Fix bug where TSA signing fails if cert hash != content hash.
This was fixed upstream in
digitorus/timestamp#19.

We should cut a patch release - the buggy behavior was introduced in
v1.1.2.

NOTE: This potentially breaks some users if they are relying on the new
cert hash behavior introduced in v1.1.2 to support other hash types, but
this fixes those who were broken by the v1.1.2 update.
Support for other hash types can be added in another PR by moving to using
[timestamp.CreateResponseWithOpts](https://pkg.go.dev/github.com/digitorus/timestamp#Timestamp.CreateResponseWithOpts)
and passing in the appropriate hash (but I'm considering that out of
scope for this PR).

Signed-off-by: Billy Lynch <billy@chainguard.dev>
wlynch committed Sep 6, 2023
1 parent 2c6d8fe commit 20368f3
Showing 5 changed files with 6 additions and 6 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -6,7 +6,7 @@ require (
cloud.google.com/go/security v1.15.1
github.com/beevik/ntp v1.3.0
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352
github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c
github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647
github.com/go-chi/chi v4.1.2+incompatible
github.com/go-openapi/errors v0.20.4
github.com/go-openapi/loads v0.21.2
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -134,8 +134,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c h1:kgG83Hfj3YXkUbrihwBxDc0COzP1ZejiDSr4/fItT0E=
github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647 h1:WOk5Aclr/+sZ2/SX2YyxulNFwZOUhSrDJLw5KbHKmdE=
github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
2 changes: 1 addition & 1 deletion pkg/api/timestamp.go
Expand Up @@ -173,7 +173,7 @@ func TimestampResponseHandler(params ts.GetTimestampResponseParams) middleware.R
ExtraExtensions: req.Extensions,
}

resp, err := tsStruct.CreateResponse(api.certChain[0], api.tsaSigner)
resp, err := tsStruct.CreateResponseWithOpts(api.certChain[0], api.tsaSigner, crypto.SHA256)
if err != nil {
return handleTimestampAPIError(params, http.StatusInternalServerError, err, failedToGenerateTimestampResponse)
}
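Review bot: The hard-coded `crypto.SHA256` on the `CreateResponseWithOpts` line needs a comment saying it is deliberate and what it selects, because the description says the v1.1.2 regression came from deriving the certificate hash from the request's hash type, and the next maintainer who sees a fixed digest here will be tempted to "fix" it back to the request's algorithm. Presumably this argument picks the digest for the CMS signature and ESSCertID rather than the request's MessageImprint hash, which is what lets a SHA-384 or SHA-512 request be signed by a SHA-256 identified cert, so a comment such as `// Fixed SHA-256 for the CMS signature/ESSCertID; the request's MessageImprint hash is independent and must not be used here (digitorus/timestamp#19).` would pin that intent. The diffstat shows no import change in this file, so `crypto` must already be imported here; worth confirming rather than assuming. TimestampResponseHandler starts and ends outside this hunk.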
2 changes: 1 addition & 1 deletion pkg/client/mock/mock_tsa_client.go
Expand Up @@ -137,7 +137,7 @@ func (c *TSAClient) GetTimestampResponse(params *ts.GetTimestampResponseParams,
tsStruct.Time = c.Time
}

resp, err := tsStruct.CreateResponse(c.CertChain[0], c.Signer)
resp, err := tsStruct.CreateResponseWithOpts(c.CertChain[0], c.Signer, crypto.SHA256)
if err != nil {
return nil, err
}
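Review bot: The `crypto.SHA256` literal on the mock's `CreateResponseWithOpts` line duplicates the choice made by the real handler in pkg/api/timestamp.go with nothing tying the two together; if the production digest is later made configurable (the description defers passing "the appropriate hash" to a follow-up), this mock will keep signing with SHA-256 and tests built on it will not notice the divergence. A comment naming the coupling, e.g. `// Keep in sync with the digest used by TimestampResponseHandler in pkg/api/timestamp.go.`, or a single shared constant both call sites read, would make that visible. GetTimestampResponse starts and ends outside this hunk.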
2 changes: 1 addition & 1 deletion pkg/verification/verify_test.go
Expand Up @@ -510,7 +510,7 @@ func createSignedTimestamp(certChain []*x509.Certificate, sv *signature.ECDSASig
ExtraExtensions: req.Extensions,
}

resp, err := tsTemplate.CreateResponse(certChain[0], sv)
resp, err := tsTemplate.CreateResponseWithOpts(certChain[0], sv, crypto.SHA256)
if err != nil {
return nil, fmt.Errorf("unexpectedly failed to create timestamp response: %v", err)
}
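Review bot: The test helper now pins `crypto.SHA256` on the `CreateResponseWithOpts` line, but by the diffstat (six additions across five files) this commit adds no regression test for the case named in the title, a request whose message-imprint hash differs from the signing digest. A test that feeds a SHA-384 or SHA-512 imprint through this helper with the SHA-256 signing digest and asserts the resulting response verifies would lock in the upstream fix and catch a future dependency bump that reverts it. If that coverage already exists elsewhere in this file, a short comment on the helper pointing to it would be enough. createSignedTimestamp starts and ends outside this hunk.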
