Merge pull request #978 from sigstore/reader-writer

Add RFC3161 timestamps to bundle reader and writer

Author: aaronlew02

sigstore-java/src/main/java/dev/sigstore/bundle/Bundle.java

@@ -185,7 +185,7 @@ interface Signature {
   @Immutable
   public interface Timestamp {
 
-    /** Raw bytes of an rfc31616 timestamp */
+    /** Raw bytes of an rfc3161 timestamp */
     byte[] getRfc3161Timestamp();
   }
 

sigstore-java/src/main/java/dev/sigstore/bundle/BundleReader.java

@@ -177,7 +177,9 @@ static Bundle readBundle(Reader jsonReader) throws BundleParseException {
               .getTimestampVerificationData()
               .getRfc3161TimestampsList()) {
         bundleBuilder.addTimestamps(
-            ImmutableTimestamp.builder().rfc3161Timestamp(timestamp.toByteArray()).build());
+            ImmutableTimestamp.builder()
+                .rfc3161Timestamp(timestamp.getSignedTimestamp().toByteArray())
+                .build());
       }
     }
 

sigstore-java/src/main/java/dev/sigstore/bundle/BundleWriter.java

@@ -20,10 +20,12 @@
 import com.google.protobuf.InvalidProtocolBufferException;
 import com.google.protobuf.util.JsonFormat;
 import dev.sigstore.proto.ProtoMutators;
+import dev.sigstore.proto.bundle.v1.TimestampVerificationData;
 import dev.sigstore.proto.bundle.v1.VerificationMaterial;
 import dev.sigstore.proto.common.v1.HashOutput;
 import dev.sigstore.proto.common.v1.LogId;
 import dev.sigstore.proto.common.v1.MessageSignature;
+import dev.sigstore.proto.common.v1.RFC3161SignedTimestamp;
 import dev.sigstore.proto.common.v1.X509Certificate;
 import dev.sigstore.proto.rekor.v1.Checkpoint;
 import dev.sigstore.proto.rekor.v1.InclusionPromise;
@@ -34,6 +36,7 @@
 import java.security.cert.CertificateEncodingException;
 import java.util.Base64;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
 
 class BundleWriter {
@@ -110,6 +113,8 @@ private static VerificationMaterial.Builder buildVerificationMaterial(Bundle bun
           "Exactly 1 rekor entry must be present in the signing result");
     }
     builder.addTlogEntries(buildTlogEntries(bundle.getEntries().get(0)));
+    buildTimestampVerificationData(bundle.getTimestamps())
+        .ifPresent(data -> builder.setTimestampVerificationData(data));
     return builder;
   }
 
@@ -148,4 +153,23 @@ private static void addInclusionProof(
                     .collect(Collectors.toList()))
             .setCheckpoint(Checkpoint.newBuilder().setEnvelope(inclusionProof.getCheckpoint())));
   }
+
+  private static Optional<TimestampVerificationData> buildTimestampVerificationData(
+      List<Bundle.Timestamp> bundleTimestamps) {
+    if (bundleTimestamps == null || bundleTimestamps.isEmpty()) {
+      return Optional.empty();
+    }
+    TimestampVerificationData.Builder tsvBuilder = TimestampVerificationData.newBuilder();
+    for (Bundle.Timestamp ts : bundleTimestamps) {
+      byte[] tsBytes = ts.getRfc3161Timestamp();
+      if (tsBytes != null && tsBytes.length > 0) {
+        tsvBuilder.addRfc3161Timestamps(
+            RFC3161SignedTimestamp.newBuilder().setSignedTimestamp(ByteString.copyFrom(tsBytes)));
+      }
+    }
+    if (tsvBuilder.getRfc3161TimestampsCount() > 0) {
+      return Optional.of(tsvBuilder.build());
+    }
+    return Optional.empty();
+  }
 }

sigstore-java/src/test/java/dev/sigstore/bundle/BundleReaderTest.java

@@ -87,6 +87,11 @@ public void readDSSEBundle() throws Exception {
     Assertions.assertEquals("https://slsa.dev/provenance/v1", intotoPayload.getPredicateType());
   }
 
+  @Test
+  public void readBundle_timestamp() throws Exception {
+    readBundle("dev/sigstore/samples/bundles/bundle-with-timestamp.sigstore");
+  }
+
   private Bundle readBundle(String resourcePath) throws Exception {
     try (var reader =
         new InputStreamReader(

sigstore-java/src/test/resources/dev/sigstore/samples/bundles/bundle-with-timestamp.sigstore

@@ -0,0 +1,44 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+  "verificationMaterial": {
+    "tlogEntries": [{
+      "logIndex": "42526129",
+      "logId": {
+        "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
+      },
+      "kindVersion": {
+        "kind": "hashedrekord",
+        "version": "0.0.1"
+      },
+      "integratedTime": "1747928754",
+      "inclusionPromise": {
+        "signedEntryTimestamp": "MEUCIQDb6hFD6jFyxQkhaTwmhZff4OEsCRGzrJDUzpZegs3jawIgb3zIyIG6Jl668RiBWl1ruYJe+1zmL2eDItz/8B6xpN0="
+      },
+      "inclusionProof": {
+        "logIndex": "10843717",
+        "rootHash": "RHR6sLAcLFR3TSZvk7xjQNhhJcvIJ9vdGUaLzI2lPnQ=",
+        "treeSize": "10843718",
+        "hashes": ["7detk7zciZ8J25BEY8vnk3Q++C939iksS9riXXDjLgA=", "aAG4ljdHqt6d4fSfWKCEc1gZ6KbrzL+5/LfeJDNDPS0=", "IfARZxUnm+0Ca2AZPbdVK6gcrWRTrC1gyH5j4immJbs=", "nJ7X9be7ongRfyJWHcM5SkDHab0Z7pIOAcbu39U6S7Q=", "vFPYRnY3euO/rJBLyB2FSQ6SGWhUlBKxlWiEa+6Zob8=", "1bnzlpz1mUbCBkGSgZWTHMRvywOoCYdVf8S+fZPCnKs=", "rX5Ef4SVBizgYyu1+QRR4GTPYJwreTrY2gRNd3elTmE=", "bI8RkKJpochUYXwnNqOOUvrkcJuRhIbnPDaVcl3Ej1c=", "iy7T8tqDDvtO+yXkGSlT0aWzNoZ6ExItEs+EOgI4kC0=", "ilFXtFIHdJH0+r+CQ/dG37NJepm0LsZqJrAd3MGR5uA=", "3itMWeZPQXMyYki8lnPZVbzzneXD3w/xvhQsm7VP1ck=", "OdoqbUqBYHhj2W1RLM8APkQOnM2K9gzGm1KPFmwIIeQ="],
+        "checkpoint": {
+          "envelope": "rekor.sigstage.dev - 8202293616175992157\n10843718\nRHR6sLAcLFR3TSZvk7xjQNhhJcvIJ9vdGUaLzI2lPnQ\u003d\n\n— rekor.sigstage.dev 0y8wozBFAiA6lsxGcHHUCsYG7eHrwuXkKxu6c9kYGOkoppCzS9rrPAIhALr8TeKA0pmvaUo+oXzYmTRdUIWBVn3gJOiuYQPQksos\n"
+        }
+      },
+      "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJhMGNmYzcxMjcxZDZlMjc4ZTU3Y2QzMzJmZjk1N2MzZjcwNDNmZGRhMzU0YzRjYmIxOTBhMzBkNTZlZmEwMWJmIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNMbldZdDNmL0FFWmVYbThvWkpsUXVZaEZMTFF6TDZPeVFGc2JRUHYrMnl3SWdaZk1ZRHVWVkpEejFVQ1UvYUxTSXg0aFhEUVlZSkVkbHFUMDllSlpMUlRnPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4UFowRjNTVUpCWjBsVlpXZDRZMlpQVm5GNk1XTnFlamx1V1hNeE1UWkJlQ3RNYlZCTmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZkMDVVU1hsTlZGVXdUbFJWZWxkb1kwNU5hbFYzVGxSSmVVMVVWVEZPVkZWNlYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZ5WW1SUk0xQXZaMEY1YW00MmNFczFWRmhEZEc1cGNVeDZPRXB1V25WcU1YbE9jM01LVkhKbVNHTm1lVWx0UWtrMVkyeGthR0ZqU1V3cmJXUktSR1JzTUVSTk1UbENOMkpLT0hwNFprWmhaSFZoWlRoUmNXRlBRMEZZU1hkblowWjFUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZXUVhwYUNtaFNUVmxzYTJGaFFrWnNRM0JJT0dnMk1UZHJLMWRyZDBoM1dVUldVakJxUWtKbmQwWnZRVlZqV1ZsM2NHaFNPRmx0THpVNU9XSXdRbEp3TDFndkwzSUtZalozZDBsUldVUldVakJTUVZGSUwwSkNZM2RHV1VWVVdWZEdlV0l5TlhOYVdHUkJXakk1ZGxveWVHeE1iVTUyWWxSQmNFSm5iM0pDWjBWRlFWbFBMd3BOUVVWQ1FrSjBiMlJJVW5kamVtOTJUREpHYWxreU9URmlibEo2VEcxa2RtSXlaSE5hVXpWcVlqSXdkMHQzV1V0TGQxbENRa0ZIUkhaNlFVSkRRVkZrQ2tSQ2RHOWtTRkozWTNwdmRrd3lSbXBaTWpreFltNVNla3h0WkhaaU1tUnpXbE0xYW1JeU1IZG5XWE5IUTJselIwRlJVVUl4Ym10RFFrRkpSV1pSVWpjS1FVaHJRV1IzUVhKTlRIcGpZVWxxU2pSMVNGbEthV3hsWkVJNVNVOVVSMWRCZGt0alRUaDBaVkV3UkN0emNYbEhaV2RCUVVGYVlqUnlRMk55UVVGQlJRcEJkMEpKVFVWWlEwbFJRelkzYzNkRVIyTmFhMEZGTVZSblJYVkRPRW93YUhOWU1VNXFWa3hNYTFGeVZreDJhMlJLU1dwQ1JGRkphRUZQZUVoU1VsRkdDakJsVFdoMlFrbGpjV0ZKY201c2QwZEVkMVEyZHlzM2VXWlFZWGhWS3pkUWNVbFhaVTFCYjBkRFEzRkhVMDAwT1VKQlRVUkJNbXRCVFVkWlEwMVJSRFVLZHpVeVdUZHFWVFpyZEN0R1NsaHZaMjU2WkVoMVRHWkdibFpVYlZsTFFVNXNXRTFaTVhORmRGUXpVRXd3UTIxQ1dEUmxhMDFDTlhkc05qVlJlbVJ6UXdwTlVVTkRWbWMxU25wRmJFWnhPV1ZCU3prcmNsRkxNMkZoT1ZwTlEwZGxValoyWTFoVlVVdDVUVUpCY2s5eVFXcEthMUpGZEhWMFJuTlljMWQwZVVndkNrbFdhejBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="
+    }],
+    "timestampVerificationData": {
+      "rfc3161Timestamps": [{
+        "signedTimestamp": "MIIC1DADAgEAMIICywYJKoZIhvcNAQcCoIICvDCCArgCAQMxDTALBglghkgBZQMEAgEwgcIGCyqGSIb3DQEJEAEEoIGyBIGvMIGsAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQg+W1ptazwQEH3WWJYvSD8k7mBD0sukwxxLoY1O797LQ8CFQCNmL6bHDPfDLI1pYdm/HYTm+g/iBgPMjAyNTA1MjIxNTQ1NTRaMAMCAQECCFWBYCIgMDUnoDKkMDAuMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxFTATBgNVBAMTDHNpZ3N0b3JlLXRzYaAAMYIB2zCCAdcCAQEwUTA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQKNaEGYdXiQXPGiZan8n3yfgN8pzALBglghkgBZQMEAgGggfwwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNTA1MjIxNTQ1NTRaMC8GCSqGSIb3DQEJBDEiBCBBoLsCXV9DBcEGu5MDDDPOyNn8BZepkpDg6kZQUEYMlTCBjgYLKoZIhvcNAQkQAi8xfzB9MHsweQQgBvT/4Ef+s1mZtzOw16MjUBz8GOTAM2aoRdd1NudLJ0QwVTA9pDswOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZAIUCjWhBmHV4kFzxomWp/J98n4DfKcwCgYIKoZIzj0EAwIEZzBlAjBarxOk09BZ6k3/IRcCRiZ2uEDLkWrN7+BTW4NJw0+h0hRaUd7DGlNpsd3Kne6HokwCMQCba5x2yv6vm9a/1wfuxa0+mEyv6NcIcdi4ESi+4jIQPTIEfefhgADA/U6vhpD3a24="
+      }]
+    },
+    "certificate": {
+      "rawBytes": "MIICzjCCAlOgAwIBAgIUegxcfOVqz1cjz9nYs116Ax+LmPMwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNTIyMTU0NTUzWhcNMjUwNTIyMTU1NTUzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErbdQ3P/gAyjn6pK5TXCtniqLz8JnZuj1yNssTrfHcfyImBI5cldhacIL+mdJDdl0DM19B7bJ8zxfFaduae8QqaOCAXIwggFuMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUVAzZhRMYlkaaBFlCpH8h617k+WkwHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIQYDVR0RAQH/BBcwFYETYWFyb25sZXdAZ29vZ2xlLmNvbTApBgorBgEEAYO/MAEBBBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wKwYKKwYBBAGDvzABCAQdDBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wgYsGCisGAQQB1nkCBAIEfQR7AHkAdwArMLzcaIjJ4uHYJiledB9IOTGWAvKcM8teQ0D+sqyGegAAAZb4rCcrAAAEAwBIMEYCIQC67swDGcZkAE1TgEuC8J0hsX1NjVLLkQrVLvkdJIjBDQIhAOxHRRQF0eMhvBIcqaIrnlwGDwT6w+7yfPaxU+7PqIWeMAoGCCqGSM49BAMDA2kAMGYCMQD5w52Y7jU6kt+FJXognzdHuLfFnVTmYKANlXMY1sEtT3PL0CmBX4ekMB5wl65QzdsCMQCCVg5JzElFq9eAK9+rQK3aa9ZMCGeR6vcXUQKyMBArOrAjJkREtutFsXsWtyH/IVk="
+    }
+  },
+  "messageSignature": {
+    "messageDigest": {
+      "algorithm": "SHA2_256",
+      "digest": "oM/HEnHW4njlfNMy/5V8P3BD/do1TEy7GQow1W76Ab8="
+    },
+    "signature": "MEUCIQCLnWYt3f/AEZeXm8oZJlQuYhFLLQzL6OyQFsbQPv+2ywIgZfMYDuVVJDz1UCU/aLSIx4hXDQYYJEdlqT09eJZLRTg="
+  }
+}