are quite new and rarely used so far. I've decided to use them, but inside of runTest(), where it was already using an anonymous function to isolate each test case.

[RJPercival]

See #788 for the use of subtests.

[gdbelvin]

a slightly more descriptive name would be great

[gdbelvin]

a slightly more descriptive name would be great - and the test should probably only run one test case at a time

[RJPercival]

They are only run one at a time.

[RJPercival]

Ah you mean that it should take a single testCase, rather than an array.

[gdbelvin]

I think we figured out a way for everything except the RegisterHander function to be in it's own package?

[codingllama]

Travis looks unhappy, but other than that LGTM.

Is this one of the cases where we Travis won't pass because of the google/trillian <-> google/ct-go cycle?

[codingllama]

The convention seems to prefer "regular" table-driven, but it may be because t.Run is a relatively recent addition, iirc. Maybe we should take this question to stylists? Meanwhile, I'd vouch for the simplest approach (no t.Run unless you really need it).

Edit: spelling

[codingllama]

Suggestion: Move the DER string to a const?

[codingllama]

nit: s/NewProtoFromSpec/CheckKeyMatchesSpec/

[RJPercival]

Done.

[codingllama]

Ditto (move to const suggestion)

[codingllama]

nit: s/NewFromSpec/CheckKeyMatchesSpec/

[RJPercival]

Done.

[codingllama]

Suggestion: I've been splitting imports in the following blocks: golang, external libs, aliases and _ imports. I've found it more readable than mixing aliases and _ imports on the "external" block.

Eg:

import (
    "context"
    "flag"

    "github.com/golang/glog"
    "github.com/golang/protobuf/proto"
    "github.com/google/trillian"
    "github.com/google/trillian/cmd"

    mysqlq "github.com/google/trillian/quota/mysql"

    _ "github.com/google/trillian/merkle/objhasher" // Load hashers
    _ "github.com/google/trillian/merkle/rfc6962"   // Load hashers
)

[RJPercival]

Done.

[RJPercival]

Yes, this breaks ct-go so Travis will never be happy. PR google/certificate-transparency-go#50 will fix ct-go once this merges.

[AMarcedone]

What's the ETA for merging this PR?

[RJPercival]

Apologies for the delay getting this merged, I was on holiday for a week and have had competing priorities. I've now broken this PR up as requested by @gdbelvin (see PRs #791, #792, #793, #794). Once those PRs are merged, I'll rebase this and hopefully it'll be of a more easily reviewable size.

[RJPercival]

This has now been rebased. The number of modified files has reduced from 63 to 46, and the number of changes in those files has reduced.

[codingllama]

nit: Use single quotes

[RJPercival]

Done.

[codingllama]

There seems to be an extra double quote here.

[RJPercival]

Done.

[codingllama]

Maybe rename pb to wantPB (or something to that effect)?

[RJPercival]

Done.

[gdbelvin]

Awesome. This is looking great!