
502 error when posting intoto 0.0.2 entry w/o hash #1164

Closed
bdehamer opened this issue Nov 2, 2022 · 1 comment · Fixed by #1171
Labels
bug Something isn't working

Comments


bdehamer commented Nov 2, 2022

Description

If I try to upload an intoto/0.0.2 entry to Rekor without including a value for the hash field, I receive a 502 status code in response:

curl -X "POST" "https://rekor.sigstore.dev/api/v1/log/entries" \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -d $'{
  "kind": "intoto",
  "apiVersion": "0.0.2",
  "spec": {
    "content": {
      "envelope": {
        "payload": "YUdWc2JHOHNJSGR2Y214a0lRPT0=",
        "payloadType": "text/plain",
        "signatures": [
          {
            "sig": "TUVRQ0lHZ3hXNWgxUmZoNklwcFcvdm9KV2xNMUNVdStsRzBWdGoxN21XM2pta1BwQWlBdEx2aTFMekxyc2xsSnd3YnJYMEppR0w2MjA0ZURmNUpad2lTaFF4Mk9vdz09",
            "publicKey": "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"
          }
        ]
      }
    }
  }
}'
HTTP/1.1 502 Bad Gateway
Date: Wed, 02 Nov 2022 23:49:15 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
Strict-Transport-Security: max-age=15724800; includeSubDomains

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>

Despite the error, it appears that an entry is created. If I resubmit the same request a second time, I receive the following:

HTTP/1.1 409 Conflict
Date: Wed, 02 Nov 2022 23:51:25 GMT
Content-Type: application/json
Content-Length: 159
Connection: close
Location: /api/v1/log/entries/8c98ab9a4ad8f58a5823ce6808b7552aa1cb44ed26e5f0ead4c8270914f7dac7
Vary: Origin
Strict-Transport-Security: max-age=15724800; includeSubDomains

{"code":409,"message":"An equivalent entry already exists in the transparency log with UUID 8c98ab9a4ad8f58a5823ce6808b7552aa1cb44ed26e5f0ead4c8270914f7dac7"}

Given that the hash field is marked as "readOnly" in the schema, I would expect that I could create an entry without specifying a value.

@bdehamer bdehamer added the bug Something isn't working label Nov 2, 2022
@bobcallaway (Member) commented

Your understanding is correct; there are two issues here. One is that the computation of the hash over the entire envelope is not canonical, because the addition of publicKey introduces marshalling and unmarshalling on the server side that may result in a different byte stream than the client's representation of the DSSE envelope. The other is a bug in how the IndexKeys are computed (which happens only after the entry is made into the log, as you note). I can fix the IndexKeys bug for 0.0.2, but we should also fix the broader issue in the 0.0.3 version of intoto (that will also address #1150).

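The following Go program is an added illustration of the non-canonical hash problem discussed in this issue; it is not Rekor's code and its `Envelope`/`Signature` types, field names and sample values are constructed assumptions. It shows why a hash computed over the server's re-marshalled envelope (with `publicKey` attached) cannot be reproduced from the bytes the client submitted, and how hashing a canonical re-encoding of the client's envelope makes equivalent documents hash identically regardless of whitespace or key order.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Signature and Envelope are a hypothetical, minimal model of a DSSE envelope.
// They are assumptions for this illustration, not Rekor's own types.
type Signature struct {
	Sig       string `json:"sig"`
	PublicKey string `json:"publicKey,omitempty"` // attached server-side; absent from the client's bytes
}

type Envelope struct {
	Payload     string      `json:"payload"`
	PayloadType string      `json:"payloadType"`
	Signatures  []Signature `json:"signatures"`
}

// ClientEnvelope is constructed sample input: the bytes as one client might send
// them, pretty-printed, in its own key order, and without any publicKey.
const ClientEnvelope = `{
  "payloadType": "text/plain",
  "payload": "aGVsbG8sIHdvcmxkIQ==",
  "signatures": [
    {"sig": "c2lnbmF0dXJlLWJ5dGVz"}
  ]
}`

// ReformattedClientEnvelope is the same envelope as another client library might
// emit it: compact, with keys in a different order. Semantically identical.
func ReformattedClientEnvelope() []byte {
	return []byte(`{"payload":"aGVsbG8sIHdvcmxkIQ==","payloadType":"text/plain","signatures":[{"sig":"c2lnbmF0dXJlLWJ5dGVz"}]}`)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// HashRawBytes hashes the envelope exactly as received on the wire.
func HashRawBytes(raw []byte) string {
	return sha256Hex(raw)
}

// HashAfterRoundTrip models the server path described in the issue: unmarshal
// into a struct, attach the public key, marshal again, and hash that output.
// The re-serialised bytes differ from the client's (whitespace, key order and
// the extra field), so the client has no way to reproduce this digest.
func HashAfterRoundTrip(raw []byte, pubKey string) (string, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return "", err
	}
	for i := range env.Signatures {
		env.Signatures[i].PublicKey = pubKey
	}
	out, err := json.Marshal(env)
	if err != nil {
		return "", err
	}
	return sha256Hex(out), nil
}

// CanonicalHash hashes a canonical re-encoding of the submitted JSON: parsed into
// generic values and marshalled again. encoding/json writes map keys in sorted
// order with no insignificant whitespace, so equivalent documents yield the same
// bytes however the sender formatted them. Anything the server adds later (such
// as publicKey) must stay out of this input, or the digest again diverges.
func CanonicalHash(raw []byte) (string, error) {
	var v interface{}
	if err := json.Unmarshal(raw, &v); err != nil {
		return "", err
	}
	canon, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return sha256Hex(canon), nil
}

func main() {
	raw := []byte(ClientEnvelope)
	rt, err := HashAfterRoundTrip(raw, "PLACEHOLDER-PUBLIC-KEY")
	if err != nil {
		panic(err)
	}
	c1, _ := CanonicalHash(raw)
	c2, _ := CanonicalHash(ReformattedClientEnvelope())
	fmt.Println("raw client bytes:        ", HashRawBytes(raw))
	fmt.Println("server round-trip:       ", rt)
	fmt.Println("canonical (client bytes):", c1)
	fmt.Println("canonical (reformatted): ", c2, "equal:", c1 == c2)
}
```

The canonicalisation here relies only on encoding/json's sorted-key, compact output and is enough for this string-only envelope; a full JSON canonicalisation scheme (number formatting, escaping rules) would be needed for arbitrary documents. The practical point matches the comment above: a digest that clients are expected to omit or verify has to be defined over bytes both sides can derive, not over a server-side re-marshalling that includes server-added fields.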