Add Log ID to LogEntry field (#294)

* Add Log ID to LogEntry field Since the signed entry timestamp (SET) will be able to prove insertion into the log, adding the log ID (aka public key SHA256 hash) makes it easier to know which log the entry came from. Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Add Log ID to LogEntry field (#294)
c28f0099 · Bob Callaway · GitHub · 603b4a8f · c28f0099 · c28f0099
Unverified Commit c28f0099 authored 3 years ago by Bob Callaway Committed by GitHub 3 years ago
--- a/cmd/rekor-cli/app/get.go
+++ b/cmd/rekor-cli/app/get.go
@@ -40,10 +40,12 @@ type getCmdOutput struct {
 	LogIndex       int
 	IntegratedTime int64
 	UUID           string
+	LogID          string
 }
 func (g *getCmdOutput) String() string {
-	s := fmt.Sprintf("Index: %d\n", g.LogIndex)
+	s := fmt.Sprintf("LogID: %v\n", g.LogID)
+	s += fmt.Sprintf("Index: %d\n", g.LogIndex)
 	dt := time.Unix(g.IntegratedTime, 0).UTC().Format(time.RFC3339)
 	s += fmt.Sprintf("IntegratedTime: %s\n", dt)
 	s += fmt.Sprintf("UUID: %s\n", g.UUID)
@@ -130,8 +132,9 @@ func parseEntry(uuid string, e models.LogEntryAnon) (interface{}, error) {
 	obj := getCmdOutput{
 		Body:           eimpl,
 		UUID:           uuid,
-		IntegratedTime: e.IntegratedTime,
+		IntegratedTime: *e.IntegratedTime,
 		LogIndex:       int(*e.LogIndex),
+		LogID:          *e.LogID,
 	}
 	return &obj, nil

--- a/openapi.yaml
+++ b/openapi.yaml
@@ -291,6 +291,10 @@ definitions:
    additionalProperties:
      type: object
      properties:
+        logID:
+          type: string
+          pattern: '^[0-9a-fA-F]{64}$'
+          description: This is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log
        logIndex:
          type: integer
          minimum: 0
@@ -311,10 +315,12 @@ definitions:
                # 1. Remove the Verification object from the JSON Document
                # 2. Canonicalize the remaining JSON document by following RFC 8785 rules
                # 3. Verify the canonicalized payload and signedEntryTimestamp against rekor's public key
-              description: Signature over the logIndex, body and integratedTime. 
+              description: Signature over the logID, logIndex, body and integratedTime.
      required:
+        - "logID"
        - "logIndex"
        - "body"
+        - "integratedTime"
  SearchIndex:
    type: object

--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -17,7 +17,9 @@ package api
 import (
 	"context"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"time"
@@ -47,12 +49,12 @@ func dial(ctx context.Context, rpcServer string) (*grpc.ClientConn, error) {
 }
 type API struct {
-	logClient trillian.TrillianLogClient
+	logClient  trillian.TrillianLogClient
-	logID     int64
+	logID      int64
-	// PEM encoded public key
+	pubkey     string // PEM encoded public key
-	pubkey   string
+	pubkeyHash string // SHA256 hash of DER-encoded public key
-	signer   signature.Signer
+	signer     signature.Signer
-	verifier *client.LogVerifier
+	verifier   *client.LogVerifier
 }
 func NewAPI() (*API, error) {
@@ -95,6 +97,12 @@ func NewAPI() (*API, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "marshalling public key")
 	}
+	hasher := sha256.New()
+	if _, err = hasher.Write(b); err != nil {
+		return nil, errors.Wrap(err, "computing hash of public key")
+	}
+	pubkeyHashBytes := hasher.Sum(nil)
 	pubkey := pem.EncodeToMemory(&pem.Block{
 		Type:  "PUBLIC KEY",
 		Bytes: b,
@@ -106,11 +114,12 @@ func NewAPI() (*API, error) {
 	}
 	return &API{
-		logClient: logClient,
+		logClient:  logClient,
-		logID:     tLogID,
+		logID:      tLogID,
-		pubkey:    string(pubkey),
+		pubkey:     string(pubkey),
-		signer:    signer,
+		pubkeyHash: hex.EncodeToString(pubkeyHashBytes),
-		verifier:  verifier,
+		signer:     signer,
+		verifier:   verifier,
 	}, nil
 }

--- a/pkg/api/entries.go
+++ b/pkg/api/entries.go
@@ -62,9 +62,10 @@ func logEntryFromLeaf(tc TrillianClient, leaf *trillian.LogLeaf, signedLogRoot *
 	logEntry := models.LogEntry{
 		hex.EncodeToString(leaf.MerkleLeafHash): models.LogEntryAnon{
+			LogID:          swag.String(api.pubkeyHash),
 			LogIndex:       &leaf.LeafIndex,
 			Body:           leaf.LeafValue,
-			IntegratedTime: leaf.IntegrateTimestamp.AsTime().Unix(),
+			IntegratedTime: swag.Int64(leaf.IntegrateTimestamp.AsTime().Unix()),
 			Verification: &models.LogEntryAnonVerification{
 				InclusionProof: &inclusionProof,
 			},
@@ -143,9 +144,10 @@ func CreateLogEntryHandler(params entries.CreateLogEntryParams) middleware.Respo
 	uuid := hex.EncodeToString(queuedLeaf.GetMerkleLeafHash())
 	logEntryAnon := models.LogEntryAnon{
+		LogID:          swag.String(api.pubkeyHash),
 		LogIndex:       swag.Int64(queuedLeaf.LeafIndex),
 		Body:           queuedLeaf.GetLeafValue(),
-		IntegratedTime: queuedLeaf.IntegrateTimestamp.AsTime().Unix(),
+		IntegratedTime: swag.Int64(queuedLeaf.IntegrateTimestamp.AsTime().Unix()),
 	}
 	if viper.GetBool("enable_retrieve_api") {

--- a/pkg/generated/models/log_entry.go
+++ b/pkg/generated/models/log_entry.go
@@ -88,7 +88,13 @@ type LogEntryAnon struct {
 	Body interface{} `json:"body"`
 	// integrated time
-	IntegratedTime int64 `json:"integratedTime,omitempty"`
+	// Required: true
+	IntegratedTime *int64 `json:"integratedTime"`
+	// This is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log
+	// Required: true
+	// Pattern: ^[0-9a-fA-F]{64}$
+	LogID *string `json:"logID"`
 	// log index
 	// Required: true
@@ -107,6 +113,14 @@ func (m *LogEntryAnon) Validate(formats strfmt.Registry) error {
 		res = append(res, err)
 	}
+	if err := m.validateIntegratedTime(formats); err != nil {
+		res = append(res, err)
+	}
+	if err := m.validateLogID(formats); err != nil {
+		res = append(res, err)
+	}
 	if err := m.validateLogIndex(formats); err != nil {
 		res = append(res, err)
 	}
@@ -130,6 +144,28 @@ func (m *LogEntryAnon) validateBody(formats strfmt.Registry) error {
 	return nil
 }
+func (m *LogEntryAnon) validateIntegratedTime(formats strfmt.Registry) error {
+	if err := validate.Required("integratedTime", "body", m.IntegratedTime); err != nil {
+		return err
+	}
+	return nil
+}
+func (m *LogEntryAnon) validateLogID(formats strfmt.Registry) error {
+	if err := validate.Required("logID", "body", m.LogID); err != nil {
+		return err
+	}
+	if err := validate.Pattern("logID", "body", *m.LogID, `^[0-9a-fA-F]{64}$`); err != nil {
+		return err
+	}
+	return nil
+}
 func (m *LogEntryAnon) validateLogIndex(formats strfmt.Registry) error {
 	if err := validate.Required("logIndex", "body", m.LogIndex); err != nil {
@@ -214,7 +250,7 @@ type LogEntryAnonVerification struct {
 	// inclusion proof
 	InclusionProof *InclusionProof `json:"inclusionProof,omitempty"`
-	// Signature over the logIndex, body and integratedTime.
+	// Signature over the logID, logIndex, body and integratedTime.
 	// Format: byte
 	SignedEntryTimestamp strfmt.Base64 `json:"signedEntryTimestamp,omitempty"`
 }

--- a/pkg/generated/restapi/embedded_spec.go
+++ b/pkg/generated/restapi/embedded_spec.go
@@ -400,8 +400,10 @@ func init() {
      "additionalProperties": {
        "type": "object",
        "required": [
+          "logID",
          "logIndex",
-          "body"
+          "body",
+          "integratedTime"
        ],
        "properties": {
          "body": {
@@ -411,6 +413,11 @@ func init() {
          "integratedTime": {
            "type": "integer"
          },
+          "logID": {
+            "description": "This is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log",
+            "type": "string",
+            "pattern": "^[0-9a-fA-F]{64}$"
+          },
          "logIndex": {
            "type": "integer"
          },
@@ -421,7 +428,7 @@ func init() {
                "$ref": "#/definitions/InclusionProof"
              },
              "signedEntryTimestamp": {
-                "description": "Signature over the logIndex, body and integratedTime.",
+                "description": "Signature over the logID, logIndex, body and integratedTime.",
                "type": "string",
                "format": "byte"
              }
@@ -1193,8 +1200,10 @@ func init() {
    "LogEntryAnon": {
      "type": "object",
      "required": [
+        "logID",
        "logIndex",
-        "body"
+        "body",
+        "integratedTime"
      ],
      "properties": {
        "body": {
@@ -1204,6 +1213,11 @@ func init() {
        "integratedTime": {
          "type": "integer"
        },
+        "logID": {
+          "description": "This is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log",
+          "type": "string",
+          "pattern": "^[0-9a-fA-F]{64}$"
+        },
        "logIndex": {
          "type": "integer",
          "minimum": 0
@@ -1215,7 +1229,7 @@ func init() {
              "$ref": "#/definitions/InclusionProof"
            },
            "signedEntryTimestamp": {
-              "description": "Signature over the logIndex, body and integratedTime.",
+              "description": "Signature over the logID, logIndex, body and integratedTime.",
              "type": "string",
              "format": "byte"
            }
@@ -1230,7 +1244,7 @@ func init() {
          "$ref": "#/definitions/InclusionProof"
        },
        "signedEntryTimestamp": {
-          "description": "Signature over the logIndex, body and integratedTime.",
+          "description": "Signature over the logID, logIndex, body and integratedTime.",
          "type": "string",
          "format": "byte"
        }