TLS LogRootV1 Format

[gdbelvin]

This PR is part of a multi step process updating the SignedLogRoot struct to look like the following:

message SignedLogRoot {
   bytes key_hint
   bytes log_root
   bytes signature
}

This PR defines the serialization and deserialization functions for log_root.

#958

[daviddrysdale]

BTW, any Log-specific comments usually apply to the Map- variants too

[daviddrysdale]

Personally, I'm not a big fan of using the got, want:=... thing outside of unit tests, unless there's a calculation to avoid repeating -- I think it's easier to see what's going on with:

 if version != uint16(trillian.LogRootFormat_LOG_ROOT_FORMAT_V1) {

(But I know other opinions vary...)

[gdbelvin]

done

[daviddrysdale]

Comment is incorrect; also, it doesn't really add any extra information over and above the method signature.

[gdbelvin]

Updated the comment to
ParseLogRoot verifies that b has the LOG_ROOT_FORMAT_V1 tag and returns a *LogRootV1

[daviddrysdale]

Do we need LogID in the structure too?

[gdbelvin]

We discussed including the LogID in the struct, but decided against it in order to prevent a malicious log from falsely representing it's LogID. Clients should derive the LogID from the valid signature associated with SignedLogRoot

[daviddrysdale]

IIUC this field will always have value 1 (i.e. LogRootV1.Version==LOG_ROOT_FORMAT_V1 is an invariant)? If so, a comment to that effect might be helpful.

Also, if this is effectively an enum, it might be worth using the tls.Enum type (with a size:2 tag).

More generally, I wonder whether using variants might be more future proof -- e.g. something in TLS-speak like:

enum { v1(1), (65535)} Version;
struct {
  uint64 tree_size;
  opaque root_hash<0..128>;
  uint64 timestamp_nanos;
  uint64 revision;
  opaque metadata<0..65535>;
} LogRootV1;
struct {
  Version version;
  select(version) {
    case v1: LogRootV1;
  }
} LogRoot;

is then easily extendable to:

enum { v1(1), v2(2), (65535)} Version;
...
struct {
  uint64 tree_size;
  opaque root_hash<0..128>;
  uint64 timestamp_nanos;
  uint64 revision;
  opaque metadata<0..65535>;
  opaque something_else<0..255>;
} LogRootV2;
struct {
  Version version;
  select(version) {
    case v1: LogRootV1;
    case v2: LogRootV2;
  }
} LogRoot;

(might well be overkill though)

[gdbelvin]

Great idea :-)

[daviddrysdale]

Having these type definitions in crypto/data_formats.go feels a bit out of the way, given that this is a data type that forms part of the external API to Trillian. It's not a proto structure so we can't directly have it in the top-level .proto files that define the API, but we could do something like:

• Add a top-level types.go file with these API types as Go types.
• Add (in a later PR) comments to the .proto files that say something like:

  // The log_root field holds the TLS-serialization of the following 
  // structure (described in RFC5246 notation):
  //  struct {
  //    uint16 version;
  //    uint64 tree_size;
  //    opaque root_hash<0..128>;
  //    uint64 timestamp_nanos;
  //    uint64 revision;
  //    opaque metadata<0..65535>;
  //  } LogRootV1;
  

That way the .proto files would contain an unambiguous description of the API details, and a non-Go user of Trillian would have enough information to be able to use the API.

[gdbelvin]

I agree on both points. Unfortunately, I can't add non-proto code to a proto package.
I'm tempted to move the proto definitions to api/v1/trillian_proto so we can use the top level trillian package name for this type of stuff.

[gdbelvin]

In the following pull requests, I'll be defining methods to verify SignedLogRoot that will return LogRootV1 upon verification. That was the rational for keeping these methods in the crypto package. Should I create a crypto/signature package?

[daviddrysdale]

Just call this got and skip the aliasing below.

[gdbelvin]

Done, but are we sure that skipping the aliasing best matches go style?

[daviddrysdale]

I didn't think the aliasing was the point, more that things are named something-like "got" and "want". E.g. the example in the docs doesn't introduce a if want := tt.want; ... alias

[daviddrysdale]

This is not the pretty package we use everywhere else.

[gdbelvin]

Removed

[daviddrysdale]

Need test cases exercising version overwriting during serialization.

[gdbelvin]

Refactored to remove this sharp edge.

[daviddrysdale]

Good idea.

[daviddrysdale]

A comment would be helpful here.

Also/alternatively, it might be nice if the tests distinguished errors -- I think this one is checking that a wrong version (0x101) gets bounced (and so the error will be something containing "Invalid MapRoot.Version"), whereas the test below is a plain parse failure.

[gdbelvin]

It looks like the error types are internal to the tls package. It's difficult to reliably discern what the error was from the outside?

[daviddrysdale]

I often do something like if !strings.Contains(err.Error(), test.wantErr) { and put a relevant substring in the test definition ("failed to parse", "trailing data", etc.) -- that seems to get a decent balance between specificity and brittleness.

[codecov-io]

Codecov Report

Merging #1037 into master will increase coverage by 0.12%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1037      +/-   ##
==========================================
+ Coverage   62.56%   62.69%   +0.12%     
==========================================
  Files         101      103       +2     
  Lines        8379     8408      +29     
==========================================
+ Hits         5242     5271      +29     
  Misses       2610     2610              
  Partials      527      527

Impacted Files	Coverage Δ
crypto/data_formats.go	77.77% <ø> (ø)	⬆️
types/maproot.go	100% <100%> (ø)
types/logroot.go	100% <100%> (ø)
trees/trees.go	83.67% <0%> (-1.52%)	⬇️
trees/types.go	100% <0%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c5bde67...e073651. Read the comment docs.

[gdbelvin]

Updated and ready for a second look

[daviddrysdale]

Can we have a package comment in exactly one of the files in types ? (Some stricter linters check for this.)

[gdbelvin]

Added.

[daviddrysdale]

(nit) As it stands, this comment doesn't really add anything that the code doesn't say clearly. But it could -- eg. by explaining why you do the version check first.

[gdbelvin]

I'll remove the comment. As it stands, this check is not strictly needed because of the way we're using TLS variants, but it's a nice belt and braces check for others that might look to use this as a hint for other languages and parsers.

[daviddrysdale]

If this is going to be API documentation, it would be good to say how serialized

[gdbelvin]

Added a description of the TLS serialization

[gdbelvin]

done

[daviddrysdale]

Be nice to describe the expected form of b -- it's not just bytes, it's supposed to be bytes that hold a TLS-serialized LogRoot structure.

[gdbelvin]

done

[daviddrysdale]

Maybe include a reference or two to RFC 5246 section 4 scattered around -- I don't think TLS encoding is as well-known as other encodings.

[gdbelvin]

done

[daviddrysdale]

I often do something like if !strings.Contains(err.Error(), test.wantErr) { and put a relevant substring in the test definition ("failed to parse", "trailing data", etc.) -- that seems to get a decent balance between specificity and brittleness.

[daviddrysdale]

Could we have a more adversarial test case or two here? One that starts with a valid version field but has nonsense thereafter? Or which has a 129 byte root_hash (which will decode fine but should hit a runtime limit)

[gdbelvin]

Added.

[daviddrysdale]

Good idea.

[daviddrysdale]

(As before log* comments => map*... )

Looking good, just doc changes + a test suggestion

[gdbelvin]

Added tests and documentation for both logs and maps.

I often do something like if !strings.Contains(err.Error(), test.wantErr)

is a good idea but it doesn't work well when err is nil. Do you know of any reliable function to stringify err and not panic on nil?

[daviddrysdale]

"deserialization"

[gdbelvin]

Done

[daviddrysdale]

"deserialization"

[gdbelvin]

done

[daviddrysdale]

Could alter the test so it handles objects of encoding.BinaryMarshaller and encoding.BinaryUnmarshaller interfaces ? That would implicitly check that the interfaces are indeed satisfied.

[gdbelvin]

Good idea.