From d7a03968d75f38809c66959a85d50de9d3d86ba2 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 17 Apr 2024 16:57:55 +0800
Subject: [PATCH] timestamp trust policy

Signed-off-by: Patrick Zheng
---
 verifier/trustpolicy/trustpolicy.go | 3 ++-
 verifier/verifier.go | 16 ++++++++--------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/verifier/trustpolicy/trustpolicy.go b/verifier/trustpolicy/trustpolicy.go
index dc1b1efb..e5297e78 100644
--- a/verifier/trustpolicy/trustpolicy.go
+++ b/verifier/trustpolicy/trustpolicy.go
@@ -180,7 +180,8 @@ type SignatureVerification struct {
 // TimestampVerification represents timestamp countersignature verification
 // configuration in a trust policy
 type TimestampVerification struct {
- AtTimestampedTime bool `json:"atTimestampedTime"`
+ Enable bool `json:"enable,omitempty"`
+ ExpiryRelaxed bool `json:"expiryRelaxed,omitempty"`
 }
 
 // Validate validates a policy document according to its version's rule set.
diff --git a/verifier/verifier.go b/verifier/verifier.go
index eb0e6a44..92866c06 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
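Review bot: The new `Enable` and `ExpiryRelaxed` fields on TimestampVerification carry no doc comments, so a policy author has to read verifier.go to learn that one gates the whole authentic-timestamp step and the other changes which instant the TSA certificate chain is validated at. Suggest `// Enable turns on timestamp countersignature verification; the field is omitempty, so the default is disabled.` and `// ExpiryRelaxed validates the TSA certificate chain at the timestamped time instead of the current time, so a TSA chain that has since expired is still accepted.` ExpiryRelaxed has no effect unless Enable is true, so Validate (declared right after the hunk, body not shown) could reject a policy that sets ExpiryRelaxed without Enable rather than letting it be silently ignored.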
@@ -521,16 +521,16 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 
 // under signing scheme notary.x509
 if signerInfo := outcome.EnvelopeContent.SignerInfo; signerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509 {
- var needTimestamp bool
+ var requireTimestampVerification bool
 for _, cert := range signerInfo.CertificateChain {
 if time.Now().Before(cert.NotBefore) || time.Now().After(cert.NotAfter) {
 // found at least one cert that current time is not in its
- // validity period; need timestamp to continue this step
- needTimestamp = true
+ // validity period; require timestamp to continue this step
+ requireTimestampVerification = true
 break
 }
 }
- if !needTimestamp { // this step is a success
+ if !requireTimestampVerification { // this step is a success
 return ¬ation.ValidationResult{
 Type: trustpolicy.TypeAuthenticTimestamp,
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
@@ -544,10 +544,10 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 }
 }
- if trustPolicy.TimestampVerification == nil {
- // if there is no timestamp verification configuration in trust policy
+ if trustPolicy.TimestampVerification == nil || !trustPolicy.TimestampVerification.Enable {
+ // if timestamp verification is disabled in trust policy
 return ¬ation.ValidationResult{
- Error: errors.New("current time is not in certificate chain validity period and no timestamp verification configuration was found in trust policy"),
+ Error: errors.New("current time is not in certificate chain validity period and timestamp verification is disabled in trust policy"),
 Type: trustpolicy.TypeAuthenticTimestamp,
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 }
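Review bot: `time.Now()` is evaluated twice in the loop condition on the context line `if time.Now().Before(cert.NotBefore) || time.Now().After(cert.NotAfter) {`, so the two bounds of each certificate are compared against slightly different instants; since this loop is what decides the renamed requireTimestampVerification flag, hoist `now := time.Now()` before the `for` and compare against `now` in both places. This is pre-existing context rather than new code, but the commit is already editing the surrounding lines. verifyAuthenticTimestamp starts and ends outside the hunk.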
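Review bot: The new guard `if trustPolicy.TimestampVerification == nil || !trustPolicy.TimestampVerification.Enable {` means a policy file written against the previous schema, whose block only had `atTimestampedTime`, now decodes with Enable=false and silently switches timestamp verification off, because encoding/json drops unknown keys unless the loader sets DisallowUnknownFields (not visible here). Signatures whose chain has expired then hit this error path, or are merely logged depending on the enforcement action, with no hint that the policy schema changed. Consider having policy validation reject the removed key, or at least point the operator at the new field in the message, e.g. `Error: errors.New("current time is not in certificate chain validity period and timestamp verification is disabled in trust policy (enable is false or unset)"),`. verifyAuthenticTimestamp continues outside the hunk.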
@@ -600,7 +600,7 @@ func verifyAuthenticTimestamp(ctx context.Context, trustPolicy *trustpolicy.Trus
 Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeAuthenticTimestamp],
 }
 }
- if trustPolicy.TimestampVerification.AtTimestampedTime {
+ if trustPolicy.TimestampVerification.ExpiryRelaxed {
 timestampVerifyOpts.CurrentTime = ts
 }
 // verify the timestamp countersignature
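Review bot: The renamed branch `if trustPolicy.TimestampVerification.ExpiryRelaxed {` sets `timestampVerifyOpts.CurrentTime = ts` with no comment on what is being relaxed, and the field name alone does not tell a reader that the TSA certificate chain is then judged at the timestamped time rather than now, i.e. a TSA chain that expired after countersigning is accepted. Suggest `// ExpiryRelaxed: evaluate the TSA certificate chain's validity at the timestamped time (ts) instead of time.Now(), so a TSA chain that has since expired still passes.` A debug log line when this path is taken would also make it visible in verification output that the relaxed mode was applied. ts is assigned outside the hunk, so I am assuming it is the time carried by the timestamp token; verifyAuthenticTimestamp continues outside the hunk.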