verifier: Fix TSA cert chain construction (#1482)

* verifier: Fix TSA cert chain construction

Using add_root_certificate() multiple times looks like a bug: it usually
works but in the case of timestamps with no embedded certs verification
seems to fails with
    Certificates neither found in the answer or in the Verification Options

Signed-off-by: Jussi Kukkonen <[email protected]>

* verify: avoid modifying the cert list

We don't need to modify the list so let's avoid it to make it easier to
review.

Signed-off-by: Jussi Kukkonen <[email protected]>

* tests: Add regression test for timestamp without certs

Signed-off-by: Jussi Kukkonen <[email protected]>

---------

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

sigstore/verify/verifier.py

@@ -128,9 +128,18 @@ def _verify_signed_timestamp(
         for certificate_authority in cert_authorities:
             certificates = certificate_authority.certificates(allow_expired=True)
 
-            builder = VerifierBuilder()
-            for certificate in certificates:
-                builder.add_root_certificate(certificate)
+            # We expect at least a signing cert and a root cert but there may be intermediates
+            if len(certificates) < 2:
+                _logger.debug("Unable to verify Timestamp: cert chain is incomplete")
+                continue
+
+            builder = (
+                VerifierBuilder()
+                .tsa_certificate(certificates[0])
+                .add_root_certificate(certificates[-1])
+            )
+            for certificate in certificates[1:-1]:
+                builder = builder.add_intermediate_certificate(certificate)
 
             verifier = builder.build()
             try:

test/assets/tsa/issue1482-message

@@ -377,3 +377,18 @@ def test_verifier_not_enough_timestamp(
                 Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
                 null_policy,
             )
+
+    def test_verify_signed_timestamp_regression(self, asset):
+        """
+        Ensure we correctly verify a timestamp with no embedded certs.
+
+        This is a regression test for # 1482
+        """
+        verifier = Verifier.staging(offline=True)
+        ts = rfc3161_client.decode_timestamp_response(
+            asset("tsa/issue1482-timestamp-with-no-cert").read_bytes()
+        )
+        res = verifier._verify_signed_timestamp(
+            ts, asset("tsa/issue1482-message").read_bytes()
+        )
+        assert res is not None