-
Notifications
You must be signed in to change notification settings - Fork 552
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fail timestamp verification if no root is provided (#3224)
* Fail timestamp verification if no root is provided The bug was that we would conditionally check a timestamp if a root was provided. If no root was provided even if a timestamp was provided, then signature verification would succeed. The good news is this will not show a successful signature if the transparency log does not contain the entry too, for timestamp verification. Signed-off-by: Hayden Blauzvern <[email protected]> * Switch to switch Signed-off-by: Hayden Blauzvern <[email protected]> * Fix e2e test Signed-off-by: Hayden Blauzvern <[email protected]> * Fix e2e test Signed-off-by: Hayden Blauzvern <[email protected]> --------- Signed-off-by: Hayden Blauzvern <[email protected]>
- Loading branch information
1 parent
29396d6
commit 0d48aa1
Showing
3 changed files
with
31 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -31,6 +31,7 @@ TIMESTAMP_SERVER_CERT=$CERT_BASE/tsa-mtls-server.crt | |
TIMESTAMP_SERVER_KEY=$CERT_BASE/tsa-mtls-server.key | ||
TIMESTAMP_SERVER_NAME="server.example.com" | ||
TIMESTAMP_SERVER_URL=https://localhost:3000/api/v1/timestamp | ||
TIMESTAMP_CHAIN_FILE="timestamp-chain" | ||
|
||
set +e | ||
COSIGN_CLI=./cosign | ||
|
@@ -50,6 +51,12 @@ timestamp-server serve --disable-ntp-monitoring --tls-host 0.0.0.0 --tls-port 30 | |
--scheme https --tls-ca $TIMESTAMP_CACERT --tls-key $TIMESTAMP_SERVER_KEY \ | ||
--tls-certificate $TIMESTAMP_SERVER_CERT & | ||
|
||
sleep 1 | ||
curl -k -s --key test/testdata/tsa-mtls-client.key \ | ||
--cert test/testdata/tsa-mtls-client.crt \ | ||
--cacert test/testdata/tsa-mtls-ca.crt https://localhost:3000/api/v1/timestamp/certchain \ | ||
> $TIMESTAMP_CHAIN_FILE | ||
echo "DONE: $(ls -l $TIMESTAMP_CHAIN_FILE)" | ||
|
||
IMG=${IMAGE_URI_DIGEST:-} | ||
if [[ "$#" -ge 1 ]]; then | ||
|
@@ -67,7 +74,6 @@ echo "IMG (IMAGE_URI_DIGEST): $IMG, TIMESTAMP_SERVER_URL: $TIMESTAMP_SERVER_URL" | |
|
||
rm -f *.pem import-cosign.* key.pem | ||
|
||
|
||
# use gencert to generate CA, keys and certificates | ||
echo "generate keys and certificates with gencert" | ||
|
||
|
@@ -85,8 +91,8 @@ rm -f key.pem import-cosign.* | |
echo "cosign verify:" | ||
$COSIGN_CLI verify --insecure-ignore-tlog --insecure-ignore-sct --check-claims=true \ | ||
--certificate-identity-regexp '[email protected]' --certificate-oidc-issuer-regexp '.*' \ | ||
--certificate-chain cacert.pem $IMG | ||
--certificate-chain cacert.pem --timestamp-certificate-chain $TIMESTAMP_CHAIN_FILE $IMG | ||
|
||
# cleanup | ||
rm -fr ca-key.pem cacert.pem cert.pem /tmp/timestamp-authority | ||
rm -fr ca-key.pem cacert.pem cert.pem timestamp-chain /tmp/timestamp-authority | ||
pkill -f 'timestamp-server' |