Add Rekor v2 client and verifier

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

Author: aaronlew02

sigstore-java/src/main/java/dev/sigstore/encryption/signers/Ed25519Verifier.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.encryption.signers;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+
+/** Ed25519 verifier, instantiated by {@link Verifiers#newVerifier(PublicKey)}. */
+public class Ed25519Verifier implements Verifier {
+
+  private final PublicKey publicKey;
+
+  Ed25519Verifier(PublicKey publicKey) {
+    this.publicKey = publicKey;
+  }
+
+  @Override
+  public PublicKey getPublicKey() {
+    return publicKey;
+  }
+
+  @Override
+  public boolean verify(byte[] artifact, byte[] signature)
+      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+    var verifier = Signature.getInstance("Ed25519");
+    verifier.initVerify(publicKey);
+    verifier.update(artifact);
+    return verifier.verify(signature);
+  }
+
+  @Override
+  public boolean verifyDigest(byte[] digest, byte[] signature)
+      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+    var verifier = Signature.getInstance("Ed25519");
+    verifier.initVerify(publicKey);
+    verifier.update(digest); // Treat artifactDigest as the message that was signed
+    return verifier.verify(signature);
+  }
+}

sigstore-java/src/main/java/dev/sigstore/encryption/signers/Verifiers.java

@@ -28,9 +28,13 @@ public static Verifier newVerifier(PublicKey publicKey) throws NoSuchAlgorithmEx
     if (publicKey.getAlgorithm().equals("EC") || publicKey.getAlgorithm().equals("ECDSA")) {
       return new EcdsaVerifier(publicKey);
     }
+    // EdDSA is the family, Ed25519 is a specific curve/algorithm instance.
+    if (publicKey.getAlgorithm().equals("Ed25519")) {
+      return new Ed25519Verifier(publicKey);
+    }
     throw new NoSuchAlgorithmException(
         "Cannot verify signatures for key type '"
             + publicKey.getAlgorithm()
-            + "', this client only supports RSA and ECDSA verification");
+            + "', this client only supports RSA, ECDSA, and Ed25519 verification");
   }
 }

sigstore-java/src/main/java/dev/sigstore/rekor/client/Checkpoints.java

@@ -29,10 +29,10 @@
  * Checkpoint helper class to parse from a string in the format described in
  * https://github.com/transparency-dev/formats/blob/12bf59947efb7ae227c12f218b4740fb17a87e50/log/README.md
  */
-class Checkpoints {
+public class Checkpoints {
   private static final Pattern SIGNATURE_BLOCK = Pattern.compile("\\u2014 (\\S+) (\\S+)");
 
-  static Checkpoint from(String encoded) throws RekorParseException {
+  public static Checkpoint from(String encoded) throws RekorParseException {
     var split = Splitter.on("\n\n").splitToList(encoded);
     if (split.size() != 2) {
       throw new RekorParseException(

sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2Client.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.rekor.v2.client;
+
+import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
+import dev.sigstore.proto.rekor.v2.HashedRekordRequestV002;
+import dev.sigstore.rekor.client.RekorParseException;
+import java.io.IOException;
+
+/** A client to communicate with a rekor v2 service instance. */
+public interface RekorV2Client {
+  /**
+   * Put a new hashedrekord entry on the Rekor log.
+   *
+   * @param hashedRekordRequest the request to send to rekor
+   * @return a {@link TransparencyLogEntry} with information about the log entry
+   */
+  TransparencyLogEntry putEntry(HashedRekordRequestV002 hashedRekordRequest)
+      throws IOException, RekorParseException;
+
+  /**
+   * Retrieve the latest checkpoint from the Rekor log.
+   *
+   * @return the checkpoint in plain text.
+   */
+  String getCheckpoint() throws IOException;
+}

sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2ClientHttp.java

@@ -0,0 +1,183 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.rekor.v2.client;
+
+import com.google.api.client.http.ByteArrayContent;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.util.Preconditions;
+import com.google.gson.reflect.TypeToken;
+import com.google.protobuf.InvalidProtocolBufferException;
+import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.http.HttpClients;
+import dev.sigstore.http.HttpParams;
+import dev.sigstore.http.ImmutableHttpParams;
+import dev.sigstore.json.GsonSupplier;
+import dev.sigstore.json.ProtoJson;
+import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
+import dev.sigstore.proto.rekor.v2.HashedRekordRequestV002;
+import dev.sigstore.rekor.client.RekorParseException;
+import dev.sigstore.trustroot.Service;
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.net.URI;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Locale;
+import java.util.Map;
+
+/** A client to communicate with a rekor v2 service instance over http. */
+public class RekorV2ClientHttp implements RekorV2Client {
+  public static final String REKOR_ENTRIES_PATH = "/api/v2/log/entries";
+  public static final String REKOR_CHECKPOINT_PATH = "/api/v2/checkpoint";
+
+  private final HttpParams httpParams;
+  private final URI uri;
+
+  public static RekorV2ClientHttp.Builder builder() {
+    return new RekorV2ClientHttp.Builder();
+  }
+
+  private RekorV2ClientHttp(HttpParams httpParams, URI uri) {
+    this.uri = uri;
+    this.httpParams = httpParams;
+  }
+
+  public static class Builder {
+    private HttpParams httpParams = ImmutableHttpParams.builder().build();
+    private Service service;
+
+    private Builder() {}
+
+    /** Configure the http properties, see {@link HttpParams}, {@link ImmutableHttpParams}. */
+    public Builder setHttpParams(HttpParams httpParams) {
+      this.httpParams = httpParams;
+      return this;
+    }
+
+    /** Service information for a remote rekor instance. */
+    public Builder setService(Service service) {
+      this.service = service;
+      return this;
+    }
+
+    public RekorV2ClientHttp build() {
+      Preconditions.checkNotNull(service);
+      return new RekorV2ClientHttp(httpParams, service.getUrl());
+    }
+  }
+
+  @Override
+  public TransparencyLogEntry putEntry(HashedRekordRequestV002 hashedRekordRequest)
+      throws IOException, RekorParseException {
+    URI rekorPutEndpoint = uri.resolve(REKOR_ENTRIES_PATH);
+
+    String jsonPayload;
+    try {
+      String innerJson = JsonFormat.printer().print(hashedRekordRequest);
+
+      Type type = new TypeToken<Map<String, Object>>() {}.getType();
+      Map<String, Object> innerMap = GsonSupplier.GSON.get().fromJson(innerJson, type);
+
+      var requestMap = new HashMap<String, Object>();
+      requestMap.put("hashedRekordRequestV002", innerMap);
+
+      jsonPayload = GsonSupplier.GSON.get().toJson(requestMap);
+    } catch (InvalidProtocolBufferException e) {
+      throw new RekorParseException("Failed to serialize HashedRekordRequestV002 to JSON", e);
+    }
+
+    // jsonPayload = moreComplicatedJSONGeneration(hashedRekordRequest);
+
+    System.out.println(jsonPayload);
+
+    HttpRequest req =
+        HttpClients.newRequestFactory(httpParams)
+            .buildPostRequest(
+                new GenericUrl(rekorPutEndpoint),
+                ByteArrayContent.fromString("application/json", jsonPayload));
+    req.getHeaders().set("Accept", "application/json");
+    req.getHeaders().set("Content-Type", "application/json");
+
+    HttpResponse resp = req.execute();
+    if (resp.getStatusCode() != 201) {
+      throw new IOException(
+          String.format(
+              Locale.ROOT,
+              "bad response from rekor @ '%s' : %s",
+              rekorPutEndpoint,
+              resp.parseAsString()));
+    }
+
+    String respEntryJson = resp.parseAsString();
+
+    try {
+      TransparencyLogEntry.Builder builder = TransparencyLogEntry.newBuilder();
+      ProtoJson.parser().merge(respEntryJson, builder);
+      return builder.build();
+    } catch (InvalidProtocolBufferException e) {
+      throw new RekorParseException("Failed to parse Rekor response JSON", e);
+    }
+  }
+
+  @Override
+  public String getCheckpoint() throws IOException {
+    URI rekorGetEndpoint = uri.resolve(REKOR_CHECKPOINT_PATH);
+
+    HttpRequest req =
+        HttpClients.newRequestFactory(httpParams).buildGetRequest(new GenericUrl(rekorGetEndpoint));
+    req.getHeaders().set("Accept", "text/plain");
+
+    HttpResponse resp = req.execute();
+
+    return resp.parseAsString();
+  }
+
+  private String moreComplicatedJSONGeneration(HashedRekordRequestV002 hashedRekordRequest) {
+    var data = new LinkedHashMap<String, Object>();
+    var hashedRekorRequestData = new LinkedHashMap<String, Object>();
+    var signatureData = new LinkedHashMap<String, Object>();
+
+    var digest = Base64.getEncoder().encodeToString(hashedRekordRequest.getDigest().toByteArray());
+
+    var signature = hashedRekordRequest.getSignature();
+    var signatureContent = Base64.getEncoder().encodeToString(signature.getContent().toByteArray());
+
+    var verifier = signature.getVerifier();
+    var verifierCertificate = verifier.getX509Certificate();
+    var verifierCertificateRawBytes =
+        Base64.getEncoder().encodeToString(verifierCertificate.getRawBytes().toByteArray());
+    var verifierCertificateData = new LinkedHashMap<String, Object>();
+    var verifierKeyDetails = verifier.getKeyDetails().toString();
+    var signatureVerifier = new LinkedHashMap<String, Object>();
+
+    verifierCertificateData.put("rawBytes", verifierCertificateRawBytes);
+    signatureVerifier.put("x509Certificate", verifierCertificateData);
+    signatureVerifier.put("keyDetails", verifierKeyDetails);
+
+    signatureData.put("content", signatureContent);
+    signatureData.put("verifier", signatureVerifier);
+
+    hashedRekorRequestData.put("digest", digest);
+    hashedRekorRequestData.put("signature", signatureData);
+
+    data.put("hashedRekordRequestV002", hashedRekorRequestData);
+
+    return GsonSupplier.GSON.get().toJson(data);
+  }
+}