feat: Timestamp

go.mod

@@ -5,8 +5,11 @@ go 1.21
 require (
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe
 	github.com/veraison/go-cose v1.1.0
 	golang.org/x/crypto v0.24.0
 )
 
 require github.com/x448/float16 v0.8.4 // indirect
+
+replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172

go.sum

@@ -1,3 +1,5 @@
+github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 h1:ME+WMRNcucfmJ9Le8eCtdV1gR3Xc8ve6Ab/cPnN/z48=
+github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=

internal/oid/oid.go

@@ -0,0 +1,31 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oid
+
+import "encoding/asn1"
+
+// KeyUsage (id-ce-keyUsage) is defined in RFC 5280
+//
+// Reference: https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.3
+var KeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
+
+// ExtKeyUsage (id-ce-extKeyUsage) is defined in RFC 5280
+//
+// Reference: https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.12
+var ExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
+
+// Timestamping (id-kp-timeStamping) is defined in RFC 3161 2.3
+//
+// Reference: https://datatracker.ietf.org/doc/html/rfc3161#section-2.3
+var Timestamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}

internal/timestamp/timestamp.go

@@ -0,0 +1,60 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package timestamp provides functionalities of timestamp countersignature
+package timestamp
+
+import (
+	"context"
+	"crypto/x509"
+	"time"
+
+	nx509 "github.com/notaryproject/notation-core-go/x509"
+	"github.com/notaryproject/tspclient-go"
+)
+
+// Timestamp generates a timestamp request and sends to TSA. It then validates
+// the TSA certificate chain against Notary Project certificate and signature
+// algorithm requirements.
+// On success, it returns the full bytes of the timestamp token received from
+// TSA.
+//
+// Reference: https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signature-specification.md#leaf-certificates
+func Timestamp(ctx context.Context, tsaURL string, signingTime *time.Time, tsaRootCAs *x509.CertPool, opts tspclient.RequestOptions) ([]byte, error) {
+	tsaRequest, err := tspclient.NewRequest(opts)
+	if err != nil {
+		return nil, err
+	}
+	httpTimestamper, err := tspclient.NewHTTPTimestamper(nil, tsaURL)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := httpTimestamper.Timestamp(ctx, tsaRequest)
+	if err != nil {
+		return nil, err
+	}
+	token, err := resp.SignedToken()
+	if err != nil {
+		return nil, err
+	}
+	tsaCertChain, err := token.Verify(ctx, x509.VerifyOptions{
+		Roots: tsaRootCAs,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if err := nx509.ValidateTimestampingCertChain(tsaCertChain, signingTime); err != nil {
+		return nil, err
+	}
+	return resp.TimestampToken.FullBytes, nil
+}

internal/timestamp/timestamp_test.go

@@ -0,0 +1,223 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package timestamp
+
+import (
+	"context"
+	"crypto"
+	"crypto/x509"
+	"encoding/asn1"
+	"encoding/hex"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	nx509 "github.com/notaryproject/notation-core-go/x509"
+	"github.com/notaryproject/tspclient-go"
+	"github.com/notaryproject/tspclient-go/pki"
+)
+
+const rfc3161TSAurl = "http://rfc3161timestamp.globalsign.com/advanced"
+
+func TestTimestamp(t *testing.T) {
+	ctx := context.Background()
+	testResp, err := os.ReadFile("testdata/granted.tsq")
+	if err != nil {
+		t.Fatal("failed to read test response:", err)
+	}
+	rootCerts, err := nx509.ReadCertificateFile("testdata/tsaRootCert.crt")
+	if err != nil || len(rootCerts) == 0 {
+		t.Fatal("failed to read root CA certificate:", err)
+	}
+	rootCert := rootCerts[0]
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(rootCert)
+
+	// --------------- Success case ----------------------------------
+	opts := tspclient.RequestOptions{
+		Content:                 []byte("notation"),
+		HashAlgorithm:           crypto.SHA256,
+		HashAlgorithmParameters: asn1.NullRawValue,
+	}
+	_, err = Timestamp(ctx, rfc3161TSAurl, nil, rootCAs, opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// ------------- Failure cases ------------------------
+	opts = tspclient.RequestOptions{
+		Content:       []byte("notation"),
+		HashAlgorithm: crypto.SHA1,
+	}
+	expectedErr := "malformed timestamping request: unsupported hashing algorithm: SHA-1"
+	_, err = Timestamp(ctx, "", nil, rootCAs, opts)
+	assertErrorEqual(expectedErr, err, t)
+
+	opts = tspclient.RequestOptions{
+		Content:                 []byte("notation"),
+		HashAlgorithm:           crypto.SHA256,
+		HashAlgorithmParameters: asn1.NullRawValue,
+	}
+	bs, err := hex.DecodeString("7f")
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedErr = "parse \"http://\\x7f\": net/url: invalid control character in URL"
+	_, err = Timestamp(ctx, "http://"+string(bs), nil, rootCAs, opts)
+	assertErrorEqual(expectedErr, err, t)
+
+	mockInvalidTSA := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		const wantContentType = tspclient.MediaTypeTimestampQuery
+		if got := r.Header.Get("Content-Type"); got != wantContentType {
+			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
+		}
+		if _, err := io.ReadAll(r.Body); err != nil {
+			t.Fatalf("TimestampRequest.Body read error = %v", err)
+		}
+
+		// write reply
+		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
+		w.WriteHeader(http.StatusInternalServerError)
+		if _, err := w.Write(testResp); err != nil {
+			t.Error("failed to write response:", err)
+		}
+	}))
+	defer mockInvalidTSA.Close()
+	expectedErr = "https response bad status: 500 Internal Server Error"
+	_, err = Timestamp(ctx, mockInvalidTSA.URL, nil, rootCAs, opts)
+	if err == nil || !strings.Contains(err.Error(), expectedErr) {
+		t.Fatalf("expected error message to contain %s, but got %v", expectedErr, err)
+	}
+
+	opts = tspclient.RequestOptions{
+		Content:                 []byte("notation"),
+		HashAlgorithm:           crypto.SHA256,
+		HashAlgorithmParameters: asn1.NullRawValue,
+		NoNonce:                 true,
+	}
+	mockInvalidTSA = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		const wantContentType = tspclient.MediaTypeTimestampQuery
+		if got := r.Header.Get("Content-Type"); got != wantContentType {
+			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
+		}
+		if _, err := io.ReadAll(r.Body); err != nil {
+			t.Fatalf("TimestampRequest.Body read error = %v", err)
+		}
+
+		// write reply
+		token, err := os.ReadFile("testdata/TimeStampTokenWithoutCertificate.p7s")
+		if err != nil {
+			t.Fatal(err)
+		}
+		resp := &tspclient.Response{
+			Status: pki.StatusInfo{
+				Status: pki.StatusGranted,
+			},
+			TimestampToken: asn1.RawValue{
+				FullBytes: token,
+			},
+		}
+		respBytes, err := resp.MarshalBinary()
+		if err != nil {
+			t.Fatal(err)
+		}
+		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
+		if _, err := w.Write(respBytes); err != nil {
+			t.Error("failed to write response:", err)
+		}
+	}))
+	defer mockInvalidTSA.Close()
+	expectedErr = "invalid timestamping response: certReq is True in request, but did not find any TSA signing certificate in the response"
+	_, err = Timestamp(ctx, mockInvalidTSA.URL, nil, rootCAs, opts)
+	assertErrorEqual(expectedErr, err, t)
+
+	opts = tspclient.RequestOptions{
+		Content:                 []byte("notation"),
+		HashAlgorithm:           crypto.SHA256,
+		HashAlgorithmParameters: asn1.NullRawValue,
+		NoNonce:                 true,
+	}
+	mockInvalidTSA = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		const wantContentType = tspclient.MediaTypeTimestampQuery
+		if got := r.Header.Get("Content-Type"); got != wantContentType {
+			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
+		}
+		if _, err := io.ReadAll(r.Body); err != nil {
+			t.Fatalf("TimestampRequest.Body read error = %v", err)
+		}
+
+		// write reply
+		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
+		if _, err := w.Write(testResp); err != nil {
+			t.Error("failed to write response:", err)
+		}
+	}))
+	defer mockInvalidTSA.Close()
+	signingTime := time.Date(2100, 1, 1, 0, 0, 0, 0, time.UTC)
+	expectedErr = "certificate with subject \"CN=Globalsign TSA for Advanced - G4,O=GlobalSign nv-sa,C=BE\" was invalid at signing time of 2100-01-01 00:00:00 +0000 UTC. Certificate is valid from [2021-05-27 09:55:23 +0000 UTC] to [2032-06-28 09:55:22 +0000 UTC]"
+	_, err = Timestamp(ctx, mockInvalidTSA.URL, &signingTime, rootCAs, opts)
+	assertErrorEqual(expectedErr, err, t)
+
+	opts = tspclient.RequestOptions{
+		Content:                 []byte("notation"),
+		HashAlgorithm:           crypto.SHA256,
+		HashAlgorithmParameters: asn1.NullRawValue,
+		NoNonce:                 true,
+	}
+	mockInvalidTSA = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		const wantContentType = tspclient.MediaTypeTimestampQuery
+		if got := r.Header.Get("Content-Type"); got != wantContentType {
+			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
+		}
+		if _, err := io.ReadAll(r.Body); err != nil {
+			t.Fatalf("TimestampRequest.Body read error = %v", err)
+		}
+
+		// write reply
+		token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidSignature.p7s")
+		if err != nil {
+			t.Fatal(err)
+		}
+		resp := &tspclient.Response{
+			Status: pki.StatusInfo{
+				Status: pki.StatusGranted,
+			},
+			TimestampToken: asn1.RawValue{
+				FullBytes: token,
+			},
+		}
+		respBytes, err := resp.MarshalBinary()
+		if err != nil {
+			t.Fatal(err)
+		}
+		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
+		if _, err := w.Write(respBytes); err != nil {
+			t.Error("failed to write response:", err)
+		}
+	}))
+	defer mockInvalidTSA.Close()
+	expectedErr = "failed to verify signed token: cms verification failure: crypto/rsa: verification error"
+	_, err = Timestamp(ctx, mockInvalidTSA.URL, nil, rootCAs, opts)
+	assertErrorEqual(expectedErr, err, t)
+}
+
+func assertErrorEqual(expected string, err error, t *testing.T) {
+	if err == nil || expected != err.Error() {
+		t.Fatalf("Expected error \"%v\" but was \"%v\"", expected, err)
+	}
+}

revocation/ocsp/ocsp.go

@@ -36,11 +36,24 @@ import (
 	"golang.org/x/crypto/ocsp"
 )
 
+// Purpose is an enum for purpose of the certificate chain whose OCSP status
+// is checked
+type Purpose int
+
+const (
+	// PurposeCodeSigning means the certificate chain is a code signing chain
+	PurposeCodeSigning Purpose = iota
+
+	// PurposeTimestamping means the certificate chain is a timestamping chain
+	PurposeTimestamping
+)
+
 // Options specifies values that are needed to check OCSP revocation
 type Options struct {
-	CertChain   []*x509.Certificate
-	SigningTime time.Time
-	HTTPClient  *http.Client
+	CertChain        []*x509.Certificate
+	CertChainPurpose Purpose
+	SigningTime      time.Time
+	HTTPClient       *http.Client
 }
 
 const (
@@ -64,8 +77,15 @@ func CheckStatus(opts Options) ([]*result.CertRevocationResult, error) {
 	// Since this is using authentic signing time, signing time may be zero.
 	// Thus, it is better to pass nil here than fail for a cert's NotBefore
 	// being after zero time
-	if err := coreX509.ValidateCodeSigningCertChain(opts.CertChain, nil); err != nil {
-		return nil, result.InvalidChainError{Err: err}
+	switch opts.CertChainPurpose {
+	case PurposeCodeSigning:
+		if err := coreX509.ValidateCodeSigningCertChain(opts.CertChain, nil); err != nil {
+			return nil, result.InvalidChainError{Err: err}
+		}
+	case PurposeTimestamping:
+		if err := coreX509.ValidateTimestampingCertChain(opts.CertChain, nil); err != nil {
+			return nil, result.InvalidChainError{Err: err}
+		}
 	}
 
 	certResults := make([]*result.CertRevocationResult, len(opts.CertChain))