diff --git a/go.mod b/go.mod
index e409695b..1799e1f9 100644
--- a/go.mod
+++ b/go.mod
@@ -25,6 +25,6 @@ require (
 golang.org/x/sync v0.6.0 // indirect
 )
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240620060810-a57701ff7655
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240621043238-b2551ef71fb2
-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240621042808-c9a7560c8168
diff --git a/go.sum b/go.sum
index 69370976..2ca549e3 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240620060810-a57701ff7655 h1:Up2oCElFITYHvwKayXRCUq23wREpbMew/OwsRV8kYEI=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240620060810-a57701ff7655/go.mod h1:2+fC2xU0ai2zw1NhZS5h1lhv6mYTKorAh6xv3OnDKE4=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9 h1:AV5JQ4TOXFoAKgjq68j3VQJNId5CPIp7x+HUUadiyhc=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240618021928-8938258a8bd9/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240621043238-b2551ef71fb2 h1:oqjGDjiyHhbIIBlxpfwpIpwO30z1aahqEZf1bC/AMkI=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240621043238-b2551ef71fb2/go.mod h1:vKJt67z3v3bj4MNXNLQ3LDoXMCfEdQCLkpwsgwqqCgE=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240621042808-c9a7560c8168 h1:zkzAWIQRB+OLkeqy3rJT3zZ0xdR8nGLMtbOpPF5yE0s=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240621042808-c9a7560c8168/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/verifier/timestamp_test.go b/verifier/timestamp_test.go
index 00466d53..a7f20928 100644
--- a/verifier/timestamp_test.go
+++ b/verifier/timestamp_test.go
@@ -336,7 +336,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 VerificationLevel: trustpolicy.LevelStrict,
 }
 authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome)
- expectedErrMsg := "failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store"
+ expectedErrMsg := "failed to verify the timestamp countersignature with error: failed to verify signed token: cms verification failure: x509: certificate signed by unknown authority"
 if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
 }
diff --git a/verifier/verifier.go b/verifier/verifier.go
index 96ba2890..90d687e1 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -605,6 +605,25 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 }
 }
+ trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
+ if err != nil {
+ return ¬ation.ValidationResult{
+ Error: fmt.Errorf("failed to load tsa trust store with error: %w", err),
+ Type: trustpolicy.TypeAuthenticTimestamp,
+ Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
+ }
+ }
+ if len(trustTSACerts) < 1 {
+ return ¬ation.ValidationResult{
+ Error: errors.New("no trusted TSA certificate found in trust store"),
+ Type: trustpolicy.TypeAuthenticTimestamp,
+ Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
+ }
+ }
+ rootCertPool := x509.NewCertPool()
+ for _, trustedCerts := range trustTSACerts {
+ rootCertPool.AddCert(trustedCerts)
+ }
 ts, accuracy, err := info.Validate(signerInfo.Signature)
 if err != nil {
 return ¬ation.ValidationResult{
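Review bot: The new expectedErrMsg pins this test to the exact wording of three layers at once — this package's wrapper, the forked tspclient-go/notation-core-go messages ("failed to verify signed token: cms verification failure:") and crypto/x509's own "certificate signed by unknown authority" text — so a harmless rewording in any of them breaks the test without any change in behaviour. Since the failure now comes from x509 chain building, a type check is more robust, provided the forks wrap with %w (not visible here): `var uaErr x509.UnknownAuthorityError` / `if err := authenticTimestampResult.Error; !errors.As(err, &uaErr) {`; failing that, `strings.Contains(err.Error(), "x509: certificate signed by unknown authority")` at least decouples the test from the intermediate wrapper strings. TestAuthenticTimestamp starts before this hunk.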
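Review bot: The added trust-store block (from `trustTSACerts, err := loadX509TSATrustStores(...)` down to the rootCertPool loop) carries no comment explaining why the store is now loaded ahead of info.Validate and the token verification, and the `logger.Info("Checking TSA authenticity against the trust store...")` line that used to announce this step was dropped rather than moved, so the trust-store step no longer appears in the verification log. I would add, before the load, `// Load the TSA trust store up front: its certificates become the roots for the countersignature chain verification below, so an untrusted TSA fails chain building rather than a post-hoc membership check.` and re-add the logger.Info line at the same place. The loop variable `trustedCerts` holds one certificate per iteration; `for _, cert := range trustTSACerts { rootCertPool.AddCert(cert) }` reads more accurately. The dropped log line also concerns the last hunk of this file, where the old block is commented out. verifyAuthenticTimestamp starts before this hunk and continues after it.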
@@ -615,6 +634,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 }
 tsaCertChain, err := signedToken.Verify(ctx, x509.VerifyOptions{
 CurrentTime: ts,
+ Roots: rootCertPool,
 })
 if err != nil {
 return ¬ation.ValidationResult{
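Review bot: Passing `Roots: rootCertPool` anchors the chain at the trust-store certificates, which is a stronger check than the chain-membership test it replaces, but the x509.VerifyOptions built here leaves KeyUsages unset, and crypto/x509 treats an empty KeyUsages as ExtKeyUsageServerAuth — an EKU a timestamping-only TSA certificate does not carry. Unless signedToken.Verify in the replaced tspclient-go fork (not visible here) fills in the EKU itself, a legitimate TSA chain would be rejected; if it does, a one-line comment `// KeyUsages is set to timestamping by signedToken.Verify; Roots restricts the anchors to the TSA trust store` saves the next reader the same investigation, otherwise add `KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},` next to Roots. verifyAuthenticTimestamp starts before and continues after this hunk.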
@@ -634,41 +654,41 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 }
 logger.Info("TSA identity is: %s", tsaCertChain[0].Subject)
 // 4. Check authenticity of the TSA against trust store
- logger.Info("Checking TSA authenticity against the trust store...")
- trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
- if err != nil {
- return ¬ation.ValidationResult{
- Error: fmt.Errorf("failed to load tsa trust store with error: %w", err),
- Type: trustpolicy.TypeAuthenticTimestamp,
- Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
- }
- }
- if len(trustTSACerts) < 1 {
- return ¬ation.ValidationResult{
- Error: errors.New("no trusted TSA certificate found in trust store"),
- Type: trustpolicy.TypeAuthenticTimestamp,
- Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
- }
- }
- var foundTrustedCert bool
- for _, trust := range trustTSACerts {
- for _, cert := range tsaCertChain {
- if trust.Equal(cert) {
- foundTrustedCert = true
- break
- }
- }
- if foundTrustedCert {
- break
- }
- }
- if !foundTrustedCert {
- return ¬ation.ValidationResult{
- Error: errors.New("failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store"),
- Type: trustpolicy.TypeAuthenticTimestamp,
- Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
- }
- }
+ // logger.Info("Checking TSA authenticity against the trust store...")
+ // trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
+ // if err != nil {
+ // return ¬ation.ValidationResult{
+ // Error: fmt.Errorf("failed to load tsa trust store with error: %w", err),
+ // Type: trustpolicy.TypeAuthenticTimestamp,
+ // Action: 
outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
+ // }
+ // }
+ // if len(trustTSACerts) < 1 {
+ // return ¬ation.ValidationResult{
+ // Error: errors.New("no trusted TSA certificate found in trust store"),
+ // Type: trustpolicy.TypeAuthenticTimestamp,
+ // Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
+ // }
+ // }
+ // var foundTrustedCert bool
+ // for _, trust := range trustTSACerts {
+ // for _, cert := range tsaCertChain {
+ // if trust.Equal(cert) {
+ // foundTrustedCert = true
+ // break
+ // }
+ // }
+ // if foundTrustedCert {
+ // break
+ // }
+ // }
+ // if !foundTrustedCert {
+ // return ¬ation.ValidationResult{
+ // Error: errors.New("failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store"),
+ // Type: trustpolicy.TypeAuthenticTimestamp,
+ // Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
+ // }
+ // }
 // 5. Perform the timestamping certificate chain revocation check
 logger.Info("Checking timestamping certificate chain revocation...")
 timeStampLowerLimit = ts.Add(-accuracy)
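Review bot: The 35 lines of the old step-4 membership check are kept as `// ...` comments instead of being deleted, which leaves the `// 4. Check authenticity of the TSA against trust store` heading above code that no longer runs and a step sequence (3, 4, 5) in which step 4 is now empty. The history is in version control, so the commented block should go, and the heading should either be renumbered or replaced by a pointer to where the check now lives, e.g. `// 4. TSA authenticity is established by the chain verification in step 3 (Roots = TSA trust store); nothing further to check here.` If the old `logger.Info("Checking TSA authenticity against the trust store...")` message is still wanted in the log, it belongs next to the rootCertPool construction earlier in this function rather than here. verifyAuthenticTimestamp continues past this hunk.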