Add Log ID to LogEntry field (sigstore#294)

* Add Log ID to LogEntry field

Since the signed entry timestamp (SET) will be able to prove insertion into the log, adding the log ID (aka public key SHA256 hash) makes it easier to know which log the entry came from. 

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Author: bobcallaway

cmd/rekor-cli/app/get.go

@@ -40,10 +40,12 @@ type getCmdOutput struct {
 	LogIndex       int
 	IntegratedTime int64
 	UUID           string
+	LogID          string
 }
 
 func (g *getCmdOutput) String() string {
-	s := fmt.Sprintf("Index: %d\n", g.LogIndex)
+	s := fmt.Sprintf("LogID: %v\n", g.LogID)
+	s += fmt.Sprintf("Index: %d\n", g.LogIndex)
 	dt := time.Unix(g.IntegratedTime, 0).UTC().Format(time.RFC3339)
 	s += fmt.Sprintf("IntegratedTime: %s\n", dt)
 	s += fmt.Sprintf("UUID: %s\n", g.UUID)
@@ -130,8 +132,9 @@ func parseEntry(uuid string, e models.LogEntryAnon) (interface{}, error) {
 	obj := getCmdOutput{
 		Body:           eimpl,
 		UUID:           uuid,
-		IntegratedTime: e.IntegratedTime,
+		IntegratedTime: *e.IntegratedTime,
 		LogIndex:       int(*e.LogIndex),
+		LogID:          *e.LogID,
 	}
 
 	return &obj, nil

openapi.yaml

@@ -291,6 +291,10 @@ definitions:
     additionalProperties:
       type: object
       properties:
+        logID:
+          type: string
+          pattern: '^[0-9a-fA-F]{64}$'
+          description: This is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log
         logIndex:
           type: integer
           minimum: 0
@@ -311,10 +315,12 @@ definitions:
                 # 1. Remove the Verification object from the JSON Document
                 # 2. Canonicalize the remaining JSON document by following RFC 8785 rules
                 # 3. Verify the canonicalized payload and signedEntryTimestamp against rekor's public key
-              description: Signature over the logIndex, body and integratedTime. 
+              description: Signature over the logID, logIndex, body and integratedTime.
       required:
+        - "logID"
         - "logIndex"
         - "body"
+        - "integratedTime"
 
   SearchIndex:
     type: object

pkg/api/api.go

@@ -17,7 +17,9 @@ package api
 
 import (
 	"context"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"time"
@@ -47,12 +49,12 @@ func dial(ctx context.Context, rpcServer string) (*grpc.ClientConn, error) {
 }
 
 type API struct {
-	logClient trillian.TrillianLogClient
-	logID     int64
-	// PEM encoded public key
-	pubkey   string
-	signer   signature.Signer
-	verifier *client.LogVerifier
+	logClient  trillian.TrillianLogClient
+	logID      int64
+	pubkey     string // PEM encoded public key
+	pubkeyHash string // SHA256 hash of DER-encoded public key
+	signer     signature.Signer
+	verifier   *client.LogVerifier
 }
 
 func NewAPI() (*API, error) {
@@ -95,6 +97,12 @@ func NewAPI() (*API, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "marshalling public key")
 	}
+	hasher := sha256.New()
+	if _, err = hasher.Write(b); err != nil {
+		return nil, errors.Wrap(err, "computing hash of public key")
+	}
+	pubkeyHashBytes := hasher.Sum(nil)
+
 	pubkey := pem.EncodeToMemory(&pem.Block{
 		Type:  "PUBLIC KEY",
 		Bytes: b,
@@ -106,11 +114,12 @@ func NewAPI() (*API, error) {
 	}
 
 	return &API{
-		logClient: logClient,
-		logID:     tLogID,
-		pubkey:    string(pubkey),
-		signer:    signer,
-		verifier:  verifier,
+		logClient:  logClient,
+		logID:      tLogID,
+		pubkey:     string(pubkey),
+		pubkeyHash: hex.EncodeToString(pubkeyHashBytes),
+		signer:     signer,
+		verifier:   verifier,
 	}, nil
 }
 

pkg/api/entries.go

@@ -62,9 +62,10 @@ func logEntryFromLeaf(tc TrillianClient, leaf *trillian.LogLeaf, signedLogRoot *
 
 	logEntry := models.LogEntry{
 		hex.EncodeToString(leaf.MerkleLeafHash): models.LogEntryAnon{
+			LogID:          swag.String(api.pubkeyHash),
 			LogIndex:       &leaf.LeafIndex,
 			Body:           leaf.LeafValue,
-			IntegratedTime: leaf.IntegrateTimestamp.AsTime().Unix(),
+			IntegratedTime: swag.Int64(leaf.IntegrateTimestamp.AsTime().Unix()),
 			Verification: &models.LogEntryAnonVerification{
 				InclusionProof: &inclusionProof,
 			},
@@ -143,9 +144,10 @@ func CreateLogEntryHandler(params entries.CreateLogEntryParams) middleware.Respo
 	uuid := hex.EncodeToString(queuedLeaf.GetMerkleLeafHash())
 
 	logEntryAnon := models.LogEntryAnon{
+		LogID:          swag.String(api.pubkeyHash),
 		LogIndex:       swag.Int64(queuedLeaf.LeafIndex),
 		Body:           queuedLeaf.GetLeafValue(),
-		IntegratedTime: queuedLeaf.IntegrateTimestamp.AsTime().Unix(),
+		IntegratedTime: swag.Int64(queuedLeaf.IntegrateTimestamp.AsTime().Unix()),
 	}
 
 	if viper.GetBool("enable_retrieve_api") {