Add support for verifying Sunlight checkpoints

[AlCutter]

This PR adds support for verifying sunlight style checkpoints.

It provides:

• A helper to create a note Verifier string from RFC6962 log URL & public keys
• A note.Verifier implementation of the sunlight RFC6962 0x05 signature scheme
• A function which can convert RFC6962 JSON formatted Signed Tree Head structures directly to sunlight signed checkpoint format.

TODO: figure out best way to avoid the dep on ct-go #105

[codecov]

Codecov Report

Attention: Patch coverage is 66.92913% with 42 lines in your changes are missing coverage. Please review.

Project coverage is 76.99%. Comparing base (fa00c16) to head (dbdce9e).
Report is 22 commits behind head on main.

Files	Patch %	Lines
note/note_rfc6962.go	66.40%	24 Missing and 18 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #99      +/-   ##
==========================================
- Coverage   82.57%   76.99%   -5.58%     
==========================================
  Files           5        6       +1     
  Lines         241      313      +72     
==========================================
+ Hits          199      241      +42     
- Misses         30       42      +12     
- Partials       12       30      +18     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[FiloSottile]

BTW, is there a way to hide Codecov complaints? They are extremely distracting.

[FiloSottile]

I have one of these, named just the same, in an (for now) untagged version of the Sunlight module.

https://pkg.go.dev/filippo.io/sunlight@main#NewRFC6962Verifier

What do you think of it? Would it make sense to import it from here?

A key difference is that it allows extracting/validating the timestamp, which I think is critical for verification.

I didn't make a string encoding for it though. Should we specify those?

[AlCutter]

Aha, I was trying to do this "clean room" from the spec :)

In general I really like the string vkey idea; it makes it very easy to poke through configs in existing code (e.g. the witness), so I'm all up for specifying for all the note-compatible verifiers we're cooking up!

On the extracting the timestamp, the way I was going to go was the same as I've done here for TimestampCoSigv1: https://github.com/transparency-dev/formats/blob/main/note/note_cosigv1.go#L116-L127

Passing the call-back in at verifier c'tor time means that in apps like the witness you can't really create verifiers out at "config parsing" time (with corresponding error handling there) and then pass them down into other funcs/modules without adding some other complexity around how you pass that callback in too. It also means that the verifier is no longer safe to use from multiple go-routines.

It "feels good" to have the timestamp extracted during verification available, but OTOH, since note.Note already has a mechanism to convey which sigs (if any) were verified, I figured it's probably ok to have the application logic which relies on those signatures then go and explicitly extract the "extra" info present in them. Any malicious code which could modify/insert/remove entries from the note.Sigs[] immediately after the note.Open() returns can also probably just nobble the signature verification/timestamp extraction itself, or the callback and its side effects, etc.

wdyt?

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 66.92913% with 42 lines in your changes are missing coverage. Please review.

Project coverage is 76.99%. Comparing base (fa00c16) to head (dc192e9).
Report is 23 commits behind head on main.

Files	Patch %	Lines
note/note_rfc6962.go	66.40%	24 Missing and 18 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #99      +/-   ##
==========================================
- Coverage   82.57%   76.99%   -5.58%     
==========================================
  Files           5        6       +1     
  Lines         241      313      +72     
==========================================
+ Hits          199      241      +42     
- Misses         30       42      +12     
- Partials       12       30      +18     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mhutchinson]

As discussed, please open an issue about this dependency. Copying out the CT bits we need is reasonable as a solution. We worked very hard to keep the number of deps for this repo to a minimum. This now implicitly depends on trillian, which is a big dependency load that was a prime part of the motivation towards creating these smaller repos.

[AlCutter]

#105

[mhutchinson]

nit: signedTreeHead (lower case s).

Passim.

[mhutchinson]

The quotes around this sentence have me asking a lot of questions. I suspect it's an accident. If not, it needs an attribution.

[AlCutter]

Linked to Sunlight spec