feat: Timestamp

signer/signer.go

@@ -122,8 +122,12 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 		SigningTime:   time.Now(),
 		SigningScheme: signature.SigningSchemeX509,
 		SigningAgent:  signingAgentId,
-		Timestamper:   opts.Timestamper,
-		TSARootCAs:    opts.TSARootCAs,
+	}
+	if opts.Timestamper != nil && opts.TSARootCAs != nil {
+		signReq.Timestamper = opts.Timestamper
+		signReq.TSARootCAs = opts.TSARootCAs
+	} else if opts.Timestamper != nil || opts.TSARootCAs != nil {
+		return nil, nil, errors.New("timestamping: both Timestamper and TSARootCAs must be provided")
 	}
 
 	// Add expiry only if ExpiryDuration is not zero

signer/signer_test.go

@@ -227,6 +227,36 @@ func TestSignWithTimestamping(t *testing.T) {
 			})
 		}
 	}
+
+	// timestamping without timestamper
+	envelopeType := signature.RegisteredEnvelopeTypes()[0]
+	keyCert := keyCertPairCollections[0]
+	s, err := New(keyCert.key, keyCert.certs)
+	if err != nil {
+		t.Fatalf("NewSigner() error = %v", err)
+	}
+	ctx := context.Background()
+	desc, sOpts := generateSigningContent()
+	sOpts.SignatureMediaType = envelopeType
+	sOpts.TSARootCAs = x509.NewCertPool()
+	_, _, err = s.Sign(ctx, desc, sOpts)
+	expectedErrMsg := "timestamping: both Timestamper and TSARootCAs must be provided"
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+	}
+
+	// timestamping without TSARootCAs
+	desc, sOpts = generateSigningContent()
+	sOpts.SignatureMediaType = envelopeType
+	sOpts.Timestamper, err = tspclient.NewHTTPTimestamper(nil, rfc3161URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, _, err = s.Sign(ctx, desc, sOpts)
+	expectedErrMsg = "timestamping: both Timestamper and TSARootCAs must be provided"
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+	}
 }
 
 func TestSignBlobWithCertChain(t *testing.T) {

verifier/verifier.go

@@ -132,9 +132,9 @@
 	revocationTimestampClient := verifierOptions.RevocationTimestampClient
 	if revocationTimestampClient == nil {
 		var err error
-		revocationTimestampClient, err = revocation.NewTimestamp(&http.Client{Timeout: 5 * time.Second})
+		revocationTimestampClient, err = revocation.NewTimestamp(&http.Client{Timeout: 2 * time.Second})
 		if err != nil {
 			return nil, err
 		}
 	}
 
@@ -210,13 +210,13 @@
 	logger := log.GetLogger(ctx)
 	logger.Debugf("Verify signature of media type %v", opts.SignatureMediaType)
 	if v.blobTrustPolicyDoc == nil {
 		return nil, errors.New("blobTrustPolicyDoc is nil")
 	}
 
 	var trustPolicy *trustpolicy.BlobTrustPolicy
 	var err error
 	if opts.TrustPolicyName == "" {
 		trustPolicy, err = v.blobTrustPolicyDoc.GetGlobalTrustPolicy()
 	} else {
 		trustPolicy, err = v.blobTrustPolicyDoc.GetApplicableTrustPolicy(opts.TrustPolicyName)
 	}
@@ -298,7 +298,7 @@
 
 	logger.Debugf("Verify signature against artifact %v referenced as %s in signature media type %v", desc.Digest, artifactRef, envelopeMediaType)
 	if v.ociTrustPolicyDoc == nil {
 		return nil, errors.New("ociTrustPolicyDoc is nil")
 	}
 
 	trustPolicy, err := v.ociTrustPolicyDoc.GetApplicableTrustPolicy(artifactRef)
@@ -684,7 +684,7 @@
 	signerInfo := outcome.EnvelopeContent.SignerInfo
 	// under signing scheme notary.x509
 	if signerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509 {
-		logger.Info("Under signing scheme notary.x509...")
+		logger.Debug("Under signing scheme notary.x509...")
 		return &notation.ValidationResult{
 			Error:  verifyTimestamp(ctx, policyName, trustStores, signatureVerification, x509TrustStore, r, outcome),
 			Type:   trustpolicy.TypeAuthenticTimestamp,
@@ -693,14 +693,14 @@
 	}
 
 	// under signing scheme notary.x509.signingAuthority
-	logger.Info("Under signing scheme notary.x509.signingAuthority...")
+	logger.Debug("Under signing scheme notary.x509.signingAuthority...")
 	authenticSigningTime := signerInfo.SignedAttributes.SigningTime
 	for _, cert := range signerInfo.CertificateChain {
 		if authenticSigningTime.Before(cert.NotBefore) || authenticSigningTime.After(cert.NotAfter) {
 			return &notation.ValidationResult{
 				Error:  fmt.Errorf("certificate %q was not valid when the digital signature was produced at %q", cert.Subject, authenticSigningTime.Format(time.RFC1123Z)),
 				Type:   trustpolicy.TypeAuthenticTimestamp,
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 			}
 		}
 	}
@@ -930,8 +930,8 @@
 		var expired bool
 		for _, cert := range signerInfo.CertificateChain {
 			if timeOfVerification.After(cert.NotAfter) {
 				expired = true
 				break
 			}
 		}
 		if !expired {
@@ -945,7 +945,7 @@
 	if !performTimestampVerification {
 		for _, cert := range signerInfo.CertificateChain {
 			if timeOfVerification.Before(cert.NotBefore) {
 				return fmt.Errorf("verification time is before certificate %q validity period, it will be valid from %q", cert.Subject, cert.NotBefore.Format(time.RFC1123Z))
 			}
 			if timeOfVerification.After(cert.NotAfter) {
 				return fmt.Errorf("verification time is after certificate %q validity period, it was expired at %q", cert.Subject, cert.NotAfter.Format(time.RFC1123Z))
@@ -957,14 +957,16 @@
 	}
 
 	// Performing timestamp verification
+	logger.Info("Performing timestamp verification...")
+
 	// 1. Timestamp countersignature MUST be present
-	logger.Info("Checking timestamp countersignature existence...")
+	logger.Debug("Checking timestamp countersignature existence...")
 	if len(signerInfo.UnsignedAttributes.TimestampSignature) == 0 {
 		return errors.New("no timestamp countersignature was found in the signature envelope")
 	}
 
 	// 2. Verify the timestamp countersignature
-	logger.Info("Verifying the timestamp countersignature...")
+	logger.Debug("Verifying the timestamp countersignature...")
 	signedToken, err := tspclient.ParseSignedToken(signerInfo.UnsignedAttributes.TimestampSignature)
 	if err != nil {
 		return fmt.Errorf("failed to parse timestamp countersignature with error: %w", err)
@@ -973,6 +975,10 @@
 	if err != nil {
 		return fmt.Errorf("failed to get the timestamp TSTInfo with error: %w", err)
 	}
+	timestamp, err := info.Validate(signerInfo.Signature)
+	if err != nil {
+		return fmt.Errorf("failed to get timestamp from timestamp countersignature with error: %w", err)
+	}
 	trustTSACerts, err := loadX509TSATrustStores(ctx, outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme, policyName, trustStores, x509TrustStore)
 	if err != nil {
 		return fmt.Errorf("failed to load tsa trust store with error: %w", err)
@@ -984,10 +990,6 @@
 	for _, trustedCerts := range trustTSACerts {
 		rootCertPool.AddCert(trustedCerts)
 	}
-	timestamp, err := info.Validate(signerInfo.Signature)
-	if err != nil {
-		return fmt.Errorf("failed to get timestamp from timestamp countersignature with error: %w", err)
-	}
 	tsaCertChain, err := signedToken.Verify(ctx, x509.VerifyOptions{
 		CurrentTime: timestamp.Value,
 		Roots:       rootCertPool,
@@ -997,41 +999,41 @@
 	}
 
 	// 3. Validate timestamping certificate chain
-	logger.Info("Validating timestamping certificate chain...")
+	logger.Debug("Validating timestamping certificate chain...")
 	if err := nx509.ValidateTimestampingCertChain(tsaCertChain); err != nil {
 		return fmt.Errorf("failed to validate the timestamping certificate chain with error: %w", err)
 	}
 	logger.Info("TSA identity is: ", tsaCertChain[0].Subject)
 
-	// 4. Perform the timestamping certificate chain revocation check
-	logger.Info("Checking timestamping certificate chain revocation...")
+	// 4. Check the timestamp against the signing certificate chain
+	logger.Debug("Checking the timestamp against the signing certificate chain...")
+	logger.Debugf("Timestamp range: [%v, %v]", timestamp.Value.Add(-timestamp.Accuracy), timestamp.Value.Add(timestamp.Accuracy))
+	for _, cert := range signerInfo.CertificateChain {
+		if !timestamp.BoundedAfter(cert.NotBefore) {
+			return fmt.Errorf("timestamp can be before certificate %q validity period, it will be valid from %q", cert.Subject, cert.NotBefore.Format(time.RFC1123Z))
+		}
+		if !timestamp.BoundedBefore(cert.NotAfter) {
+			return fmt.Errorf("timestamp can be after certificate %q validity period, it was expired at %q", cert.Subject, cert.NotAfter.Format(time.RFC1123Z))
+		}
+	}
+
+	// 5. Perform the timestamping certificate chain revocation check
+	logger.Debug("Checking timestamping certificate chain revocation...")
 	certResults, err := r.Validate(tsaCertChain, time.Time{})
 	if err != nil {
 		return fmt.Errorf("failed to check timestamping certificate chain revocation with error: %w", err)
 	}
 	finalResult, problematicCertSubject := revocationFinalResult(certResults, tsaCertChain, logger)
 	switch finalResult {
 	case revocationresult.ResultOK:
 		logger.Debug("No verification impacting errors encountered while checking timestamping certificate chain revocation, status is OK")
 	case revocationresult.ResultRevoked:
 		return fmt.Errorf("timestamping certificate with subject %q is revoked", problematicCertSubject)
 	default:
 		// revocationresult.ResultUnknown
 		return fmt.Errorf("timestamping certificate with subject %q revocation status is unknown", problematicCertSubject)
 	}
 
-	// 5. Check the timestamp against the signing certificate chain
-	logger.Info("Checking the timestamp against the signing certificate chain...")
-	logger.Infof("Timestamp range: [%v, %v]", timestamp.Value.Add(-timestamp.Accuracy), timestamp.Value.Add(timestamp.Accuracy))
-	for _, cert := range signerInfo.CertificateChain {
-		if !timestamp.BoundedAfter(cert.NotBefore) {
-			return fmt.Errorf("timestamp can be before certificate %q validity period, it will be valid from %q", cert.Subject, cert.NotBefore.Format(time.RFC1123Z))
-		}
-		if !timestamp.BoundedBefore(cert.NotAfter) {
-			return fmt.Errorf("timestamp can be after certificate %q validity period, it was expired at %q", cert.Subject, cert.NotAfter.Format(time.RFC1123Z))
-		}
-	}
-
 	// success
 	return nil
 }