* Add Log ID to LogEntry field

Since the signed entry timestamp (SET) will be able to prove insertion into the log, adding the log ID (aka public key SHA256 hash) makes it easier to know which log the entry came from. 

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add sha256 prefix to index keys for artifact hashes

This change adds the `sha256:` prefix to index values that are created to simplify searching the transparency log for artifacts. In case we shift to using a different hashing algorithm in the future, this will provide a way to specify it.

Fixes #289

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add signature to LogEntry for offline verification

Also add an integration test for this.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments:
- Canonicalize payload before signing it
- Change name of signature to signedEntryTimestamp
- move signedEntryTimestamp and inclusionProof into separate Verification field in LogEntry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create helper func for extracting log entry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add info around verifying signedEntryTimestamp as comments in openapi.yaml

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Generalize verification instructions

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>

* Add new type for JAR archives

This adds support for a new pluggable type that can extract signatures
from signed JAR files. Per the JAR spec, a special manifest file is
created with the digest hashes of all included content in the JAR file.
It is this special manifest file that is then signed, and included in a
file within the archive in PKCS7 format. The PKCS7 file also includes
the X509 certificate that can be used to verify the signed manifest file
inside of the JAR.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add signing package for signing within rekor

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from trillian and add in TODO for getting public key from Signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create signer flag and store signer in api struct

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from tlog in API, replace with a new pubkey tag

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make sure we can get the public key locally

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix build error

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Reuse cosign implementation of signing interface

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add in-memory signer, store unmarshaled public key in api

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Temporarily skip the log_info test, since we are now getting the public key from rekor and not trillian

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Replace cosign import with sigstore

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add unit test for memory signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove unnecessary code

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* skip test

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Sign the signature for the signed log root ourselves

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Include memory as a signer option for signer flag, make memory default

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

This patch removes the /api/v1/log/entries/{uuid}/proof endpoint. If you
have the UUID (aka the leaf Merkle hash), you likely want proof that the
content represented by that hash is included in the log. There's no need
for a separate /proof endpoint to deliver the same content.

This commit also ensures that the getLogEntryByIndex and
getLogEntryByUUID endpoints return an inclusion proof as part of their
response content. The search endpoint also now returns the inclusion
proof of all entries returned from the query.

With this patch, Rekor no longer uses the deprecated `GetLeavesByHash`
Trillian API.

Fixes #229

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Adds a Location response header when a 409 Conflict error is returned
from the server when a duplicate entry is sent for insertion into the
log. Also changes message printed by CLI to improve usability.

Fixes #222

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

* add endpoint for public key and return signed tree head with loginfo

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Introduce swagger UI server

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: Bob Callaway <bcallawa@redhat.com>

also adds --log-index parameter to CLI verify command

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

We can't insert a blank entry, so mark request body as required.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

- adds trillian API object to context
- improves request error logging pre and post validation
- use consistent request context throughout all GRPC calls
- improve validation of incoming UUID values
- disable swagger UI endpoint
- only print cacheable headers if response code is HTTP 2XX
- use GetLeavesByRange instead of deprecated GetLeavesByIndex API

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

* add xml & yaml format support

* add attributes to denote files that are generated so GH skips them on diffs