Start adding more verification with VerificationOpts struct

[malancas]

Summary

Part of #121. This PR starts adding additional verification using a VerificationOpts struct. More verification will be added in follow ups after some upstream changes to the timestamp package.

This PR adds the following verifications:

• Verify the TSR's certificate identifier matches a provided TSA certificate
• Verify the leaf certificate's subject name matches a provided subject
• Verify that the TSR's embedded leaf certificate matches a provided TSA certificate
• Verify the TSA certificate and the intermediates have the extended key usage set to only timestamping
• Verify the OID of the TSR matches an expected OID
• Verify the status of the TSR does not contain an error
• Verify the TSR's nonce matches a provided nonce

Release Note

Documentation

[hectorj2f]

nit: we could omit adding --tsa- as prefix to the flag.

Q: Is this an intermediate or root cert ?

[malancas]

@haydentherapper currently all verification is handled in a single function VerifyTimestampResponse exported from the verification package. Here I add new verification functions separately. Do you have thoughts on whether all new verification functions should be called from VerifyTimestampResponse or if they should be called directly from here?

[haydentherapper]

I think it'd be best to have a single exported verification function that performs all other verifications. If you think there's value in exporting the sub-verification functions, maybe we put them under an internal package?

[malancas]

Happy to use a single exported function, I'll make that change.

[haydentherapper]

Sorry, I might have misunderstood, but we should keep flags out of the core library and just in the client. If you want to have this function that handles things like parsing OIDs, it should take in values that are already read in from the flags. Also, personally I prefer to not have files read from disk as part of the library, so I think this should also be handled in the client and the chain passed into the function.

So I'd say either:

• Move NewVerifyOpts to the client application with all flag parsing there
• Move NewVerifyOpts to the client app, but provide some helper utilities for constructing OIDs and splitting PEM chains into cert pools
• Keep NewVerifyOpts here, but have it take in all values (OID as a string, PEM chain as a string), and read in flags in the client app

Does that seem reasonable?

[malancas]

I agree about keeping the flag parsing in the app CLI package. Just moved that over.

[hectorj2f]

Does this refer to the hash algorithm OID ? If so, we might want to explain it in the description.

[hectorj2f]

If so, we could rename this flag to hash-algorithm-oid

[malancas]

No, this refers to the TSA policy OID. I'll update the description to "optional TSA policy OID passed with the request".

[hectorj2f]

Suggestion: The code looks good. I just share a suggestion here, feel free to adjust it.
To avoid all these != nil if statements for all the VerifyOpts fields, you could create functions for verifyOpts as such:

(v *VerifyOpts) OID(...) where you set the OID if passed.
(v *VerifyOpts) Nonce(...) where you set the Nonce if passed.
...
So you move all that logic inside these functions and only check for errors here.

[malancas]

Since the VerifyOpts fields will be initialized to their respective zero values when the struct instance is created, we could just set the fields to the values returned by the getter functions like getCerts and remove the if statements altogether, since the getters will return zero values if no valid flag value is found. But I'm happy to add methods if you prefer.

[malancas]

@haydentherapper there are changes to the PKCS7 methods in haydentherapper/pkcs7#2 that can be used in this pull request. I think it would be better to merge that one first and then pull the updated dependency into this pull request. The dependency update should be straight forward.

[haydentherapper]

It should be fine to unconditionally set the options. Also if there's only a root provided and no intermediates, will this conditional be skipped?

[malancas]

Yes it will be skipped, I'll remove that.

[haydentherapper]

LGTM, just a few nits

[haydentherapper]

@malancas what do you think if we first merged this PR, rather than wait for the other? Then we'll get the pkcs7 changes merged, update the timestamp repo fork too, and then update verification to pass the intermediates/roots? We won't cut a new release til we get the CA cert verification in

[malancas]

@haydentherapper that sounds good. I just want to call out the skipped test TestVerifyPassLeafCertificate. This test is currently failing because verifySignature expects that the TSR contain certificates. This function gets called by the PKCS7#VerifyWithChain method in the VerifyTSRWithChain function.

We can change the verifySignature function upstream along with the other changes discussed or I can change the code here and make sure the test passes. Let me know what you think.

[haydentherapper]

@malancas Hm, yea, that's unfortunate. What do you think about updating the verifier to reject timestamps that do not include a certificate? We can leave all the other code in place, just add a TODO to remove the rejection once we update the pkcs7 library.

[haydentherapper]

Another idea, can you populate p7.Certificates without affecting the signature verification? you might be able to, if nothing is recomputed that would mess up signature verification

[haydentherapper]

Looking over the code, the signature is verified against p7.Content. I think signer.IssuerAndSerialNumber is unconditionally set, so then if you just populate p7.Certificates = []*x509.Certificate{leafCert}, I think it might work?

[malancas]

@haydentherapper populating p7.Certificates = []*x509.Certificate{leafCert} seems to work. I'll push a change with that.

[haydentherapper]

Awesome!!