Merge pull request #245 from trail-of-forks/alex/conformance-pr

Add conformance testing

Author: loosebazooka

.github/workflows/conformance.yml

@@ -0,0 +1,41 @@
+name: Conformance Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target:
+    types: [labeled]
+  workflow_dispatch:
+
+jobs:
+  conformance:
+    strategy:
+      matrix:
+        java-version: [11, 17]
+      fail-fast: false
+
+    permissions:
+      # Needed to access the workflow's OIDC identity.
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+
+      - name: Set up JDK ${{ matrix.java-version }}
+        uses: actions/setup-java@v3
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: 'temurin'
+
+      - name: Build sigstore-java
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2.3.3
+        with:
+          arguments: :sigstore-conformance:build
+
+      - name: Unpack sigstore-java distribution
+        run: tar -xvf ${{ github.workspace }}/sigstore-conformance/build/distributions/sigstore-conformance-*.tar --strip-components 1
+
+      - uses: trailofbits/sigstore-conformance@0748d63c53810e36cc3f4bbe4114301080f0d844
+        with:
+          entrypoint: ${{ github.workspace }}/bin/sigstore-conformance

settings.gradle.kts

@@ -7,3 +7,4 @@ include("sigstore-java")
 include("sigstore-gradle:sigstore-gradle-sign-base-plugin")
 include("sigstore-gradle:sigstore-gradle-sign-plugin")
 include("sigstore-testkit")
+include("sigstore-conformance")

sigstore-conformance/build.gradle.kts

@@ -0,0 +1,36 @@
+plugins {
+    id("java")
+    id("application")
+    id("com.diffplug.spotless") version "6.11.0"
+}
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    implementation(project(":sigstore-java"))
+    implementation("com.google.guava:guava:31.1-jre")
+}
+
+spotless {
+    kotlinGradle {
+        target("*.gradle.kts") // default target for kotlinGradle
+        ktlint()
+    }
+    format("misc") {
+        target("*.md", ".gitignore", "**/*.yaml")
+
+        trimTrailingWhitespace()
+        indentWithSpaces()
+        endWithNewline()
+    }
+    java {
+        googleJavaFormat("1.6")
+        licenseHeaderFile("$rootDir/config/licenseHeader")
+    }
+}
+
+application {
+    mainClass.set("dev.sigstore.conformance.Main")
+}

sigstore-conformance/src/main/java/dev/sigstore/conformance/Main.java

@@ -0,0 +1,137 @@
+/*
+ * Copyright 2022 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.conformance;
+
+import static com.google.common.io.Files.asByteSource;
+import static dev.sigstore.encryption.certificates.Certificates.toPemString;
+
+import com.google.common.hash.Hashing;
+import dev.sigstore.KeylessSigner;
+import dev.sigstore.KeylessVerifier;
+import dev.sigstore.oidc.client.GithubActionsOidcClient;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+public class Main {
+  private static final String SIGN_COMMAND = "sign";
+  private static final String VERIFY_COMMAND = "verify";
+  private static final String SIGNATURE_FLAG = "--signature";
+  private static final String CERTIFICATE_FLAG = "--certificate";
+  private static final String CERTIFICATE_IDENTITY_FLAG = "--certificate-identity";
+  private static final String CERTIFICATE_OIDC_ISSUER_FLAG = "--certificate-oidc-issuer";
+
+  public static void main(String[] args) throws Exception {
+    Arguments a = new Arguments(args);
+    final var action = a.getNextArgument();
+    if (action.equals(SIGN_COMMAND)) {
+      final SignArguments signArgs = parseSignArguments(a);
+      executeSign(signArgs);
+    } else if (action.equals(VERIFY_COMMAND)) {
+      final VerifyArguments verifyArgs = parseVerifyArguments(a);
+      executeVerify(verifyArgs);
+    } else {
+      throw new IllegalArgumentException("Unrecognized action: " + action);
+    }
+  }
+
+  private static class Arguments {
+    private int index;
+    private final String[] args;
+
+    public Arguments(String[] args) {
+      this.index = 0;
+      this.args = args;
+    }
+
+    public String getNextArgument() {
+      if (index >= args.length) {
+        final var errorMsg =
+            String.format("Insufficient arguments; amount=%d, requested=%d", args.length, index);
+        throw new IllegalArgumentException(errorMsg);
+      }
+      return args[index++];
+    }
+
+    public void expectNextArgument(String expectedArg) {
+      final var nextArg = getNextArgument();
+      if (!expectedArg.equals(nextArg)) {
+        final var errorMsg =
+            String.format(
+                "Found unexpected argument; expected=\"%s\", found=\"%s\"", expectedArg, nextArg);
+        throw new IllegalArgumentException(errorMsg);
+      }
+    }
+  }
+
+  private static class SignArguments {
+    public Path signature;
+    public Path certificate;
+    public Path artifact;
+  }
+
+  private static SignArguments parseSignArguments(Arguments args) {
+    final var signArgs = new SignArguments();
+    args.expectNextArgument(SIGNATURE_FLAG);
+    signArgs.signature = Paths.get(args.getNextArgument());
+    args.expectNextArgument(CERTIFICATE_FLAG);
+    signArgs.certificate = Paths.get(args.getNextArgument());
+    signArgs.artifact = Paths.get(args.getNextArgument());
+    return signArgs;
+  }
+
+  private static void executeSign(SignArguments args) throws Exception {
+    final var signer =
+        KeylessSigner.builder()
+            .sigstorePublicDefaults()
+            .oidcClient(GithubActionsOidcClient.builder().build())
+            .build();
+    final var result = signer.signFile(args.artifact);
+    Files.write(args.signature, result.getSignature());
+    final var pemBytes = toPemString(result.getCertPath()).getBytes();
+    Files.write(args.certificate, pemBytes);
+  }
+
+  private static class VerifyArguments {
+    public Path signature;
+    public Path certificate;
+    public String certificateIdentity;
+    public String certificateOidcIssuer;
+    public Path artifact;
+  }
+
+  private static VerifyArguments parseVerifyArguments(Arguments args) {
+    final var verifyArgs = new VerifyArguments();
+    args.expectNextArgument(SIGNATURE_FLAG);
+    verifyArgs.signature = Paths.get(args.getNextArgument());
+    args.expectNextArgument(CERTIFICATE_FLAG);
+    verifyArgs.certificate = Paths.get(args.getNextArgument());
+    args.expectNextArgument(CERTIFICATE_IDENTITY_FLAG);
+    verifyArgs.certificateIdentity = args.getNextArgument();
+    args.expectNextArgument(CERTIFICATE_OIDC_ISSUER_FLAG);
+    verifyArgs.certificateOidcIssuer = args.getNextArgument();
+    verifyArgs.artifact = Paths.get(args.getNextArgument());
+    return verifyArgs;
+  }
+
+  private static void executeVerify(VerifyArguments args) throws Exception {
+    final var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
+    final var artifactByteSource = asByteSource(args.artifact.toFile());
+    final byte[] artifactDigest = artifactByteSource.hash(Hashing.sha256()).asBytes();
+    verifier.verifyOnline(
+        artifactDigest, Files.readAllBytes(args.certificate), Files.readAllBytes(args.signature));
+  }
+}