Simplify command line client flags (#738)

* simlify flags * update docker-compose * Update trusted root, and adjust VerifyInclusionByIndex for off by one root * Simplify and remove unused variables
google · Aug 12, 2017 · bb9607e70f5ff4174aedba3c6b2327390ed9532a · bb9607e
1 parent c459b76
commit bb9607e70f5ff4174aedba3c6b2327390ed9532a
diff --git a/.keytransparency.yaml b/.keytransparency.yaml
@@ -1,8 +1,3 @@
-log-key: "genfiles/trillian-log.pem"
-vrf:    "genfiles/vrf-pubkey.pem"
-kt-key: "genfiles/server.crt"
-kt-sig: "genfiles/p256-pubkey.pem"
-domain: "example.com"
-kt-url: "35.184.134.53:8080"
-client-secret: "client_secret.json"
-service-key: ""
+kt-url: localhost:8080
+client-secret: 
+service-key: 
diff --git a/README.md b/README.md
@@ -101,5 +101,6 @@ source scripts/configure_trillian.sh && createLog && createMap
 - `docker-compose up -d`
 - `docker-compose logs --tail=0 --follow`
 - [https://localhost:8080/v1/users/foo@bar.com](https://localhost:8080/v1/users/foo@bar.com)
+- [https://localhost:8080/v1/domain/info](https://localhost:8080/v1/domain/info)
 - [Prometheus graphs](http://localhost:9090/graph)

diff --git a/cmd/keytransparency-client/cmd/root.go b/cmd/keytransparency-client/cmd/root.go
@@ -25,16 +25,14 @@ import (
 	"github.com/google/keytransparency/cmd/keytransparency-client/grpcc"
 	"github.com/google/keytransparency/core/authentication"
 	"github.com/google/keytransparency/core/client/kt"
-	"github.com/google/keytransparency/core/crypto/keymaster"
-	"github.com/google/keytransparency/core/crypto/signatures"
 	"github.com/google/keytransparency/core/crypto/vrf"
 	"github.com/google/keytransparency/core/crypto/vrf/p256"
 	gauth "github.com/google/keytransparency/impl/google/authentication"
-	pb "github.com/google/keytransparency/impl/proto/keytransparency_v1_service"

 	"github.com/google/trillian"
 	"github.com/google/trillian/client"
 	"github.com/google/trillian/crypto/keys"
+	"github.com/google/trillian/merkle/coniks"
 	"github.com/google/trillian/merkle/hashers"
 	_ "github.com/google/trillian/merkle/objhasher" // Register objhasher
 	"github.com/spf13/cobra"
@@ -78,15 +76,13 @@ func Execute() {
 func init() {
 	cobra.OnInitialize(initConfig)
 	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.keytransparency.yaml)")
-	RootCmd.PersistentFlags().String("vrf", "testdata/vrf-pubkey.pem", "path to vrf public key")
-
-	RootCmd.PersistentFlags().Int64("log-id", 0, "Log ID of the backend log server")
-	RootCmd.PersistentFlags().String("log-url", "", "URL of Certificate Transparency server")
-	RootCmd.PersistentFlags().String("log-key", "", "Path to public key PEM for Trillian Log server")

 	RootCmd.PersistentFlags().String("kt-url", "", "URL of Key Transparency server")
-	RootCmd.PersistentFlags().String("kt-key", "testdata/server.crt", "Path to public key for Key Transparency")
-	RootCmd.PersistentFlags().String("kt-sig", "testdata/p256-pubkey.pem", "Path to public key for signed map heads")
+	RootCmd.PersistentFlags().String("kt-cert", "genfiles/server.crt", "Path to public key for Key Transparency")
+	RootCmd.PersistentFlags().String("vrf", "genfiles/vrf-pubkey.pem", "path to vrf public key")
+
+	RootCmd.PersistentFlags().String("log-key", "genfiles/trillian-log.pem", "Path to public key PEM for Trillian Log server")
+	RootCmd.PersistentFlags().String("map-key", "genfiles/trillian-map.pem", "Path to public key PEM for Trillian Map server")

 	RootCmd.PersistentFlags().String("fake-auth-userid", "", "userid to present to the server as identity for authentication. Only succeeds if fake auth is enabled on the server side.")

@@ -173,32 +169,6 @@ func getServiceCreds(serviceKeyFile string) (credentials.PerRPCCredentials, erro
 	return oauth.NewServiceAccountFromKey(b, gauth.RequiredScopes...)
 }

-func readSignatureVerifier(ktPEM string) (signatures.Verifier, error) {
-	pem, err := ioutil.ReadFile(ktPEM)
-	if err != nil {
-		return nil, err
-	}
-	ver, err := keymaster.NewVerifierFromPEM(pem)
-	if err != nil {
-		return nil, err
-	}
-	return ver, nil
-}
-
-func getClient(cc *grpc.ClientConn, vrfPubFile, ktSig string, log client.LogVerifier) (*grpcc.Client, error) {
-	// Create Key Transparency client.
-	vrfKey, err := readVrfKey(vrfPubFile)
-	if err != nil {
-		return nil, err
-	}
-	verifier, err := readSignatureVerifier(ktSig)
-	if err != nil {
-		return nil, fmt.Errorf("error reading key transparency PEM: %v", err)
-	}
-	cli := pb.NewKeyTransparencyServiceClient(cc)
-	return grpcc.New(cli, vrfKey, verifier, log), nil
-}
-
 func dial(ktURL, caFile, clientSecretFile string, serviceKeyFile string) (*grpc.ClientConn, error) {
 	ctx := context.Background()
 	var opts []grpc.DialOption
@@ -253,32 +223,46 @@ func dial(ktURL, caFile, clientSecretFile string, serviceKeyFile string) (*grpc.
 // GetClient connects to the server and returns a key transparency verification
 // client.
 func GetClient(clientSecretFile string) (*grpcc.Client, error) {
-	vrfFile := viper.GetString("vrf")
 	ktURL := viper.GetString("kt-url")
-	ktPEM := viper.GetString("kt-key")
-	ktSig := viper.GetString("kt-sig")
-	logPEM := viper.GetString("log-key")
-	serviceKeyFile := viper.GetString("service-key")
-	cc, err := dial(ktURL, ktPEM, clientSecretFile, serviceKeyFile)
+	ktCert := viper.GetString("kt-cert")
+	vrfPubFile := viper.GetString("vrf")
+	logPEMFile := viper.GetString("log-key")
+	mapPEMFile := viper.GetString("map-key")
+	serviceKeyFile := viper.GetString("service-key") // Anonymous user creds.
+
+	// Client Connection.
+	cc, err := dial(ktURL, ktCert, clientSecretFile, serviceKeyFile)
 	if err != nil {
 		return nil, fmt.Errorf("Error Dialing %v: %v", ktURL, err)
 	}

-	// Log verifier.
-	logPubKey, err := keys.NewFromPublicPEMFile(logPEM)
+	// Log PubKey.
+	logPubKey, err := keys.NewFromPublicPEMFile(logPEMFile)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to open public key %v: %v", logPubKey, err)
 	}

-	hasher, err := hashers.NewLogHasher(trillian.HashStrategy_OBJECT_RFC6962_SHA256)
+	// Log Hasher.
+	logHasher, err := hashers.NewLogHasher(trillian.HashStrategy_OBJECT_RFC6962_SHA256)
 	if err != nil {
 		return nil, fmt.Errorf("Failed retrieving LogHasher from registry: %v", err)
 	}
-	log := client.NewLogVerifier(hasher, logPubKey)

-	c, err := getClient(cc, vrfFile, ktSig, log)
+	// VRF PubKey.
+	vrfPubKey, err := readVrfKey(vrfPubFile)
 	if err != nil {
-		return nil, fmt.Errorf("Error creating client: %v", err)
+		return nil, err
 	}
-	return c, nil
+
+	// MapPubKey.
+	mapPubKey, err := keys.NewFromPublicPEMFile(mapPEMFile)
+	if err != nil {
+		return nil, fmt.Errorf("error reading key transparency PEM: %v", err)
+	}
+
+	// Map Hasher
+	mapHasher := coniks.Default
+
+	logVerifier := client.NewLogVerifier(logHasher, logPubKey)
+	return grpcc.New(cc, vrfPubKey, mapPubKey, mapHasher, logVerifier), nil
 }
diff --git a/cmd/keytransparency-client/grpcc/grpc_client.go b/cmd/keytransparency-client/grpcc/grpc_client.go
@@ -34,7 +34,7 @@ import (

 	"github.com/golang/protobuf/proto"
 	"github.com/google/trillian/client"
-	"github.com/google/trillian/merkle/coniks"
+	"github.com/google/trillian/merkle/hashers"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"

@@ -79,23 +79,22 @@ type Client struct {
 	cli        spb.KeyTransparencyServiceClient
 	vrf        vrf.PublicKey
 	kt         *kt.Verifier
-	log        client.LogVerifier
 	mutator    mutator.Mutator
 	RetryCount int
 	RetryDelay time.Duration
 	trusted    trillian.SignedLogRoot
 }

 // New creates a new client.
-func New(client spb.KeyTransparencyServiceClient,
+func New(cc *grpc.ClientConn,
 	vrf vrf.PublicKey,
-	verifier crypto.PublicKey,
-	log client.LogVerifier) *Client {
+	mapPubKey crypto.PublicKey,
+	mapHasher hashers.MapHasher,
+	logVerifier client.LogVerifier) *Client {
 	return &Client{
-		cli:        client,
+		cli:        spb.NewKeyTransparencyServiceClient(cc),
 		vrf:        vrf,
-		kt:         kt.New(vrf, coniks.Default, verifier, log),
-		log:        log,
+		kt:         kt.New(vrf, mapHasher, mapPubKey, logVerifier),
 		mutator:    entry.New(),
 		RetryCount: 1,
 		RetryDelay: 3 * time.Second,
diff --git a/core/client/kt/verify.go b/core/client/kt/verify.go
@@ -46,22 +46,22 @@ var (

 // Verifier is a client helper library for verifying request and responses.
 type Verifier struct {
-	vrf    vrf.PublicKey
-	hasher hashers.MapHasher
-	sig    crypto.PublicKey
-	log    client.LogVerifier
+	vrf         vrf.PublicKey
+	hasher      hashers.MapHasher
+	mapPubKey   crypto.PublicKey
+	logVerifier client.LogVerifier
 }

 // New creates a new instance of the client verifier.
 func New(vrf vrf.PublicKey,
 	hasher hashers.MapHasher,
-	sig crypto.PublicKey,
-	log client.LogVerifier) *Verifier {
+	mapPubKey crypto.PublicKey,
+	logVerifier client.LogVerifier) *Verifier {
 	return &Verifier{
-		vrf:    vrf,
-		hasher: hasher,
-		sig:    sig,
-		log:    log,
+		vrf:         vrf,
+		hasher:      hasher,
+		mapPubKey:   mapPubKey,
+		logVerifier: logVerifier,
 	}
 }

@@ -120,25 +120,27 @@ func (v *Verifier) VerifyGetEntryResponse(ctx context.Context, userID, appID str
 	// by removing the signature from the object.
 	smr := *in.GetSmr()
 	smr.Signature = nil // Remove the signature from the object to be verified.
-	if err := tcrypto.VerifyObject(v.sig, smr, in.GetSmr().GetSignature()); err != nil {
+	if err := tcrypto.VerifyObject(v.mapPubKey, smr, in.GetSmr().GetSignature()); err != nil {
 		Vlog.Printf("✗ Signed Map Head signature verification failed.")
 		return fmt.Errorf("sig.Verify(SMR): %v", err)
 	}
 	Vlog.Printf("✓ Signed Map Head signature verified.")

 	// Verify consistency proof between root and newroot.
 	// TODO(gdbelvin): Gossip root.
-	if err := v.log.VerifyRoot(trusted, in.GetLogRoot(), in.GetLogConsistency()); err != nil {
+	if err := v.logVerifier.VerifyRoot(trusted, in.GetLogRoot(), in.GetLogConsistency()); err != nil {
 		return fmt.Errorf("VerifyRoot(%v, %v): %v", in.GetLogRoot(), in.GetLogConsistency(), err)
 	}
 	Vlog.Printf("✓ Log root updated.")
+	trusted = in.GetLogRoot()

 	// Verify inclusion proof.
 	b, err := json.Marshal(in.GetSmr())
 	if err != nil {
 		return fmt.Errorf("json.Marshal(): %v", err)
 	}
-	if err := v.log.VerifyInclusionAtIndex(trusted, b, in.GetSmr().GetMapRevision(),
+	logLeafIndex := in.GetSmr().GetMapRevision() - 1
+	if err := v.logVerifier.VerifyInclusionAtIndex(trusted, b, logLeafIndex,
 		in.GetLogInclusion()); err != nil {
 		return fmt.Errorf("VerifyInclusionAtIndex(%s, %v, _): %v",
 			b, in.GetSmr().GetMapRevision(), err)
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -35,11 +35,17 @@ services:
    ports:
      - "8090:8090" # gRPC
      - "8091:8091" # HTTP & Metrics
-    environment:
-      DB_HOST: db:3306
-      DB_DATABASE: test
-      DB_USER: test
-      DB_PASSWORD: zaphod 
+    entrypoint:
+      - /go/bin/trillian_log_server
+      - --mysql_uri=test:zaphod@tcp(db:3306)/test
+      - --rpc_endpoint=0.0.0.0:8090
+      - --http_endpoint=0.0.0.0:8091
+      - --alsologtostderr 
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8091/metrics"]
+      interval: 30s
+      timeout: 30s
+      retries: 3

  trillian-log-signer:
    depends_on:
@@ -51,13 +57,21 @@ services:
    restart: always
    ports:
      - "8092:8091" # HTTP & Metrics
-    environment:
-      DB_HOST: db:3306
-      DB_DATABASE: test
-      DB_USER: test
-      DB_PASSWORD: zaphod
-      SEQUENCER_INTERVAL: 1s
-
+    entrypoint: 
+      - /go/bin/trillian_log_signer
+      - --mysql_uri=test:zaphod@tcp(db:3306)/test
+      - --http_endpoint=0.0.0.0:8091
+      - --sequencer_guard_window=0s
+      - --sequencer_interval=1s
+      - --num_sequencers=1
+      - --batch_size=50
+      - --force_master=true
+      - --alsologtostderr
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8091/metrics"]
+      interval: 30s
+      timeout: 30s
+      retries: 3

  trillian-map:
    depends_on:
@@ -70,11 +84,17 @@ services:
    ports:
      - "8093:8090" # gRPC
      - "8094:8091" # HTTP & Metrics
-    environment:
-      DB_HOST: db:3306
-      DB_DATABASE: test
-      DB_USER: test
-      DB_PASSWORD: zaphod 
+    entrypoint:
+      - /go/bin/trillian_map_server
+      - --mysql_uri=test:zaphod@tcp(db:3306)/test
+      - --rpc_endpoint=0.0.0.0:8090
+      - --http_endpoint=0.0.0.0:8091
+      - --alsologtostderr 
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8091/metrics"]
+      interval: 30s
+      timeout: 30s
+      retries: 3

  kt-server:
    depends_on:
diff --git a/integration/testutil.go b/integration/testutil.go
@@ -39,6 +39,7 @@ import (

 	"github.com/google/trillian"
 	"github.com/google/trillian/crypto/keys"
+	"github.com/google/trillian/merkle/coniks"
 	"github.com/google/trillian/testonly/integration"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
@@ -145,7 +146,7 @@ func NewEnv(t *testing.T) *Env {
 		t.Fatalf("SetLeaves(): %v", err)
 	}

-	verifier, err := keys.NewFromPublicDER(tree.GetPublicKey().GetDer())
+	mapPubKey, err := keys.NewFromPublicDER(tree.GetPublicKey().GetDer())
 	if err != nil {
 		t.Fatalf("Failed to load signing keypair: %v", err)
 	}
@@ -192,8 +193,8 @@ func NewEnv(t *testing.T) *Env {
 	if err != nil {
 		t.Fatalf("Dial(%v) = %v", addr, err)
 	}
-	cli := pb.NewKeyTransparencyServiceClient(cc)
-	client := grpcc.New(cli, vrfPub, verifier, fake.NewFakeTrillianLogVerifier())
+	client := grpcc.New(cc, vrfPub, mapPubKey, coniks.Default,
+		fake.NewFakeTrillianLogVerifier())
 	client.RetryCount = 0

 	return &Env{
@@ -206,7 +207,7 @@ func NewEnv(t *testing.T) *Env {
 		db:         sqldb,
 		Factory:    factory,
 		VrfPriv:    vrfPriv,
-		Cli:        cli,
+		Cli:        pb.NewKeyTransparencyServiceClient(cc),
 		mapLog:     hs,
 	}
 }
diff --git a/scripts/gen_signer_keys.sh b/scripts/gen_signer_keys.sh