Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: invalid signing time prompt improvement #173

Merged
merged 10 commits into from
Nov 29, 2023
Merged

chore: invalid signing time prompt improvement #173

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
25fd4da
fix: The notation spec link in annotation is unavailable
fanndu Jul 16, 2023
3427146
chore: add license header to files and github action workflow to chec…
Two-Hearts Jul 18, 2023
5a3a96f
build(deps): bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#153)
dependabot[bot] Jul 18, 2023
0523d06
Merge branch 'main' into main
fanndu Jul 21, 2023
fb926a1
Merge branch 'notaryproject:main' into main
fanndu Sep 10, 2023
c02eb73
Merge branch 'notaryproject:main' into main
fanndu Nov 12, 2023
8ffa3e7
chroe:invalid signing time prompt improvement
fanndu Nov 17, 2023
b18de92
build(deps): bump golang.org/x/crypto from 0.14.0 to 0.15.0 (#172)
dependabot[bot] Nov 20, 2023
1f31663
Merge branch 'notaryproject:main' into main
fanndu Nov 23, 2023
40b1813
Merge branch 'main' into main
fanndu Nov 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions x509/cert_validations.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,8 @@ func validateCertChain(certChain []*x509.Certificate, expectedLeafEku x509.ExtKe
// For self-signed signing certificate (not a CA)
if len(certChain) == 1 {
cert := certChain[0]
if signingTime != nil && (signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter)) {
return fmt.Errorf("certificate with subject %q was not valid at signing time of %s", cert.Subject, signingTime.UTC())
if signedTimeError := validateSigningTime(cert, signingTime); signedTimeError != nil {
return signedTimeError
}
if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: %w", cert.Subject, err)
Expand All @@ -61,8 +61,8 @@ func validateCertChain(certChain []*x509.Certificate, expectedLeafEku x509.ExtKe
}

for i, cert := range certChain {
if signingTime != nil && (signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter)) {
return fmt.Errorf("certificate with subject %q was not valid at signing time of %s", cert.Subject, signingTime.UTC())
if signedTimeError := validateSigningTime(cert, signingTime); signedTimeError != nil {
return signedTimeError
}
if i == len(certChain)-1 {
selfSigned, selfSignedError := isSelfSigned(cert)
Expand Down Expand Up @@ -120,6 +120,14 @@ func isIssuedBy(subject *x509.Certificate, issuer *x509.Certificate) (bool, erro
return bytes.Equal(issuer.RawSubject, subject.RawIssuer), nil
}

func validateSigningTime(cert *x509.Certificate, signingTime *time.Time) error {
if signingTime != nil && (signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter)) {
return fmt.Errorf("certificate with subject %q was invalid at signing time of %s. Certificate is valid from [%s] to [%s]",
cert.Subject, signingTime.UTC(), cert.NotBefore.UTC(), cert.NotAfter.UTC())
}
return nil
}

func validateCACertificate(cert *x509.Certificate, expectedPathLen int) error {
if err := validateCABasicConstraints(cert, expectedPathLen); err != nil {
return err
Expand Down
32 changes: 31 additions & 1 deletion x509/cert_validations_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,37 @@ func TestFailInvalidSigningTime(t *testing.T) {

st := time.Unix(1625690922, 0)
err := ValidateCodeSigningCertChain(certChain, &st)
assertErrorEqual("certificate with subject \"CN=CodeSigningLeaf\" was not valid at signing time of 2021-07-07 20:48:42 +0000 UTC", err, t)
assertErrorEqual("certificate with subject \"CN=CodeSigningLeaf\" was invalid at signing time of 2021-07-07 20:48:42 +0000 UTC. Certificate is valid from [2022-06-30 19:20:03 +0000 UTC] to [3021-10-31 19:20:03 +0000 UTC]", err, t)
}

func TestValidateSigningTime(t *testing.T) {
// codeSigningCert is valid from 2022-06-30 19:20:03 +0000 UTC to 3021-10-31 19:20:03 +0000 UTC
testCases := []struct {
name string
certChain *x509.Certificate
signingTime time.Time
expectErr string
}{
{"invalid before certificate period",
codeSigningCert,
time.Date(2022, 6, 29, 0, 0, 0, 0, time.UTC),
"certificate with subject \"CN=CodeSigningLeaf\" was invalid at signing time of 2022-06-29 00:00:00 +0000 UTC. Certificate is valid from [2022-06-30 19:20:03 +0000 UTC] to [3021-10-31 19:20:03 +0000 UTC]"},
{"invalid after certificate period",
codeSigningCert,
time.Date(3021, 11, 1, 0, 0, 0, 0, time.UTC),
"certificate with subject \"CN=CodeSigningLeaf\" was invalid at signing time of 3021-11-01 00:00:00 +0000 UTC. Certificate is valid from [2022-06-30 19:20:03 +0000 UTC] to [3021-10-31 19:20:03 +0000 UTC]"},
{"valid in certificate period",
codeSigningCert,
time.Date(2023, 10, 10, 0, 0, 0, 0, time.UTC),
""},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
if err := validateSigningTime(tc.certChain, &tc.signingTime); err != nil {
assertErrorEqual(tc.expectErr, err, t)
}
})
}
}

func TestFailChainNotEndingInRoot(t *testing.T) {
Expand Down
Loading