expose rekor option to choose 'intoto' or 'dsse' (#820)

Signed-off-by: Brian DeHamer <[email protected]>
sigstore · Oct 20, 2023 · c0a43d5 · c0a43d5
1 parent 8fe010c
commit c0a43d5
Show file tree

Hide file tree

Showing 4 changed files with 149 additions and 65 deletions.
diff --git a/.changeset/cyan-impalas-look.md b/.changeset/cyan-impalas-look.md
@@ -0,0 +1,5 @@
+---
+'@sigstore/sign': minor
+---
+
+Expose `entryType` option on `RekorWitness` constructor
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/sign/src/__tests__/witness/tlog/index.test.ts b/packages/sign/src/__tests__/witness/tlog/index.test.ts
@@ -158,65 +158,140 @@ describe('RekorWitness', () => {
           },
         };
 
-        it('returns the tlog entry', async () => {
-          const vm = await subject.testify(sigBundle, publicKey);
+        describe('when the Rekor entry type is "intoto"', () => {
+          const subject = new RekorWitness({
+            rekorBaseURL,
+            entryType: 'intoto',
+          });
 
-          expect(vm).toBeDefined();
-          assert(vm.tlogEntries);
-          expect(vm.tlogEntries).toHaveLength(1);
+          it('returns the tlog entry', async () => {
+            const vm = await subject.testify(sigBundle, publicKey);
 
-          const tlogEntry = vm.tlogEntries[0];
-          expect(tlogEntry).toBeDefined();
-          expect(tlogEntry.logIndex).toEqual(
-            rekorEntry[uuid].logIndex.toString()
-          );
-          expect(tlogEntry.logId?.keyId).toEqual(
-            Buffer.from(rekorEntry[uuid].logID, 'hex')
-          );
-          expect(tlogEntry.kindVersion?.kind).toEqual(proposedEntry.kind);
-          expect(tlogEntry.kindVersion?.version).toEqual(
-            proposedEntry.apiVersion
-          );
-          expect(tlogEntry.integratedTime).toEqual(
-            rekorEntry[uuid].integratedTime.toString()
-          );
-          expect(tlogEntry.inclusionPromise?.signedEntryTimestamp).toEqual(
-            Buffer.from(
-              rekorEntry[uuid].verification.signedEntryTimestamp,
-              'base64'
-            )
-          );
-          expect(tlogEntry.inclusionProof?.checkpoint?.envelope).toEqual(
-            rekorEntry[uuid].verification.inclusionProof.checkpoint
-          );
-          expect(tlogEntry.inclusionProof?.hashes).toHaveLength(2);
-          expect(tlogEntry.inclusionProof?.hashes[0]).toEqual(
-            Buffer.from(
-              rekorEntry[uuid].verification.inclusionProof.hashes[0],
-              'hex'
-            )
-          );
-          expect(tlogEntry.inclusionProof?.hashes[1]).toEqual(
-            Buffer.from(
-              rekorEntry[uuid].verification.inclusionProof.hashes[1],
-              'hex'
-            )
-          );
-          expect(tlogEntry.inclusionProof?.logIndex).toEqual(
-            rekorEntry[uuid].verification.inclusionProof.logIndex.toString()
-          );
-          expect(tlogEntry.inclusionProof?.rootHash).toEqual(
-            Buffer.from(
-              rekorEntry[uuid].verification.inclusionProof.rootHash,
-              'hex'
-            )
-          );
-          expect(tlogEntry.inclusionProof?.treeSize).toEqual(
-            rekorEntry[uuid].verification.inclusionProof.treeSize.toString()
-          );
-          expect(tlogEntry.canonicalizedBody).toEqual(
-            Buffer.from(rekorEntry[uuid].body, 'base64')
-          );
+            expect(vm).toBeDefined();
+            assert(vm.tlogEntries);
+            expect(vm.tlogEntries).toHaveLength(1);
+
+            const tlogEntry = vm.tlogEntries[0];
+            expect(tlogEntry).toBeDefined();
+            expect(tlogEntry.logIndex).toEqual(
+              rekorEntry[uuid].logIndex.toString()
+            );
+            expect(tlogEntry.logId?.keyId).toEqual(
+              Buffer.from(rekorEntry[uuid].logID, 'hex')
+            );
+            expect(tlogEntry.kindVersion?.kind).toEqual(proposedEntry.kind);
+            expect(tlogEntry.kindVersion?.version).toEqual(
+              proposedEntry.apiVersion
+            );
+            expect(tlogEntry.integratedTime).toEqual(
+              rekorEntry[uuid].integratedTime.toString()
+            );
+            expect(tlogEntry.inclusionPromise?.signedEntryTimestamp).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.signedEntryTimestamp,
+                'base64'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.checkpoint?.envelope).toEqual(
+              rekorEntry[uuid].verification.inclusionProof.checkpoint
+            );
+            expect(tlogEntry.inclusionProof?.hashes).toHaveLength(2);
+            expect(tlogEntry.inclusionProof?.hashes[0]).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.inclusionProof.hashes[0],
+                'hex'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.hashes[1]).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.inclusionProof.hashes[1],
+                'hex'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.logIndex).toEqual(
+              rekorEntry[uuid].verification.inclusionProof.logIndex.toString()
+            );
+            expect(tlogEntry.inclusionProof?.rootHash).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.inclusionProof.rootHash,
+                'hex'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.treeSize).toEqual(
+              rekorEntry[uuid].verification.inclusionProof.treeSize.toString()
+            );
+            expect(tlogEntry.canonicalizedBody).toEqual(
+              Buffer.from(rekorEntry[uuid].body, 'base64')
+            );
+          });
+        });
+
+        describe('when the Rekor entry type is "dsse"', () => {
+          const subject = new RekorWitness({
+            rekorBaseURL,
+            entryType: 'dsse',
+          });
+
+          it('returns the tlog entry', async () => {
+            const vm = await subject.testify(sigBundle, publicKey);
+
+            expect(vm).toBeDefined();
+            assert(vm.tlogEntries);
+            expect(vm.tlogEntries).toHaveLength(1);
+
+            const tlogEntry = vm.tlogEntries[0];
+            expect(tlogEntry).toBeDefined();
+            expect(tlogEntry.logIndex).toEqual(
+              rekorEntry[uuid].logIndex.toString()
+            );
+            expect(tlogEntry.logId?.keyId).toEqual(
+              Buffer.from(rekorEntry[uuid].logID, 'hex')
+            );
+            expect(tlogEntry.kindVersion?.kind).toEqual(proposedEntry.kind);
+            expect(tlogEntry.kindVersion?.version).toEqual(
+              proposedEntry.apiVersion
+            );
+            expect(tlogEntry.integratedTime).toEqual(
+              rekorEntry[uuid].integratedTime.toString()
+            );
+            expect(tlogEntry.inclusionPromise?.signedEntryTimestamp).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.signedEntryTimestamp,
+                'base64'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.checkpoint?.envelope).toEqual(
+              rekorEntry[uuid].verification.inclusionProof.checkpoint
+            );
+            expect(tlogEntry.inclusionProof?.hashes).toHaveLength(2);
+            expect(tlogEntry.inclusionProof?.hashes[0]).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.inclusionProof.hashes[0],
+                'hex'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.hashes[1]).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.inclusionProof.hashes[1],
+                'hex'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.logIndex).toEqual(
+              rekorEntry[uuid].verification.inclusionProof.logIndex.toString()
+            );
+            expect(tlogEntry.inclusionProof?.rootHash).toEqual(
+              Buffer.from(
+                rekorEntry[uuid].verification.inclusionProof.rootHash,
+                'hex'
+              )
+            );
+            expect(tlogEntry.inclusionProof?.treeSize).toEqual(
+              rekorEntry[uuid].verification.inclusionProof.treeSize.toString()
+            );
+            expect(tlogEntry.canonicalizedBody).toEqual(
+              Buffer.from(rekorEntry[uuid].body, 'base64')
+            );
+          });
         });
       });
     });

diff --git a/packages/sign/src/witness/tlog/index.ts b/packages/sign/src/witness/tlog/index.ts
@@ -30,12 +30,16 @@ export const DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
 
 type TransparencyLogEntries = { tlogEntries: TransparencyLogEntry[] };
 
-export type RekorWitnessOptions = Partial<TLogClientOptions>;
+export type RekorWitnessOptions = Partial<TLogClientOptions> & {
+  entryType?: 'dsse' | 'intoto';
+};
 
 export class RekorWitness implements Witness {
   private tlog: TLog;
+  private entryType?: 'dsse' | 'intoto';
 
   constructor(options: RekorWitnessOptions) {
+    this.entryType = options.entryType;
     this.tlog = new TLogClient({
       ...options,
       rekorBaseURL:
@@ -47,7 +51,7 @@ export class RekorWitness implements Witness {
     content: SignatureBundle,
     publicKey: string
   ): Promise<TransparencyLogEntries> {
-    const proposedEntry = toProposedEntry(content, publicKey);
+    const proposedEntry = toProposedEntry(content, publicKey, this.entryType);
     const entry = await this.tlog.createEntry(proposedEntry);
     return toTransparencyLogEntry(entry);
   }