Migrate to CoSigV1 timestamped signatures (transparency-dev#62)

cmd/internal/distributor/distributor.go

@@ -164,6 +164,14 @@ func (d *Distributor) Distribute(ctx context.Context, logID, witID string, nextR
 		}
 	}
 
+	// Remove any unexpected signatures submitted alongside the log+witness we recognised.
+	n.UnverifiedSigs = nil
+	nextRaw, err = note.Sign(n)
+	if err != nil {
+		return fmt.Errorf("failed to serialise note with filtered sigs: %v", err)
+	}
+	glog.V(1).Infof("Accepted: %s", string(nextRaw))
+
 	// At this point we know that we have a valid checkpoint that is fresher than any previous version for
 	// this witness. We should now store this, and then attempt to merge with other checkpoints for the same
 	// log size to create the checkpoint.N files.
@@ -283,5 +291,5 @@ func getLatestCheckpoint(ctx context.Context, tx *sql.Tx, logID, witID string) (
 // approach is followed to ensure that the DB size stays limited, i.e. don't allow
 // the same/similar inconsistencies to be written indefinitely.
 func reportInconsistency(oldCP, newCP []byte) {
-	glog.Errorf("Found inconsistent checkpoints:\n%v\n\n%v", oldCP, newCP)
+	glog.Errorf("Found inconsistent checkpoints:\n%v\n\n%v", string(oldCP), string(newCP))
 }

cmd/internal/distributor/distributor_test.go

@@ -499,6 +499,55 @@ func TestGetCheckpointWitness(t *testing.T) {
 	}
 }
 
+func TestFiltersUnknownSignatures(t *testing.T) {
+	ws := map[string]note.Verifier{
+		"Aardvark": witAardvark.verifier,
+	}
+	ls := map[string]distributor.LogInfo{
+		"FooLog": logFoo.LogInfo,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	db, err := helper.create("TestFiltersUnknownSignatures")
+	if err != nil {
+		t.Fatalf("helper.create(): %v", err)
+	}
+	d, err := distributor.NewDistributor(ws, ls, db)
+	if err != nil {
+		t.Fatalf("NewDistributor(): %v", err)
+	}
+	writeCP := logFoo.checkpoint(16, "16", witAardvark.signer, witChameleon.signer)
+
+	// Assert there we're starting with a surplus of signatures
+	wN, err := note.Open(writeCP, note.VerifierList([]note.Verifier{logFoo.Verifier, witAardvark.verifier, witChameleon.verifier}...))
+	if err != nil {
+		t.Fatalf("Open(writeCP): %v", err)
+	}
+	if got, want := len(wN.Sigs), 3; got != want {
+		t.Errorf("Sanity failure, want 1 log + 2 witness sigs on submitted checkpoint, got %d", got)
+	}
+
+	// Send checkpoint with "unknown" witness signature to distro
+	err = d.Distribute(ctx, "FooLog", "Aardvark", writeCP)
+	if err != nil {
+		t.Fatalf("Distribute(): %v", err)
+	}
+
+	// Assert that we get back a checkpoint with only signatures from the log and exptected witness
+	readCP, err := d.GetCheckpointWitness(ctx, logFoo.Verifier.Name(), witAardvark.verifier.Name())
+	if err != nil {
+		t.Errorf("GetCheckpointWitness: %v", err)
+	}
+	rN, err := note.Open(readCP, note.VerifierList([]note.Verifier{logFoo.Verifier, witAardvark.verifier, witChameleon.verifier}...))
+	if err != nil {
+		t.Fatalf("Open(readCP): %v", err)
+	}
+	if gotSig, wantSig, gotUnverified, wantUnverified := len(rN.Sigs), 2, len(rN.UnverifiedSigs), 0; gotSig != wantSig || gotUnverified != wantUnverified {
+		t.Errorf("got %d sigs want %d, got %d unverified sigs want %d:\n%v", gotSig, wantSig, gotUnverified, wantUnverified, string(readCP))
+	}
+}
+
 func TestGetCheckpointN(t *testing.T) {
 	// The base case for this test is that 2 checkpoints have already been written:
 	//  - aardvark, at tree size 16
@@ -805,7 +854,7 @@ type fakeLog struct {
 	signer note.Signer
 }
 
-func (l fakeLog) checkpoint(size uint64, hashSeed string, wit note.Signer) []byte {
+func (l fakeLog) checkpoint(size uint64, hashSeed string, wit ...note.Signer) []byte {
 	hbs := sha256.Sum256([]byte(hashSeed))
 	rawCP := log.Checkpoint{
 		Origin: l.Origin,
@@ -814,7 +863,7 @@ func (l fakeLog) checkpoint(size uint64, hashSeed string, wit note.Signer) []byt
 	}.Marshal()
 	n := note.Note{}
 	n.Text = string(rawCP)
-	bs, err := note.Sign(&n, []note.Signer{l.signer, wit}...)
+	bs, err := note.Sign(&n, append([]note.Signer{l.signer}, wit...)...)
 	if err != nil {
 		panic(err)
 	}

cmd/main.go

@@ -30,8 +30,8 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/transparency-dev/distributor/cmd/internal/distributor"
 	ihttp "github.com/transparency-dev/distributor/cmd/internal/http"
-	i_note "github.com/transparency-dev/distributor/internal/note"
 	"github.com/transparency-dev/formats/log"
+	f_note "github.com/transparency-dev/formats/note"
 	"golang.org/x/mod/sumdb/note"
 	"golang.org/x/sync/errgroup"
 	"gopkg.in/yaml.v3"
@@ -158,7 +158,7 @@ func getLogsOrDie() map[string]distributor.LogInfo {
 	}
 	ls := make(map[string]distributor.LogInfo, len(logsCfg.Logs))
 	for _, l := range logsCfg.Logs {
-		lSigV, err := i_note.NewVerifier(l.PublicKeyType, l.PublicKey)
+		lSigV, err := f_note.NewVerifier(l.PublicKey)
 		if err != nil {
 			glog.Exitf("Invalid log public key: %v", err)
 		}
@@ -192,7 +192,7 @@ func getWitnessesOrDie() map[string]note.Verifier {
 	}
 	ws := make(map[string]note.Verifier, len(witCfg.Witnesses))
 	for _, w := range witCfg.Witnesses {
-		wSigV, err := note.NewVerifier(w)
+		wSigV, err := f_note.NewVerifierForCosignatureV1(w)
 		if err != nil {
 			glog.Exitf("Invalid witness public key: %v", err)
 		}
@@ -216,10 +216,6 @@ type logConfig struct {
 	ID string `yaml:"ID"`
 	// PublicKey used to verify checkpoints from this log.
 	PublicKey string `yaml:"PublicKey"`
-	// PublicKeyType identifies the format of the key present in the PublicKey field.
-	// If unset, the key should be assumed to be in a format which `note.NewVerifier`
-	// understands.
-	PublicKeyType string `yaml:"PublicKeyType"`
 	// Origin is the expected first line of checkpoints from the log.
 	Origin string `yaml:"Origin"`
 	// URL is the URL of the root of the log.

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gorilla/mux v1.8.1
 	github.com/mattn/go-sqlite3 v1.14.18
 	github.com/ory/dockertest/v3 v3.10.0
-	github.com/transparency-dev/formats v0.0.0-20230619083159-fea486e0b437
+	github.com/transparency-dev/formats v0.0.0-20231205184308-949529efd6b3
 	golang.org/x/mod v0.14.0
 	golang.org/x/sync v0.5.0
 	google.golang.org/grpc v1.59.0

go.sum

@@ -157,8 +157,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/transparency-dev/formats v0.0.0-20230619083159-fea486e0b437 h1:URBmePD31wqFRk6JyuH1f4zCxizn86EIe54I0y49Mf0=
-github.com/transparency-dev/formats v0.0.0-20230619083159-fea486e0b437/go.mod h1:n4WaqmAvPXspZADcvhGOLGIp+S/vrikmArFONkfH2rs=
+github.com/transparency-dev/formats v0.0.0-20231205184308-949529efd6b3 h1:Mpx9pqc7bKrx2QQxKL3SPbLIGH4gTBR1ZFrNuKq3CcY=
+github.com/transparency-dev/formats v0.0.0-20231205184308-949529efd6b3/go.mod h1:tY9Z9oBaYdQt4NWIhsFAtv0altwLk+K9Gg/2tbS0eBQ=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=