Add verify goal

pom.xml

@@ -164,6 +164,21 @@
       <artifactId>maven-jarsigner</artifactId>
       <version>3.0.0</version>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>2.13.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+      <version>2.13.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcutil-jdk15on</artifactId>
+      <version>1.70</version>
+    </dependency>
   </dependencies>
 
   <build>

src/it/verify/pom.xml

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright 2021 The Sigstore Authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>sigstore.plugin.it</groupId>
+  <artifactId>verify-it</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <description>A simple IT verifying the verify use case.</description>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>@project.groupId@</groupId>
+        <artifactId>@project.artifactId@</artifactId>
+        <version>@project.version@</version>
+        <executions>
+          <execution>
+            <id>verify</id>
+            <goals>
+              <goal>verify</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <binaryFile>src/main/resources/test.jar</binaryFile>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

src/it/verify/verify.groovy

@@ -0,0 +1,26 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+File contentResult = new File( basedir, "target/verify-receipt.txt" )
+
+//As the plugin isn't doing actual signature validation yet, just data retrieval, just do some assertions against
+//the data
+assert contentResult.isFile()
+assert contentResult.text.contains("sha256 536d91853bf1d29af438e5e2478f1a9113c081e03367fb2f82e2ddb711291e6d")
+assert contentResult.text.contains("-----BEGIN CERTIFICATE-----")
+assert contentResult.text.contains("-----END CERTIFICATE-----")
+assert contentResult.text.contains("-----BEGIN PKCS7-----")
+assert contentResult.text.contains("-----END PKCS7-----")
+
+println "Assertions succeeded!"

src/main/java/dev/sigstore/plugin/Sign.java

@@ -29,25 +29,21 @@
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.Parameter;
 
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.FileWriter;
 import java.net.URL;
 import java.security.cert.CertPath;
-import java.security.cert.CertificateFactory;
 import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.ECGenParameterSpec;
-import java.security.cert.X509Certificate;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.security.Signature;
-import java.util.ArrayList;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
@@ -64,13 +60,10 @@
 import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
 import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
 import com.google.api.client.json.JsonFactory;
-import com.google.api.client.util.PemReader;
-import com.google.api.client.util.PemReader.Section;
 import com.google.api.client.util.store.DataStoreFactory;
 import com.google.api.client.util.store.MemoryDataStoreFactory;
 
 import java.io.IOException;
-import java.io.InputStreamReader;
 import java.io.InvalidObjectException;
 import java.util.List;
 
@@ -84,6 +77,8 @@
 
 import jdk.security.jarsigner.JarSigner;
 
+import static dev.sigstore.plugin.Utils.getCertPath;
+
 /**
  * Goal which:<ul>
  * <li>generates ephemeral key pair
@@ -408,22 +403,7 @@ public CertPath getSigningCert(String signedEmail, PublicKey pubKey, String idTo
             }
 
             getLog().info("parsing signing certificate");
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            ArrayList<X509Certificate> certList = new ArrayList<>();
-            PemReader pemReader = new PemReader(new InputStreamReader(resp.getContent()));
-            while (true) {
-                Section section = pemReader.readNextSection();
-                if (section == null) {
-                    break;
-                }
-
-                byte[] certBytes = section.getBase64DecodedBytes();
-                certList.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certBytes)));
-            }
-            if (certList.isEmpty()) {
-                throw new IOException("no certificates were found in response from Fulcio instance");
-            }
-            return cf.generateCertPath(certList);
+            return getCertPath(resp.getContent());
         } catch (Exception e) {
             throw new MojoExecutionException(String.format("Error obtaining signing certificate from Fulcio @%s:", fulcioInstanceURL), e);
         }
@@ -568,4 +548,4 @@ public URL submitToRekor(byte[] jarBytes) throws MojoExecutionException {
                     String.format("Error in submitting entry to Rekor @ %s:", rekorInstanceURL), e);
         }
     }
-}
+}

src/main/java/dev/sigstore/plugin/Utils.java

@@ -0,0 +1,53 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package dev.sigstore.plugin;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.StringReader;
+import java.security.cert.CertPath;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+
+import com.google.api.client.util.PemReader;
+import com.google.api.client.util.PemReader.Section;
+
+public class Utils
+{
+  public static CertPath getCertPath(final InputStream publicSigningCert)
+      throws CertificateException, IOException
+  {
+    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+    ArrayList<X509Certificate> certList = new ArrayList<>();
+    PemReader pemReader = new PemReader(new InputStreamReader(publicSigningCert));
+    while (true) {
+      Section section = pemReader.readNextSection();
+      if (section == null) {
+        break;
+      }
+
+      byte[] certBytes = section.getBase64DecodedBytes();
+      certList.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certBytes)));
+    }
+    if (certList.isEmpty()) {
+      throw new IOException("no certificates were found in publicSigningCert");
+    }
+    return cf.generateCertPath(certList);
+  }
+}

src/main/java/dev/sigstore/plugin/Verify.java

@@ -0,0 +1,51 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package dev.sigstore.plugin;
+
+import java.io.File;
+
+import javax.inject.Inject;
+
+import dev.sigstore.plugin.verify.SigstoreVerifier;
+import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.Parameter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Goal which:<ul>
+ * <li>verifies dependency signatures against Rekor
+ * </ul>
+ */
+@Mojo(name = "verify", defaultPhase = LifecyclePhase.VERIFY)
+public class Verify
+    extends AbstractMojo
+{
+  private static final Logger LOG = LoggerFactory.getLogger(Verify.class);
+
+  @Parameter(property = "binary-file")
+  private File binaryFile;
+
+  @Inject
+  private SigstoreVerifier sigstoreVerifier;
+
+  @Override
+  public final void execute() throws MojoExecutionException {
+    sigstoreVerifier.verifySignature(binaryFile);
+  }
+}