Merge pull request #701 from sigstore/bundle_first_class

Make bundle a first class type -- part 1

Author: loosebazooka

fuzzing/src/main/java/fuzzing/BundleFactoryFuzzer.java renamed to fuzzing/src/main/java/fuzzing/BundleReaderFuzzer.java

@@ -16,15 +16,15 @@
 package fuzzing;
 
 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.bundle.BundleFactory;
+import dev.sigstore.bundle.Bundle;
 import dev.sigstore.bundle.BundleParseException;
 import java.io.StringReader;
 
-public class BundleFactoryFuzzer {
+public class BundleReaderFuzzer {
   public static void fuzzerTestOneInput(FuzzedDataProvider data) {
     try {
       String string = data.consumeRemainingAsString();
-      BundleFactory.createBundle(BundleFactory.readBundle(new StringReader(string)));
+      Bundle.from(new StringReader(string));
     } catch (BundleParseException | IllegalArgumentException e) {
       // Known exception
     }

fuzzing/src/main/java/fuzzing/BundleVerifierFuzzer.java

@@ -22,7 +22,7 @@ public class BundleVerifierFuzzer {
   public static void fuzzerTestOneInput(FuzzedDataProvider data) {
     try {
       String string = data.consumeRemainingAsString();
-      BundleVerifier.findMissingFields(string);
+      BundleVerifier.allMissingFields(string);
     } catch (IllegalArgumentException e) {
       // Known exception
     }

sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java

@@ -16,7 +16,7 @@
 package dev.sigstore.cli;
 
 import dev.sigstore.KeylessSigner;
-import dev.sigstore.bundle.BundleFactory;
+import dev.sigstore.bundle.Bundle;
 import dev.sigstore.encryption.certificates.Certificates;
 import dev.sigstore.oidc.client.OidcClients;
 import java.nio.charset.StandardCharsets;
@@ -77,7 +77,7 @@ public Integer call() throws Exception {
     } else {
       Files.write(
           signatureFiles.bundleFile,
-          BundleFactory.createBundle(signingResult).getBytes(StandardCharsets.UTF_8));
+          Bundle.from(signingResult).toJson().getBytes(StandardCharsets.UTF_8));
     }
     return 0;
   }

sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java

@@ -24,7 +24,7 @@
 import dev.sigstore.KeylessVerificationRequest.CertificateIdentity;
 import dev.sigstore.KeylessVerificationRequest.VerificationOptions;
 import dev.sigstore.KeylessVerifier;
-import dev.sigstore.bundle.BundleFactory;
+import dev.sigstore.bundle.Bundle;
 import dev.sigstore.encryption.certificates.Certificates;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
@@ -101,9 +101,9 @@ public Integer call() throws Exception {
       keylessSignature =
           KeylessSignature.builder().signature(signature).certPath(certPath).digest(digest).build();
     } else {
-      keylessSignature =
-          BundleFactory.readBundle(
-              newReader(signatureFiles.bundleFile.toFile(), StandardCharsets.UTF_8));
+      Bundle bundle =
+          Bundle.from(newReader(signatureFiles.bundleFile.toFile(), StandardCharsets.UTF_8));
+      keylessSignature = bundle.toKeylessSignature();
     }
 
     var verificationOptionsBuilder = VerificationOptions.builder();

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/work/SignWorkAction.kt

@@ -17,7 +17,7 @@
 package dev.sigstore.sign.work
 
 import dev.sigstore.KeylessSigner
-import dev.sigstore.bundle.BundleFactory
+import dev.sigstore.bundle.Bundle
 import dev.sigstore.oidc.client.OidcClient
 import dev.sigstore.oidc.client.OidcClients
 import dev.sigstore.sign.OidcClientConfiguration
@@ -56,7 +56,7 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
         }
 
         val result = signer.signFile(inputFile.toPath())
-        val bundleJson = BundleFactory.createBundle(result)
+        val bundleJson = Bundle.from(result).toJson()
         parameters.outputSignature.get().asFile.writeText(bundleJson)
     }
 }

sigstore-java/src/main/java/dev/sigstore/bundle/Bundle.java

@@ -0,0 +1,189 @@
+/*
+ * Copyright 2024 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.bundle;
+
+import com.google.common.base.Preconditions;
+import dev.sigstore.KeylessSignature;
+import dev.sigstore.rekor.client.RekorEntry;
+import java.io.Reader;
+import java.security.cert.CertPath;
+import java.util.List;
+import java.util.Optional;
+import org.immutables.value.Value;
+import org.immutables.value.Value.Immutable;
+import org.immutables.value.Value.Lazy;
+
+/**
+ * A representation of sigstore signing materials. See <a
+ * href="https://github.com/sigstore/protobuf-specs">protobuf-specs</a>
+ */
+@Immutable
+public abstract class Bundle {
+
+  public enum HashAlgorithm {
+    SHA2_256
+  }
+
+  static final String BUNDLE_V_0_1 = "application/vnd.dev.sigstore.bundle+json;version=0.1";
+  static final String BUNDLE_V_0_2 = "application/vnd.dev.sigstore.bundle+json;version=0.2";
+  static final String BUNDLE_V_0_3 = "application/vnd.dev.sigstore.bundle+json;version=0.3";
+  // media_type format switch: https://github.com/sigstore/protobuf-specs/pull/279
+  static final String BUNDLE_V_0_3_1 = "application/vnd.dev.sigstore.bundle.v0.3+json";
+  static final List<String> SUPPORTED_MEDIA_TYPES =
+      List.of(BUNDLE_V_0_1, BUNDLE_V_0_2, BUNDLE_V_0_3, BUNDLE_V_0_3_1);
+
+  /** The bundle version */
+  public abstract String getMediaType();
+
+  /** A signature represented as a signature and digest */
+  public abstract Optional<MessageSignature> getMessageSignature();
+
+  /** A DSSE envelope signature type that may contain an arbitrary payload */
+  public abstract Optional<DSSESignature> getDSSESignature();
+
+  @Value.Check
+  protected void checkOnlyOneSignature() {
+    Preconditions.checkState(
+        (getDSSESignature().isEmpty() && getMessageSignature().isPresent())
+            || (getDSSESignature().isPresent() && getMessageSignature().isEmpty()));
+  }
+
+  @Value.Check
+  protected void checkAtLeastOneTimestamp() {
+    for (var entry : getEntries()) {
+      if (entry.getVerification().getSignedEntryTimestamp() != null) {
+        return;
+      }
+    }
+    if (getTimestamps().size() > 0) {
+      return;
+    }
+    throw new IllegalStateException("No timestamp verification (set, timestamp) was provided");
+  }
+
+  /**
+   * The partial certificate chain provided by fulcio for the public key and identity used to sign
+   * the artifact, this should NOT contain the trusted root or any trusted intermediates. But users
+   * of this object should understand that older signatures may include the full chain.
+   */
+  public abstract CertPath getCertPath();
+
+  /**
+   * The entry in the rekor transparency log (represented as a list for future compatibility, but
+   * currently only allow for at most one entry.
+   */
+  public abstract List<RekorEntry> getEntries();
+
+  /** A list of timestamps to verify the time of signing. Currently, allows rfc3161 timestamps. */
+  public abstract List<Timestamp> getTimestamps();
+
+  @Immutable
+  interface MessageSignature {
+
+    /**
+     * An optional message digest, this should not be used to verify signature validity. A digest
+     * should be provided or computed by the system.
+     */
+    Optional<MessageDigest> getMessageDigest();
+
+    /** Signature over an artifact. */
+    byte[] getSignature();
+  }
+
+  @Immutable
+  interface MessageDigest {
+
+    /** The algorithm used to compute the digest. */
+    HashAlgorithm getHashAlgorithm();
+
+    /**
+     * The raw bytes of the digest computer using the hashing algorithm described by {@link
+     * #getHashAlgorithm()}
+     */
+    byte[] getDigest();
+  }
+
+  @Immutable
+  interface DSSESignature {
+
+    /** An arbitrary payload that does not need to be parsed to be validated */
+    String getPayload();
+
+    /** Information on how to interpret the payload */
+    String getPayloadType();
+
+    /** DSSE specific signature */
+    byte[] getSignature();
+  }
+
+  @Immutable
+  interface Timestamp {
+
+    /** Raw bytes of an rfc31616 timestamp */
+    byte[] getRfc3161Timestamp();
+  }
+
+  public static Bundle from(Reader bundleJson) throws BundleParseException {
+    return BundleReader.readBundle(bundleJson);
+  }
+
+  @Lazy
+  public String toJson() {
+    return BundleWriter.writeBundle(this);
+  }
+
+  /** Compat method to convert from keyless signature. Don't use, will be removed. */
+  public static Bundle from(KeylessSignature keylessSignature) {
+    var sig =
+        ImmutableMessageSignature.builder()
+            .messageDigest(
+                ImmutableMessageDigest.builder()
+                    .hashAlgorithm(HashAlgorithm.SHA2_256)
+                    .digest(keylessSignature.getDigest())
+                    .build())
+            .signature(keylessSignature.getSignature())
+            .build();
+
+    return ImmutableBundle.builder()
+        .mediaType(BUNDLE_V_0_3_1)
+        .messageSignature(sig)
+        .addEntries(keylessSignature.getEntry().get())
+        .certPath(keylessSignature.getCertPath())
+        .build();
+  }
+
+  /** Compat method to convert to keyless signature. Don't use, will be removed. */
+  @Lazy
+  public KeylessSignature toKeylessSignature() {
+    if (getDSSESignature().isPresent()) {
+      throw new IllegalStateException("This client can't process bundles with DSSE signatures.");
+    }
+    if (getTimestamps().size() >= 1) {
+      throw new IllegalStateException("This client can't process bundles with RFC3161 Timestamps");
+    }
+    var builder =
+        KeylessSignature.builder()
+            .certPath(getCertPath())
+            .signature(getMessageSignature().get().getSignature())
+            .entry(getEntries().get(0));
+    if (getMessageSignature().get().getMessageDigest().isPresent()) {
+      builder.digest(getMessageSignature().get().getMessageDigest().get().getDigest());
+    } else {
+      builder.digest();
+    }
+    return builder.build();
+  }
+}

sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The Sigstore Authors.
+ * Copyright 2024 The Sigstore Authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,54 +15,11 @@
  */
 package dev.sigstore.bundle;
 
-import com.google.protobuf.InvalidProtocolBufferException;
 import dev.sigstore.KeylessSignature;
-import dev.sigstore.proto.bundle.v1.Bundle;
-import java.io.Reader;
-import java.util.List;
 
-/**
- * Generates Sigstore Bundle.
- *
- * @see <a href="https://github.com/sigstore/protobuf-specs">Sigstore Bundle Protobuf
- *     specifications</a>
- */
+/** Compat class, needed for build to continue to work while we make API changes. */
 public class BundleFactory {
-  /**
-   * Generates Sigstore Bundle JSON from {@link KeylessSignature}.
-   *
-   * @param signingResult Keyless signing result.
-   * @return Sigstore Bundle in JSON format
-   */
-  public static String createBundle(KeylessSignature signingResult) {
-    Bundle bundle = BundleFactoryInternal.createBundleBuilder(signingResult).build();
-    try {
-      String jsonBundle = BundleFactoryInternal.JSON_PRINTER.print(bundle);
-      List<String> missingFields = BundleVerifierInternal.findMissingFields(bundle);
-      if (!missingFields.isEmpty()) {
-        throw new IllegalStateException(
-            "Some of the fields were not initialized: "
-                + String.join(", ", missingFields)
-                + "; bundle JSON: "
-                + jsonBundle);
-      }
-      return jsonBundle;
-    } catch (InvalidProtocolBufferException e) {
-      throw new IllegalArgumentException(
-          "Can't serialize signing result to Sigstore Bundle JSON", e);
-    }
-  }
-
-  /**
-   * Read a bundle json and convert it back into a keyless signing result for use within this
-   * library
-   *
-   * @param jsonReader a reader to a valid bundle json file
-   * @return the converted signing result object
-   * @throws BundleParseException if all or parts of the bundle were not convertible to library
-   *     types
-   */
-  public static KeylessSignature readBundle(Reader jsonReader) throws BundleParseException {
-    return BundleFactoryInternal.readBundle(jsonReader);
+  public static String createBundle(KeylessSignature keylessSignature) {
+    return Bundle.from(keylessSignature).toJson();
   }
 }