diff --git a/pom.xml b/pom.xml
index 19745da..1882300 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,6 +119,13 @@
jakarta.el
4.0.2
+
+
+ dev.sigstore
+ sigstore-java
+ 0.10.0
+
+
diff --git a/src/main/java/io/github/intoto/dsse/helpers/SimpleSigstoreSigner.java b/src/main/java/io/github/intoto/dsse/helpers/SimpleSigstoreSigner.java
new file mode 100644
index 0000000..79f321e
--- /dev/null
+++ b/src/main/java/io/github/intoto/dsse/helpers/SimpleSigstoreSigner.java
@@ -0,0 +1,58 @@
+package io.github.intoto.dsse.helpers;
+
+import dev.sigstore.KeylessSigner;
+import dev.sigstore.KeylessSignerException;
+import dev.sigstore.bundle.Bundle;
+import io.github.intoto.dsse.models.Signer;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.*;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Optional;
+
+public class SimpleSigstoreSigner implements Signer {
+ private String keyId;
+ Optional dsseSignature;
+ Bundle result;
+
+ public byte[] sign(byte[] payload) throws InvalidAlgorithmParameterException, CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, KeylessSignerException {
+ KeylessSigner functionary = new KeylessSigner.Builder().sigstorePublicDefaults().build();
+ this.result = functionary.sign(payload);
+
+ // set keyId
+ X509Certificate certificate = (X509Certificate) (this.result.getCertPath().getCertificates().getFirst());
+ String oid = "1.3.6.1.4.1.57264.1.8";
+ byte[] extensionValue = certificate.getExtensionValue(oid);
+ String issuer = new String(extensionValue, StandardCharsets.UTF_8);
+ this.keyId = issuer.substring(4);
+ Object subAltArr = certificate.getSubjectAlternativeNames().toArray()[0];
+ String subAltName = subAltArr.toString();
+ subAltName = subAltName.substring(4, subAltName.length() - 1);
+ this.keyId = keyId.concat(" " + subAltName);
+
+ this.dsseSignature = result.getDSSESignature();
+ return dsseSignature.get().getSignature();
+ }
+
+ @Override
+ public String getKeyId() {
+ if (this.keyId.isEmpty()) {
+ throw new RuntimeException("Sign the artifact to initialize keyId");
+ }
+ return this.keyId;
+ }
+
+ public byte[] getPayload() {
+ if (this.dsseSignature.isEmpty()) {
+ throw new RuntimeException("Cannot retrieve and unsigned payload");
+ }
+ return this.dsseSignature.get().getPayload().getBytes(StandardCharsets.UTF_8);
+ }
+
+ public Bundle getResult() {
+ return this.result;
+ }
+}
diff --git a/src/main/java/io/github/intoto/dsse/models/Signer.java b/src/main/java/io/github/intoto/dsse/models/Signer.java
index 4928d9e..4566c0d 100644
--- a/src/main/java/io/github/intoto/dsse/models/Signer.java
+++ b/src/main/java/io/github/intoto/dsse/models/Signer.java
@@ -1,8 +1,14 @@
package io.github.intoto.dsse.models;
+import dev.sigstore.KeylessSignerException;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
+import java.security.cert.CertificateException;
+import java.security.spec.InvalidKeySpecException;
/** Interface for a DSSE Signer. */
public interface Signer {
@@ -13,7 +19,7 @@ public interface Signer {
* @param payload the message that you want to sign.
*/
byte[] sign(byte[] payload)
- throws NoSuchAlgorithmException, InvalidKeyException, SignatureException;
+ throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, InvalidAlgorithmParameterException, CertificateException, IOException, InvalidKeySpecException, KeylessSignerException;
/** Returns the ID of this key, or null if not supported. */
String getKeyId();