build cert chain from tsa token

Signed-off-by: Patrick Zheng <[email protected]>
Two-Hearts · Jun 11, 2024 · ee0b91b · ee0b91b
1 parent 6b29b3d
commit ee0b91b
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 19 deletions.
diff --git a/go.mod b/go.mod
@@ -25,6 +25,6 @@ require (
 	golang.org/x/sync v0.6.0 // indirect
 )
 
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240611053818-29d77ead8420
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d
 
 replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4
diff --git a/go.sum b/go.sum
@@ -1,7 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240611053818-29d77ead8420 h1:csyLPcBqLKcgEqyqjEsbCplRxcMk9P1oHuP3ECzitwk=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240611053818-29d77ead8420/go.mod h1:uk5VrENYWqPdnnBOZCEk1XEfilOscHJckfhaWzuMJlU=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d h1:Jang//VKYgXC2lxp7E2YaTk+FpsAmUSEs9NVrNBrAHE=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240611085403-02dce641a74d/go.mod h1:uk5VrENYWqPdnnBOZCEk1XEfilOscHJckfhaWzuMJlU=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4 h1:WCm4ObRL++IM3gVexV7evDbhzk2c4iAZYJmlTWIBOnQ=
 github.com/Two-Hearts/tspclient-go v0.0.0-20240604030442-e5d82db3a4d4/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=

diff --git a/signer/signer.go b/signer/signer.go
@@ -144,14 +144,9 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 		return nil, nil, err
 	}
 
-	var timestampErr *signature.TimestampError
 	sig, err := sigEnv.Sign(signReq)
 	if err != nil {
-		if !errors.As(err, &timestampErr) {
-			return nil, nil, err
-		}
-		// warn on timestamping error, but do not fail the signing process
-		logger.Warnf("Failed to timestamp the signature. Error: %v", timestampErr)
+		return nil, nil, err
 	}
 
 	envContent, err := sigEnv.Verify()

diff --git a/verifier/verifier.go b/verifier/verifier.go
@@ -612,7 +612,16 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 			}
 		}
-		roots := x509.NewCertPool()
+		tsaCertChain, err := signedToken.Verify(ctx, x509.VerifyOptions{
+			CurrentTime: ts,
+		})
+		if err != nil {
+			return &notation.ValidationResult{
+				Error:  fmt.Errorf("failed to verify the timestamp countersignature with error: %w", err),
+				Type:   trustpolicy.TypeAuthenticTimestamp,
+				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
+			}
+		}
 		trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, trustPolicy, x509TrustStore)
 		if err != nil {
 			return &notation.ValidationResult{
@@ -623,21 +632,26 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 		}
 		if len(trustTSACerts) < 1 {
 			return &notation.ValidationResult{
-				Error:  errors.New("no TSA root cert found in trust store"),
+				Error:  errors.New("no trusted TSA certificate found in trust store"),
 				Type:   trustpolicy.TypeAuthenticTimestamp,
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 			}
 		}
-		for _, cert := range trustTSACerts {
-			roots.AddCert(cert)
+		var foundTrustedCert bool
+		for _, trust := range trustTSACerts {
+			for _, cert := range tsaCertChain {
+				if trust.Equal(cert) {
+					foundTrustedCert = true
+					break
+				}
+			}
+			if foundTrustedCert {
+				break
+			}
 		}
-		tsaCertChain, err := signedToken.Verify(ctx, x509.VerifyOptions{
-			Roots:       roots,
-			CurrentTime: ts,
-		})
-		if err != nil {
+		if !foundTrustedCert {
 			return &notation.ValidationResult{
-				Error:  fmt.Errorf("failed to verify the timestamp countersignature with error: %w", err),
+				Error:  errors.New("failed to verify the timestamp countersignature with error: tsa certificate chain does not contain trusted certificate in trust store"),
 				Type:   trustpolicy.TypeAuthenticTimestamp,
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 			}