Cleanup some initialization/flag parsing in rekor-server. (#433)

This is in preparation for supporting multiple logIDs (for sharding). Signed-off-by: Dan Lorenc <dlorenc@google.com>

Cleanup some initialization/flag parsing in rekor-server. (#433)
d089e5df · dlorenc · GitHub · 11a91be5 · d089e5df · d089e5df
Unverified Commit d089e5df authored 3 years ago by dlorenc Committed by GitHub 3 years ago
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -25,7 +25,6 @@ import (
 	"time"

 	"github.com/google/trillian"
-	"github.com/google/trillian/client"
 	radix "github.com/mediocregopher/radix/v4"
 	"github.com/pkg/errors"
 	"github.com/spf13/viper"
@@ -61,7 +60,6 @@ type API struct {
 	tsaSigner    signature.Signer    // the signer to use for timestamping
 	certChain    []*x509.Certificate // timestamping cert chain
 	certChainPem string              // PEM encoded timestamping cert chain
-	verifier     *client.LogVerifier
 }

 func NewAPI() (*API, error) {
@@ -85,13 +83,6 @@ func NewAPI() (*API, error) {
 		tLogID = t.TreeId
 	}

-	t, err := logAdminClient.GetTree(ctx, &trillian.GetTreeRequest{
-		TreeId: tLogID,
-	})
-	if err != nil {
-		return nil, errors.Wrap(err, "get tree")
-	}
-
 	rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"))
 	if err != nil {
 		return nil, errors.Wrap(err, "getting new signer")
@@ -108,11 +99,6 @@ func NewAPI() (*API, error) {

 	pubkey := cryptoutils.PEMEncode(cryptoutils.PublicKeyPEMType, b)

-	verifier, err := client.NewLogVerifierFromTree(t)
-	if err != nil {
-		return nil, errors.Wrap(err, "new verifier")
-	}
-
 	// Use an in-memory key for timestamping
 	tsaSigner, err := signer.New(ctx, signer.MemoryScheme)
 	if err != nil {
@@ -146,15 +132,17 @@ func NewAPI() (*API, error) {
 	}

 	return &API{
-		logClient:    logClient,
-		logID:        tLogID,
-		pubkey:       string(pubkey),
-		pubkeyHash:   hex.EncodeToString(pubkeyHashBytes[:]),
-		signer:       rekorSigner,
+		// Transparency Log Stuff
+		logClient: logClient,
+		logID:     tLogID,
+		// Signing/verifying fields
+		pubkey:     string(pubkey),
+		pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]),
+		signer:     rekorSigner,
+		// TSA signing stuff
 		tsaSigner:    tsaSigner,
 		certChain:    certChain,
 		certChainPem: string(certChainPem),
-		verifier:     verifier,
 	}, nil
 }


--- a/pkg/api/timestamp.go
+++ b/pkg/api/timestamp.go
@@ -24,7 +24,6 @@ import (
 	"net/http"

 	"github.com/go-openapi/runtime/middleware"
-	"github.com/pkg/errors"
 	"github.com/sassoftware/relic/lib/pkcs9"
 	"github.com/sigstore/rekor/pkg/generated/restapi/operations/entries"
 	"github.com/sigstore/rekor/pkg/generated/restapi/operations/timestamp"
@@ -47,11 +46,6 @@ func RequestFromRekor(ctx context.Context, req pkcs9.TimeStampReq) ([]byte, erro
 }

 func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middleware.Responder {
-	// Fail early if we don't haven't configured rekor with a certificate for timestamping.
-	if len(api.certChain) == 0 {
-		return handleRekorAPIError(params, http.StatusNotImplemented, errors.New("rekor is not configured to serve timestamps"), "")
-	}
-
 	// TODO: Add support for in-house JSON based timestamp response.
 	requestBytes, err := ioutil.ReadAll(params.Request)
 	if err != nil {
@@ -96,8 +90,5 @@ func TimestampResponseHandler(params timestamp.GetTimestampResponseParams) middl
 }

 func GetTimestampCertChainHandler(params timestamp.GetTimestampCertChainParams) middleware.Responder {
-	if len(api.certChain) == 0 {
-		return handleRekorAPIError(params, http.StatusNotFound, errors.New("rekor is not configured with a timestamping certificate"), "")
-	}
 	return timestamp.NewGetTimestampCertChainOK().WithPayload(api.certChainPem)
 }
--- a/pkg/api/trillian_client.go
+++ b/pkg/api/trillian_client.go
@@ -23,6 +23,7 @@ import (

 	"github.com/google/trillian/merkle/logverifier"
 	"github.com/google/trillian/merkle/rfc6962/hasher"
+	rfc6962 "github.com/google/trillian/merkle/rfc6962/hasher"
 	"github.com/pkg/errors"

 	"google.golang.org/grpc/codes"
@@ -35,18 +36,16 @@ import (
 )

 type TrillianClient struct {
-	client   trillian.TrillianLogClient
-	logID    int64
-	context  context.Context
-	verifier *client.LogVerifier
+	client  trillian.TrillianLogClient
+	logID   int64
+	context context.Context
 }

 func NewTrillianClient(ctx context.Context) TrillianClient {
 	return TrillianClient{
-		client:   api.logClient,
-		logID:    api.logID,
-		context:  ctx,
-		verifier: api.verifier,
+		client:  api.logClient,
+		logID:   api.logID,
+		context: ctx,
 	}
 }

@@ -102,7 +101,8 @@ func (t *TrillianClient) addLeaf(byteValue []byte) *Response {
 			getAddResult: resp,
 		}
 	}
-	logClient := client.New(t.logID, t.client, t.verifier, root)
+	v := client.NewLogVerifier(rfc6962.DefaultHasher)
+	logClient := client.New(t.logID, t.client, v, root)

 	waitForInclusion := func(ctx context.Context, leafHash []byte) *Response {
 		if logClient.MinMergeDelay > 0 {
@@ -252,8 +252,10 @@ func (t *TrillianClient) getProofByHash(hashValue []byte) *Response {
 		})

 	if resp != nil {
+		v := client.NewLogVerifier(rfc6962.DefaultHasher)
 		for _, proof := range resp.Proof {
-			if err := t.verifier.VerifyInclusionByHash(&root, hashValue, proof); err != nil {
+
+			if err := v.VerifyInclusionByHash(&root, hashValue, proof); err != nil {
 				return &Response{
 					status: status.Code(err),
 					err:    err,