Tom Hennen (TomHennen), Software Engineer at Google.

in-toto/attestation 27

ITE-6 Attestation Definitions

secure-systems-lab/dsse 10

A specification for signing methods and formats used by Secure Systems Lab projects.

TomHennen/AntennaPod 1

A podcast manager for Android

TomHennen/Concordance 0

Concordance

TomHennen/cosign 0

Container Signing

TomHennen/iron-collapse 0

Adds collapsible behavior to a target element

TomHennen/ITE 0

in-toto Enhancements

TomHennen/RxAndroid 0

RxJava bindings for Android

TomHennen/slsa 0

Supply-chain Levels for Software Artifacts

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.intoto.models;++import com.fasterxml.jackson.annotation.JsonValue;++/**+ * This enumeration is meant to represent the supported predicate types.+ *+ * @see <a+ *     href="https://github.com/in-toto/attestation/blob/main/spec/README.md#predicate">in-toto/attestation/blob/main/spec/README.md#predicate</a>+ */+public enum PredicateType {
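Review bot: a closed `PredicateType` enum means a caller cannot emit a predicate type the library does not already know, yet the spec field the JavaDoc links to (predicate / predicateType) is an arbitrary TypeURI. Consider keeping the enum for the well-known constants but letting Statement accept any URI string for predicateType, and document that the `@JsonValue`-serialized value of each constant is the URI itself.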

optional: Make this an inner enum of the base Predicate class?

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.slsa.models;++import java.util.Objects;+import javax.validation.constraints.NotNull;++/**+ * Identifies the configuration used for the build. When combined with materials, this SHOULD fully+ * describe the build, such that re-running this recipe results in bit-for-bit identical output (if+ * the build is reproducible).+ *+ * <p>MAY be unset/null if unknown, but this is DISCOURAGED.+ *+ * <p>NOTE: The Recipe entity has additional properties: arguments and environment that are+ * classified as generic objects in the spec. For this reason it would be expected that builders+ * using this library would extend from the default Recipe and create their own custom class.+ */+public class Recipe {++  /**+   * URI indicating what type of recipe was performed. It determines the meaning of+   * recipe.entryPoint, recipe.arguments, recipe.environment, and materials. (<a+   * href="https://github.com/in-toto/attestation/blob/main/spec/field_types.md#TypeURI">TypeURI</a>)+   */+  @NotNull(message = "recipe type must not be blank")+  private String type;++  /**+   * Index in materials containing the recipe steps that are not implied by recipe.type. For+   * example, if the recipe type were “make”, then this would point to the source containing the+   * Makefile, not the make program itself.+   *+   * <p>Omit this field (or use null) if the recipe does’t come from a material.
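Review bot: `@NotNull(message = "recipe type must not be blank")` on `type` only rejects null; an empty or whitespace-only string passes validation even though the message says "blank". Use `@NotBlank` here, as Subject does for `name`, or change the message to match what is actually checked. The spec text pasted into the JavaDoc also carries a typo (`does’t`) worth fixing while you are in there.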

Can an 'int' be omitted or set to null?

Maybe https://docs.oracle.com/javase/8/docs/api/java/util/OptionalInt.html ?

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.dsse.helpers;++import io.github.dsse.models.Verifier;+import java.security.InvalidKeyException;+import java.security.KeyFactory;+import java.security.NoSuchAlgorithmException;+import java.security.PublicKey;+import java.security.Signature;+import java.security.SignatureException;+import java.security.spec.InvalidKeySpecException;+import java.security.spec.X509EncodedKeySpec;++public class SimpleECDSAVerifier implements Verifier {++  private PublicKey publicKey;++  @Override+  public boolean verify(byte[] publicKeyByteArray, byte[] encryptedMessage, String message)+      throws NoSuchAlgorithmException, SignatureException, InvalidKeySpecException,+          InvalidKeyException {+    Signature signature = Signature.getInstance("SHA1withECDSA");+    // Create the public key from the byte array+    PublicKey publicKey =+        KeyFactory.getInstance("ECDSA").generatePublic(new X509EncodedKeySpec(publicKeyByteArray));+    this.publicKey = publicKey;+    signature.initVerify(publicKey);+    signature.update(message.getBytes());+    return signature.verify(encryptedMessage);+  }++  @Override+  public String getKeyId() {
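Review bot: `Signature.getInstance("SHA1withECDSA")` pins verification to SHA-1, which is deprecated for signatures; use SHA256withECDSA and keep signer and verifier on the same algorithm. Three smaller points in the same hunk: `message.getBytes()` uses the platform default charset, so the bytes verified can differ from the bytes signed on another machine (use `message.getBytes(StandardCharsets.UTF_8)`); the second parameter is the signature, not an `encryptedMessage`, so rename it; and `this.publicKey = publicKey` makes verify() stateful for no visible reason. Also confirm that `KeyFactory.getInstance("ECDSA")` resolves with the providers you ship; the JDK's SunEC registers the key factory as "EC".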

FWIW the keyId isn't usually the public key itself but rather a user-friendly string that can be used to identify it.

Would it make sense to let people set this themselves? (I actually don't see a constructor which is a bit confusing...)

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 its current limitations.  # Usage -## installation+## Installation -This library is intended to be used with maven buildsystem, although you can-probably easily move it to any other if you're familiar with those. To add it-to your mvn project edit the pom.xml file to add:+This library is intended to be used with maven build system, although you can+probably easily move it to any other if you're familiar with those. To add it to+your mvn project edit the pom.xml file to add:  ```xml     ...-    <dependency>-      <groupId>io.github.in-toto</groupId>-      <artifactId>in-toto</artifactId>-      <version>0.1</version>-      <scope>compile</scope>-    </dependency>+<dependency>+  <groupId>io.github.in-toto</groupId>+  <artifactId>in-toto</artifactId>+  <version>0.3.3</version>+</dependency>     ... ``` -With it you should be able to use the library inside of your project.+With it, you should be able to use the library inside your project. -## Using the library+## Using the new library -The library exposes a series of objects and convenience methods to create,-sign, and serialize in-toto metadata. As of now, only Link metadata is-supported (see the Limitations section to see what exactly is supported as of-now).+The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .+If you wish to use the deprecated legacy Link library, please skip to the next+section. -Metadata classes are located in the `io.in_toto.models.*` namespace. 
You can,-for example create a link as follows:+The new library allows you to instantiate a Statement and populate it as+follows:  ```java-    Link link = new Link(null, null, "test", null, null);+Subject subject=new Subject();+    subject.setName("curl-7.72.0.tar.bz2");+    subject.setDigest(+    Map.of(+    DigestSetAlgorithmType.SHA256.toString(),+    "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"));+    Predicate predicate=new Predicate(); // Let's pretend this is an SLSA predicate+    Statement statement=new Statement();+    statement.set_type(StatementType.STATEMENT_V_0_1);+    statement.setSubject(List.of(subject));+    statement.setPredicateType(PredicateType.SLSA_PROVENANCE_V_0_1);+    statement.setPredicate(predicate); ``` -This will create a link object that you can operate with. +Finally, you can use the built-in `IntotoHelper` class to validate and transform+it into its JSON representation as follows:++```java+    String jsonStatement=IntotoHelper.validateAndTransformToJson(statement);+```++If the statement passed to the method is malformed the library will throw+an `InvalidModelException` that will contain a message with the errors.++If you, however wish to create a DSSE based In-toto envelope, The library+features a convenience method:++```java+IntotoEnvelope intotoEnvelope=IntotoHelper.produceIntotoEnvelope(statement,signer);
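Review bot: the sentence "The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and ." is cut off before its third item (presumably SLSA Provenance 0.1.1, from the PR title). In the Java sample the indentation is inconsistent (`Subject subject=new Subject();` flush left, the rest indented), and `Map.of` / `List.of` require Java 9+, so state the minimum Java version next to the Maven snippet. The sample also sets `PredicateType.SLSA_PROVENANCE_V_0_1` on a bare `Predicate` ("Let's pretend this is an SLSA predicate"); pointing readers at the real Provenance model avoids them copying that mismatch into production code.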

nit: Instead of IntotoEnvelope what about just 'Dsse' ? At this point there shouldn't be anything 'in-toto' about it.

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.intoto.models;++import java.util.Map;+import java.util.Objects;+import javax.validation.constraints.NotBlank;+import javax.validation.constraints.NotEmpty;++/**+ * Set of software artifacts that the attestation applies to. Each element represents a single *+ * software artifact.+ */+public class Subject {+  /**+   * Identifier to distinguish this artifact from others within the subject.+   *+   * <p>The semantics are up to the producer and consumer. Because consumers evaluate the name+   * against a policy, the name SHOULD be stable between attestations. If the name is not+   * meaningful, use "_". For example, a SLSA Provenance attestation might use the name to specify+   * output filename, expecting the consumer to only considers entries with a particular name.+   * Alternatively, a vulnerability scan attestation might use the name "_" because the results+   * apply regardless of what the artifact is named.+   *+   * <p>MUST be non-empty and unique within subject.+   */+  @NotBlank(message = "subject name must not be blank")+  private String name;+  /**+   * Collection of cryptographic digests for the contents of this artifact.+   *+   * <p>Two DigestSets are considered matching if ANY of the fields match. The producer and consumer+   * must agree on acceptable algorithms. If there are no overlapping algorithms, the subject is+   * considered not matching.+   */+  @NotEmpty(message = "digest must not be empty")+  private Map<+          @NotBlank(message = "digest key contents can be empty strings") String,+          @NotBlank(message = "digest value contents can be empty strings") String>+      digest;++  public String getName() {+    return name;+  }++  public void setName(String name) {+    this.name = name;+  }++  public Map<String, String> getDigest() {
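Review bot: the constraint messages on the digest map read "digest key contents can be empty strings" and "digest value contents can be empty strings", the opposite of what `@NotBlank` enforces; change both to "must not be blank". Separately, the JavaDoc copies the spec's "MUST be non-empty and unique within subject" for `name`, but nothing in this hunk checks uniqueness across the subject list; a validator on the Statement's subject collection would close that gap.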

optional: create a standalone type called DigestSet (https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet) and move DigestSetAlgorithmType into an inner enum of that class?

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.dsse.models;++import java.util.List;+import java.util.Objects;+import javax.validation.constraints.NotBlank;+import javax.validation.constraints.NotEmpty;++/**+ * Implementation of the a DSSE Envelope. The Envelope is the outermost layer of the attestation,+ * handling authentication and serialization. The format and protocol are defined in DSSE and+ * adopted by in-toto in ITE-5. It is a JSON object with the following fields: payloadType string,+ * required+ *+ * <p>Identifier for the encoding of the payload. Always application/vnd.in-toto+json, which
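Review bot: the JavaDoc says payloadType is "Always application/vnd.in-toto+json", but this class sits in the dsse package and DSSE itself is payload-agnostic; either document that the class is in-toto specific (and name it so) or make payloadType a settable field with the in-toto value as the default. The spec table pasted into the comment ("payloadType string, required" run into the paragraph) would read better as one `<p>` or list item per field, naming the field before describing it.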

nit: perhaps it's because I'm not seeing the rendered JavaDoc, but this format confuses me a bit. The <p> parts seem to reference individual fields, but I don't actually see them named.

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.intoto.models;++/**+ * A generic attestation type with a schema isomorphic to in-toto 0.9. This allows existing in-toto+ * users to make minimal changes to upgrade to the new attestation format.+ *+ * <p>Most users should migrate to a more specific attestation type, such as Provenance.+ */+public class Predicate {}
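Review bot: the JavaDoc ("A generic attestation type with a schema isomorphic to in-toto 0.9 ... migrate to a more specific attestation type, such as Provenance") is the attestation spec's description of the Link predicate, not of a base class; on an empty `public class Predicate {}` that every predicate extends it is misleading. Describe this class as the base type of all predicates and state what subclasses must provide (for example the predicateType URI), so that Statement does not need a separately set, possibly mismatched, predicateType.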

optional: Have the predicate know its own type so that users don't have to set it themselves.

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.intoto.helpers;++import com.fasterxml.jackson.core.JsonProcessingException;+import com.fasterxml.jackson.databind.ObjectMapper;+import com.fasterxml.jackson.databind.SerializationFeature;+import io.github.dsse.models.IntotoEnvelope;+import io.github.dsse.models.Signature;+import io.github.dsse.models.Signer;+import io.github.intoto.exceptions.InvalidModelException;+import io.github.intoto.models.Statement;+import java.security.InvalidKeyException;+import java.security.NoSuchAlgorithmException;+import java.security.SignatureException;+import java.util.Base64;+import java.util.List;+import java.util.Set;+import java.util.stream.Collectors;+import javax.validation.ConstraintViolation;+import javax.validation.Validation;+import javax.validation.Validator;++/**+ * Helper class for the intoto-java implementation. This class provides with helper methods to+ * validate and transform {@link Statement} into their JSON representations.+ */+public class IntotoHelper {++  private static final ObjectMapper objectMapper = new ObjectMapper();+  private static final Validator validator =+      Validation.buildDefaultValidatorFactory().getValidator();++  /**+   * Creates a JSON String representation of a DSSE Envelope.+   *+   * @param statement the Statement to add to the envelope+   * @param signer the Signer that will be used to sign the payloads.+   * @param prettyPrint if true it will pretty print the final Envelope JSON representation+   * @return a JSON representation for the envelope.+   * @throws InvalidModelException thrown when the given statement is not valid+   * @throws JsonProcessingException thrown when there are issues generating the JSON string+   * @throws NoSuchAlgorithmException thrown when there are issues encrypting the payloads in the+   *     Envelope+   * @throws SignatureException thrown when there are issues with the given key in the Signer+   * @throws InvalidKeyException thrown when there are issues matching the key with the given+   
*     algorithm+   */+  public static String produceIntotoEnvelopeAsJson(+      Statement statement, Signer signer, boolean prettyPrint)+      throws InvalidModelException, JsonProcessingException, NoSuchAlgorithmException,+          SignatureException, InvalidKeyException {+    // Get the Base64 encoded Statement to use as the payload+    String jsonStatement = validateAndTransformToJson(statement, false);+    String base64EncodedStatement = Base64.getEncoder().encodeToString(jsonStatement.getBytes());++    IntotoEnvelope envelope = new IntotoEnvelope();+    // Create the signed payload with the DSSEv1 format and sign it!+    byte[] signedDsseV1Payload =+        signer.sign(+            createPreAuthenticationEncoding(envelope.getPayloadType(), base64EncodedStatement));++    Signature signature = new Signature();+    signature.setKeyId(signer.getKeyId());+    // The sig contains the base64 encoded version of the signedDsseV1Payload+    signature.setSig(Base64.getEncoder().encodeToString(signedDsseV1Payload));+    // Let's complete the envelope+    envelope.setPayload(base64EncodedStatement);+    envelope.setSignatures(List.of(signature));+    if (prettyPrint) {+      return objectMapper.writerWithDefaultPrettyPrinter().writeValueAsString(envelope);+    }+    return objectMapper.writeValueAsString(envelope);+  }++  /**+   * Produces an {@link IntotoEnvelope} and signs the payload with the given Signer. 
Note: There is+   * another convenience method that returns the serialized JSON representation for the envelope+   *+   * @param statement the Statement to add to the envelope+   * @param signer the Signer that will be used to sign the payloads.+   * @return will return a {@link IntotoEnvelope} instead of the JSON representation.+   * @throws InvalidModelException thrown when the given statement is not valid+   * @throws JsonProcessingException thrown when there are issues generating the JSON string+   * @throws NoSuchAlgorithmException thrown when there are issues encrypting the payloads in the *+   *     Envelope+   * @throws SignatureException thrown when there are issues with the given key in the Signer+   * @throws InvalidKeyException thrown when there are issues matching the key with the given *+   *     algorithm+   */+  public static IntotoEnvelope produceIntotoEnvelope(Statement statement, Signer signer)
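Review bot: `createPreAuthenticationEncoding(envelope.getPayloadType(), base64EncodedStatement)` is handed the base64 text, but DSSE's PAE is computed over the raw SERIALIZED_BODY (the bytes that the base64 `payload` field encodes); unless that helper decodes its argument first, signatures produced here will not verify with other DSSE implementations. Please confirm and add a cross-implementation test vector. Two smaller points: `jsonStatement.getBytes()` uses the platform default charset (use UTF-8 explicitly), and the `@throws NoSuchAlgorithmException` text says "issues encrypting the payloads"; nothing is encrypted here, the payload is signed.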

Instead of having produceIntotoEnvelope and produceIntotoEnvelopeAsJson duplicate each other's logic, why not have produceIntotoEnvelopeAsJson call produceIntotoEnvelope and then just convert the result to JSON?

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.intoto.helpers;++import com.fasterxml.jackson.core.JsonProcessingException;+import com.fasterxml.jackson.databind.ObjectMapper;+import com.fasterxml.jackson.databind.SerializationFeature;+import io.github.dsse.models.IntotoEnvelope;+import io.github.dsse.models.Signature;+import io.github.dsse.models.Signer;+import io.github.intoto.exceptions.InvalidModelException;+import io.github.intoto.models.Statement;+import java.security.InvalidKeyException;+import java.security.NoSuchAlgorithmException;+import java.security.SignatureException;+import java.util.Base64;+import java.util.List;+import java.util.Set;+import java.util.stream.Collectors;+import javax.validation.ConstraintViolation;+import javax.validation.Validation;+import javax.validation.Validator;++/**+ * Helper class for the intoto-java implementation. This class provides with helper methods to+ * validate and transform {@link Statement} into their JSON representations.+ */+public class IntotoHelper {++  private static final ObjectMapper objectMapper = new ObjectMapper();+  private static final Validator validator =+      Validation.buildDefaultValidatorFactory().getValidator();++  /**+   * Creates a JSON String representation of a DSSE Envelope.+   *+   * @param statement the Statement to add to the envelope+   * @param signer the Signer that will be used to sign the payloads.+   * @param prettyPrint if true it will pretty print the final Envelope JSON representation+   * @return a JSON representation for the envelope.+   * @throws InvalidModelException thrown when the given statement is not valid+   * @throws JsonProcessingException thrown when there are issues generating the JSON string+   * @throws NoSuchAlgorithmException thrown when there are issues encrypting the payloads in the+   *     Envelope+   * @throws SignatureException thrown when there are issues with the given key in the Signer+   * @throws InvalidKeyException thrown when there are issues matching the key with the given+   
*     algorithm+   */+  public static String produceIntotoEnvelopeAsJson(+      Statement statement, Signer signer, boolean prettyPrint)+      throws InvalidModelException, JsonProcessingException, NoSuchAlgorithmException,+          SignatureException, InvalidKeyException {+    // Get the Base64 encoded Statement to use as the payload+    String jsonStatement = validateAndTransformToJson(statement, false);+    String base64EncodedStatement = Base64.getEncoder().encodeToString(jsonStatement.getBytes());++    IntotoEnvelope envelope = new IntotoEnvelope();+    // Create the signed payload with the DSSEv1 format and sign it!+    byte[] signedDsseV1Payload =

nit: this is the signature, not the payload.

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.slsa.models;++import java.time.Instant;++/** Other properties of the build. */+public class Metadata {++  /**+   * Identifies this particular build invocation, which can be useful for finding associated logs or+   * other ad-hoc analysis. The exact meaning and format is defined by builder.id; by default it is+   * treated as opaque and case-sensitive. The value SHOULD be globally unique.+   */+  private String buildInvocationId;++  /** The timestamp of when the build started. */+  private Instant buildStartedOn;
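Review bot: `private Instant buildStartedOn` will not serialize as the spec's RFC 3339 string with the plain `new ObjectMapper()` that IntotoHelper uses: Jackson 2.12+ rejects java.time types unless the JavaTimeModule is registered (InvalidDefinitionException), and older versions write the field as a nested object of epoch seconds and nanos. Register `JavaTimeModule` from jackson-datatype-jsr310 and disable `SerializationFeature.WRITE_DATES_AS_TIMESTAMPS` so the value is emitted as an ISO-8601 string such as "2021-06-01T12:00:00Z", and add a serialization test for it.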

How will this get serialized to json? As a string? https://github.com/in-toto/attestation/blob/main/spec/field_types.md#Timestamp

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.dsse.helpers;++import io.github.dsse.models.Signer;+import java.security.InvalidKeyException;+import java.security.NoSuchAlgorithmException;+import java.security.PrivateKey;+import java.security.Signature;+import java.security.SignatureException;++public class SimpleECDSASigner implements Signer {+  private final PrivateKey privateKey;++  public SimpleECDSASigner(PrivateKey privateKey) {+    this.privateKey = privateKey;+  }++  @Override+  public byte[] sign(String payload)+      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {+    Signature signature = Signature.getInstance("SHA1withECDSA");+    signature.initSign(privateKey);+    signature.update(payload.getBytes());+    return signature.sign();+  }++  @Override+  public String getKeyId() {
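Review bot: the signer hashes with SHA1withECDSA and signs `payload.getBytes()` in the platform default charset; switch to SHA256withECDSA and `StandardCharsets.UTF_8` so the bytes signed here match what a verifier on another platform reconstructs from the PAE. `sign(String payload)` also forces the PAE through a String; taking `byte[]` avoids any re-encoding between PAE construction and signing.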

instead of returning 'null' could you add a keyid parameter to the constructor?

We plan to use the keyid hint pretty heavily and it would be a bummer if people didn't usually set it.

Alos

comment created time in 2 days
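The two points raised in this thread, that the keyid is a caller-supplied hint rather than the key itself and that what gets signed is the DSSE pre-authentication encoding rather than the payload, are easier to see in one piece of working code. The following is an added stand-alone Java example and is not the in-toto-java code under review. It assumes Java 11+ (for `writeBytes` and `isBlank`), uses SHA256withECDSA instead of the SHA1withECDSA seen in the hunks, and introduces a hypothetical `EcdsaSigner` class, a constructed statement body and a made-up keyid `builder-key-2021`.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Added example: DSSE signing and verification over the pre-authentication encoding (PAE)
 * with a caller-supplied keyid. Hypothetical helper, not the in-toto-java code under review.
 */
public final class DsseSignExample {

  /**
   * DSSE v1 PAE: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, where LEN is the decimal
   * byte length and body is the raw serialized payload, not its base64 form.
   */
  static byte[] pae(String payloadType, byte[] body) {
    byte[] type = payloadType.getBytes(StandardCharsets.UTF_8);
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    out.writeBytes(("DSSEv1 " + type.length + " ").getBytes(StandardCharsets.UTF_8));
    out.writeBytes(type);
    out.writeBytes((" " + body.length + " ").getBytes(StandardCharsets.UTF_8));
    out.writeBytes(body);
    return out.toByteArray();
  }

  /** Signer that carries the keyid it publishes under; the keyid is mandatory here. */
  static final class EcdsaSigner {
    private final PrivateKey privateKey;
    private final String keyId;

    EcdsaSigner(PrivateKey privateKey, String keyId) {
      if (keyId == null || keyId.isBlank()) {
        throw new IllegalArgumentException("keyid must be a non-blank identifier for the public key");
      }
      this.privateKey = privateKey;
      this.keyId = keyId;
    }

    String keyId() {
      return keyId;
    }

    /** Signs the PAE bytes as-is: SHA-256 rather than SHA-1, and no String round trip. */
    byte[] sign(byte[] paeBytes) throws GeneralSecurityException {
      Signature sig = Signature.getInstance("SHA256withECDSA");
      sig.initSign(privateKey);
      sig.update(paeBytes);
      return sig.sign();
    }
  }

  /** Verifier side: rebuild the PAE from the decoded payload, then check the signature. */
  static boolean verify(PublicKey publicKey, String payloadType, byte[] body, byte[] signature)
      throws GeneralSecurityException {
    Signature sig = Signature.getInstance("SHA256withECDSA");
    sig.initVerify(publicKey);
    sig.update(pae(payloadType, body));
    return sig.verify(signature);
  }

  /** Envelope layout from the DSSE spec; the values used here are ASCII, so no JSON escaping. */
  static String envelopeJson(String payloadType, byte[] body, String keyId, byte[] signature) {
    Base64.Encoder b64 = Base64.getEncoder();
    return "{\"payloadType\":\"" + payloadType
        + "\",\"payload\":\"" + b64.encodeToString(body)
        + "\",\"signatures\":[{\"keyid\":\"" + keyId
        + "\",\"sig\":\"" + b64.encodeToString(signature) + "\"}]}";
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
    kpg.initialize(256); // P-256
    KeyPair kp = kpg.generateKeyPair();

    String payloadType = "application/vnd.in-toto+json";
    // Constructed stand-in for a serialized Statement; not a real attestation.
    byte[] body = "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"subject\":[]}"
        .getBytes(StandardCharsets.UTF_8);

    EcdsaSigner signer = new EcdsaSigner(kp.getPrivate(), "builder-key-2021"); // made-up keyid
    byte[] signature = signer.sign(pae(payloadType, body));
    System.out.println(envelopeJson(payloadType, body, signer.keyId(), signature));

    System.out.println("valid: " + verify(kp.getPublic(), payloadType, body, signature));
    // Changing only the payloadType breaks the signature: the PAE binds type and body together.
    System.out.println("type swapped: " + verify(kp.getPublic(), "text/plain", body, signature));
    // Signing or verifying the base64 text instead of the decoded body fails too.
    byte[] b64Body = Base64.getEncoder().encodeToString(body).getBytes(StandardCharsets.UTF_8);
    System.out.println("base64 as body: " + verify(kp.getPublic(), payloadType, b64Body, signature));
  }
}
```

The keyid is deliberately a constructor argument, not derived from the key material, because consumers use it only to pick which verification key to try; the verifier never trusts the hint for anything else. The two negative checks at the end show why the PAE exists: the same body under a different payload type, or the base64 text in place of the raw body, both fail verification.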

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.intoto.helpers;++import com.fasterxml.jackson.core.JsonProcessingException;+import com.fasterxml.jackson.databind.ObjectMapper;+import com.fasterxml.jackson.databind.SerializationFeature;+import io.github.dsse.models.IntotoEnvelope;+import io.github.dsse.models.Signature;+import io.github.dsse.models.Signer;+import io.github.intoto.exceptions.InvalidModelException;+import io.github.intoto.models.Statement;+import java.security.InvalidKeyException;+import java.security.NoSuchAlgorithmException;+import java.security.SignatureException;+import java.util.Base64;+import java.util.List;+import java.util.Set;+import java.util.stream.Collectors;+import javax.validation.ConstraintViolation;+import javax.validation.Validation;+import javax.validation.Validator;++/**+ * Helper class for the intoto-java implementation. This class provides with helper methods to+ * validate and transform {@link Statement} into their JSON representations.+ */+public class IntotoHelper {++  private static final ObjectMapper objectMapper = new ObjectMapper();+  private static final Validator validator =+      Validation.buildDefaultValidatorFactory().getValidator();++  /**+   * Creates a JSON String representation of a DSSE Envelope.+   *+   * @param statement the Statement to add to the envelope+   * @param signer the Signer that will be used to sign the payloads.+   * @param prettyPrint if true it will pretty print the final Envelope JSON representation+   * @return a JSON representation for the envelope.+   * @throws InvalidModelException thrown when the given statement is not valid+   * @throws JsonProcessingException thrown when there are issues generating the JSON string+   * @throws NoSuchAlgorithmException thrown when there are issues encrypting the payloads in the+   *     Envelope+   * @throws SignatureException thrown when there are issues with the given key in the Signer+   * @throws InvalidKeyException thrown when there are issues matching the key with the given+   
*     algorithm+   */+  public static String produceIntotoEnvelopeAsJson(+      Statement statement, Signer signer, boolean prettyPrint)+      throws InvalidModelException, JsonProcessingException, NoSuchAlgorithmException,+          SignatureException, InvalidKeyException {+    // Get the Base64 encoded Statement to use as the payload+    String jsonStatement = validateAndTransformToJson(statement, false);+    String base64EncodedStatement = Base64.getEncoder().encodeToString(jsonStatement.getBytes());++    IntotoEnvelope envelope = new IntotoEnvelope();+    // Create the signed payload with the DSSEv1 format and sign it!+    byte[] signedDsseV1Payload =+        signer.sign(+            createPreAuthenticationEncoding(envelope.getPayloadType(), base64EncodedStatement));++    Signature signature = new Signature();+    signature.setKeyId(signer.getKeyId());+    // The sig contains the base64 encoded version of the signedDsseV1Payload+    signature.setSig(Base64.getEncoder().encodeToString(signedDsseV1Payload));+    // Let's complete the envelope+    envelope.setPayload(base64EncodedStatement);+    envelope.setSignatures(List.of(signature));+    if (prettyPrint) {+      return objectMapper.writerWithDefaultPrettyPrinter().writeValueAsString(envelope);+    }+    return objectMapper.writeValueAsString(envelope);
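Review bot: `signature.setKeyId(signer.getKeyId())` copies the value through unchecked; with a Signer whose getKeyId() returns null, the envelope carries `"keyid": null` (or drops the field, depending on the mapper's inclusion settings) and a verifier that keys on the hint cannot select a key. Either reject a null or blank keyid here or document that it is optional and omit the field when it is absent.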

optional: would it make any sense to have the default return value be in JSON Lines format so that it's ready for a Bundle?

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 its current limitations.  # Usage -## installation+## Installation -This library is intended to be used with maven buildsystem, although you can-probably easily move it to any other if you're familiar with those. To add it-to your mvn project edit the pom.xml file to add:+This library is intended to be used with maven build system, although you can+probably easily move it to any other if you're familiar with those. To add it to+your mvn project edit the pom.xml file to add:  ```xml     ...-    <dependency>-      <groupId>io.github.in-toto</groupId>-      <artifactId>in-toto</artifactId>-      <version>0.1</version>-      <scope>compile</scope>-    </dependency>+<dependency>+  <groupId>io.github.in-toto</groupId>+  <artifactId>in-toto</artifactId>+  <version>0.3.3</version>+</dependency>     ... ``` -With it you should be able to use the library inside of your project.+With it, you should be able to use the library inside your project. -## Using the library+## Using the new library -The library exposes a series of objects and convenience methods to create,-sign, and serialize in-toto metadata. As of now, only Link metadata is-supported (see the Limitations section to see what exactly is supported as of-now).+The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .+If you wish to use the deprecated legacy Link library, please skip to the next+section. -Metadata classes are located in the `io.in_toto.models.*` namespace. 
You can,-for example create a link as follows:+The new library allows you to instantiate a Statement and populate it as+follows:  ```java-    Link link = new Link(null, null, "test", null, null);+Subject subject=new Subject();+    subject.setName("curl-7.72.0.tar.bz2");+    subject.setDigest(+    Map.of(+    DigestSetAlgorithmType.SHA256.toString(),+    "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"));+    Predicate predicate=new Predicate(); // Let's pretend this is an SLSA predicate+    Statement statement=new Statement();+    statement.set_type(StatementType.STATEMENT_V_0_1);+    statement.setSubject(List.of(subject));+    statement.setPredicateType(PredicateType.SLSA_PROVENANCE_V_0_1);+    statement.setPredicate(predicate); ``` -This will create a link object that you can operate with. +Finally, you can use the built-in `IntotoHelper` class to validate and transform+it into its JSON representation as follows:++```java+    String jsonStatement=IntotoHelper.validateAndTransformToJson(statement);+```++If the statement passed to the method is malformed the library will throw+an `InvalidModelException` that will contain a message with the errors.++If you, however wish to create a DSSE based In-toto envelope, The library+features a convenience method:++```java+IntotoEnvelope intotoEnvelope=IntotoHelper.produceIntotoEnvelope(statement,signer);

nit: produceIntotoEnvelope -> produceSignedDsse()

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

+package io.github.dsse.helpers;++import io.github.dsse.models.Signer;+import java.security.InvalidKeyException;+import java.security.NoSuchAlgorithmException;+import java.security.PrivateKey;+import java.security.Signature;+import java.security.SignatureException;++public class SimpleECDSASigner implements Signer {

nit: Would it make sense to have comments for this class? (and maybe the others too)

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 its current limitations.  # Usage -## installation+## Installation -This library is intended to be used with maven buildsystem, although you can-probably easily move it to any other if you're familiar with those. To add it-to your mvn project edit the pom.xml file to add:+This library is intended to be used with maven build system, although you can+probably easily move it to any other if you're familiar with those. To add it to+your mvn project edit the pom.xml file to add:  ```xml     ...-    <dependency>-      <groupId>io.github.in-toto</groupId>-      <artifactId>in-toto</artifactId>-      <version>0.1</version>-      <scope>compile</scope>-    </dependency>+<dependency>+  <groupId>io.github.in-toto</groupId>+  <artifactId>in-toto</artifactId>+  <version>0.3.3</version>+</dependency>     ... ``` -With it you should be able to use the library inside of your project.+With it, you should be able to use the library inside your project. -## Using the library+## Using the new library -The library exposes a series of objects and convenience methods to create,-sign, and serialize in-toto metadata. As of now, only Link metadata is-supported (see the Limitations section to see what exactly is supported as of-now).+The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .+If you wish to use the deprecated legacy Link library, please skip to the next+section. -Metadata classes are located in the `io.in_toto.models.*` namespace. 
You can,-for example create a link as follows:+The new library allows you to instantiate a Statement and populate it as+follows:  ```java-    Link link = new Link(null, null, "test", null, null);+Subject subject=new Subject();+    subject.setName("curl-7.72.0.tar.bz2");+    subject.setDigest(+    Map.of(+    DigestSetAlgorithmType.SHA256.toString(),+    "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"));+    Predicate predicate=new Predicate(); // Let's pretend this is an SLSA predicate+    Statement statement=new Statement();+    statement.set_type(StatementType.STATEMENT_V_0_1);+    statement.setSubject(List.of(subject));+    statement.setPredicateType(PredicateType.SLSA_PROVENANCE_V_0_1);+    statement.setPredicate(predicate); ``` -This will create a link object that you can operate with. +Finally, you can use the built-in `IntotoHelper` class to validate and transform+it into its JSON representation as follows:++```java+    String jsonStatement=IntotoHelper.validateAndTransformToJson(statement);+```++If the statement passed to the method is malformed the library will throw+an `InvalidModelException` that will contain a message with the errors.++If you, however wish to create a DSSE based In-toto envelope, The library+features a convenience method:++```java+IntotoEnvelope intotoEnvelope=IntotoHelper.produceIntotoEnvelope(statement,signer);+```++This method will accept a `io.github.intoto.models.Statement` and an

nit: the method exists now so maybe use present tense instead of past? E.g. "This method accepts" or maybe just leave it out entirely since folks can go look at the code/docs?

Alos

comment created time in 2 days

Pull request review comment: in-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 its current limitations.  # Usage -## installation+## Installation -This library is intended to be used with maven buildsystem, although you can-probably easily move it to any other if you're familiar with those. To add it-to your mvn project edit the pom.xml file to add:+This library is intended to be used with maven build system, although you can+probably easily move it to any other if you're familiar with those. To add it to+your mvn project edit the pom.xml file to add:  ```xml     ...-    <dependency>-      <groupId>io.github.in-toto</groupId>-      <artifactId>in-toto</artifactId>-      <version>0.1</version>-      <scope>compile</scope>-    </dependency>+<dependency>+  <groupId>io.github.in-toto</groupId>+  <artifactId>in-toto</artifactId>+  <version>0.3.3</version>+</dependency>     ... ``` -With it you should be able to use the library inside of your project.+With it, you should be able to use the library inside your project. -## Using the library+## Using the new library -The library exposes a series of objects and convenience methods to create,-sign, and serialize in-toto metadata. As of now, only Link metadata is-supported (see the Limitations section to see what exactly is supported as of-now).+The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .+If you wish to use the deprecated legacy Link library, please skip to the next+section. -Metadata classes are located in the `io.in_toto.models.*` namespace. 
You can,-for example create a link as follows:+The new library allows you to instantiate a Statement and populate it as+follows:  ```java-    Link link = new Link(null, null, "test", null, null);+Subject subject=new Subject();+    subject.setName("curl-7.72.0.tar.bz2");+    subject.setDigest(+    Map.of(+    DigestSetAlgorithmType.SHA256.toString(),+    "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"));+    Predicate predicate=new Predicate(); // Let's pretend this is an SLSA predicate+    Statement statement=new Statement();+    statement.set_type(StatementType.STATEMENT_V_0_1);+    statement.setSubject(List.of(subject));+    statement.setPredicateType(PredicateType.SLSA_PROVENANCE_V_0_1);+    statement.setPredicate(predicate); ``` -This will create a link object that you can operate with. +Finally, you can use the built-in `IntotoHelper` class to validate and transform+it into its JSON representation as follows:++```java+    String jsonStatement=IntotoHelper.validateAndTransformToJson(statement);+```++If the statement passed to the method is malformed the library will throw+an `InvalidModelException` that will contain a message with the errors.++If you, however wish to create a DSSE based In-toto envelope, The library+features a convenience method:++```java+IntotoEnvelope intotoEnvelope=IntotoHelper.produceIntotoEnvelope(statement,signer);+```++This method will accept a `io.github.intoto.models.Statement` and an+implementation of the ` io.github.dsse.models.Signer` interface.++### Implementing a Signer and a Verifier++The Signer and Verifier are used to abstract away the sign and verify mechanism+from this library. This allows the user to implement their own Signer/Verifier.+An example of such an implementation is available in+the `io.github.dsse.helpers package`.
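Review bot: the "Implementing a Signer and a Verifier" section says the two interfaces abstract the sign and verify mechanism away, but not what a custom implementation is handed; please state the contract here, i.e. whether the Signer receives the DSSE pre-authentication encoding (PAE) of the payload type and payload or the raw statement bytes, and what the Verifier is expected to check, because a user-supplied Signer that signs the wrong bytes produces envelopes that no DSSE verifier will accept. Also, the reference to the helpers puts the word "package" and a leading space inside the backticks; it should read `io.github.dsse.helpers` package, and the "optional: can you link directly to it" request above would resolve that neatly.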

optional: Can you link directly to it?

Alos

comment created time in 2 days

Pull request review commentin-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 ArtifactHash subclass. You can also use the link's convenience method:     link.addArtifact("alice"); ``` -Once the artfifact is populated, it hashes the target artifact with any of the+Once the artifact is populated, it hashes the target artifact with any of the supported hashes.  Finally, you can sign and dump a link by calling sign and dump respectively.  ```java-import io.github.in_toto.keys.Key;-import io.github.in_toto.keys.RSAKey;+ ...-    Key thiskey = RSAKey.read("src/test/resources/somekey.pem");-    System.out.println("Loaded key: " + thiskey.computeKeyId());+    Key thiskey=RSAKey.read("src/test/resources/somekey.pem");
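Review bot: the legacy Link signing example in this hunk drops its two import lines (`io.github.in_toto.keys.Key` and `io.github.in_toto.keys.RSAKey`) in favour of a bare ` ...`, and also drops the `System.out.println("Loaded key: " + thiskey.computeKeyId());` line. Since this section is being kept as the documented path for the deprecated Link API, keep the imports so the snippet stays copy-pasteable, and keep the `computeKeyId()` line (or say how a caller obtains the key ID), as it is the only place the README shows where a key ID comes from.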

Why the change from a = b to a=b ?

Alos

comment created time in 2 days

Pull request review commentin-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 its current limitations.  # Usage -## installation+## Installation -This library is intended to be used with maven buildsystem, although you can-probably easily move it to any other if you're familiar with those. To add it-to your mvn project edit the pom.xml file to add:+This library is intended to be used with maven build system, although you can+probably easily move it to any other if you're familiar with those. To add it to+your mvn project edit the pom.xml file to add:  ```xml     ...-    <dependency>-      <groupId>io.github.in-toto</groupId>-      <artifactId>in-toto</artifactId>-      <version>0.1</version>-      <scope>compile</scope>-    </dependency>+<dependency>+  <groupId>io.github.in-toto</groupId>+  <artifactId>in-toto</artifactId>+  <version>0.3.3</version>+</dependency>     ... ``` -With it you should be able to use the library inside of your project.+With it, you should be able to use the library inside your project. -## Using the library+## Using the new library -The library exposes a series of objects and convenience methods to create,-sign, and serialize in-toto metadata. As of now, only Link metadata is-supported (see the Limitations section to see what exactly is supported as of-now).+The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .+If you wish to use the deprecated legacy Link library, please skip to the next+section. -Metadata classes are located in the `io.in_toto.models.*` namespace. You can,-for example create a link as follows:+The new library allows you to instantiate a Statement and populate it as+follows:  ```java-    Link link = new Link(null, null, "test", null, null);+Subject subject=new Subject();+    subject.setName("curl-7.72.0.tar.bz2");+    subject.setDigest(+    Map.of(+    DigestSetAlgorithmType.SHA256.toString(),+    "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"));+    Predicate predicate=new Predicate(); // Let's pretend this is an SLSA predicate
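Review bot: in the Installation paragraph, "intended to be used with maven build system" should read "with the Maven build system", and the clause "although you can probably easily move it to any other if you're familiar with those" is vague; either give the Gradle coordinates (the groupId, artifactId and version shown in the XML are all that is needed) or drop the clause. Removing `<scope>compile</scope>` from the dependency block is harmless, since compile is Maven's default scope, so no note is needed for that.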

WDYT about:

```java
Predicate predicate = CreateSlsaPredicate(...); // Then just don't define CreateSlsaPredicate
```
Alos

comment created time in 2 days


Pull request review commentin-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 its current limitations.  # Usage -## installation+## Installation -This library is intended to be used with maven buildsystem, although you can-probably easily move it to any other if you're familiar with those. To add it-to your mvn project edit the pom.xml file to add:+This library is intended to be used with maven build system, although you can+probably easily move it to any other if you're familiar with those. To add it to+your mvn project edit the pom.xml file to add:  ```xml     ...-    <dependency>-      <groupId>io.github.in-toto</groupId>-      <artifactId>in-toto</artifactId>-      <version>0.1</version>-      <scope>compile</scope>-    </dependency>+<dependency>+  <groupId>io.github.in-toto</groupId>+  <artifactId>in-toto</artifactId>+  <version>0.3.3</version>+</dependency>     ... ``` -With it you should be able to use the library inside of your project.+With it, you should be able to use the library inside your project. -## Using the library+## Using the new library -The library exposes a series of objects and convenience methods to create,-sign, and serialize in-toto metadata. As of now, only Link metadata is-supported (see the Limitations section to see what exactly is supported as of-now).+The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .+If you wish to use the deprecated legacy Link library, please skip to the next+section. -Metadata classes are located in the `io.in_toto.models.*` namespace. 
You can,-for example create a link as follows:+The new library allows you to instantiate a Statement and populate it as+follows:  ```java-    Link link = new Link(null, null, "test", null, null);+Subject subject=new Subject();+    subject.setName("curl-7.72.0.tar.bz2");+    subject.setDigest(+    Map.of(+    DigestSetAlgorithmType.SHA256.toString(),+    "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"));+    Predicate predicate=new Predicate(); // Let's pretend this is an SLSA predicate+    Statement statement=new Statement();+    statement.set_type(StatementType.STATEMENT_V_0_1);+    statement.setSubject(List.of(subject));+    statement.setPredicateType(PredicateType.SLSA_PROVENANCE_V_0_1);
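Review bot: `statement.set_type(StatementType.STATEMENT_V_0_1)` uses a snake_case setter while every other call in the snippet is camelCase (`setSubject`, `setPredicateType`, `setPredicate`); if the name mirrors the `_type` JSON field of the Statement, say so in a comment beside the call, or rename it to `setType` and keep the serialized field name in the model's JSON annotation, so readers don't take the underscore for a typo.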

Would it be possible for the statement to infer the predicate type from the predicate that gets set in statement.setPredicate?

Alos

comment created time in 2 days


Pull request review commentin-toto/in-toto-java

Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1

 its current limitations.  # Usage -## installation+## Installation -This library is intended to be used with maven buildsystem, although you can-probably easily move it to any other if you're familiar with those. To add it-to your mvn project edit the pom.xml file to add:+This library is intended to be used with maven build system, although you can+probably easily move it to any other if you're familiar with those. To add it to+your mvn project edit the pom.xml file to add:  ```xml     ...-    <dependency>-      <groupId>io.github.in-toto</groupId>-      <artifactId>in-toto</artifactId>-      <version>0.1</version>-      <scope>compile</scope>-    </dependency>+<dependency>+  <groupId>io.github.in-toto</groupId>+  <artifactId>in-toto</artifactId>+  <version>0.3.3</version>+</dependency>     ... ``` -With it you should be able to use the library inside of your project.+With it, you should be able to use the library inside your project. -## Using the library+## Using the new library -The library exposes a series of objects and convenience methods to create,-sign, and serialize in-toto metadata. As of now, only Link metadata is-supported (see the Limitations section to see what exactly is supported as of-now).+The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .+If you wish to use the deprecated legacy Link library, please skip to the next+section. -Metadata classes are located in the `io.in_toto.models.*` namespace. You can,-for example create a link as follows:+The new library allows you to instantiate a Statement and populate it as+follows:  ```java-    Link link = new Link(null, null, "test", null, null);+Subject subject=new Subject();+    subject.setName("curl-7.72.0.tar.bz2");+    subject.setDigest(+    Map.of(+    DigestSetAlgorithmType.SHA256.toString(),+    "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"));
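Review bot: the digest map is keyed by `DigestSetAlgorithmType.SHA256.toString()`; please confirm, and ideally show in the JSON output, that this serializes as the lowercase `sha256` key the in-toto DigestSet uses rather than the enum constant name `SHA256`, because a consumer matching on the algorithm name will otherwise not find the digest at all. A plain `Map.of("sha256", "...")` literal, or a helper that accepts the enum directly, would make the example unambiguous.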

nit: should these two lines be indented?

Alos

comment created time in 2 days

Pull request review commentslsa-framework/github-actions-demo

Properly name each artifact in GH Actions.

 jobs:       - name: Upload provenance         uses: actions/upload-artifact@v2         with:+          name: build.provenance
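Review bot: the context line `uses: actions/upload-artifact@v2` pins the action to a mutable tag; for a demo whose whole point is provenance, pin it to a full-length commit SHA (with the tag in a trailing comment) so the step that uploads the provenance cannot be swapped out by a tag move. The added `name: build.provenance` is fine on its own, but the `path:` it pairs with is outside the shown context, so please double-check that the artifact name and the uploaded file still match.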

Ah, got it. Two very important points.

MarkLodato

comment created time in 3 days


Pull request review commentslsa-framework/github-actions-demo

Properly name each artifact in GH Actions.

 jobs:       - name: Upload provenance         uses: actions/upload-artifact@v2         with:+          name: build.provenance

Should we update this to use the in-toto bundle naming? https://github.com/in-toto/attestation/blob/main/spec/bundle.md

MarkLodato

comment created time in 3 days


pull request commentslsa-framework/slsa

Make source control recommended at L1

Done

TomHennen

comment created time in 3 days

push eventTomHennen/slsa

Tom Hennen

commit sha 7c70e6d2ad406b80c849d7d2928391851ea12607

add clarification that '○' = RECOMMENDED

Signed-off-by: Tom Hennen <tomhennen@google.com>


push time in 3 days