Move v2 clients to standard

- Change all *V2 clients to be default.
- Remove old clients that didn't use TUF
- Merge fulcio cert and sct checks into single check via api

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

fuzzing/build.gradle.kts

@@ -9,6 +9,7 @@ repositories {
 dependencies {
     implementation(project(":sigstore-java"))
     implementation("com.code-intelligence:jazzer-api:0.20.1")
+    implementation("com.google.guava:guava:31.1-jre")
 }
 
 // copy to the fuzzing builder's output directory. This is an existing directory with

fuzzing/src/main/java/fuzzing/FulcioVerifierFuzzer.java

@@ -29,24 +29,24 @@
 import java.security.spec.InvalidKeySpecException;
 import java.util.ArrayList;
 import java.util.List;
+import util.Tuf;
 
 public class FulcioVerifierFuzzer {
   public static void fuzzerTestOneInput(FuzzedDataProvider data) {
     try {
       int[] intArray = data.consumeInts(data.consumeInt(1, 10));
-      byte[] byteArray = data.consumeRemainingAsBytes();
 
-      List<Certificate> certList = new ArrayList<Certificate>();
-      List<byte[]> byteArrayList = new ArrayList<byte[]>();
+      var cas = Tuf.certificateAuthoritiesFrom(data);
+      var ctLogs = Tuf.transparencyLogsFrom(data);
 
+      byte[] byteArray = data.consumeRemainingAsBytes();
+      List<Certificate> certList = new ArrayList<Certificate>();
       CertificateFactory cf = CertificateFactory.getInstance("X.509");
       certList.add(cf.generateCertificate(new ByteArrayInputStream(byteArray)));
       certList.add(cf.generateCertificate(new ByteArrayInputStream(byteArray)));
-      byteArrayList.add(byteArray);
-      byteArrayList.add(byteArray);
 
       SigningCertificate sc = SigningCertificate.from(cf.generateCertPath(certList));
-      FulcioVerifier fv = FulcioVerifier.newFulcioVerifier(byteArray, byteArrayList);
+      FulcioVerifier fv = FulcioVerifier.newFulcioVerifier(cas, ctLogs);
 
       for (int choice : intArray) {
         switch (choice % 4) {
@@ -56,11 +56,8 @@ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
           case 1:
             sc.getLeafCertificate();
             break;
-          case 2:
-            fv.verifySct(sc);
-            break;
           case 3:
-            fv.verifyCertChain(sc);
+            fv.verifySigningCertificate(sc);
             break;
         }
       }

fuzzing/src/main/java/fuzzing/RekorVerifierFuzzer.java

@@ -21,33 +21,27 @@
 import dev.sigstore.rekor.client.RekorResponse;
 import dev.sigstore.rekor.client.RekorVerificationException;
 import dev.sigstore.rekor.client.RekorVerifier;
-import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
-import java.security.NoSuchAlgorithmException;
-import java.security.spec.InvalidKeySpecException;
+import util.Tuf;
 
 public class RekorVerifierFuzzer {
   private static final String URL = "https://false.url.for.RekorTypes.fuzzing.com";
 
   public static void fuzzerTestOneInput(FuzzedDataProvider data) {
     try {
+      var tLogs = Tuf.transparencyLogsFrom(data);
       byte[] byteArray = data.consumeRemainingAsBytes();
       String string = new String(byteArray, StandardCharsets.UTF_8);
 
       URI uri = new URI(URL);
       RekorEntry entry = RekorResponse.newRekorResponse(uri, string).getEntry();
-      RekorVerifier verifier = RekorVerifier.newRekorVerifier(byteArray);
+      RekorVerifier verifier = RekorVerifier.newRekorVerifier(tLogs);
 
       verifier.verifyEntry(entry);
       verifier.verifyInclusionProof(entry);
-    } catch (URISyntaxException
-        | InvalidKeySpecException
-        | NoSuchAlgorithmException
-        | IOException
-        | RekorParseException
-        | RekorVerificationException e) {
+    } catch (URISyntaxException | RekorParseException | RekorVerificationException e) {
       // Known exception
     }
   }

fuzzing/src/main/java/util/Tuf.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package util;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.google.common.hash.Hashing;
+import dev.sigstore.trustroot.CertificateAuthorities;
+import dev.sigstore.trustroot.CertificateAuthority;
+import dev.sigstore.trustroot.ImmutableCertificateAuthorities;
+import dev.sigstore.trustroot.ImmutableCertificateAuthority;
+import dev.sigstore.trustroot.ImmutableLogId;
+import dev.sigstore.trustroot.ImmutablePublicKey;
+import dev.sigstore.trustroot.ImmutableSubject;
+import dev.sigstore.trustroot.ImmutableTransparencyLog;
+import dev.sigstore.trustroot.ImmutableTransparencyLogs;
+import dev.sigstore.trustroot.ImmutableValidFor;
+import dev.sigstore.trustroot.TransparencyLog;
+import dev.sigstore.trustroot.TransparencyLogs;
+import java.io.ByteArrayInputStream;
+import java.net.URI;
+import java.security.cert.CertPath;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
+
+public final class Tuf {
+
+  // arbitrarily decided max certificate size in bytes
+  private static final int MAX_CERT_SIZE = 10240;
+
+  // ecdsa key size in bytes
+  private static final int ECDSA_KEY_BYTES = 91;
+
+  public static TransparencyLogs transparencyLogsFrom(FuzzedDataProvider data) {
+    return ImmutableTransparencyLogs.builder().addTransparencyLog(genTlog(data)).build();
+  }
+
+  public static CertificateAuthorities certificateAuthoritiesFrom(FuzzedDataProvider data)
+      throws CertificateException {
+    return ImmutableCertificateAuthorities.builder().addCertificateAuthority(genCA(data)).build();
+  }
+
+  private static CertPath genCertPath(FuzzedDataProvider data) throws CertificateException {
+    List<Certificate> certList = new ArrayList<Certificate>();
+    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+    certList.add(
+        cf.generateCertificate(new ByteArrayInputStream(data.consumeBytes(MAX_CERT_SIZE))));
+    certList.add(
+        cf.generateCertificate(new ByteArrayInputStream(data.consumeBytes(MAX_CERT_SIZE))));
+    return cf.generateCertPath(certList);
+  }
+
+  private static CertificateAuthority genCA(FuzzedDataProvider data) throws CertificateException {
+    return ImmutableCertificateAuthority.builder()
+        .validFor(ImmutableValidFor.builder().start(Instant.EPOCH).build())
+        .subject(ImmutableSubject.builder().commonName("test").organization("test").build())
+        .certPath(genCertPath(data))
+        .uri(URI.create("test"))
+        .build();
+  }
+
+  private static TransparencyLog genTlog(FuzzedDataProvider data) {
+    var pk =
+        ImmutablePublicKey.builder()
+            .keyDetails("PKIX_ECDSA_P256_SHA_256")
+            .rawBytes(data.consumeBytes(ECDSA_KEY_BYTES))
+            .validFor(ImmutableValidFor.builder().start(Instant.EPOCH).build())
+            .build();
+    var logId = Hashing.sha256().hashBytes(pk.getRawBytes()).asBytes();
+    return ImmutableTransparencyLog.builder()
+        .baseUrl(URI.create("test"))
+        .hashAlgorithm("SHA2_256")
+        .publicKey(pk)
+        .logId(ImmutableLogId.builder().keyId(logId).build())
+        .build();
+  }
+}

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/work/SignWorkAction.kt

@@ -19,6 +19,7 @@ package dev.sigstore.sign.work
 import dev.sigstore.KeylessSigner
 import dev.sigstore.bundle.BundleFactory
 import dev.sigstore.oidc.client.OidcClient
+import dev.sigstore.oidc.client.OidcClients
 import dev.sigstore.sign.OidcClientConfiguration
 import org.gradle.api.file.RegularFileProperty
 import org.gradle.api.provider.Property
@@ -50,8 +51,7 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
         val signer = clients.computeIfAbsent(oidcClient.key()) {
             KeylessSigner.builder().apply {
                 sigstorePublicDefaults()
-                @Suppress("DEPRECATION")
-                oidcClient(oidcClient.build() as OidcClient)
+                oidcClients(OidcClients.of(oidcClient.build() as OidcClient))
             }.build()
         }