
Simplify command line client flags (#738)

* simplify flags

* update docker-compose

* Update trusted root, and adjust VerifyInclusionByIndex for off by one root

* Simplify and remove unused variables
gdbelvin authored and Liamsi committed Aug 12, 2017
1 parent c459b76 commit bb9607e70f5ff4174aedba3c6b2327390ed9532a
@@ -1,8 +1,3 @@
log-key: "genfiles/trillian-log.pem"
vrf: "genfiles/vrf-pubkey.pem"
kt-key: "genfiles/server.crt"
kt-sig: "genfiles/p256-pubkey.pem"
domain: "example.com"
kt-url: "35.184.134.53:8080"
client-secret: "client_secret.json"
service-key: ""
kt-url: localhost:8080
client-secret:
service-key:
@@ -101,5 +101,6 @@ source scripts/configure_trillian.sh && createLog && createMap
- `docker-compose up -d`
- `docker-compose logs --tail=0 --follow`
- [https://localhost:8080/v1/users/foo@bar.com](https://localhost:8080/v1/users/foo@bar.com)
- [https://localhost:8080/v1/domain/info](https://localhost:8080/v1/domain/info)
- [Prometheus graphs](http://localhost:9090/graph)
@@ -25,16 +25,14 @@ import (
"github.com/google/keytransparency/cmd/keytransparency-client/grpcc"
"github.com/google/keytransparency/core/authentication"
"github.com/google/keytransparency/core/client/kt"
"github.com/google/keytransparency/core/crypto/keymaster"
"github.com/google/keytransparency/core/crypto/signatures"
"github.com/google/keytransparency/core/crypto/vrf"
"github.com/google/keytransparency/core/crypto/vrf/p256"
gauth "github.com/google/keytransparency/impl/google/authentication"
pb "github.com/google/keytransparency/impl/proto/keytransparency_v1_service"
"github.com/google/trillian"
"github.com/google/trillian/client"
"github.com/google/trillian/crypto/keys"
"github.com/google/trillian/merkle/coniks"
"github.com/google/trillian/merkle/hashers"
_ "github.com/google/trillian/merkle/objhasher" // Register objhasher
"github.com/spf13/cobra"
@@ -78,15 +76,13 @@ func Execute() {
func init() {
cobra.OnInitialize(initConfig)
RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.keytransparency.yaml)")
RootCmd.PersistentFlags().String("vrf", "testdata/vrf-pubkey.pem", "path to vrf public key")
RootCmd.PersistentFlags().Int64("log-id", 0, "Log ID of the backend log server")
RootCmd.PersistentFlags().String("log-url", "", "URL of Certificate Transparency server")
RootCmd.PersistentFlags().String("log-key", "", "Path to public key PEM for Trillian Log server")
RootCmd.PersistentFlags().String("kt-url", "", "URL of Key Transparency server")
RootCmd.PersistentFlags().String("kt-key", "testdata/server.crt", "Path to public key for Key Transparency")
RootCmd.PersistentFlags().String("kt-sig", "testdata/p256-pubkey.pem", "Path to public key for signed map heads")
RootCmd.PersistentFlags().String("kt-cert", "genfiles/server.crt", "Path to public key for Key Transparency")
RootCmd.PersistentFlags().String("vrf", "genfiles/vrf-pubkey.pem", "path to vrf public key")
RootCmd.PersistentFlags().String("log-key", "genfiles/trillian-log.pem", "Path to public key PEM for Trillian Log server")
RootCmd.PersistentFlags().String("map-key", "genfiles/trillian-map.pem", "Path to public key PEM for Trillian Map server")
RootCmd.PersistentFlags().String("fake-auth-userid", "", "userid to present to the server as identity for authentication. Only succeeds if fake auth is enabled on the server side.")
@@ -173,32 +169,6 @@ func getServiceCreds(serviceKeyFile string) (credentials.PerRPCCredentials, erro
return oauth.NewServiceAccountFromKey(b, gauth.RequiredScopes...)
}
func readSignatureVerifier(ktPEM string) (signatures.Verifier, error) {
pem, err := ioutil.ReadFile(ktPEM)
if err != nil {
return nil, err
}
ver, err := keymaster.NewVerifierFromPEM(pem)
if err != nil {
return nil, err
}
return ver, nil
}
func getClient(cc *grpc.ClientConn, vrfPubFile, ktSig string, log client.LogVerifier) (*grpcc.Client, error) {
// Create Key Transparency client.
vrfKey, err := readVrfKey(vrfPubFile)
if err != nil {
return nil, err
}
verifier, err := readSignatureVerifier(ktSig)
if err != nil {
return nil, fmt.Errorf("error reading key transparency PEM: %v", err)
}
cli := pb.NewKeyTransparencyServiceClient(cc)
return grpcc.New(cli, vrfKey, verifier, log), nil
}
func dial(ktURL, caFile, clientSecretFile string, serviceKeyFile string) (*grpc.ClientConn, error) {
ctx := context.Background()
var opts []grpc.DialOption
@@ -253,32 +223,46 @@ func dial(ktURL, caFile, clientSecretFile string, serviceKeyFile string) (*grpc.
// GetClient connects to the server and returns a key transparency verification
// client.
func GetClient(clientSecretFile string) (*grpcc.Client, error) {
vrfFile := viper.GetString("vrf")
ktURL := viper.GetString("kt-url")
ktPEM := viper.GetString("kt-key")
ktSig := viper.GetString("kt-sig")
logPEM := viper.GetString("log-key")
serviceKeyFile := viper.GetString("service-key")
cc, err := dial(ktURL, ktPEM, clientSecretFile, serviceKeyFile)
ktCert := viper.GetString("kt-cert")
vrfPubFile := viper.GetString("vrf")
logPEMFile := viper.GetString("log-key")
mapPEMFile := viper.GetString("map-key")
serviceKeyFile := viper.GetString("service-key") // Anonymous user creds.
// Client Connection.
cc, err := dial(ktURL, ktCert, clientSecretFile, serviceKeyFile)
if err != nil {
return nil, fmt.Errorf("Error Dialing %v: %v", ktURL, err)
}
// Log verifier.
logPubKey, err := keys.NewFromPublicPEMFile(logPEM)
// Log PubKey.
logPubKey, err := keys.NewFromPublicPEMFile(logPEMFile)
if err != nil {
return nil, fmt.Errorf("Failed to open public key %v: %v", logPubKey, err)
}
hasher, err := hashers.NewLogHasher(trillian.HashStrategy_OBJECT_RFC6962_SHA256)
// Log Hasher.
logHasher, err := hashers.NewLogHasher(trillian.HashStrategy_OBJECT_RFC6962_SHA256)
if err != nil {
return nil, fmt.Errorf("Failed retrieving LogHasher from registry: %v", err)
}
log := client.NewLogVerifier(hasher, logPubKey)
c, err := getClient(cc, vrfFile, ktSig, log)
// VRF PubKey.
vrfPubKey, err := readVrfKey(vrfPubFile)
if err != nil {
return nil, fmt.Errorf("Error creating client: %v", err)
return nil, err
}
return c, nil
// MapPubKey.
mapPubKey, err := keys.NewFromPublicPEMFile(mapPEMFile)
if err != nil {
return nil, fmt.Errorf("error reading key transparency PEM: %v", err)
}
// Map Hasher
mapHasher := coniks.Default
logVerifier := client.NewLogVerifier(logHasher, logPubKey)
return grpcc.New(cc, vrfPubKey, mapPubKey, mapHasher, logVerifier), nil
}
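Review bot: The error paths in GetClient do not name what actually failed: the log-key branch formats `logPubKey`, which is nil when keys.NewFromPublicPEMFile has just returned an error, and the new map-key branch still says "key transparency PEM" although it now reads the map public key. Both should name the file being read, e.g. `return nil, fmt.Errorf("Failed to open public key %v: %v", logPEMFile, err)` and `return nil, fmt.Errorf("error reading map public key %v: %v", mapPEMFile, err)`. The readVrfKey failure is returned unwrapped, so it is the only load in this function that does not say which input it was; `return nil, fmt.Errorf("error reading vrf public key %v: %v", vrfPubFile, err)` would match the others. These four files are the client's trust anchors, and the init hunk above gives them relative `genfiles/...` defaults that resolve against the working directory, so an error that names the path makes a misconfigured trust root visible instead of leaving the operator guessing.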
@@ -34,7 +34,7 @@ import (
"github.com/golang/protobuf/proto"
"github.com/google/trillian/client"
"github.com/google/trillian/merkle/coniks"
"github.com/google/trillian/merkle/hashers"
"golang.org/x/net/context"
"google.golang.org/grpc"
@@ -79,23 +79,22 @@ type Client struct {
cli spb.KeyTransparencyServiceClient
vrf vrf.PublicKey
kt *kt.Verifier
log client.LogVerifier
mutator mutator.Mutator
RetryCount int
RetryDelay time.Duration
trusted trillian.SignedLogRoot
}
// New creates a new client.
func New(client spb.KeyTransparencyServiceClient,
func New(cc *grpc.ClientConn,
vrf vrf.PublicKey,
verifier crypto.PublicKey,
log client.LogVerifier) *Client {
mapPubKey crypto.PublicKey,
mapHasher hashers.MapHasher,
logVerifier client.LogVerifier) *Client {
return &Client{
cli: client,
cli: spb.NewKeyTransparencyServiceClient(cc),
vrf: vrf,
kt: kt.New(vrf, coniks.Default, verifier, log),
log: log,
kt: kt.New(vrf, mapHasher, mapPubKey, logVerifier),
mutator: entry.New(),
RetryCount: 1,
RetryDelay: 3 * time.Second,
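Review bot: The doc comment on New still reads `// New creates a new client.` although the signature changed its first argument to a *grpc.ClientConn and gained mapPubKey and mapHasher; which key verifies signed map heads and which verifier checks log roots is exactly what a caller must get right, and the comment says nothing about it. I would extend it to state that New builds its own service client on cc, that mapPubKey is the public key used to verify signed map heads, that mapHasher is the map hasher handed to the verifier (presumably for map inclusion proofs), and that logVerifier checks log roots and inclusion proofs. The `log` field of Client is dropped, so the log verifier is now reachable only through kt; any other Client method that still used c.log would no longer compile, so presumably none does. Both the Client struct and New continue outside this hunk.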
@@ -46,22 +46,22 @@ var (
// Verifier is a client helper library for verifying request and responses.
type Verifier struct {
vrf vrf.PublicKey
hasher hashers.MapHasher
sig crypto.PublicKey
log client.LogVerifier
vrf vrf.PublicKey
hasher hashers.MapHasher
mapPubKey crypto.PublicKey
logVerifier client.LogVerifier
}
// New creates a new instance of the client verifier.
func New(vrf vrf.PublicKey,
hasher hashers.MapHasher,
sig crypto.PublicKey,
log client.LogVerifier) *Verifier {
mapPubKey crypto.PublicKey,
logVerifier client.LogVerifier) *Verifier {
return &Verifier{
vrf: vrf,
hasher: hasher,
sig: sig,
log: log,
vrf: vrf,
hasher: hasher,
mapPubKey: mapPubKey,
logVerifier: logVerifier,
}
}
@@ -120,25 +120,27 @@ func (v *Verifier) VerifyGetEntryResponse(ctx context.Context, userID, appID str
// by removing the signature from the object.
smr := *in.GetSmr()
smr.Signature = nil // Remove the signature from the object to be verified.
if err := tcrypto.VerifyObject(v.sig, smr, in.GetSmr().GetSignature()); err != nil {
if err := tcrypto.VerifyObject(v.mapPubKey, smr, in.GetSmr().GetSignature()); err != nil {
Vlog.Printf("✗ Signed Map Head signature verification failed.")
return fmt.Errorf("sig.Verify(SMR): %v", err)
}
Vlog.Printf("✓ Signed Map Head signature verified.")
// Verify consistency proof between root and newroot.
// TODO(gdbelvin): Gossip root.
if err := v.log.VerifyRoot(trusted, in.GetLogRoot(), in.GetLogConsistency()); err != nil {
if err := v.logVerifier.VerifyRoot(trusted, in.GetLogRoot(), in.GetLogConsistency()); err != nil {
return fmt.Errorf("VerifyRoot(%v, %v): %v", in.GetLogRoot(), in.GetLogConsistency(), err)
}
Vlog.Printf("✓ Log root updated.")
trusted = in.GetLogRoot()
// Verify inclusion proof.
b, err := json.Marshal(in.GetSmr())
if err != nil {
return fmt.Errorf("json.Marshal(): %v", err)
}
if err := v.log.VerifyInclusionAtIndex(trusted, b, in.GetSmr().GetMapRevision(),
logLeafIndex := in.GetSmr().GetMapRevision() - 1
if err := v.logVerifier.VerifyInclusionAtIndex(trusted, b, logLeafIndex,
in.GetLogInclusion()); err != nil {
return fmt.Errorf("VerifyInclusionAtIndex(%s, %v, _): %v",
b, in.GetSmr().GetMapRevision(), err)
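Review bot: `logLeafIndex := in.GetSmr().GetMapRevision() - 1` encodes the off-by-one the commit message mentions but leaves it unexplained and unguarded: a map revision of 0 yields leaf index -1, which is passed straight to VerifyInclusionAtIndex, and the error text two lines below still prints the map revision rather than the index that was actually checked. I would put a comment above it such as `// Map revision N is logged at leaf N-1 (revision 0 has no log entry).` if that is indeed the server's layout, reject `logLeafIndex < 0` with an explicit error before calling the verifier, and print `logLeafIndex` in the VerifyInclusionAtIndex error so a failed proof can be matched against the log. VerifyGetEntryResponse begins and ends outside this hunk.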
@@ -35,11 +35,17 @@ services:
ports:
- "8090:8090" # gRPC
- "8091:8091" # HTTP & Metrics
environment:
DB_HOST: db:3306
DB_DATABASE: test
DB_USER: test
DB_PASSWORD: zaphod
entrypoint:
- /go/bin/trillian_log_server
- --mysql_uri=test:zaphod@tcp(db:3306)/test
- --rpc_endpoint=0.0.0.0:8090
- --http_endpoint=0.0.0.0:8091
- --alsologtostderr
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8091/metrics"]
interval: 30s
timeout: 30s
retries: 3
trillian-log-signer:
depends_on:
@@ -51,13 +57,21 @@ services:
restart: always
ports:
- "8092:8091" # HTTP & Metrics
environment:
DB_HOST: db:3306
DB_DATABASE: test
DB_USER: test
DB_PASSWORD: zaphod
SEQUENCER_INTERVAL: 1s
entrypoint:
- /go/bin/trillian_log_signer
- --mysql_uri=test:zaphod@tcp(db:3306)/test
- --http_endpoint=0.0.0.0:8091
- --sequencer_guard_window=0s
- --sequencer_interval=1s
- --num_sequencers=1
- --batch_size=50
- --force_master=true
- --alsologtostderr
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8091/metrics"]
interval: 30s
timeout: 30s
retries: 3
trillian-map:
depends_on:
@@ -70,11 +84,17 @@ services:
ports:
- "8093:8090" # gRPC
- "8094:8091" # HTTP & Metrics
environment:
DB_HOST: db:3306
DB_DATABASE: test
DB_USER: test
DB_PASSWORD: zaphod
entrypoint:
- /go/bin/trillian_map_server
- --mysql_uri=test:zaphod@tcp(db:3306)/test
- --rpc_endpoint=0.0.0.0:8090
- --http_endpoint=0.0.0.0:8091
- --alsologtostderr
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8091/metrics"]
interval: 30s
timeout: 30s
retries: 3
kt-server:
depends_on:
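Review bot: The MySQL credentials now appear in each service's entrypoint as `--mysql_uri=test:zaphod@tcp(db:3306)/test` rather than only under `environment`, so the password is visible in the container's process arguments to anyone who can run ps on the host, in addition to `docker inspect`. These are throwaway test credentials, so the practical risk here is low, but if this compose file is the template for a real deployment the URI should come from an environment variable or a secrets file rather than the command line. `--force_master=true` on trillian-log-signer makes the signer act as master without election, which is fine for a single-signer dev setup and worth a one-line comment so it is not copied into a multi-signer one. The same credential pattern repeats in the trillian-log-server and trillian-map hunks of this file.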
@@ -39,6 +39,7 @@ import (
"github.com/google/trillian"
"github.com/google/trillian/crypto/keys"
"github.com/google/trillian/merkle/coniks"
"github.com/google/trillian/testonly/integration"
"golang.org/x/net/context"
"google.golang.org/grpc"
@@ -145,7 +146,7 @@ func NewEnv(t *testing.T) *Env {
t.Fatalf("SetLeaves(): %v", err)
}
verifier, err := keys.NewFromPublicDER(tree.GetPublicKey().GetDer())
mapPubKey, err := keys.NewFromPublicDER(tree.GetPublicKey().GetDer())
if err != nil {
t.Fatalf("Failed to load signing keypair: %v", err)
}
@@ -192,8 +193,8 @@ func NewEnv(t *testing.T) *Env {
if err != nil {
t.Fatalf("Dial(%v) = %v", addr, err)
}
cli := pb.NewKeyTransparencyServiceClient(cc)
client := grpcc.New(cli, vrfPub, verifier, fake.NewFakeTrillianLogVerifier())
client := grpcc.New(cc, vrfPub, mapPubKey, coniks.Default,
fake.NewFakeTrillianLogVerifier())
client.RetryCount = 0
return &Env{
@@ -206,7 +207,7 @@ func NewEnv(t *testing.T) *Env {
db: sqldb,
Factory: factory,
VrfPriv: vrfPriv,
Cli: cli,
Cli: pb.NewKeyTransparencyServiceClient(cc),
mapLog: hs,
}
}
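Review bot: `grpcc.New(cc, vrfPub, mapPubKey, coniks.Default, fake.NewFakeTrillianLogVerifier())` wires a fake log verifier into the integration client, so log root consistency and log inclusion proofs are presumably never exercised by this environment even though map signature and VRF checks are, and a reader of NewEnv cannot tell that from the call. I would add `// Fake log verifier: log root and inclusion proofs are not checked in this env.` above it. The `Cli: pb.NewKeyTransparencyServiceClient(cc)` in the last hunk builds a second service client alongside the one grpcc.New now creates internally; both share cc, so this is harmless, but a short comment saying Cli is the raw service client for tests that bypass the verifying wrapper would explain why there are two. NewEnv begins before the first of these hunks.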