update
Signed-off-by: Patrick Zheng <[email protected]>
Two-Hearts committed Jun 11, 2024
1 parent ee0b91b commit 3cdb0b2
Showing 1 changed file with 13 additions and 11 deletions.
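--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -622,6 +622,17 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 }
 }
+// 3. Validate timestamping certificate chain
+logger.Info("Validating timestamping certificate chain...")
+if err := nx509.ValidateTimeStampingCertChain(tsaCertChain, nil); err != nil {
+return &notation.ValidationResult{
+Error: fmt.Errorf("failed to validate the timestamping certificate chain with error: %w", err),
+Type: trustpolicy.TypeAuthenticTimestamp,
+Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
+}
+}
+// 4. Check authenticity of the TSA against trust store
+logger.Info("Checking TSA authenticity against the trust store...")
 trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
 if err != nil {
 return &notation.ValidationResult{
@@ -656,16 +667,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 }
 }
-// 3. Validate timestamping certificate chain
-logger.Info("Validating timestamping certificate chain...")
-if err := nx509.ValidateTimeStampingCertChain(tsaCertChain, nil); err != nil {
-return &notation.ValidationResult{
-Error: fmt.Errorf("failed to validate the timestamping certificate chain with error: %w", err),
-Type: trustpolicy.TypeAuthenticTimestamp,
-Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
-}
-}
-// 4. Perform the timestamping certificate chain revocation check
+// 5. Perform the timestamping certificate chain revocation check
 logger.Info("Checking timestamping certificate chain revocation...")
 timeStampLowerLimit = ts.Add(-accuracy)
 timeStampUpperLimit = ts.Add(accuracy)
@@ -695,7 +697,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 }
 }
-// 5. Check the timestamp against the signing certificate chain
+// 6. Check the timestamp against the signing certificate chain
 logger.Info("Checking the timestamp against the signing certificate chain...")
 logger.Infof("Timestamp range: [%v, %v]", timeStampLowerLimit, timeStampUpperLimit)
 for _, cert := range signerInfo.CertificateChain {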
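Review bot: The moved call `nx509.ValidateTimeStampingCertChain(tsaCertChain, nil)` in the first hunk still passes nil as its second argument; if that parameter is a validation time, the TSA leaf's NotBefore/NotAfter window is never compared against the timestamp at this step, and the later `timeStampLowerLimit = ts.Add(-accuracy)` suggests `ts` is already in scope to pass as `&ts`. Worth confirming that the timestamp-token verification preceding step 3 already covers that window, or passing the time here. The step comments were renumbered but nothing says why chain validation now precedes the trust-store lookup; a short why-comment at step 3 would help, e.g. `// 3. Validate timestamping certificate chain (structural checks first, before the chain is compared with the trust store or checked for revocation)`. The error string `failed to validate the timestamping certificate chain with error: %w` keeps redundant "failed to … with error" wording; `fmt.Errorf("validating timestamping certificate chain: %w", err)` reads cleaner once wrapped by callers. verifyAuthenticTimestamp starts and ends outside these hunks.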

0 comments on commit 3cdb0b2

Please sign in to comment.