feat: Timestamp (#418)

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>

config/base_test.go

@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-go/dir"
@@ -33,6 +34,9 @@ func TestLoadNonExistentFile(t *testing.T) {
 }
 
 func TestLoadSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("skipping test on Windows")
+	}
 	root := t.TempDir()
 	dir.UserConfigDir = root
 	fileName := "symlink"

example_localVerify_test.go

@@ -31,7 +31,7 @@ import (
 
 // examplePolicyDocument is an example of a valid trust policy document.
 // trust policy document should follow this spec:
-// https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/trust-store-trust-policy.md#trust-policy
+// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy
 var examplePolicyDocument = trustpolicy.Document{
 	Version: "1.0",
 	TrustPolicies: []trustpolicy.TrustPolicy{
@@ -75,7 +75,7 @@ func Example_localVerify() {
 	// createTrustStore creates a trust store directory for demo purpose.
 	// Users could use the default trust store from Notary and add trusted
 	// certificates into it following the trust store spec:
-	// https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/trust-store-trust-policy.md#trust-store
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-store
 	if err := createTrustStore(); err != nil {
 		panic(err) // Handle error
 	}
@@ -173,7 +173,7 @@ func createTrustStore() error {
 	// Users should replace `exampleX509Certificate` with their own trusted
 	// certificate and add to the trust store, following the
 	// Notary certificate requirements:
-	// https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/signature-specification.md#certificate-requirements
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
 	exampleX509Certificate := `-----BEGIN CERTIFICATE-----
 MIIDQDCCAiigAwIBAgIBUTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL
 MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEP

example_remoteVerify_test.go

@@ -37,7 +37,7 @@ func Example_remoteVerify() {
 
 	// examplePolicyDocument is an example of a valid trust policy document.
 	// trust policy document should follow this spec:
-	// https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/trust-store-trust-policy.md#trust-policy
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy
 	examplePolicyDocument := trustpolicy.Document{
 		Version: "1.0",
 		TrustPolicies: []trustpolicy.TrustPolicy{
@@ -52,9 +52,9 @@ func Example_remoteVerify() {
 	}
 
 	// generateTrustStore generates a trust store directory for demo purpose.
-	// Users could use the default trust store from Notary and add trusted
-	// certificates into it following the trust store spec:
-	// https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/trust-store-trust-policy.md#trust-store
+	// Users should configure their own trust store and add trusted certificates
+	// into it following the trust store spec:
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-store
 	if err := generateTrustStore(); err != nil {
 		panic(err) // Handle error
 	}
@@ -102,7 +102,7 @@ func generateTrustStore() error {
 	// Users should replace `exampleX509Certificate` with their own trusted
 	// certificate and add to the trust store, following the
 	// Notary certificate requirements:
-	// https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/signature-specification.md#certificate-requirements
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
 	exampleX509Certificate := `-----BEGIN CERTIFICATE-----
 MIIDQDCCAiigAwIBAgIBUTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL
 MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEP

example_signWithTimestmap_test.go

@@ -0,0 +1,99 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notation_test
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+
+	"oras.land/oras-go/v2/registry/remote"
+
+	"github.com/notaryproject/notation-core-go/testhelper"
+	"github.com/notaryproject/notation-go"
+	"github.com/notaryproject/notation-go/registry"
+	"github.com/notaryproject/notation-go/signer"
+	"github.com/notaryproject/tspclient-go"
+)
+
+// Example_signWithTimestamp demonstrates how to use notation.Sign to sign an
+// artifact with a RFC 3161 compliant timestamp countersignature and
+// user trusted TSA root certificate
+func Example_signWithTimestamp() {
+	// exampleArtifactReference is an example of the target artifact reference
+	var exampleArtifactReference = "localhost:5000/software@sha256:60043cf45eaebc4c0867fea485a039b598f52fd09fd5b07b0b2d2f88fad9d74e"
+
+	// exampleCertTuple contains a RSA privateKey and a self-signed X509
+	// certificate generated for demo purpose ONLY.
+	exampleCertTuple := testhelper.GetRSASelfSignedSigningCertTuple("Notation Example self-signed")
+	exampleCerts := []*x509.Certificate{exampleCertTuple.Cert}
+
+	// exampleSigner is a notation.Signer given key and X509 certificate chain.
+	// Users should replace `exampleCertTuple.PrivateKey` with their own private
+	// key and replace `exampleCerts` with the corresponding full certificate
+	// chain, following the Notary certificate requirements:
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
+	exampleSigner, err := signer.NewGenericSigner(exampleCertTuple.PrivateKey, exampleCerts)
+	if err != nil {
+		panic(err) // Handle error
+	}
+
+	// exampleRepo is an example of registry.Repository.
+	remoteRepo, err := remote.NewRepository(exampleArtifactReference)
+	if err != nil {
+		panic(err) // Handle error
+	}
+	exampleRepo := registry.NewRepository(remoteRepo)
+
+	// replace exampleRFC3161TSAServer with your trusted TSA server URL.
+	exampleRFC3161TSAServer := "<TSA server URL>"
+	httpTimestamper, err := tspclient.NewHTTPTimestamper(nil, exampleRFC3161TSAServer)
+	if err != nil {
+		panic(err) // Handle error
+	}
+
+	// replace exampleTSARootCertPem with your trusted TSA root cert.
+	exampleTSARootCertPem := "<TSA root cert>"
+	block, _ := pem.Decode([]byte(exampleTSARootCertPem))
+	if block == nil {
+		panic("failed to parse tsa root certificate PEM")
+	}
+	tsaRootCert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		panic("failed to parse tsa root certificate: " + err.Error())
+	}
+	tsaRootCAs := x509.NewCertPool()
+	tsaRootCAs.AddCert(tsaRootCert)
+
+	// exampleSignOptions is an example of notation.SignOptions.
+	exampleSignOptions := notation.SignOptions{
+		SignerSignOptions: notation.SignerSignOptions{
+			SignatureMediaType: exampleSignatureMediaType,
+			Timestamper:        httpTimestamper,
+			TSARootCAs:         tsaRootCAs,
+		},
+		ArtifactReference: exampleArtifactReference,
+	}
+
+	targetDesc, err := notation.Sign(context.Background(), exampleSigner, exampleRepo, exampleSignOptions)
+	if err != nil {
+		panic(err) // Handle error
+	}
+
+	fmt.Println("Successfully signed")
+	fmt.Println("targetDesc MediaType:", targetDesc.MediaType)
+	fmt.Println("targetDesc Digest:", targetDesc.Digest)
+	fmt.Println("targetDesc Size:", targetDesc.Size)
+}

example_verifyWithTimestamp_test.go

@@ -0,0 +1,192 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notation_test
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	_ "github.com/notaryproject/notation-core-go/signature/cose"
+	_ "github.com/notaryproject/notation-core-go/signature/jws"
+	"github.com/notaryproject/notation-go"
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/registry"
+	"github.com/notaryproject/notation-go/verifier"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+	"github.com/notaryproject/notation-go/verifier/truststore"
+	"oras.land/oras-go/v2/registry/remote"
+)
+
+// Example_verifyWithTimestamp demonstrates how to use notation.Verify to verify
+// signature of an artifact including RFC 3161 compliant timestamp countersignature
+func Example_verifyWithTimestamp() {
+	// exampleArtifactReference is an example of the target artifact reference
+	exampleArtifactReference := "localhost:5000/software@sha256:60043cf45eaebc4c0867fea485a039b598f52fd09fd5b07b0b2d2f88fad9d74e"
+
+	// examplePolicyDocument is an example of a valid trust policy document with
+	// timestamping configurations.
+	// trust policy document should follow this spec:
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy
+	examplePolicyDocument := trustpolicy.Document{
+		Version: "1.0",
+		TrustPolicies: []trustpolicy.TrustPolicy{
+			{
+				Name:           "test-statement-name",
+				RegistryScopes: []string{"*"},
+				SignatureVerification: trustpolicy.SignatureVerification{
+					VerificationLevel: trustpolicy.LevelStrict.Name,
+
+					// verify timestamp countersignature only if the signing
+					// certificate chain has expired.
+					// Default: trustpolicy.OptionAlways
+					VerifyTimestamp: trustpolicy.OptionAfterCertExpiry,
+				},
+
+				// `tsa` trust store type MUST be configured to enable
+				// timestamp verification
+				TrustStores: []string{"ca:valid-trust-store", "tsa:valid-tsa"},
+
+				// TrustedIdentities only contains trusted identities of `ca`
+				// and `signingAuthority`
+				TrustedIdentities: []string{"*"},
+			},
+		},
+	}
+
+	// generateTrustStoreWithTimestamp generates a trust store directory for demo purpose.
+	// Users should configure their own trust store and add trusted certificates
+	// into it following the trust store spec:
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-store
+	if err := generateTrustStoreWithTimestamp(); err != nil {
+		panic(err) // Handle error
+	}
+
+	// exampleVerifier is an example of notation.Verifier given
+	// trust policy document and X509 trust store.
+	exampleVerifier, err := verifier.New(&examplePolicyDocument, truststore.NewX509TrustStore(dir.ConfigFS()), nil)
+	if err != nil {
+		panic(err) // Handle error
+	}
+
+	// exampleRepo is an example of registry.Repository.
+	remoteRepo, err := remote.NewRepository(exampleArtifactReference)
+	if err != nil {
+		panic(err) // Handle error
+	}
+	exampleRepo := registry.NewRepository(remoteRepo)
+
+	// exampleVerifyOptions is an example of notation.VerifyOptions.
+	exampleVerifyOptions := notation.VerifyOptions{
+		ArtifactReference:    exampleArtifactReference,
+		MaxSignatureAttempts: 50,
+	}
+
+	// remote verify core process
+	// upon successful verification, the target manifest descriptor
+	// and signature verification outcome are returned.
+	targetDesc, _, err := notation.Verify(context.Background(), exampleVerifier, exampleRepo, exampleVerifyOptions)
+	if err != nil {
+		panic(err) // Handle error
+	}
+
+	fmt.Println("Successfully verified")
+	fmt.Println("targetDesc MediaType:", targetDesc.MediaType)
+	fmt.Println("targetDesc Digest:", targetDesc.Digest)
+	fmt.Println("targetDesc Size:", targetDesc.Size)
+}
+
+func generateTrustStoreWithTimestamp() error {
+	// changing the path of the trust store for demo purpose.
+	// Users could keep the default value, i.e. os.UserConfigDir.
+	dir.UserConfigDir = "tmp"
+
+	// an example of a valid X509 self-signed certificate for demo purpose ONLY.
+	// Users should replace `exampleX509Certificate` with their own trusted
+	// certificate and add to the trust store, following the
+	// Notary certificate requirements:
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
+	exampleX509Certificate := `-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIBUTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEP
+MA0GA1UEAxMGYWxwaW5lMCAXDTAwMDgyOTEzNTAwMFoYDzIxMjMwODI5MTM1MDAw
+WjBOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUx
+DzANBgNVBAoTBk5vdGFyeTEPMA0GA1UEAxMGYWxwaW5lMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAocg3qEsyNDDLfB8OHD4dhi+M1NPK1Asy5NX84c+g
+vacZuoPLTwmpOfm6nPt7GPPB9G7S6xxhFNbRxTYfYUjK+kaCj38XjBRf5lGewbSJ
+KVkxQ82/axU70ceSW3JpazrageN9JUTZ/Jfi4MfnipITwcmMoiij8eGrHskjyVyZ
+bJd0WMMKRDWVhLPUiPMVWt/4d7YtZItzacaQKtXmXgsTCTWpIols3gftNYjrQoMs
+UelUdD8vOAWN9J28/SyC+uSh/K1KfyUlbqufn4di8DEBxntP5wnXYbJL1jtjsUgE
+xAVjQxT1zI59X36m3t3YKqCQh1cud02L5onObY6zj57N6QIDAQABoycwJTAOBgNV
+HQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQAD
+ggEBAC8AjBLy7EsRpi6oguCdFSb6nRGjvF17N+b6mDb3sARnB8T1pxvzTT26ya+A
+yWR+jjodEwbMIS+13lV+9qT2LwqlbOUNY519Pa2GRRY72JjeowWI3iKkKaMzfZUB
+7lRTGXdEuZApLbTO/3JVcR9ffu00N1UaAP9YGElSt4JDJYA9M+d/Qto+HiIsE0Kj
++jdnwIYovPPOlryKOLfFb/r1GEq7n63xFZz83iyWNaZdsJ5N3YHxdOpkbBbCalOE
+BDJTjQKqeAYBLoANNU0OBslmqHCSBTEnhbqJHN6QKyF09ScOl5LwM1QsTl0UY5si
+GLAfj/jSf9OH9VLTPHOS8/N0Ka4=
+-----END CERTIFICATE-----`
+
+	// Adding the certificate into the trust store.
+	if err := os.MkdirAll("tmp/truststore/x509/ca/valid-trust-store", 0700); err != nil {
+		return err
+	}
+	if err := os.WriteFile("tmp/truststore/x509/ca/valid-trust-store/NotationExample.pem", []byte(exampleX509Certificate), 0600); err != nil {
+		return err
+	}
+
+	// an example of a valid TSA root certificate for demo purpose ONLY.
+	// Users should replace `exampleTSARootCertificate` with their own trusted
+	// TSA root certificate and add to the trust store, following the
+	// Notary certificate requirements:
+	// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
+	exampleTSARootCertificate := `-----BEGIN CERTIFICATE-----
+		MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
+		MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+		d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
+		RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
+		UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
+		Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
+		SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
+		ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
+		xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
+		ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
+		DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
+		jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
+		CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
+		EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
+		fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
+		uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
+		chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
+		9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+		hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
+		ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
+		SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
+		+SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
+		fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
+		sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
+		cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
+		0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
+		4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
+		r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
+		/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
+		gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
+		-----END CERTIFICATE-----`
+
+	// Adding the tsa root certificate into the trust store.
+	if err := os.MkdirAll("tmp/truststore/x509/tsa/valid-tsa", 0700); err != nil {
+		return err
+	}
+	return os.WriteFile("tmp/truststore/x509/tsa/valid-tsa/NotationTSAExample.pem", []byte(exampleTSARootCertificate), 0600)
+}

go.mod

@@ -4,8 +4,9 @@ go 1.21
 
 require (
 	github.com/go-ldap/ldap/v3 v3.4.8
-	github.com/notaryproject/notation-core-go v1.0.3
+	github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
+	github.com/notaryproject/tspclient-go v0.1.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/veraison/go-cose v1.1.0
@@ -16,7 +17,7 @@ require (
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect