From 4b8c3e3b31ab93b2cac1cd6c106060a6642d1ea5 Mon Sep 17 00:00:00 2001
From: KiranSatyaRaj <kiranjamy20021508@gmail.com>
Date: Mon, 15 Jul 2024 23:28:11 +0530
Subject: [PATCH] Implement new SimpleSigstoreSigner and update exceptions in
 Signer

---
 pom.xml                                       |  7 +++
 .../dsse/helpers/SimpleSigstoreSigner.java    | 58 +++++++++++++++++++
 .../io/github/intoto/dsse/models/Signer.java  |  8 ++-
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/io/github/intoto/dsse/helpers/SimpleSigstoreSigner.java

diff --git a/pom.xml b/pom.xml
index 19745da..1882300 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,6 +119,13 @@
       <artifactId>jakarta.el</artifactId>
       <version>4.0.2</version>
     </dependency>
+    <!-- sigstore-java -->
+    <dependency>
+      <groupId>dev.sigstore</groupId>
+      <artifactId>sigstore-java</artifactId>
+      <version>0.10.0</version>
+    </dependency>
+
 
   </dependencies>
   <properties>
diff --git a/src/main/java/io/github/intoto/dsse/helpers/SimpleSigstoreSigner.java b/src/main/java/io/github/intoto/dsse/helpers/SimpleSigstoreSigner.java
new file mode 100644
index 0000000..79f321e
--- /dev/null
+++ b/src/main/java/io/github/intoto/dsse/helpers/SimpleSigstoreSigner.java
@@ -0,0 +1,58 @@
+package io.github.intoto.dsse.helpers;
+
+import dev.sigstore.KeylessSigner;
+import dev.sigstore.KeylessSignerException;
+import dev.sigstore.bundle.Bundle;
+import io.github.intoto.dsse.models.Signer;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.*;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Optional;
+
+public class SimpleSigstoreSigner implements Signer {
+    private String keyId;
+    Optional<Bundle.DSSESignature> dsseSignature;
+    Bundle result;
+
+    public byte[] sign(byte[] payload) throws InvalidAlgorithmParameterException, CertificateException,  IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, KeylessSignerException {
+        KeylessSigner functionary = new KeylessSigner.Builder().sigstorePublicDefaults().build();
+        this.result = functionary.sign(payload);
+
+        // set keyId
+        X509Certificate certificate = (X509Certificate) (this.result.getCertPath().getCertificates().getFirst());
+        String oid = "1.3.6.1.4.1.57264.1.8";
+        byte[] extensionValue = certificate.getExtensionValue(oid);
+        String issuer = new String(extensionValue, StandardCharsets.UTF_8);
+        this.keyId = issuer.substring(4);
+        Object subAltArr = certificate.getSubjectAlternativeNames().toArray()[0];
+        String subAltName = subAltArr.toString();
+        subAltName = subAltName.substring(4, subAltName.length() - 1);
+        this.keyId = keyId.concat(" " + subAltName);
+
+        this.dsseSignature = result.getDSSESignature();
+        return dsseSignature.get().getSignature();
+    }
+
+    @Override
+    public String getKeyId() {
+        if (this.keyId.isEmpty()) {
+            throw new RuntimeException("Sign the artifact to initialize keyId");
+        }
+        return this.keyId;
+    }
+
+    public byte[] getPayload() {
+        if (this.dsseSignature.isEmpty()) {
+            throw new RuntimeException("Cannot retrieve and unsigned payload");
+        }
+        return this.dsseSignature.get().getPayload().getBytes(StandardCharsets.UTF_8);
+    }
+
+    public Bundle getResult() {
+        return this.result;
+    }
+}
diff --git a/src/main/java/io/github/intoto/dsse/models/Signer.java b/src/main/java/io/github/intoto/dsse/models/Signer.java
index 4928d9e..4566c0d 100644
--- a/src/main/java/io/github/intoto/dsse/models/Signer.java
+++ b/src/main/java/io/github/intoto/dsse/models/Signer.java
@@ -1,8 +1,14 @@
 package io.github.intoto.dsse.models;
 
+import dev.sigstore.KeylessSignerException;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
+import java.security.cert.CertificateException;
+import java.security.spec.InvalidKeySpecException;
 
 /** Interface for a DSSE Signer. */
 public interface Signer {
@@ -13,7 +19,7 @@ public interface Signer {
    * @param payload the message that you want to sign.
    */
   byte[] sign(byte[] payload)
-      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException;
+      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, InvalidAlgorithmParameterException, CertificateException, IOException, InvalidKeySpecException, KeylessSignerException;
 
   /** Returns the ID of this key, or null if not supported. */
   String getKeyId();