sigstore
diff --git a/‎sigstore-java/src/main/java/dev/sigstore/rekor/client/Checkpoints.java
Lines changed: 2 additions & 2 deletions b/‎sigstore-java/src/main/java/dev/sigstore/rekor/client/Checkpoints.java
Lines changed: 2 additions & 2 deletions
diff --git a/‎sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2Client.java
Lines changed: 33 additions & 0 deletions b/‎sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2Client.java
Lines changed: 33 additions & 0 deletions
diff --git a/‎sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2ClientHttp.java
Lines changed: 131 additions & 0 deletions b/‎sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2ClientHttp.java
Lines changed: 131 additions & 0 deletions
diff --git a/‎sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2Verifier.java
Lines changed: 160 additions & 0 deletions b/‎sigstore-java/src/main/java/dev/sigstore/rekor/v2/client/RekorV2Verifier.java
Lines changed: 160 additions & 0 deletions
@@ -29,10 +29,10 @@
  * Checkpoint helper class to parse from a string in the format described in
  * https://github.com/transparency-dev/formats/blob/12bf59947efb7ae227c12f218b4740fb17a87e50/log/README.md
  */
-class Checkpoints {
+public class Checkpoints {
   private static final Pattern SIGNATURE_BLOCK = Pattern.compile("\\u2014 (\\S+) (\\S+)");
 
-  static Checkpoint from(String encoded) throws RekorParseException {
+  public static Checkpoint from(String encoded) throws RekorParseException {
     var split = Splitter.on("\n\n").splitToList(encoded);
     if (split.size() != 2) {
       throw new RekorParseException(
 
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.rekor.v2.client;
+
+import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
+import dev.sigstore.proto.rekor.v2.HashedRekordRequestV002;
+import dev.sigstore.rekor.client.RekorParseException;
+import java.io.IOException;
+
+/** A client to communicate with a rekor v2 service instance. */
+public interface RekorV2Client {
+  /**
+   * Put a new hashedrekord entry on the Rekor log.
+   *
+   * @param hashedRekordRequest the request to send to rekor
+   * @return a {@link TransparencyLogEntry} with information about the log entry
+   */
+  TransparencyLogEntry putEntry(HashedRekordRequestV002 hashedRekordRequest)
+      throws IOException, RekorParseException;
+}
@@ -0,0 +1,131 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.rekor.v2.client;
+
+import com.google.api.client.http.ByteArrayContent;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.util.Preconditions;
+import com.google.gson.reflect.TypeToken;
+import com.google.protobuf.InvalidProtocolBufferException;
+import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.http.HttpClients;
+import dev.sigstore.http.HttpParams;
+import dev.sigstore.http.ImmutableHttpParams;
+import dev.sigstore.json.GsonSupplier;
+import dev.sigstore.json.ProtoJson;
+import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
+import dev.sigstore.proto.rekor.v2.HashedRekordRequestV002;
+import dev.sigstore.rekor.client.RekorParseException;
+import dev.sigstore.trustroot.Service;
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+
+/** A client to communicate with a rekor v2 service instance over http. */
+public class RekorV2ClientHttp implements RekorV2Client {
+  public static final String REKOR_ENTRIES_PATH = "/api/v2/log/entries";
+  public static final String REKOR_CHECKPOINT_PATH = "/api/v2/checkpoint";
+
+  private final HttpParams httpParams;
+  private final URI uri;
+
+  public static RekorV2ClientHttp.Builder builder() {
+    return new RekorV2ClientHttp.Builder();
+  }
+
+  private RekorV2ClientHttp(HttpParams httpParams, URI uri) {
+    this.uri = uri;
+    this.httpParams = httpParams;
+  }
+
+  public static class Builder {
+    private HttpParams httpParams = ImmutableHttpParams.builder().build();
+    private Service service;
+
+    private Builder() {}
+
+    /** Configure the http properties, see {@link HttpParams}, {@link ImmutableHttpParams}. */
+    public Builder setHttpParams(HttpParams httpParams) {
+      this.httpParams = httpParams;
+      return this;
+    }
+
+    /** Service information for a remote rekor instance. */
+    public Builder setService(Service service) {
+      this.service = service;
+      return this;
+    }
+
+    public RekorV2ClientHttp build() {
+      Preconditions.checkNotNull(service);
+      return new RekorV2ClientHttp(httpParams, service.getUrl());
+    }
+  }
+
+  @Override
+  public TransparencyLogEntry putEntry(HashedRekordRequestV002 hashedRekordRequest)
+      throws IOException, RekorParseException {
+    URI rekorPutEndpoint = uri.resolve(REKOR_ENTRIES_PATH);
+
+    String jsonPayload;
+    try {
+      String innerJson = JsonFormat.printer().print(hashedRekordRequest);
+
+      Type type = new TypeToken<Map<String, Object>>() {}.getType();
+      Map<String, Object> innerMap = GsonSupplier.GSON.get().fromJson(innerJson, type);
+
+      var requestMap = new HashMap<String, Object>();
+      requestMap.put("hashedRekordRequestV002", innerMap);
+
+      jsonPayload = GsonSupplier.GSON.get().toJson(requestMap);
+    } catch (InvalidProtocolBufferException e) {
+      throw new RekorParseException("Failed to serialize HashedRekordRequestV002 to JSON", e);
+    }
+
+    HttpRequest req =
+        HttpClients.newRequestFactory(httpParams)
+            .buildPostRequest(
+                new GenericUrl(rekorPutEndpoint),
+                ByteArrayContent.fromString("application/json", jsonPayload));
+    req.getHeaders().set("Accept", "application/json");
+    req.getHeaders().set("Content-Type", "application/json");
+
+    HttpResponse resp = req.execute();
+    if (resp.getStatusCode() != 201) {
+      throw new IOException(
+          String.format(
+              Locale.ROOT,
+              "bad response from rekor @ '%s' : %s",
+              rekorPutEndpoint,
+              resp.parseAsString()));
+    }
+
+    String respEntryJson = resp.parseAsString();
+
+    try {
+      TransparencyLogEntry.Builder builder = TransparencyLogEntry.newBuilder();
+      ProtoJson.parser().merge(respEntryJson, builder);
+      return builder.build();
+    } catch (InvalidProtocolBufferException e) {
+      throw new RekorParseException("Failed to parse Rekor response JSON", e);
+    }
+  }
+}
@@ -0,0 +1,160 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.rekor.v2.client;
+
+import com.google.common.hash.Hashing;
+import com.google.protobuf.ByteString;
+import dev.sigstore.encryption.signers.Verifiers;
+import dev.sigstore.merkle.InclusionProofVerificationException;
+import dev.sigstore.merkle.InclusionProofVerifier;
+import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
+import dev.sigstore.rekor.client.Checkpoints;
+import dev.sigstore.rekor.client.RekorEntry.Checkpoint;
+import dev.sigstore.rekor.client.RekorEntry.CheckpointSignature;
+import dev.sigstore.rekor.client.RekorParseException;
+import dev.sigstore.rekor.client.RekorVerificationException;
+import dev.sigstore.trustroot.SigstoreTrustedRoot;
+import dev.sigstore.trustroot.TransparencyLog;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.List;
+import java.util.Optional;
+
+/* Verifier for rekor v2 entries. */
+public class RekorV2Verifier {
+  private final List<TransparencyLog> tlogs;
+
+  public static RekorV2Verifier newRekorV2Verifier(SigstoreTrustedRoot trustRoot) {
+    return newRekorV2Verifier(trustRoot.getTLogs());
+  }
+
+  public static RekorV2Verifier newRekorV2Verifier(List<TransparencyLog> tlogs) {
+    return new RekorV2Verifier(tlogs);
+  }
+
+  private RekorV2Verifier(List<TransparencyLog> tlogs) {
+    this.tlogs = tlogs;
+  }
+
+  public void verifyEntry(TransparencyLogEntry entry, Instant timestamp)
+      throws RekorVerificationException {
+    if (entry.getInclusionProof() == null) {
+      throw new RekorVerificationException("No inclusion proof in entry.");
+    }
+
+    var tlog =
+        TransparencyLog.find(tlogs, entry.getLogId().getKeyId().toByteArray(), timestamp)
+            .orElseThrow(
+                () ->
+                    new RekorVerificationException(
+                        "Log entry (logid, timestamp) does not match any provided transparency logs."));
+
+    // verify inclusion proof
+    verifyInclusionProof(entry);
+    verifyCheckpoint(entry, tlog);
+  }
+
+  /** Verify that a Rekor Entry is in the log by checking inclusion proof. */
+  private void verifyInclusionProof(TransparencyLogEntry entry) throws RekorVerificationException {
+    var inclusionProof = entry.getInclusionProof();
+
+    var leafHash =
+        Hashing.sha256()
+            .newHasher()
+            .putByte((byte) 0x00)
+            .putBytes(entry.getCanonicalizedBody().toByteArray())
+            .hash()
+            .asBytes();
+
+    List<byte[]> hashes = new ArrayList<>();
+    for (ByteString hash : inclusionProof.getHashesList()) {
+      hashes.add(hash.toByteArray());
+    }
+
+    byte[] expectedRootHash = inclusionProof.getRootHash().toByteArray();
+
+    try {
+      InclusionProofVerifier.verify(
+          leafHash,
+          inclusionProof.getLogIndex(),
+          inclusionProof.getTreeSize(),
+          hashes,
+          expectedRootHash);
+    } catch (InclusionProofVerificationException e) {
+      throw new RekorVerificationException("Inclusion proof verification failed", e);
+    }
+  }
+
+  private void verifyCheckpoint(TransparencyLogEntry entry, TransparencyLog tlog)
+      throws RekorVerificationException {
+    var checkpoint = entry.getInclusionProof().getCheckpoint();
+    Checkpoint parsedCheckpoint;
+    try {
+      parsedCheckpoint = Checkpoints.from(checkpoint.getEnvelope());
+    } catch (RekorParseException ex) {
+      throw new RekorVerificationException("Could not parse checkpoint from envelope", ex);
+    }
+
+    final int MAX_CHECKPOINT_SIGNATURES = 20;
+    if (parsedCheckpoint.getSignatures().size() > MAX_CHECKPOINT_SIGNATURES) {
+      throw new RekorVerificationException(
+          "Checkpoint contains an excessive number of signatures ("
+              + parsedCheckpoint.getSignatures().size()
+              + "), exceeding the maximum allowed of "
+              + MAX_CHECKPOINT_SIGNATURES);
+    }
+
+    byte[] inclusionRootHash = entry.getInclusionProof().getRootHash().toByteArray();
+    byte[] checkpointRootHash = Base64.getDecoder().decode(parsedCheckpoint.getBase64Hash());
+
+    if (!Arrays.equals(inclusionRootHash, checkpointRootHash)) {
+      throw new RekorVerificationException(
+          "Checkpoint root hash does not match root hash provided in inclusion proof");
+    }
+
+    Optional<CheckpointSignature> matchingSig =
+        parsedCheckpoint.getSignatures().stream()
+            .filter(sig -> sig.getIdentity().equals(tlog.getBaseUrl().getHost()))
+            .findFirst();
+
+    if (!matchingSig.isPresent()) {
+      throw new RekorVerificationException(
+          "No matching checkpoint signature found for transparency log: "
+              + tlog.getBaseUrl().getHost());
+    }
+
+    var signedData = parsedCheckpoint.getSignedData();
+
+    try {
+      if (!Verifiers.newVerifier(tlog.getPublicKey().toJavaPublicKey())
+          .verify(signedData.getBytes(StandardCharsets.UTF_8), matchingSig.get().getSignature())) {
+        throw new RekorVerificationException("Checkpoint signature was invalid");
+      }
+    } catch (NoSuchAlgorithmException
+        | InvalidKeySpecException
+        | SignatureException
+        | InvalidKeyException ex) {
+      throw new RekorVerificationException("Could not verify checkpoint signature", ex);
+    }
+  }
+}