cloudflare
diff --git a/‎crates/ct_worker/src/lib.rs‎
Lines changed: 33 additions & 1 deletion b/‎crates/ct_worker/src/lib.rs‎
Lines changed: 33 additions & 1 deletion
diff --git a/‎crates/ct_worker/src/sequencer_do.rs‎
Lines changed: 4 additions & 29 deletions b/‎crates/ct_worker/src/sequencer_do.rs‎
Lines changed: 4 additions & 29 deletions
diff --git a/‎crates/generic_log_worker/src/lib.rs‎
Lines changed: 0 additions & 1 deletion b/‎crates/generic_log_worker/src/lib.rs‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎crates/generic_log_worker/src/log_ops.rs‎
Lines changed: 62 additions & 57 deletions b/‎crates/generic_log_worker/src/log_ops.rs‎
Lines changed: 62 additions & 57 deletions
diff --git a/‎crates/generic_log_worker/src/sequencer_do.rs‎
Lines changed: 2 additions & 49 deletions b/‎crates/generic_log_worker/src/sequencer_do.rs‎
Lines changed: 2 additions & 49 deletions
@@ -6,9 +6,11 @@
 use config::AppConfig;
 use ed25519_dalek::SigningKey as Ed25519SigningKey;
 use p256::{ecdsa::SigningKey as EcdsaSigningKey, pkcs8::DecodePrivateKey};
+use signed_note::KeyName;
+use static_ct_api::StaticCTCheckpointSigner;
 use std::collections::HashMap;
 use std::sync::{LazyLock, OnceLock};
-use tlog_tiles::{LookupKey, SequenceMetadata};
+use tlog_tiles::{CheckpointSigner, Ed25519CheckpointSigner, LookupKey, SequenceMetadata};
 #[allow(clippy::wildcard_imports)]
 use worker::*;
 use x509_cert::Certificate;
@@ -72,3 +74,33 @@ pub(crate) fn load_witness_key(env: &Env, name: &str) -> Result<&'static Ed25519
         Ok(once.get_or_init(|| key))
     }
 }
+
+pub(crate) fn load_checkpoint_signers(env: &Env, name: &str) -> Vec<Box<dyn CheckpointSigner>> {
+    let origin = load_origin(name);
+    let signing_key = load_signing_key(env, name).unwrap().clone();
+    let witness_key = load_witness_key(env, name).unwrap().clone();
+
+    // Make the checkpoint signers from the secret keys and put them in a vec
+    let signer = StaticCTCheckpointSigner::new(origin.clone(), signing_key)
+        .map_err(|e| format!("could not create static-ct checkpoint signer: {e}"))
+        .unwrap();
+    let witness = Ed25519CheckpointSigner::new(origin, witness_key)
+        .map_err(|e| format!("could not create ed25519 checkpoint signer: {e}"))
+        .unwrap();
+
+    vec![Box::new(signer), Box::new(witness)]
+}
+
+pub(crate) fn load_origin(name: &str) -> KeyName {
+    // https://github.com/C2SP/C2SP/blob/main/static-ct-api.md#checkpoints
+    // The origin line MUST be the submission prefix of the log as a schema-less URL with no trailing slashes.
+    KeyName::new(
+        CONFIG.logs[name]
+            .submission_url
+            .trim_start_matches("http://")
+            .trim_start_matches("https://")
+            .trim_end_matches('/')
+            .to_string(),
+    )
+    .expect("invalid origin name")
+}
@@ -5,12 +5,10 @@
 
 use std::time::Duration;
 
-use crate::{load_signing_key, load_witness_key, CONFIG};
+use crate::{load_checkpoint_signers, load_origin, CONFIG};
 use generic_log_worker::{load_public_bucket, GenericSequencer, SequencerConfig};
 use prometheus::Registry;
-use signed_note::KeyName;
-use static_ct_api::{StaticCTCheckpointSigner, StaticCTLogEntry};
-use tlog_tiles::{CheckpointSigner, Ed25519CheckpointSigner};
+use static_ct_api::StaticCTLogEntry;
 #[allow(clippy::wildcard_imports)]
 use worker::*;
 
@@ -29,36 +27,13 @@ impl DurableObject for Sequencer {
             .find(|(name, _)| id == namespace.id_from_name(name).unwrap().to_string())
             .expect("unable to find sequencer name");
 
-        // https://github.com/C2SP/C2SP/blob/main/static-ct-api.md#checkpoints
-        // The origin line MUST be the submission prefix of the log as a schema-less URL with no trailing slashes.
-        let origin = KeyName::new(
-            params
-                .submission_url
-                .trim_start_matches("http://")
-                .trim_start_matches("https://")
-                .trim_end_matches('/')
-                .to_string(),
-        )
-        .expect("invalid origin name");
+        let origin = load_origin(name);
         let sequence_interval = Duration::from_millis(params.sequence_interval_millis);
 
         // We don't use checkpoint extensions for CT
         let checkpoint_extension = Box::new(|_| vec![]);
 
-        let checkpoint_signers: Vec<Box<dyn CheckpointSigner>> = {
-            let signing_key = load_signing_key(&env, name).unwrap().clone();
-            let witness_key = load_witness_key(&env, name).unwrap().clone();
-
-            // Make the checkpoint signers from the secret keys and put them in a vec
-            let signer = StaticCTCheckpointSigner::new(origin.clone(), signing_key)
-                .map_err(|e| format!("could not create static-ct checkpoint signer: {e}"))
-                .unwrap();
-            let witness = Ed25519CheckpointSigner::new(origin.clone(), witness_key)
-                .map_err(|e| format!("could not create ed25519 checkpoint signer: {e}"))
-                .unwrap();
-
-            vec![Box::new(signer), Box::new(witness)]
-        };
+        let checkpoint_signers = load_checkpoint_signers(&env, name);
         let bucket = load_public_bucket(&env, name).unwrap();
         let registry = Registry::new();
 
 
@@ -30,7 +30,6 @@ use worker::kv::KvStore;
 #[allow(clippy::wildcard_imports)]
 use worker::*;
 
-pub const PROVE_INCLUSION_ENDPOINT: &str = "/prove_inclusion";
 const BATCH_ENDPOINT: &str = "/add_batch";
 pub const ENTRY_ENDPOINT: &str = "/add_entry";
 pub const METRICS_ENDPOINT: &str = "/metrics";
 
@@ -38,10 +38,11 @@ use std::{
 };
 use thiserror::Error;
 use tlog_tiles::{
-    prove_record, tlog, Hash, HashReader, LogEntry, PendingLogEntry, RecordProof, Tile,
-    TileHashReader, TileIterator, TileReader, TlogError, TlogTile, TreeProof, TreeWithTimestamp,
-    UnixTimestamp, HASH_SIZE,
+    prove_record, Hash, HashReader, LogEntry, PendingLogEntry, RecordProof, Tile, TileHashReader,
+    TileIterator, TileReader, TlogError, TlogTile, TreeWithTimestamp, UnixTimestamp, HASH_SIZE,
 };
+#[cfg(test)]
+use tlog_tiles::{tlog, TreeProof};
 use tokio::sync::watch::{channel, Receiver, Sender};
 use worker::Error as WorkerError;
 
@@ -50,7 +51,7 @@ use worker::Error as WorkerError;
 const DATA_TILE_LEVEL_KEY: u8 = u8::MAX;
 /// Same as above, anything above 63 is fine to use as the level key.
 const UNHASHED_TILE_LEVEL_KEY: u8 = u8::MAX - 1;
-const CHECKPOINT_KEY: &str = "checkpoint";
+pub const CHECKPOINT_KEY: &str = "checkpoint";
 const STAGING_KEY: &str = "staging";
 
 // Limit on the number of entries per batch. Tune this parameter to avoid
@@ -555,6 +556,7 @@ impl SequenceState {
     }
 
     /// Proves inclusion of the last leaf in the current tree.
+    #[cfg(test)]
     pub(crate) fn prove_inclusion_of_last_elem(&self) -> RecordProof {
         let tree_size = self.tree.size();
         let reader = HashReaderWithOverlay {
@@ -572,6 +574,7 @@ impl SequenceState {
     /// # Errors
     /// Errors when the last tree was size 0. We cannot prove consistency with
     /// respect to an empty tree
+    #[cfg(test)]
     pub(crate) fn prove_consistency_of_single_append(&self) -> Result<TreeProof, TlogError> {
         let tree_size = self.tree.size();
         let reader = HashReaderWithOverlay {
@@ -580,62 +583,58 @@ impl SequenceState {
         };
         tlog::prove_tree(tree_size, tree_size - 1, &reader)
     }
+}
 
-    /// Returns an inclusion proof for the given leaf index
-    ///
-    /// # Errors
-    /// Errors when the leaf index equals or exceeds the number of leaves, or
-    /// the desired tiles do not exist as bucket objects.
-    pub async fn prove_inclusion(
-        &self,
-        object: &impl ObjectBackend,
-        leaf_index: u64,
-    ) -> Result<RecordProof, WorkerError> {
-        // Get the size of the tree
-        let num_leaves = self.tree.size();
-        let tree_hash = *self.tree.hash();
-
-        if leaf_index >= num_leaves {
-            return Err(WorkerError::RustError(
-                "leaf index exceeds number of leaves in the tree".to_string(),
-            ));
-        }
-
-        let mut all_tile_data = HashMap::new();
-
-        // Make a fake proof using ProofPreparer to get all the tiles we need
-        // TODO: This seems useful. We can probably move this into the tlog_tiles crate
-        let tiles_to_fetch = {
-            let tile_reader = ProofPreparer::default();
-            let hash_reader = TileHashReader::new(num_leaves, tree_hash, &tile_reader);
-            // ProofPreparer is guaranteed to make prove_record return a BadMath
-            // error. This is fine, because it already collected the data we
-            // needed
-            let _ = prove_record(num_leaves, leaf_index, &hash_reader);
-            tile_reader.0.into_inner()
-        };
-
-        // Fetch all the tiles we need for a proof
-        for tile in tiles_to_fetch {
-            let Some(tile_data) = object.fetch(&tile.path()).await? else {
-                return Err(WorkerError::RustError(format!(
-                    "missing tile for inclusion proof {}",
-                    tile.path()
-                )));
-            };
-            all_tile_data.insert(tile, tile_data);
-        }
+/// Returns an inclusion proof for the given leaf index, tree size, and root hash.
+///
+/// # Errors
+/// Errors when the leaf index equals or exceeds the number of leaves, or
+/// the desired tiles do not exist as bucket objects.
+pub async fn prove_inclusion(
+    num_leaves: u64,
+    tree_hash: Hash,
+    leaf_index: u64,
+    object: &impl ObjectBackend,
+) -> Result<RecordProof, WorkerError> {
+    if leaf_index >= num_leaves {
+        return Err(WorkerError::RustError(
+            "leaf index exceeds number of leaves in the tree".to_string(),
+        ));
+    }
+
+    let mut all_tile_data = HashMap::new();
+
+    // Make a fake proof using ProofPreparer to get all the tiles we need
+    // TODO: This seems useful. We can probably move this into the tlog_tiles crate
+    let tiles_to_fetch = {
+        let tile_reader = ProofPreparer::default();
+        let hash_reader = TileHashReader::new(num_leaves, tree_hash, &tile_reader);
+        // ProofPreparer is guaranteed to make prove_record return a BadMath
+        // error. This is fine, because it already collected the data we
+        // needed.
+        let _ = prove_record(num_leaves, leaf_index, &hash_reader);
+        tile_reader.0.into_inner()
+    };
 
-        // Now make the proof
-        let proof = {
-            // Put the recorded tiles into the appropriate Reader structs for prove_record()
-            let tile_reader = SimpleTlogTileReader(all_tile_data);
-            let hash_reader = TileHashReader::new(num_leaves, tree_hash, &tile_reader);
-            prove_record(num_leaves, leaf_index, &hash_reader)
-                .map_err(|e| WorkerError::RustError(e.to_string()))?
+    // Fetch all the tiles we need for a proof
+    for tile in tiles_to_fetch {
+        let Some(tile_data) = object.fetch(&tile.path()).await? else {
+            return Err(WorkerError::RustError(format!(
+                "missing tile for inclusion proof {}",
+                tile.path()
+            )));
         };
-        Ok(proof)
+        all_tile_data.insert(tile, tile_data);
     }
+
+    // Now make the proof
+    let proof = {
+        // Put the recorded tiles into the appropriate Reader structs for prove_record()
+        let tile_reader = SimpleTlogTileReader(all_tile_data);
+        let hash_reader = TileHashReader::new(num_leaves, tree_hash, &tile_reader);
+        prove_record(num_leaves, leaf_index, &hash_reader).map_err(|e| e.to_string())?
+    };
+    Ok(proof)
 }
 
 /// Result of an [`add_leaf_to_pool`] request containing either a cached log
@@ -1455,7 +1454,13 @@ mod tests {
         let tree_hash = *sequence_state.tree.hash();
         for i in 0..n {
             // Compute the inclusion proof for leaf i
-            let proof = block_on(sequence_state.prove_inclusion(&log.object, i)).unwrap();
+            let proof = block_on(prove_inclusion(
+                sequence_state.tree.size(),
+                *sequence_state.tree.hash(),
+                i,
+                &log.object,
+            ))
+            .unwrap();
             // Verify the inclusion proof. We need the leaf hash
             let leaf_hash = {
                 // Get the tile the leaf belongs to, and correct the width by getting the 0th parent
 
@@ -10,7 +10,7 @@ use crate::{
     metrics::{millis_diff_as_secs, ObjectMetrics, SequencerMetrics},
     util::now_millis,
     DedupCache, LookupKey, MemoryCache, ObjectBucket, SequenceMetadata, BATCH_ENDPOINT,
-    ENTRY_ENDPOINT, METRICS_ENDPOINT, PROVE_INCLUSION_ENDPOINT,
+    ENTRY_ENDPOINT, METRICS_ENDPOINT,
 };
 use futures_util::future::join_all;
 use log::{info, warn};
@@ -19,9 +19,7 @@ use serde::{Deserialize, Serialize};
 use serde_with::base64::Base64;
 use serde_with::serde_as;
 use signed_note::KeyName;
-use tlog_tiles::{
-    CheckpointSigner, LeafIndex, LogEntry, PendingLogEntry, RecordProof, UnixTimestamp,
-};
+use tlog_tiles::{CheckpointSigner, LeafIndex, LogEntry, PendingLogEntry, UnixTimestamp};
 use tokio::sync::Mutex;
 use worker::{Bucket, Error as WorkerError, Request, Response, State};
 
@@ -117,18 +115,6 @@ impl<L: LogEntry> GenericSequencer<L> {
         let mut endpoint = path.trim_start_matches('/');
         let resp = match path.as_str() {
             METRICS_ENDPOINT => self.fetch_metrics(),
-            PROVE_INCLUSION_ENDPOINT => {
-                let ProveInclusionQuery { leaf_index } = req.query()?;
-                // Construct the proof and convert the hashes to Vec<u8>
-                let proof = self
-                    .prove_inclusion(leaf_index)
-                    .await
-                    .map_err(|e| WorkerError::RustError(e.to_string()))?;
-                let proof_bytestrings = proof.into_iter().map(|h| h.0.to_vec()).collect::<Vec<_>>();
-                Response::from_json(&ProveInclusionResponse {
-                    proof: proof_bytestrings,
-                })
-            }
             ENTRY_ENDPOINT => {
                 let pending_entry: L::Pending = req.json().await?;
                 let lookup_key = pending_entry.lookup_key();
@@ -272,39 +258,6 @@ impl<L: LogEntry> GenericSequencer<L> {
             .collect::<Vec<_>>()
     }
 
-    /// Returns an inclusion proof for the given leaf index, fetching tiles from
-    /// object storage as needed.
-    ///
-    /// # Errors
-    /// Errors when the leaf index equals or exceeds the number of leaves or
-    /// when the desired tiles do not exist as bucket objects.
-    pub async fn prove_inclusion(&self, leaf_index: u64) -> Result<RecordProof, anyhow::Error> {
-        let sequence_state = self.sequence_state.borrow().clone();
-        sequence_state
-            .prove_inclusion(&self.public_bucket, leaf_index)
-            .await
-            .map_err(anyhow::Error::from)
-    }
-
-    /// Proves inclusion of the last leaf in the current tree. This is
-    /// guaranteed not to fail since the necessary 'right edge' tiles are cached
-    /// in the sequence state.
-    pub fn prove_inclusion_of_last_elem(&self) -> RecordProof {
-        self.sequence_state.borrow().prove_inclusion_of_last_elem()
-    }
-
-    /// Proves that this tree of size n is compatible with the subtree of size
-    /// n-1. In other words, prove that we appended 1 element to the tree.
-    ///
-    /// # Errors
-    /// Errors if the tree is empty.
-    pub fn prove_consistency_of_single_append(&self) -> Result<RecordProof, WorkerError> {
-        self.sequence_state
-            .borrow()
-            .prove_consistency_of_single_append()
-            .map_err(|e| format!("consistency proof failed: {e}").into())
-    }
-
     fn fetch_metrics(&self) -> Result<Response, WorkerError> {
         let mut buffer = String::new();
         let encoder = TextEncoder::new();