Add interfaces for sigstore trusted_root (#430)

This should allow us to use it as the source for all validation
materials from TUF.

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/proto/ProtoMutators.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.proto;
+
+import com.google.protobuf.Timestamp;
+import dev.sigstore.encryption.certificates.Certificates;
+import dev.sigstore.proto.common.v1.X509Certificate;
+import java.security.cert.CertPath;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
+
+public class ProtoMutators {
+
+  public static CertPath toCertPath(List<X509Certificate> certificates)
+      throws CertificateException {
+    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+    List<Certificate> converted = new ArrayList<>(certificates.size());
+    for (var cert : certificates) {
+      converted.add(Certificates.fromDer(cert.getRawBytes().toByteArray()));
+    }
+    return cf.generateCertPath(converted);
+  }
+
+  public static Instant toInstant(Timestamp timestamp) {
+    return Instant.ofEpochSecond(timestamp.getSeconds(), timestamp.getNanos());
+  }
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/CertificateAuthority.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import dev.sigstore.proto.ProtoMutators;
+import java.net.URI;
+import java.security.cert.CertPath;
+import java.security.cert.CertificateException;
+import org.immutables.value.Value.Immutable;
+
+@Immutable
+public interface CertificateAuthority {
+  CertPath getCertPath();
+
+  URI getUri();
+
+  ValidFor getValidFor();
+
+  Subject getSubject();
+
+  static CertificateAuthority from(dev.sigstore.proto.trustroot.v1.CertificateAuthority proto)
+      throws CertificateException {
+    return ImmutableCertificateAuthority.builder()
+        .certPath(ProtoMutators.toCertPath(proto.getCertChain().getCertificatesList()))
+        .validFor(ValidFor.from(proto.getValidFor()))
+        .uri(URI.create(proto.getUri()))
+        .subject(Subject.from(proto.getSubject()))
+        .build();
+  }
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/LogId.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import org.immutables.value.Value.Immutable;
+
+@Immutable
+public interface LogId {
+  byte[] getKeyId();
+
+  static LogId from(dev.sigstore.proto.common.v1.LogId proto) {
+    return ImmutableLogId.builder().keyId(proto.getKeyId().toByteArray()).build();
+  }
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import dev.sigstore.encryption.Keys;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import org.immutables.value.Value.Immutable;
+
+@Immutable
+public interface PublicKey {
+  byte[] getRawBytes();
+
+  String getKeyDetails();
+
+  ValidFor getValidFor();
+
+  static PublicKey from(dev.sigstore.proto.common.v1.PublicKey proto) {
+    return ImmutablePublicKey.builder()
+        .rawBytes(proto.getRawBytes().toByteArray())
+        .keyDetails(proto.getKeyDetails().name())
+        .validFor(ValidFor.from(proto.getValidFor()))
+        .build();
+  }
+
+  static java.security.PublicKey toJavaPublicKey(PublicKey publicKey)
+      throws InvalidKeySpecException, NoSuchAlgorithmException {
+    if (!publicKey.getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) {
+      throw new InvalidKeySpecException("Unsupported key algorithm: " + publicKey.getKeyDetails());
+    }
+    return Keys.parsePkixPublicKey(publicKey.getRawBytes(), "EC");
+  }
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreTrustedRoot.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import dev.sigstore.proto.trustroot.v1.TrustedRoot;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+import org.immutables.value.Value.Immutable;
+
+@Immutable
+public interface SigstoreTrustedRoot {
+
+  List<CertificateAuthority> getCertificateAuthorities();
+
+  List<TransparencyLog> getTLogs();
+
+  List<TransparencyLog> getCTLogs();
+
+  static SigstoreTrustedRoot from(TrustedRoot proto) throws CertificateException {
+    List<CertificateAuthority> certificateAuthorities =
+        new ArrayList<>(proto.getCertificateAuthoritiesCount());
+    for (var certAuthority : proto.getCertificateAuthoritiesList()) {
+      certificateAuthorities.add(CertificateAuthority.from(certAuthority));
+    }
+    var tlogs =
+        proto.getTlogsList().stream().map(TransparencyLog::from).collect(Collectors.toList());
+    var ctlogs =
+        proto.getCtlogsList().stream().map(TransparencyLog::from).collect(Collectors.toList());
+
+    return ImmutableSigstoreTrustedRoot.builder()
+        .certificateAuthorities(certificateAuthorities)
+        .tLogs(tlogs)
+        .cTLogs(ctlogs)
+        .build();
+  }
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/Subject.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import dev.sigstore.proto.common.v1.DistinguishedName;
+import org.immutables.value.Value.Immutable;
+
+@Immutable
+interface Subject {
+  String getOrganization();
+
+  String getCommonName();
+
+  static Subject from(DistinguishedName proto) {
+    return ImmutableSubject.builder()
+        .commonName(proto.getCommonName())
+        .organization(proto.getOrganization())
+        .build();
+  }
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/TransparencyLog.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import static org.immutables.value.Value.*;
+
+import dev.sigstore.proto.trustroot.v1.TransparencyLogInstance;
+import java.net.URI;
+
+@Immutable
+public interface TransparencyLog {
+  URI getBaseUrl();
+
+  String getHashAlgorithm();
+
+  LogId getLogId();
+
+  PublicKey getPublicKey();
+
+  static TransparencyLog from(TransparencyLogInstance proto) {
+    return ImmutableTransparencyLog.builder()
+        .baseUrl(URI.create(proto.getBaseUrl()))
+        .hashAlgorithm(proto.getHashAlgorithm().name())
+        .logId(LogId.from(proto.getLogId()))
+        .publicKey(PublicKey.from(proto.getPublicKey()))
+        .build();
+  }
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/ValidFor.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import dev.sigstore.proto.ProtoMutators;
+import dev.sigstore.proto.common.v1.TimeRange;
+import java.time.Instant;
+import java.util.Optional;
+import org.immutables.value.Value.Immutable;
+
+@Immutable
+public interface ValidFor {
+  Instant getStart();
+
+  Optional<Instant> getEnd();
+
+  static ValidFor from(TimeRange proto) {
+    return ImmutableValidFor.builder()
+        .start(ProtoMutators.toInstant(proto.getStart()))
+        .end(
+            proto.hasEnd()
+                ? Optional.of(ProtoMutators.toInstant(proto.getEnd()))
+                : Optional.empty())
+        .build();
+  }
+}

sigstore-java/src/main/java/dev/sigstore/tuf/SigstoreTufClient.java

@@ -20,6 +20,7 @@
 import com.google.common.io.Resources;
 import com.google.protobuf.util.JsonFormat;
 import dev.sigstore.proto.trustroot.v1.TrustedRoot;
+import dev.sigstore.trustroot.SigstoreTrustedRoot;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
@@ -28,6 +29,7 @@
 import java.nio.file.Path;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
 import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
 import java.time.Instant;
@@ -40,9 +42,9 @@ public class SigstoreTufClient {
 
   @VisibleForTesting static final String TRUST_ROOT_FILENAME = "trusted_root.json";
 
-  private Updater updater;
+  private final Updater updater;
   private Instant lastUpdate;
-  private TrustedRoot sigstoreTrustedRoot;
+  private SigstoreTrustedRoot sigstoreTrustedRoot;
   private final Duration cacheValidity;
 
   @VisibleForTesting
@@ -117,7 +119,8 @@ public SigstoreTufClient build() throws IOException {
    * defined on the client.
    */
   public void update()
-      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException,
+          CertificateException {
     if (lastUpdate == null
         || Duration.between(lastUpdate, Instant.now()).compareTo(cacheValidity) > 0) {
       this.forceUpdate();
@@ -126,7 +129,8 @@ public void update()
 
   /** Force an update, ignoring any cache validity. */
   public void forceUpdate()
-      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException,
+          CertificateException {
     updater.update();
     lastUpdate = Instant.now();
     var trustedRootBuilder = TrustedRoot.newBuilder();
@@ -135,10 +139,10 @@ public void forceUpdate()
             new String(
                 updater.getLocalStore().getTargetFile(TRUST_ROOT_FILENAME), StandardCharsets.UTF_8),
             trustedRootBuilder);
-    sigstoreTrustedRoot = trustedRootBuilder.build();
+    sigstoreTrustedRoot = SigstoreTrustedRoot.from(trustedRootBuilder.build());
   }
 
-  public TrustedRoot getSigstoreTrustedRoot() {
+  public SigstoreTrustedRoot getSigstoreTrustedRoot() {
     return sigstoreTrustedRoot;
   }
 }