cmd/witnessctl: separate add-log and add/del-key commands

FiloSottile · FiloSottile · commit 4634f70e967d · 2024-12-14T18:06:24.000+01:00
Fixes #17
diff --git a/README.md b/README.md
@@ -74,11 +74,22 @@ successfully. If the connection drops after establishing, litewitness exits.
 witnessctl is a CLI tool to operate on the litewitness database. It can be used
 while litewitness is running.
 
-    witnessctl add-log -db <path> -origin <origin> -key <base64-encoded Ed25519 key>
+    witnessctl add-log -db <path> -origin <origin>
+
+The `add-log` command adds a new known log starting at a size of zero. Removing
+a log is not supported, as it presents the risk of signing a split view if
+re-added. To disable a log, remove all its keys.
+
+    witnessctl add-key -db <path> -origin <origin> -key <verifier key>
+    witnessctl del-key -db <path> -origin <origin> -key <verifier key>
+
+The `add-key` and `del-key` commands add and remove verifier keys for a known
+log. The name of the key must match the log origin.
+
     witnessctl add-sigsum-log -db <path> -key <hex-encoded key>
 
-The `add-log` and `add-sigsum-log` commands add a new known log starting at a
-size of zero.
+The `add-sigsum-log` command is a helper that adds a new Sigsum log, computing
+the origin and key from a 32-byte hex-encoded Ed25519 public key.
 
     witnessctl list-logs -db <path>
 
diff --git a/cmd/litewitness/testdata/audit-log.txt b/cmd/litewitness/testdata/audit-log.txt
diff --git a/cmd/witnessctl/witnessctl.go b/cmd/witnessctl/witnessctl.go
@@ -1,7 +1,6 @@
 package main
 
 import (
-	"crypto/ed25519"
 	"encoding/base64"
 	"encoding/hex"
 	"flag"
@@ -20,7 +19,9 @@ import (
 func usage() {
 	fmt.Printf("Usage: %s <command> [options]\n", os.Args[0])
 	fmt.Println("Commands:")
-	fmt.Println("    add-log -db <path> -origin <origin> -key <base64-encoded Ed25519 key>")
+	fmt.Println("    add-log -db <path> -origin <origin>")
+	fmt.Println("    add-key -db <path> -origin <origin> -key <verifier key>")
+	fmt.Println("    del-key -db <path> -origin <origin> -key <verifier key>")
 	fmt.Println("    add-sigsum-log -db <path> -key <hex-encoded key>")
 	fmt.Println("    list-logs -db <path>")
 	os.Exit(1)
@@ -30,39 +31,36 @@ func main() {
 	if len(os.Args) < 2 {
 		usage()
 	}
+	fs := flag.NewFlagSet(os.Args[0], flag.ExitOnError)
+	dbFlag := fs.String("db", "litewitness.db", "path to sqlite database")
 	switch os.Args[1] {
 	case "add-log":
-		fs := flag.NewFlagSet("add-log", flag.ExitOnError)
-		dbFlag := fs.String("db", "litewitness.db", "path to sqlite database")
 		originFlag := fs.String("origin", "", "log name")
-		keyFlag := fs.String("key", "", "base64-encoded key")
 		fs.Parse(os.Args[2:])
-		key, err := base64.StdEncoding.DecodeString(*keyFlag)
-		if err != nil {
-			log.Fatal(err)
-		}
 		db := openDB(*dbFlag)
-		addLog(db, *originFlag, key)
+		addLog(db, *originFlag)
+
+	case "add-key":
+		originFlag := fs.String("origin", "", "log name")
+		keyFlag := fs.String("key", "", "verifier key")
+		fs.Parse(os.Args[2:])
+		db := openDB(*dbFlag)
+		addKey(db, *originFlag, *keyFlag)
+
+	case "del-key":
+		originFlag := fs.String("origin", "", "log name")
+		keyFlag := fs.String("key", "", "verifier key")
+		fs.Parse(os.Args[2:])
+		db := openDB(*dbFlag)
+		delKey(db, *originFlag, *keyFlag)
 
 	case "add-sigsum-log":
-		fs := flag.NewFlagSet("add-sigsum-log", flag.ExitOnError)
-		dbFlag := fs.String("db", "litewitness.db", "path to sqlite database")
 		keyFlag := fs.String("key", "", "hex-encoded key")
 		fs.Parse(os.Args[2:])
-		if len(*keyFlag) != sigsum.PublicKeySize*2 {
-			log.Println(*keyFlag)
-			log.Fatal("key must be 32 hex-encoded bytes")
-		}
-		var key sigsum.PublicKey
-		if _, err := hex.Decode(key[:], []byte(*keyFlag)); err != nil {
-			log.Fatal(err)
-		}
 		db := openDB(*dbFlag)
-		addSigsumLog(db, key)
+		addSigsumLog(db, *keyFlag)
 
 	case "list-logs":
-		fs := flag.NewFlagSet("list-logs", flag.ExitOnError)
-		dbFlag := fs.String("db", "litewitness.db", "path to sqlite database")
 		fs.Parse(os.Args[2:])
 		db := openDB(*dbFlag)
 		listLogs(db)
@@ -75,31 +73,62 @@ func main() {
 func openDB(dbPath string) *sqlite.Conn {
 	db, err := witness.OpenDB(dbPath)
 	if err != nil {
-		log.Fatalf("opening database: %v", err)
+		log.Fatalf("Error opening database: %v", err)
 	}
 	return db
 }
 
-func addLog(db *sqlite.Conn, origin string, key ed25519.PublicKey) {
+func addLog(db *sqlite.Conn, origin string) {
 	treeHash := merkle.HashEmptyTree()
 	if err := sqlitex.Exec(db, "INSERT INTO log (origin, tree_size, tree_hash) VALUES (?, 0, ?)",
 		nil, origin, base64.StdEncoding.EncodeToString(treeHash[:])); err != nil {
-		log.Fatal(err)
+		log.Fatalf("Error adding log: %v", err)
 	}
-	k, err := note.NewEd25519VerifierKey(origin, key[:])
+	log.Printf("Added log %q.", origin)
+}
+
+func addKey(db *sqlite.Conn, origin string, vk string) {
+	v, err := note.NewVerifier(vk)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("Error parsing verifier key: %v", err)
 	}
-	if sqlitex.Exec(db, "INSERT INTO key (origin, key) VALUES (?, ?)", nil, origin, k); err != nil {
-		log.Fatal(err)
+	if v.Name() != origin {
+		log.Fatalf("Verifier key name %q does not match origin %q.", v.Name(), origin)
 	}
-	log.Printf("Added log %q.", key)
+	err = sqlitex.Exec(db, "INSERT INTO key (origin, key) VALUES (?, ?)", nil, origin, vk)
+	if err != nil {
+		log.Fatalf("Error adding key: %v", err)
+	}
+	log.Printf("Added key %q.", vk)
+}
+
+func delKey(db *sqlite.Conn, origin string, vk string) {
+	err := sqlitex.Exec(db, "DELETE FROM key WHERE origin = ? AND key = ?", nil, origin, vk)
+	if err != nil {
+		log.Fatalf("Error deleting key: %v", err)
+	}
+	if db.Changes() == 0 {
+		log.Fatalf("Key %q not found.", vk)
+	}
+	log.Printf("Deleted key %q.", vk)
 }
 
-func addSigsumLog(db *sqlite.Conn, key sigsum.PublicKey) {
+func addSigsumLog(db *sqlite.Conn, keyFlag string) {
+	if len(keyFlag) != sigsum.PublicKeySize*2 {
+		log.Fatal("Key must be 32 hex-encoded bytes.")
+	}
+	var key sigsum.PublicKey
+	if _, err := hex.Decode(key[:], []byte(keyFlag)); err != nil {
+		log.Fatalf("Error decoding key: %v", err)
+	}
 	keyHash := sigsum.HashBytes(key[:])
 	origin := fmt.Sprintf("sigsum.org/v1/tree/%x", keyHash)
-	addLog(db, origin, key[:])
+	vk, err := note.NewEd25519VerifierKey(origin, key[:])
+	if err != nil {
+		log.Fatalf("Error computing verifier key: %v", err)
+	}
+	addLog(db, origin)
+	addKey(db, origin, vk)
 }
 
 func listLogs(db *sqlite.Conn) {
@@ -120,6 +149,6 @@ func listLogs(db *sqlite.Conn) {
 		_, err := fmt.Printf("%s\n", stmt.ColumnText(0))
 		return err
 	}); err != nil {
-		log.Fatal(err)
+		log.Fatalf("Error listing logs: %v", err)
 	}
 }
