Merge pull request #658 from sigstore/must-have-inclusion-proof

Inclusion proof is required

Author: loosebazooka

fuzzing/src/main/java/fuzzing/RekorVerifierFuzzer.java

@@ -40,7 +40,6 @@ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
       RekorVerifier verifier = RekorVerifier.newRekorVerifier(tLogs);
 
       verifier.verifyEntry(entry);
-      verifier.verifyInclusionProof(entry);
     } catch (URISyntaxException | RekorParseException | RekorVerificationException e) {
       // Known exception
     }

sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java

@@ -180,17 +180,6 @@ public void verify(byte[] artifactDigest, KeylessVerificationRequest request)
       throw new KeylessVerificationException("Rekor entry signature was not valid");
     }
 
-    // verify any inclusion proof
-    if (rekorEntry.getVerification().getInclusionProof().isPresent()) {
-      try {
-        rekorVerifier.verifyInclusionProof(rekorEntry);
-      } catch (RekorVerificationException ex) {
-        throw new KeylessVerificationException("Rekor entry inclusion proof was not valid");
-      }
-    } else if (request.getVerificationOptions().alwaysUseRemoteRekorEntry()) {
-      throw new KeylessVerificationException("Rekor entry did not contain inclusion proof");
-    }
-
     // check if the time of entry inclusion in the log (a stand-in for signing time) is within the
     // validity period for the certificate
     var entryTime = Date.from(rekorEntry.getIntegratedTimeInstant());

sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java

@@ -43,7 +43,6 @@
 import java.security.cert.CertificateException;
 import java.util.Base64;
 import java.util.List;
-import java.util.Optional;
 import java.util.stream.Collectors;
 import org.bouncycastle.util.encoders.Hex;
 
@@ -127,14 +126,7 @@ private static TransparencyLogEntry.Builder buildTlogEntries(RekorEntry entry) {
 
   private static void addInclusionProof(
       TransparencyLogEntry.Builder transparencyLogEntry, RekorEntry entry) {
-    RekorEntry.InclusionProof inclusionProof =
-        entry
-            .getVerification()
-            .getInclusionProof()
-            .orElseThrow(
-                () ->
-                    new IllegalArgumentException(
-                        "An inclusion proof must be present in the log entry in the signing result"));
+    RekorEntry.InclusionProof inclusionProof = entry.getVerification().getInclusionProof();
     transparencyLogEntry.setInclusionProof(
         InclusionProof.newBuilder()
             .setLogIndex(inclusionProof.getLogIndex())
@@ -166,9 +158,8 @@ static KeylessSignature readBundle(Reader jsonReader) throws BundleParseExceptio
     var bundleEntry = bundle.getVerificationMaterial().getTlogEntries(0);
     RekorEntry.InclusionProof inclusionProof = null;
     if (!bundleEntry.hasInclusionProof()) {
-      if (!bundle.getMediaType().equals(BUNDLE_V_0_1)) {
-        throw new BundleParseException("Could not find an inclusion proof");
-      }
+      // all consumed bundles must have an inclusion proof
+      throw new BundleParseException("Could not find an inclusion proof");
     } else {
       var bundleInclusionProof = bundleEntry.getInclusionProof();
 
@@ -192,7 +183,7 @@ static KeylessSignature readBundle(Reader jsonReader) throws BundleParseExceptio
                 Base64.getEncoder()
                     .encodeToString(
                         bundleEntry.getInclusionPromise().getSignedEntryTimestamp().toByteArray()))
-            .inclusionProof(Optional.ofNullable(inclusionProof))
+            .inclusionProof(inclusionProof)
             .build();
 
     var rekorEntry =

sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorEntry.java

@@ -38,7 +38,8 @@ interface Verification {
     /** Return the signed entry timestamp. */
     String getSignedEntryTimestamp();
 
-    Optional<InclusionProof> getInclusionProof();
+    /** Return the inclusion proof. */
+    InclusionProof getInclusionProof();
   }
 
   /**

sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorVerifier.java

@@ -81,24 +81,15 @@ public void verifyEntry(RekorEntry entry) throws RekorVerificationException {
     } catch (NoSuchAlgorithmException nsae) {
       throw new AssertionError("Required verification algorithm 'SHA256withECDSA' not found.");
     }
+
+    // verify inclusion proof
+    verifyInclusionProof(entry);
   }
 
-  /**
-   * Verify that a Rekor Entry is in the log by checking inclusion proof.
-   *
-   * @param entry the entry to verify
-   * @throws RekorVerificationException if the entry cannot be verified
-   */
-  public void verifyInclusionProof(RekorEntry entry) throws RekorVerificationException {
+  /** Verify that a Rekor Entry is in the log by checking inclusion proof. */
+  private void verifyInclusionProof(RekorEntry entry) throws RekorVerificationException {
 
-    var inclusionProof =
-        entry
-            .getVerification()
-            .getInclusionProof()
-            .orElseThrow(
-                () ->
-                    new RekorVerificationException(
-                        "No inclusion proof was found in the rekor entry"));
+    var inclusionProof = entry.getVerification().getInclusionProof();
 
     var leafHash =
         Hashing.sha256()

sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java

@@ -69,6 +69,7 @@ public void testVerify_mismatchedSet() throws Exception {
 
   @Test
   public void testVerify_canVerifyV01Bundle() throws Exception {
+    // note that this v1 bundle contains an inclusion proof
     verifyBundle(
         "dev/sigstore/samples/bundles/artifact.txt",
         "dev/sigstore/samples/bundles/bundle.v1.sigstore");

sigstore-java/src/test/java/dev/sigstore/bundle/BundleFactoryTest.java

@@ -29,6 +29,15 @@ public void readV1Bundle() throws Exception {
     readBundle("dev/sigstore/samples/bundles/bundle.v1.sigstore");
   }
 
+  @Test
+  public void readV1Bundle_noInclusion() {
+    var ex =
+        Assertions.assertThrows(
+            BundleParseException.class,
+            () -> readBundle("dev/sigstore/samples/bundles/bundle.v1.no.inclusion.sigstore"));
+    Assertions.assertEquals("Could not find an inclusion proof", ex.getMessage());
+  }
+
   @Test
   public void readV2Bundle() throws Exception {
     readBundle("dev/sigstore/samples/bundles/bundle.v2.sigstore");

sigstore-java/src/test/java/dev/sigstore/rekor/client/RekorClientTest.java

@@ -170,11 +170,10 @@ public void getEntry_hashedRekordRequest_byCalculatedUuid() throws Exception {
   private void assertEntry(RekorResponse resp, Optional<RekorEntry> entry) {
     assertTrue(entry.isPresent());
     assertEquals(resp.getEntry().getLogID(), entry.get().getLogID());
-    assertTrue(entry.get().getVerification().getInclusionProof().isPresent());
-    assertNotNull(entry.get().getVerification().getInclusionProof().get().getTreeSize());
-    assertNotNull(entry.get().getVerification().getInclusionProof().get().getRootHash());
-    assertNotNull(entry.get().getVerification().getInclusionProof().get().getLogIndex());
-    assertTrue(entry.get().getVerification().getInclusionProof().get().getHashes().size() > 0);
+    assertNotNull(entry.get().getVerification().getInclusionProof().getTreeSize());
+    assertNotNull(entry.get().getVerification().getInclusionProof().getRootHash());
+    assertNotNull(entry.get().getVerification().getInclusionProof().getLogIndex());
+    assertTrue(entry.get().getVerification().getInclusionProof().getHashes().size() > 0);
   }
 
   @Test

sigstore-java/src/test/java/dev/sigstore/rekor/client/RekorTypesTest.java

@@ -32,15 +32,15 @@ private RekorEntry fromResource(String path) throws Exception {
 
   @Test
   public void getHashedRekord_pass() throws Exception {
-    var entry = fromResource("dev/sigstore/samples/rekor-response/valid/response.json");
+    var entry = fromResource("dev/sigstore/samples/rekor-response/valid/entry.json");
 
     var hashedRekord = RekorTypes.getHashedRekord(entry);
     Assertions.assertNotNull(hashedRekord);
   }
 
   @Test
   public void getHashedRekord_badType() throws Exception {
-    var entry = fromResource("dev/sigstore/samples/rekor-response/valid/jar-response.json");
+    var entry = fromResource("dev/sigstore/samples/rekor-response/valid/jar-entry.json");
 
     var exception =
         Assertions.assertThrows(RekorTypeException.class, () -> RekorTypes.getHashedRekord(entry));

sigstore-java/src/test/java/dev/sigstore/rekor/client/RekorVerifierTest.java

@@ -41,7 +41,6 @@
 
 public class RekorVerifierTest {
   public String rekorResponse;
-  public String rekorQueryResponse;
   public byte[] rekorPub;
 
   public static SigstoreTrustedRoot trustRoot;
@@ -50,15 +49,11 @@ public class RekorVerifierTest {
   public void loadResources() throws IOException {
     rekorResponse =
         Resources.toString(
-            Resources.getResource("dev/sigstore/samples/rekor-response/valid/response.json"),
+            Resources.getResource("dev/sigstore/samples/rekor-response/valid/entry.json"),
             StandardCharsets.UTF_8);
     rekorPub =
         Resources.toByteArray(
             Resources.getResource("dev/sigstore/samples/rekor-response/valid/rekor.pub"));
-    rekorQueryResponse =
-        Resources.toString(
-            Resources.getResource("dev/sigstore/samples/rekor-response/valid/query-response.json"),
-            StandardCharsets.UTF_8);
   }
 
   @BeforeAll
@@ -73,18 +68,10 @@ public static void initTrustRoot() throws IOException, CertificateException {
     trustRoot = SigstoreTrustedRoot.from(builder.build());
   }
 
-  @Test
-  public void verifyEntry_valid() throws Exception {
-    var response = RekorResponse.newRekorResponse(new URI("https://somewhere"), rekorResponse);
-    var verifier = RekorVerifier.newRekorVerifier(trustRoot);
-
-    verifier.verifyEntry(response.getEntry());
-  }
-
   @Test
   public void verifyEntry_invalid() throws Exception {
     // change the logindex
-    var invalidResponse = rekorResponse.replace("79", "80");
+    var invalidResponse = rekorResponse.replace("1688", "1700");
     var response = RekorResponse.newRekorResponse(new URI("https://somewhere"), invalidResponse);
     var verifier = RekorVerifier.newRekorVerifier(trustRoot);
 
@@ -95,29 +82,27 @@ public void verifyEntry_invalid() throws Exception {
   }
 
   @Test
-  public void verifyEntry_withInclusionProof() throws Exception {
-    var response = RekorResponse.newRekorResponse(new URI("https://somewhere"), rekorQueryResponse);
+  public void verifyEntry() throws Exception {
+    var response = RekorResponse.newRekorResponse(new URI("https://somewhere"), rekorResponse);
     var verifier = RekorVerifier.newRekorVerifier(trustRoot);
 
     var entry = response.getEntry();
     verifier.verifyEntry(entry);
-    verifier.verifyInclusionProof(entry);
   }
 
   @Test
   public void verifyEntry_withInvalidInclusionProof() throws Exception {
     // replace a hash in the inclusion proof to make it bad
-    var invalidResponse = rekorQueryResponse.replace("b4439e", "aaaaaa");
+    var invalidResponse = rekorResponse.replace("b4439e", "aaaaaa");
 
     var response = RekorResponse.newRekorResponse(new URI("https://somewhere"), invalidResponse);
     var verifier = RekorVerifier.newRekorVerifier(trustRoot);
 
     var entry = response.getEntry();
-    verifier.verifyEntry(entry);
-
     var thrown =
         Assertions.assertThrows(
-            RekorVerificationException.class, () -> verifier.verifyInclusionProof(entry));
+            RekorVerificationException.class, () -> verifier.verifyEntry(entry));
+
     MatcherAssert.assertThat(
         thrown.getMessage(),
         CoreMatchers.startsWith(