google · gdbelvin · Mar 19, 2018 · Mar 7, 2018 · Mar 7, 2018 · Mar 7, 2018
@@ -15,6 +15,7 @@
 package client
 
 import (
+	"crypto"
 	"testing"
 
 	"github.com/google/trillian"
@@ -32,7 +33,7 @@ func TestVerifyRootErrors(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to open test key, err=%v", err)
 	}
-	signer := tcrypto.NewSHA256Signer(key)
+	signer := tcrypto.NewSigner(0, key, crypto.SHA256)
 	pk, err := pem.UnmarshalPublicKey(testonly.DemoPublicKey)
 	if err != nil {
 		t.Fatalf("Failed to load public key, err=%v", err)

@@ -35,11 +35,22 @@ var sigpbHashLookup = map[crypto.Hash]sigpb.DigitallySigned_HashAlgorithm{
 // Signer is responsible for signing log-related data and producing the appropriate
 // application specific signature objects.
 type Signer struct {
-	Hash   crypto.Hash
-	Signer crypto.Signer
+	KeyHint []byte
+	Hash    crypto.Hash
+	Signer  crypto.Signer
 }
 
-// NewSHA256Signer creates a new SHA256 based Signer.
+// NewSigner returns a new signer. The signer will set the KeyHint field, when available, with KeyID.
+func NewSigner(keyID int64, signer crypto.Signer, hash crypto.Hash) *Signer {
+	return &Signer{
+		KeyHint: types.SerializeKeyHint(keyID),
+		Hash:    hash,
+		Signer:  signer,
+	}
+}
+
+// NewSHA256Signer creates a new SHA256 based Signer and a KeyID of 0.
+// TODO(gbelvin): remove
 func NewSHA256Signer(signer crypto.Signer) *Signer {
 	return &Signer{
 		Hash:   crypto.SHA256,
@@ -98,7 +109,7 @@ func (s *Signer) SignLogRoot(r *types.LogRootV1) (*trillian.SignedLogRoot, error
 	}
 	signature, err := s.Sign(hash)
 	if err != nil {
-		glog.Warningf("%v: signer failed to sign log root: %v", root.LogId, err)
+		glog.Warningf("%v: signer failed to sign log root: %v", s.KeyHint, err)
 		return nil, err
 	}
 
@@ -111,7 +122,7 @@ func (s *Signer) SignLogRoot(r *types.LogRootV1) (*trillian.SignedLogRoot, error
 func (s *Signer) SignMapRoot(root *trillian.SignedMapRoot) (*sigpb.DigitallySigned, error) {
 	signature, err := s.SignObject(root)
 	if err != nil {
-		glog.Warningf("%v: signer failed to sign map root: %v", root.MapId, err)
+		glog.Warningf("%v: signer failed to sign map root: %v", s.KeyHint, err)
 		return nil, err
 	}
 

@@ -15,6 +15,7 @@
 package crypto
 
 import (
+	"crypto"
 	"encoding/json"
 	"errors"
 	"testing"
@@ -35,7 +36,7 @@ func TestSign(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to open test key, err=%v", err)
 	}
-	signer := NewSHA256Signer(key)
+	signer := NewSigner(0, key, crypto.SHA256)
 
 	for _, test := range []struct {
 		message []byte
@@ -72,7 +73,7 @@ func TestSign_SignerFails(t *testing.T) {
 		t.Fatalf("Failed to load private key: %v", err)
 	}
 
-	_, err = NewSHA256Signer(testonly.NewSignerWithErr(key, errors.New("sign"))).Sign([]byte(message))
+	_, err = NewSigner(0, testonly.NewSignerWithErr(key, errors.New("sign")), crypto.SHA256).Sign([]byte(message))
 	if err == nil {
 		t.Fatalf("Ignored a signing error: %v", err)
 	}
@@ -95,7 +96,7 @@ func TestSignWithSignedLogRoot_SignerFails(t *testing.T) {
 	if err != nil {
 		t.Fatalf("HashLogRoot(): %v", err)
 	}
-	_, err = NewSHA256Signer(s).Sign(hash)
+	_, err = NewSigner(0, s, crypto.SHA256).Sign(hash)
 	testonly.EnsureErrorContains(t, err, "signfail")
 }
 
@@ -104,7 +105,7 @@ func TestSignLogRoot(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to open test key, err=%v", err)
 	}
-	signer := NewSHA256Signer(key)
+	signer := NewSigner(0, key, crypto.SHA256)
 
 	for _, test := range []struct {
 		root *types.LogRootV1
@@ -137,7 +138,7 @@ func TestSignMapRoot(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to open test key, err=%v", err)
 	}
-	signer := NewSHA256Signer(key)
+	signer := NewSigner(0, key, crypto.SHA256)
 
 	for _, test := range []struct {
 		root trillian.SignedMapRoot

@@ -15,6 +15,7 @@
 package crypto
 
 import (
+	"crypto"
 	"testing"
 
 	"github.com/google/trillian"
@@ -70,7 +71,7 @@ func TestSignVerify(t *testing.T) {
 		msg := []byte("foo")
 		var signature *sigpb.DigitallySigned
 		if !test.skipSigning {
-			signature, err = NewSHA256Signer(key).Sign(msg)
+			signature, err = NewSigner(0, key, crypto.SHA256).Sign(msg)
 			if err != nil {
 				t.Errorf("%s: Sign()=(_,%v), want (_,nil)", test.name, err)
 				continue
@@ -89,7 +90,7 @@ func TestSignVerifyObject(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to open test key, err=%v", err)
 	}
-	signer := NewSHA256Signer(key)
+	signer := NewSigner(0, key, crypto.SHA256)
 
 	type subfield struct {
 		c int

@@ -138,19 +138,19 @@ func (s Sequencer) buildMerkleTreeFromStorageAtRoot(ctx context.Context, root tr
 	mt, err := merkle.NewCompactMerkleTreeWithState(s.hasher, root.TreeSize, func(depth int, index int64) ([]byte, error) {
 		nodeID, err := storage.NewNodeIDForTreeCoords(int64(depth), index, maxTreeDepth)
 		if err != nil {
-			glog.Warningf("%v: Failed to create nodeID: %v", root.LogId, err)
+			glog.Warningf("%x: Failed to create nodeID: %v", s.signer.KeyHint, err)
 			return nil, err
 		}
 		nodes, err := tx.GetMerkleNodes(ctx, root.TreeRevision, []storage.NodeID{nodeID})
 
 		if err != nil {
-			glog.Warningf("%v: Failed to get Merkle nodes: %v", root.LogId, err)
+			glog.Warningf("%x: Failed to get Merkle nodes: %v", s.signer.KeyHint, err)
 			return nil, err
 		}
 
 		// We expect to get exactly one node here
 		if nodes == nil || len(nodes) != 1 {
-			return nil, fmt.Errorf("%v: Did not retrieve one node while loading CompactMerkleTree, got %#v for ID %v@%v", root.LogId, nodes, nodeID.String(), root.TreeRevision)
+			return nil, fmt.Errorf("%x: Did not retrieve one node while loading CompactMerkleTree, got %#v for ID %v@%v", s.signer.KeyHint, nodes, nodeID.String(), root.TreeRevision)
 		}
 
 		return nodes[0].Hash, nil

@@ -31,9 +31,10 @@ import (
 	"github.com/google/trillian/merkle/rfc6962"
 	"github.com/google/trillian/quota"
 	"github.com/google/trillian/storage"
-	stestonly "github.com/google/trillian/storage/testonly"
 	"github.com/google/trillian/testonly"
 	"github.com/google/trillian/util"
+
+	stestonly "github.com/google/trillian/storage/testonly"
 )
 
 var (
@@ -73,7 +74,6 @@ var expectedSignedRoot = trillian.SignedLogRoot{
 	TimestampNanos: fakeTimeForTest.UnixNano(),
 	TreeRevision:   6,
 	TreeSize:       17,
-	LogId:          0,
 	Signature: &sigpb.DigitallySigned{
 		SignatureAlgorithm: sigpb.DigitallySigned_ECDSA,
 		HashAlgorithm:      sigpb.DigitallySigned_SHA256,
@@ -87,7 +87,6 @@ var expectedSignedRoot16 = trillian.SignedLogRoot{
 	TreeRevision:   6,
 	TreeSize:       16,
 	RootHash:       testRoot16.RootHash,
-	LogId:          0,
 	Signature: &sigpb.DigitallySigned{
 		SignatureAlgorithm: sigpb.DigitallySigned_ECDSA,
 		HashAlgorithm:      sigpb.DigitallySigned_SHA256,
@@ -101,7 +100,6 @@ var expectedSignedRoot0 = trillian.SignedLogRoot{
 	TimestampNanos: fakeTimeForTest.UnixNano(),
 	TreeRevision:   1,
 	TreeSize:       0,
-	LogId:          0,
 	Signature: &sigpb.DigitallySigned{
 		SignatureAlgorithm: sigpb.DigitallySigned_ECDSA,
 		HashAlgorithm:      sigpb.DigitallySigned_SHA256,
@@ -251,7 +249,7 @@ func createTestContext(ctrl *gomock.Controller, params testParameters) (testCont
 		}
 	}
 
-	signer := crypto.NewSHA256Signer(params.signer)
+	signer := crypto.NewSigner(0, params.signer, gocrypto.SHA256)
 	qm := params.qm
 	if qm == nil {
 		qm = quota.Noop()
@@ -550,7 +548,7 @@ func TestIntegrateBatch_PutTokens(t *testing.T) {
 	// Needed to create a signer
 	hasher := rfc6962.DefaultHasher
 	ts := util.NewFakeTimeSource(fakeTimeForTest)
-	signer := crypto.NewSHA256Signer(cryptoSigner)
+	signer := crypto.NewSigner(0, cryptoSigner, gocrypto.SHA256)
 
 	// Needed for IntegrateBatch calls
 	const treeID int64 = 1234

@@ -16,21 +16,25 @@ package mysqlqm_test
 
 import (
 	"context"
+	"crypto"
 	"database/sql"
 	"fmt"
 	"testing"
 	"time"
 
 	"github.com/google/trillian"
-	"github.com/google/trillian/crypto/sigpb"
 	"github.com/google/trillian/quota"
 	"github.com/google/trillian/quota/mysqlqm"
 	"github.com/google/trillian/storage"
 	"github.com/google/trillian/storage/mysql"
 	"github.com/google/trillian/storage/testdb"
-	"github.com/google/trillian/storage/testonly"
+	"github.com/google/trillian/testonly"
 	"github.com/google/trillian/trees"
+	"github.com/google/trillian/types"
 	"github.com/kylelemons/godebug/pretty"
+
+	tcrypto "github.com/google/trillian/crypto"
+	stestonly "github.com/google/trillian/storage/testonly"
 )
 
 func TestQuotaManager_GetTokens(t *testing.T) {
@@ -293,7 +297,7 @@ func createTree(ctx context.Context, db *sql.DB) (*trillian.Tree, error) {
 		as := mysql.NewAdminStorage(db)
 		err := as.ReadWriteTransaction(ctx, func(ctx context.Context, tx storage.AdminTX) error {
 			var err error
-			tree, err = tx.CreateTree(ctx, testonly.LogTree)
+			tree, err = tx.CreateTree(ctx, stestonly.LogTree)
 			return err
 		})
 		if err != nil {
@@ -304,7 +308,13 @@ func createTree(ctx context.Context, db *sql.DB) (*trillian.Tree, error) {
 	{
 		ls := mysql.NewLogStorage(db, nil)
 		err := ls.ReadWriteTransaction(ctx, tree, func(ctx context.Context, tx storage.LogTreeTX) error {
-			return tx.StoreSignedLogRoot(ctx, trillian.SignedLogRoot{LogId: tree.TreeId, RootHash: []byte{0}, Signature: &sigpb.DigitallySigned{}})
+			signer := tcrypto.NewSigner(0, testonly.NewSignerWithFixedSig(nil, nil), crypto.SHA256)
+			slr, err := signer.SignLogRoot(&types.LogRootV1{RootHash: []byte{0}})
+			if err != nil {
+				return err
+			}
+			return tx.StoreSignedLogRoot(ctx, *slr)
+
 		})
 		if err != nil {
 			return nil, err

@@ -36,6 +36,7 @@ import (
 	"github.com/google/trillian/storage"
 	stestonly "github.com/google/trillian/storage/testonly"
 	"github.com/google/trillian/testonly"
+	"github.com/google/trillian/types"
 	"github.com/google/trillian/util"
 )
 
@@ -63,7 +64,7 @@ var testLeaf0Updated = &trillian.LogLeaf{
 var testRoot0 = trillian.SignedLogRoot{
 	TreeSize:     0,
 	TreeRevision: 0,
-	LogId:        testLogID1,
+	KeyHint:      types.SerializeKeyHint(testLogID1),
 	RootHash:     []byte{},
 	Signature: &sigpb.DigitallySigned{
 		HashAlgorithm:      sigpb.DigitallySigned_SHA256,

@@ -340,7 +340,6 @@ func (tx *logTX) LatestSignedLogRoot(ctx context.Context) (trillian.SignedLogRoo
 		TimestampNanos: currentSTH.TsNanos,
 		RootHash:       currentSTH.RootHash,
 		TreeSize:       currentSTH.TreeSize,
-		LogId:          currentSTH.TreeId,
 		TreeRevision:   currentSTH.TreeRevision,
 		Signature:      apiSig,
 	}, nil

@@ -34,6 +34,7 @@ import (
 	"github.com/google/trillian/monitoring"
 	"github.com/google/trillian/storage"
 	"github.com/google/trillian/storage/cache"
+	"github.com/google/trillian/types"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
@@ -668,8 +669,8 @@ func (t *logTreeTX) fetchLatestRoot(ctx context.Context) (trillian.SignedLogRoot
 		TimestampNanos: timestamp,
 		TreeRevision:   treeRevision,
 		Signature:      &rootSignature,
-		LogId:          t.treeID,
 		TreeSize:       treeSize,
+		KeyHint:        types.SerializeKeyHint(t.treeID),
 	}, nil
 }
 

@@ -30,6 +30,7 @@ import (
 	"github.com/google/trillian"
 	"github.com/google/trillian/storage"
 	"github.com/google/trillian/storage/testonly"
+	"github.com/google/trillian/types"
 	"github.com/kylelemons/godebug/pretty"
 
 	spb "github.com/google/trillian/crypto/sigpb"
@@ -865,7 +866,7 @@ func TestLatestSignedLogRoot(t *testing.T) {
 	tree := logTree(logID)
 
 	root := trillian.SignedLogRoot{
-		LogId:          logID,
+		KeyHint:        types.SerializeKeyHint(logID),
 		TimestampNanos: 98765,
 		TreeSize:       16,
 		TreeRevision:   5,
@@ -902,7 +903,7 @@ func TestDuplicateSignedLogRoot(t *testing.T) {
 
 	runLogTX(s, tree, t, func(ctx context.Context, tx storage.LogTreeTX) error {
 		root := trillian.SignedLogRoot{
-			LogId:          logID,
+			KeyHint:        types.SerializeKeyHint(logID),
 			TimestampNanos: 98765,
 			TreeSize:       16,
 			TreeRevision:   5,
@@ -928,15 +929,15 @@ func TestLogRootUpdate(t *testing.T) {
 	tree := logTree(logID)
 
 	root := trillian.SignedLogRoot{
-		LogId:          logID,
+		KeyHint:        types.SerializeKeyHint(logID),
 		TimestampNanos: 98765,
 		TreeSize:       16,
 		TreeRevision:   5,
 		RootHash:       []byte(dummyHash),
 		Signature:      &spb.DigitallySigned{Signature: []byte("notempty")},
 	}
 	root2 := trillian.SignedLogRoot{
-		LogId:          logID,
+		KeyHint:        types.SerializeKeyHint(logID),
 		TimestampNanos: 98766,
 		TreeSize:       16,
 		TreeRevision:   6,

@@ -27,12 +27,14 @@ import (
 
 	"github.com/golang/glog"
 	"github.com/google/trillian"
-	"github.com/google/trillian/crypto/sigpb"
 	"github.com/google/trillian/merkle"
 	"github.com/google/trillian/merkle/rfc6962"
 	"github.com/google/trillian/storage"
 	"github.com/google/trillian/storage/testdb"
+	"github.com/google/trillian/testonly"
+	"github.com/google/trillian/types"
 
+	tcrypto "github.com/google/trillian/crypto"
 	storageto "github.com/google/trillian/storage/testonly"
 )
 
@@ -256,13 +258,16 @@ func createLogForTests(db *sql.DB) int64 {
 		panic(fmt.Sprintf("Error creating log: %v", err))
 	}
 
+	signer := tcrypto.NewSigner(0, testonly.NewSignerWithFixedSig(nil, nil), crypto.SHA256)
+
 	ctx := context.Background()
 	l := NewLogStorage(db, nil)
 	err = l.ReadWriteTransaction(ctx, tree, func(ctx context.Context, tx storage.LogTreeTX) error {
-		if err := tx.StoreSignedLogRoot(ctx, trillian.SignedLogRoot{
-			LogId:     tree.TreeId,
-			RootHash:  []byte{0},
-			Signature: &sigpb.DigitallySigned{Signature: []byte("asignature")}}); err != nil {
+		root, err := signer.SignLogRoot(&types.LogRootV1{RootHash: []byte{0}})
+		if err != nil {
+			return fmt.Errorf("Error creating new SignedLogRoot: %v", err)
+		}
+		if err := tx.StoreSignedLogRoot(ctx, *root); err != nil {
 			return fmt.Errorf("Error storing new SignedLogRoot: %v", err)
 		}
 		return nil