diff --git a/go.mod b/go.mod
index c37c7547..809cc9d0 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22
 require (
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/golang-jwt/jwt/v4 v4.5.1
-	github.com/notaryproject/tspclient-go v0.2.0
+	github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c
 	github.com/veraison/go-cose v1.3.0
 	golang.org/x/crypto v0.28.0
 )
diff --git a/go.sum b/go.sum
index b97bd3e9..bc2a74a4 100644
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
 github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
-github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c h1:bX6gGxFw9+DShmYTgbD+vr6neF1SoXIMUU2fDgdLsfA=
+github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk=
 github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
diff --git a/internal/timestamp/testdata/TimeStampToken.p7s b/internal/timestamp/testdata/TimeStampToken.p7s
deleted file mode 100644
index c036aac2..00000000
Binary files a/internal/timestamp/testdata/TimeStampToken.p7s and /dev/null differ
diff --git a/internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s b/internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s
deleted file mode 100644
index 153ea92f..00000000
Binary files a/internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s and /dev/null differ
diff --git a/internal/timestamp/timestamp.go b/internal/timestamp/timestamp.go
index bfb4ce89..40f9551d 100644
--- a/internal/timestamp/timestamp.go
+++ b/internal/timestamp/timestamp.go
@@ -43,17 +43,8 @@ func Timestamp(req *signature.SignRequest, opts tspclient.RequestOptions) ([]byt
 	if err != nil {
 		return nil, err
 	}
-	info, err := token.Info()
-	if err != nil {
-		return nil, err
-	}
-	timestamp, err := info.Validate(opts.Content)
-	if err != nil {
-		return nil, err
-	}
 	tsaCertChain, err := token.Verify(ctx, x509.VerifyOptions{
-		CurrentTime: timestamp.Value,
-		Roots:       req.TSARootCAs,
+		Roots: req.TSARootCAs,
 	})
 	if err != nil {
 		return nil, err
diff --git a/internal/timestamp/timestamp_test.go b/internal/timestamp/timestamp_test.go
index 6c1da88f..59fa1615 100644
--- a/internal/timestamp/timestamp_test.go
+++ b/internal/timestamp/timestamp_test.go
@@ -74,7 +74,6 @@ func TestTimestamp(t *testing.T) {
 	opts = tspclient.RequestOptions{
 		Content:       []byte("notation"),
 		HashAlgorithm: crypto.SHA256,
-		NoNonce:       true,
 	}
 	expectedErr = "failed to timestamp"
 	_, err = Timestamp(req, opts)
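Review bot: With `info.Validate(opts.Content)` and `CurrentTime: timestamp.Value` removed, nothing left in this hunk checks that the token's TSTInfo message imprint matches `opts.Content` or that the TSA chain is evaluated at the token's generation time rather than at the library's default; the diff pins tspclient-go to an untagged pseudo-version, so I assume the pinned `token.Verify` now performs both, but that cannot be confirmed from these lines. Because those two checks are what bind the returned countersignature to the signature bytes and keep an expired TSA chain from being rejected wholesale, the reliance is worth stating at the call site so a later dependency change does not silently weaken it. Suggested comment above the `token.Verify` call: `// NOTE(review): relies on token.Verify in the pinned tspclient-go to validate the TSTInfo against opts.Content and to verify the TSA chain at the token's generation time; do not set CurrentTime here — confirm against the library before bumping it again.` Timestamp begins and ends outside this hunk.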
@@ -92,35 +91,9 @@ func TestTimestamp(t *testing.T) {
 	_, err = Timestamp(req, opts)
 	assertErrorEqual(expectedErr, err, t)
 
-	req = &signature.SignRequest{
-		Timestamper: dummyTimestamper{
-			invalidTSTInfo: true,
-		},
-		TSARootCAs: rootCAs,
-	}
-	expectedErr = "cannot unmarshal TSTInfo from timestamp token: asn1: structure error: tags don't match (23 vs {class:0 tag:16 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:24 set:false omitEmpty:false} Time @89"
-	_, err = Timestamp(req, opts)
-	assertErrorEqual(expectedErr, err, t)
-
-	opts = tspclient.RequestOptions{
-		Content:       []byte("mismatch"),
-		HashAlgorithm: crypto.SHA256,
-		NoNonce:       true,
-	}
-	req = &signature.SignRequest{
-		Timestamper: dummyTimestamper{
-			failValidate: true,
-		},
-		TSARootCAs: rootCAs,
-	}
-	expectedErr = "invalid TSTInfo: mismatched message"
-	_, err = Timestamp(req, opts)
-	assertErrorEqual(expectedErr, err, t)
-
 	opts = tspclient.RequestOptions{
 		Content:       []byte("notation"),
 		HashAlgorithm: crypto.SHA256,
-		NoNonce:       true,
 	}
 	req = &signature.SignRequest{
 		Timestamper: dummyTimestamper{
@@ -141,8 +114,6 @@ func assertErrorEqual(expected string, err error, t *testing.T) {
 
 type dummyTimestamper struct {
 	respWithRejectedStatus bool
-	invalidTSTInfo         bool
-	failValidate           bool
 	invalidSignature       bool
 }
 
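Review bot: After this removal TestTimestamp no longer has a case where a granted response carries a TSTInfo that is unparsable or whose message imprint does not match `opts.Content`, and the two testdata tokens those cases used are deleted earlier in the diff; even if those rejections now come from the library, the package is left with no test proving that `Timestamp` surfaces them to its callers. Keeping one mismatched-content case — a granted token with `Content` set to something other than what it stamped, asserting a non-nil error rather than the old library-specific message — would pin that behavior independently of how tspclient-go's error strings evolve. TestTimestamp begins and ends outside this hunk.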
@@ -154,34 +125,6 @@ func (d dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspcl
 			},
 		},
 	}, nil
-	if d.invalidTSTInfo {
-		token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidTSTInfo.p7s")
-		if err != nil {
-			return nil, err
-		}
-		return &tspclient.Response{
-			Status: pki.StatusInfo{
-				Status: pki.StatusGranted,
-			},
-			TimestampToken: asn1.RawValue{
-				FullBytes: token,
-			},
-		}, nil
-	}
-	if d.failValidate {
-		token, err := os.ReadFile("testdata/TimeStampToken.p7s")
-		if err != nil {
-			return nil, err
-		}
-		return &tspclient.Response{
-			Status: pki.StatusInfo{
-				Status: pki.StatusGranted,
-			},
-			TimestampToken: asn1.RawValue{
-				FullBytes: token,
-			},
-		}, nil
-	}
 	if d.invalidSignature {
 		token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidSignature.p7s")
 		if err != nil {
diff --git a/signature/cose/envelope_test.go b/signature/cose/envelope_test.go
index b9f2c11c..c1e9f545 100644
--- a/signature/cose/envelope_test.go
+++ b/signature/cose/envelope_test.go
@@ -14,6 +14,7 @@ package cose
 
 import (
+	"context"
 	"crypto"
 	"crypto/x509"
 	"errors"
@@ -341,11 +342,8 @@ func TestSignErrors(t *testing.T) {
 	if err != nil {
 		t.Fatalf("getSignRequest() failed. Error = %v", err)
 	}
-	signRequest.Timestamper, err = tspclient.NewHTTPTimestamper(nil, "invalid")
-	if err != nil {
-		t.Fatal(err)
-	}
-	expected := errors.New("timestamp: Post \"invalid\": unsupported protocol scheme \"\"")
+	signRequest.Timestamper = &dummyTimestamper{}
+	expected := errors.New("timestamp: failed to timestamp")
 	encoded, err := env.Sign(signRequest)
 	if !isErrEqual(expected, err) {
 		t.Fatalf("Sign() expects error: %v, but got: %v.", expected, err)
@@ -1101,3 +1099,9 @@ func generateTestRawMessage(raw cbor.RawMessage, label string, unmarshalError bo
 	return resRaw
 }
+
+type dummyTimestamper tspclient.Timestamp
+
+func (dts *dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) {
+	return nil, errors.New("failed to timestamp")
+}
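Review bot: The new stub at the end of signature/cose/envelope_test.go declares `type dummyTimestamper tspclient.Timestamp`, borrowing the library's `Timestamp` type as its underlying type even though the only method never reads a field of it; that couples the test to the layout of a type it does not use and reads as if the stub were a timestamp value rather than a Timestamper. An empty struct says what it is, and the receiver name `dts` is unused and can be dropped: `type dummyTimestamper struct{}` and `func (*dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) {`. A one-line doc comment, `// dummyTimestamper is a Timestamper stub whose Timestamp always fails, used to exercise Sign's timestamping error path.`, would also help, since the file's other helpers are documented. The identical stub added at the end of signature/jws/envelope_test.go has the same issue.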
diff --git a/signature/jws/envelope_test.go b/signature/jws/envelope_test.go
index 4d765165..6075e5f6 100644
--- a/signature/jws/envelope_test.go
+++ b/signature/jws/envelope_test.go
@@ -14,6 +14,7 @@ package jws
 
 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/rand"
@@ -266,11 +267,8 @@ func TestSignFailed(t *testing.T) {
 	signReq, err := getSignReq(signature.SigningSchemeX509, signer, nil)
 	checkNoError(t, err)
 
-	signReq.Timestamper, err = tspclient.NewHTTPTimestamper(nil, "invalid")
-	if err != nil {
-		t.Fatal(err)
-	}
-	expected := errors.New("timestamp: Post \"invalid\": unsupported protocol scheme \"\"")
+	signReq.Timestamper = &dummyTimestamper{}
+	expected := errors.New("timestamp: failed to timestamp")
 	encoded, err := env.Sign(signReq)
 	if !isErrEqual(expected, err) {
 		t.Fatalf("Sign() expects error: %v, but got: %v.", expected, err)
@@ -687,3 +685,9 @@ func isErrEqual(wanted, got error) bool {
 	}
 	return false
 }
+
+type dummyTimestamper tspclient.Timestamp
+
+func (dts *dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) {
+	return nil, errors.New("failed to timestamp")
+}