Skip to content

Commit

Permalink
added timestamp trust policy
Browse files Browse the repository at this point in the history
Signed-off-by: Patrick Zheng <[email protected]>
  • Loading branch information
Two-Hearts committed Apr 16, 2024
1 parent 545e1e7 commit 527b84a
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 21 deletions.
17 changes: 3 additions & 14 deletions notation.go
Original file line number Diff line number Diff line change
Expand Up @@ -319,11 +319,6 @@ type VerifierVerifyOptions struct {
// UserMetadata contains key-value pairs that must be present in the
// signature.
UserMetadata map[string]string

// VerifyAtTimestampedTime verifies the timestamp countersignature at the
// time point been stamped. This time point MUST be within timestamp
// certificate chain's validity period.
VerifyAtTimestampedTime bool
}

// Verifier is a generic interface for verifying an artifact.
Expand Down Expand Up @@ -358,11 +353,6 @@ type VerifyOptions struct {
// UserMetadata contains key-value pairs that must be present in the
// signature
UserMetadata map[string]string

// VerifyAtTimestampedTime verifies the timestamp countersignature at the
// time point been stamped. This time point MUST be within timestamp
// certificate chain's validity period.
VerifyAtTimestampedTime bool
}

// Verify performs signature verification on each of the notation supported
Expand All @@ -386,10 +376,9 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve

// opts to be passed in verifier.Verify()
opts := VerifierVerifyOptions{
ArtifactReference: verifyOpts.ArtifactReference,
PluginConfig: verifyOpts.PluginConfig,
UserMetadata: verifyOpts.UserMetadata,
VerifyAtTimestampedTime: verifyOpts.VerifyAtTimestampedTime,
ArtifactReference: verifyOpts.ArtifactReference,
PluginConfig: verifyOpts.PluginConfig,
UserMetadata: verifyOpts.UserMetadata,
}

if skipChecker, ok := verifier.(verifySkipper); ok {
Expand Down
17 changes: 15 additions & 2 deletions verifier/trustpolicy/trustpolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ var (
}
)

var supportedPolicyVersions = []string{"1.0"}
var supportedPolicyVersions = []string{"1.0", "1.1"}

// Document represents a trustPolicy.json document
type Document struct {
Expand All @@ -156,6 +156,9 @@ type TrustPolicy struct {
// SignatureVerification setting for this policy statement
SignatureVerification SignatureVerification `json:"signatureVerification"`

// TimestampVerification setting for this policy statement
TimestampVerification *TimestampVerification `json:"timestampVerification,omitempty"`

// TrustStores this policy statement uses
TrustStores []string `json:"trustStores,omitempty"`

Expand All @@ -169,6 +172,12 @@ type SignatureVerification struct {
Override map[ValidationType]ValidationAction `json:"override,omitempty"`
}

// TimestampVerification represents timestamp countersignature verification
// configuration in a trust policy
type TimestampVerification struct {
AtTimestampedTime bool `json:"atTimestampedTime"`
}

// Validate validates a policy document according to its version's rule set.
// if any rule is violated, returns an error
func (policyDoc *Document) Validate() error {
Expand All @@ -185,7 +194,6 @@ func (policyDoc *Document) Validate() error {
return fmt.Errorf("trust policy document uses unsupported version %q", policyDoc.Version)
}

// Validate the policy according to 1.0 rules
if len(policyDoc.TrustPolicies) == 0 {
return errors.New("trust policy document can not have zero trust policy statements")
}
Expand All @@ -206,6 +214,11 @@ func (policyDoc *Document) Validate() error {
return fmt.Errorf("trust policy statement %q has invalid signatureVerification: %w", statement.Name, err)
}

// Verify timestamp verification is valid
if statement.TimestampVerification != nil && policyDoc.Version != "1.1" {
return fmt.Errorf("trust policy document version must be 1.1 to support timestamp verification, but got %q", policyDoc.Version)
}

// Any signature verification other than "skip" needs a trust store and
// trusted identities
if verificationLevel.Name == "skip" {
Expand Down
18 changes: 13 additions & 5 deletions verifier/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ func (v *verifier) Verify(ctx context.Context, desc ocispec.Descriptor, signatur
logger.Debug("Skipping signature verification")
return outcome, nil
}
err = v.processSignature(ctx, signature, envelopeMediaType, trustPolicy, opts.VerifyAtTimestampedTime, pluginConfig, outcome)
err = v.processSignature(ctx, signature, envelopeMediaType, trustPolicy, pluginConfig, outcome)

if err != nil {
outcome.Error = err
Expand Down Expand Up @@ -188,7 +188,7 @@ func (v *verifier) Verify(ctx context.Context, desc ocispec.Descriptor, signatur
return outcome, outcome.Error
}

func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelopeMediaType string, trustPolicy *trustpolicy.TrustPolicy, verifyAtTimestampedTime bool, pluginConfig map[string]string, outcome *notation.VerificationOutcome) error {
func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelopeMediaType string, trustPolicy *trustpolicy.TrustPolicy, pluginConfig map[string]string, outcome *notation.VerificationOutcome) error {
logger := log.GetLogger(ctx)

// verify integrity first. notation will always verify integrity no matter
Expand Down Expand Up @@ -288,7 +288,7 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop

// verify authentic timestamp
logger.Debug("Validating authentic timestamp")
authenticTimestampResult := verifyAuthenticTimestamp(ctx, trustPolicy, v.trustStore, verifyAtTimestampedTime, outcome)
authenticTimestampResult := verifyAuthenticTimestamp(ctx, trustPolicy, v.trustStore, outcome)
outcome.VerificationResults = append(outcome.VerificationResults, authenticTimestampResult)
logVerificationResult(logger, authenticTimestampResult)
if isCriticalFailure(authenticTimestampResult) {
Expand Down Expand Up @@ -516,7 +516,7 @@ func verifyExpiry(outcome *notation.VerificationOutcome) *notation.ValidationRes
}
}

func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore, verifyAtTimestampedTime bool, outcome *notation.VerificationOutcome) *notation.ValidationResult {
func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore, outcome *notation.VerificationOutcome) *notation.ValidationResult {
logger := log.GetLogger(ctx)

// under signing scheme notary.x509
Expand Down Expand Up @@ -544,6 +544,14 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
if trustPolicy.TimestampVerification == nil {
// if there is no timestamp verification configuration in trust policy
return &notation.ValidationResult{
Error: errors.New("current time is not in certificate chain validity period and no timestamp verification configuration was found in trust policy"),
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
if err != nil {
return &notation.ValidationResult{
Expand Down Expand Up @@ -592,7 +600,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
if verifyAtTimestampedTime {
if trustPolicy.TimestampVerification.AtTimestampedTime {
timestampVerifyOpts.CurrentTime = ts
}
// verify the timestamp countersignature
Expand Down

0 comments on commit 527b84a

Please sign in to comment.