From d94d7b32eb2ec758dc62e812761542a68df814e4 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 3 Jul 2024 14:11:59 +0800
Subject: [PATCH] added more tests

Signed-off-by: Patrick Zheng
---
 config/base_test.go | 4 +++
 example_signWithTimestmap_test.go | 7 ++++-
 go.mod | 6 ++--
 go.sum | 8 +++---
 internal/mock/ocilayout/ocilayout_test.go | 6 +++-
 notation.go | 5 ++--
 registry/repository_test.go | 4 +++
 signer/signer.go | 6 ++--
 signer/signer_test.go | 32 ++++++++++++++++++++--
 signer/testdata/DigiCertTSARootSHA384.cer | Bin 0 -> 1428 bytes
 verifier/verifier.go | 2 +-
 11 files changed, 63 insertions(+), 17 deletions(-)
 create mode 100644 signer/testdata/DigiCertTSARootSHA384.cer

diff --git a/config/base_test.go b/config/base_test.go
index 7fb8d8ff..1241ec38 100644
--- a/config/base_test.go
+++ b/config/base_test.go
@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-go/dir"
@@ -33,6 +34,9 @@ func TestLoadNonExistentFile(t *testing.T) {
 }
 
 func TestLoadSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("skipping test on Windows")
+	}
 	root := t.TempDir()
 	dir.UserConfigDir = root
 	fileName := "symlink"
diff --git a/example_signWithTimestmap_test.go b/example_signWithTimestmap_test.go
index 5f3ee7b2..5be401a6 100644
--- a/example_signWithTimestmap_test.go
+++ b/example_signWithTimestmap_test.go
@@ -25,6 +25,7 @@ import (
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/registry"
 	"github.com/notaryproject/notation-go/signer"
+	"github.com/notaryproject/tspclient-go"
 )
 
 // Example_signWithTimestamp demonstrates how to use notation.Sign to sign an
@@ -105,10 +106,14 @@ gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 	tsaRootCAs.AddCert(tsaRootCert)
 
 	// exampleSignOptions is an example of notation.SignOptions.
+	httpTimestamper, err := tspclient.NewHTTPTimestamper(nil, exampleRFC3161TSAServer)
+	if err != nil {
+		panic(err) // Handle error
+	}
 	exampleSignOptions := notation.SignOptions{
 		SignerSignOptions: notation.SignerSignOptions{
 			SignatureMediaType: exampleSignatureMediaType,
-			TSAServerURL: exampleRFC3161TSAServer,
+			Timestamper: httpTimestamper,
 			TSARootCAs: tsaRootCAs,
 		},
 		ArtifactReference: exampleArtifactReference,
diff --git a/go.mod b/go.mod
index bda0a29e..60792761 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/notaryproject/notation-core-go v1.0.3
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
-	github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe
+	github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/veraison/go-cose v1.1.0
@@ -25,6 +25,4 @@ require (
 	golang.org/x/sync v0.6.0 // indirect
 )
 
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e
-
-replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18
diff --git a/go.sum b/go.sum
index 5ca06941..4a361236 100644
--- a/go.sum
+++ b/go.sum
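Review bot: `tspclient.NewHTTPTimestamper(nil, exampleRFC3161TSAServer)` hands the library a nil client, so the example relies on whatever default the library substitutes; if that default carries no timeout (the hunk does not show it), an unresponsive TSA stalls the entire signing call. Since this example is the template users copy, it is worth showing an explicit client, e.g. `httpTimestamper, err := tspclient.NewHTTPTimestamper(&http.Client{Timeout: 5 * time.Second}, exampleRFC3161TSAServer)` (net/http and time would need importing), with a comment noting that the timestamp token is authenticated against TSARootCAs rather than by the transport. The enclosing Example function starts outside the hunk.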
@@ -1,9 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e h1:yDGu0wnuX+3xSDLXeIPV751jaBaTjMjcpVz5NwTypm4= -github.com/Two-Hearts/notation-core-go v0.0.0-20240628104035-de8a46ce468e/go.mod h1:hXbhc81hiH9tQOZ4w5pI+Z83y8qhpXKbsLXHWA/74TE= -github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172 h1:ME+WMRNcucfmJ9Le8eCtdV1gR3Xc8ve6Ab/cPnN/z48= -github.com/Two-Hearts/tspclient-go v0.0.0-20240628085816-98b1c64c4172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18 h1:lYX4Y5ZkbWbsAJkdMCSfg0Nc3lxsKWmOaHtnKejoIMY= +github.com/Two-Hearts/notation-core-go v0.0.0-20240703022152-7f0c50591e18/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -38,6 +36,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
+github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058 h1:FlGmQAwbf78rw12fXT4+9EkmD9+ZWuqH08v0fE3sqHc=
+github.com/notaryproject/tspclient-go v0.0.0-20240702050734-d91848411058/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
diff --git a/internal/mock/ocilayout/ocilayout_test.go b/internal/mock/ocilayout/ocilayout_test.go
index 81b464f7..ad4bcb9f 100644
--- a/internal/mock/ocilayout/ocilayout_test.go
+++ b/internal/mock/ocilayout/ocilayout_test.go
@@ -15,6 +15,7 @@ package ocilayout
 
 import (
 	"os"
+	"runtime"
 	"testing"
 )
 
@@ -26,7 +27,10 @@ func TestCopy(t *testing.T) {
 		}
 	})
 
-	t.Run("invalid target path", func(t *testing.T) {
+	t.Run("invalid target path permission", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
 		tempDir := t.TempDir()
 		// change the permission of the tempDir to make it invalid
 		if err := os.Chmod(tempDir, 0); err != nil {
diff --git a/notation.go b/notation.go
index 2bed4f1c..fcad813c 100644
--- a/notation.go
+++ b/notation.go
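Review bot: The Windows skip added to the `invalid target path permission` subtest leaves out the other environment where `os.Chmod(tempDir, 0)` does not deny access: a process running as root (common in CI containers) can still write into a mode-0 directory, so the subtest would presumably fail there for the wrong reason. Extending the guard to `if runtime.GOOS == "windows" || os.Getuid() == 0 {` with a skip message naming both cases makes the intent explicit; the same applies to the `no permission to create new path` subtest in registry/repository_test.go, which relies on `os.Mkdir(dirPath, 0000)`. Both enclosing test functions start and end outside their hunks.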
@@ -38,6 +38,7 @@ import (
 	"github.com/notaryproject/notation-go/log"
 	"github.com/notaryproject/notation-go/registry"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+	"github.com/notaryproject/tspclient-go"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -63,8 +64,8 @@ type SignerSignOptions struct {
 	// SigningAgent sets the signing agent name
 	SigningAgent string
 
-	// TSAServerURL denotes the TSA server URL
-	TSAServerURL string
+	// Timestamper denotes the timestamper for RFC 3161 timestamping
+	Timestamper tspclient.Timestamper
 
 	// TSARootCAs is the cert pool holding caller's TSA trust anchor
 	TSARootCAs *x509.CertPool
diff --git a/registry/repository_test.go b/registry/repository_test.go
index 50ea6885..708a974a 100644
--- a/registry/repository_test.go
+++ b/registry/repository_test.go
@@ -23,6 +23,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -607,6 +608,9 @@ func TestNewOCIRepositoryFailed(t *testing.T) {
 	})
 
 	t.Run("no permission to create new path", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
 		// create a directory in the temp dir
 		dirPath := filepath.Join(t.TempDir(), "dir")
 		err := os.Mkdir(dirPath, 0000)
diff --git a/signer/signer.go b/signer/signer.go
index 5f117391..eea87651 100644
--- a/signer/signer.go
+++ b/signer/signer.go
@@ -122,7 +122,7 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 		SigningTime: time.Now(),
 		SigningScheme: signature.SigningSchemeX509,
 		SigningAgent: signingAgentId,
-		TSAServerURL: opts.TSAServerURL,
+		Timestamper: opts.Timestamper,
 		TSARootCAs: opts.TSARootCAs,
 	}
 
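Review bot: The new field comment `// Timestamper denotes the timestamper for RFC 3161 timestamping` in SignerSignOptions does not say what a nil value means, which is the one detail callers migrating from the string `TSAServerURL` need; presumably nil disables timestamping as an empty URL did before, but the hunk does not show it. Suggest stating the optional/nil behaviour and the coupling to the next field, e.g. `// Timestamper denotes the timestamper for RFC 3161 timestamping. It is optional; when nil, no timestamp is requested. When set, TSARootCAs should hold the trust anchor used to verify the TSA's response.`, adjusted to whatever the signer actually does. The SignerSignOptions struct continues outside the hunk.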
@@ -137,7 +137,9 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 	logger.Debugf(" Expiry: %v", signReq.Expiry)
 	logger.Debugf(" SigningScheme: %v", signReq.SigningScheme)
 	logger.Debugf(" SigningAgent: %v", signReq.SigningAgent)
-	logger.Debugf(" TSAServerURL: %v", signReq.TSAServerURL)
+
+	// Add ctx to the SignRequest
+	signReq = signReq.WithContext(ctx)
 
 	// perform signing
 	sigEnv, err := signature.NewEnvelope(opts.SignatureMediaType)
diff --git a/signer/signer_test.go b/signer/signer_test.go
index e6797a71..ebfe8a0c 100644
--- a/signer/signer_test.go
+++ b/signer/signer_test.go
@@ -34,13 +34,17 @@ import (
 	_ "github.com/notaryproject/notation-core-go/signature/cose"
 	_ "github.com/notaryproject/notation-core-go/signature/jws"
 	"github.com/notaryproject/notation-core-go/testhelper"
+	nx509 "github.com/notaryproject/notation-core-go/x509"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/internal/envelope"
 	"github.com/notaryproject/notation-go/plugin/proto"
+	"github.com/notaryproject/tspclient-go"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
+const rfc3161URL = "http://timestamp.digicert.com"
+
 type keyCertPair struct {
 	keySpecName string
 	key crypto.PrivateKey
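Review bot: Removing `logger.Debugf(" TSAServerURL: %v", signReq.TSAServerURL)` without a replacement leaves the debug trace of the sign request with no record of whether timestamping was requested, which was the one value an operator could use to correlate a signing run with an outbound TSA call. A line that makes no assumption about the Timestamper type, `logger.Debugf(" Timestamping: %v", signReq.Timestamper != nil)`, next to the other Debugf calls keeps that signal. Sign continues outside the hunk on both sides.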
@@ -208,7 +212,18 @@ func TestSignWithCertChain(t *testing.T) {
 	for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
 		for _, keyCert := range keyCertPairCollections {
 			t.Run(fmt.Sprintf("envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) {
-				validateSignWithCerts(t, envelopeType, keyCert.key, keyCert.certs)
+				validateSignWithCerts(t, envelopeType, keyCert.key, keyCert.certs, false)
+			})
+		}
+	}
+}
+
+func TestSignWithTimestamping(t *testing.T) {
+	// sign with key
+	for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
+		for _, keyCert := range keyCertPairCollections {
+			t.Run(fmt.Sprintf("envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) {
+				validateSignWithCerts(t, envelopeType, keyCert.key, keyCert.certs, true)
 			})
 		}
 	}
@@ -354,7 +369,7 @@ func verifySigningAgent(t *testing.T, signingAgentId string, metadata *proto.Get
 	}
 }
 
-func validateSignWithCerts(t *testing.T, envelopeType string, key crypto.PrivateKey, certs []*x509.Certificate) {
+func validateSignWithCerts(t *testing.T, envelopeType string, key crypto.PrivateKey, certs []*x509.Certificate, timestamp bool) {
 	s, err := New(key, certs)
 	if err != nil {
 		t.Fatalf("NewSigner() error = %v", err)
@@ -363,6 +378,19 @@ func validateSignWithCerts(t *testing.T, envelopeType string, key crypto.Private
 	ctx := context.Background()
 	desc, sOpts := generateSigningContent()
 	sOpts.SignatureMediaType = envelopeType
+	if timestamp {
+		sOpts.Timestamper, err = tspclient.NewHTTPTimestamper(nil, rfc3161URL)
+		if err != nil {
+			t.Fatal(err)
+		}
+		rootCerts, err := nx509.ReadCertificateFile("./testdata/DigiCertTSARootSHA384.cer")
+		if err != nil {
+			t.Fatal(err)
+		}
+		rootCAs := x509.NewCertPool()
+		rootCAs.AddCert(rootCerts[0])
+		sOpts.TSARootCAs = rootCAs
+	}
 	sig, _, err := s.Sign(ctx, desc, sOpts)
 	if err != nil {
 		t.Fatalf("Sign() error = %v", err)
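Review bot: With `timestamp` set, validateSignWithCerts makes a live request to `http://timestamp.digicert.com` via `tspclient.NewHTTPTimestamper(nil, rfc3161URL)`, so TestSignWithTimestamping depends on network egress and an external service and will fail or hang in an offline or sandboxed CI run; gating the branch with `if testing.Short() { t.Skip("network access to the TSA required") }` (or an opt-in environment variable) keeps `go test -short` hermetic. Separately, `rootCAs.AddCert(rootCerts[0])` indexes without checking that `nx509.ReadCertificateFile` returned at least one certificate, so a truncated testdata file would panic instead of failing with a message; `if len(rootCerts) == 0 { t.Fatal("no certificate found in testdata/DigiCertTSARootSHA384.cer") }` before the AddCert gives a readable failure. validateSignWithCerts continues outside the hunk.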
diff --git a/signer/testdata/DigiCertTSARootSHA384.cer b/signer/testdata/DigiCertTSARootSHA384.cer new file mode 100644 index 0000000000000000000000000000000000000000..99bcc84b7e68b5b28e4444f6fa21bc7c2baf497d GIT binary patch literal 1428 zcmXqLVx3^n#9Xm}nTe5!Nq}{>bojhJMWaWS?0c7&m&O?IvTn?JkswJuAWqo zP1e*s_a@Ho#N;1}iL*^!vmT3k6D_sp^~v*R*O)lOZ>&mtSAN1{MOt|H{E&z~9_{V^ z%MEUZy*pJM`*`h1|G1~7&kaxCnjCkhufO5ewuv(wCR84-IKFM;k*!%07R&;@H?Ej3 z(PORc_}XMAFtK2DXp^JS_1i4PT6q&0YZQI1>{%zxTpC-EcGJqxWtOqSeva!=o=Xlr zTe%?p?h^Gq3;iv(3Py;3SBY`!Px*c@v!iTAnQdgOQ(1fG^vo)c4-XazNvF*!Id#ul z?m1ubx@TA3Pnu*k&-M<(6Ia#FZL?e?wd)Q{*>Wi{_qFlOqxZd87|ztnOg-HHU2)SU z!R@>2KV9u9&~Z#ywJ}-3WvWzJQr)+P4ZmNcEHl2?$^LNf_GivZBz7z-XMD&%g-20# zQ;4Q&XUw*5U*l71pZrEK z{)j?gcK*iIZQcHduDQm~Rrs?|?&yL3MH}n5)MkEtlBqvKR`=`8m78RrN;5GtGB7T7 zGH@{92PS7(VMfOPEUX61K+1p*B)|_6U;*Z-HUn7@pN~b1MdZ!($4!?CV^e(Y>!sU2 z-!)^M48K2eDg$OPU@Bu|*qwN@c4f{!@gozZ4=-HA(EB(ggFozi`MQFie`k5k+~v@ z;|G_o$XKF&XYNn+bq1|Fzoq+H+4VTN((ZIU8a!-?Xwiwjs2;$JM? zvV8rD@42RPYNEQXEwY&TxuW}v?-ZoX1m*e!D1M{-ku zW1+3RZ-H_fkJp{XOJ|IxwD59pPM7gN@Ge`S#Ng5cOA~=sMNvkM7okS?3O#RXhzIyS z+vj_+bj^iRza4itFI{!{FsqBdj@j%-zaF{nP!7&v%TEujciZY?pQjO3sdj0}ilph6 zfR&$*WHWvetKHnrfA0t)=$1ze_=^}`TkG{L*Rlgt&`^}&Rl)f&LXk-+o%1iN!lfsC)s~w6 z?Tp>inj~vqxWQ7QGU@KxG3!Bhh+^5 ouE}lQ!_OaFs=4ZwaQTyaJ&lTM*#+DM*S6cTUo72o{&QL#0GZBIfB*mh literal 0 HcmV?d00001 diff --git a/verifier/verifier.go b/verifier/verifier.go index ece9e396..6ef4ab27 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go 
@@ -809,7 +809,7 @@ func verifyAuthenticTimestamp(ctx context.Context, policyName string, trustStore
 	}
 	// 3. Validate timestamping certificate chain
 	logger.Info("Validating timestamping certificate chain...")
-	if err := nx509.ValidateTimestampingCertChain(tsaCertChain, nil); err != nil {
+	if err := nx509.ValidateTimestampingCertChain(tsaCertChain); err != nil {
 		return ¬ation.ValidationResult{
 			Error: fmt.Errorf("failed to validate the timestamping certificate chain with error: %w", err),
 			Type: trustpolicy.TypeAuthenticTimestamp,