Fix bug in mocked inclusion proof (#649)

Signed-off-by: Brian DeHamer <[email protected]>

Author: bdehamer

.changeset/hip-papayas-build.md

@@ -0,0 +1,5 @@
+---
+'@sigstore/mock': patch
+---
+
+Fix bug in inclusion proof returned with mocked transaction log enries

packages/mock/src/rekor/handler.test.ts

@@ -71,7 +71,7 @@ describe('rekorHandler', () => {
         ).toEqual(proposedEntry);
         expect(entry.integratedTime).toBeGreaterThan(0);
         expect(entry.logID).toBe(logID);
-        expect(entry.logIndex).toBe(0);
+        expect(entry.logIndex).toBeGreaterThan(0);
         expect(entry.verification).toBeDefined();
         expect(entry.verification?.signedEntryTimestamp).toBeDefined();
       });

packages/mock/src/rekor/tlog.test.ts

@@ -50,14 +50,14 @@ describe('TLog', () => {
       );
       expect(entry.integratedTime).toBeGreaterThan(0);
       expect(entry.logID).toEqual(logID);
-      expect(entry.logIndex).toBe(0);
+      expect(entry.logIndex).toBeGreaterThan(0);
       expect(entry.verification).toBeDefined();
       expect(entry.verification?.signedEntryTimestamp).toBeDefined();
       expect(entry.verification?.inclusionProof).toBeDefined();
       expect(entry.verification?.inclusionProof?.logIndex).toBe(0);
       expect(entry.verification?.inclusionProof?.treeSize).toBe(1);
       expect(entry.verification?.inclusionProof?.rootHash).toBeDefined();
-      expect(entry.verification?.inclusionProof?.hashes).toHaveLength(1);
+      expect(entry.verification?.inclusionProof?.hashes).toHaveLength(0);
       expect(entry.verification?.inclusionProof?.checkpoint).toBeDefined();
     });
   });

packages/mock/src/rekor/tlog.ts

@@ -53,41 +53,76 @@ class TLogImpl implements TLog {
   }
 
   public async log(proposedEntry: object): Promise<LogEntry> {
-    const logIndex = 0;
-    const treeSize = 1;
-    const treeID = crypto.randomInt(0, 2 ** 48 - 1);
-    const uuid = crypto.randomBytes(32).toString('hex');
-    const timestamp = Math.floor(Date.now() / 1000);
     const logID = crypto.createHash('sha256').update(this.publicKey).digest();
-    const body = canonicalize(proposedEntry);
+    const logIndex = crypto.randomInt(10_000_000);
+    const timestamp = Math.floor(Date.now() / 1000);
+    const body = canonicalize(proposedEntry)!;
+
+    const entry = { logID, logIndex, timestamp, body };
+    const set = this.calculateSET(entry);
+    const proof = this.calculateInclusionProof(entry);
 
-    // Calculate SET
-    // https://github.com/sigstore/rekor/blob/9eb7ec628a41ffed291b605a57e716e86ef0d680/pkg/api/entries.go#L71
+    const uuid = crypto.randomBytes(32).toString('hex');
+
+    return {
+      [uuid]: {
+        body: Buffer.from(body).toString('base64'),
+        integratedTime: timestamp,
+        logID: logID.toString('hex'),
+        logIndex: logIndex,
+        verification: {
+          inclusionProof: proof,
+          signedEntryTimestamp: set.toString('base64'),
+        },
+      },
+    };
+  }
+
+  // Compute the Signed Entry Timestamp (SET) for the given entry.
+  // https://github.com/sigstore/rekor/blob/9eb7ec628a41ffed291b605a57e716e86ef0d680/pkg/api/entries.go#L71
+  private calculateSET({
+    body,
+    timestamp,
+    logIndex,
+    logID,
+  }: {
+    body: string;
+    timestamp: number;
+    logIndex: number;
+    logID: Buffer;
+  }): Buffer {
     const setData = {
       body: body,
       integratedTime: timestamp,
       logIndex: logIndex,
       logID: logID.toString('hex'),
     };
     const setBuffer = Buffer.from(canonicalize(setData)!, 'utf8');
-    const set = crypto.sign('sha256', setBuffer, this.privateKey);
+    return crypto.sign('sha256', setBuffer, this.privateKey);
+  }
+
+  // Calculate inclusion proof assuming that the entry being added is the
+  // first and only entry in the log.
+  // https://github.com/sigstore/rekor/blob/2bd83dacf5a302da83ab4eaf20ff7ad119cb6c11/pkg/util/signed_note.go
+  private calculateInclusionProof({
+    body,
+    timestamp,
+    logID,
+  }: {
+    body: string;
+    timestamp: number;
+    logID: Buffer;
+  }): InclusionProof {
+    const treeSize = 1;
+    const treeID = crypto.randomInt(2 ** 48 - 1);
 
-    // Calculate inclusion proof assuming that the entry being added is the first
-    // entry in the log.
-    const leafHash = crypto
-      .createHash('sha256')
-      .update(Buffer.from([0x00]))
-      .update(body!)
-      .digest();
     const rootHash = crypto
       .createHash('sha256')
-      .update(Buffer.from([0x01]))
-      .update(leafHash)
-      .update(leafHash)
+      .update(Buffer.from([0x00]))
+      .update(body)
       .digest();
 
     // Construct checkpoint note
-    // https://github.com/sigstore/rekor/blob/2bd83dacf5a302da83ab4eaf20ff7ad119cb6c11/pkg/util/signed_note.go
     const note = [
       `${this.host} - ${treeID}`,
       `${treeSize}`,
@@ -104,25 +139,12 @@ class TLogImpl implements TLog {
     // Assemble checkpoint from note and signature
     const checkpoint = [note, sigLine, ''].join('\n');
 
-    const proof: InclusionProof = {
-      logIndex: logIndex,
+    return {
+      logIndex: 0,
       treeSize: treeSize,
       checkpoint,
-      hashes: [leafHash.toString('hex')],
+      hashes: [],
       rootHash: rootHash.toString('hex'),
     };
-
-    return {
-      [uuid]: {
-        body: Buffer.from(body!).toString('base64'),
-        integratedTime: timestamp,
-        logID: logID.toString('hex'),
-        logIndex: logIndex,
-        verification: {
-          inclusionProof: proof,
-          signedEntryTimestamp: set.toString('base64'),
-        },
-      },
-    };
   }
 }