feat: Timestamp

go.mod

@@ -5,11 +5,9 @@ go 1.21
 require (
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe
+	github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058
 	github.com/veraison/go-cose v1.1.0
 	golang.org/x/crypto v0.24.0
 )
 
 require github.com/x448/float16 v0.8.4 // indirect
-
-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172

go.sum

@@ -1,9 +1,9 @@
-github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 h1:ME+WMRNcucfmJ9Le8eCtdV1gR3Xc8ve6Ab/cPnN/z48=
-github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc=
+github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
 github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=

internal/timestamp/timestamp.go

@@ -15,10 +15,9 @@
 package timestamp
 
 import (
-	"context"
 	"crypto/x509"
-	"time"
 
+	"github.com/notaryproject/notation-core-go/signature"
 	nx509 "github.com/notaryproject/notation-core-go/x509"
 	"github.com/notaryproject/tspclient-go"
 )
@@ -30,31 +29,37 @@
 // TSA.
 //
 // Reference: https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signature-specification.md#leaf-certificates
-func Timestamp(ctx context.Context, tsaURL string, signingTime *time.Time, tsaRootCAs *x509.CertPool, opts tspclient.RequestOptions) ([]byte, error) {
+func Timestamp(req *signature.SignRequest, opts tspclient.RequestOptions) ([]byte, error) {
 	tsaRequest, err := tspclient.NewRequest(opts)
 	if err != nil {
 		return nil, err
 	}
-	httpTimestamper, err := tspclient.NewHTTPTimestamper(nil, tsaURL)
+	ctx := req.Context()
+	resp, err := req.Timestamper.Timestamp(ctx, tsaRequest)
 	if err != nil {
 		return nil, err
 	}
-	resp, err := httpTimestamper.Timestamp(ctx, tsaRequest)
+	token, err := resp.SignedToken()
 	if err != nil {
 		return nil, err
 	}
-	token, err := resp.SignedToken()
+	info, err := token.Info()
+	if err != nil {
+		return nil, err
+	}
+	timestamp, err := info.Validate(opts.Content)
 	if err != nil {
 		return nil, err
 	}
 	tsaCertChain, err := token.Verify(ctx, x509.VerifyOptions{
-		Roots: tsaRootCAs,
+		CurrentTime: timestamp.Value,
+		Roots:       req.TSARootCAs,
 	})
 	if err != nil {
 		return nil, err
 	}
-	if err := nx509.ValidateTimestampingCertChain(tsaCertChain, signingTime); err != nil {
+	if err := nx509.ValidateTimestampingCertChain(tsaCertChain); err != nil {
 		return nil, err
 	}
 	return resp.TimestampToken.FullBytes, nil
 }

internal/timestamp/timestamp_test.go

@@ -18,15 +18,12 @@ import (
 	"crypto"
 	"crypto/x509"
 	"encoding/asn1"
-	"encoding/hex"
-	"io"
-	"net/http"
-	"net/http/httptest"
+	"errors"
 	"os"
 	"strings"
 	"testing"
-	"time"
 
+	"github.com/notaryproject/notation-core-go/signature"
 	nx509 "github.com/notaryproject/notation-core-go/x509"
 	"github.com/notaryproject/tspclient-go"
 	"github.com/notaryproject/tspclient-go/pki"
@@ -35,11 +32,6 @@ import (
 const rfc3161TSAurl = "http://rfc3161timestamp.globalsign.com/advanced"
 
 func TestTimestamp(t *testing.T) {
-	ctx := context.Background()
-	testResp, err := os.ReadFile("testdata/granted.tsq")
-	if err != nil {
-		t.Fatal("failed to read test response:", err)
-	}
 	rootCerts, err := nx509.ReadCertificateFile("testdata/tsaRootCert.crt")
 	if err != nil || len(rootCerts) == 0 {
 		t.Fatal("failed to read root CA certificate:", err)
@@ -49,12 +41,19 @@ func TestTimestamp(t *testing.T) {
 	rootCAs.AddCert(rootCert)
 
 	// --------------- Success case ----------------------------------
+	timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req := &signature.SignRequest{
+		Timestamper: timestamper,
+		TSARootCAs:  rootCAs,
+	}
 	opts := tspclient.RequestOptions{
-		Content:                 []byte("notation"),
-		HashAlgorithm:           crypto.SHA256,
-		HashAlgorithmParameters: asn1.NullRawValue,
+		Content:       []byte("notation"),
+		HashAlgorithm: crypto.SHA256,
 	}
-	_, err = Timestamp(ctx, rfc3161TSAurl, nil, rootCAs, opts)
+	_, err = Timestamp(req, opts)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -65,159 +64,137 @@ func TestTimestamp(t *testing.T) {
 		HashAlgorithm: crypto.SHA1,
 	}
 	expectedErr := "malformed timestamping request: unsupported hashing algorithm: SHA-1"
-	_, err = Timestamp(ctx, "", nil, rootCAs, opts)
+	_, err = Timestamp(req, opts)
 	assertErrorEqual(expectedErr, err, t)
 
+	req = &signature.SignRequest{
+		Timestamper: dummyTimestamper{},
+		TSARootCAs:  rootCAs,
+	}
 	opts = tspclient.RequestOptions{
-		Content:                 []byte("notation"),
-		HashAlgorithm:           crypto.SHA256,
-		HashAlgorithmParameters: asn1.NullRawValue,
+		Content:       []byte("notation"),
+		HashAlgorithm: crypto.SHA256,
+		NoNonce:       true,
 	}
-	bs, err := hex.DecodeString("7f")
-	if err != nil {
-		t.Fatal(err)
+	expectedErr = "failed to timestamp"
+	_, err = Timestamp(req, opts)
+	if err == nil || !strings.Contains(err.Error(), expectedErr) {
+		t.Fatalf("expected error message to contain %s, but got %v", expectedErr, err)
+	}
+
+	req = &signature.SignRequest{
+		Timestamper: dummyTimestamper{
+			respWithRejectedStatus: true,
+		},
+		TSARootCAs: rootCAs,
 	}
-	expectedErr = "parse \"http://\\x7f\": net/url: invalid control character in URL"
-	_, err = Timestamp(ctx, "http://"+string(bs), nil, rootCAs, opts)
+	expectedErr = "invalid timestamping response: invalid response with status code 2: rejected"
+	_, err = Timestamp(req, opts)
 	assertErrorEqual(expectedErr, err, t)
 
-	mockInvalidTSA := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		const wantContentType = tspclient.MediaTypeTimestampQuery
-		if got := r.Header.Get("Content-Type"); got != wantContentType {
-			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
-		}
-		if _, err := io.ReadAll(r.Body); err != nil {
-			t.Fatalf("TimestampRequest.Body read error = %v", err)
-		}
+	req = &signature.SignRequest{
+		Timestamper: dummyTimestamper{
+			invalidTSTInfo: true,
+		},
+		TSARootCAs: rootCAs,
+	}
+	expectedErr = "cannot unmarshal TSTInfo from timestamp token: asn1: structure error: tags don't match (23 vs {class:0 tag:16 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:24 set:false omitEmpty:false} Time @89"
+	_, err = Timestamp(req, opts)
+	assertErrorEqual(expectedErr, err, t)
 
-		// write reply
-		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
-		w.WriteHeader(http.StatusInternalServerError)
-		if _, err := w.Write(testResp); err != nil {
-			t.Error("failed to write response:", err)
-		}
-	}))
-	defer mockInvalidTSA.Close()
-	expectedErr = "https response bad status: 500 Internal Server Error"
-	_, err = Timestamp(ctx, mockInvalidTSA.URL, nil, rootCAs, opts)
-	if err == nil || !strings.Contains(err.Error(), expectedErr) {
-		t.Fatalf("expected error message to contain %s, but got %v", expectedErr, err)
+	opts = tspclient.RequestOptions{
+		Content:       []byte("mismatch"),
+		HashAlgorithm: crypto.SHA256,
+		NoNonce:       true,
 	}
+	req = &signature.SignRequest{
+		Timestamper: dummyTimestamper{
+			failValidate: true,
+		},
+		TSARootCAs: rootCAs,
+	}
+	expectedErr = "invalid TSTInfo: mismatched message"
+	_, err = Timestamp(req, opts)
+	assertErrorEqual(expectedErr, err, t)
 
 	opts = tspclient.RequestOptions{
-		Content:                 []byte("notation"),
-		HashAlgorithm:           crypto.SHA256,
-		HashAlgorithmParameters: asn1.NullRawValue,
-		NoNonce:                 true,
-	}
-	mockInvalidTSA = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		const wantContentType = tspclient.MediaTypeTimestampQuery
-		if got := r.Header.Get("Content-Type"); got != wantContentType {
-			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
-		}
-		if _, err := io.ReadAll(r.Body); err != nil {
-			t.Fatalf("TimestampRequest.Body read error = %v", err)
-		}
+		Content:       []byte("notation"),
+		HashAlgorithm: crypto.SHA256,
+		NoNonce:       true,
+	}
+	req = &signature.SignRequest{
+		Timestamper: dummyTimestamper{
+			invalidSignature: true,
+		},
+		TSARootCAs: rootCAs,
+	}
+	expectedErr = "failed to verify signed token: cms verification failure: crypto/rsa: verification error"
+	_, err = Timestamp(req, opts)
+	assertErrorEqual(expectedErr, err, t)
+}
+
+func assertErrorEqual(expected string, err error, t *testing.T) {
+	if err == nil || expected != err.Error() {
+		t.Fatalf("Expected error \"%v\" but was \"%v\"", expected, err)
+	}
+}
 
-		// write reply
-		token, err := os.ReadFile("testdata/TimeStampTokenWithoutCertificate.p7s")
+type dummyTimestamper struct {
+	respWithRejectedStatus bool
+	invalidTSTInfo         bool
+	failValidate           bool
+	invalidSignature       bool
+}
+
+func (d dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) {
+	if d.respWithRejectedStatus {
+		return &tspclient.Response{
+			Status: pki.StatusInfo{
+				Status: pki.StatusRejection,
+			},
+		}, nil
+	}
+	if d.invalidTSTInfo {
+		token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidTSTInfo.p7s")
 		if err != nil {
-			t.Fatal(err)
+			return nil, err
 		}
-		resp := &tspclient.Response{
+		return &tspclient.Response{
 			Status: pki.StatusInfo{
 				Status: pki.StatusGranted,
 			},
 			TimestampToken: asn1.RawValue{
 				FullBytes: token,
 			},
-		}
-		respBytes, err := resp.MarshalBinary()
+		}, nil
+	}
+	if d.failValidate {
+		token, err := os.ReadFile("testdata/TimeStampToken.p7s")
 		if err != nil {
-			t.Fatal(err)
-		}
-		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
-		if _, err := w.Write(respBytes); err != nil {
-			t.Error("failed to write response:", err)
-		}
-	}))
-	defer mockInvalidTSA.Close()
-	expectedErr = "invalid timestamping response: certReq is True in request, but did not find any TSA signing certificate in the response"
-	_, err = Timestamp(ctx, mockInvalidTSA.URL, nil, rootCAs, opts)
-	assertErrorEqual(expectedErr, err, t)
-
-	opts = tspclient.RequestOptions{
-		Content:                 []byte("notation"),
-		HashAlgorithm:           crypto.SHA256,
-		HashAlgorithmParameters: asn1.NullRawValue,
-		NoNonce:                 true,
-	}
-	mockInvalidTSA = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		const wantContentType = tspclient.MediaTypeTimestampQuery
-		if got := r.Header.Get("Content-Type"); got != wantContentType {
-			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
-		}
-		if _, err := io.ReadAll(r.Body); err != nil {
-			t.Fatalf("TimestampRequest.Body read error = %v", err)
-		}
-
-		// write reply
-		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
-		if _, err := w.Write(testResp); err != nil {
-			t.Error("failed to write response:", err)
-		}
-	}))
-	defer mockInvalidTSA.Close()
-	signingTime := time.Date(2100, 1, 1, 0, 0, 0, 0, time.UTC)
-	expectedErr = "certificate with subject \"CN=Globalsign TSA for Advanced - G4,O=GlobalSign nv-sa,C=BE\" was invalid at signing time of 2100-01-01 00:00:00 +0000 UTC. Certificate is valid from [2021-05-27 09:55:23 +0000 UTC] to [2032-06-28 09:55:22 +0000 UTC]"
-	_, err = Timestamp(ctx, mockInvalidTSA.URL, &signingTime, rootCAs, opts)
-	assertErrorEqual(expectedErr, err, t)
-
-	opts = tspclient.RequestOptions{
-		Content:                 []byte("notation"),
-		HashAlgorithm:           crypto.SHA256,
-		HashAlgorithmParameters: asn1.NullRawValue,
-		NoNonce:                 true,
-	}
-	mockInvalidTSA = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		const wantContentType = tspclient.MediaTypeTimestampQuery
-		if got := r.Header.Get("Content-Type"); got != wantContentType {
-			t.Fatalf("TimestampRequest.ContentType = %v, want %v", err, wantContentType)
-		}
-		if _, err := io.ReadAll(r.Body); err != nil {
-			t.Fatalf("TimestampRequest.Body read error = %v", err)
+			return nil, err
 		}
-
-		// write reply
+		return &tspclient.Response{
+			Status: pki.StatusInfo{
+				Status: pki.StatusGranted,
+			},
+			TimestampToken: asn1.RawValue{
+				FullBytes: token,
+			},
+		}, nil
+	}
+	if d.invalidSignature {
 		token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidSignature.p7s")
 		if err != nil {
-			t.Fatal(err)
+			return nil, err
 		}
-		resp := &tspclient.Response{
+		return &tspclient.Response{
 			Status: pki.StatusInfo{
 				Status: pki.StatusGranted,
 			},
 			TimestampToken: asn1.RawValue{
 				FullBytes: token,
 			},
-		}
-		respBytes, err := resp.MarshalBinary()
-		if err != nil {
-			t.Fatal(err)
-		}
-		w.Header().Set("Content-Type", tspclient.MediaTypeTimestampReply)
-		if _, err := w.Write(respBytes); err != nil {
-			t.Error("failed to write response:", err)
-		}
-	}))
-	defer mockInvalidTSA.Close()
-	expectedErr = "failed to verify signed token: cms verification failure: crypto/rsa: verification error"
-	_, err = Timestamp(ctx, mockInvalidTSA.URL, nil, rootCAs, opts)
-	assertErrorEqual(expectedErr, err, t)
-}
-
-func assertErrorEqual(expected string, err error, t *testing.T) {
-	if err == nil || expected != err.Error() {
-		t.Fatalf("Expected error \"%v\" but was \"%v\"", expected, err)
+		}, nil
 	}
+	return nil, errors.New("failed to timestamp")
 }