From 83409204754abe342abdf946c51ca2afcbc0b59a Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 19 Jul 2024 12:57:53 +0800
Subject: [PATCH] fix: fix usage of SignerInfo.AuthenticSigningTime (#424)
Signed-off-by: Patrick Zheng
---
 go.mod | 2 +-
 go.sum | 4 ++--
 verifier/verifier.go | 8 ++++----
 verifier/verifier_test.go | 33 +++++++++------------------------
 4 files changed, 16 insertions(+), 31 deletions(-)
diff --git a/go.mod b/go.mod
index af1edd8f..dc2bbdb5 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.21
 
 require (
 github.com/go-ldap/ldap/v3 v3.4.8
- github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
+ github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b
 github.com/notaryproject/notation-plugin-framework-go v1.0.0
 github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172
 github.com/opencontainers/go-digest v1.0.0
diff --git a/go.sum b/go.sum
index eab4a3af..fdb03b95 100644
--- a/go.sum
+++ b/go.sum
@@ -32,8 +32,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE=
-github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno=
+github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw=
+github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y=
diff --git a/verifier/verifier.go b/verifier/verifier.go
index eea10eb2..575fa610 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -721,11 +721,11 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 }
 }
 
- authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
- if err != nil {
- logger.Debugf("Not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
- authenticSigningTime = time.Time{}
+ var authenticSigningTime time.Time
+ if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
+ authenticSigningTime, _ = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
 }
+
 certResults, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime)
 if err != nil {
 logger.Debug("Error while checking revocation status, err: %s", err.Error())
diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go
index c8104012..3e213119 100644
--- a/verifier/verifier_test.go
+++ b/verifier/verifier_test.go
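Review bot: The error returned by `AuthenticSigningTime()` is discarded with `_` on the third added line, so inside the signing-authority branch a failed retrieval silently degrades to the zero signing time, and the debug message the removed lines used to emit is gone with it. That value is what `r.Validate` checks revocation against, so a retrieval failure should at least remain visible in the log, and if the blank identifier is kept it needs a comment saying why ignoring the error is acceptable. The sketch below keeps the new scheme check but handles the error as the old code did; `err` is declared inside the branch, so the later `certResults, err := r.Validate(...)` is unaffected. The `if` would also benefit from a comment on why only `SigningSchemeX509SigningAuthority` is consulted — the test hunk further down shows `AuthenticSigningTime()` returning an error under `"notary.x509"`. verifyRevocation starts before this hunk and continues after it.
```go
	var authenticSigningTime time.Time
	// Only the signing-authority scheme carries an authentic signing time;
	// for other schemes it stays zero (AuthenticSigningTime() reports an
	// error for at least "notary.x509", see verifier_test.go).
	if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
		var err error
		authenticSigningTime, err = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
		if err != nil {
			logger.Debugf("Not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
			authenticSigningTime = time.Time{}
		}
	}
	// … unchanged: r.Validate call and its error handling …
```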
@@ -623,18 +623,19 @@ func TestVerifyRevocation(t *testing.T) {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
 })
- t.Run("verifyRevocation zero signing time no invalidity", func(t *testing.T) {
+ t.Run("verifyRevocation zero signing time", func(t *testing.T) {
 revocationClient, err := revocation.New(revokedClient)
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
+ expectedErrMsg := "signing certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\" is revoked"
 result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
+ if result.Error == nil || result.Error.Error() != expectedErrMsg {
+ t.Fatalf("expected verifyRevocation to fail with %s, but got %v", expectedErrMsg, result.Error)
+ }
 if !zeroTime.IsZero() {
 t.Fatalf("exected zeroTime.IsZero() to be true")
 }
- if result.Error == nil || result.Error.Error() != revokedMsg {
- t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
- }
 })
 t.Run("verifyRevocation older signing time with invalidity", func(t *testing.T) {
 revocationClient, err := revocation.New(revokedInvalidityClient)
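Review bot: The `zeroTime.IsZero()` guard now runs after the `verifyRevocation` call and the new `expectedErrMsg` assertion, so if that fixture were ever non-zero the subtest would fail on the revocation message instead of on the precondition it actually violated; move the three `if !zeroTime.IsZero() { ... }` lines above `result := verifyRevocation(...)`. The new `expectedErrMsg` literal also looks like the `revokedMsg` the removed lines compared against; if the two strings are identical, reuse `revokedMsg`, and if they differ, a one-line comment saying which subject this case expects and why would help the next reader. TestVerifyRevocation starts before this hunk and continues after it.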
@@ -646,19 +647,6 @@ func TestVerifyRevocation(t *testing.T) {
 t.Fatalf("expected verifyRevocation to succeed, but got %v", result.Error)
 }
 })
- t.Run("verifyRevocation zero signing time with invalidity", func(t *testing.T) {
- revocationClient, err := revocation.New(revokedInvalidityClient)
- if err != nil {
- t.Fatalf("unexpected error while creating revocation object: %v", err)
- }
- result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
- if !zeroTime.IsZero() {
- t.Fatalf("exected zeroTime.IsZero() to be true")
- }
- if result.Error == nil || result.Error.Error() != revokedMsg {
- t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
- }
- })
 t.Run("verifyRevocation non-authentic signing time with invalidity", func(t *testing.T) {
 revocationClient, err := revocation.New(revokedInvalidityClient)
 if err != nil {
@@ -666,16 +654,13 @@ func TestVerifyRevocation(t *testing.T) {
 }
 // Specifying older signing time (which should succeed), but will use zero time since no authentic signing time
 outcome := createMockOutcome(revokableChain, time.Now().Add(-4*time.Hour))
- outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme = "unsupported scheme"
-
- time, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
- expectedErr := errors.New("authenticSigningTime not found")
- if !time.IsZero() || err == nil || err.Error() != expectedErr.Error() {
+ outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme = "notary.x509"
+ authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
+ expectedErr := errors.New("authentic signing time not supported under signing scheme \"notary.x509\"")
+ if !authenticSigningTime.IsZero() || err == nil || err.Error() != expectedErr.Error() {
 t.Fatalf("expected AuthenticSigningTime to fail with %v, but got %v", expectedErr, err)
 }
-
 result := verifyRevocation(outcome, revocationClient, logger)
-
 if result.Error == nil || result.Error.Error() != revokedMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
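Review bot: The new `expectedErr` pins the exact wording of an error produced by the notation-core-go dependency, so any rewording upstream breaks this subtest even though the behaviour under test — a zero time and a non-nil error for a scheme other than the signing-authority one — is unchanged; asserting `err != nil && authenticSigningTime.IsZero()`, or matching a sentinel with `errors.Is` if the dependency exposes one, would survive that. The scheme is also set from the raw literal `"notary.x509"`; if `signature.SigningSchemeX509` is in scope in this test file, as `signature.SigningSchemeX509SigningAuthority` is in verifier.go, prefer the constant so a typo cannot silently turn the case into the "unsupported scheme" one the removed lines exercised. The context comment above `outcome :=` still says "since no authentic signing time" and could name the reason now tested, that the scheme is not the signing-authority one. TestVerifyRevocation continues past this hunk.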