
tsa root cert pool
Signed-off-by: Patrick Zheng <[email protected]>
Two-Hearts committed Jun 21, 2024
1 parent 0697044 commit a75b224
Showing 4 changed files with 62 additions and 42 deletions.
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -25,6 +25,6 @@ require (
golang.org/x/sync v0.6.0 // indirect
)

replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240620060810-a57701ff7655
replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240621043238-b2551ef71fb2

replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9
replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240621042808-c9a7560c8168
8 changes: 4 additions & 4 deletions go.sum
@@ -1,9 +1,9 @@
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/Two-Hearts/notation-core-go v0.0.0-20240620060810-a57701ff7655 h1:Up2oCElFITYHvwKayXRCUq23wREpbMew/OwsRV8kYEI=
github.com/Two-Hearts/notation-core-go v0.0.0-20240620060810-a57701ff7655/go.mod h1:2+fC2xU0ai2zw1NhZS5h1lhv6mYTKorAh6xv3OnDKE4=
github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9 h1:AV5JQ4TOXFoAKgjq68j3VQJNId5CPIp7x+HUUadiyhc=
github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
github.com/Two-Hearts/notation-core-go v0.0.0-20240621043238-b2551ef71fb2 h1:oqjGDjiyHhbIIBlxpfwpIpwO30z1aahqEZf1bC/AMkI=
github.com/Two-Hearts/notation-core-go v0.0.0-20240621043238-b2551ef71fb2/go.mod h1:vKJt67z3v3bj4MNXNLQ3LDoXMCfEdQCLkpwsgwqqCgE=
github.com/Two-Hearts/tspclient-go v0.0.0-20240621042808-c9a7560c8168 h1:zkzAWIQRB+OLkeqy3rJT3zZ0xdR8nGLMtbOpPF5yE0s=
github.com/Two-Hearts/tspclient-go v0.0.0-20240621042808-c9a7560c8168/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
2 changes: 1 addition & 1 deletion verifier/timestamp_test.go
Expand Up @@ -336,7 +336,7 @@ func TestAuthenticTimestamp(t *testing.T) {
VerificationLevel: trustpolicy.LevelStrict,
}
authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome)
expectedErrMsg := "failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store"
expectedErrMsg := "failed to verify the timestamp countersignature with error: failed to verify signed token: cms verification failure: x509: certificate signed by unknown authority"
if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
}
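Review bot: The new `expectedErrMsg` embeds crypto/x509's exact wording ("x509: certificate signed by unknown authority") and compares with `!=`, so the test now breaks whenever the standard library or tspclient-go rephrases its error text. If the underlying error is wrapped with `%w` through `signedToken.Verify` (not visible here), asserting with `errors.As(err, new(x509.UnknownAuthorityError))` plus a `strings.HasPrefix(err.Error(), "failed to verify the timestamp countersignature")` check would pin the behavior that matters without coupling to third-party strings. TestAuthenticTimestamp begins and ends outside the hunk.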
90 changes: 55 additions & 35 deletions verifier/verifier.go
Expand Up @@ -605,6 +605,25 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
if err != nil {
return &notation.ValidationResult{
Error: fmt.Errorf("failed to load tsa trust store with error: %w", err),
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
if len(trustTSACerts) < 1 {
return &notation.ValidationResult{
Error: errors.New("no trusted TSA certificate found in trust store"),
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
rootCertPool := x509.NewCertPool()
for _, trustedCerts := range trustTSACerts {
rootCertPool.AddCert(trustedCerts)
}
ts, accuracy, err := info.Validate(signerInfo.Signature)
if err != nil {
return &notation.ValidationResult{
Expand All @@ -615,6 +634,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
}
tsaCertChain, err := signedToken.Verify(ctx, x509.VerifyOptions{
CurrentTime: ts,
Roots: rootCertPool,
})
if err != nil {
return &notation.ValidationResult{
Expand All @@ -634,41 +654,41 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
}
logger.Info("TSA identity is: %s", tsaCertChain[0].Subject)
// 4. Check authenticity of the TSA against trust store
logger.Info("Checking TSA authenticity against the trust store...")
trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
if err != nil {
return &notation.ValidationResult{
Error: fmt.Errorf("failed to load tsa trust store with error: %w", err),
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
if len(trustTSACerts) < 1 {
return &notation.ValidationResult{
Error: errors.New("no trusted TSA certificate found in trust store"),
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
var foundTrustedCert bool
for _, trust := range trustTSACerts {
for _, cert := range tsaCertChain {
if trust.Equal(cert) {
foundTrustedCert = true
break
}
}
if foundTrustedCert {
break
}
}
if !foundTrustedCert {
return &notation.ValidationResult{
Error: errors.New("failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store"),
Type: trustpolicy.TypeAuthenticTimestamp,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
}
}
// logger.Info("Checking TSA authenticity against the trust store...")
// trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
// if err != nil {
// return &notation.ValidationResult{
// Error: fmt.Errorf("failed to load tsa trust store with error: %w", err),
// Type: trustpolicy.TypeAuthenticTimestamp,
// Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
// }
// }
// if len(trustTSACerts) < 1 {
// return &notation.ValidationResult{
// Error: errors.New("no trusted TSA certificate found in trust store"),
// Type: trustpolicy.TypeAuthenticTimestamp,
// Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
// }
// }
// var foundTrustedCert bool
// for _, trust := range trustTSACerts {
// for _, cert := range tsaCertChain {
// if trust.Equal(cert) {
// foundTrustedCert = true
// break
// }
// }
// if foundTrustedCert {
// break
// }
// }
// if !foundTrustedCert {
// return &notation.ValidationResult{
// Error: errors.New("failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store"),
// Type: trustpolicy.TypeAuthenticTimestamp,
// Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
// }
// }
// 5. Perform the timestamping certificate chain revocation check
logger.Info("Checking timestamping certificate chain revocation...")
timeStampLowerLimit = ts.Add(-accuracy)
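Review bot: The former trust-store membership check, now left as 35 commented-out lines under `// 4. Check authenticity of the TSA against trust store`, should be deleted rather than commented out: with `Roots: rootCertPool` passed to `signedToken.Verify`, chain building is already anchored at the trust-store certificates, so the equality loop is redundant, and dead code carrying a stale error message tends to get resurrected. If the step-4 marker is kept for readability, replace the block with a single comment such as `// 4. TSA authenticity against the trust store is enforced via Roots in signedToken.Verify above`. One point to confirm on the tspclient-go side (not visible here): when `x509.VerifyOptions.KeyUsages` is left empty, crypto/x509 defaults it to ExtKeyUsageServerAuth, so `signedToken.Verify` must set ExtKeyUsageTimeStamping itself for the chain's EKU to be checked against the right purpose. Since loading the trust store now happens before `info.Validate`, a failure to load it is reported ahead of a malformed timestamp token, which changes the error a caller sees first; worth a note in the function doc. verifyAuthenticTimestamp begins and ends outside the hunk.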
