3131import dev .sigstore .fulcio .client .FulcioVerifier ;
3232import dev .sigstore .json .JsonParseException ;
3333import dev .sigstore .proto .ProtoMutators ;
34- import dev .sigstore .proto .rekor .v2 .DSSELogEntryV002 ;
3534import dev .sigstore .proto .rekor .v2 .HashedRekordLogEntryV002 ;
3635import dev .sigstore .proto .rekor .v2 .Signature ;
3736import dev .sigstore .rekor .client .HashedRekordRequest ;
3837import dev .sigstore .rekor .client .RekorEntry ;
38+ import dev .sigstore .rekor .client .RekorEntryBody ;
3939import dev .sigstore .rekor .client .RekorTypeException ;
4040import dev .sigstore .rekor .client .RekorTypes ;
4141import dev .sigstore .rekor .client .RekorVerificationException ;
@@ -469,13 +469,15 @@ private void checkDsseEnvelope(
469469 throw new KeylessVerificationException ("Signature could not be processed" , se );
470470 }
471471
472- String version ;
472+ RekorEntryBody entryBody ;
473473 try {
474- version = rekorEntry .getBodyDecoded (). getApiVersion ();
474+ entryBody = rekorEntry .getBodyDecoded ();
475475 } catch (JsonParseException ex ) {
476476 throw new KeylessVerificationException ("Could not extract body from log entry" );
477477 }
478- if ("0.0.1" .equals (version )) {
478+ var kind = entryBody .getKind ();
479+ var version = entryBody .getApiVersion ();
480+ if ("0.0.1" .equals (version ) && "dsse" .equals (kind )) {
479481 Dsse rekorDsse ;
480482 try {
481483 rekorDsse = RekorTypes .getDsseV001 (rekorEntry );
@@ -517,45 +519,30 @@ private void checkDsseEnvelope(
517519 throw new KeylessVerificationException (
518520 "Provided DSSE signature materials are inconsistent with DSSE log entry" );
519521 }
520- } else if ("0.0.2" .equals (version )) {
521- DSSELogEntryV002 logEntrySpec ;
522+ } else if ("0.0.2" .equals (version ) && "hashedrekord" . equals ( kind ) ) {
523+ HashedRekordLogEntryV002 logEntrySpec ;
522524 try {
523- logEntrySpec = RekorTypes .getDsseV002 (rekorEntry );
525+ logEntrySpec = RekorTypes .getHashedRekordV002 (rekorEntry );
524526 } catch (RekorTypeException re ) {
525527 throw new KeylessVerificationException ("Could not parse DSSE from log entry body" , re );
526528 }
527529
528- try {
529- ProtoMutators .toHashAlgorithm (logEntrySpec .getPayloadHash ().getAlgorithm ());
530- } catch (UnsupportedAlgorithmException ex ) {
531- throw new KeylessVerificationException ("Unsupported digest algorithm in log entry" , ex );
532- }
533-
534- // check if the digest over the dsse payload matches the digest in the transparency log entry
535- byte [] calculatedDigest = hashing .hashBytes (dsseEnvelope .getPayload ()).asBytes ();
536- if (!Arrays .equals (
537- logEntrySpec .getPayloadHash ().getDigest ().toByteArray (), calculatedDigest )) {
538- throw new KeylessVerificationException (
539- "Digest of DSSE payload in bundle does not match DSSE payload digest in log entry" );
540- }
541-
542- // check if the signature over the dsse payload matches the signature in the rekorEntry
543- if (logEntrySpec .getSignaturesCount () != 1 ) {
530+ // check if the digest over the dsse pae matches the digest in the transparency log entry
531+ byte [] calculatedDigest = hashing .hashBytes (dsseEnvelope .getPAE ()).asBytes ();
532+ if (!Arrays .equals (logEntrySpec .getData ().getDigest ().toByteArray (), calculatedDigest )) {
544533 throw new KeylessVerificationException (
545- "Log entry spec must have exactly 1 signature, but found: "
546- + logEntrySpec .getSignaturesCount ());
534+ "Digest of DSSE.pae in bundle does not match digest in log entry" );
547535 }
548536
549- Signature logSignature = logEntrySpec .getSignatures ( 0 );
537+ Signature logSignature = logEntrySpec .getSignature ( );
550538 if (!Arrays .equals (dsseEnvelope .getSignature (), logSignature .getContent ().toByteArray ())) {
551539 throw new KeylessVerificationException (
552- "Signature in DSSE envelope does not match signature in log entry spec " );
540+ "Signature in DSSE envelope does not match signature in log entry" );
553541 }
554542
555543 var verifier = logSignature .getVerifier ();
556544 if (!verifier .hasX509Certificate ()) {
557- throw new KeylessVerificationException (
558- "Rekor entry DSSE verifier is missing X.509 certificate" );
545+ throw new KeylessVerificationException ("Log entry is missing X.509 certificate" );
559546 }
560547 try {
561548 byte [] certFromRekor = verifier .getX509Certificate ().getRawBytes ().toByteArray ();
@@ -569,7 +556,8 @@ private void checkDsseEnvelope(
569556 "Could not encode leaf certificate for comparison" , e );
570557 }
571558 } else {
572- throw new KeylessVerificationException ("Unsupported DSSE version: " + version );
559+ throw new KeylessVerificationException (
560+ "Unsupported entry type: '" + kind + ":" + version + "' for DSSE bundle" );
573561 }
574562 }
575563}
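Review bot: The catch around the new `getHashedRekordV002` call in the 0.0.2 branch still throws `"Could not parse DSSE from log entry body"`, which no longer names what failed now that the branch is entered only for `kind == "hashedrekord"`; `throw new KeylessVerificationException("Could not parse hashedrekord from log entry body", re);` would match the new condition and the other messages this hunk rewrites. Separately, the removed code validated the entry's declared digest algorithm with `ProtoMutators.toHashAlgorithm` before comparing digests, while the new code compares `logEntrySpec.getData().getDigest()` against whatever `hashing` produces without looking at the entry's algorithm; an unexpected algorithm still fails closed on the byte comparison, but the resulting "does not match" message is misleading, so either an explicit check that the entry's algorithm is the one `hashing` computes or a comment such as `// the byte comparison below also rejects entries hashed with a different algorithm` would make the intent explicit. checkDsseEnvelope starts before the first hunk and the 0.0.1 branch spans the first two hunks, so I could not confirm whether that path still carries an equivalent algorithm check.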