Replace sigstore_proto_buf with sigstore_models

In many cases the classes of sigstore_models can be called with unchanged
parameters. However, in some cases explicit base64 encoding needs to be
done.

Signed-off-by: Stefan Berger <[email protected]>

Author: stefanberger

pyproject.toml

@@ -32,8 +32,8 @@ dependencies = [
   "click",
   "cryptography",
   "in-toto-attestation",
-  "sigstore-protobuf-specs == 0.3.2",
   "sigstore==3.6.5",
+  "sigstore-models>=0.0.5",
   "typing_extensions",
 ]
 requires-python = ">=3.9"

src/model_signing/_signing/sign_certificate.py

@@ -14,6 +14,7 @@
 
 """Signers and verifiers using certificates."""
 
+import base64
 from collections.abc import Iterable
 import logging
 import pathlib
@@ -26,8 +27,8 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.x509 import oid
 from OpenSSL import crypto
-from sigstore_protobuf_specs.dev.sigstore.bundle import v1 as bundle_pb
-from sigstore_protobuf_specs.dev.sigstore.common import v1 as common_pb
+from sigstore_models.bundle import v1 as bundle_pb
+from sigstore_models.common import v1 as common_pb
 from typing_extensions import override
 
 from model_signing._signing import sign_ec_key as ec_key
@@ -79,8 +80,10 @@ def __init__(
     def _get_verification_material(self) -> bundle_pb.VerificationMaterial:
         def _to_protobuf_certificate(certificate):
             return common_pb.X509Certificate(
-                raw_bytes=certificate.public_bytes(
-                    encoding=serialization.Encoding.DER
+                raw_bytes=base64.b64encode(
+                    certificate.public_bytes(
+                        encoding=serialization.Encoding.DER
+                    )
                 )
             )
 
@@ -95,7 +98,8 @@ def _to_protobuf_certificate(certificate):
         return bundle_pb.VerificationMaterial(
             x509_certificate_chain=common_pb.X509CertificateChain(
                 certificates=chain
-            )
+            ),
+            tlog_entries=[],
         )
 
 

src/model_signing/_signing/sign_ec_key.py

@@ -14,6 +14,7 @@
 
 """Signers and verifiers using elliptic curve keys."""
 
+import base64
 import hashlib
 import pathlib
 from typing import Optional
@@ -23,9 +24,9 @@
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 from google.protobuf import json_format
-from sigstore_protobuf_specs.dev.sigstore.bundle import v1 as bundle_pb
-from sigstore_protobuf_specs.dev.sigstore.common import v1 as common_pb
-from sigstore_protobuf_specs.io import intoto as intoto_pb
+from sigstore_models import intoto as intoto_pb
+from sigstore_models.bundle import v1 as bundle_pb
+from sigstore_models.common import v1 as common_pb
 from typing_extensions import override
 
 from model_signing._signing import sign_sigstore_pb as sigstore_pb
@@ -102,15 +103,17 @@ def sign(self, payload: signing.Payload) -> signing.Signature:
         )
 
         raw_signature = intoto_pb.Signature(
-            sig=self._private_key.sign(
-                sigstore_pb.pae(raw_payload),
-                ec.ECDSA(get_ec_key_hash(self._private_key.public_key())),
+            sig=base64.b64encode(
+                self._private_key.sign(
+                    sigstore_pb.pae(raw_payload),
+                    ec.ECDSA(get_ec_key_hash(self._private_key.public_key())),
+                )
             ),
             keyid="",
         )
 
         envelope = intoto_pb.Envelope(
-            payload=raw_payload,
+            payload=base64.b64encode(raw_payload),
             payload_type=signing._IN_TOTO_JSON_PAYLOAD_TYPE,
             signatures=[raw_signature],
         )
@@ -135,7 +138,8 @@ def _get_verification_material(self) -> bundle_pb.VerificationMaterial:
         hash_bytes = hashlib.sha256(raw_bytes).digest().hex()
 
         return bundle_pb.VerificationMaterial(
-            public_key=common_pb.PublicKeyIdentifier(hint=hash_bytes)
+            public_key=common_pb.PublicKeyIdentifier(hint=hash_bytes),
+            tlog_entries=[],
         )
 
 

src/model_signing/_signing/sign_pkcs11.py

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import base64
 from collections.abc import Iterable
 import hashlib
 import pathlib
@@ -27,9 +28,9 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from google.protobuf import json_format
 import PyKCS11
-from sigstore_protobuf_specs.dev.sigstore.bundle import v1 as bundle_pb
-from sigstore_protobuf_specs.dev.sigstore.common import v1 as common_pb
-from sigstore_protobuf_specs.io import intoto as intoto_pb
+from sigstore_models import intoto as intoto_pb
+from sigstore_models.bundle import v1 as bundle_pb
+from sigstore_models.common import v1 as common_pb
 from typing_extensions import override
 
 from model_signing._signing import sign_ec_key as ec_key
@@ -175,10 +176,10 @@ def sign(self, payload: signing.Payload) -> signing.Signature:
         # Convert plain r & s signature values to ASN.1
         sig = DSASignature.from_p1363(rs_sig).dump()
 
-        raw_signature = intoto_pb.Signature(sig=sig, keyid="")
+        raw_signature = intoto_pb.Signature(sig=base64.b64encode(sig), keyid="")
 
         envelope = intoto_pb.Envelope(
-            payload=raw_payload,
+            payload=base64.b64encode(raw_payload),
             payload_type=signing._IN_TOTO_JSON_PAYLOAD_TYPE,
             signatures=[raw_signature],
         )
@@ -203,7 +204,8 @@ def _get_verification_material(self) -> bundle_pb.VerificationMaterial:
         hash_bytes = hashlib.sha256(raw_bytes).digest().hex()
 
         return bundle_pb.VerificationMaterial(
-            public_key=common_pb.PublicKeyIdentifier(hint=hash_bytes)
+            public_key=common_pb.PublicKeyIdentifier(hint=hash_bytes),
+            tlog_entries=[],
         )
 
 

src/model_signing/_signing/sign_sigstore_pb.py

@@ -27,7 +27,7 @@
 import sys
 from typing import cast
 
-from sigstore_protobuf_specs.dev.sigstore.bundle import v1 as bundle_pb
+from sigstore_models.bundle import v1 as bundle_pb
 from typing_extensions import override
 
 from model_signing._signing import signing
@@ -112,7 +112,18 @@ def write(self, path: pathlib.Path) -> None:
     def read(cls, path: pathlib.Path) -> Self:
         content = path.read_text()
         parsed_dict = json.loads(content)
-        return cls(bundle_pb.Bundle().from_dict(parsed_dict))
+
+        # adjust parsed_dict due to previous usage of protobufs
+        if "tlogEntries" not in parsed_dict["verificationMaterial"]:
+            parsed_dict["verificationMaterial"]["tlogEntries"] = []
+        if "publicKey" in parsed_dict["verificationMaterial"]:
+            if "hint" not in parsed_dict["verificationMaterial"]["publicKey"]:
+                parsed_dict["verificationMaterial"]["publicKey"]["hint"] = None
+            for k in ["rawBytes", "keyDetails"]:
+                if k in parsed_dict["verificationMaterial"]["publicKey"]:
+                    del parsed_dict["verificationMaterial"]["publicKey"][k]
+
+        return cls(bundle_pb.Bundle.from_dict(parsed_dict))
 
 
 class Signer(signing.Signer):