Add Rekor v2 support to bundle reader and writer

Signed-off-by: Aaron Lew <[email protected]>

Author: aaronlew02

sigstore-java/src/main/java/dev/sigstore/bundle/BundleReader.java

@@ -73,17 +73,15 @@ static Bundle readBundle(Reader jsonReader) throws BundleParseException {
                       .collect(Collectors.toList()))
               .build();
 
-      var verification =
-          ImmutableVerification.builder()
-              .signedEntryTimestamp(
-                  Base64.getEncoder()
-                      .encodeToString(
-                          bundleEntry
-                              .getInclusionPromise()
-                              .getSignedEntryTimestamp()
-                              .toByteArray()))
-              .inclusionProof(inclusionProof)
-              .build();
+      var verificationBuilder = ImmutableVerification.builder().inclusionProof(inclusionProof);
+      if (bundleEntry.hasInclusionPromise()
+          && !bundleEntry.getInclusionPromise().getSignedEntryTimestamp().isEmpty()) {
+        verificationBuilder.signedEntryTimestamp(
+            Base64.getEncoder()
+                .encodeToString(
+                    bundleEntry.getInclusionPromise().getSignedEntryTimestamp().toByteArray()));
+      }
+      var verification = verificationBuilder.build();
 
       var rekorEntry =
           ImmutableRekorEntry.builder()

sigstore-java/src/main/java/dev/sigstore/bundle/BundleWriter.java

@@ -53,6 +53,9 @@ static String writeBundle(Bundle signingResult) {
     try {
       String jsonBundle = JSON_PRINTER.print(bundle);
       List<String> missingFields = BundleVerifier.findMissingFields(bundle);
+      // TODO(#1018): Update handling of integrated_time once it becomes an optional field
+      // integrated_time is a required field in the Bundle spec
+      missingFields.removeIf(f -> f.endsWith("integrated_time"));
       if (!missingFields.isEmpty()) {
         throw new IllegalStateException(
             "Some of the fields were not initialized: "
@@ -128,13 +131,15 @@ private static TransparencyLogEntry.Builder buildTlogEntries(RekorEntry entry) {
                     .setKind(entry.getBodyDecoded().getKind())
                     .setVersion(entry.getBodyDecoded().getApiVersion()))
             .setIntegratedTime(entry.getIntegratedTime())
-            .setInclusionPromise(
-                InclusionPromise.newBuilder()
-                    .setSignedEntryTimestamp(
-                        ByteString.copyFrom(
-                            Base64.getDecoder()
-                                .decode(entry.getVerification().getSignedEntryTimestamp()))))
             .setCanonicalizedBody(ByteString.copyFrom(Base64.getDecoder().decode(entry.getBody())));
+    if (entry.getVerification().getSignedEntryTimestamp() != null) {
+      transparencyLogEntry.setInclusionPromise(
+          InclusionPromise.newBuilder()
+              .setSignedEntryTimestamp(
+                  ByteString.copyFrom(
+                      Base64.getDecoder()
+                          .decode(entry.getVerification().getSignedEntryTimestamp()))));
+    }
     addInclusionProof(transparencyLogEntry, entry);
     return transparencyLogEntry;
   }

sigstore-java/src/test/java/dev/sigstore/bundle/BundleReaderTest.java

@@ -92,6 +92,11 @@ public void readBundle_timestamp() throws Exception {
     readBundle("dev/sigstore/samples/bundles/bundle-with-timestamp.sigstore");
   }
 
+  @Test
+  public void readBundle_rekorV2Entry() throws Exception {
+    readBundle("dev/sigstore/samples/bundles/bundle-with-rekor-v2-entry.sigstore");
+  }
+
   private Bundle readBundle(String resourcePath) throws Exception {
     try (var reader =
         new InputStreamReader(

sigstore-java/src/test/resources/dev/sigstore/samples/bundles/bundle-with-rekor-v2-entry.sigstore

@@ -0,0 +1,40 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+  "verificationMaterial": {
+    "tlogEntries": [{
+      "logIndex": "4423",
+      "logId": {
+        "keyId": "8w1amZ2S5mJIQkQmPxdMuOrL/oJkvFg9MnQXmeOCXck="
+      },
+      "kindVersion": {
+        "kind": "hashedrekord",
+        "version": "0.0.2"
+      },
+      "inclusionProof": {
+        "logIndex": "4423",
+        "rootHash": "vz8cWrY7CxbLJb3KSgqqhJ36LYWBmsHQIosDW+jz6Mo=",
+        "treeSize": "4424",
+        "hashes": ["NTHGhFLQsx1sNpRFYsL8ojXorva801HqWY0VmFcOdG8=", "mNYKGdHB92+dfYqbxAaAmAEwJionRJRIJkp9Hd9qAEI=", "7Z5SW5fiCoeni4AiOaxH29+fy/yHvxoJs0NIgr4205Y=", "pnfrCn+zMIndV2oSiVJgUwDUl877+tscVelEn8ocmCg=", "Y9dHtdFhpgfmulbHFbY0lA3Gy3QJof82auCf/EoYppU=", "xbDsGnxf1siByWHEuiK85p0reQCaKKWUjf8YNl9s/Vo="],
+        "checkpoint": {
+          "envelope": "log2025-alpha1.rekor.sigstage.dev\n4424\nvz8cWrY7CxbLJb3KSgqqhJ36LYWBmsHQIosDW+jz6Mo\u003d\n\n— log2025-alpha1.rekor.sigstage.dev 8w1ambRbXNoVP7oYsfLKBZszx0NESaWaSswYn/enUk/olcaQjGuCTmN8GheotGFBLvbP+QcswGIIyDOJPyHYoVODCw4\u003d\n"
+        }
+      },
+      "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJoYXNoZWRSZWtvcmRWMDAyIjp7ImRhdGEiOnsiYWxnb3JpdGhtIjoiU0hBMl8yNTYiLCJkaWdlc3QiOiJvTS9IRW5IVzRuamxmTk15LzVWOFAzQkQvZG8xVEV5N0dRb3cxVzc2QWI4PSJ9LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUQySHFTd0NTOFRSSndCc0V5TWhrN3Z4MlhQWWZRQ3hLSzJkc0lMclhEd0NRSWdGL2tRUEdIMHlRcVNIODZVa1pBYTFoYmhFWFZlZXAwZWx4S0ZoNDNUV05FPSIsInZlcmlmaWVyIjp7ImtleURldGFpbHMiOiJQS0lYX0VDRFNBX1AyNTZfU0hBXzI1NiIsIng1MDlDZXJ0aWZpY2F0ZSI6eyJyYXdCeXRlcyI6Ik1JSUN6RENDQWxLZ0F3SUJBZ0lVQzl3aGd6STI0aytuR2xWRm1OL3I2cEc5NXBRd0NnWUlLb1pJemowRUF3TXdOekVWTUJNR0ExVUVDaE1NYzJsbmMzUnZjbVV1WkdWMk1SNHdIQVlEVlFRREV4VnphV2R6ZEc5eVpTMXBiblJsY20xbFpHbGhkR1V3SGhjTk1qVXdOekF5TVRnMU1UVXdXaGNOTWpVd056QXlNVGt3TVRVd1dqQUFNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVoaDl3c3A0OUdhMlY3emJlV0FwNXN5L243RUliaWhuQm8vb3B0N2pnWVBuZ3EyMCttYjZkb3FJR0x3OXdKbkRmRkFIeFdSMmtTdS95SmNPalZTZ1B6YU9DQVhFd2dnRnRNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBekFkQmdOVkhRNEVGZ1FVZFJ2UDRlVG5BY0ozNHZYK2t3Tk1YYW5EOUNrd0h3WURWUjBqQkJnd0ZvQVVjWVl3cGhSOFltLzU5OWIwQlJwL1gvL3JiNnd3SVFZRFZSMFJBUUgvQkJjd0ZZRVRZV0Z5YjI1c1pYZEFaMjl2WjJ4bExtTnZiVEFwQmdvckJnRUVBWU8vTUFFQkJCdG9kSFJ3Y3pvdkwyRmpZMjkxYm5SekxtZHZiMmRzWlM1amIyMHdLd1lLS3dZQkJBR0R2ekFCQ0FRZERCdG9kSFJ3Y3pvdkwyRmpZMjkxYm5SekxtZHZiMmRzWlM1amIyMHdnWW9HQ2lzR0FRUUIxbmtDQkFJRWZBUjZBSGdBZGdBck1MemNhSWpKNHVIWUppbGVkQjlJT1RHV0F2S2NNOHRlUTBEK3NxeUdlZ0FBQVpmTWV5RlVBQUFFQXdCSE1FVUNJSE1RNHgzelBnTWpjWnV1dUxNQmFSYTlSL05HM1JqUTlJazV1cHd3MWJ4a0FpRUFpYzBYcUd0RUtpa1pndkRWRmRYeDgxSXhTQlUzQXdRMWIwOXppQzczcjQwd0NnWUlLb1pJemowRUF3TURhQUF3WlFJd1RqMXJmVjlsK0JGOEhWRXd5Z05COHhPSlEzVDJyVktSSkR1dU1adTBUUlcrNUI0Z1pBSmdGcGltdzZ4QU9UZ25BakVBcGRkcnJXRHRHbHV2K0ZlWkhGcWNsaFZ6OEVHK0pOd0NEc2dFdjdHTU9DTjhON05VWjNzVDZ6T1VCaEZjUmJuOSJ9fX19fX0="
+    }],
+    "timestampVerificationData": {
+      "rfc3161Timestamps": [{
+        "signedTimestamp": "MIIC1DADAgEAMIICywYJKoZIhvcNAQcCoIICvDCCArgCAQMxDTALBglghkgBZQMEAgEwgcIGCyqGSIb3DQEJEAEEoIGyBIGvMIGsAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgtF/jtMHzKroX8UjkT/BViNcIlC5Y7za/y4n5cjasXD0CFQCxAdEfFrtmTuy4mcW7QjLeeOAUXhgPMjAyNTA3MDIxODUxNTFaMAMCAQECCE0pZTAXtl1eoDKkMDAuMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxFTATBgNVBAMTDHNpZ3N0b3JlLXRzYaAAMYIB2zCCAdcCAQEwUTA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQKNaEGYdXiQXPGiZan8n3yfgN8pzALBglghkgBZQMEAgGggfwwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNTA3MDIxODUxNTFaMC8GCSqGSIb3DQEJBDEiBCCiICYObTnM098xx9niiVyPo+gxp4FTvN94z4K6gH/LgjCBjgYLKoZIhvcNAQkQAi8xfzB9MHsweQQgBvT/4Ef+s1mZtzOw16MjUBz8GOTAM2aoRdd1NudLJ0QwVTA9pDswOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZAIUCjWhBmHV4kFzxomWp/J98n4DfKcwCgYIKoZIzj0EAwIEZzBlAjB0/hfB4Hm4GO5SZYuDzCtgnNdXQkETtx/QTtILM09awUdez2kQNmCAkLtPBf8ojB8CMQDfRBy5WNohfrWNDh0o+NBR7Yj67vsUyBS1WK5nT5QatouJQ3PbtSJN3Kk8xsiVxFc="
+      }]
+    },
+    "certificate": {
+      "rawBytes": "MIICzDCCAlKgAwIBAgIUC9whgzI24k+nGlVFmN/r6pG95pQwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNzAyMTg1MTUwWhcNMjUwNzAyMTkwMTUwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhh9wsp49Ga2V7zbeWAp5sy/n7EIbihnBo/opt7jgYPngq20+mb6doqIGLw9wJnDfFAHxWR2kSu/yJcOjVSgPzaOCAXEwggFtMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdRvP4eTnAcJ34vX+kwNMXanD9CkwHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIQYDVR0RAQH/BBcwFYETYWFyb25sZXdAZ29vZ2xlLmNvbTApBgorBgEEAYO/MAEBBBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wKwYKKwYBBAGDvzABCAQdDBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wgYoGCisGAQQB1nkCBAIEfAR6AHgAdgArMLzcaIjJ4uHYJiledB9IOTGWAvKcM8teQ0D+sqyGegAAAZfMeyFUAAAEAwBHMEUCIHMQ4x3zPgMjcZuuuLMBaRa9R/NG3RjQ9Ik5upww1bxkAiEAic0XqGtEKikZgvDVFdXx81IxSBU3AwQ1b09ziC73r40wCgYIKoZIzj0EAwMDaAAwZQIwTj1rfV9l+BF8HVEwygNB8xOJQ3T2rVKRJDuuMZu0TRW+5B4gZAJgFpimw6xAOTgnAjEApddrrWDtGluv+FeZHFqclhVz8EG+JNwCDsgEv7GMOCN8N7NUZ3sT6zOUBhFcRbn9"
+    }
+  },
+  "messageSignature": {
+    "messageDigest": {
+      "algorithm": "SHA2_256",
+      "digest": "oM/HEnHW4njlfNMy/5V8P3BD/do1TEy7GQow1W76Ab8="
+    },
+    "signature": "MEUCIQD2HqSwCS8TRJwBsEyMhk7vx2XPYfQCxKK2dsILrXDwCQIgF/kQPGH0yQqSH86UkZAa1hbhEXVeep0elxKFh43TWNE="
+  }
+}