From ff8d358106de99d68fc41b46b5506082d9bdf19d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 7 Dec 2023 14:34:21 -0500 Subject: [PATCH] fixup DSSE signing, refactor RekorClientError Signed-off-by: William Woodruff --- sigstore/_internal/dsse.py | 6 ++++-- sigstore/_internal/rekor/client.py | 22 ++++++++++++++-------- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/sigstore/_internal/dsse.py b/sigstore/_internal/dsse.py index e89e87368..8a0bc30ad 100644 --- a/sigstore/_internal/dsse.py +++ b/sigstore/_internal/dsse.py @@ -34,8 +34,10 @@ def sign_intoto(key: ec.EllipticCurvePrivateKey, payload: Statement) -> Envelope # https://github.com/in-toto/attestation/blob/v1.0/spec/v1.0/envelope.md type_ = "application/vnd.in-toto+json" - payload_encoded = MessageToJson(payload.pb).encode() - pae = f"DSSEv1 {len(type_)} {type_} {len(payload_encoded)} {payload_encoded}" + payload_encoded = MessageToJson(payload.pb, sort_keys=True).encode() + pae = ( + f"DSSEv1 {len(type_)} {type_} {len(payload_encoded)} {payload_encoded.decode()}" + ) signature = key.sign(pae.encode(), ec.ECDSA(hashes.SHA256())) return Envelope( diff --git a/sigstore/_internal/rekor/client.py b/sigstore/_internal/rekor/client.py index 262f8feb0..1d554f277 100644 --- a/sigstore/_internal/rekor/client.py +++ b/sigstore/_internal/rekor/client.py @@ -73,7 +73,14 @@ class RekorClientError(Exception): A generic error in the Rekor client. """ - pass + def __init__(self, http_error: requests.HTTPError): + try: + error = rekor_types.Error.model_validate_json(http_error.response.text) + super().__init__(f"{error.code}: {error.message}") + except Exception: + super().__init__( + f"Rekor returned an unknown error with HTTP {http_error.response.status_code}" + ) class _Endpoint(ABC): 
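Review bot: In `sign_intoto` (sigstore/_internal/dsse.py) the PAE is still assembled as a `str` and re-encoded before signing, which yields the right bytes only because the payload round-trips through UTF-8. DSSE defines the pre-authentication encoding over raw bytes, so I would build it as bytes, `pae = b"DSSEv1 %d %b %d %b" % (len(type_), type_.encode(), len(payload_encoded), payload_encoded)`, and pass `pae` straight to `key.sign(...)`. The `Envelope(...)` construction continues outside the hunk; it needs to carry exactly `payload_encoded`, since a verifier recomputes the PAE from the envelope's payload bytes. A known-answer test that verifies the signature over an independently computed PAE would have caught the earlier signing of the `b'...'` repr.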
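Review bot: The fallback branch of `RekorClientError.__init__` (sigstore/_internal/rekor/client.py) dereferences `http_error.response` again, so if the first branch failed because `response` is `None`, the constructor itself raises `AttributeError` and the Rekor failure is replaced by an unrelated traceback. `requests.HTTPError.response` is optional, and the last hunk in this file already guards against it being unset. The `except Exception` also hides any programming error in the parsing path; catching only the validation failure keeps real bugs visible (pydantic's `ValidationError` derives from `ValueError`, worth confirming for the pinned version). The constructor now accepts only an `HTTPError`, so any caller still passing a string message (none visible in this diff) would break, and a one-line docstring should say so.

```python
    def __init__(self, http_error: requests.HTTPError):
        """Build the message from Rekor's error body, or from the HTTP status if it cannot be parsed."""
        response = http_error.response
        if response is None:
            super().__init__("Rekor request failed without an HTTP response")
            return
        try:
            error = rekor_types.Error.model_validate_json(response.text)
            message = f"{error.code}: {error.message}"
        except ValueError:
            message = f"Rekor returned an unknown error with HTTP {response.status_code}"
        super().__init__(message)
```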
@@ -95,7 +102,7 @@ def get(self) -> RekorLogInfo: try: resp.raise_for_status() except requests.HTTPError as http_error: - raise RekorClientError from http_error + raise RekorClientError(http_error) return RekorLogInfo.from_response(resp.json()) @property @@ -121,7 +128,7 @@ def get( Either `uuid` or `log_index` must be present, but not both. """ if not (bool(uuid) ^ bool(log_index)): - raise RekorClientError("uuid or log_index required, but not both") + raise ValueError("uuid or log_index required, but not both") resp: requests.Response @@ -133,7 +140,7 @@ def get( try: resp.raise_for_status() except requests.HTTPError as http_error: - raise RekorClientError from http_error + raise RekorClientError(http_error) return LogEntry._from_response(resp.json()) def post( @@ -145,14 +152,13 @@ def post( """ payload = proposed_entry.model_dump(mode="json", by_alias=True) - logger.debug(json.dumps(payload)) + logger.debug(f"PROPOSED ENTRY: {json.dumps(payload)}") resp: requests.Response = self.session.post(self.url, json=payload) try: resp.raise_for_status() except requests.HTTPError as http_error: - logger.debug(http_error.response.content) - raise RekorClientError from http_error + raise RekorClientError(http_error) return LogEntry._from_response(resp.json()) @@ -190,7 +196,7 @@ def post( except requests.HTTPError as http_error: if http_error.response and http_error.response.status_code == 404: return None - raise RekorClientError(resp.text) from http_error + raise RekorClientError(http_error) results = resp.json()
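Review bot: `raise RekorClientError(http_error)` in the log-info `get()` drops the explicit `from http_error`, and the same change repeats in the entries `get()` and in both `post()` hunks below. The original exception is still attached implicitly as `__context__`, but the traceback then reads as an error raised while handling another error rather than as its direct cause. I would keep `raise RekorClientError(http_error) from http_error` at all four sites. Each of these functions starts outside its hunk.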
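Review bot: The guard above the new `raise ValueError(...)` in the entries `get()` tests truthiness, so `log_index=0` counts as absent and a lookup of the first log entry is rejected with "uuid or log_index required, but not both"; an empty-string `uuid` behaves the same way. Assuming both parameters default to `None` (the signature is outside the hunk), `if not ((uuid is not None) ^ (log_index is not None)):` checks presence rather than value. Switching from `RekorClientError` to `ValueError` also changes what callers must catch, so the docstring should gain a line such as `Raises ValueError if both or neither of uuid and log_index are given.`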
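Review bot: With `logger.debug(http_error.response.content)` removed from the entries `post()`, an error body that does not parse as a Rekor `Error` (for example an HTML page from a proxy in front of the log) is no longer recorded anywhere, because `RekorClientError` falls back to the status code alone. Keeping a debug line before the raise, e.g. `logger.debug("Rekor error response: %s", http_error.response.text)`, preserves what an operator needs to triage a rejected entry. The new `logger.debug(f"PROPOSED ENTRY: ...")` also builds the message even when debug logging is off; `logger.debug("PROPOSED ENTRY: %s", json.dumps(payload))` at least defers the formatting.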
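Review bot: The 404 check just above the changed `raise` in the last `post()` hunk uses `http_error.response and ...`, and a `requests.Response` is falsy for any 4xx/5xx status, so the condition can never be true and a "not found" answer reaches `raise RekorClientError(http_error)` instead of returning `None`. This predates the commit but decides whether the new line runs; `if http_error.response is not None and http_error.response.status_code == 404:` tests what was intended. A test that stubs a 404 response and expects `None` would pin the behaviour.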