From a8811e595ce9058f115acc679ace18d3990f6428 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 19 Jun 2024 17:41:36 +0800
Subject: [PATCH] added more tests
Signed-off-by: Patrick Zheng
---
 .../countersignature/TimeStampToken.p7s | Bin 0 -> 6595 bytes
 .../TimeStampTokenWithInvalidTSTInfo.p7s | Bin 0 -> 6578 bytes
 .../TimeStampTokenWithInvalideContentType.p7s | Bin 0 -> 6593 bytes
 .../TimeStampTokenWithoutCertificate.p7s | Bin 0 -> 1117 bytes
 .../TimestampTokenWithSHA1RootCert.p7s | Bin 0 -> 5955 bytes
 .../coseExpiredWithTimestamp.sig} | Bin
 .../coseWithTimestamp.sig} | Bin
 .../jwsExpiredWithTimestamp.sig} | 0
 .../jwsWithTimestamp.sig} | 0
 .../sigEnv/timestampAfterNotAfter.sig | Bin 0 -> 7365 bytes
 .../sigEnv/timestampBeforeNotBefore.sig | 1 +
 .../withoutTimestamp.sig} | 0
 .../TestTimestampNotYetValid.crt | 20 ++
 .../tsa/test-mismatch/wabbit-networks.io.crt | 20 ++
 verifier/timestamp_test.go | 265 +++++++++++++++++-
 verifier/verifier.go | 7 +-
 16 files changed, 296 insertions(+), 17 deletions(-)
 create mode 100644 verifier/testdata/timestamp/countersignature/TimeStampToken.p7s
 create mode 100644 verifier/testdata/timestamp/countersignature/TimeStampTokenWithInvalidTSTInfo.p7s
 create mode 100644 verifier/testdata/timestamp/countersignature/TimeStampTokenWithInvalideContentType.p7s
 create mode 100644 verifier/testdata/timestamp/countersignature/TimeStampTokenWithoutCertificate.p7s
 create mode 100644 verifier/testdata/timestamp/countersignature/TimestampTokenWithSHA1RootCert.p7s
 rename verifier/testdata/timestamp/{coseSigEnvExpiredWithTimestamp.sig => sigEnv/coseExpiredWithTimestamp.sig} (100%)
 rename verifier/testdata/timestamp/{coseSigEnvWithTimestamp.sig => sigEnv/coseWithTimestamp.sig} (100%)
 rename verifier/testdata/timestamp/{jwsSigEnvExpiredWithTimestamp.sig => sigEnv/jwsExpiredWithTimestamp.sig} (100%)
 rename verifier/testdata/timestamp/{jwsSigEnvWithTimestamp.sig => sigEnv/jwsWithTimestamp.sig} (100%)
 create mode 100644 verifier/testdata/timestamp/sigEnv/timestampAfterNotAfter.sig
 create mode 100644 verifier/testdata/timestamp/sigEnv/timestampBeforeNotBefore.sig
 rename verifier/testdata/timestamp/{sigEnvWithoutTimestamp.sig => sigEnv/withoutTimestamp.sig} (100%)
 create mode 100644 verifier/testdata/truststore/x509/ca/valid-trust-store/TestTimestampNotYetValid.crt
 create mode 100644 verifier/testdata/truststore/x509/tsa/test-mismatch/wabbit-networks.io.crt
diff --git a/verifier/testdata/timestamp/countersignature/TimeStampToken.p7s b/verifier/testdata/timestamp/countersignature/TimeStampToken.p7s new file mode 100644 index 0000000000000000000000000000000000000000..c036aac23cb9bcb4b30960ba940c41a1bdda1805 GIT binary patch literal 6595 zcmc(jcUV)~vcQuN0-*$fNRtwfs+66CUX&uzu>jIUi1dyjbQBVlF1?5fL`6{qgoq#q z5LAjHf(U|$R8gdNkp6-m&*hZ&-SY1FUj9h3%B)#y_L}+49)QGM3xgks)QwzW2Gc>v zB<>P`#9ash)1X-ZW*FQqQWxw<1BHNTK>+b1jPci*@I7ECnb-m)z66Mk5HJ`9KL`Uu z!DI}C20;Ho4vLBpUG<=Uc1IkAST6_LJwrb@SBKpRv^>h<|WzJkbO}TEY<1QL3WO z2hu?EM&vX?Q1lf97Yhc!paCVc0$P^(4Ojs*R83^_JTt%q%?Q9@G-gm3J490(%?)tw zG#Hrn=y-Ua#d(;xI(wnK{H1(xXbC`UXNZOg^<&6)XUNn<1Lfq6M`<|tMl%lHL!}Z-?szsb23v;FNaY8l;q?vSSwCu zEC!IrD1L8Zto{}o03`6u-G`(;bs7>l5k&2eg^<8R&;a0iB_xyC>y~MmlC6WKA5>_| z*wy+syI#IczA>4%Vm4kdrP8u~_S!|wlwgeE>f$`_w=3Gmv2cDSjoq=URIR8COWNlm0p0cEb#f{_}op?HoH{CmK6uBr8asf zhtG?$UPLEDEd9r-)Tex2^YPaw1m$wJ6RS%uJiDlP;Y+qduqb&BRa!mt{(wj}*U1sj zPD6kputn- zq(YDT#8Ra55Mk<*9!A#cv})|*%uRa*igG~=6{k*1;-UL6oJj`V2g5~Z1wLaJzt*`N z2;wBqKxn`q@GTPf8uf`}0to7z;$s1Wx1mrP2wgb9vC|gWX)^%~FnX#>($dn=&;xus z{Rk)r6j^-1hZu-LN)*ipezOGiwA>MfBmjmx!zidWpap3B=Ez`vKo-FKTm%B<5OpCC ze0-H!Jx^SWpBiO zPbsV>9(n9Y8nI>~9ujR>7}jL-x}skAYE>54g~4iE8`n`H*?peOIc*a@$1^;-Q98hf zfr_)pU+jh-l`6kbr@mK+CkW@9SRN^Vbp zC~9~~a>4gw;^60I2mKHoR>KcBJ1gc!P6U5ZDiNgP9-NJ@Jm+&hc}g}n4xPhX-*`y= zpi@_!#yiS>J)w>#wlVVYR$UFp3l1ZUP2uHR%*j3H-sj4z$|l4_RE#V*>9;B*#n}Xp zAG-C4j!rF&8=13K>TEDkPN|^xPRY==F`PzNTE#i};P?@S{peghpS+ zGn(zMWrRG0#quGL6DgO$Wj2?ZzCG9Q>vM>oU$`S!* zN?!9SpLW|5iC+OxFqxKtImX`}I&D5UxDiwCcQcJaA%&ePzjRo+IR9>$W=GHU6KwPI z!CeO@a|}g#Jg+A&3V@I4Hcck3S{F>Noo2<`6;CRhOM7x!FUC;9bHQAN2V`FTBuQEm zM|wA~4I*ZQg3VGNpLO^Oi@a~9?~QF(_+UYMxevUgY9@GTD?~1+A&j#AzNjX9)r>*d zfq;uWm?>|2s%E}>a58jrbt0vc3KmN$STufsg&91_o1)&oDXnf3szca)Uzn&=F+`&P ze(EiRGO}~-qQyyXZ^92soRmki1FSnU7}y#9G2>?^&F;<}jG(Dk83X+I>|jI|O$E!Z z&A*pnB#6-N(|yMYgoTO|2m@rtEoLFZ!2Y$teM46X4R3JdMMje_?&4X+{v?DT>q(LRi)27zBqm*%gV;Txc121 zPz~XP#9tbYZOd!i&zIT^G}emVO6BJ4nMSu&$EtX_)kn`xXD)wS;36Aj@gkz~MTeqa 
zl0Rn+=PX_~JZxh#=E8>|Jz<%6#zo4TQx2(QT;2gWr*K zpi{6ZZA&vlWsb2lEbQnNM3h>v<3#(Zd(t)Q7HW?!t(jyQSrex41~-{W3fxR@?vGnN zond*GRe5;vnB3fTmJS8>lRYA`QyDYgoX6>(Bz(|#Lvico6782^r#A>%!NO8j*naMjbz0dYDDmdNTkud(Yk5JNlFHb^3P6F;3Ym(SL($!0WpPxNyDq!3}w1aHUXh(>R` zpcwT!%xdTU^7OFjt@r+rbPu=7%|fS_nV_E})(lE`I}`{Pd-$C0%lanrpAS8g(WS;+ zk~toKJlXSsdE|vX3ViN7$bp|Ylc3^EG!`a``iyHNI*(R+7z zFZQ6lmC8PRb9A_yx2tJ3?1i%l894M4B2*&n_=NP&HkC(0yLg28W30zh-48Dh$p65D z3?Ky@BukLRB1QgpJnV=_;pM5^@c?voLIo!F`^+f3TN3N}O)o%RJ0;~sdN{>wG3`bP7H>~htTxROd<^i0hR@;y@B1I71D z>MLX8WzYEXb5kb;w+=1m<|^?N7rvDVMwKoW7Vr&AA+y&q-1r(*n-_X`YfX&ubSy*D z>$NmiMTRB!Tp+G8r{$lYe*|B8Z--Yuo{s9&I`U+VoIZ-OEDvnVb1M*{=7O|3RJh3e zgv-3Trh4n9Q16(>xsBc7_g{kx_9sXFMYt#dm|bweC;?cs;t#x7{g+Yp&uEfP_tm%A zX>}6W9HP3yOg~qq%_vDK(`}rvRxOTrtdW96=6Q#W9cXDRiFR)&k7;kDY$IDwAO$D& z`}SEic12AaDer|%IXE$UrUX1QVpMp%ND z#%~H7c)LwSLJ(cT;yF5i{q)=GCVs@sSm)$(I zyr1%I_)>-M&Bt;D+Vg|i@;AIqW9RUvyriQWPG}z4n>Kx`K{4Z+v9T4S&H_wcF94`M zr||jCq#(WD#upsN;edBN$(a`!JUSspggWHZrqX)E{2Am8XbI!k)^y^K7bAuKA;qFyGz8vL9T2M}Jc$diPN7@`QOGAGp>+#jwH{M6E zv~LdptgDyWu)0glo(@RKV2fiN2K0Ij=?*;hh#o(2zUu!YO0fR{O0a(~O2A-{ zUg4RBhy|-xxC2I+`ge3X!}#$iu}9IoQtVcU)LcF8M9 zm4v6W@|Hmhmx*nJWv;xDA(yt9Fh@(xv1T)+>W&7{>2r!}-GVeM6~;Z*c5Yf_=izVc zaD4?+pfko8{y~aIjwDUe>c}6o{x89K3E)k`z#Kl-)g$9IHp3!=*Pg?%NQym zHdiRx#%l8AW8*MR4zt+W7x9T(dE%MNEj;Lju&VK66V+1A`(NZFS35K%zS!E)6l&t` zl$yI?H3#I-k5rxE~5Nmvv|%Xtv_o+Q8a$zC`7A?5}OUR6@DdcFl0wMI&|_r z6H&*uGgtSD;dN68J? 
zPDaiYqx3e4)c5MPL(n+xGmkT8iUKMet_IiIK4qV|c6OcFW6;!<;~vciud#^KbN-F4 zmq?sH0*NM|{_g~lzl;&Pto*$cKsBy`dT-tFf~^-!GbaXM_X z`xipxFCeMnJcf>?xjB~DT3=`Vh^8YUfrAgcJiKWn60l0z&l5%}%{>Y>*fJ(f8l^^r zJu1`e*FT!LIG;Kc@wiP+@cB!Zt=13EObS|(V#j7}j>f0=1zU*o$nf>Q1}SJHP95>= zHWAOfu;2{k-`gFVQP$CKD3)iq&)3&~ku&R=KrrHy6nzl`ujIDseKQ10@&);c=jM7( zhNPuJ?c$zmoM7Ld-MWHtPXpi08kNKfD65FPjZ|+{k&Fy{iIYM8GTm$DJ#cZF7H(7{ z{vO}jarU?)|3pe=1iI(pqh=k8!?tJ=jS3-52v*!Ctq)_5Nw;4^-@}SqkMXQj+7IXGF7cMWTG9+Z)>#8ytefgr$vecxc%``7;M?Vv zGl^#@Ba%{8T_s3UZ6}WO^3-eZaPleXuLi5%E@ZdWr?OH=lW#nQM-`xCKf@9vP@kS| z(KX^a7LBOb=hl#e8W{Joje@uAJ3VGVTHWqG9RD>uV&I;XQ{>fgDHQ7V*4AdW0j!?j z7;DOUT_{|2#a3i>=9sGG(8H3h8so+2-q!Z2I#5YMh)EhR+g1Di`mWP?$q9o)9$lE* F{{ssj24?^O literal 0 HcmV?d00001 
diff --git a/verifier/testdata/timestamp/countersignature/TimeStampTokenWithInvalidTSTInfo.p7s b/verifier/testdata/timestamp/countersignature/TimeStampTokenWithInvalidTSTInfo.p7s new file mode 100644 index 0000000000000000000000000000000000000000..153ea92f420c97b73ca803085d437cbf20b75c94 GIT binary patch literal 6578 zcmc(jc|6qJ+s9|d7{)TfWXm#SEz5Ui>`PgaeJNy1O!i%4WG!ZtJ^PY`NlFPZiQI_F zQj#Si$(k0jgpmCib$9>V%k%mz&+mRc-+yMVbIx_P@3}tj^SuBPcNq+RAWAoCg&9l- zA(OcC0TOo(1Wbcw0hnQMhbUdJGYu31rUe1S=P<@!Tf+B%p=4q$l=uK3-iLs}F!(_j z7z!q1AT$8_4}MTor07?_Ty?&+hN4KwI`1%fK0>!pUHvgzeWLgq&z57Y5TrE>F&nKa z>Utm@v|vO|Cj`e_MgTO_j>(pV7JwO=5rD&JETAxUh^9808{phA7?}3xc=?{jd6~Jp z`k;KyO8Mi^5`frF6%7;WN0t9hmARP)%EcFt(r`M9^Ko=`LP?=?WXYtxP5=pJ0g#|- zWa>x|$R050sJrP+=`%aX`?>qLqO>%qvoO=uz$(gqpANv!$&5h*au@|bNlp%fwc%vOVgPxJ;&&5c^SA5) zKmr%+UL^G;(~!VPAZmFWgajsnMgaHAp;^p6*Uc-H?47Iwph8>5?!KQm34|Nxj&UK5 zq6FNee|hiR_v~fLwdukYi>cxnmG<@1ITtijLokM`Ul(}4UGAZFHq_&u#0MD#Mm(Z8)t zd&K9nkZ|?0pj_T|QeFA^#}^dOf5>$T5hc%~D(c2w9}vmqIzHjuYX~p|wM!jMoUvp) z9GqcVL{pB9#8j*2eXUH*VrMd~&MU6eFlM|Q+rHi;cqAELn-h$I~8K{GAMEQz?5IX8Nw9SnhWNi9G5R@*lergBIBvWf)_URp@c=SW0#7A zqI4nXn>A>l{iZM^5is1TMnSa!EkNV9xCQeAvH<31ClD})s2hRc=dUay6BrmM?fN~= zc7jRT(broB@9gL6?@sW=2g`hqOFnie1fc3e@=t#-7)p!;h!KF&&k_I}CAHHdwL@P= zf4@KW=!lbX^(Xk_9C7|`IBHC|$^u%yxk928es%SCb_~Ef|Jm8m8Bh3Q2hxss0wA!n z*8NZ}fFlAq#nIya@!fMvZ6$2s7xjl-PwJgBsXIVzAOKYc6ajg%EEy98{5q5)-s{if z{KXhvy90=-5;P_125oVAOX=NbRFQ8B`Yfr_)pU+9M)m8v@5 zsJ>T-Cm83NRmGOnW#S?!ZGONCR+4SJ8Bl62%HX!0D)vpahT9t;iW**&T=ajNH2S{H zNk3GF)$mP0Z}t4dv5*f+<$`qFqhAtg&iI{6nUT$pN9Qp&wH%T^=+f7y@rtrvPpIdi zeXM+fO<%KV@nM9qIlO9%Ic4C?>wI}t*~Hk$>WM`c{SJlXc)O6PL)YKY(W#|#BlFfO zTn#=~QL5>EQ!};g3}+G6Ht{b0IBj|Ts18RhZXcL3{HRhgp~au^lxFt}86huWu_6fM zSn4HkrQOBWZ%;G=hMW=>7BA0ER!75&>KWJph0_AoA0_aC?g2r`+=#6TC`e~eNM)z`FCA7cE4o#w*)wqU7~8@^NZ-NfJVTKI@2e?a z1;8e{tlvcM3(;@6WFHBUb7@|=CKlKzs8QD2^(c-wT zFX0Czj?1Ij0oI)s4D1a5Xz{a6*J=Y73uc-YQ% zx@zvFbEh_=xmty}8C`s~&ja)9xLfE{m4%RV8wjfrqQ_Xd7r!&k zxxegvVk?dhen=SMD%!e1VJ4@SQ_|Z*Ke%q)w4(IB)?j;NvFVf2Tw7sCZ;;ok3G>~@ 
z^-6xqsjOpjiT1;|OBaGxu%v<&wx4@qomTe96n$B)o-1oS>3yk9RFTUjmIgeWEwXyX zXY#5Y#Lz*t6Oshp#LuSA7qJa%vKdX^7JVNGDM45=!MkyJqA?p!DMo`%U$paod34zP z`s=fh3@?vMZ9*rPnV|0^)(pyddlU#42KZd=$oePop9?#c*{8-`o;8(Vn&N%eGV1&u z1wKz6gi55Hn2`QyQ+Xt`i$|D0YCWDBet3C6{s$gp04d-gS%NGUCGx-H zVaG)ZFHhx;7ofA_hk~jDhX7R=l=>I+AL4b_6_hF#Kj1PRGhpd@P}81R1ZVuEsaBlp zM4w^9;66IPmUTvWDM;A?E1=ZE;mNJ8CqmCZk+afQ$ehHVxe!&rIjqrOGFErz#cbpL zgqDk227859xsFT=JT5HhqI6C_KH2>$!ha_i`4*HH0HWfADlm*F8wP ztgg1j(DbB!{wd@Pe$Sb+elJ-v7pD{~(^I(azP*&K$Zhrb_OnzooH zY=AL^-ar4;wZ80*$#VvolIhZRG=+kDYM%6qcbT^zIddu$fp^#F}obm}Ky{>iZo2cf}V-v43?}g1c zxiF?iv>h4tPd8pHiVZgja-@ICX6mi!B4bn&EN*n1Cypngnwy9?-xOEpWGKk1<<_sJ z8rMv5d6j&n8VzfHIPQ&s-Q-`b`CNScLBm6mqiNR{uGorA1JvLl{pTn|0vDM}M1!t&K$=BjwvEz_!oDc{B~R{Iw`kSo?+ z7|oTx=4&1|k3Zof9n*YF^T^)x+3U@UnK{PBHjFxpFnPT|pze&q`yZnmkk_E)jFVflNn<{Y6#9EO7q~|SOxZcpy77zL=Ce2A zmv~sC{fG>=t_1MqDM!(Q@&+UNL{{I@=80Jwo>j7)TD@`YbtFso_6Webda)C$yVU0G zgp>@iGU+j(*K5vj;&DU-t1aD2XtOH4s;M39gNWunX5D=5Eop7xG9%M9$1Cx}<3s!E{*NfZ{s$<*{=FyxgF$*Fr?AC6 z6;6z~bgujQC#a6q+zKx9z3xR>(0y%qb$%H-wac#M9B`MTny3LRqr1M47Tn26YXiD)OQ*@w3+<2X6Y z*N&mccihUKAG=-0gPsbj8b2^ot>C=#K~8eDM^oa1y#q~&Chlg1r3Y4XL=GL*c1Ypi zo2ECyOU7&qRW;Q*Q?;m497i=7`%WshsP3LBID9`(1YC9!Ako-UZ>Ksxq?8c~qCQ|j zD>M4vrA2mfKmYue{%;B?uv@Yr>a_>tw=xt4>e*K+D9Xcsw~91IH* z;#g{oth&%9p0`PRmbJMw2ETC>qSZ=?%Z1ttKbJNbb08fZJAQ|WsN?4~P@&mV1kaJ}yy^T`!y}I2H zG>-e!gRHsIz-p%}Ar1DA*ynOiuQPj%n!9t{rg`Ht8JTwGY>WFv66X&g(FD~09TE9U zjo7uz-%|n9%{5RTY&0$2ddf7nl4-83SDOifYn0q$kBSnf!?t;TAk_Qe*bG$#(!*D2C2#N|DdCtOC2MMgfN|>n>qwm*EMf7-ys!H5V(+djZ zvxx?X<-5j%$e@X2fS3yquK>g>D2lyrvI({AZ7gPvPjLGfL~?d=9lXNLLUhhr4zFr& zSq1z7`$D__haKFN0*8{o5wC*P^|H(DTtjC)9de|<4P^1K+&N@(t)es3;ChpDv)%U9 zW@sE!Bg^*Ord}W`SIXk4oDv_*zU<=M0Dq&>fF#dZzFcbO6UWR;BoL`p>PYW1@cwI$tMkoNA_^SUkv0e4zPGrQXu!;d$Q#|GDDIIf{@ zW5sPJc~)v1$MbZTcq^VSX-1gz)`Pz`&J3#*9%5s>TvliB?Na-xq|=lMNvYbta-_Mo z3r9v(TFxt+d}_w?(Ylw5xt&dEtQ698m$&do1t>Ydup9|AWn@_OO}J0SAgcFyH0Pm4 zrhM$9;qCiQP8yI_xBCw#e2R!1xh>@qb!AElg}Sk|wV7)GYa%$unX_IMicnp#7g?P% sQMDesSKe1|{558%HALhpY0LlUassI20 literal 0 
HcmV?d00001 
diff --git a/verifier/testdata/timestamp/countersignature/TimeStampTokenWithInvalideContentType.p7s b/verifier/testdata/timestamp/countersignature/TimeStampTokenWithInvalideContentType.p7s new file mode 100644 index 0000000000000000000000000000000000000000..07522e1964033896420b890ec53b8fa203e3ddad GIT binary patch literal 6593 zcmc(jc|6qX_rPby82bp5Ez6KS%V%cnOIebADP&7b_FZG_3Zv}VmsFUfln_JYB9f&f z5|Lz0$sR)X->BQY?)~21>%08E_w}1UX69MWbDrmXo^#&ka{vNIJ&Z;yN;_(e0ZauU z5;#f$0!I-9Oo3tq7+^GZQQBZf3Md3j2?8SC{XP>+jOc(yJO?6LAz(0!<_HW71ryN_ z3IO#dDJU{h=&MhTD)&Z1VI*XeYnZqgu3ez2+QeL+DDuv|^<*0aVF`oJM=J|Ci=~5> z42bFYpqQ(0c1ARSMga;aIg~W{8?XW>$eM`e1!jN=iVmQGQJ6ttED&`~6bHbz*Px|8 zpylCx4(nm!>gFA5cdiuC}IU_aH$h$DnR>R0kf8P$k!^S{9y$o6oP>_*9W31R1Flay) zE&siVw)$Ia01&|W`wvNe<`e{Q5{TR%2O)qXKqG+b)sQR(uUn>-3bqcGeo+1$Ls#$5 zYqX`n%Q*GoKnZ;x$BqIQ-jg^>tC0+zFqCEK}86b zl$>@(-`R;qFQ0iTac6@fUVVTz zutVZR;+#3%v7ij&LW(j>B)VEP_iJTp77M*`b#76mnjziQ*pAI+zT?U0MC~PUJ$kl@ zOXk*hiZ`<&*RMF3HqE+e@O07or;-jd%=O(uGCu4E5;;}NWhY-H1}?KSO3}q6D^X)V zFqUXlz)gKJ!iXBZR;@#9dFd}e(Jt_@(zJPT9P|*HEm^PsNVp&+??=qn&y6l(L2SeY z2n84fzC{3ECqI!a08YMB+>BuGE)+@up$Z3B_u7JcZF+zfMoo4}N=hmUYJhvM9}Z=O zB1$j%LXaH)zIWm|BkOt5{7lD9TgA74c& zseph0N$2l=w&zTe_THXSI7c6EUst?0E=cOTUvjfRApkjCB>$8LgP{?TKtwp8@UsU1 zM@j6hNM6v}-q+{PE81hFoPF`WSbMCm3zqB?&eDL!Z=#SWxnD(n9qs*aj{hiZ?})?y zc>zg#93J4^JL_R6JHQ%_m}YHto&4~^TvGv4@J03UtEcsjnPdx)C-6cQ0eL`{C{091 z0l%uU$9eptp1;uHvEPBnQG$X10fWNMecl)dkW%+{XY3!+v{e4;7Yv%MU-gC`_LRV= z;}Ay2(2dCxBW^?g=k%NQ-!}N*Kl|O5kmTx z#g~2GCyjn=chC*dV$y$?-&?&naWeRmLKzXi8JH!;ms?{%xMDvUFl>Wc9?dlWwP6a=cCO^wC=% zsHjxZIS{!U<<5FDRitWa@6=398~u5>rB%F>FIH1lH>%TKgTo7^NOM9V8QdiA3hQZE0J(F#mXo5m09U`ja)#u+A@UFodc`SizUbYk^IJ(tauI6>xhkCP?Uv4l4x zyP$~7P_S9rqjL_QVNv(ZbiFYx%kL~GuMB}#l+E}q?}W$%wSC!w8CemC?YD&mKmkQDm_E+WdPN zMu70|KizknKp4q5fzU$s+~Nyl95}o&dT8t#zT$yjr0qSeQ*Bs9`%s0$L7w<6)C8WH zBXgru_?&eqRh;m=`K@M|xeDpF;-~a8;ZC02BDzn+YioR#aHR=r*;Y3Gr47gLhN=l9 zCjHW4v@5H2zffX3&`=|0Cyj$`U>?;~7pLUq)*SO?K5O;;GCNT(n+qOYC^Q!HocJ+& 
zJooDj{bM%PvsDYP9lJE?OjXKFO{n6ty&jon$K6GxDlG+H*n(S(M7WKWdGI(A#CrMK z(s$G|l@{sB!@^Eng-5FdJI-{Uz9(6~X`%A)@`g#afi->(r z?3!a=jbs*YF!so?oEi|6p37YL<~&XPI7ugXH@UobP4r;@I)hDLv<45p*+--@JfvRi zdhMk#c(FG_&BImC(>rn8G)D#C&O&WlBnD!787aLZM-v^>~CbJ9ZEa5S13P?JH3Ka@)ege!47jwY*I=epQbL&(Q#&qCwwfiiYj#4 z#!!HVvjx}BdrjT2f#};QcR`ZC+qn7E#X{y`b!LOvdqN)rAjNQVdYW!*u29U@Gm^oe z!xzoGU!EK@z4g`~lHuWYrJeuGDn0ar=!RYySC1V2(g3&9eQDn$o(rL8Gy7CH%Ce>t zj8i-xm`7baAjj>_i5U5bGf^_m1pkOLa1_A27m8W-a7GQl$Uo!@vkzr|8NK(1_fika zTWKug`IF=QTzzd{!k#&s5P_pVAwnk7o=-^rY?FD!zmG@gKgW6;+5K>`fb0)ENC6VS z5uzwjI7;w;$HSh81WuOB9S=ZjPYwxH1&#vBFev#i=s(2kz7&)kEPlXcJZ8Y$`G~r0 zL?I2`FU_?g?5F$m8wL+i`Lu4*(UgD`?J&Fwt*q`Gsyc$yJQLT~`U)75crurw^4W&f z8jQy3?!TOGJe<&ac}MS{z&iW!S>C3C;#Z`u*{0Ku-1T9r!-QwmdDxzZC$z6-L7anG zGjs>fwZ5u=bVzG!nhniP>E@k9%;654_xE|tn7KSHXP%zI{^0$UY6|B~t-0=Z(LyRa>k-yfJK|AGyt3UZrDZ0a5 zo)1Nr2(d>SbyxUy&K;QJ2DVl^rnQAbSt1`~qP`>(+T^OGb0B3u*z^gg(t6#xuM{s&&H{>v!)XEe#6`s~~8v_6Yy z4^duYpkA!hq!TApYPZf3uD8K0_~}vF&lfTJ4qST1c?}&;*8@AujYt=Uu=%6 zbI|AG(s1clQI2aNIlW1~R*izSJRbK%!|w2`*US{%derckU~l~D3w!Ly1Y^+3bUv@x zYahvw$-1;!Pm^)&(1Zh2^1Du?0PMxl=>+AX%7WG93|(d_&+PovRo{3CbM|?-N{qPnj!hsqe2~J-vSW=G#cd?%ff9 zY5j5+Mth~*(*YqKY+=-+N3GM6;lODR4^mmFNNBexxuLEZ5y+iqoai(f@3B|iBg zYZ`>7h z=&T`{XO!fTt4wODz1oxP@8(*<`TlO~I}4-NP4Q^mPSZ{KDJ3d8KU$_ix==yk#bTi@ zCX-L^TgS07=&zkaksmk|XPR7Y;Xuy>lno!5D3`O{|0E;6-lH!1$<~gdSRH$(+}sVL zJ|csPYCkG>3sl50QvoBw5Pd+xC>kN8pL*-Oj8W^H5>)7qlxFo;A)*ch)he-s2P9CB>AZG3C&hbqBhzIhRyadG57vM5`3oUS z2H)YbXH!D($b+p5*72{QcI`TML{?puR$n|5N%@!)hc%Zg#v|V2M-}IBQj#||U)46O zsDQ>`n9qbGr6zY2S$z|R)Zj?P#>&E*QzWBgNwnRR`HLE8s*B4V}MEx5t<3CqIubDInvqo%H`_bA?ZO+}`i_iuH*Okn#F zNYnweOa}Xw-@;SfZjts4(sBpYS!m zfFw!_XnR%`7a8Lke4TY8+m43>jy~}6@TL$=#3*P!O`NDP_bA$8&YU%Am6#Cls7bfq zd~f37eEMkQqb?b~r_Wt>I^Q*!6m=xWO?|OBk&rPIY$3ua#XbBIB&U`%cigkzL?r9t zvNM$DV1Ha@WzVp_aDo0IUtj;PY}rk`!SD|f)FrfB;=9WC&ESkF7iDLjn(I6slavUx zi+`$ilI3tt=Nj5Q9eg)?QXIpps3iD0O0`o-JSy-xRtoXU{Ggfl$fbEo8iRU~x46!p zbH5ufs-txs@C9rOZ2liCxUU2bC4j@<1gYv|m)SUn%)8rNm;5%6#mRX8 
zsMXE#t`NOj&5kWLyEj^(arBLhy9?Vo0Zi;E%V)0_d!Y|y7v=c*8kG1YQI_X>U{h*f zO02p4!Ieb?R@P^TX~)F6sjUwmW35VIN-D;5^WVO2*Rk!M!qZ^i+otHX30h4YGc6W{ zr&g&VJkQhg-)ySRQ(1nSzhFC3{@OS8RqrX`Tb+dDhkIeM^W zykndx(+&P`ByV3=J#|%?(X} zq(PJcGtj05;Y&gdf(^M1IN6v(S=fY`oLmhh4a7klE*=5*ocyH3oZ!s#JcYb6-Qq+; zO#^k16f=(kM5-7h6%y>Ikd|Mh;FwaDn3tTIqM)nbZnA*Eu!-5%po!TNXp2F+oZb4>Vx`MMK(28IWM`H^Uuw6_7j0|p>0n1oc-Yj?_ zd&$>vK3bS9Xkyeikb*}HC$k|hO4u9dBIHaA6%6Fi^e+TP9W<&Kxq(rq59e~S7%H(S z)Z9PKFSLiLe5bKyu=Og#t$SWIT+UIm(Of^-v!Yx!s@xPeG|n<; zoX(;keC_2Ch5xyJ>LEov8P6-4Qd81z&ywVCOr8F%e%qO2KMjfv;+Mn@KnNmvnWc%b z;cBIW=gbYU>DBMD6K3oExH(;lf3;oI!j0#vy%!%zJsSIe&QX>wo&)^<-~aV27nGRz zId1lvJR|9utLBy#`>rkRXWh6cCvoCVHfynY*Q>UyS`rlz(zD)YJ3WL?h9!$G6n+^O+Wu%x9@q;(0qTTZd%){SGo!cOaJ}*JJ*}-NJ(l}h~ONh2Al8k xsz2ZR+eALxyy4njzb_rP&t2SofMG*lb?_7!p;^iIj$DgbGO_Q$!<=hIO95z?m3sgH literal 0 HcmV?d00001 
diff --git a/verifier/testdata/timestamp/countersignature/TimestampTokenWithSHA1RootCert.p7s b/verifier/testdata/timestamp/countersignature/TimestampTokenWithSHA1RootCert.p7s new file mode 100644 index 0000000000000000000000000000000000000000..9785befeaa780d07ee25db374aac490fb3cd2cce GIT binary patch literal 5955 zcmciGc|276{|9ih*!O*B>_nVl?2%z?r7YP}mh2Oyb3SLB*Llw84d6KsQ&1m>Hi+J&2T_8F zcuoMobIO205I7@1PeJVvZ2)qCK*1n#G9WUZg7!yGY9NxftaEc?6&YR|Vh*WjNdh%;wa0PWA>?VW%s>zQ{Q>e*s3mx=6&cQUiF3Rsatz zB0|6*FqnxPRl1g(L8Y4CJaO25?hME7YJMykL`%8_CpaxYO#!ihQm}$8PQW<<_T2^z zD+3DchSqWM^Ou1co^z6gs{^XLCm^iydnaJ#eprmZi!)3g0W&*+L;$KvuoDJIc||3d zIoiwRg#Q^YAM`mlm<|#U;G~yV0F>bf;QOBqC%pm!4!{-U6%np~M@61m#jO_>k4cSUKBe>qPrnw*R089)1ARK3e~ ziks`=w(dLnGoBgWeC^sO(hjY(%LXy>x|+>A8P>EP*BQ9*>3PS7!9hD+Yzp?<3#M$| zsFvD!vl~_VBY{$?9xnq=rp}V5x>Avh+ z@()EDqM!I1Zt+#r*iWx~z=gqYy69VE91)c(kxp&On*ADr(UkvShS(mgUmPULAa2b} zopa`QAk6dAcjU2=DU=DNar#-G-IbzZ6ZX#gT@52`>h7qVJaz4_n6M8oXm)}SOyT*bX{?RNG%upD9Z}B1 z*q#IyoMoQq)<~O&(1SOE2!fp2I}cFV=JtW;r4TcfLIQQRZ-u9Csb;Nr%Frt&)^BI@ zX|8-*sqPr+nDP`|Y1YPf5q&k%uO~q((LNIN#x+$+eVz7Hxjs2dG#{B|onLkfOLu*g zWEC)rR++sd2N!trZx~4)vXl*hJeUGIe5@z01t`*7)VbOKO+dV z1BF7slo0^kZku(t4F<>nj@_2nZi^0}p`enc0FjeZLZ|@P?r|8D8{h<}C@9<_=|H6J zwEHtJxZ6Vn$^~#lusz@y^E!4>4kLw2lfzy)3rom+;tlZcc3^;VK-u!DmsuB7!yh-7>R1?`(yy zFI^D^7uNPh+!@sR zQW&}5g*<%)-B%~w_Bf&HbR4V>L<{ajpz0{$k1|)mY)`;MIUItZsImwfI?x?$nq`mC2P-%SNO2S9qxQy7uV(1{(`uE6qf30Bs2 z1iw7(P%pWoGG}HpT*4_Va(sPhfOFf#V}~+8&^Hx@?5x!r@RSd=mUGj0nd8M&-~8+$ zL!q~f6j)iYe>pLB_gVz1G=d2kM^fw_NwJh4icu;l*NB>jj_Q|um2^E|cj`}%4B+@H zAnX7uDM2K~==S2Vix`}g*xkdltV{s`0lz%6a3Nqfvn1ZQeva7V&CJ`|pJd#3#N+{z zS$`m=Olr#SA@;9G`gguPj#i{Fyx*eXXJ~5CAqHt%O;j#SHO(IGkLt@by6r_Qdm8oG zW`j8!#jb6iduh#mD{L)2miByxU?!u2pb0CjI3~sGH>*3~u&+9m7si=CV#@D-kdC+z zC(JdyIIhvgdA^uiT2p({E&iRU#>%ke;DY4A#ewoF?1CVL%hhD5fw3j@^w_l+J+hDq z6f$-)^sH6zigHkvZAtf=3(l2ht2q75Gf~_x>?_S_h1}063)O3t*jG#)348WQmBnqD zA)L$8I6+Ll8et>}!V{Yif`r8N&th56|A(KCuH>8uc=( z25@!#3?4V>`V}gB%J+P;CHZy|VA*x#yJu7Y1qm|Ji*+A8e<{;`x|T*}@cq8F&PLO+ 
zZig2h5bp6Y8vkl0DEfQS_{IK2WWb&kBx5`P^gk2^xi<;`M=Smp!t5qgA3@U1AJEyo zV?pR4Kn+kKDiIOU@_Y0Aot!@>@%#tC|N0~PyI5f-;~yqfdlL##!k}>1;ZY&&S7ltX zOvhMzffLV~xwbn@Y+oOh+V+W~FOoukLAUhsQ@+)7crr>mcly+bSIpK0m>2@?)>F-r z;@xIqG<3!g? znar1QC39b|G&qaLcwTSJ2z~BD6S{n-0c-rgX0wo~!uIWsqY7xj+oO;2^o#U9t9s= zA0c~;tF>+k328mAVHNF})}w{OjA ztO2@(pOT-3#;%a{*tULtE^?lXb`}Q~A6s$3Y3EDDQ0q(2pXbTF$oPejvSDE^Ef}%& zaFs!NZg{&;4#j?Cft7)OLRp0;TYBUDaOf8RPkxmo7WRi&47a%AKR-XXusmV%no5hy zX1`c;qcJ}s^ zAhhhugIzxaJTbWAYGsvWZXHi2U1MATj9Gr@3bCEJ+i7e!r?>#`9#68Hj8BLduTCUr zT?={?*il{HR&|z31;TW7bWk~0mOSjzC%h(8qEE2}9w|RE0mU3Rmk0_KG8$~S#|y#Q z2D*-^!BJ@nTFq1=Hio&a^MypW7r7D**~Y3>%+{QnqNnu|oHtw0mv97}#z|XkTuf{# zI@n<4*#WaZ86kOs?!dERt3y|OWRMO;ynOWY#{g{?eoUVCgR2E?vLgjfWpJyn-YyV42t?*XY}Pq#v7lm4%<<>dsOA{iY__6oOe@Kbky*NESIAQ@ z{96nU+Fba3?xg^)Mjp0x)+51k2WwQ8*LNc7e#_om^_voHFoQff{`|ny)6R@j_4t!up zH>|A0n#iE#)J_m?sW|z`!lPHB*c126Tjbz+xbImJ58)k_TJwVv;iGC}E7dV6Ur+U& zF5!A~EDKWuD$KGfvXgvWmkh^4Z~z|SN2#wVA`wE7{$UcDQXZ?*D0;m6_ zehBdWagH3$NGh7`FZlt|`#OW^;CuiNK&mi6*<4qodw=1leS=z7?notXeB8K2+C2r1(qlYngLHwC`yV}0xeba3lZoEzJ;go5KHIY8 zhrP8^fvp_3t?-L&F?gLIdPQ7J4LQ>6NXAz`pZ4z1@+_@;Z$9cx)io!TmaK`sBc%+& zW}^?)+Und@2ox;Lk~>YN)csYrMq=bLFC{OuxF&*1VQiPPPnSIn91EeRaCJ^gV+B45 zJmPZD)4M(SE@qSUj2Xk191KEb#Bgq^i&N`uN=gV2)Ee9J7Ty!7#vu~-Sz|6Z9Mnaw zALz5{z}awY5!b|ZHzczt2kRK$)TpauYt_UaD05CZV_x}@vcUklEuwF`Xnkmuf$#46 zsa3L`Q#%dp`nNI1Q qoqi4H!$}x*xX$_W+)hBmUOyqPGuYBb(Q00`Rsj+4p4mj$KW%mR&`5WsI>i%uKdyGh~;@l1R3)gzTX#C2NbU zr9>36Z_$HrMm;@0&vMT1y3Tce#~-e__s_k2-mm-qeEY&JvhISEg~3EWZWpXH+7s<4 z?TICzaQ@PG7bi~_PbU+!GsXi0@jHg{@^W`UqX;foPZ=LihdKlf$o;(>X><%qi%@IQ~{_PYsw3V=!;hXBzMq79HB>HrCRG#dg2fx%#k5`Y0l zBN3q!@r?llqNAh$j1hDI4GeMt3S$LdF!`0BW(Aw8BbWik{SqoxDiaKfKyb$(n8?k^ zIkc=WqaU;VRRzLIMZn+*rY7nD?_mZ208|jl2!w*XoV*n|i8zq_zaNkU5d2pS?1@?-We(LN*;XaAolji4WX%zpHEl^1XfU1@5BwrYMNCk+*sgP zPr#hWq&1y^+*$CVshz5{tlP@VrSj*mXdN6E3cdNh)7&vZY}KF}QF% zh@up=$2tL>Vd;557xS&n8!8m^2Hu#$K4^FI1bvL#4r|X|aCl_VU841JZJsb5ZBx!2 zm{eKVBW??gWCBA#6remYK;*}6@-Trwdr&9@Oce^SlJ}BF1WFIk!l;kIK$MhJ5Xix$ 
zB%crRQi3R)chIrUwab(ztFg>1VMmjq6Do)f$}(57k2zn^l%V%z5KL(F0Ut{CS)}R2 zMp7fe{mUsTqYj*I%deX)`uJ7@TfRiJOT{jdycQ=u$DMK&3M#XYbvRLVz)kM+N5g1-HpfPWR;Blb}ct!QpaMPp4mVl zrf>AkYk}GN!q4g|Uo(!}s(dq?bI4Ans6)J7-}PC0P)ns|1^m)m%-2G<&OSy}>&Qxo z{tS$p6MDl(WcrqIJw%ajY3?4yr2p~=jUAj#;EkYzHAl+?cp0)pz1XB`VGlWMf8J-M z)@4?L)9=VX`=z=Q#*^T=?+HJ=8zBuy1AYR3sY@U`FP?z%@G>C_1B!4Nhp~h|2T1Ua zKm3pioK1q)k+Z77AP9m1po7uaMd*Mq5GWV~5Vv7;zxyiu{eHp2OpFt8soq(#eYVg{Euvf90HL|Vle?oFgJh%HTkJv%plIo z1n;h-H(FzNQ|Icv*#B}~0qcLZhxPCFAOM*k_OOZ{Fm+#Qf9w`n!ud7T$(EStsLLtu zn{-BgU)%Q00%Q?@9016YwM|Z*JTLj*lmFSpAPZXV!P)*4x`ch9iy;dgk)l%JG@&>w zelWEFsWaHtT{vdiM14PJ%w|USwcW*S8G9I;QeHgEsTeB>U-tbPa zqTQlRq6}w912t1V`fdTLitieryjpPmm}g1G!I*s20(I`3I_o7!wQ5A(s7&-eAzDWu#@e3i$u z?sNX;d?G5ACZ{w#{Yy!*c$#t?O&K!tx8QTRO0J#W4LrsSq9C(i^VZ86Z%sa;(I0}d zcna;myxL8-G}&0Ah}pT3($o7>Xi1<#@{Z*HO>E&m#CBhN59%#7z_Xvv2!%u0o;58- zBBKe6qg9KXN3PPpQa1{@4Vdj0^FxgRLx36vb0X4%pkP4#57!6r0`h?DFZl+8;G)h1 zf*1a{jEt|Zue8$-AKZ5|X*AYD28Z#&;#~+>oWBe}zuzzGzByok0w7-h)ddIyC58dS zP(bBZ4giXf+V7OyCl-zO`fI0Xl#COefJdQGcxM#ZQ=H@h%|DugBb0t`ipQYI()ahq zXbg_<*AAr7I0C@8Z=evA1AvFJ&BEJVrawJ5*H)3sUsh{+-P(vrB`*TG0w44^pbRKx z%V*0*0KX4~#<~A}oPQX@{h&AfU>z7lQ6<|u>$LZNte{#+%XWdc$w#Q`6=cD1z;#+K z4ta^+{{7;NyRyn;y7#tdBA-|V-UhNy9B_u=9ha# z)4*upWI>E5T8N4$y7{Sg@^qT;8F!stX4h`-N>$s|lTrdCw=gs|ttD}HJ1DijxP|-W z-O}rRp+i9)(GqIcN<_Biq7;RKBUZO-U<=}5l2z|+1z>d!!IKqhwAF4C6&Tto;xbN5 zA!h6r{6!grlx0V2@iGS|ZDFUwLMzAOuc3Gx(+=GOSC(;Jd{zj+4=v}ta z(=dtnZIe%G`6F#yc-&o;yc6YXio=?N88?NQUO)XLs#-d}z0G@n6t=PLtUiwzE9&Bn z2GBfrlG^Bww3=<;8N$KyLQlRs8zA@r zUh*k~(y<;sz>xD;Ea4|R&MP8VfkXQ>Xjy6hRpVDC%H?jM$=i-ZO=TD*29*R{FV6M~_}{y(f~7>b+KRWpUrqt!#bDnzaf8)rGGm zG_)D-DXQNuklOJx(u~@@!FhOi5z+HF=7gu~v#908w2hH9j%@vOZpO$0(ebFR?8)?r ztgo2{r);g~YnS>kJ=%1pCo4=%sAAJS>rB&Q3K2;sRs({*Gg^!hUB}Dac`+o30fCO> zU5(TeD|8hhA*XLLMxG47%=MZTNjGj=oUFOJWs+`aO<2I`=Q5C#IO$*CpS60j#59;* zf9k8T!b&DnzY^>DVG;R-)TQ5?W~rMJbOZLTR}6eR%Km1P!FDK8lb7(!OT0StN~1)^ zqwsOY5-dY~&4!2BZVV5NsxYIIXvg%H$VUrkr-~SyT?ZRcCo}VaGGE?NNmR zwSLxs1`KzVL$s`+4{RI&+k@kH;`d6CFBf$ealKrdJ+>JT1xz&h=y$ 
zovq#sk(i#=ad468yOo36_$I7RunNLOC{%&X`C>D_KPoX8-5ND92-{()sMWn-eED_> zRfORq_SgjpOBKOQi@J$qDVD%9oy`%Xi(PEPR6UfO7 z-cQBhq-fO^y>)?Id*%fm;QPjlSsk&!*vlFrZqL{5x~1?zE#zsV7f5G6_g*RNnrhN1 zK6YU^{-FpztsPG7YzqH?rdHEdcFHurWvyR(zH6~y20)?=BS&Q1e!_)O zd+HG+Os@4RMrUeI``mw?F66h$A2|8>bonFsf6TIfhm#blFZgc9&3U%&E68sQ)GO86 zbdscMo%T6vWLa39dXgMlJ~m`V;zfITlv`VEbZ>j*9^0#PYy$IoAC6eH4@E8-9%qLw zI5^TJg?4L=;**Wm3Zg@d{m|5%EN4A59Ayma{lyK>bH#9lKI9}a20x2=>|h|kt?B&c zBr>M0(sA(mt%nF$ThoMxEbJcdX8l}oUR`q&34QkUGDq~-XD0vk*<3z}J}>Dj(~oaF z@-Ugu35;W=Qr>f{^hE`KoQ*>kSLbi6rRcFxdF;ehM)$nVM)`JH5XuLHj(@W~-ktmY zHqEH5melnX;!E?St>DLJp=kLrw;LQyZis2#2RZQ|-fd~TgW zvG(f6+lo0@)0h>UnWuDA+c^y__Tj_x6(In-=|RU zQ@(@4iD}`q?gL;$LJQl%j>>k}>P5C3XgS@??qb5YCtW3V70QvuwE}h=lWN(rtgzGd zPCTCLP^1@;w(!fIXy4sBlTk<(f4 z_Hba646rcn*QeHPOL5>rGy0!guZruoD9zN+_V;9rz=i8U+n%2K^$LnFlv9{j`!8bJN|nFN9XOn;z+5`d6Va)2ZM zh>3s8k$;fkFp-5Xy*nxAUuLyHvlCsWY+i?tj+Evae>vkfgt=K{U5Jbf1jqDxK7`|^ zF148693(V7c{yd`Hx9C3$lh3aS;< z0y)#qG?n~in`)*rB@G^H9!??vB8C%TkJ*H z@q622UcgN2qQ>ckr#C30w}Q}DPQCUf22y;vS;pum-zu{Gfc6f*+lLdZ2`q6F>RdVj z_-tR7j#`@#QYY`O#S!sih3=&nJz6OHt~{Iz-4#*V1!p*yXxO$cuD=*rK6|-O(Is>0 z3Utg9=2AOKOQT~MId_H4F2JGKMRO^!!(g7{gZq++R9yP_#Z{bYk7;M4(|kUYf%aa1 zJs?D7kigs=kvg1iRh@3mo&Vwyd$dV|Bqh`5XIY#T9P)z(w;L9|@jVbuf%+9f9xW0l z-(3of)yug~5Gklq)$f!vYwYM;Ql79$TK4~z8QwsULV@^$gL_wvsVpzWN@<>-J58TF zzV3L&-*?c|ny*w?>AAL*QMQ&&=iBo1Hui9ujUip#7EIj~m$zqj;R@-CwyOIO_zkU7 z7^PKLJ~M&@(Iv~UHaW5dVE?1{YVhCVRR^Pc*(8t@!1YHUkcJ%n`%|d8mvXDFc?!Ktiy5m$*yd_W+t5J3RSp*`Y>k~CV zEI%+BSO!7N28g!-;w^xf2IZ&o&s8bYV2)oht1_i*PI!6EvOqt4abmP}*!#)sVflFg z4_wN({r_IQKTjD-0)-M3S7JA*YGQepJ_ho}hNM17{QMEZkw$@c85i}@Ha$`3T10DE zBU(GvmvD==Xg$^#P?udP4SgilekkRO$5T!^ntq!Q-V2|`c+8u|w?7mbzhIbkEpoqp zyam#Fo3<6MJ9JNHRac@tgp%;i_M(Y>fkHzti-pJ%uK&!YPat9JPU9K_YBSW`z;--N4Yv5L7|g2X=XM=NF>KL50_ZRm+%96XFl9quXCWe`Ga z&METF;=Ys!-sR8q-bn0iyz3`oNjNe$L+Z8kesjk@3>AhNbXjbNv0;1*xq=qzfk2$Da1IbjIuID(5K z3QZ6^enrp&Z^eeW4#ZwIFy`XvJ4||m?ISfv$0?DWgbyFCYC9VFpFZu) z_WaUz(qhYfEy_9eW+~T}3r44EGR{b32fa;#yqDarsQIkKcE5dCn439Q=z(f8e2aBW 
zynnR@J>0?Irc+}-Z+b+c$NQ?K%ox$vUGNb7n*@sVYpL)Y`vx}P)R!}>S@BQhsLCDI za0QJUH)JR62`w@F1&TtsN)dIM7Qxzh#O}mdPHkxBknjOdn@|7%*x_(!pF==S-yuD=^lINtbQZES$A literal 0 HcmV?d00001 diff --git a/verifier/testdata/timestamp/sigEnv/timestampBeforeNotBefore.sig b/verifier/testdata/timestamp/sigEnv/timestampBeforeNotBefore.sig new file mode 100644 index 00000000..266a3c2f --- /dev/null +++ b/verifier/testdata/timestamp/sigEnv/timestampBeforeNotBefore.sig @@ -0,0 +1 @@ +{"payload":"eyJ0YXJnZXRBcnRpZmFjdCI6eyJkaWdlc3QiOiJzaGEyNTY6YzA2NjllZjM0Y2RjMTQzMzJjMGYxYWIwYzJjMDFhY2I5MWQ5NjAxNGIxNzJmMWE3NmYzYTM5ZTYzZDFmMGJkYSIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuZGlzdHJpYnV0aW9uLm1hbmlmZXN0LnYyK2pzb24iLCJzaXplIjo1Mjh9fQ","protected":"eyJhbGciOiJQUzI1NiIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSI6Im5vdGFyeS54NTA5IiwiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1RpbWUiOiIyMDI0LTA2LTE5VDE3OjMwOjExKzA4OjAwIn0","header":{"io.cncf.notary.timestampSignature":"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","x5c":["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"],"io.cncf.notary.signingAgent":"Notation/1.0.0"},"signature":"pWbiEQRI4e_8nPV2AJPGNHg289WVwqnK7xqH6byLwXjc0hWrkniUSkIPLd3XDhGdpqLbqSLazU3cVTbSphV25aW1GS1G3Qsa3W3wzcwfq5ZhVDmuwO4u_322SAw01s3hVVxXciYK-9bTKkkfHfE_9ZKVSf7zEr28vyuQ92aZd85P-oz3YfvvnAxBGLYp-RPOQNSmtD2IxJWWTNLtwnnntBqr0WdGXS7wWSmUWzcKS9kNEAER1CN8L9SCh2mvBcNfDJlwCoLNaQZK_ZtBIrDQHmQjYkjSBupFTKp_TFic45j79AS7_-4sMdscJbZJzR9Tav7JInMhIKvh0mIfSfkIVQ"} \ No newline at end of file diff --git a/verifier/testdata/timestamp/sigEnvWithoutTimestamp.sig b/verifier/testdata/timestamp/sigEnv/withoutTimestamp.sig similarity index 100% rename from verifier/testdata/timestamp/sigEnvWithoutTimestamp.sig rename to verifier/testdata/timestamp/sigEnv/withoutTimestamp.sig 
diff --git a/verifier/testdata/truststore/x509/ca/valid-trust-store/TestTimestampNotYetValid.crt b/verifier/testdata/truststore/x509/ca/valid-trust-store/TestTimestampNotYetValid.crt new file mode 100644 index 00000000..b135a840 --- /dev/null +++ b/verifier/testdata/truststore/x509/ca/valid-trust-store/TestTimestampNotYetValid.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgICAKYwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3Rhcnkx +EDAOBgNVBAMTB3Rlc3RUU0EwIhgPMjA5OTA5MTgxMTU0MzRaGA8yMTAwMDkxODEx +NTQzNFowTzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0 +dGxlMQ8wDQYDVQQKEwZOb3RhcnkxEDAOBgNVBAMTB3Rlc3RUU0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI7xKl3GyBZregnHgxUw7rb3yO5jSo31Pa ++EhxghQ0/rRKc/1DtfMQURjDYDdjqRmEXq8rVyEAuaBXSKqBMq9bazP7Ot8N/B0O +gRCgXwizn//Ha5XfpHqV9lUud4oztdxapejfT6UQSIVqtgWEbZkr4N74G5NV13Ll +ITtWmHpTLo2LfE7jAXTaoCjo/U/eVFFc6X7jyXwaAVyNC2Pi45d/GOaFx/MGHnK6 +zbN8PeIh5KqInp0UNcHZLBbduxWQhdISULR/x6pVocqExv6zLmRbn5I65wrYL/8g +pQPTeZv4S2COpB+25Xy8oyaM6tPa96Pi1NIXtChWO8+muXj1Z4VfAgMBAAGjJzAl +MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAXFaaITvi3skq+czzmbyebtrAa8I9iEbjmWSPjoaUir2NYOLWsyQ7 ++gkBlMcw5+anP+BC98VBgNVjuQ5oXwdu57xouW7jk/dI5uuKLOFxFdCG7FwW3ycD +6GGgj+/2LthxNOxc7CnnMjUuSw2FKJKesiuHQJpdPjgw9cKs+fZF5tr6ZhX4yAUF +qouZJ7Hc5JSj3zyEpIbFapVpSAK8O1/mct4KDtt1SmyYn34o55ggyLurrlZ9ctQW +HT8xyjc6+b4lEKbilA+xjTt+/BLIs/v/8CVIUzz6OzTCwBraj3kayM7CdGKSysoc +nJZ/yUcHVw1hLs1+JIMj75i0T6s+GtuT4A== +-----END CERTIFICATE----- diff --git a/verifier/testdata/truststore/x509/tsa/test-mismatch/wabbit-networks.io.crt b/verifier/testdata/truststore/x509/tsa/test-mismatch/wabbit-networks.io.crt new file mode 100644 index 00000000..60028b63 --- /dev/null +++ b/verifier/testdata/truststore/x509/tsa/test-mismatch/wabbit-networks.io.crt 
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVjCCAj6gAwIBAgIBUTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEb
+MBkGA1UEAxMSd2FiYml0LW5ldHdvcmtzLmlvMB4XDTIzMDExOTA4MTkwN1oXDTMz
+MDExOTA4MTkwN1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQH
+EwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxGzAZBgNVBAMTEndhYmJpdC1uZXR3
+b3Jrcy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHhlP+SiY7h
+sGlf2mADOzJW/J9siqMkiQvSOx0OSM2yxetfVQL/abi4iqCXM6wkSxviBeNwIoYE
+s4thMA8NGEbnKoXktyh9vmiLB1FW7HHr4QLwjgLzgWJKIQTy1JmDBecXZh56d0f3
+w3Yj1IDTvkIScXCNI+5v/08GUQKhyBwv7Fq9MYpo2lfXSI7V33BKKddXIxPGVWwK
+GvPE0sg2VV7WM84ZZLdDKz2mq0PtPTHrSwg3hlK/mjn+blg3gsYQ4h9/7Z6nNaF9
+X0SdyESl841ZWrtMhAOFpIzLbz9ete8NRd3bYCRBIr5gscHWTf6lyUgy4xzsSwMH
+PsGLM4A+Z00CAwEAAaMnMCUwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
+AQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQAbN0Eru56uTQSC28ZTf8D7VyCkYrrW
+LYiJMYdOKBzzKV9mKaM0OGF2uyWwDaPxp9KTdLXmBp9EFq5SXXArFA+nRS7KinDA
+e2O7A/9Std2XjKi927rkA2cj239d5lRsjWXqJXf9vAMV9a2FjUM/in2Eevlq7bvj
+FE3l26VXCKtOs9ErmfxrL+6ETRKSVYOOG/rSHFv/SB2MlqDg5QsXC9lZjzL5/X/i
+oe2qZKhp6X5DPpad1q1Q4ItKdTN+2EXyMyoHn1BJKNba7CUUvXf03EJebT/Im+qo
+zfEksJeZJUSlSujANUPoCpsEYGWWQx5G+ViG05Sqs+6ppKrut+P+DVPo
+-----END CERTIFICATE-----
diff --git a/verifier/timestamp_test.go b/verifier/timestamp_test.go
index 8c1d3021..73479023 100644
--- a/verifier/timestamp_test.go
+++ b/verifier/timestamp_test.go
@@ -15,8 +15,11 @@ package verifier
 import (
 "context"
+ "crypto/x509"
+ "net/http"
 "os"
 "testing"
+ "time"
 "github.com/notaryproject/notation-core-go/signature"
 "github.com/notaryproject/notation-core-go/signature/cose"
@@ -27,6 +30,8 @@ import (
 "github.com/notaryproject/notation-go/verifier/truststore"
 )
+var revocationHttpClient = &http.Client{Timeout: 2 * time.Second}
+
 func TestAuthenticTimestamp(t *testing.T) {
 dir.UserConfigDir = "testdata"
 trustStore := truststore.NewX509TrustStore(dir.ConfigFS())
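Review bot: The package-level client added in the `@@ -27,6 +30,8 @@` hunk is a real `http.Client` whose only setting is a 2-second timeout, and the later hunks pass it to every `verifyAuthenticTimestamp` call, so these tests presumably perform live revocation lookups for the TSA certificate chain (the consuming code is in verifier.go, outside this hunk). That ties the results to network reachability, and if a timed-out lookup is handled as non-fatal, the "expected nil error" cases would pass without revocation having been checked. I would give the client a stub `http.RoundTripper` that serves canned responses, or at least document the dependency with `// revocationHTTPClient performs real network lookups; the timestamp tests need outbound access to the TSA's revocation endpoints.` The name should also follow Go's initialism rule: `var revocationHTTPClient = &http.Client{Timeout: 2 * time.Second}`.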
@@ -41,13 +46,13 @@ func TestAuthenticTimestamp(t *testing.T) {
 TrustedIdentities: []string{"*"},
 }
 // valid JWS signature envelope with timestamp countersignature
- jwsEnvContent, err := parseEnvContent("testdata/timestamp/jwsSigEnvWithTimestamp.sig", jws.MediaTypeEnvelope)
+ jwsEnvContent, err := parseEnvContent("testdata/timestamp/sigEnv/jwsWithTimestamp.sig", jws.MediaTypeEnvelope)
 if err != nil {
 t.Fatalf("failed to get signature envelope content: %v", err)
 }
 // valid COSE signature envelope with timestamp countersignature
- coseEnvContent, err := parseEnvContent("testdata/timestamp/coseSigEnvWithTimestamp.sig", cose.MediaTypeEnvelope)
+ coseEnvContent, err := parseEnvContent("testdata/timestamp/sigEnv/coseWithTimestamp.sig", cose.MediaTypeEnvelope)
 if err != nil {
 t.Fatalf("failed to get signature envelope content: %v", err)
 }
@@ -57,7 +62,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 EnvelopeContent: jwsEnvContent,
 VerificationLevel: trustpolicy.LevelStrict,
 }
- authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome)
+ authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient)
 if err := authenticTimestampResult.Error; err != nil {
 t.Fatalf("expected nil error, but got %s", err)
 }
@@ -68,14 +73,14 @@ func TestAuthenticTimestamp(t *testing.T) {
 EnvelopeContent: coseEnvContent,
 VerificationLevel: trustpolicy.LevelStrict,
 }
- authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome)
+ authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient)
 if err := authenticTimestampResult.Error; err != nil {
 t.Fatalf("expected nil error, but got %s", err)
 }
 })
 t.Run("verify Authentic Timestamp jws with expired codeSigning cert", func(t *testing.T) {
- jwsEnvContent, err := parseEnvContent("testdata/timestamp/jwsSigEnvExpiredWithTimestamp.sig", jws.MediaTypeEnvelope)
+ jwsEnvContent, err := parseEnvContent("testdata/timestamp/sigEnv/jwsExpiredWithTimestamp.sig", jws.MediaTypeEnvelope)
 if err != nil {
 t.Fatalf("failed to get signature envelope content: %v", err)
 }
@@ -83,14 +88,14 @@ func TestAuthenticTimestamp(t *testing.T) {
 EnvelopeContent: jwsEnvContent,
 VerificationLevel: trustpolicy.LevelStrict,
 }
- authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome)
+ authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient)
 if err := authenticTimestampResult.Error; err != nil {
 t.Fatalf("expected nil error, but got %s", err)
 }
 })
 t.Run("verify Authentic Timestamp cose with expired codeSigning cert", func(t *testing.T) {
- coseEnvContent, err := parseEnvContent("testdata/timestamp/coseSigEnvExpiredWithTimestamp.sig", cose.MediaTypeEnvelope)
+ coseEnvContent, err := parseEnvContent("testdata/timestamp/sigEnv/coseExpiredWithTimestamp.sig", cose.MediaTypeEnvelope)
 if err != nil {
 t.Fatalf("failed to get signature envelope content: %v", err)
 }
@@ -98,7 +103,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) if err := authenticTimestampResult.Error; err != nil { t.Fatalf("expected nil error, but got %s", err) } @@ -119,7 +124,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) if err := authenticTimestampResult.Error; err != nil { t.Fatalf("expected nil error, but got %s", err) } @@ -140,7 +145,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: jwsEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) expectedErrMsg := "failed to check tsa trust store configuration in turst policy with error: invalid trust policy statement: \"test-timestamp\" is missing separator in trust store value \"tsa\". The required format is :" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) 
@@ -158,7 +163,7 @@ func TestAuthenticTimestamp(t *testing.T) { TrustStores: []string{"ca:valid-trust-store"}, TrustedIdentities: []string{"*"}, } - coseEnvContent, err := parseEnvContent("testdata/timestamp/coseSigEnvExpiredWithTimestamp.sig", cose.MediaTypeEnvelope) + coseEnvContent, err := parseEnvContent("testdata/timestamp/sigEnv/coseExpiredWithTimestamp.sig", cose.MediaTypeEnvelope) if err != nil { t.Fatalf("failed to get signature envelope content: %v", err) } @@ -166,7 +171,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) expectedErrMsg := "verification time is after certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it was expired at \"Tue, 18 Jun 2024 07:30:31 +0000\"" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) @@ -174,7 +179,7 @@ func TestAuthenticTimestamp(t *testing.T) { }) t.Run("verify Authentic Timestamp failed due to missing timestamp countersignature", func(t *testing.T) { - envContent, err := parseEnvContent("testdata/timestamp/sigEnvWithoutTimestamp.sig", jws.MediaTypeEnvelope) + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope) if err != nil { t.Fatalf("failed to get signature envelope content: %v", err) } 
@@ -182,12 +187,238 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) expectedErrMsg := "no timestamp countersignature was found in the signature envelope" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) } }) + + t.Run("verify Authentic Timestamp failed due to invalid timestamp countersignature content type", func(t *testing.T) { + signedToken, err := os.ReadFile("testdata/timestamp/countersignature/TimeStampTokenWithInvalideContentType.p7s") + if err != nil { + t.Fatalf("failed to get signedToken: %v", err) + } + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope) + if err != nil { + t.Fatalf("failed to get signature envelope content: %v", err) + } + envContent.SignerInfo.UnsignedAttributes.TimestampSignature = signedToken + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: envContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "failed to parse timestamp countersignature with error: unexpected content type: 1.2.840.113549.1.7.1" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to invalid TSTInfo", func(t *testing.T) { + signedToken, err := os.ReadFile("testdata/timestamp/countersignature/TimeStampTokenWithInvalidTSTInfo.p7s") + if err != nil { + t.Fatalf("failed to get 
signedToken: %v", err) + } + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope) + if err != nil { + t.Fatalf("failed to get signature envelope content: %v", err) + } + envContent.SignerInfo.UnsignedAttributes.TimestampSignature = signedToken + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: envContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "failed to get the timestamp TSTInfo with error: cannot unmarshal TSTInfo from timestamp token: asn1: structure error: tags don't match (23 vs {class:0 tag:16 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:24 set:false omitEmpty:false} Time @89" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to failed to validate TSTInfo", func(t *testing.T) { + signedToken, err := os.ReadFile("testdata/timestamp/countersignature/TimeStampToken.p7s") + if err != nil { + t.Fatalf("failed to get signedToken: %v", err) + } + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope) + if err != nil { + t.Fatalf("failed to get signature envelope content: %v", err) + } + envContent.SignerInfo.UnsignedAttributes.TimestampSignature = signedToken + envContent.SignerInfo.Signature = []byte("mismatch") + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: envContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "failed to get timestamp from timestamp countersignature 
with error: invalid TSTInfo: mismatched message" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to failed to verify timestamp countersignature", func(t *testing.T) { + signedToken, err := os.ReadFile("testdata/timestamp/countersignature/TimeStampTokenWithoutCertificate.p7s") + if err != nil { + t.Fatalf("failed to get signedToken: %v", err) + } + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope) + if err != nil { + t.Fatalf("failed to get signature envelope content: %v", err) + } + envContent.SignerInfo.UnsignedAttributes.TimestampSignature = signedToken + envContent.SignerInfo.Signature = []byte("notation") + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: envContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "failed to verify the timestamp countersignature with error: failed to verify signed token: signing certificate not found in the timestamp token" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to failed to validate tsa cert chain", func(t *testing.T) { + signedToken, err := os.ReadFile("testdata/timestamp/countersignature/TimeStampTokenWithSHA1RootCert.p7s") + if err != nil { + t.Fatalf("failed to get signedToken: %v", err) + } + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope) + if err != nil { + t.Fatalf("failed to get signature envelope content: %v", err) + } + envContent.SignerInfo.UnsignedAttributes.TimestampSignature = signedToken + 
envContent.SignerInfo.Signature = []byte("notation") + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: envContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "failed to validate the timestamping certificate chain with error: root certificate with subject \"CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US\" is invalid or not self-signed. Certificate chain must end with a valid self-signed root certificate. Error: x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to trust store does not exist", func(t *testing.T) { + dummyTrustPolicy := &trustpolicy.TrustPolicy{ + Name: "test-timestamp", + RegistryScopes: []string{"*"}, + SignatureVerification: trustpolicy.SignatureVerification{ + VerificationLevel: trustpolicy.LevelStrict.Name, + VerifyTimestamp: trustpolicy.OptionAlways, + }, + TrustStores: []string{"ca:valid-trust-store", "tsa:does-not-exist"}, + TrustedIdentities: []string{"*"}, + } + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: coseEnvContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "failed to load tsa trust store with error: the trust store \"does-not-exist\" of type \"tsa\" does not exist" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to empty trust store", func(t 
*testing.T) { + dummyTrustPolicy := &trustpolicy.TrustPolicy{ + Name: "test-timestamp", + RegistryScopes: []string{"*"}, + SignatureVerification: trustpolicy.SignatureVerification{ + VerificationLevel: trustpolicy.LevelStrict.Name, + VerifyTimestamp: trustpolicy.OptionAlways, + }, + TrustStores: []string{"ca:valid-trust-store", "tsa:test-empty"}, + TrustedIdentities: []string{"*"}, + } + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: coseEnvContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, dummyTrustStore{}, outcome, revocationHttpClient) + expectedErrMsg := "no trusted TSA certificate found in trust store" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to tsa not trust", func(t *testing.T) { + dummyTrustPolicy := &trustpolicy.TrustPolicy{ + Name: "test-timestamp", + RegistryScopes: []string{"*"}, + SignatureVerification: trustpolicy.SignatureVerification{ + VerificationLevel: trustpolicy.LevelStrict.Name, + VerifyTimestamp: trustpolicy.OptionAlways, + }, + TrustStores: []string{"ca:valid-trust-store", "tsa:test-mismatch"}, + TrustedIdentities: []string{"*"}, + } + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: coseEnvContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to timestamp 
before signing cert not before", func(t *testing.T) { + dummyTrustPolicy := &trustpolicy.TrustPolicy{ + Name: "test-timestamp", + RegistryScopes: []string{"*"}, + SignatureVerification: trustpolicy.SignatureVerification{ + VerificationLevel: trustpolicy.LevelStrict.Name, + VerifyTimestamp: trustpolicy.OptionAlways, + }, + TrustStores: []string{"ca:valid-trust-store", "tsa:test-timestamp"}, + TrustedIdentities: []string{"*"}, + } + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/timestampBeforeNotBefore.sig", jws.MediaTypeEnvelope) + if err != nil { + t.Fatalf("failed to get signature envelope content: %v", err) + } + outcome := ¬ation.VerificationOutcome{ + EnvelopeContent: envContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "timestamp lower limit \"Wed, 19 Jun 2024 09:30:13 +0000\" is before certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it will be valid from \"Fri, 18 Sep 2099 11:54:34 +0000\"" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("verify Authentic Timestamp failed due to timestamp after signing cert not after", func(t *testing.T) { + dummyTrustPolicy := &trustpolicy.TrustPolicy{ + Name: "test-timestamp", + RegistryScopes: []string{"*"}, + SignatureVerification: trustpolicy.SignatureVerification{ + VerificationLevel: trustpolicy.LevelStrict.Name, + VerifyTimestamp: trustpolicy.OptionAlways, + }, + TrustStores: []string{"ca:valid-trust-store", "tsa:test-timestamp"}, + TrustedIdentities: []string{"*"}, + } + envContent, err := parseEnvContent("testdata/timestamp/sigEnv/timestampAfterNotAfter.sig", cose.MediaTypeEnvelope) + if err != nil { + t.Fatalf("failed to get signature envelope content: %v", err) + } + outcome := 
¬ation.VerificationOutcome{ + EnvelopeContent: envContent, + VerificationLevel: trustpolicy.LevelStrict, + } + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy, trustStore, outcome, revocationHttpClient) + expectedErrMsg := "timestamp upper limit \"Wed, 19 Jun 2024 09:35:59 +0000\" is after certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it was expired at \"Tue, 18 Sep 2001 11:54:34 +0000\"" + if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { + t.Fatalf("expected %s, but got %s", expectedErrMsg, err) + } + }) } func parseEnvContent(filepath, format string) (*signature.EnvelopeContent, error) { @@ -201,3 +432,9 @@ func parseEnvContent(filepath, format string) (*signature.EnvelopeContent, error } return sigEnv.Content() } + +type dummyTrustStore struct{} + +func (ts dummyTrustStore) GetCertificates(ctx context.Context, storeType truststore.Type, namedStore string) ([]*x509.Certificate, error) { + return nil, nil +} diff --git a/verifier/verifier.go b/verifier/verifier.go index f9315134..8973a85f 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go @@ -288,7 +288,7 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop // verify authentic timestamp logger.Debug("Validating authentic timestamp") - authenticTimestampResult := verifyAuthenticTimestamp(ctx, trustPolicy, v.trustStore, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(ctx, trustPolicy, v.trustStore, outcome, &http.Client{Timeout: 2 * time.Second}) outcome.VerificationResults = append(outcome.VerificationResults, authenticTimestampResult) logVerificationResult(logger, authenticTimestampResult) if isCriticalFailure(authenticTimestampResult) { 
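Review bot: The new negative cases for the invalid TSTInfo token and for the SHA-1 root certificate compare `err.Error()` against strings that embed Go standard-library text (`asn1: structure error: tags don't match ... Time @89` and `x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)`). A toolchain upgrade that rewords either message would fail these subtests even though the token is still rejected. Matching only the leading part, which appears to come from verifyAuthenticTimestamp itself, keeps the rejection pinned: `wantPrefix := "failed to validate the timestamping certificate chain with error: "` with `if err == nil || !strings.HasPrefix(err.Error(), wantPrefix) {`. This needs `strings` in the test file's imports, which are not visible in this hunk. TestAuthenticTimestamp starts before the hunk.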
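Review bot: `dummyTrustStore` carries no comment saying that it returns no certificates and no error for every store type, which is exactly what the "empty trust store" subtest depends on to reach `no trusted TSA certificate found in trust store`. I would add `// dummyTrustStore is a trust store stub whose GetCertificates always returns (nil, nil), i.e. a store that loads without error but holds no certificates.` above the type. A compile-time check, `var _ truststore.X509TrustStore = dummyTrustStore{}`, would also turn an interface change into a build error at the stub rather than at the call site.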
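Review bot: `&http.Client{Timeout: 2 * time.Second}` is now constructed inside processSignature, so the client used for the TSA revocation check and its timeout are fixed at this call site and cannot be supplied by whoever builds the verifier. Holding the client on the verifier and passing it here, for example `v.revocationTimestampClient` (a constructed field name), would let deployments with a proxy or slow OCSP/CRL responders configure it, and would let tests inject a stub transport at this level too. How a revocation fetch that hits the 2-second timeout is classified is decided outside this hunk, and is worth confirming for the strict verification level so that an unreachable responder does not quietly pass. processSignature starts and ends outside the hunk.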
@@ -516,7 +516,7 @@ func verifyExpiry(outcome *notation.VerificationOutcome) *notation.ValidationRes } } -func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore, outcome *notation.VerificationOutcome) *notation.ValidationResult { +func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore, outcome *notation.VerificationOutcome, revocationHttpClient *http.Client) *notation.ValidationResult { logger := log.GetLogger(ctx) // under signing scheme notary.x509 @@ -554,6 +554,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus // not performing any timestamp verification, signing cert chain MUST // be valid at time of verification if !performTimestampVerification { + logger.Info("Timestamp verification disabled") for _, cert := range signerInfo.CertificateChain { if timeStampLowerLimit.Before(cert.NotBefore) { return ¬ation.ValidationResult{ @@ -672,7 +673,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus logger.Info("Checking timestamping certificate chain revocation...") timeStampLowerLimit = ts.Add(-accuracy) timeStampUpperLimit = ts.Add(accuracy) - certResults, err := revocation.ValidateTimestampCertChain(tsaCertChain, timeStampUpperLimit, &http.Client{Timeout: 2 * time.Second}) + certResults, err := revocation.ValidateTimestampCertChain(tsaCertChain, timeStampUpperLimit, revocationHttpClient) if err != nil { return ¬ation.ValidationResult{ Error: fmt.Errorf("failed to check timestamping certificate chain revocation with error: %w", err),
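Review bot: The new parameter `revocationHttpClient` departs from Go's initialism convention (`revocationHTTPClient`), and the function states no nil contract for it. Whether `revocation.ValidateTimestampCertChain` tolerates a nil client is not visible here, so the signature should say so, e.g. `// revocationHTTPClient performs the TSA certificate chain revocation check; it must not be nil.` if that is the intended contract, or the function should substitute a client with a timeout when nil is passed. The rename would also apply to the call in the `@@ -672,7 +673,7 @@` hunk and to the test variable of the same name. The function body continues outside this hunk.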
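Review bot: The added `logger.Info("Timestamp verification disabled")` does not say why the branch was taken, and `performTimestampVerification` is computed outside this hunk. If the flag can be false for a reason other than the trust policy turning timestamping off, "disabled" will mislead anyone auditing verification logs. A message that states the consequence is safer, e.g. `logger.Info("Timestamp verification is not performed; signing certificate chain must be valid at verification time")`, ideally with the trust policy name if it is in scope at that point.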