Skip to content

Commit

Permalink
added skip tsa cert expire check
Browse files Browse the repository at this point in the history
Signed-off-by: Patrick Zheng <[email protected]>
  • Loading branch information
Two-Hearts committed Apr 11, 2024
1 parent f4536db commit 998d79f
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 17 deletions.
19 changes: 16 additions & 3 deletions notation.go
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,12 @@ type VerifierVerifyOptions struct {
// UserMetadata contains key-value pairs that must be present in the
// signature.
UserMetadata map[string]string

// SkipTimestampCertificateExpirationCheck skips timestamp certificate
// expiration check during timestamp countersignature verification. The
// time point been stamped still MUST be within timestamp certificate chain's
// validity period, and this check is always enforced.
SkipTimestampCertificateExpirationCheck bool
}

// Verifier is a generic interface for verifying an artifact.
Expand Down Expand Up @@ -353,6 +359,12 @@ type VerifyOptions struct {
// UserMetadata contains key-value pairs that must be present in the
// signature
UserMetadata map[string]string

// SkipTimestampCertificateExpirationCheck skips timestamp certificate
// expiration check during timestamp countersignature verification. The
// time point been stamped still MUST be within timestamp certificate chain's
// validity period, and this check is always enforced.
SkipTimestampCertificateExpirationCheck bool
}

// Verify performs signature verification on each of the notation supported
Expand All @@ -376,9 +388,10 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve

// opts to be passed in verifier.Verify()
opts := VerifierVerifyOptions{
ArtifactReference: verifyOpts.ArtifactReference,
PluginConfig: verifyOpts.PluginConfig,
UserMetadata: verifyOpts.UserMetadata,
ArtifactReference: verifyOpts.ArtifactReference,
PluginConfig: verifyOpts.PluginConfig,
UserMetadata: verifyOpts.UserMetadata,
SkipTimestampCertificateExpirationCheck: verifyOpts.SkipTimestampCertificateExpirationCheck,
}

if skipChecker, ok := verifier.(verifySkipper); ok {
Expand Down
33 changes: 19 additions & 14 deletions verifier/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ func (v *verifier) Verify(ctx context.Context, desc ocispec.Descriptor, signatur
logger.Debug("Skipping signature verification")
return outcome, nil
}
err = v.processSignature(ctx, signature, envelopeMediaType, trustPolicy, pluginConfig, outcome)
err = v.processSignature(ctx, signature, envelopeMediaType, trustPolicy, opts.SkipTimestampCertificateExpirationCheck, pluginConfig, outcome)

if err != nil {
outcome.Error = err
Expand Down Expand Up @@ -188,7 +188,7 @@ func (v *verifier) Verify(ctx context.Context, desc ocispec.Descriptor, signatur
return outcome, outcome.Error
}

func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelopeMediaType string, trustPolicy *trustpolicy.TrustPolicy, pluginConfig map[string]string, outcome *notation.VerificationOutcome) error {
func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelopeMediaType string, trustPolicy *trustpolicy.TrustPolicy, skipTimestampCertExpirationCheck bool, pluginConfig map[string]string, outcome *notation.VerificationOutcome) error {
logger := log.GetLogger(ctx)

// verify integrity first. notation will always verify integrity no matter
Expand Down Expand Up @@ -288,7 +288,7 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop

// verify authentic timestamp
logger.Debug("Validating authentic timestamp")
authenticTimestampResult := verifyAuthenticTimestamp(ctx, trustPolicy, v.trustStore, outcome)
authenticTimestampResult := verifyAuthenticTimestamp(ctx, trustPolicy, v.trustStore, skipTimestampCertExpirationCheck, outcome)
outcome.VerificationResults = append(outcome.VerificationResults, authenticTimestampResult)
logVerificationResult(logger, authenticTimestampResult)
if isCriticalFailure(authenticTimestampResult) {
Expand Down Expand Up @@ -516,7 +516,7 @@ func verifyExpiry(outcome *notation.VerificationOutcome) *notation.ValidationRes
}
}

func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore, outcome *notation.VerificationOutcome) *notation.ValidationResult {
func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore, skipTimestampCertExpirationCheck bool, outcome *notation.VerificationOutcome) *notation.ValidationResult {
logger := log.GetLogger(ctx)

// under signing scheme notary.x509
Expand Down Expand Up @@ -571,46 +571,51 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
for _, cert := range trustTSACerts {
roots.AddCert(cert)
}
opts := x509.VerifyOptions{
timestampVerifyOpts := x509.VerifyOptions{
Roots: roots,
}
tsaCertChain, err := signedToken.Verify(ctx, opts)
// get the timestamp token info
info, err := signedToken.Info()
if err != nil {
return &notation.ValidationResult{
Error: err,
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
// validate TSA cert chain
if err := nx509.ValidateTimeStampingCertChain(tsaCertChain, nil); err != nil {
// validate the info
ts, accuracy, err := info.Timestamp(signerInfo.Signature)
if err != nil {
return &notation.ValidationResult{
Error: err,
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
// get the timestamp token info
info, err := signedToken.Info()
if skipTimestampCertExpirationCheck {
timestampVerifyOpts.CurrentTime = ts
}
// verify the timestamp countersignature
tsaCertChain, err := signedToken.Verify(ctx, timestampVerifyOpts)
if err != nil {
return &notation.ValidationResult{
Error: err,
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
// validate the info and consume timestamp
ts, accuracy, err := info.Timestamp(signerInfo.Signature)
if err != nil {
// validate timestamp certificate chain
if err := nx509.ValidateTimeStampingCertChain(tsaCertChain, nil); err != nil {
return &notation.ValidationResult{
Error: err,
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
// get the timestamp token time range
timeStampLowerLimit := ts.Add(-accuracy)
timeStampUpperLimit := ts.Add(accuracy)
fmt.Printf("timestamp token time range: [%v, %v]\n", timeStampLowerLimit, timeStampUpperLimit)
logger.Info("timestamp token time range: [%v, %v]\n", timeStampLowerLimit, timeStampUpperLimit)
// TSA certificate chain revocation check
certResults, err := revocation.ValidateTimestampCertChain(tsaCertChain, timeStampUpperLimit)
if err != nil {
Expand Down

0 comments on commit 998d79f

Please sign in to comment.