fix: fix usage of SignerInfo.AuthenticSigningTime (notaryproject#424)

Signed-off-by: Patrick Zheng <[email protected]>

go.mod

@@ -4,7 +4,7 @@ go 1.21
 
 require (
 	github.com/go-ldap/ldap/v3 v3.4.8
-	github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
+	github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
 	github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172
 	github.com/opencontainers/go-digest v1.0.0

go.sum

@@ -32,8 +32,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE=
-github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno=
+github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw=
+github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y=

verifier/verifier.go

@@ -721,11 +721,11 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 		}
 	}
 
-	authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
-	if err != nil {
-		logger.Debugf("Not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
-		authenticSigningTime = time.Time{}
+	var authenticSigningTime time.Time
+	if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
+		authenticSigningTime, _ = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
 	}
+
 	certResults, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime)
 	if err != nil {
 		logger.Debug("Error while checking revocation status, err: %s", err.Error())

verifier/verifier_test.go

@@ -623,18 +623,19 @@ func TestVerifyRevocation(t *testing.T) {
 			t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 		}
 	})
-	t.Run("verifyRevocation zero signing time no invalidity", func(t *testing.T) {
+	t.Run("verifyRevocation zero signing time", func(t *testing.T) {
 		revocationClient, err := revocation.New(revokedClient)
 		if err != nil {
 			t.Fatalf("unexpected error while creating revocation object: %v", err)
 		}
+		expectedErrMsg := "signing certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\" is revoked"
 		result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
+		if result.Error == nil || result.Error.Error() != expectedErrMsg {
+			t.Fatalf("expected verifyRevocation to fail with %s, but got %v", expectedErrMsg, result.Error)
+		}
 		if !zeroTime.IsZero() {
 			t.Fatalf("exected zeroTime.IsZero() to be true")
 		}
-		if result.Error == nil || result.Error.Error() != revokedMsg {
-			t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
-		}
 	})
 	t.Run("verifyRevocation older signing time with invalidity", func(t *testing.T) {
 		revocationClient, err := revocation.New(revokedInvalidityClient)
@@ -646,36 +647,20 @@ func TestVerifyRevocation(t *testing.T) {
 			t.Fatalf("expected verifyRevocation to succeed, but got %v", result.Error)
 		}
 	})
-	t.Run("verifyRevocation zero signing time with invalidity", func(t *testing.T) {
-		revocationClient, err := revocation.New(revokedInvalidityClient)
-		if err != nil {
-			t.Fatalf("unexpected error while creating revocation object: %v", err)
-		}
-		result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
-		if !zeroTime.IsZero() {
-			t.Fatalf("exected zeroTime.IsZero() to be true")
-		}
-		if result.Error == nil || result.Error.Error() != revokedMsg {
-			t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
-		}
-	})
 	t.Run("verifyRevocation non-authentic signing time with invalidity", func(t *testing.T) {
 		revocationClient, err := revocation.New(revokedInvalidityClient)
 		if err != nil {
 			t.Fatalf("unexpected error while creating revocation object: %v", err)
 		}
 		// Specifying older signing time (which should succeed), but will use zero time since no authentic signing time
 		outcome := createMockOutcome(revokableChain, time.Now().Add(-4*time.Hour))
-		outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme = "unsupported scheme"
-
-		time, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
-		expectedErr := errors.New("authenticSigningTime not found")
-		if !time.IsZero() || err == nil || err.Error() != expectedErr.Error() {
+		outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme = "notary.x509"
+		authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
+		expectedErr := errors.New("authentic signing time not supported under signing scheme \"notary.x509\"")
+		if !authenticSigningTime.IsZero() || err == nil || err.Error() != expectedErr.Error() {
 			t.Fatalf("expected AuthenticSigningTime to fail with %v, but got %v", expectedErr, err)
 		}
-
 		result := verifyRevocation(outcome, revocationClient, logger)
-
 		if result.Error == nil || result.Error.Error() != revokedMsg {
 			t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 		}