Skip to content

Commit

Permalink
do not persist local state if log is empty; fail consistency proofs f…
Browse files Browse the repository at this point in the history
…rom 0 size (#1290)

Signed-off-by: Bob Callaway <bcallaway@google.com>

Signed-off-by: Bob Callaway <bcallaway@google.com>
  • Loading branch information
bobcallaway authored Jan 19, 2023
1 parent 66b1549 commit 343edbb
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 0 deletions.
4 changes: 4 additions & 0 deletions cmd/rekor-cli/app/state/state.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package state

import (
"encoding/json"
"errors"
"os"
"path/filepath"

Expand All @@ -27,6 +28,9 @@ import (
type persistedState map[string]*util.SignedCheckpoint

func Dump(key string, sth *util.SignedCheckpoint) error {
if sth.Size == 0 {
return errors.New("do not persist state for empty logs")
}
rekorDir, err := getRekorDir()
if err != nil {
return err
Expand Down
2 changes: 2 additions & 0 deletions pkg/verify/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ func ProveConsistency(ctx context.Context, rClient *client.Rekor,
oldSTH *util.SignedCheckpoint, newSTH *util.SignedCheckpoint, treeID string) error {
oldTreeSize := int64(oldSTH.Size)
switch {
case oldTreeSize == 0:
return errors.New("consistency proofs can not be computed starting from an empty log")
case oldTreeSize == int64(newSTH.Size):
if !bytes.Equal(oldSTH.Hash, newSTH.Hash) {
return errors.New("old root hash does not match STH hash")
Expand Down
15 changes: 15 additions & 0 deletions pkg/verify/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ func TestConsistency(t *testing.T) {
root2String := "5be1758dd2228acfaf2546b4b6ce8aa40c82a3748f3dcb550e0d67ba34f02a45"
root2, _ := hex.DecodeString(root2String)
root1, _ := hex.DecodeString("59a575f157274702c38de3ab1e1784226f391fb79500ebf9f02b4439fb77574c")
root0, _ := hex.DecodeString("1a341bc342ff4e567387de9789ab14000b147124317841489172419874198147")
hashes := []string{"d3be742c8d73e2dd3c5635843e987ad3dfb3837616f412a07bf730c3ad73f5cb"}
for _, test := range []struct {
name string
Expand Down Expand Up @@ -138,6 +139,20 @@ func TestConsistency(t *testing.T) {
},
wantErr: true,
},
{
name: "invalid consistency - empty log",
oldC: util.Checkpoint{
Origin: "test",
Size: uint64(0),
Hash: root0,
},
newC: util.Checkpoint{
Origin: "test",
Size: uint64(2),
Hash: root2,
},
wantErr: true,
},
} {
var mClient client.Rekor
mClient.Tlog = &TlogClient{Proof: hashes, Root: root2String}
Expand Down

0 comments on commit 343edbb

Please sign in to comment.