From 20368f3fc2bea4f860f01bb5530427b12bffd99e Mon Sep 17 00:00:00 2001
From: Billy Lynch
Date: Tue, 5 Sep 2023 18:44:52 -0400
Subject: [PATCH] Fix bug where TSA signing fails if cert hash != content hash.

This was fixed upstream in https://github.com/digitorus/timestamp/pull/19. We should cut a patch release - the buggy behavior was introduced in v1.1.2.

NOTE: This potentially breaks some users if they are relying on the new cert hash behavior introduced in v1.1.2 to support other hash types, but this fixes those who were broken by the v1.1.2 update. Support for other hash types can be added in another PR by moving to using [timestamp.CreateResponseWithOpts](https://pkg.go.dev/github.com/digitorus/timestamp#Timestamp.CreateResponseWithOpts) and passing in the appropriate hash (but I'm considering that out of scope for this PR).

Signed-off-by: Billy Lynch
---
 go.mod                             | 2 +-
 go.sum                             | 4 ++--
 pkg/api/timestamp.go               | 2 +-
 pkg/client/mock/mock_tsa_client.go | 2 +-
 pkg/verification/verify_test.go    | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index ee22d258..841b0005 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	cloud.google.com/go/security v1.15.1
 	github.com/beevik/ntp v1.3.0
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352
-	github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c
+	github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-openapi/errors v0.20.4
 	github.com/go-openapi/loads v0.21.2
diff --git a/go.sum b/go.sum
index dae3f2df..6a3d4d63 100644
--- a/go.sum
+++ b/go.sum
@@ -134,8 +134,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
-github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c h1:kgG83Hfj3YXkUbrihwBxDc0COzP1ZejiDSr4/fItT0E=
-github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
+github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647 h1:WOk5Aclr/+sZ2/SX2YyxulNFwZOUhSrDJLw5KbHKmdE=
+github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
diff --git a/pkg/api/timestamp.go b/pkg/api/timestamp.go
index cbedb1ef..c4abfd36 100644
--- a/pkg/api/timestamp.go
+++ b/pkg/api/timestamp.go
@@ -173,7 +173,7 @@ func TimestampResponseHandler(params ts.GetTimestampResponseParams) middleware.R
 		ExtraExtensions: req.Extensions,
 	}
 
-	resp, err := tsStruct.CreateResponse(api.certChain[0], api.tsaSigner)
+	resp, err := tsStruct.CreateResponseWithOpts(api.certChain[0], api.tsaSigner, crypto.SHA256)
 	if err != nil {
 		return handleTimestampAPIError(params, http.StatusInternalServerError, err, failedToGenerateTimestampResponse)
 	}
diff --git a/pkg/client/mock/mock_tsa_client.go b/pkg/client/mock/mock_tsa_client.go
index cb708ba9..78eb99cc 100644
--- a/pkg/client/mock/mock_tsa_client.go
+++ b/pkg/client/mock/mock_tsa_client.go
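Review bot: The hash handed to `CreateResponseWithOpts` on the new `resp, err :=` line is the bare literal `crypto.SHA256`, and the same literal is repeated in the `mock_tsa_client.go` and `verify_test.go` hunks, so the server, the mock and the verification test can drift apart without any compiler help; a single named value in the api package, e.g. `// TSASigningHash is the digest the TSA uses for its own certificate hash when building a response.` over `const TSASigningHash = crypto.SHA256`, referenced from the mock and the test, would keep the three in lock-step. The commit description still says that moving to `CreateResponseWithOpts` is out of scope, while this hunk does exactly that with a fixed hash, so the description should state that the call site already changed and that only selecting the hash from the request remains for a follow-up. Because the hash is now pinned independently of whatever algorithm the client used for its message imprint (as far as I can tell from the upstream change the description links), a short why-comment on the call such as `// SHA-256 is pinned for the TSA's certificate hash regardless of the request's message-imprint algorithm; see digitorus/timestamp#19.` would stop the next reader from "fixing" it back. TimestampResponseHandler starts and ends outside the hunk.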
@@ -137,7 +137,7 @@ func (c *TSAClient) GetTimestampResponse(params *ts.GetTimestampResponseParams,
 		tsStruct.Time = c.Time
 	}
 
-	resp, err := tsStruct.CreateResponse(c.CertChain[0], c.Signer)
+	resp, err := tsStruct.CreateResponseWithOpts(c.CertChain[0], c.Signer, crypto.SHA256)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/verification/verify_test.go b/pkg/verification/verify_test.go
index ceb9879a..b97e679c 100644
--- a/pkg/verification/verify_test.go
+++ b/pkg/verification/verify_test.go
@@ -510,7 +510,7 @@ func createSignedTimestamp(certChain []*x509.Certificate, sv *signature.ECDSASig
 		ExtraExtensions: req.Extensions,
 	}
 
-	resp, err := tsTemplate.CreateResponse(certChain[0], sv)
+	resp, err := tsTemplate.CreateResponseWithOpts(certChain[0], sv, crypto.SHA256)
 	if err != nil {
 		return nil, fmt.Errorf("unexpectedly failed to create timestamp response: %v", err)
 	}