Skip to content

Commit

Permalink
Implement new SimpleSigstoreSigner and update exceptions in Signer
Browse files Browse the repository at this point in the history
  • Loading branch information
KiranSatyaRaj committed Jul 15, 2024
1 parent c3325e4 commit a795f08
Show file tree
Hide file tree
Showing 3 changed files with 72 additions and 1 deletion.
7 changes: 7 additions & 0 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,13 @@
<artifactId>jakarta.el</artifactId>
<version>4.0.2</version>
</dependency>
<!-- sigstore-java -->
<dependency>
<groupId>dev.sigstore</groupId>
<artifactId>sigstore-java</artifactId>
<version>0.10.0</version>
</dependency>


</dependencies>
<properties>
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
package io.github.intoto.dsse.helpers;

import dev.sigstore.KeylessSigner;
import dev.sigstore.KeylessSignerException;
import dev.sigstore.bundle.Bundle;
import io.github.intoto.dsse.models.Signer;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Optional;

public class SimpleSigstoreSigner implements Signer {
private String keyId;
Optional<Bundle.DSSESignature> dsseSignature;
Bundle result;

public byte[] sign(byte[] payload) throws InvalidAlgorithmParameterException, CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, KeylessSignerException {
KeylessSigner functionary = new KeylessSigner.Builder().sigstorePublicDefaults().build();
this.result = functionary.sign(payload);

// set keyId
X509Certificate certificate = (X509Certificate) (this.result.getCertPath().getCertificates().getFirst());
String oid = "1.3.6.1.4.1.57264.1.8";
byte[] extensionValue = certificate.getExtensionValue(oid);
String issuer = new String(extensionValue, StandardCharsets.UTF_8);
this.keyId = issuer.substring(4);
Object subAltArr = certificate.getSubjectAlternativeNames().toArray()[0];
String subAltName = subAltArr.toString();
subAltName = subAltName.substring(4, subAltName.length() - 1);
this.keyId = keyId.concat(" " + subAltName);

this.dsseSignature = result.getDSSESignature();
return dsseSignature.get().getSignature();
}

@Override
public String getKeyId() {
if (this.keyId.isEmpty()) {
throw new RuntimeException("Sign the artifact to initialize keyId");
}
return this.keyId;
}

public byte[] getPayload() {
if (this.dsseSignature.isEmpty()) {
throw new RuntimeException("Cannot retrieve and unsigned payload");
}
return this.dsseSignature.get().getPayload().getBytes(StandardCharsets.UTF_8);
}

public Bundle getResult() {
return this.result;
}
}
8 changes: 7 additions & 1 deletion src/main/java/io/github/intoto/dsse/models/Signer.java
Original file line number Diff line number Diff line change
@@ -1,8 +1,14 @@
package io.github.intoto.dsse.models;

import dev.sigstore.KeylessSignerException;

import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;

/** Interface for a DSSE Signer. */
public interface Signer {
Expand All @@ -13,7 +19,7 @@ public interface Signer {
* @param payload the message that you want to sign.
*/
byte[] sign(byte[] payload)
throws NoSuchAlgorithmException, InvalidKeyException, SignatureException;
throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, InvalidAlgorithmParameterException, CertificateException, IOException, InvalidKeySpecException, KeylessSignerException;

/** Returns the ID of this key, or null if not supported. */
String getKeyId();
Expand Down

0 comments on commit a795f08

Please sign in to comment.