updated timestamping
Signed-off-by: Patrick Zheng <[email protected]>
Two-Hearts committed Jun 4, 2024
1 parent c5ececc commit d8f19cf
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions verifier/verifier.go
@@ -521,7 +521,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus

// under signing scheme notary.x509
if signerInfo := outcome.EnvelopeContent.SignerInfo; signerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509 {
logger.Info("under signing scheme notary.x509...")
logger.Info("Under signing scheme notary.x509...")
performTimestampVerification := true
timeStampLowerLimit := time.Now()
timeStampUpperLimit := timeStampLowerLimit
@@ -666,7 +666,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
finalResult, problematicCertSubject := revocationFinalResult(certResults, tsaCertChain, logger)
switch finalResult {
case revocationresult.ResultOK:
logger.Debug("no verification impacting errors encountered while checking timestamping certificate chain revocation, status is OK")
logger.Debug("No verification impacting errors encountered while checking timestamping certificate chain revocation, status is OK")
case revocationresult.ResultRevoked:
return &notation.ValidationResult{
Error: fmt.Errorf("timestamping certificate with subject %q is revoked", problematicCertSubject),
@@ -683,7 +683,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
}
// 5. Check the timestamp against the signing certificate chain
logger.Info("Checking the timestamp against the signing certificate chain...")
logger.Infof("timestamp range: [%v, %v]", timeStampLowerLimit, timeStampUpperLimit)
logger.Infof("Timestamp range: [%v, %v]", timeStampLowerLimit, timeStampUpperLimit)
for _, cert := range signerInfo.CertificateChain {
if timeStampLowerLimit.Before(cert.NotBefore) {
return &notation.ValidationResult{
@@ -702,7 +702,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
}
} else if signerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
// under signing scheme notary.x509.signingAuthority
logger.Info("under signing scheme notary.x509.signingAuthority...")
logger.Info("Under signing scheme notary.x509.signingAuthority...")
authenticSigningTime := signerInfo.SignedAttributes.SigningTime
for _, cert := range signerInfo.CertificateChain {
if authenticSigningTime.Before(cert.NotBefore) || authenticSigningTime.After(cert.NotAfter) {
@@ -733,12 +733,12 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca

authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
if err != nil {
logger.Debugf("not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
logger.Debugf("Not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
authenticSigningTime = time.Time{}
}
certResults, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime)
if err != nil {
logger.Debug("error while checking revocation status, err: %s", err.Error())
logger.Debug("Error while checking revocation status, err: %s", err.Error())
return &notation.ValidationResult{
Type: trustpolicy.TypeRevocation,
Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation],
@@ -753,7 +753,7 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
finalResult, problematicCertSubject := revocationFinalResult(certResults, outcome.EnvelopeContent.SignerInfo.CertificateChain, logger)
switch finalResult {
case revocationresult.ResultOK:
logger.Debug("no verification impacting errors encountered while checking revocation, status is OK")
logger.Debug("No verification impacting errors encountered while checking revocation, status is OK")
case revocationresult.ResultRevoked:
result.Error = fmt.Errorf("signing certificate with subject %q is revoked", problematicCertSubject)
default:
@@ -774,7 +774,7 @@ func revocationFinalResult(certResults []*revocationresult.CertRevocationResult,
var revokedCertSubject string
for i := len(certResults) - 1; i >= 0; i-- {
if len(certResults[i].ServerResults) > 0 && certResults[i].ServerResults[0].Error != nil {
logger.Debugf("error for certificate #%d in chain with subject %v for server %q: %v", (i + 1), certChain[i].Subject.String(), certResults[i].ServerResults[0].Server, certResults[i].ServerResults[0].Error)
logger.Debugf("Error for certificate #%d in chain with subject %v for server %q: %v", (i + 1), certChain[i].Subject.String(), certResults[i].ServerResults[0].Server, certResults[i].ServerResults[0].Error)
}

if certResults[i].Result == revocationresult.ResultOK || certResults[i].Result == revocationresult.ResultNonRevokable {
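Review bot: In the `verifyRevocation` hunk, the error path after `r.Validate` still calls `logger.Debug` with a `%s` verb and a trailing argument, unlike the `Debugf` calls around it. If `Debug` is the Print-style variant (the logger interface is not visible here, so this is inferred from the `Debug`/`Debugf`/`Infof` split used in the same file), the verb is never expanded and the revocation error is logged next to a literal `%s`. Since this commit already rewrites that line, it could become `logger.Debugf("Error while checking revocation status, err: %v", err)`. This is the message an operator relies on when a revocation check fails, so it should render correctly. `verifyRevocation` starts and ends outside the visible hunks.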
