FiloSottile / sunlight

A Certificate Transparency log implementation and monitoring API designed for scalability, ease of operation, and reduced cost.
https://sunlight.dev
ISC License
126 stars, 9 forks

Empty logs sign wrong root hash #14

Closed mcpherrinm closed 3 months ago

mcpherrinm commented 8 months ago

Per @AGWA on https://groups.google.com/a/chromium.org/g/ct-policy/c/v9JzlbphYBs/m/-blS5vMtAgAJ

Note that all cryptographic operations (such as hashes and signatures) are as specified by RFC 6962, so these APIs can be thought of as an alternative encoding format for the same data

at least 10 Sunlight logs have produced STHs with a tree size of 0 and an all-zero root hash, while RFC 6962 specifies that the root hash of an empty tree is the SHA-256 hash of an empty string.
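As an added example, not code from the sunlight repository or from anyone in this thread, here is the RFC 6962 Merkle Tree Hash with the empty-tree rule made explicit, plus the check a monitor could apply to a signed tree head to catch exactly the defect described above (an STH with tree size 0 and an all-zero root hash). The function names are assumptions for this illustration.

```python
import hashlib
from typing import List, Optional

# RFC 6962 section 2.1: the hash of an empty tree is SHA-256 of the empty string,
# not 32 zero bytes.
EMPTY_TREE_HASH = hashlib.sha256(b"").digest()


def _largest_power_of_two_below(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), the MTH split point."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: List[bytes]) -> bytes:
    """RFC 6962 Merkle Tree Hash over raw leaf inputs, including the n == 0 case."""
    n = len(leaves)
    if n == 0:
        return EMPTY_TREE_HASH
    if n == 1:
        # Leaf hash: SHA-256(0x00 || leaf)
        return hashlib.sha256(b"\x00" + leaves[0]).digest()
    k = _largest_power_of_two_below(n)
    left = merkle_tree_hash(leaves[:k])
    right = merkle_tree_hash(leaves[k:])
    # Interior node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()


def check_sth_root(tree_size: int, root_hash: bytes) -> Optional[str]:
    """Monitor-side sanity check on an STH. Returns a problem description, or None
    when nothing is verifiably wrong without fetching the leaves."""
    if len(root_hash) != 32:
        return "root_hash is not 32 bytes"
    if tree_size == 0:
        if root_hash == b"\x00" * 32:
            return "empty tree signed with all-zero root hash; RFC 6962 requires SHA-256 of the empty string"
        if root_hash != EMPTY_TREE_HASH:
            return "empty tree root hash does not match SHA-256 of the empty string"
    return None


if __name__ == "__main__":
    print(merkle_tree_hash([]).hex())
    print(check_sth_root(0, b"\x00" * 32))
```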

nholstein commented 8 months ago

@mcpherrinm, are you looking for help with this? If so, I see two approaches:

  1. fixup the hash of an empty tree prior to calling signTreeHead
  2. copy and patch the logic of tlog.TreeHash to handle empty trees

The second approach would also need to handle construction of a new log within ctlog.CreateLog, so it seems like the first approach is simpler.

Would a PR be helpful?

FiloSottile commented 7 months ago

I had a chat with Russ, and we're going to change golang.org/x/mod/sumdb/tlog upstream, to avoid ecosystem fragmentation on this.