From d66c7ab85786ab3c0ce22caed90ccd34a024dff0 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Sat, 2 Nov 2024 01:40:07 +0800
Subject: [PATCH] fix: added tsa trust store root cert validation (#471)

This PR adds tsa trust store root cert validation while getting certificates from trust store. This is to fail fast if cert in TSA trust store is not a root CA certificate.

Resolves #470

---------

Signed-off-by: Patrick Zheng
---
 .../test-mismatch/DigiCertTSARootSHA384.cer | Bin 0 -> 1428 bytes
 .../wabbit-networks.io.crt | 0
 .../tsa/test-nonSelfIssued/nonSelfIssued.crt | Bin 0 -> 1309 bytes
 verifier/truststore/truststore.go | 20 +++++++++++++
 verifier/truststore/truststore_test.go | 28 ++++++++++++++++++
 5 files changed, 48 insertions(+)
 create mode 100644 verifier/testdata/truststore/x509/tsa/test-mismatch/DigiCertTSARootSHA384.cer
 rename verifier/testdata/truststore/x509/tsa/{test-mismatch => test-nonCA}/wabbit-networks.io.crt (100%)
 create mode 100644 verifier/testdata/truststore/x509/tsa/test-nonSelfIssued/nonSelfIssued.crt

diff --git a/verifier/testdata/truststore/x509/tsa/test-mismatch/DigiCertTSARootSHA384.cer b/verifier/testdata/truststore/x509/tsa/test-mismatch/DigiCertTSARootSHA384.cer new file mode 100644 index 0000000000000000000000000000000000000000..99bcc84b7e68b5b28e4444f6fa21bc7c2baf497d GIT binary patch literal 1428 zcmXqLVx3^n#9Xm}nTe5!Nq}{>bojhJMWaWS?0c7&m&O?IvTn?JkswJuAWqo zP1e*s_a@Ho#N;1}iL*^!vmT3k6D_sp^~v*R*O)lOZ>&mtSAN1{MOt|H{E&z~9_{V^ z%MEUZy*pJM`*`h1|G1~7&kaxCnjCkhufO5ewuv(wCR84-IKFM;k*!%07R&;@H?Ej3 z(PORc_}XMAFtK2DXp^JS_1i4PT6q&0YZQI1>{%zxTpC-EcGJqxWtOqSeva!=o=Xlr zTe%?p?h^Gq3;iv(3Py;3SBY`!Px*c@v!iTAnQdgOQ(1fG^vo)c4-XazNvF*!Id#ul z?m1ubx@TA3Pnu*k&-M<(6Ia#FZL?e?wd)Q{*>Wi{_qFlOqxZd87|ztnOg-HHU2)SU z!R@>2KV9u9&~Z#ywJ}-3WvWzJQr)+P4ZmNcEHl2?$^LNf_GivZBz7z-XMD&%g-20# zQ;4Q&XUw*5U*l71pZrEK z{)j?gcK*iIZQcHduDQm~Rrs?|?&yL3MH}n5)MkEtlBqvKR`=`8m78RrN;5GtGB7T7 zGH@{92PS7(VMfOPEUX61K+1p*B)|_6U;*Z-HUn7@pN~b1MdZ!($4!?CV^e(Y>!sU2 z-!)^M48K2eDg$OPU@Bu|*qwN@c4f{!@gozZ4=-HA(EB(ggFozi`MQFie`k5k+~v@ z;|G_o$XKF&XYNn+bq1|Fzoq+H+4VTN((ZIU8a!-?Xwiwjs2;$JM? zvV8rD@42RPYNEQXEwY&TxuW}v?-ZoX1m*e!D1M{-ku zW1+3RZ-H_fkJp{XOJ|IxwD59pPM7gN@Ge`S#Ng5cOA~=sMNvkM7okS?3O#RXhzIyS z+vj_+bj^iRza4itFI{!{FsqBdj@j%-zaF{nP!7&v%TEujciZY?pQjO3sdj0}ilph6 zfR&$*WHWvetKHnrfA0t)=$1ze_=^}`TkG{L*Rlgt&`^}&Rl)f&LXk-+o%1iN!lfsC)s~w6 z?Tp>inj~vqxWQ7QGU@KxG3!Bhh+^5 ouE}lQ!_OaFs=4ZwaQTyaJ&lTM*#+DM*S6cTUo72o{&QL#0GZBIfB*mh literal 0 HcmV?d00001 diff --git a/verifier/testdata/truststore/x509/tsa/test-mismatch/wabbit-networks.io.crt b/verifier/testdata/truststore/x509/tsa/test-nonCA/wabbit-networks.io.crt similarity index 100% rename from verifier/testdata/truststore/x509/tsa/test-mismatch/wabbit-networks.io.crt rename to verifier/testdata/truststore/x509/tsa/test-nonCA/wabbit-networks.io.crt 
diff --git a/verifier/testdata/truststore/x509/tsa/test-nonSelfIssued/nonSelfIssued.crt b/verifier/testdata/truststore/x509/tsa/test-nonSelfIssued/nonSelfIssued.crt new file mode 100644 index 0000000000000000000000000000000000000000..6ec500520a70677de8fe99e14e217bc41f44be7c GIT binary patch literal 1309 zcmXqLVwE&#Vs2c(%*4pV#Kf@BfR~L^tIebBJ1-+6H!Fidu_3nsCmVAp3!5-gXfTY! zA?1ek@jK>{V2`FRQ< zsl_DZmRk>LXCs%sMu?+!8w z3(n9`Ru})z-RGfBJbGt&RE}cm89ZKyUxgOqJ|X`#BG8w%=X5 z*Lr6svGv1%EMFrV3ud9h0Zc5{3C zn3+VjWQF`cXv_R-$6TQczGlxaeR_A#J-hzWe{*r>c;%dMKYrgyN_=_II>PBYU$1A{ z-6kiOeZaBb;Dk2&-uXUSz!>L)qojD8OVYJ_*lePM9Lbcw-^1*-xnqsldq~GG;QVzPXPmYkhC(3 zgn?KCb_LdK9NKJ*tgP&ej4b*Fx(3=Xz5!#Kd`3x0ft9{~YDHphK~Ab(a(=FUGAMb+ z=O-5z=o=V_flOBgxrWDp3#O5o137g8^BpjCH8P}koLt}Ovq4!=A$D&%OUIi@#goqo zmY+ZCZ#UU;0o%L&jcp?Ns_V|R={hnkyLii0?%cVXEnl>z>obIGb#J|FKPg4I`;opb ztLE$e^{2N@_Ihu-BOz58ipvCp#oN4t7=UB2WTT0J%Bm-DK>@2_>TPIEZolVq?r$B|oTW$ZNuw!{6^ zaUz;Fd++p|4_H#Orh4-B4X4Ukl<(xfNiw&&!`#aw(DhGX4PWtnk;IlD)~dFvtJIg= z71WcPca5z(E6X(2v{}mZTKVdElJ<&@lAVmo3_7p*?=@=`dgLDdbKuIuMpfJQ5t?$V zrW$!Y>-@gEZ04ps%b=tynrr5D21m6BT
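Review bot: The test-mismatch fixture directory changes meaning in this patch: wabbit-networks.io.crt is renamed out of it into test-nonCA, and DigiCertTSARootSHA384.cer is created under the old directory name. Any test that already loads test-mismatch will keep passing its path lookup but will now read a different certificate, so please confirm each such test still fails for the reason it was written to check. A short README or comment under verifier/testdata/truststore/x509/tsa stating what each directory (test-mismatch, test-nonCA, test-nonSelfIssued) is expected to trigger would make that intent reviewable, since the directory names alone do not say what is mismatched.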
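Review bot: nonSelfIssued.crt is added as an opaque 1309-byte binary with no record of how it was generated, what its subject and issuer are, or when it expires. Please add the generation command (or a note in the test file) so the fixture can be regenerated, and check its validity period so the test does not start failing later for an unrelated reason such as expiry. The commit message says the store must hold a "root CA certificate" while the fixtures are named nonCA and nonSelfIssued; it would help to state in the doc comment in truststore.go exactly which properties are checked (CA flag, subject equal to issuer, signature verification), because self-issued and self-signed are not the same condition.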