Merge pull request #771 from sigstore/minor-updates

Add test with verification and bundle reader

Author: loosebazooka

sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java

@@ -130,8 +130,7 @@ public Integer call() throws Exception {
                   fetcher.getEntryFromRekor(digest, Certificates.getLeaf(certPath), signature))
               .build();
     } else {
-      bundle =
-          Bundle.from(Files.newBufferedReader(signatureFiles.bundleFile, StandardCharsets.UTF_8));
+      bundle = Bundle.from(signatureFiles.bundleFile, StandardCharsets.UTF_8);
     }
 
     var verificationOptionsBuilder = VerificationOptions.builder();

sigstore-java/src/main/java/dev/sigstore/bundle/Bundle.java

@@ -17,7 +17,11 @@
 
 import com.google.common.base.Preconditions;
 import dev.sigstore.rekor.client.RekorEntry;
+import java.io.IOException;
 import java.io.Reader;
+import java.nio.charset.Charset;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.cert.CertPath;
 import java.util.List;
 import java.util.Optional;
@@ -147,10 +151,16 @@ public interface Timestamp {
     byte[] getRfc3161Timestamp();
   }
 
+  /** Read a json formatted bundle. */
   public static Bundle from(Reader bundleJson) throws BundleParseException {
     return BundleReader.readBundle(bundleJson);
   }
 
+  /** Read a json formatted bundle from a file. */
+  public static Bundle from(Path file, Charset cs) throws BundleParseException, IOException {
+    return BundleReader.readBundle(Files.newBufferedReader(file, cs));
+  }
+
   @Lazy
   public String toJson() {
     return BundleWriter.writeBundle(this);

sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java

@@ -118,6 +118,27 @@ public void verifyBundle(String artifactResourcePath, String bundleResourcePath)
         Path.of(artifact), Bundle.from(new StringReader(bundleFile)), VerificationOptions.empty());
   }
 
+  @Test
+  public void verifyWithVerificationOptions() throws Exception {
+    var bundleFile =
+        Resources.toString(
+            Resources.getResource("dev/sigstore/samples/bundles/bundle.sigstore"),
+            StandardCharsets.UTF_8);
+    var artifact = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt").getPath();
+
+    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
+    verifier.verify(
+        Path.of(artifact),
+        Bundle.from(new StringReader(bundleFile)),
+        VerificationOptions.builder()
+            .addCertificateMatchers(
+                CertificateMatcher.fulcio()
+                    .subjectAlternativeName(StringMatcher.string("[email protected]"))
+                    .issuer(StringMatcher.string("https://accounts.google.com"))
+                    .build())
+            .build());
+  }
+
   @Test
   public void verifyCertificateMatches_noneProvided() throws Exception {
     var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();