Add timestamp to bundle and validate

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

Author: aaronlew02

sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java

@@ -26,6 +26,7 @@
 import dev.sigstore.bundle.Bundle.HashAlgorithm;
 import dev.sigstore.bundle.Bundle.MessageSignature;
 import dev.sigstore.bundle.ImmutableBundle;
+import dev.sigstore.bundle.ImmutableTimestamp;
 import dev.sigstore.encryption.certificates.Certificates;
 import dev.sigstore.encryption.signers.Signer;
 import dev.sigstore.encryption.signers.Signers;
@@ -46,6 +47,13 @@
 import dev.sigstore.rekor.client.RekorResponse;
 import dev.sigstore.rekor.client.RekorVerificationException;
 import dev.sigstore.rekor.client.RekorVerifier;
+import dev.sigstore.timestamp.client.ImmutableTimestampRequest;
+import dev.sigstore.timestamp.client.TimestampClient;
+import dev.sigstore.timestamp.client.TimestampClientHttp;
+import dev.sigstore.timestamp.client.TimestampException;
+import dev.sigstore.timestamp.client.TimestampResponse;
+import dev.sigstore.timestamp.client.TimestampVerificationException;
+import dev.sigstore.timestamp.client.TimestampVerifier;
 import dev.sigstore.trustroot.SigstoreConfigurationException;
 import dev.sigstore.tuf.SigstoreTufClient;
 import java.io.IOException;
@@ -89,6 +97,8 @@ public class KeylessSigner implements AutoCloseable {
   private final FulcioVerifier fulcioVerifier;
   private final RekorClient rekorClient;
   private final RekorVerifier rekorVerifier;
+  private final TimestampClient timestampClient;
+  private final TimestampVerifier timestampVerifier;
   private final OidcClients oidcClients;
   private final List<OidcTokenMatcher> oidcIdentities;
   private final Signer signer;
@@ -114,6 +124,8 @@ private KeylessSigner(
       FulcioVerifier fulcioVerifier,
       RekorClient rekorClient,
       RekorVerifier rekorVerifier,
+      TimestampClient timestampClient,
+      TimestampVerifier timestampVerifier,
       OidcClients oidcClients,
       List<OidcTokenMatcher> oidcIdentities,
       Signer signer,
@@ -122,6 +134,8 @@ private KeylessSigner(
     this.fulcioVerifier = fulcioVerifier;
     this.rekorClient = rekorClient;
     this.rekorVerifier = rekorVerifier;
+    this.timestampClient = timestampClient;
+    this.timestampVerifier = timestampVerifier;
     this.oidcClients = oidcClients;
     this.oidcIdentities = oidcIdentities;
     this.signer = signer;
@@ -152,6 +166,7 @@ public static class Builder {
     private Duration minSigningCertificateLifetime = DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME;
     private URI fulcioUri;
     private URI rekorUri;
+    private URI timestampUri;
 
     @CanIgnoreReturnValue
     public Builder fulcioUrl(URI uri) {
@@ -165,6 +180,12 @@ public Builder rekorUrl(URI uri) {
       return this;
     }
 
+    @CanIgnoreReturnValue
+    public Builder timestampUrl(URI uri) {
+      this.timestampUri = uri;
+      return this;
+    }
+
     @CanIgnoreReturnValue
     public Builder trustedRootProvider(TrustedRootProvider trustedRootProvider) {
       this.trustedRootProvider = trustedRootProvider;
@@ -233,11 +254,19 @@ public KeylessSigner build()
       var fulcioVerifier = FulcioVerifier.newFulcioVerifier(trustedRoot);
       var rekorClient = RekorClientHttp.builder().setUri(rekorUri).build();
       var rekorVerifier = RekorVerifier.newRekorVerifier(trustedRoot);
+      TimestampClient timestampClient = null;
+      TimestampVerifier timestampVerifier = null;
+      if (timestampUri != null) { // Building with staging defaults
+        timestampClient = TimestampClientHttp.builder().setUri(timestampUri).build();
+        timestampVerifier = TimestampVerifier.newTimestampVerifier(trustedRoot);
+      }
       return new KeylessSigner(
           fulcioClient,
           fulcioVerifier,
           rekorClient,
           rekorVerifier,
+          timestampClient,
+          timestampVerifier,
           oidcClients,
           oidcIdentities,
           signer,
@@ -270,6 +299,7 @@ public Builder sigstoreStagingDefaults() {
       trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
       fulcioUri = FulcioClient.STAGING_URI;
       rekorUri = RekorClient.STAGING_URI;
+      timestampUri = TimestampClient.STAGING_URI;
       oidcClients(OidcClients.STAGING);
       signer(Signers.newEcdsaSigner());
       minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
@@ -355,13 +385,43 @@ public List<Bundle> sign(List<byte[]> artifactDigests) throws KeylessSignerExcep
         throw new KeylessSignerException("Failed to validate rekor response after signing", ex);
       }
 
-      result.add(
+      var bundleBuilder =
           ImmutableBundle.builder()
               .certPath(signingCert)
               .addEntries(rekorResponse.getEntry())
               .messageSignature(
-                  MessageSignature.of(HashAlgorithm.SHA2_256, artifactDigest, signature))
-              .build());
+                  MessageSignature.of(HashAlgorithm.SHA2_256, artifactDigest, signature));
+
+      if (timestampClient != null
+          && timestampVerifier != null) { // Timestamp funcionality enabled only in staging
+        var signatureDigest = Hashing.sha256().hashBytes(signature).asBytes();
+
+        var tsReq =
+            ImmutableTimestampRequest.builder()
+                .hashAlgorithm(dev.sigstore.timestamp.client.HashAlgorithm.SHA256)
+                .hash(signatureDigest)
+                .build();
+
+        TimestampResponse tsResp;
+        try {
+          tsResp = timestampClient.timestamp(tsReq);
+        } catch (TimestampException ex) {
+          throw new KeylessSignerException("Failed to generate timestamp", ex);
+        }
+
+        try {
+          timestampVerifier.verify(tsResp, signature);
+        } catch (TimestampVerificationException ex) {
+          throw new KeylessSignerException("Failed to validate timestamp against signature", ex);
+        }
+
+        Bundle.Timestamp timestamp =
+            ImmutableTimestamp.builder().rfc3161Timestamp(tsResp.getEncoded()).build();
+
+        bundleBuilder.addTimestamps(timestamp);
+      }
+
+      result.add(bundleBuilder.build());
     }
     return result.build();
   }

sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java

@@ -37,6 +37,9 @@
 import dev.sigstore.rekor.client.RekorVerifier;
 import dev.sigstore.rekor.dsse.v0_0_1.Dsse;
 import dev.sigstore.rekor.dsse.v0_0_1.PayloadHash;
+import dev.sigstore.timestamp.client.ImmutableTimestampResponse;
+import dev.sigstore.timestamp.client.TimestampVerificationException;
+import dev.sigstore.timestamp.client.TimestampVerifier;
 import dev.sigstore.trustroot.SigstoreConfigurationException;
 import dev.sigstore.tuf.SigstoreTufClient;
 import java.io.IOException;
@@ -51,12 +54,16 @@
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
-import java.sql.Date;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.stream.Collectors;
+import org.bouncycastle.tsp.TSPException;
+import org.bouncycastle.tsp.TimeStampResponse;
+import org.bouncycastle.tsp.TimeStampToken;
+import org.bouncycastle.tsp.TimeStampTokenInfo;
 import org.bouncycastle.util.encoders.DecoderException;
 import org.bouncycastle.util.encoders.Hex;
 
@@ -65,10 +72,15 @@ public class KeylessVerifier {
 
   private final FulcioVerifier fulcioVerifier;
   private final RekorVerifier rekorVerifier;
+  private final TimestampVerifier timestampVerifier;
 
-  private KeylessVerifier(FulcioVerifier fulcioVerifier, RekorVerifier rekorVerifier) {
+  private KeylessVerifier(
+      FulcioVerifier fulcioVerifier,
+      RekorVerifier rekorVerifier,
+      TimestampVerifier timestampVerifier) {
     this.fulcioVerifier = fulcioVerifier;
     this.rekorVerifier = rekorVerifier;
+    this.timestampVerifier = timestampVerifier;
   }
 
   public static KeylessVerifier.Builder builder() {
@@ -89,7 +101,8 @@ public KeylessVerifier build()
       var trustedRoot = trustedRootProvider.get();
       var fulcioVerifier = FulcioVerifier.newFulcioVerifier(trustedRoot);
       var rekorVerifier = RekorVerifier.newRekorVerifier(trustedRoot);
-      return new KeylessVerifier(fulcioVerifier, rekorVerifier);
+      var timestampVerifier = TimestampVerifier.newTimestampVerifier(trustedRoot);
+      return new KeylessVerifier(fulcioVerifier, rekorVerifier, timestampVerifier);
     }
 
     public Builder sigstorePublicDefaults() {
@@ -148,11 +161,6 @@ public void verify(byte[] artifactDigest, Bundle bundle, VerificationOptions opt
           "Bundle verification expects 1 entry, but found " + bundle.getEntries().size());
     }
 
-    if (!bundle.getTimestamps().isEmpty()) {
-      throw new KeylessVerificationException(
-          "Cannot verify bundles with timestamp verification material");
-    }
-
     var signingCert = bundle.getCertPath();
     var leafCert = Certificates.getLeaf(signingCert);
 
@@ -188,11 +196,55 @@ public void verify(byte[] artifactDigest, Bundle bundle, VerificationOptions opt
       throw new KeylessVerificationException("Signing time was after certificate expiry", e);
     }
 
+    byte[] signature;
     if (bundle.getMessageSignature().isPresent()) { // hashedrekord
-      checkMessageSignature(
-          bundle.getMessageSignature().get(), rekorEntry, artifactDigest, leafCert);
+      var messageSignature = bundle.getMessageSignature().get();
+      checkMessageSignature(messageSignature, rekorEntry, artifactDigest, leafCert);
+      signature = messageSignature.getSignature();
     } else { // dsse
-      checkDsseEnvelope(rekorEntry, bundle.getDsseEnvelope().get(), artifactDigest, leafCert);
+      var dsseEnvelope = bundle.getDsseEnvelope().get();
+      checkDsseEnvelope(rekorEntry, dsseEnvelope, artifactDigest, leafCert);
+      signature = dsseEnvelope.getSignature();
+    }
+
+    verifyTimestamps(leafCert, bundle.getTimestamps(), signature);
+  }
+
+  private void verifyTimestamps(
+      X509Certificate leafCert, List<Bundle.Timestamp> timestamps, byte[] signature)
+      throws KeylessVerificationException {
+    if (timestamps == null || timestamps.isEmpty()) {
+      return;
+    }
+    for (Bundle.Timestamp timestamp : timestamps) {
+      byte[] tsBytes = timestamp.getRfc3161Timestamp();
+      if (tsBytes == null || tsBytes.length == 0) {
+        throw new KeylessVerificationException(
+            "Found an empty or null RFC3161 timestamp in bundle");
+      }
+      try {
+        TimeStampResponse bcTsResp = new TimeStampResponse(tsBytes);
+        TimeStampToken tsToken = bcTsResp.getTimeStampToken();
+        if (tsToken == null) {
+          throw new KeylessVerificationException(
+              "Timestamp token is missing from timestamp response");
+        }
+        TimeStampTokenInfo tsInfo = tsToken.getTimeStampInfo();
+        if (tsInfo == null) {
+          throw new KeylessVerificationException("Timestamp info is missing from timestamp token");
+        }
+        Date timestampGenerationTime = Date.from(tsInfo.getGenTime().toInstant());
+        leafCert.checkValidity(timestampGenerationTime);
+        var tsResp = ImmutableTimestampResponse.builder().encoded(tsBytes).build();
+        timestampVerifier.verify(tsResp, signature);
+      } catch (IOException
+          | TSPException
+          | CertificateNotYetValidException
+          | CertificateExpiredException
+          | TimestampVerificationException e) {
+        throw new KeylessVerificationException(
+            "RFC3161 timestamp verification failed: " + e.getMessage(), e);
+      }
     }
   }
 

sigstore-java/src/main/java/dev/sigstore/bundle/Bundle.java

@@ -185,7 +185,7 @@ interface Signature {
   @Immutable
   public interface Timestamp {
 
-    /** Raw bytes of an rfc31616 timestamp */
+    /** Raw bytes of an rfc3161 timestamp */
     byte[] getRfc3161Timestamp();
   }
 

sigstore-java/src/main/java/dev/sigstore/bundle/BundleReader.java

@@ -177,7 +177,9 @@ static Bundle readBundle(Reader jsonReader) throws BundleParseException {
               .getTimestampVerificationData()
               .getRfc3161TimestampsList()) {
         bundleBuilder.addTimestamps(
-            ImmutableTimestamp.builder().rfc3161Timestamp(timestamp.toByteArray()).build());
+            ImmutableTimestamp.builder()
+                .rfc3161Timestamp(timestamp.getSignedTimestamp().toByteArray())
+                .build());
       }
     }
 

sigstore-java/src/main/java/dev/sigstore/bundle/BundleWriter.java

@@ -20,10 +20,12 @@
 import com.google.protobuf.InvalidProtocolBufferException;
 import com.google.protobuf.util.JsonFormat;
 import dev.sigstore.proto.ProtoMutators;
+import dev.sigstore.proto.bundle.v1.TimestampVerificationData;
 import dev.sigstore.proto.bundle.v1.VerificationMaterial;
 import dev.sigstore.proto.common.v1.HashOutput;
 import dev.sigstore.proto.common.v1.LogId;
 import dev.sigstore.proto.common.v1.MessageSignature;
+import dev.sigstore.proto.common.v1.RFC3161SignedTimestamp;
 import dev.sigstore.proto.common.v1.X509Certificate;
 import dev.sigstore.proto.rekor.v1.Checkpoint;
 import dev.sigstore.proto.rekor.v1.InclusionPromise;
@@ -110,6 +112,11 @@ private static VerificationMaterial.Builder buildVerificationMaterial(Bundle bun
           "Exactly 1 rekor entry must be present in the signing result");
     }
     builder.addTlogEntries(buildTlogEntries(bundle.getEntries().get(0)));
+    TimestampVerificationData timestampData =
+        buildTimestampVerificationData(bundle.getTimestamps());
+    if (timestampData != null) {
+      builder.setTimestampVerificationData(timestampData);
+    }
     return builder;
   }
 
@@ -148,4 +155,20 @@ private static void addInclusionProof(
                     .collect(Collectors.toList()))
             .setCheckpoint(Checkpoint.newBuilder().setEnvelope(inclusionProof.getCheckpoint())));
   }
+
+  private static TimestampVerificationData buildTimestampVerificationData(
+      List<Bundle.Timestamp> bundleTimestamps) {
+    if (bundleTimestamps == null || bundleTimestamps.isEmpty()) {
+      return null;
+    }
+    TimestampVerificationData.Builder tsvBuilder = TimestampVerificationData.newBuilder();
+    for (Bundle.Timestamp ts : bundleTimestamps) {
+      byte[] tsBytes = ts.getRfc3161Timestamp();
+      if (tsBytes != null && tsBytes.length > 0) {
+        tsvBuilder.addRfc3161Timestamps(
+            RFC3161SignedTimestamp.newBuilder().setSignedTimestamp(ByteString.copyFrom(tsBytes)));
+      }
+    }
+    return tsvBuilder.getRfc3161TimestampsCount() > 0 ? tsvBuilder.build() : null;
+  }
 }

sigstore-java/src/main/java/dev/sigstore/timestamp/client/HashAlgorithm.java

@@ -39,4 +39,13 @@ public String getAlgorithmName() {
   public ASN1ObjectIdentifier getOid() {
     return oid;
   }
+
+  public static HashAlgorithm from(ASN1ObjectIdentifier oid) throws TimestampException {
+    for (HashAlgorithm value : values()) {
+      if (value.getOid().equals(oid)) {
+        return value;
+      }
+    }
+    throw new TimestampException("Unsupported hash algorithm: " + oid.getId());
+  }
 }

sigstore-java/src/main/java/dev/sigstore/timestamp/client/TimestampClient.java

@@ -15,8 +15,13 @@
  */
 package dev.sigstore.timestamp.client;
 
+import java.net.URI;
+
 /** A client to communicate with a timestamp service instance. */
 public interface TimestampClient {
+  URI PUBLIC_GOOD_URI = URI.create("https://timestamp.sigstore.dev");
+  URI STAGING_URI = URI.create("https://timestamp.sigstage.dev");
+
   /**
    * Request a timestanp for a timestamp authority.
    *