From caaaa979c2ab104b3d250fed7f4ec98b93873672 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 5 Nov 2024 15:28:08 +0800
Subject: [PATCH 1/3] timestamping
Signed-off-by: Patrick Zheng
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../timestamp/testdata/TimeStampToken.p7s | Bin 6595 -> 0 bytes
 .../TimeStampTokenWithInvalidTSTInfo.p7s | Bin 6578 -> 0 bytes
 internal/timestamp/timestamp.go | 10 +--
 internal/timestamp/timestamp_test.go | 66 ++----------------
 6 files changed, 11 insertions(+), 71 deletions(-)
 delete mode 100644 internal/timestamp/testdata/TimeStampToken.p7s
 delete mode 100644 internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s
diff --git a/go.mod b/go.mod
index c37c7547..809cc9d0 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22
 require (
 github.com/fxamacker/cbor/v2 v2.7.0
 github.com/golang-jwt/jwt/v4 v4.5.1
- github.com/notaryproject/tspclient-go v0.2.0
+ github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c
 github.com/veraison/go-cose v1.3.0
 golang.org/x/crypto v0.28.0
 )
diff --git a/go.sum b/go.sum
index b97bd3e9..bc2a74a4 100644
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
 github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
-github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c h1:bX6gGxFw9+DShmYTgbD+vr6neF1SoXIMUU2fDgdLsfA=
+github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk=
 github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
diff --git a/internal/timestamp/testdata/TimeStampToken.p7s b/internal/timestamp/testdata/TimeStampToken.p7s deleted file mode 100644 index c036aac23cb9bcb4b30960ba940c41a1bdda1805..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6595 zcmc(jcUV)~vcQuN0-*$fNRtwfs+66CUX&uzu>jIUi1dyjbQBVlF1?5fL`6{qgoq#q z5LAjHf(U|$R8gdNkp6-m&*hZ&-SY1FUj9h3%B)#y_L}+49)QGM3xgks)QwzW2Gc>v zB<>P`#9ash)1X-ZW*FQqQWxw<1BHNTK>+b1jPci*@I7ECnb-m)z66Mk5HJ`9KL`Uu z!DI}C20;Ho4vLBpUG<=Uc1IkAST6_LJwrb@SBKpRv^>h<|WzJkbO}TEY<1QL3WO z2hu?EM&vX?Q1lf97Yhc!paCVc0$P^(4Ojs*R83^_JTt%q%?Q9@G-gm3J490(%?)tw zG#Hrn=y-Ua#d(;xI(wnK{H1(xXbC`UXNZOg^<&6)XUNn<1Lfq6M`<|tMl%lHL!}Z-?szsb23v;FNaY8l;q?vSSwCu zEC!IrD1L8Zto{}o03`6u-G`(;bs7>l5k&2eg^<8R&;a0iB_xyC>y~MmlC6WKA5>_| z*wy+syI#IczA>4%Vm4kdrP8u~_S!|wlwgeE>f$`_w=3Gmv2cDSjoq=URIR8COWNlm0p0cEb#f{_}op?HoH{CmK6uBr8asf zhtG?$UPLEDEd9r-)Tex2^YPaw1m$wJ6RS%uJiDlP;Y+qduqb&BRa!mt{(wj}*U1sj zPD6kputn- zq(YDT#8Ra55Mk<*9!A#cv})|*%uRa*igG~=6{k*1;-UL6oJj`V2g5~Z1wLaJzt*`N z2;wBqKxn`q@GTPf8uf`}0to7z;$s1Wx1mrP2wgb9vC|gWX)^%~FnX#>($dn=&;xus z{Rk)r6j^-1hZu-LN)*ipezOGiwA>MfBmjmx!zidWpap3B=Ez`vKo-FKTm%B<5OpCC ze0-H!Jx^SWpBiO zPbsV>9(n9Y8nI>~9ujR>7}jL-x}skAYE>54g~4iE8`n`H*?peOIc*a@$1^;-Q98hf zfr_)pU+jh-l`6kbr@mK+CkW@9SRN^Vbp zC~9~~a>4gw;^60I2mKHoR>KcBJ1gc!P6U5ZDiNgP9-NJ@Jm+&hc}g}n4xPhX-*`y= zpi@_!#yiS>J)w>#wlVVYR$UFp3l1ZUP2uHR%*j3H-sj4z$|l4_RE#V*>9;B*#n}Xp zAG-C4j!rF&8=13K>TEDkPN|^xPRY==F`PzNTE#i};P?@S{peghpS+ zGn(zMWrRG0#quGL6DgO$Wj2?ZzCG9Q>vM>oU$`S!* zN?!9SpLW|5iC+OxFqxKtImX`}I&D5UxDiwCcQcJaA%&ePzjRo+IR9>$W=GHU6KwPI z!CeO@a|}g#Jg+A&3V@I4Hcck3S{F>Noo2<`6;CRhOM7x!FUC;9bHQAN2V`FTBuQEm zM|wA~4I*ZQg3VGNpLO^Oi@a~9?~QF(_+UYMxevUgY9@GTD?~1+A&j#AzNjX9)r>*d zfq;uWm?>|2s%E}>a58jrbt0vc3KmN$STufsg&91_o1)&oDXnf3szca)Uzn&=F+`&P ze(EiRGO}~-qQyyXZ^92soRmki1FSnU7}y#9G2>?^&F;<}jG(Dk83X+I>|jI|O$E!Z z&A*pnB#6-N(|yMYgoTO|2m@rtEoLFZ!2Y$teM46X4R3JdMMje_?&4X+{v?DT>q(LRi)27zBqm*%gV;Txc121 zPz~XP#9tbYZOd!i&zIT^G}emVO6BJ4nMSu&$EtX_)kn`xXD)wS;36Aj@gkz~MTeqa 
zl0Rn+=PX_~JZxh#=E8>|Jz<%6#zo4TQx2(QT;2gWr*K zpi{6ZZA&vlWsb2lEbQnNM3h>v<3#(Zd(t)Q7HW?!t(jyQSrex41~-{W3fxR@?vGnN zond*GRe5;vnB3fTmJS8>lRYA`QyDYgoX6>(Bz(|#Lvico6782^r#A>%!NO8j*naMjbz0dYDDmdNTkud(Yk5JNlFHb^3P6F;3Ym(SL($!0WpPxNyDq!3}w1aHUXh(>R` zpcwT!%xdTU^7OFjt@r+rbPu=7%|fS_nV_E})(lE`I}`{Pd-$C0%lanrpAS8g(WS;+ zk~toKJlXSsdE|vX3ViN7$bp|Ylc3^EG!`a``iyHNI*(R+7z zFZQ6lmC8PRb9A_yx2tJ3?1i%l894M4B2*&n_=NP&HkC(0yLg28W30zh-48Dh$p65D z3?Ky@BukLRB1QgpJnV=_;pM5^@c?voLIo!F`^+f3TN3N}O)o%RJ0;~sdN{>wG3`bP7H>~htTxROd<^i0hR@;y@B1I71D z>MLX8WzYEXb5kb;w+=1m<|^?N7rvDVMwKoW7Vr&AA+y&q-1r(*n-_X`YfX&ubSy*D z>$NmiMTRB!Tp+G8r{$lYe*|B8Z--Yuo{s9&I`U+VoIZ-OEDvnVb1M*{=7O|3RJh3e zgv-3Trh4n9Q16(>xsBc7_g{kx_9sXFMYt#dm|bweC;?cs;t#x7{g+Yp&uEfP_tm%A zX>}6W9HP3yOg~qq%_vDK(`}rvRxOTrtdW96=6Q#W9cXDRiFR)&k7;kDY$IDwAO$D& z`}SEic12AaDer|%IXE$UrUX1QVpMp%ND z#%~H7c)LwSLJ(cT;yF5i{q)=GCVs@sSm)$(I zyr1%I_)>-M&Bt;D+Vg|i@;AIqW9RUvyriQWPG}z4n>Kx`K{4Z+v9T4S&H_wcF94`M zr||jCq#(WD#upsN;edBN$(a`!JUSspggWHZrqX)E{2Am8XbI!k)^y^K7bAuKA;qFyGz8vL9T2M}Jc$diPN7@`QOGAGp>+#jwH{M6E zv~LdptgDyWu)0glo(@RKV2fiN2K0Ij=?*;hh#o(2zUu!YO0fR{O0a(~O2A-{ zUg4RBhy|-xxC2I+`ge3X!}#$iu}9IoQtVcU)LcF8M9 zm4v6W@|Hmhmx*nJWv;xDA(yt9Fh@(xv1T)+>W&7{>2r!}-GVeM6~;Z*c5Yf_=izVc zaD4?+pfko8{y~aIjwDUe>c}6o{x89K3E)k`z#Kl-)g$9IHp3!=*Pg?%NQym zHdiRx#%l8AW8*MR4zt+W7x9T(dE%MNEj;Lju&VK66V+1A`(NZFS35K%zS!E)6l&t` zl$yI?H3#I-k5rxE~5Nmvv|%Xtv_o+Q8a$zC`7A?5}OUR6@DdcFl0wMI&|_r z6H&*uGgtSD;dN68J? 
zPDaiYqx3e4)c5MPL(n+xGmkT8iUKMet_IiIK4qV|c6OcFW6;!<;~vciud#^KbN-F4 zmq?sH0*NM|{_g~lzl;&Pto*$cKsBy`dT-tFf~^-!GbaXM_X z`xipxFCeMnJcf>?xjB~DT3=`Vh^8YUfrAgcJiKWn60l0z&l5%}%{>Y>*fJ(f8l^^r zJu1`e*FT!LIG;Kc@wiP+@cB!Zt=13EObS|(V#j7}j>f0=1zU*o$nf>Q1}SJHP95>= zHWAOfu;2{k-`gFVQP$CKD3)iq&)3&~ku&R=KrrHy6nzl`ujIDseKQ10@&);c=jM7( zhNPuJ?c$zmoM7Ld-MWHtPXpi08kNKfD65FPjZ|+{k&Fy{iIYM8GTm$DJ#cZF7H(7{ z{vO}jarU?)|3pe=1iI(pqh=k8!?tJ=jS3-52v*!Ctq)_5Nw;4^-@}SqkMXQj+7IXGF7cMWTG9+Z)>#8ytefgr$vecxc%``7;M?Vv zGl^#@Ba%{8T_s3UZ6}WO^3-eZaPleXuLi5%E@ZdWr?OH=lW#nQM-`xCKf@9vP@kS| z(KX^a7LBOb=hl#e8W{Joje@uAJ3VGVTHWqG9RD>uV&I;XQ{>fgDHQ7V*4AdW0j!?j z7;DOUT_{|2#a3i>=9sGG(8H3h8so+2-q!Z2I#5YMh)EhR+g1Di`mWP?$q9o)9$lE* F{{ssj24?^O 
diff --git a/internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s b/internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s deleted file mode 100644 index 153ea92f420c97b73ca803085d437cbf20b75c94..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6578 zcmc(jc|6qJ+s9|d7{)TfWXm#SEz5Ui>`PgaeJNy1O!i%4WG!ZtJ^PY`NlFPZiQI_F zQj#Si$(k0jgpmCib$9>V%k%mz&+mRc-+yMVbIx_P@3}tj^SuBPcNq+RAWAoCg&9l- zA(OcC0TOo(1Wbcw0hnQMhbUdJGYu31rUe1S=P<@!Tf+B%p=4q$l=uK3-iLs}F!(_j z7z!q1AT$8_4}MTor07?_Ty?&+hN4KwI`1%fK0>!pUHvgzeWLgq&z57Y5TrE>F&nKa z>Utm@v|vO|Cj`e_MgTO_j>(pV7JwO=5rD&JETAxUh^9808{phA7?}3xc=?{jd6~Jp z`k;KyO8Mi^5`frF6%7;WN0t9hmARP)%EcFt(r`M9^Ko=`LP?=?WXYtxP5=pJ0g#|- zWa>x|$R050sJrP+=`%aX`?>qLqO>%qvoO=uz$(gqpANv!$&5h*au@|bNlp%fwc%vOVgPxJ;&&5c^SA5) zKmr%+UL^G;(~!VPAZmFWgajsnMgaHAp;^p6*Uc-H?47Iwph8>5?!KQm34|Nxj&UK5 zq6FNee|hiR_v~fLwdukYi>cxnmG<@1ITtijLokM`Ul(}4UGAZFHq_&u#0MD#Mm(Z8)t zd&K9nkZ|?0pj_T|QeFA^#}^dOf5>$T5hc%~D(c2w9}vmqIzHjuYX~p|wM!jMoUvp) z9GqcVL{pB9#8j*2eXUH*VrMd~&MU6eFlM|Q+rHi;cqAELn-h$I~8K{GAMEQz?5IX8Nw9SnhWNi9G5R@*lergBIBvWf)_URp@c=SW0#7A zqI4nXn>A>l{iZM^5is1TMnSa!EkNV9xCQeAvH<31ClD})s2hRc=dUay6BrmM?fN~= zc7jRT(broB@9gL6?@sW=2g`hqOFnie1fc3e@=t#-7)p!;h!KF&&k_I}CAHHdwL@P= zf4@KW=!lbX^(Xk_9C7|`IBHC|$^u%yxk928es%SCb_~Ef|Jm8m8Bh3Q2hxss0wA!n z*8NZ}fFlAq#nIya@!fMvZ6$2s7xjl-PwJgBsXIVzAOKYc6ajg%EEy98{5q5)-s{if z{KXhvy90=-5;P_125oVAOX=NbRFQ8B`Yfr_)pU+9M)m8v@5 zsJ>T-Cm83NRmGOnW#S?!ZGONCR+4SJ8Bl62%HX!0D)vpahT9t;iW**&T=ajNH2S{H zNk3GF)$mP0Z}t4dv5*f+<$`qFqhAtg&iI{6nUT$pN9Qp&wH%T^=+f7y@rtrvPpIdi zeXM+fO<%KV@nM9qIlO9%Ic4C?>wI}t*~Hk$>WM`c{SJlXc)O6PL)YKY(W#|#BlFfO zTn#=~QL5>EQ!};g3}+G6Ht{b0IBj|Ts18RhZXcL3{HRhgp~au^lxFt}86huWu_6fM zSn4HkrQOBWZ%;G=hMW=>7BA0ER!75&>KWJph0_AoA0_aC?g2r`+=#6TC`e~eNM)z`FCA7cE4o#w*)wqU7~8@^NZ-NfJVTKI@2e?a z1;8e{tlvcM3(;@6WFHBUb7@|=CKlKzs8QD2^(c-wT zFX0Czj?1Ij0oI)s4D1a5Xz{a6*J=Y73uc-YQ% zx@zvFbEh_=xmty}8C`s~&ja)9xLfE{m4%RV8wjfrqQ_Xd7r!&k zxxegvVk?dhen=SMD%!e1VJ4@SQ_|Z*Ke%q)w4(IB)?j;NvFVf2Tw7sCZ;;ok3G>~@ 
z^-6xqsjOpjiT1;|OBaGxu%v<&wx4@qomTe96n$B)o-1oS>3yk9RFTUjmIgeWEwXyX zXY#5Y#Lz*t6Oshp#LuSA7qJa%vKdX^7JVNGDM45=!MkyJqA?p!DMo`%U$paod34zP z`s=fh3@?vMZ9*rPnV|0^)(pyddlU#42KZd=$oePop9?#c*{8-`o;8(Vn&N%eGV1&u z1wKz6gi55Hn2`QyQ+Xt`i$|D0YCWDBet3C6{s$gp04d-gS%NGUCGx-H zVaG)ZFHhx;7ofA_hk~jDhX7R=l=>I+AL4b_6_hF#Kj1PRGhpd@P}81R1ZVuEsaBlp zM4w^9;66IPmUTvWDM;A?E1=ZE;mNJ8CqmCZk+afQ$ehHVxe!&rIjqrOGFErz#cbpL zgqDk227859xsFT=JT5HhqI6C_KH2>$!ha_i`4*HH0HWfADlm*F8wP ztgg1j(DbB!{wd@Pe$Sb+elJ-v7pD{~(^I(azP*&K$Zhrb_OnzooH zY=AL^-ar4;wZ80*$#VvolIhZRG=+kDYM%6qcbT^zIddu$fp^#F}obm}Ky{>iZo2cf}V-v43?}g1c zxiF?iv>h4tPd8pHiVZgja-@ICX6mi!B4bn&EN*n1Cypngnwy9?-xOEpWGKk1<<_sJ z8rMv5d6j&n8VzfHIPQ&s-Q-`b`CNScLBm6mqiNR{uGorA1JvLl{pTn|0vDM}M1!t&K$=BjwvEz_!oDc{B~R{Iw`kSo?+ z7|oTx=4&1|k3Zof9n*YF^T^)x+3U@UnK{PBHjFxpFnPT|pze&q`yZnmkk_E)jFVflNn<{Y6#9EO7q~|SOxZcpy77zL=Ce2A zmv~sC{fG>=t_1MqDM!(Q@&+UNL{{I@=80Jwo>j7)TD@`YbtFso_6Webda)C$yVU0G zgp>@iGU+j(*K5vj;&DU-t1aD2XtOH4s;M39gNWunX5D=5Eop7xG9%M9$1Cx}<3s!E{*NfZ{s$<*{=FyxgF$*Fr?AC6 z6;6z~bgujQC#a6q+zKx9z3xR>(0y%qb$%H-wac#M9B`MTny3LRqr1M47Tn26YXiD)OQ*@w3+<2X6Y z*N&mccihUKAG=-0gPsbj8b2^ot>C=#K~8eDM^oa1y#q~&Chlg1r3Y4XL=GL*c1Ypi zo2ECyOU7&qRW;Q*Q?;m497i=7`%WshsP3LBID9`(1YC9!Ako-UZ>Ksxq?8c~qCQ|j zD>M4vrA2mfKmYue{%;B?uv@Yr>a_>tw=xt4>e*K+D9Xcsw~91IH* z;#g{oth&%9p0`PRmbJMw2ETC>qSZ=?%Z1ttKbJNbb08fZJAQ|WsN?4~P@&mV1kaJ}yy^T`!y}I2H zG>-e!gRHsIz-p%}Ar1DA*ynOiuQPj%n!9t{rg`Ht8JTwGY>WFv66X&g(FD~09TE9U zjo7uz-%|n9%{5RTY&0$2ddf7nl4-83SDOifYn0q$kBSnf!?t;TAk_Qe*bG$#(!*D2C2#N|DdCtOC2MMgfN|>n>qwm*EMf7-ys!H5V(+djZ zvxx?X<-5j%$e@X2fS3yquK>g>D2lyrvI({AZ7gPvPjLGfL~?d=9lXNLLUhhr4zFr& zSq1z7`$D__haKFN0*8{o5wC*P^|H(DTtjC)9de|<4P^1K+&N@(t)es3;ChpDv)%U9 zW@sE!Bg^*Ord}W`SIXk4oDv_*zU<=M0Dq&>fF#dZzFcbO6UWR;BoL`p>PYW1@cwI$tMkoNA_^SUkv0e4zPGrQXu!;d$Q#|GDDIIf{@ zW5sPJc~)v1$MbZTcq^VSX-1gz)`Pz`&J3#*9%5s>TvliB?Na-xq|=lMNvYbta-_Mo z3r9v(TFxt+d}_w?(Ylw5xt&dEtQ698m$&do1t>Ydup9|AWn@_OO}J0SAgcFyH0Pm4 zrhM$9;qCiQP8yI_xBCw#e2R!1xh>@qb!AElg}Sk|wV7)GYa%$unX_IMicnp#7g?P% sQMDesSKe1|{558%HALhpY0LlUassI20 
diff --git a/internal/timestamp/timestamp.go b/internal/timestamp/timestamp.go
index bfb4ce89..aeab45cb 100644
--- a/internal/timestamp/timestamp.go
+++ b/internal/timestamp/timestamp.go
@@ -43,16 +43,8 @@ func Timestamp(req *signature.SignRequest, opts tspclient.RequestOptions) ([]byt
 if err != nil {
 return nil, err
 }
- info, err := token.Info()
- if err != nil {
- return nil, err
- }
- timestamp, err := info.Validate(opts.Content)
- if err != nil {
- return nil, err
- }
 tsaCertChain, err := token.Verify(ctx, x509.VerifyOptions{
- CurrentTime: timestamp.Value,
+ CurrentTime: req.SigningTime,
 Roots: req.TSARootCAs,
 })
 if err != nil {
diff --git a/internal/timestamp/timestamp_test.go b/internal/timestamp/timestamp_test.go
index 6c1da88f..d091e7af 100644
--- a/internal/timestamp/timestamp_test.go
+++ b/internal/timestamp/timestamp_test.go
@@ -22,6 +22,7 @@ import (
 "os"
 "strings"
 "testing"
+ "time"
 
 "github.com/notaryproject/notation-core-go/signature"
 nx509 "github.com/notaryproject/notation-core-go/x509"
@@ -48,6 +49,7 @@ func TestTimestamp(t *testing.T) {
 req := &signature.SignRequest{
 Timestamper: timestamper,
 TSARootCAs: rootCAs,
+ SigningTime: time.Now(),
 }
 opts := tspclient.RequestOptions{
 Content: []byte("notation"),
@@ -70,11 +72,11 @@ func TestTimestamp(t *testing.T) {
 req = &signature.SignRequest{
 Timestamper: dummyTimestamper{},
 TSARootCAs: rootCAs,
+ SigningTime: time.Now(),
 }
 opts = tspclient.RequestOptions{
 Content: []byte("notation"),
 HashAlgorithm: crypto.SHA256,
- NoNonce: true,
 }
 expectedErr = "failed to timestamp"
 _, err = Timestamp(req, opts)
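Review bot: With `token.Info()` and `info.Validate(opts.Content)` gone, nothing left in this hunk checks that the returned token's TSTInfo actually covers `opts.Content` (message imprint and, where one was requested, the nonce) before the TSA chain is verified; the go.mod hunk moves tspclient-go to an untagged pseudo-version, so presumably that validation now happens inside the Timestamper or `token.Verify`, but the hunk does not show it. A comment above `token.Verify` recording where the check lives would stop the next reader from concluding it was dropped or re-adding it, e.g. `// TSTInfo (message imprint, nonce) is validated by the Timestamper; only the TSA chain is verified here.` — adjusted to the real location. The timestamp_test.go hunk at `@@ -86,47 +88,23 @@` deletes the `invalid TSTInfo: mismatched message` case, so this package no longer exercises that failure at all; a test that drives the new path with a mismatched `Content` and asserts the library's error would keep it covered. `Timestamp` itself starts and ends outside the hunk.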
@@ -86,47 +88,23 @@ func TestTimestamp(t *testing.T) {
 Timestamper: dummyTimestamper{
 respWithRejectedStatus: true,
 },
- TSARootCAs: rootCAs,
+ TSARootCAs: rootCAs,
+ SigningTime: time.Now(),
 }
 expectedErr = "invalid timestamping response: invalid response with status code 2: rejected"
 _, err = Timestamp(req, opts)
 assertErrorEqual(expectedErr, err, t)
 
- req = &signature.SignRequest{
- Timestamper: dummyTimestamper{
- invalidTSTInfo: true,
- },
- TSARootCAs: rootCAs,
- }
- expectedErr = "cannot unmarshal TSTInfo from timestamp token: asn1: structure error: tags don't match (23 vs {class:0 tag:16 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:24 set:false omitEmpty:false} Time @89"
- _, err = Timestamp(req, opts)
- assertErrorEqual(expectedErr, err, t)
-
- opts = tspclient.RequestOptions{
- Content: []byte("mismatch"),
- HashAlgorithm: crypto.SHA256,
- NoNonce: true,
- }
- req = &signature.SignRequest{
- Timestamper: dummyTimestamper{
- failValidate: true,
- },
- TSARootCAs: rootCAs,
- }
- expectedErr = "invalid TSTInfo: mismatched message"
- _, err = Timestamp(req, opts)
- assertErrorEqual(expectedErr, err, t)
-
 opts = tspclient.RequestOptions{
 Content: []byte("notation"),
 HashAlgorithm: crypto.SHA256,
- NoNonce: true,
 }
 req = &signature.SignRequest{
 Timestamper: dummyTimestamper{
 invalidSignature: true,
 },
- TSARootCAs: rootCAs,
+ TSARootCAs: rootCAs,
+ SigningTime: time.Now(),
 }
 expectedErr = "failed to verify signed token: cms verification failure: crypto/rsa: verification error"
 _, err = Timestamp(req, opts)
@@ -141,8 +119,6 @@ func assertErrorEqual(expected string, err error, t *testing.T) {
 
 type dummyTimestamper struct {
 respWithRejectedStatus bool
- invalidTSTInfo bool
- failValidate bool
 invalidSignature bool
 }
 
@@ -154,34 +130,6 @@ func (d dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspcl
 },
 }, nil
 }
- if d.invalidTSTInfo {
- token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidTSTInfo.p7s")
- if err != nil {
- return nil, err
- }
- return &tspclient.Response{
- Status: pki.StatusInfo{
- Status: pki.StatusGranted,
- },
- TimestampToken: asn1.RawValue{
- FullBytes: token,
- },
- }, nil
- }
- if d.failValidate {
- token, err := os.ReadFile("testdata/TimeStampToken.p7s")
- if err != nil {
- return nil, err
- }
- return &tspclient.Response{
- Status: pki.StatusInfo{
- Status: pki.StatusGranted,
- },
- TimestampToken: asn1.RawValue{
- FullBytes: token,
- },
- }, nil
- }
 if d.invalidSignature {
 token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidSignature.p7s")
 if err != nil {
From e7d6a7d4aacea63e1ad6149e91cf0d6e8346d344 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 5 Nov 2024 17:39:27 +0800
Subject: [PATCH 2/3] fixed tests
Signed-off-by: Patrick Zheng
---
 internal/timestamp/timestamp_test.go | 15 +++++++++++++++
 signature/cose/envelope_test.go | 14 +++++++++-----
 signature/jws/envelope_test.go | 14 +++++++++-----
 3 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/internal/timestamp/timestamp_test.go b/internal/timestamp/timestamp_test.go
index d091e7af..92dff0f8 100644
--- a/internal/timestamp/timestamp_test.go
+++ b/internal/timestamp/timestamp_test.go
@@ -109,6 +109,21 @@ func TestTimestamp(t *testing.T) {
 expectedErr = "failed to verify signed token: cms verification failure: crypto/rsa: verification error"
 _, err = Timestamp(req, opts)
 assertErrorEqual(expectedErr, err, t)
+
+ req = &signature.SignRequest{
+ Timestamper: timestamper,
+ TSARootCAs: rootCAs,
+ SigningTime: time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC),
+ }
+ opts = tspclient.RequestOptions{
+ Content: []byte("notation"),
+ HashAlgorithm: crypto.SHA256,
+ }
+ expectedErr = "failed to verify signed token: cms verification failure: x509: certificate has expired or is not yet valid: current time 2009-11-10T23:00:00Z"
+ _, err = Timestamp(req, opts)
+ if err == nil || !strings.Contains(err.Error(), expectedErr) {
+ t.Fatalf("expected error to include %s, but got %s", expectedErr, err)
+ }
 }
 
 func assertErrorEqual(expected string, err error, t *testing.T) {
diff --git a/signature/cose/envelope_test.go b/signature/cose/envelope_test.go
index b9f2c11c..c1e9f545 100644
--- a/signature/cose/envelope_test.go
+++ b/signature/cose/envelope_test.go
@@ -14,6 +14,7 @@
 package cose
 
 import (
+ "context"
 "crypto"
 "crypto/x509"
 "errors"
@@ -341,11 +342,8 @@ func TestSignErrors(t *testing.T) {
 if err != nil {
 t.Fatalf("getSignRequest() failed. Error = %v", err)
 }
- signRequest.Timestamper, err = tspclient.NewHTTPTimestamper(nil, "invalid")
- if err != nil {
- t.Fatal(err)
- }
- expected := errors.New("timestamp: Post \"invalid\": unsupported protocol scheme \"\"")
+ signRequest.Timestamper = &dummyTimestamper{}
+ expected := errors.New("timestamp: failed to timestamp")
 encoded, err := env.Sign(signRequest)
 if !isErrEqual(expected, err) {
 t.Fatalf("Sign() expects error: %v, but got: %v.", expected, err)
@@ -1101,3 +1099,9 @@ func generateTestRawMessage(raw cbor.RawMessage, label string, unmarshalError bo
 
 return resRaw
 }
+
+type dummyTimestamper tspclient.Timestamp
+
+func (dts *dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) {
+ return nil, errors.New("failed to timestamp")
+}
diff --git a/signature/jws/envelope_test.go b/signature/jws/envelope_test.go
index 4d765165..6075e5f6 100644
--- a/signature/jws/envelope_test.go
+++ b/signature/jws/envelope_test.go
@@ -14,6 +14,7 @@
 package jws
 
 import (
+ "context"
 "crypto"
 "crypto/ecdsa"
 "crypto/rand"
@@ -266,11 +267,8 @@ func TestSignFailed(t *testing.T) {
 signReq, err := getSignReq(signature.SigningSchemeX509, signer, nil)
 checkNoError(t, err)
 
- signReq.Timestamper, err = tspclient.NewHTTPTimestamper(nil, "invalid")
- if err != nil {
- t.Fatal(err)
- }
- expected := errors.New("timestamp: Post \"invalid\": unsupported protocol scheme \"\"")
+ signReq.Timestamper = &dummyTimestamper{}
+ expected := errors.New("timestamp: failed to timestamp")
 encoded, err := env.Sign(signReq)
 if !isErrEqual(expected, err) {
 t.Fatalf("Sign() expects error: %v, but got: %v.", expected, err)
@@ -687,3 +685,9 @@ func isErrEqual(wanted, got error) bool {
 }
 return false
 }
+
+type dummyTimestamper tspclient.Timestamp
+
+func (dts *dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) {
+ return nil, errors.New("failed to timestamp")
+}
From 5fa7538ad30c0c3be5ea8c184d0384d6f0bab13d Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 6 Nov 2024 14:20:05 +0800
Subject: [PATCH 3/3] update
Signed-off-by: Patrick Zheng
---
 internal/timestamp/timestamp.go | 3 +--
 internal/timestamp/timestamp_test.go | 24 ++----------------------
 2 files changed, 3 insertions(+), 24 deletions(-)
diff --git a/internal/timestamp/timestamp.go b/internal/timestamp/timestamp.go
index aeab45cb..40f9551d 100644
--- a/internal/timestamp/timestamp.go
+++ b/internal/timestamp/timestamp.go
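Review bot: `type dummyTimestamper tspclient.Timestamp` builds the test double on top of what looks like the library's timestamp value type rather than on an empty struct — the first patch in this series reads `timestamp.Value` from the result of `info.Validate`, so `tspclient.Timestamp` presumably carries a timestamp value that this stub never uses, and its name is easy to confuse with the `tspclient.Timestamper` interface the stub is there to satisfy. `type dummyTimestamper struct{}` states the intent directly, and the unused receiver name can go: `func (*dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) {`. A one-line doc comment such as `// dummyTimestamper always fails, so Sign's timestamping error path can be exercised without a network.` would also explain why the `tspclient.NewHTTPTimestamper(nil, "invalid")` setup was replaced. The same two declarations appear in the `signature/jws/envelope_test.go` hunk at `@@ -687,3 +685,9 @@`.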
@@ -44,8 +44,7 @@ func Timestamp(req *signature.SignRequest, opts tspclient.RequestOptions) ([]byt
 return nil, err
 }
 tsaCertChain, err := token.Verify(ctx, x509.VerifyOptions{
- CurrentTime: req.SigningTime,
- Roots: req.TSARootCAs,
+ Roots: req.TSARootCAs,
 })
 if err != nil {
 return nil, err
diff --git a/internal/timestamp/timestamp_test.go b/internal/timestamp/timestamp_test.go
index 92dff0f8..59fa1615 100644
--- a/internal/timestamp/timestamp_test.go
+++ b/internal/timestamp/timestamp_test.go
@@ -22,7 +22,6 @@ import (
 "os"
 "strings"
 "testing"
- "time"
 
 "github.com/notaryproject/notation-core-go/signature"
 nx509 "github.com/notaryproject/notation-core-go/x509"
@@ -49,7 +48,6 @@ func TestTimestamp(t *testing.T) {
 req := &signature.SignRequest{
 Timestamper: timestamper,
 TSARootCAs: rootCAs,
- SigningTime: time.Now(),
 }
 opts := tspclient.RequestOptions{
 Content: []byte("notation"),
@@ -72,7 +70,6 @@ func TestTimestamp(t *testing.T) {
 req = &signature.SignRequest{
 Timestamper: dummyTimestamper{},
 TSARootCAs: rootCAs,
- SigningTime: time.Now(),
 }
 opts = tspclient.RequestOptions{
 Content: []byte("notation"),
@@ -88,8 +85,7 @@ func TestTimestamp(t *testing.T) {
 Timestamper: dummyTimestamper{
 respWithRejectedStatus: true,
 },
- TSARootCAs: rootCAs,
- SigningTime: time.Now(),
+ TSARootCAs: rootCAs,
 }
 expectedErr = "invalid timestamping response: invalid response with status code 2: rejected"
 _, err = Timestamp(req, opts)
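Review bot: Dropping `CurrentTime` makes `token.Verify` check the TSA chain at crypto/x509's default for a zero `CurrentTime`, the current time, and the hunk leaves no trace of why that is acceptable here or how it differs from the earlier patches' `timestamp.Value` and `req.SigningTime` choices. It is defensible at signing time because the token has just been obtained from the TSA, so its generation time and the present are expected to coincide, but the reasoning belongs next to the call so a later verification-side caller does not copy the omission; e.g. above `token.Verify`: `// CurrentTime is deliberately left zero: the token was just issued, so checking the TSA chain at the current time is effectively the same as checking it at the token's genTime.` `Timestamp` begins and ends outside this hunk.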
@@ -103,27 +99,11 @@ func TestTimestamp(t *testing.T) {
 Timestamper: dummyTimestamper{
 invalidSignature: true,
 },
- TSARootCAs: rootCAs,
- SigningTime: time.Now(),
+ TSARootCAs: rootCAs,
 }
 expectedErr = "failed to verify signed token: cms verification failure: crypto/rsa: verification error"
 _, err = Timestamp(req, opts)
 assertErrorEqual(expectedErr, err, t)
-
- req = &signature.SignRequest{
- Timestamper: timestamper,
- TSARootCAs: rootCAs,
- SigningTime: time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC),
- }
- opts = tspclient.RequestOptions{
- Content: []byte("notation"),
- HashAlgorithm: crypto.SHA256,
- }
- expectedErr = "failed to verify signed token: cms verification failure: x509: certificate has expired or is not yet valid: current time 2009-11-10T23:00:00Z"
- _, err = Timestamp(req, opts)
- if err == nil || !strings.Contains(err.Error(), expectedErr) {
- t.Fatalf("expected error to include %s, but got %s", expectedErr, err)
- }
 }
 
 func assertErrorEqual(expected string, err error, t *testing.T) {