PR changes

Signed-off-by: Appu Goundan <[email protected]>

sigstore-java/src/main/java/dev/sigstore/bundle/Bundle.java

@@ -26,36 +26,43 @@
 import org.immutables.value.Value.Immutable;
 import org.immutables.value.Value.Lazy;
 
+/**
+ * A representation of sigstore signing materials. See <a
+ * href="https://github.com/sigstore/protobuf-specs">protobuf-specs</a>
+ */
 @Immutable
-public interface Bundle {
+public abstract class Bundle {
 
-  enum HashAlgorithm {
+  public enum HashAlgorithm {
     SHA2_256
   }
 
-  String BUNDLE_V_0_1 = "application/vnd.dev.sigstore.bundle+json;version=0.1";
-  String BUNDLE_V_0_2 = "application/vnd.dev.sigstore.bundle+json;version=0.2";
-  String BUNDLE_V_0_3 = "application/vnd.dev.sigstore.bundle+json;version=0.3";
+  static final String BUNDLE_V_0_1 = "application/vnd.dev.sigstore.bundle+json;version=0.1";
+  static final String BUNDLE_V_0_2 = "application/vnd.dev.sigstore.bundle+json;version=0.2";
+  static final String BUNDLE_V_0_3 = "application/vnd.dev.sigstore.bundle+json;version=0.3";
   // media_type format switch: https://github.com/sigstore/protobuf-specs/pull/279
-  String BUNDLE_V_0_3_1 = "application/vnd.dev.sigstore.bundle.v0.3+json";
-  List<String> SUPPORTED_MEDIA_TYPES =
+  static final String BUNDLE_V_0_3_1 = "application/vnd.dev.sigstore.bundle.v0.3+json";
+  static final List<String> SUPPORTED_MEDIA_TYPES =
       List.of(BUNDLE_V_0_1, BUNDLE_V_0_2, BUNDLE_V_0_3, BUNDLE_V_0_3_1);
 
-  String getMediaType();
+  /** The bundle version */
+  public abstract String getMediaType();
 
-  Optional<MessageSignature> getMessageSignature();
+  /** A signature represented as a signature and digest */
+  public abstract Optional<MessageSignature> getMessageSignature();
 
-  Optional<DSSESignature> getDSSESignature();
+  /** A DSSE envelope signature type that may contain an arbitrary payload */
+  public abstract Optional<DSSESignature> getDSSESignature();
 
   @Value.Check
-  default void checkOnlyOneSignature() {
+  protected void checkOnlyOneSignature() {
     Preconditions.checkState(
         (getDSSESignature().isEmpty() && getMessageSignature().isPresent())
             || (getDSSESignature().isPresent() && getMessageSignature().isEmpty()));
   }
 
   @Value.Check
-  default void checkAtLeastOneTimestamp() {
+  protected void checkAtLeastOneTimestamp() {
     for (var entry : getEntries()) {
       if (entry.getVerification().getSignedEntryTimestamp() != null) {
         return;
@@ -72,56 +79,75 @@ default void checkAtLeastOneTimestamp() {
    * the artifact, this should NOT contain the trusted root or any trusted intermediates. But users
    * of this object should understand that older signatures may include the full chain.
    */
-  CertPath getCertPath();
+  public abstract CertPath getCertPath();
 
-  /** The entry in the rekor transparency log */
-  List<RekorEntry> getEntries();
+  /** The entry in the rekor transparency log (represented as a list for future compatibility, but
+   * currently only allow for at most one entry. */
+  public abstract List<RekorEntry> getEntries();
 
-  List<Timestamp> getTimestamps();
+  /** A list of timestamps to verify the time of signing. Currently, allows rfc3161 timestamps. */
+  public abstract List<Timestamp> getTimestamps();
 
   @Immutable
   interface MessageSignature {
 
+    /**
+     * An optional message digest, this should not be used to verify signature validity. A digest
+     * should be provided or computed by the system.
+     */
     Optional<MessageDigest> getMessageDigest();
 
+    /**
+     * Signature over an artifact.
+     */
     byte[] getSignature();
   }
 
   @Immutable
   interface MessageDigest {
 
+    /**
+     * The algorithm used to compute the digest.
+     */
     HashAlgorithm getHashAlgorithm();
 
+    /**
+     * The raw bytes of the digest computer using the hashing algorithm described by {@link #getHashAlgorithm()}
+     */
     byte[] getDigest();
   }
 
   @Immutable
   interface DSSESignature {
 
+    /** An arbitrary payload that does not need to be parsed to be validated */
     String getPayload();
 
+    /** Information on how to interpret the payload */
     String getPayloadType();
 
+    /** DSSE specific signature */
     byte[] getSignature();
   }
 
   @Immutable
   interface Timestamp {
 
+    /** Raw bytes of an rfc31616 timestamp */
     byte[] getRfc3161Timestamp();
   }
 
-  static Bundle from(Reader bundleJson) throws BundleParseException {
+  public static Bundle from(Reader bundleJson) throws BundleParseException {
     return BundleReader.readBundle(bundleJson);
   }
 
   @Lazy
-  default String toJson() {
+  public String toJson() {
     return BundleWriter.writeBundle(this);
   }
 
   /** Compat method to convert from keyless signature. Don't use, will be removed. */
-  static Bundle from(KeylessSignature keylessSignature) {
+  public static Bundle from(KeylessSignature keylessSignature) {
     var sig =
         ImmutableMessageSignature.builder()
             .messageDigest(
@@ -142,7 +168,7 @@ static Bundle from(KeylessSignature keylessSignature) {
 
   /** Compat method to convert to keyless signature. Don't use, will be removed. */
   @Lazy
-  default KeylessSignature toKeylessSignature() {
+  public KeylessSignature toKeylessSignature() {
     if (getDSSESignature().isPresent()) {
       throw new IllegalStateException("This client can't process bundles with DSSE signatures.");
     }

sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactory.java

@@ -0,0 +1,10 @@
+package dev.sigstore.bundle;
+
+import dev.sigstore.KeylessSignature;
+
+/** Compat class, needed for build to continue to work while we make API changes. */
+public class BundleFactory {
+    public static String createBundle(KeylessSignature keylessSignature) {
+      return Bundle.from(keylessSignature).toJson();
+    }
+}

sigstore-java/src/main/java/dev/sigstore/bundle/BundleReader.java

@@ -31,7 +31,7 @@
 import java.util.stream.Collectors;
 import org.bouncycastle.util.encoders.Hex;
 
-public class BundleReader {
+class BundleReader {
 
   static Bundle readBundle(Reader jsonReader) throws BundleParseException {
     var protoBundleBuilder = dev.sigstore.proto.bundle.v1.Bundle.newBuilder();

sigstore-java/src/main/java/dev/sigstore/bundle/BundleVerifier.java

@@ -48,7 +48,7 @@ public static List<String> allMissingFields(String bundleJson) {
   }
 
   static List<String> findMissingFields(MessageOrBuilder message) {
-    final List<java.lang.String> missing = new ArrayList<>();
+    final List<String> missing = new ArrayList<>();
     findMissingFields(message, "", missing);
     return missing;
   }
@@ -122,13 +122,6 @@ private static String subMessagePrefix(
   }
 
   static boolean isRequired(Descriptors.FieldDescriptor field) {
-    // while this isn't configured into the spec, we do not support rfc3161 timestamps in java yet,
-    // so make SETs from rekor required in code here
-    if (field
-        .getFullName()
-        .equals("dev.sigstore.rekor.v1.TransparencyLogEntry.inclusion_promise")) {
-      return true;
-    }
     return field.isRequired()
         || field
             .toProto()

sigstore-java/src/main/java/dev/sigstore/bundle/BundleWriter.java

@@ -36,7 +36,7 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
-public class BundleWriter {
+class BundleWriter {
   static final JsonFormat.Printer JSON_PRINTER = JsonFormat.printer();
 
   /**