timestamp trust policy

Signed-off-by: Patrick Zheng <[email protected]>
Two-Hearts · Apr 17, 2024 · d7a0396 · d7a0396
1 parent 90424bd
commit d7a0396
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/verifier/trustpolicy/trustpolicy.go b/verifier/trustpolicy/trustpolicy.go
@@ -180,7 +180,8 @@ type SignatureVerification struct {
 // TimestampVerification represents timestamp countersignature verification
 // configuration in a trust policy
 type TimestampVerification struct {
-	AtTimestampedTime bool `json:"atTimestampedTime"`
+	Enable        bool `json:"enable,omitempty"`
+	ExpiryRelaxed bool `json:"expiryRelaxed,omitempty"`
 }
 
 // Validate validates a policy document according to its version's rule set.

diff --git a/verifier/verifier.go b/verifier/verifier.go
@@ -521,16 +521,16 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 
 	// under signing scheme notary.x509
 	if signerInfo := outcome.EnvelopeContent.SignerInfo; signerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509 {
-		var needTimestamp bool
+		var requireTimestampVerification bool
 		for _, cert := range signerInfo.CertificateChain {
 			if time.Now().Before(cert.NotBefore) || time.Now().After(cert.NotAfter) {
 				// found at least one cert that current time is not in its
-				// validity period; need timestamp to continue this step
-				needTimestamp = true
+				// validity period; require timestamp to continue this step
+				requireTimestampVerification = true
 				break
 			}
 		}
-		if !needTimestamp { // this step is a success
+		if !requireTimestampVerification { // this step is a success
 			return &notation.ValidationResult{
 				Type:   trustpolicy.TypeAuthenticTimestamp,
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
@@ -544,10 +544,10 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 			}
 		}
-		if trustPolicy.TimestampVerification == nil {
-			// if there is no timestamp verification configuration in trust policy
+		if trustPolicy.TimestampVerification == nil || !trustPolicy.TimestampVerification.Enable {
+			// if timestamp verification is disabled in trust policy
 			return &notation.ValidationResult{
-				Error:  errors.New("current time is not in certificate chain validity period and no timestamp verification configuration was found in trust policy"),
+				Error:  errors.New("current time is not in certificate chain validity period and timestamp verification is disabled in trust policy"),
 				Type:   trustpolicy.TypeAuthenticTimestamp,
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 			}
@@ -600,7 +600,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 				Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 			}
 		}
-		if trustPolicy.TimestampVerification.AtTimestampedTime {
+		if trustPolicy.TimestampVerification.ExpiryRelaxed {
 			timestampVerifyOpts.CurrentTime = ts
 		}
 		// verify the timestamp countersignature