Update dependency on merkle (#918)

client/ctclient/cmd/get_consistency_proof.go

@@ -24,7 +24,7 @@ import (
 	"github.com/golang/glog"
 	"github.com/google/certificate-transparency-go/client"
 	"github.com/spf13/cobra"
-	"github.com/transparency-dev/merkle"
+	"github.com/transparency-dev/merkle/proof"
 	"github.com/transparency-dev/merkle/rfc6962"
 )
 
@@ -82,21 +82,20 @@ func runGetConsistencyProof(ctx context.Context) {
 }
 
 func getConsistencyProofBetween(ctx context.Context, logClient client.CheckLogClient, first, second uint64, prevHash, treeHash []byte) {
-	proof, err := logClient.GetSTHConsistency(ctx, uint64(first), uint64(second))
+	pf, err := logClient.GetSTHConsistency(ctx, uint64(first), uint64(second))
 	if err != nil {
 		exitWithDetails(err)
 	}
 	fmt.Printf("Consistency proof from size %d to size %d:\n", first, second)
-	for _, e := range proof {
+	for _, e := range pf {
 		fmt.Printf("  %x\n", e)
 	}
 	if prevHash == nil || treeHash == nil {
 		return
 	}
 	// We have tree hashes so we can verify the proof.
-	verifier := merkle.NewLogVerifier(rfc6962.DefaultHasher)
-	if err := verifier.VerifyConsistency(first, second, prevHash, treeHash, proof); err != nil {
-		glog.Exitf("Failed to VerifyConsistencyProof(%x @size=%d, %x @size=%d): %v", prevHash, first, treeHash, second, err)
+	if err := proof.VerifyConsistency(rfc6962.DefaultHasher, first, second, pf, prevHash, treeHash); err != nil {
+		glog.Exitf("Failed to VerifyConsistency(%x @size=%d, %x @size=%d): %v", prevHash, first, treeHash, second, err)
 	}
 	fmt.Printf("Verified that hash %x @%d + proof = hash %x @%d\n", prevHash, first, treeHash, second)
 }

client/ctclient/cmd/get_inclusion_proof.go

@@ -30,7 +30,7 @@ import (
 	"github.com/google/certificate-transparency-go/client"
 	"github.com/google/certificate-transparency-go/x509"
 	"github.com/spf13/cobra"
-	"github.com/transparency-dev/merkle"
+	"github.com/transparency-dev/merkle/proof"
 	"github.com/transparency-dev/merkle/rfc6962"
 )
 
@@ -131,9 +131,8 @@ func getInclusionProofForHash(ctx context.Context, logClient client.CheckLogClie
 	}
 	if sth != nil {
 		// If we retrieved an STH we can verify the proof.
-		verifier := merkle.NewLogVerifier(rfc6962.DefaultHasher)
-		if err := verifier.VerifyInclusion(uint64(rsp.LeafIndex), sth.TreeSize, hash, rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
-			glog.Exitf("Failed to VerifyInclusionProof(%d, %d)=%v", rsp.LeafIndex, sth.TreeSize, err)
+		if err := proof.VerifyInclusion(rfc6962.DefaultHasher, uint64(rsp.LeafIndex), sth.TreeSize, hash, rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
+			glog.Exitf("Failed to VerifyInclusion(%d, %d)=%v", rsp.LeafIndex, sth.TreeSize, err)
 		}
 		fmt.Printf("Verified that hash %x + proof = root hash %x\n", hash, sth.SHA256RootHash)
 	}

ctutil/loginfo.go

@@ -28,7 +28,7 @@ import (
 	"github.com/google/certificate-transparency-go/jsonclient"
 	"github.com/google/certificate-transparency-go/loglist"
 	"github.com/google/certificate-transparency-go/x509"
-	"github.com/transparency-dev/merkle"
+	"github.com/transparency-dev/merkle/proof"
 	"github.com/transparency-dev/merkle/rfc6962"
 )
 
@@ -165,8 +165,7 @@ func (li *LogInfo) VerifyInclusionAt(ctx context.Context, leaf ct.MerkleTreeLeaf
 		return -1, fmt.Errorf("failed to GetProofByHash(sct,size=%d): %v", treeSize, err)
 	}
 
-	verifier := merkle.NewLogVerifier(rfc6962.DefaultHasher)
-	if err := verifier.VerifyInclusion(uint64(rsp.LeafIndex), treeSize, leafHash[:], rsp.AuditPath, rootHash); err != nil {
+	if err := proof.VerifyInclusion(rfc6962.DefaultHasher, uint64(rsp.LeafIndex), treeSize, leafHash[:], rsp.AuditPath, rootHash); err != nil {
 		return -1, fmt.Errorf("failed to verify inclusion proof at size %d: %v", treeSize, err)
 	}
 	return rsp.LeafIndex, nil

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.1 // indirect
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce
-	github.com/transparency-dev/merkle v0.0.0-20220411132142-cfdaeb1822ee
+	github.com/transparency-dev/merkle v0.0.0-20220427153749-09877c5f5967
 	github.com/urfave/cli v1.22.7 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.4
 	go.etcd.io/etcd/etcdctl/v3 v3.5.4

go.sum

@@ -750,8 +750,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
-github.com/transparency-dev/merkle v0.0.0-20220411132142-cfdaeb1822ee h1:zki8y/aKV+yDMeBy1Pd6LeC9msxz33cWj9QYXMqcOVA=
-github.com/transparency-dev/merkle v0.0.0-20220411132142-cfdaeb1822ee/go.mod h1:B8FIw5LTq6DaULoHsVFRzYIUDkl8yuSwCdZnOZGKL/A=
+github.com/transparency-dev/merkle v0.0.0-20220427153749-09877c5f5967 h1:0HykT2IlbcP8a0VlH5XsX+a2OCtB+MUVth/SjAK3E2w=
+github.com/transparency-dev/merkle v0.0.0-20220427153749-09877c5f5967/go.mod h1:B8FIw5LTq6DaULoHsVFRzYIUDkl8yuSwCdZnOZGKL/A=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=

internal/witness/cmd/witness/internal/witness/witness.go

@@ -32,7 +32,7 @@ import (
 	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/internal/witness/api"
 	"github.com/google/certificate-transparency-go/tls"
-	"github.com/transparency-dev/merkle"
+	"github.com/transparency-dev/merkle/proof"
 	"github.com/transparency-dev/merkle/rfc6962"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -156,7 +156,7 @@ func (w *Witness) GetSTH(logID string) ([]byte, error) {
 // Update updates the latest STH if nextRaw is consistent with the current
 // latest one for this log. It returns the latest cosigned STH held by
 // the witness, which is a signed version of nextRaw if the update was applied.
-func (w *Witness) Update(ctx context.Context, logID string, nextRaw []byte, proof [][]byte) ([]byte, error) {
+func (w *Witness) Update(ctx context.Context, logID string, nextRaw []byte, pf [][]byte) ([]byte, error) {
 	// If we don't witness this log then no point in going further.
 	_, ok := w.Logs[logID]
 	if !ok {
@@ -211,8 +211,7 @@ func (w *Witness) Update(ctx context.Context, logID string, nextRaw []byte, proo
 	}
 	// The only remaining option is next.Size > prev.Size. This might be
 	// valid so we verify the consistency proof.
-	logV := merkle.NewLogVerifier(rfc6962.DefaultHasher)
-	if err := logV.VerifyConsistency(prev.TreeSize, next.TreeSize, prev.SHA256RootHash[:], next.SHA256RootHash[:], proof); err != nil {
+	if err := proof.VerifyConsistency(rfc6962.DefaultHasher, prev.TreeSize, next.TreeSize, pf, prev.SHA256RootHash[:], next.SHA256RootHash[:]); err != nil {
 		// Complain if the STHs aren't consistent.
 		return prevRaw, status.Errorf(codes.FailedPrecondition, "failed to verify consistency proof: %v", err)
 	}

trillian/integration/ct_integration.go

@@ -46,6 +46,7 @@ import (
 	"github.com/google/trillian/crypto/keyspb"
 	"github.com/kylelemons/godebug/pretty"
 	"github.com/transparency-dev/merkle"
+	"github.com/transparency-dev/merkle/proof"
 	"github.com/transparency-dev/merkle/rfc6962"
 	"golang.org/x/net/context/ctxhttp"
 	"google.golang.org/grpc"
@@ -124,7 +125,7 @@ type testInfo struct {
 	adminServer    string
 	stats          *logStats
 	pool           ClientPool
-	verifier       merkle.LogVerifier
+	hasher         merkle.LogHasher
 }
 
 func (t *testInfo) checkStats() error {
@@ -181,7 +182,7 @@ func (t *testInfo) checkInclusionOf(ctx context.Context, chain []ct.ASN1Cert, sc
 	if err != nil {
 		return fmt.Errorf("got GetProofByHash(sct[%d],size=%d)=(nil,%v); want (_,nil)", 0, sth.TreeSize, err)
 	}
-	if err := t.verifier.VerifyInclusion(uint64(rsp.LeafIndex), sth.TreeSize, leafHash[:], rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
+	if err := proof.VerifyInclusion(t.hasher, uint64(rsp.LeafIndex), sth.TreeSize, leafHash[:], rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
 		return fmt.Errorf("got VerifyInclusion(%d, %d,...)=%v", 0, sth.TreeSize, err)
 	}
 	return nil
@@ -212,7 +213,7 @@ func (t *testInfo) checkInclusionOfPreCert(ctx context.Context, tbs []byte, issu
 		return fmt.Errorf("got GetProofByHash(sct, size=%d)=nil,%v", sth.TreeSize, err)
 	}
 	fmt.Printf("%s: Inclusion proof leaf %d @ %d -> root %d = %x\n", t.prefix, rsp.LeafIndex, sct.Timestamp, sth.TreeSize, rsp.AuditPath)
-	if err := t.verifier.VerifyInclusion(uint64(rsp.LeafIndex), sth.TreeSize, leafHash[:], rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
+	if err := proof.VerifyInclusion(t.hasher, uint64(rsp.LeafIndex), sth.TreeSize, leafHash[:], rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
 		return fmt.Errorf("got VerifyInclusion(%d,%d,...)=%v; want nil", rsp.LeafIndex, sth.TreeSize, err)
 	}
 	if err := t.checkStats(); err != nil {
@@ -264,7 +265,7 @@ func RunCTIntegrationForLog(cfg *configpb.LogConfig, servers, metricsServers, te
 		metricsServers: metricsServers,
 		stats:          stats,
 		pool:           pool,
-		verifier:       merkle.NewLogVerifier(rfc6962.DefaultHasher),
+		hasher:         rfc6962.DefaultHasher,
 	}
 
 	if err := t.checkStats(); err != nil {
@@ -630,7 +631,7 @@ func RunCTLifecycleForLog(cfg *configpb.LogConfig, servers, metricsServers, admi
 		adminServer:    adminServer,
 		stats:          stats,
 		pool:           pool,
-		verifier:       merkle.NewLogVerifier(rfc6962.DefaultHasher),
+		hasher:         rfc6962.DefaultHasher,
 	}
 
 	if err := t.checkStats(); err != nil {
@@ -814,8 +815,8 @@ func CertsFromPEM(data []byte) []ct.ASN1Cert {
 }
 
 // checkCTConsistencyProof checks the given consistency proof.
-func (t *testInfo) checkCTConsistencyProof(sth1, sth2 *ct.SignedTreeHead, proof [][]byte) error {
-	return t.verifier.VerifyConsistency(sth1.TreeSize, sth2.TreeSize, sth1.SHA256RootHash[:], sth2.SHA256RootHash[:], proof)
+func (t *testInfo) checkCTConsistencyProof(sth1, sth2 *ct.SignedTreeHead, pf [][]byte) error {
+	return proof.VerifyConsistency(t.hasher, sth1.TreeSize, sth2.TreeSize, pf, sth1.SHA256RootHash[:], sth2.SHA256RootHash[:])
 }
 
 // buildNewPrecertData creates a new pre-certificate based on the given template cert (which is

trillian/integration/hammer.go

@@ -34,6 +34,7 @@ import (
 	"github.com/google/certificate-transparency-go/x509"
 	"github.com/google/trillian/monitoring"
 	"github.com/transparency-dev/merkle"
+	"github.com/transparency-dev/merkle/proof"
 	"github.com/transparency-dev/merkle/rfc6962"
 
 	ct "github.com/google/certificate-transparency-go"
@@ -303,8 +304,8 @@ type hammerState struct {
 	pending pendingCerts
 	// Operations that are required to fix dependencies.
 	nextOp []ctfe.EntrypointName
-	// verifier is the verifier to be used for this log.
-	verifier merkle.LogVerifier
+
+	hasher merkle.LogHasher
 }
 
 func newHammerState(cfg *HammerConfig) (*hammerState, error) {
@@ -336,9 +337,9 @@ func newHammerState(cfg *HammerConfig) (*hammerState, error) {
 	}
 
 	state := hammerState{
-		cfg:      cfg,
-		nextOp:   make([]ctfe.EntrypointName, 0),
-		verifier: merkle.NewLogVerifier(rfc6962.DefaultHasher),
+		cfg:    cfg,
+		nextOp: make([]ctfe.EntrypointName, 0),
+		hasher: rfc6962.DefaultHasher,
 	}
 	return &state, nil
 }
@@ -783,7 +784,7 @@ func (s *hammerState) getProofByHash(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("failed to get-proof-by-hash(size=%d) on cert with SCT @ %v: %v, %+v", sth.TreeSize, timeFromMS(submitted.sct.Timestamp), err, rsp)
 	}
-	if err := s.verifier.VerifyInclusion(uint64(rsp.LeafIndex), sth.TreeSize, submitted.leafHash[:], rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
+	if err := proof.VerifyInclusion(s.hasher, uint64(rsp.LeafIndex), sth.TreeSize, submitted.leafHash[:], rsp.AuditPath, sth.SHA256RootHash[:]); err != nil {
 		return fmt.Errorf("failed to VerifyInclusion(%d, %d)=%v", rsp.LeafIndex, sth.TreeSize, err)
 	}
 	s.pending.dropOldest()
@@ -1096,8 +1097,8 @@ func (s *hammerState) retryOneOp(ctx context.Context) error {
 }
 
 // checkCTConsistencyProof checks the given consistency proof.
-func (s *hammerState) checkCTConsistencyProof(sth1, sth2 *ct.SignedTreeHead, proof [][]byte) error {
-	return s.verifier.VerifyConsistency(sth1.TreeSize, sth2.TreeSize, sth1.SHA256RootHash[:], sth2.SHA256RootHash[:], proof)
+func (s *hammerState) checkCTConsistencyProof(sth1, sth2 *ct.SignedTreeHead, pf [][]byte) error {
+	return proof.VerifyConsistency(s.hasher, sth1.TreeSize, sth2.TreeSize, pf, sth1.SHA256RootHash[:], sth2.SHA256RootHash[:])
 }
 
 // HammerCTLog performs load/stress operations according to given config.

trillian/migrillian/core/controller.go

@@ -33,7 +33,7 @@ import (
 	"github.com/google/trillian/monitoring"
 	"github.com/google/trillian/util/clock"
 	"github.com/google/trillian/util/election2"
-	"github.com/transparency-dev/merkle"
+	"github.com/transparency-dev/merkle/proof"
 	"github.com/transparency-dev/merkle/rfc6962"
 )
 
@@ -340,12 +340,12 @@ func (c *Controller) verifyConsistency(ctx context.Context, treeSize uint64, roo
 		glog.Warningf("%s: skipping consistency check", c.label)
 		return nil
 	}
-	proof, err := c.ctClient.GetSTHConsistency(ctx, treeSize, sth.TreeSize)
+	pf, err := c.ctClient.GetSTHConsistency(ctx, treeSize, sth.TreeSize)
 	if err != nil {
 		return err
 	}
-	return merkle.NewLogVerifier(rfc6962.DefaultHasher).VerifyConsistency(
-		treeSize, sth.TreeSize, rootHash, sth.SHA256RootHash[:], proof)
+	return proof.VerifyConsistency(rfc6962.DefaultHasher, treeSize, sth.TreeSize,
+		pf, rootHash, sth.SHA256RootHash[:])
 }
 
 // runSubmitter obtains CT log entry batches from the controller's channel and