Breaking change: Change the log ID function to also include the origi…

…n string (#15) Previously the ID function only used the public key. For operators that reuse key material between logs (not recommended, but not the end of the world), this causes different logs to be mapped to the same ID. This defeats the primary reason for having an ID. We now use both the origin string and the key material to compute the ID. This fixes #14. Any log operator using the same origin string and key for different logs is really doing things very wrong, and this is very much behaviour we don't want to support.
transparency-dev · Jan 24, 2023 · 2da9e25 · 2da9e25
1 parent 34660ba
commit 2da9e25
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/log/identifier.go b/log/identifier.go
@@ -24,5 +24,10 @@ import (
 // for this log at distributors, and that will be used to feed
 // checkpoints to witnesses.
 func ID(origin string, key []byte) string {
-	return fmt.Sprintf("%x", sha256.Sum256(key))
+	s := sha256.New()
+	s.Write([]byte("o:"))
+	s.Write([]byte(origin))
+	s.Write([]byte("\nk:"))
+	s.Write(key)
+	return fmt.Sprintf("%x", s.Sum(nil))
 }
diff --git a/log/identifier_test.go b/log/identifier_test.go
@@ -31,13 +31,31 @@ func TestID(t *testing.T) {
 			desc:   "sumdb",
 			origin: "go.sum database tree",
 			pk:     []byte("sum.golang.org+033de0ae+Ac4zctda0e5eza+HJyk9SxEdh+s3Ux18htTTAD8OuAn8"),
-			want:   "3e9617dce5730053cb82f0481b9d289cd3c384a9219ef5509c91aa60d214794e",
+			want:   "bdc0d5078d38fc2b9491df373eb7c0d3365bfe661c83edc89112fd38719dc3a0",
 		},
 		{
 			desc:   "usbarmory",
 			origin: "Armory Drive Prod 2",
 			pk:     []byte("armory-drive-log+16541b8f+AYDPmG5pQp4Bgu0a1mr5uDZ196+t8lIVIfWQSPWmP+Jv"),
-			want:   "50dfc1866b26a18b65834743645f90737c331bc5e99b44100e5ca555c17821e3",
+			want:   "a49f0a631f86d3e4fc6726e4389d1cc1998731aa58be95e3e81026d35d2b2902",
+		},
+		{
+			desc:   "rekor 1",
+			origin: "rekor.sigstore.dev - 2605736670972794746",
+			pk:     []byte("rekor.sigstore.dev+c0d23d6a+AjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNhtmPtrWm3U1eQXBogSMdGvXwBcK5AW5i0hrZLOC96l+smGNM7nwZ4QvFK/4sueRoVj//QP22Ni4Qt9DPfkWLc="),
+			want:   "50ed07082843287df5342353a4084563e6eaeb7bbaaa961d45400dde004c1186",
+		},
+		{
+			desc:   "rekor 2",
+			origin: "rekor.sigstore.dev - 3904496407287907110",
+			pk:     []byte("rekor.sigstore.dev+c0d23d6a+AjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNhtmPtrWm3U1eQXBogSMdGvXwBcK5AW5i0hrZLOC96l+smGNM7nwZ4QvFK/4sueRoVj//QP22Ni4Qt9DPfkWLc="),
+			want:   "9b2bc13a3839d8a954832caa002ce8d7fb3d0bf7f4ce4a310a7dbbf28de101a8",
+		},
+		{
+			desc:   "rekor 3",
+			origin: "rekor.sigstore.dev - 3904496407287907110",
+			pk:     []byte("armory-drive-log+16541b8f+AYDPmG5pQp4Bgu0a1mr5uDZ196+t8lIVIfWQSPWmP+Jv"),
+			want:   "27ad43bd0470950078c0aeb4bd7293d8dc6e47cb969f18aa958f1db6dd27b337",
 		},
 	} {
 		t.Run(test.desc, func(t *testing.T) {