Skip to content

Align MTC support closer to spec #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lukevalenta merged 10 commits into from
Jul 14, 2025
Merged

Align MTC support closer to spec #57

lukevalenta merged 10 commits into from
Jul 14, 2025

Conversation

@lukevalenta
Copy link
Contributor

@lukevalenta lukevalenta commented Jul 11, 2025

Add cosignature support

  • Add support for cosignature/v1 signatures from tlog-cosignature
  • Add support for subtree_signatures from current MTC draft. This is
    currently limited to signing checkpoints but not arbitrary subtrees.

Other changes (hopefully improvements):

  • Consolidate signed_note error types into NoteError
  • Add new() functions for Ed25519NoteSigner/Verifier to avoid needing to go through text format
  • Add KeyName wrapper around string that enforces that key names are valid according to signed_note spec
  • Move Ed25519 signer/verifier to separate file in signed_note
  • Add enum for signed_note signature types

Clean up config

Rename Signature -> NoteSignature to avoid naming conflicts

Add support for parsing the log ID as a ObjectIdentifier

This is not compatibile with the current MTC draft which uses RELATIVE-OID, but will do until RustCrypto/formats#1875 is handled.

Add support for MTC's initial log entry

In MTCs, the certificate serial number is its index in the log. Since
X.509 serial numbers must be non-zero, MTCs adds an initial 'null_entry'
at index 0 to help avoid off-by-one errors in consumers of the log.

Align MTC implementation closer to spec

@lukevalenta
Align MTC implementation closer to spec
44beb7e
@lukevalenta
Add support for MTC's initial log entry
dc95c58 
In MTCs, the certificate serial number is its index in the log. Since
X.509 serial numbers must be non-zero, MTCs adds an initial 'null_entry'
at index 0 to help avoid off-by-one errors in consumers of the log.
@lukevalenta
Add support for parsing the log ID as a ObjectIdentifier
ee25fbf 
This is not compatibile with the current MTC draft which uses RELATIVE-OID, but will do until RustCrypto/formats#1875 is handled.
@lukevalenta
Rename Signature -> NoteSignature to avoid naming conflicts
8801d9f
@lukevalenta
Clean up config
519242b 
* Update wrangler KV and R2 resources for MTC dev deploy
* Re-enable wasm-opt (see cloudflare/workers-rs#767)
@lukevalenta
Add cosignature support
8fb968f 
- Add support for cosignature/v1 signatures from tlog-cosignature
- Add support for subtree_signatures from current MTC draft.  This is
  currently limited to signing checkpoints but not arbitrary subtrees.

Other changes (hopefully improvements):
- Consolidate signed_note error types into NoteError
- Add new() functions for Ed25519NoteSigner/Verifier to avoid needing to go through text format
- Add KeyName wrapper around string that enforces that key names are valid according to signed_note spec
- Move Ed25519 signer/verifier to separate file in signed_note
- Add enum for signed_note signature types
@lukevalenta
Clean up after self-review
5a10049
@lukevalenta lukevalenta requested a review from bwesterb July 11, 2025 18:35
@lukevalenta
Make kv_namespaces optional when enable_dedup = false
4a2d1d7 
Previously, when enable_dedup was set to false, entries were still written to the long-term deduplication cache in KV. Now, deduplication is skipped entirely.
@lukevalenta
Remove unused byteorder dependency from signed_note
2b95045
@lukevalenta
Document how to reset a targeted dev log without needing to clear DO …
c063338 
…storage and R2
@lukevalenta lukevalenta changed the title Add cosignature support Align MTC support closer to spec Jul 11, 2025
bwesterb
bwesterb approved these changes Jul 14, 2025
View reviewed changes
crates/mtc_worker/src/sequencer_do.rs
let checkpoint_extension = Box::new(|_| vec![]);

// TODO parse log ID as a RelativeOid after https://github.com/RustCrypto/formats/issues/1875
let log_id_relative_oid = ObjectIdentifier::from_str(&params.log_id).unwrap();
Copy link
Member

@bwesterb bwesterb Jul 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The RelativeOID format is not that complicated. There is an implementation of it in our old Go code.

As a hack, btw, you can prepend "0.0", parse as an OID, and then leave out the first byte:

bas@Mac ~ $ echo 'RELATIVE_OID {.1234.1.2}' |  ascii2der | hexdump -C
00000000  0d 04 89 52 01 02                                 |...R..|
00000006
bas@Mac ~ $ echo 'OBJECT_IDENTIFIER {0.0.1234.1.2}' |  ascii2der | hexdump -C
00000000  06 05 00 89 52 01 02                              |....R..|
00000007

Copy link
Contributor Author

@lukevalenta lukevalenta Jul 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, that's a nice trick! The encoding itself makes sense now, but just trying to figure out how to incorporate into the RustCrypto library..

@lukevalenta lukevalenta merged commit 73b7438 into main Jul 14, 2025
1 check passed
@lukevalenta lukevalenta deleted the lvalenta/mtc branch July 14, 2025 19:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bwesterb bwesterb bwesterb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukevalenta @bwesterb