[DRAFT] Add RekorV2Client

CHANGELOG.md

@@ -17,6 +17,9 @@ All versions prior to 0.9.0 are untracked.
 * Added support for ed25519 keys.
   [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
 
+* Added a `RekorV2Client` for posting new entries to a Rekor V2 instance.
+  [#1400](https://github.com/sigstore/sigstore-python/pull/1400)
+
 ### Fixed
 
 * Avoid instantiation issues with `TransparencyLogEntry` when `InclusionPromise` is not present.

sigstore/_internal/rekor/__init__.py

@@ -16,18 +16,63 @@
 APIs for interacting with Rekor.
 """
 
+from __future__ import annotations
+
 import base64
+from abc import ABC, abstractmethod
+from typing import Any, NewType
 
 import rekor_types
 from cryptography.x509 import Certificate
 
 from sigstore._utils import base64_encode_pem_cert
+from sigstore.dsse import Envelope
 from sigstore.hashes import Hashed
+from sigstore.models import LogEntry
 
 __all__ = [
     "_hashedrekord_from_parts",
 ]
 
+EntryRequest = NewType("EntryRequest", dict[str, Any])
+
+
+class RekorLogSubmitter(ABC):
+    """Abstract class to represent a Rekor log entry submitter.
+
+    Intended to be implemented by RekorClient and RekorV2Client
+    """
+
+    @abstractmethod
+    def create_entry(
+        self,
+        request: EntryRequest,
+    ) -> LogEntry:
+        """
+        Submit the request to Rekor.
+        """
+        pass
+
+    @classmethod
+    @abstractmethod
+    def _build_hashed_rekord_request(
+        self, hashed_input: Hashed, signature: bytes, certificate: Certificate
+    ) -> EntryRequest:
+        """
+        Construct a hashed rekord request to submit to Rekor.
+        """
+        pass
+
+    @classmethod
+    @abstractmethod
+    def _build_dsse_request(
+        self, envelope: Envelope, certificate: Certificate
+    ) -> EntryRequest:
+        """
+        Construct a dsse request to submit to Rekor.
+        """
+        pass
+
 
 # TODO: This should probably live somewhere better.
 def _hashedrekord_from_parts(

sigstore/_internal/rekor/client.py

@@ -18,6 +18,7 @@
 
 from __future__ import annotations
 
+import base64
 import json
 import logging
 from abc import ABC
@@ -26,8 +27,16 @@
 
 import rekor_types
 import requests
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509 import Certificate
 
 from sigstore._internal import USER_AGENT
+from sigstore._internal.rekor import (
+    EntryRequest,
+    RekorLogSubmitter,
+)
+from sigstore.dsse import Envelope
+from sigstore.hashes import Hashed
 from sigstore.models import LogEntry
 
 _logger = logging.getLogger(__name__)
@@ -145,13 +154,12 @@ def get(
 
     def post(
         self,
-        proposed_entry: rekor_types.Hashedrekord | rekor_types.Dsse,
+        payload: EntryRequest,
     ) -> LogEntry:
         """
         Submit a new entry for inclusion in the Rekor log.
         """
 
-        payload = proposed_entry.model_dump(mode="json", by_alias=True)
         _logger.debug(f"proposed: {json.dumps(payload)}")
 
         resp: requests.Response = self.session.post(self.url, json=payload)
@@ -216,7 +224,7 @@ def post(
         return oldest_entry
 
 
-class RekorClient:
+class RekorClient(RekorLogSubmitter):
     """The internal Rekor client"""
 
     def __init__(self, url: str) -> None:
@@ -261,3 +269,63 @@ def log(self) -> RekorLog:
         Returns a `RekorLog` adapter for making requests to a Rekor log.
         """
         return RekorLog(f"{self.url}/log", session=self.session)
+
+    def create_entry(self, request: EntryRequest) -> LogEntry:
+        """
+        Submit the request to Rekor.
+        """
+        return self.log.entries.post(request)
+
+    def _build_hashed_rekord_request(  # type: ignore[override]
+        self, hashed_input: Hashed, signature: bytes, certificate: Certificate
+    ) -> EntryRequest:
+        """
+        Construct a hashed rekord payload to submit to Rekor.
+        """
+        rekord = rekor_types.Hashedrekord(
+            spec=rekor_types.hashedrekord.HashedrekordV001Schema(
+                signature=rekor_types.hashedrekord.Signature(
+                    content=base64.b64encode(signature).decode(),
+                    public_key=rekor_types.hashedrekord.PublicKey(
+                        content=base64.b64encode(
+                            certificate.public_bytes(
+                                encoding=serialization.Encoding.PEM
+                            )
+                        ).decode()
+                    ),
+                ),
+                data=rekor_types.hashedrekord.Data(
+                    hash=rekor_types.hashedrekord.Hash(
+                        algorithm=hashed_input._as_hashedrekord_algorithm(),
+                        value=hashed_input.digest.hex(),
+                    )
+                ),
+            ),
+        )
+        return EntryRequest(rekord.model_dump(mode="json", by_alias=True))
+
+    def _build_dsse_request(  # type: ignore[override]
+        self, envelope: Envelope, certificate: Certificate
+    ) -> EntryRequest:
+        """
+        Construct a dsse request to submit to Rekor.
+        """
+        dsse = rekor_types.Dsse(
+            spec=rekor_types.dsse.DsseSchema(
+                # NOTE: mypy can't see that this kwarg is correct due to two interacting
+                # behaviors/bugs (one pydantic, one datamodel-codegen):
+                # See: <https://github.com/pydantic/pydantic/discussions/7418#discussioncomment-9024927>
+                # See: <https://github.com/koxudaxi/datamodel-code-generator/issues/1903>
+                proposed_content=rekor_types.dsse.ProposedContent(  # type: ignore[call-arg]
+                    envelope=envelope.to_json(),
+                    verifiers=[
+                        base64.b64encode(
+                            certificate.public_bytes(
+                                encoding=serialization.Encoding.PEM
+                            )
+                        ).decode()
+                    ],
+                ),
+            ),
+        )
+        return EntryRequest(dsse.model_dump(mode="json", by_alias=True))

sigstore/_internal/rekor/client_v2.py

@@ -0,0 +1,176 @@
+# Copyright 2025 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Client implementation for interacting with RekorV2.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+
+import rekor_types
+import requests
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509 import Certificate
+
+from sigstore._internal import USER_AGENT
+from sigstore._internal.rekor import EntryRequest, RekorLogSubmitter
+from sigstore._internal.rekor.v2_types.dev.sigstore.common import v1 as common_v1
+from sigstore._internal.rekor.v2_types.dev.sigstore.rekor import v2
+from sigstore._internal.rekor.v2_types.io import intoto as v2_intoto
+from sigstore.dsse import Envelope
+from sigstore.hashes import Hashed
+from sigstore.models import LogEntry
+
+_logger = logging.getLogger(__name__)
+
+DEFAULT_REKOR_URL = "https://rekor.sigstore.dev"
+STAGING_REKOR_URL = "https://rekor.sigstage.dev"
+
+# TODO: Link to merged documenation.
+# See https://github.com/sigstore/rekor-tiles/pull/255/files#diff-eb568acf84d583e4d3734b07773e96912277776bad39c560392aa33ea2cf2210R196
+CREATE_ENTRIES_TIMEOUT_SECONDS = 20
+
+DEFAULT_KEY_DETAILS = common_v1.PublicKeyDetails.PKIX_ECDSA_P384_SHA_256
+
+
+class RekorV2Client(RekorLogSubmitter):
+    """The internal Rekor client for the v2 API"""
+
+    # TODO: implement get_tile, get_entry_bundle, get_checkpoint.
+
+    def __init__(self, base_url: str) -> None:
+        """
+        Create a new `RekorV2Client` from the given URL.
+        """
+        self.url = f"{base_url}/api/v2"
+        self.session = requests.Session()
+        self.session.headers.update(
+            {
+                "Content-Type": "application/json",
+                "Accept": "application/json",
+                "User-Agent": USER_AGENT,
+            }
+        )
+
+    def __del__(self) -> None:
+        """
+        Terminates the underlying network session.
+        """
+        self.session.close()
+
+    def create_entry(self, payload: EntryRequest) -> LogEntry:
+        """
+        Submit a new entry for inclusion in the Rekor log.
+        """
+        _logger.debug(f"proposed: {json.dumps(payload)}")
+        resp = self.session.post(
+            f"{self.url}/log/entries",
+            json=payload,
+            timeout=CREATE_ENTRIES_TIMEOUT_SECONDS,
+        )
+
+        try:
+            resp.raise_for_status()
+        except requests.HTTPError as http_error:
+            raise RekorClientError(http_error)
+
+        integrated_entry = resp.json()
+        _logger.debug(f"integrated: {integrated_entry}")
+        return LogEntry._from_dict_rekor(integrated_entry)
+
+    @classmethod
+    def _build_hashed_rekord_request(
+        cls,
+        hashed_input: Hashed,
+        signature: bytes,
+        certificate: Certificate,
+    ) -> EntryRequest:
+        """
+        Construct a hashed rekord request to submit to Rekor.
+        """
+        req = v2.CreateEntryRequest(
+            hashed_rekord_request_v0_0_2=v2.HashedRekordRequestV002(
+                digest=hashed_input.digest,
+                signature=v2.Signature(
+                    content=signature,
+                    verifier=v2.Verifier(
+                        x509_certificate=common_v1.X509Certificate(
+                            raw_bytes=certificate.public_bytes(
+                                encoding=serialization.Encoding.DER
+                            )
+                        ),
+                        key_details=DEFAULT_KEY_DETAILS,  # type: ignore[arg-type]
+                    ),
+                ),
+            )
+        )
+        return EntryRequest(req.to_dict())
+
+    @classmethod
+    def _build_dsse_request(
+        cls, envelope: Envelope, certificate: Certificate
+    ) -> EntryRequest:
+        """
+        Construct a dsse request to submit to Rekor.
+        """
+        req = v2.CreateEntryRequest(
+            dsse_request_v0_0_2=v2.DsseRequestV002(
+                envelope=v2_intoto.Envelope(
+                    payload=envelope._inner.payload,
+                    payload_type=envelope._inner.payload_type,
+                    signatures=[
+                        v2_intoto.Signature(
+                            keyid=signature.keyid,
+                            sig=signature.sig,
+                        )
+                        for signature in envelope._inner.signatures
+                    ],
+                ),
+                verifiers=[
+                    v2.Verifier(
+                        x509_certificate=common_v1.X509Certificate(
+                            raw_bytes=certificate.public_bytes(
+                                encoding=serialization.Encoding.DER
+                            )
+                        ),
+                        key_details=DEFAULT_KEY_DETAILS,  # type: ignore[arg-type]
+                    )
+                ],
+            )
+        )
+        return EntryRequest(req.to_dict())
+
+
+class RekorClientError(Exception):
+    """
+    A generic error in the Rekor client.
+    """
+
+    def __init__(self, http_error: requests.HTTPError):
+        """
+        Create a new `RekorClientError` from the given `requests.HTTPError`.
+        """
+        if http_error.response is not None:
+            try:
+                error = rekor_types.Error.model_validate_json(http_error.response.text)
+                super().__init__(f"{error.code}: {error.message}")
+            except Exception:
+                super().__init__(
+                    f"Rekor returned an unknown error with HTTP {http_error.response.status_code}"
+                )
+        else:
+            super().__init__(f"Unexpected Rekor error: {http_error}")

sigstore/_internal/rekor/v2_types/README.md

@@ -0,0 +1,11 @@
+# V2 Types
+
+TODO: Eventually move these types to sigstore/protobuf-specs.
+
+These are types meant to be used with RekorV2.
+
+Generated from running `make python` in sigstore/rekor-tiles to generate (although not checked into git) and copied into here, **plus** formatting and lint fixes (lots of `noqa` comments).
+
+Linting is still not expected to pass yet, since `interrogate` docstrings for **all** modules and classes.
+
+Eventually, we will move these types into sigstore/protobuf-specs.

sigstore/_internal/rekor/v2_types/__init__.py

@@ -0,0 +1,3 @@
+"""
+Types for RekorV2
+"""

sigstore/_internal/rekor/v2_types/dev/__init__.py

@@ -0,0 +1,3 @@
+"""
+Types used for RekorV2
+"""

sigstore/_internal/rekor/v2_types/dev/sigstore/__init__.py

@@ -0,0 +1,3 @@
+"""
+Types for RekorV2
+"""

sigstore/_internal/rekor/v2_types/dev/sigstore/common/__init__.py

@@ -0,0 +1,3 @@
+"""
+Common types used by Sigstore services
+"""