Merge pull request #1024 from sigstore/timestamp-keyless

aaronlew02 · web-flow · commit 6dbfb3820b5f · 2025-07-21T15:19:46.000-04:00
fix: Re-add timestamp verification in KeylessVerifier
diff --git a/sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java b/sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java
@@ -42,6 +42,9 @@
 import dev.sigstore.rekor.client.RekorVerifier;
 import dev.sigstore.rekor.dsse.v0_0_1.Dsse;
 import dev.sigstore.rekor.dsse.v0_0_1.PayloadHash;
+import dev.sigstore.timestamp.client.ImmutableTimestampResponse;
+import dev.sigstore.timestamp.client.TimestampException;
+import dev.sigstore.timestamp.client.TimestampVerificationException;
 import dev.sigstore.timestamp.client.TimestampVerifier;
 import dev.sigstore.trustroot.SigstoreConfigurationException;
 import dev.sigstore.tuf.SigstoreTufClient;
@@ -54,6 +57,8 @@
 import java.security.SignatureException;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
@@ -176,13 +181,41 @@ public void verify(byte[] artifactDigest, Bundle bundle, VerificationOptions opt
       signature = dsseEnvelope.getSignature();
     }
 
+    verifyTimestamps(leafCert, bundle.getTimestamps(), signature);
+
     try {
       rekorVerifier.verifyEntry(rekorEntry);
     } catch (RekorVerificationException ex) {
       throw new KeylessVerificationException("Transparency log entry could not be verified", ex);
     }
   }
 
+  private void verifyTimestamps(
+      X509Certificate leafCert, List<Bundle.Timestamp> timestamps, byte[] signature)
+      throws KeylessVerificationException {
+    if (timestamps == null || timestamps.isEmpty()) {
+      return;
+    }
+    for (Bundle.Timestamp timestamp : timestamps) {
+      byte[] tsBytes = timestamp.getRfc3161Timestamp();
+      if (tsBytes == null || tsBytes.length == 0) {
+        throw new KeylessVerificationException(
+            "Found an empty or null RFC3161 timestamp in bundle");
+      }
+      try {
+        var tsResp = ImmutableTimestampResponse.builder().encoded(tsBytes).build();
+        timestampVerifier.verify(tsResp, signature);
+        leafCert.checkValidity(tsResp.getGenTime());
+      } catch (TimestampException
+          | CertificateNotYetValidException
+          | CertificateExpiredException
+          | TimestampVerificationException e) {
+        throw new KeylessVerificationException(
+            "RFC3161 timestamp verification failed: " + e.getMessage(), e);
+      }
+    }
+  }
+
   @VisibleForTesting
   void checkCertificateMatchers(X509Certificate cert, List<CertificateMatcher> matchers)
       throws KeylessVerificationException {
diff --git a/sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java b/sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java
@@ -553,6 +553,94 @@ public void testVerify_unsupportedRekorVersion_rekorV2() throws Exception {
     Assertions.assertEquals("Unsupported hashedrekord version", ex.getMessage());
   }
 
+  @Test
+  public void testVerify_validRfc3161Timestamp() throws Exception {
+    var artifactUrl = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt");
+    var artifactBytes = Resources.toByteArray(artifactUrl);
+    var artifactDigest = Hashing.sha256().hashBytes(artifactBytes).asBytes();
+
+    var bundleFile =
+        Resources.toString(
+            Resources.getResource("dev/sigstore/samples/bundles/bundle-with-timestamp.sigstore"),
+            StandardCharsets.UTF_8);
+    var verifier = KeylessVerifier.builder().sigstoreStagingDefaults().build();
+
+    Assertions.assertDoesNotThrow(
+        () ->
+            verifier.verify(
+                artifactDigest,
+                Bundle.from(new StringReader(bundleFile)),
+                VerificationOptions.empty()));
+  }
+
+  @Test
+  public void testVerify_invalidRfc3161Timestamp() throws Exception {
+    var tsRespBytesInvalid =
+        Resources.toByteArray(
+            Resources.getResource(
+                "dev/sigstore/samples/timestamp-response/invalid/sigstore_tsa_response_invalid.tsr"));
+
+    var artifactUrl = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt");
+    var artifactBytes = Resources.toByteArray(artifactUrl);
+    var artifactDigest = Hashing.sha256().hashBytes(artifactBytes).asBytes();
+
+    var bundleFile =
+        Resources.toString(
+            Resources.getResource("dev/sigstore/samples/bundles/bundle.v3.sigstore"),
+            StandardCharsets.UTF_8);
+
+    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
+
+    var baseBundle = Bundle.from(new StringReader(bundleFile));
+    var testBundle =
+        ImmutableBundle.builder()
+            .from(baseBundle)
+            .timestamps(List.of(createTimestamp(tsRespBytesInvalid)))
+            .build();
+    var ex =
+        Assertions.assertThrows(
+            KeylessVerificationException.class,
+            () -> verifier.verify(artifactDigest, testBundle, VerificationOptions.empty()));
+    MatcherAssert.assertThat(
+        ex.getMessage(),
+        CoreMatchers.equalTo(
+            "RFC3161 timestamp verification failed: Failed to parse TimeStampResponse"));
+  }
+
+  @Test
+  public void testVerify_invalidTimestampGenTime() throws Exception {
+    var tsRespBytesInvalidGenTime =
+        Resources.toByteArray(
+            Resources.getResource(
+                "dev/sigstore/samples/timestamp-response/valid/sigstore_tsa_response_with_embedded_certs.tsr"));
+
+    var artifactResourcePath = "dev/sigstore/samples/bundles/artifact.txt";
+    var artifactBytes = Resources.toByteArray(Resources.getResource(artifactResourcePath));
+    var artifactDigest = Hashing.sha256().hashBytes(artifactBytes).asBytes();
+
+    var bundleFileContent =
+        Resources.toString(
+            Resources.getResource("dev/sigstore/samples/bundles/bundle.v3.sigstore"),
+            StandardCharsets.UTF_8);
+    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
+
+    var baseBundle = Bundle.from(new StringReader(bundleFileContent));
+    var testBundle =
+        ImmutableBundle.builder()
+            .from(baseBundle)
+            .timestamps(List.of(createTimestamp(tsRespBytesInvalidGenTime)))
+            .build();
+
+    var ex =
+        Assertions.assertThrows(
+            KeylessVerificationException.class,
+            () -> verifier.verify(artifactDigest, testBundle, VerificationOptions.empty()));
+    MatcherAssert.assertThat(
+        ex.getMessage(),
+        CoreMatchers.startsWith(
+            "RFC3161 timestamp verification failed: Certificate was not verifiable against TSAs"));
+  }
+
   @Test
   public void testVerify_validRfc3161Timestamp_rekorV1() throws Exception {
     var artifact = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt").getPath();
@@ -642,32 +730,6 @@ public void testVerify_invalidSet_validRfc3161Timestamp_rekorV1() throws Excepti
         ex.getCause().getMessage(), CoreMatchers.equalTo("Entry SET was not valid"));
   }
 
-  @Test
-  public void testVerify_validSet_invalidRfc3161Timestamp_rekorV1() throws Exception {
-    var bundleFile =
-        Resources.toString(
-            Resources.getResource("dev/sigstore/samples/bundles/bundle.v3.sigstore"),
-            StandardCharsets.UTF_8);
-    var baseBundle = Bundle.from(new StringReader(bundleFile));
-
-    var tsRespBytesInvalid =
-        Resources.toByteArray(
-            Resources.getResource(
-                "dev/sigstore/samples/timestamp-response/invalid/sigstore_tsa_response_invalid.tsr"));
-
-    var testBundle =
-        ImmutableBundle.builder()
-            .from(baseBundle)
-            .timestamps(List.of(createTimestamp(tsRespBytesInvalid)))
-            .build();
-
-    var artifact = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt").getPath();
-    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
-
-    Assertions.assertDoesNotThrow(
-        () -> verifier.verify(Path.of(artifact), testBundle, VerificationOptions.empty()));
-  }
-
   private Bundle.Timestamp createTimestamp(byte[] rfc3161Bytes) {
     return () -> rfc3161Bytes;
   }
