From 63106370d31330f174c3048b7aea9f10108b6aad Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Mon, 11 Nov 2024 16:31:22 +0000
Subject: [PATCH] pass verifier

---
 cmd/gcp/main.go | 4 ++--
 go.mod | 1 +
 go.sum | 2 ++
 instance.go | 16 ++++++++++++++--
 instance_test.go | 6 +++---
 5 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/cmd/gcp/main.go b/cmd/gcp/main.go
index e7f8b5d8..350339c9 100644
--- a/cmd/gcp/main.go
+++ b/cmd/gcp/main.go
@@ -200,13 +200,13 @@ func awaitSignal(doneFn func()) {
 doneFn()
 }
 
-func newGCPStorage(ctx context.Context, signer note.Signer) (*sctfe.CTStorage, error) {
+func newGCPStorage(ctx context.Context, signer note.Signer, verifier note.Verifier) (*sctfe.CTStorage, error) {
 gcpCfg := gcpTessera.Config{
 ProjectID: *projectID,
 Bucket: *bucket,
 Spanner: *spannerDB,
 }
- tesseraStorage, err := gcpTessera.New(ctx, gcpCfg, tessera.WithCheckpointSignerVerifier(signer, nil), tessera.WithCTLayout())
+ tesseraStorage, err := gcpTessera.New(ctx, gcpCfg, tessera.WithCheckpointSignerVerifier(signer, verifier), tessera.WithCTLayout())
 if err != nil {
 return nil, fmt.Errorf("Failed to initialize GCP Tessera storage: %v", err)
 }
diff --git a/go.mod b/go.mod
index 63b27db0..e4290b40 100644
--- a/go.mod
+++ b/go.mod
@@ -42,6 +42,7 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
+ github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b // indirect
 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
 github.com/envoyproxy/go-control-plane v0.13.0 // indirect
 github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
diff --git a/go.sum b/go.sum
index be628276..347ce1ed 100644
--- a/go.sum
+++ b/go.sum
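Review bot: `newGCPStorage` takes the new `verifier` parameter without a nil guard, while the line it replaces passed `nil` explicitly to `tessera.WithCheckpointSignerVerifier`; since the option evidently tolerates a nil verifier, a caller that still passes `nil` gets whatever "no verifier" behaviour the option has instead of an error. Consider rejecting that up front, `if verifier == nil { return nil, fmt.Errorf("newGCPStorage: nil verifier") }`, and stating the contract in a comment on the function: `// verifier must verify signatures produced by signer; both are handed to Tessera for checkpoint handling.` The callers of `newGCPStorage` and the rest of its body are outside this hunk, so whether `nil` can actually reach it cannot be confirmed here.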
@@ -664,6 +664,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b h1:Ves2turKTX7zruivAcUOQg155xggcbv3suVdbKCBQNM=
+github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b/go.mod h1:0AZAV7lYvynZQ5ErHlGMKH+4QYMyNCFd+AiL9MlrCYA=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
diff --git a/instance.go b/instance.go
index 806c9a18..50852017 100644
--- a/instance.go
+++ b/instance.go
@@ -25,16 +25,19 @@ import (
 "github.com/google/certificate-transparency-go/asn1"
 "github.com/google/certificate-transparency-go/x509util"
 "github.com/google/trillian/monitoring"
+ tnote "github.com/transparency-dev/formats/note"
 "golang.org/x/mod/sumdb/note"
 )
 
+type createStorageFunc func(context.Context, note.Signer, note.Verifier) (*CTStorage, error)
+
 // InstanceOptions describes the options for a log instance.
 type InstanceOptions struct {
 // Validated holds the original configuration options for the log, and some
 // of its fields parsed as a result of validating it.
 Validated *ValidatedLogConfig
 // CreateStorage instantiates a Tessera storage implementation with a signer option.
- CreateStorage func(context.Context, note.Signer) (*CTStorage, error)
+ CreateStorage createStorageFunc
 // Deadline is a timeout for Tessera requests.
 Deadline time.Duration
 // MetricFactory allows creating metrics.
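Review bot: The comment on `CreateStorage` is now stale: it still says the storage is created "with a signer option" although the field's new type `createStorageFunc` also takes a `note.Verifier`, and the new type has no doc comment of its own. Suggested wording on the field, `// CreateStorage instantiates a Tessera storage implementation with the checkpoint signer and a matching verifier.`, and above the type, `// createStorageFunc builds the CTStorage for a log from its checkpoint signer and verifier.` Since `InstanceOptions` is exported but `createStorageFunc` is not, external packages can still assign a func literal to the field but cannot name its type; exporting it (for example as `CreateStorageFunc`) would avoid that. The `InstanceOptions` struct continues past the end of the hunk.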
@@ -92,10 +95,19 @@ func SetUpInstance(ctx context.Context, opts InstanceOptions) (*Instance, error)
 timeSource := new(SystemTimeSource)
 ctSigner := NewCpSigner(cfg.Signer, cfg.Origin, logID, timeSource)
 
+ vkey, err := tnote.RFC6962VerifierString(cfg.Origin, cfg.Signer.Public())
+ if err != nil {
+ return nil, fmt.Errorf("failed to create verifier key: %v", err)
+ }
+ ctVerifier, err := tnote.NewRFC6962Verifier(vkey)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create verifier: %v", err)
+ }
+
 if opts.CreateStorage == nil {
 return nil, fmt.Errorf("failed to initiate storage backend: nil createStorage")
 }
- storage, err := opts.CreateStorage(ctx, ctSigner)
+ storage, err := opts.CreateStorage(ctx, ctSigner, ctVerifier)
 if err != nil {
 return nil, fmt.Errorf("failed to initiate storage backend: %v", err)
 }
diff --git a/instance_test.go b/instance_test.go
index 7170c19f..ee6cea7a 100644
--- a/instance_test.go
+++ b/instance_test.go
@@ -30,7 +30,7 @@ import (
 "golang.org/x/mod/sumdb/note"
 )
 
-func fakeCTStorage(_ context.Context, _ note.Signer) (*CTStorage, error) {
+func fakeCTStorage(_ context.Context, _ note.Signer, _ note.Verifier) (*CTStorage, error) {
 return &CTStorage{}, nil
 }
 
@@ -52,7 +52,7 @@ func TestSetUpInstance(t *testing.T) {
 extKeyUsages string
 rejectExtensions string
 signer crypto.Signer
- ctStorage func(context.Context, note.Signer) (*CTStorage, error)
+ ctStorage createStorageFunc
 wantErr string
 }{
 {
@@ -150,7 +150,7 @@ func TestSetUpInstance(t *testing.T) {
 spannerDB: "spanner",
 rootsPemFile: "./testdata/fake-ca.cert",
 signer: signer,
- ctStorage: func(_ context.Context, _ note.Signer) (*CTStorage, error) {
+ ctStorage: func(_ context.Context, _ note.Signer, _ note.Verifier) (*CTStorage, error) {
 return nil, fmt.Errorf("I failed")
 },
 wantErr: "failed to initiate storage backend",
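Review bot: The `opts.CreateStorage == nil` guard now sits after the two verifier-construction steps, so a misconfigured caller derives the verifier key and fails only on the cheapest check afterwards; moving `if opts.CreateStorage == nil { ... }` above `vkey, err := ...` keeps the guard clauses together and the happy path unchanged. The reason the verifier is built from the signer's own key is also worth one comment, e.g. `// ctVerifier is derived from cfg.Signer's public key under cfg.Origin, so it only verifies checkpoints signed by this log.` `SetUpInstance` begins and ends outside the hunk.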
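Review bot: `fakeCTStorage` discards the verifier argument, and the two table-entry hunks below do the same, so nothing in `TestSetUpInstance` asserts that `SetUpInstance` hands a non-nil verifier to `CreateStorage`. A fake that inspects the argument in a success case would cover the new wiring, e.g. `ctStorage: func(_ context.Context, _ note.Signer, v note.Verifier) (*CTStorage, error) { if v == nil { return nil, fmt.Errorf("nil verifier") }; return &CTStorage{}, nil },`. The table and the test function itself extend beyond the hunks shown here.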