Unverified Commit 070f83e9 authored by Bob Callaway's avatar Bob Callaway Committed by GitHub

Canonicalize JSON before inserting into trillian (#445)


Each of the supported types has a Canonicalize() method that generates a
JSON representation of the entry. If the golang library were to make a
change to the order of keys when marshalling an object, it would cause
a duplicate entry in the log for a semantically equivalent object.

This change simply transforms the JSON into RFC8785-compliant
canonicalized JSON, protecting against any changes in JSON libraries
going forward.

Signed-off-by: default avatarBob Callaway <bob.callaway@gmail.com>
parent 58652e30
...@@ -148,7 +148,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl ...@@ -148,7 +148,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
if err != nil { if err != nil {
return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err)) return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err))
} }
leaf, err := entry.Canonicalize(ctx) leaf, err := types.CanonicalizeEntry(ctx, entry)
if err != nil { if err != nil {
if _, ok := (err).(types.ValidationError); ok { if _, ok := (err).(types.ValidationError); ok {
return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err)) return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err))
...@@ -315,7 +315,7 @@ func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Respo ...@@ -315,7 +315,7 @@ func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Respo
return err return err
} }
leaf, err := entry.Canonicalize(httpReqCtx) leaf, err := types.CanonicalizeEntry(httpReqCtx, entry)
if err != nil { if err != nil {
code = http.StatusInternalServerError code = http.StatusInternalServerError
return err return err
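Review bot: Both `leaf` assignments (in createLogEntry and in SearchLogQueryHandler) now produce RFC 8785 bytes, while entries written before this commit were stored as the bytes each type's Canonicalize() returned. If the search path looks entries up by a hash of `leaf` (that code is outside the hunk), a proposed entry matching a pre-existing log entry would no longer be found, and re-submitting it would create the duplicate this change is meant to prevent. Either document that the new encoding applies only to logs with no prior entries, or fall back to the raw `entry.Canonicalize(httpReqCtx)` bytes when the canonical lookup misses. Both function bodies continue outside the hunks shown.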
......
...@@ -23,6 +23,7 @@ import ( ...@@ -23,6 +23,7 @@ import (
"net/url" "net/url"
"reflect" "reflect"
"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
"github.com/go-openapi/strfmt" "github.com/go-openapi/strfmt"
"github.com/mitchellh/mapstructure" "github.com/mitchellh/mapstructure"
"github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/rekor/pkg/generated/models"
...@@ -105,6 +106,17 @@ func DecodeEntry(input, output interface{}) error { ...@@ -105,6 +106,17 @@ func DecodeEntry(input, output interface{}) error {
return dec.Decode(input) return dec.Decode(input)
} }
// CanonicalizeEntry returns the entry marshalled in JSON according to the
// canonicalization rules of RFC8785 to protect against any changes in golang's JSON
// marshalling logic that may reorder elements
func CanonicalizeEntry(ctx context.Context, entry EntryImpl) ([]byte, error) {
canonicalEntry, err := entry.Canonicalize(ctx)
if err != nil {
return nil, err
}
return jsoncanonicalizer.Transform(canonicalEntry)
}
// ArtifactProperties provide a consistent struct for passing values from // ArtifactProperties provide a consistent struct for passing values from
// CLI flags to the type+version specific CreateProposeEntry() methods // CLI flags to the type+version specific CreateProposeEntry() methods
type ArtifactProperties struct { type ArtifactProperties struct {
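Review bot: CanonicalizeEntry makes the output of `jsoncanonicalizer.Transform` the exact bytes stored as the log leaf, so leaf stability now depends on that third-party package rather than on encoding/json, and nothing visible on this page pins its output. A table test with one fixed entry per supported type and its expected canonical bytes would catch a dependency bump that changes the encoding before it yields divergent leaves. The Transform error is also returned bare; wrapping it on that path only, e.g. `return nil, fmt.Errorf("canonicalizing entry: %w", err)` (assuming fmt is imported, which the hunk does not show), would distinguish it from entry.Canonicalize failures. The Canonicalize error should stay unwrapped, because createLogEntry type-asserts it directly to types.ValidationError.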
......