Start adding more verification with VerificationOpts struct

README.md

@@ -27,7 +27,7 @@ To fetch a timestamp with the provided `timestamp-cli`:
 1. Create test blob to sign: `echo "myblob" > myblob`
 1. Build client: `make timestamp-cli`
 1. Fetch timestamp: `./bin/timestamp-cli --timestamp_server http://localhost:3000 timestamp --hash sha256 --artifact myblob --out response.tsr`
-1. Verify timestamp: `./bin/timestamp-cli verify --timestamp response.tsr --artifact "myblob" --cert-chain ts_chain.pem`
+1. Verify timestamp: `./bin/timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem`
 1. Inspect timestamp: `./bin/timestamp-cli inspect --timestamp response.tsr --format json`
 
 To fetch a timestamp with `openssl` and `curl`:

cmd/timestamp-cli/app/verify.go

@@ -18,9 +18,13 @@ package app
 import (
 	"crypto/x509"
 	"fmt"
+	"math/big"
 	"os"
 	"path/filepath"
+	"strconv"
+	"strings"
 
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/timestamp-authority/cmd/timestamp-cli/app/format"
 	"github.com/sigstore/timestamp-authority/pkg/log"
 	"github.com/sigstore/timestamp-authority/pkg/verification"
@@ -41,8 +45,12 @@ func addVerifyFlags(cmd *cobra.Command) {
 	cmd.MarkFlagRequired("artifact") //nolint:errcheck
 	cmd.Flags().Var(NewFlagValue(fileFlag, ""), "timestamp", "path to timestamp response to verify")
 	cmd.MarkFlagRequired("timestamp") //nolint:errcheck
-	cmd.Flags().Var(NewFlagValue(fileFlag, ""), "cert-chain", "path to certificate chain PEM file")
-	cmd.MarkFlagRequired("cert-chain") //nolint:errcheck
+	cmd.Flags().Var(NewFlagValue(fileFlag, ""), "certificate-chain", "path to file with PEM-encoded certificate chain. Ordered from intermediate CA certificate that issued the TSA certificate, ending with the root CA certificate.")
+	cmd.MarkFlagRequired("certificate-chain") //nolint:errcheck
+	cmd.Flags().String("nonce", "", "optional nonce passed with the request")
+	cmd.Flags().Var(NewFlagValue(oidFlag, ""), "oid", "optional TSA policy OID passed with the request")
+	cmd.Flags().String("common-name", "", "expected leaf certificate subject common name")
+	cmd.Flags().Var(NewFlagValue(fileFlag, ""), "certificate", "path to file with PEM-encoded leaf certificate")
 }
 
 var verifyCmd = &cobra.Command{
@@ -67,27 +75,135 @@ func runVerify() (interface{}, error) {
 		return nil, fmt.Errorf("error reading request from file: %w", err)
 	}
 
-	certChainPEM := viper.GetString("cert-chain")
-	pemBytes, err := os.ReadFile(filepath.Clean(certChainPEM))
+	artifactPath := viper.GetString("artifact")
+	artifact, err := os.Open(filepath.Clean(artifactPath))
 	if err != nil {
-		return nil, fmt.Errorf("error reading request from file: %w", err)
+		return nil, err
+	}
+
+	opts, err := newVerifyOpts()
+	if err != nil {
+		return verifyCmdOutput{TimestampPath: tsrPath}, fmt.Errorf("failed to created VerifyOpts: %w", err)
+	}
+
+	err = verification.VerifyTimestampResponse(tsrBytes, artifact, opts)
+
+	return &verifyCmdOutput{TimestampPath: tsrPath}, err
+}
+
+func newVerifyOpts() (verification.VerifyOpts, error) {
+	opts := verification.VerifyOpts{}
+
+	oid, err := getOID()
+	if err != nil {
+		return verification.VerifyOpts{}, fmt.Errorf("failed to parse value from oid flag: %w", err)
+	}
+	opts.OID = oid
+
+	certPathFlagVal := viper.GetString("certificate")
+	if certPathFlagVal != "" {
+		cert, err := parseTSACertificate(certPathFlagVal)
+		if err != nil {
+			return verification.VerifyOpts{}, fmt.Errorf("failed to parse cert flag value from PEM file: %w", err)
+		}
+		opts.TSACertificate = cert
+	}
+
+	roots, intermediates, err := getRootAndIntermediateCerts()
+	if err != nil {
+		return verification.VerifyOpts{}, fmt.Errorf("failed to parse root and intermediate certs from certificate-chain flag: %w", err)
+	}
+	opts.Roots = roots
+	opts.Intermediates = intermediates
+
+	nonce, err := getNonce()
+	if err != nil {
+		return verification.VerifyOpts{}, fmt.Errorf("failed to parse value from nonce flag: %w", err)
+	}
+	opts.Nonce = nonce
+
+	commonNameFlagVal := viper.GetString("common-name")
+	opts.CommonName = commonNameFlagVal
+
+	return opts, nil
+}
+
+func getNonce() (*big.Int, error) {
+	nonceFlagVal := viper.GetString("nonce")
+	if nonceFlagVal == "" {
+		return nil, nil
 	}
 
-	certPool := x509.NewCertPool()
-	ok := certPool.AppendCertsFromPEM(pemBytes)
+	nonce := new(big.Int)
+	nonce, ok := nonce.SetString(nonceFlagVal, 10)
 	if !ok {
-		return nil, fmt.Errorf("error parsing response into Timestamp while appending certs from PEM")
+		return nil, fmt.Errorf("failed to convert string to big.Int")
 	}
+	return nonce, nil
+}
 
-	artifactPath := viper.GetString("artifact")
-	artifact, err := os.Open(filepath.Clean(artifactPath))
+func getRootAndIntermediateCerts() ([]*x509.Certificate, []*x509.Certificate, error) {
+	certChainPEM := viper.GetString("certificate-chain")
+	if certChainPEM == "" {
+		return nil, nil, nil
+	}
+
+	pemBytes, err := os.ReadFile(filepath.Clean(certChainPEM))
 	if err != nil {
-		return nil, err
+		return nil, nil, fmt.Errorf("error reading request from file: %w", err)
 	}
 
-	err = verification.VerifyTimestampResponse(tsrBytes, artifact, certPool)
+	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(pemBytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse intermediate and root certs from PEM file: %w", err)
+	}
 
-	return &verifyCmdOutput{TimestampPath: tsrPath}, err
+	if len(certs) == 0 {
+		return nil, nil, fmt.Errorf("expected at least one certificate to represent the root")
+	}
+
+	// intermediate certs are above the root certificate in the PEM file
+	intermediateCerts := certs[0 : len(certs)-1]
+	// the root certificate is last in the PEM file
+	rootCerts := []*x509.Certificate{certs[len(certs)-1]}
+
+	return rootCerts, intermediateCerts, nil
+}
+
+func getOID() ([]int, error) {
+	oidFlagVal := viper.GetString("oid")
+	if oidFlagVal == "" {
+		return nil, nil
+	}
+
+	oidStrSlice := strings.Split(oidFlagVal, ".")
+	oid := make([]int, len(oidStrSlice))
+	for i, el := range oidStrSlice {
+		intVar, err := strconv.Atoi(el)
+		if err != nil {
+			return nil, err
+		}
+		oid[i] = intVar
+	}
+
+	return oid, nil
+}
+
+func parseTSACertificate(certPath string) (*x509.Certificate, error) {
+	pemBytes, err := os.ReadFile(filepath.Clean(certPath))
+	if err != nil {
+		return nil, fmt.Errorf("error reading TSA's certificate file: %w", err)
+	}
+
+	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(pemBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse TSA certificate during verification: %w", err)
+	}
+	if len(certs) != 1 {
+		return nil, fmt.Errorf("expected one certificate, received %d instead", len(certs))
+	}
+
+	return certs[0], nil
 }
 
 func init() {

pkg/tests/cli_test.go

@@ -18,6 +18,7 @@ package tests
 import (
 	"bytes"
 	"crypto"
+	"encoding/asn1"
 	"encoding/json"
 	"errors"
 	"io"
@@ -41,7 +42,7 @@ const (
 func TestInspect(t *testing.T) {
 	serverURL := createServer(t)
 
-	tsrPath := getTimestamp(t, serverURL, "blob")
+	tsrPath := getTimestamp(t, serverURL, "blob", big.NewInt(0), nil, true)
 
 	// It should create timestamp successfully.
 	out := runCli(t, "inspect", "--timestamp", tsrPath, "--format", "json")
@@ -79,20 +80,50 @@ func TestVerify(t *testing.T) {
 	artifactContent := "blob"
 	artifactPath := makeArtifact(t, artifactContent)
 
-	tsrPath := getTimestamp(t, restapiURL, artifactContent)
+	// this is the common name for the in-memory leaf certificate, copied
+	// from pkg/signer/memory.go
+	commonName := "Test TSA Timestamping"
+	nonce := big.NewInt(456)
+	policyOID := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 2}
+	tsrContainsCerts := true
+
+	tsrPath := getTimestamp(t, restapiURL, artifactContent, nonce, policyOID, tsrContainsCerts)
 
 	// write the cert chain to a PEM file
-	pemPath := getCertChainPEM(t, restapiURL)
+	_, certChainPemPath := writeCertChainToPEMFiles(t, restapiURL)
 
 	// It should verify timestamp successfully.
-	out := runCli(t, "--timestamp_server", restapiURL, "verify", "--timestamp", tsrPath, "--artifact", artifactPath, "--cert-chain", pemPath)
+	out := runCli(t, "--timestamp_server", restapiURL, "verify", "--timestamp", tsrPath, "--artifact", artifactPath, "--certificate-chain", certChainPemPath, "--nonce", nonce.String(), "--oid", policyOID.String(), "--common-name", commonName)
+	outputContains(t, out, "Successfully verified timestamp")
+}
+
+func TestVerifyPassLeafCertificate(t *testing.T) {
+	restapiURL := createServer(t)
+
+	artifactContent := "blob"
+	artifactPath := makeArtifact(t, artifactContent)
+
+	// this is the common name for the in-memory leaf certificate, copied
+	// from pkg/signer/memory.go
+	commonName := "Test TSA Timestamping"
+	nonce := big.NewInt(456)
+	policyOID := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 2}
+	tsrContainsCerts := false
+
+	tsrPath := getTimestamp(t, restapiURL, artifactContent, nonce, policyOID, tsrContainsCerts)
+
+	// write the cert chain to a PEM file
+	leafCertPemPath, certChainPemPath := writeCertChainToPEMFiles(t, restapiURL)
+
+	// It should verify timestamp successfully.
+	out := runCli(t, "--timestamp_server", restapiURL, "verify", "--timestamp", tsrPath, "--artifact", artifactPath, "--certificate-chain", certChainPemPath, "--nonce", nonce.String(), "--oid", policyOID.String(), "--common-name", commonName, "--certificate", leafCertPemPath)
 	outputContains(t, out, "Successfully verified timestamp")
 }
 
 func TestVerify_InvalidTSR(t *testing.T) {
 	restapiURL := createServer(t)
 
-	pemPath := getCertChainPEM(t, restapiURL)
+	_, pemPath := writeCertChainToPEMFiles(t, restapiURL)
 
 	artifactContent := "blob"
 	artifactPath := makeArtifact(t, artifactContent)
@@ -104,7 +135,7 @@ func TestVerify_InvalidTSR(t *testing.T) {
 	}
 
 	// It should return a message that the PEM is not valid
-	out := runCliErr(t, "--timestamp_server", restapiURL, "verify", "--timestamp", invalidTSR, "--artifact", artifactPath, "--cert-chain", pemPath)
+	out := runCliErr(t, "--timestamp_server", restapiURL, "verify", "--timestamp", invalidTSR, "--artifact", artifactPath, "--certificate-chain", pemPath)
 	outputContains(t, out, "error parsing response into Timestamp")
 }
 
@@ -114,17 +145,17 @@ func TestVerify_InvalidPEM(t *testing.T) {
 	artifactContent := "blob"
 	artifactPath := makeArtifact(t, artifactContent)
 
-	tsrPath := getTimestamp(t, restapiURL, artifactContent)
+	tsrPath := getTimestamp(t, restapiURL, artifactContent, big.NewInt(0), nil, true)
 
 	// Create invalid pem
-	invalidPEMPath := filepath.Join(t.TempDir(), "ts_chain.pem")
+	invalidPEMPath := filepath.Join(t.TempDir(), "invalid_pem_path")
 	if err := os.WriteFile(invalidPEMPath, []byte("invalid PEM"), 0600); err != nil {
 		t.Fatal(err)
 	}
 
 	// It should return a message that the PEM is not valid
-	out := runCliErr(t, "--timestamp_server", restapiURL, "verify", "--timestamp", tsrPath, "--artifact", artifactPath, "--cert-chain", invalidPEMPath)
-	outputContains(t, out, "error parsing response into Timestamp while appending certs from PEM")
+	out := runCliErr(t, "--timestamp_server", restapiURL, "verify", "--timestamp", tsrPath, "--artifact", artifactPath, "--certificate-chain", invalidPEMPath)
+	outputContains(t, out, "failed to parse intermediate and root certs from PEM file")
 }
 
 func runCliErr(t *testing.T, arg ...string) string {
@@ -178,17 +209,27 @@ func outputContains(t *testing.T, output, sub string) {
 	}
 }
 
-func getTimestamp(t *testing.T, url string, artifactContent string) string {
+func getTimestamp(t *testing.T, url string, artifactContent string, nonce *big.Int, policyOID asn1.ObjectIdentifier, tsrContainsCerts bool) string {
 	c, err := client.GetTimestampClient(url)
 	if err != nil {
 		t.Fatalf("unexpected error creating client: %v", err)
 	}
 
 	tsNonce := big.NewInt(1234)
+	if nonce != nil {
+		tsNonce = nonce
+	}
+
+	tsPolicyOID := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 2}
+	if policyOID != nil {
+		tsPolicyOID = policyOID
+	}
+
 	tsq, err := ts.CreateRequest(strings.NewReader(artifactContent), &ts.RequestOptions{
 		Hash:         crypto.SHA256,
-		Certificates: true,
+		Certificates: tsrContainsCerts,
 		Nonce:        tsNonce,
+		TSAPolicyOID: tsPolicyOID,
 	})
 	if err != nil {
 		t.Fatalf("unexpected error creating request: %v", err)
@@ -211,8 +252,10 @@ func getTimestamp(t *testing.T, url string, artifactContent string) string {
 	return path
 }
 
-// getCertChainPEM returns the CA certificates to verify a signed timestamp
-func getCertChainPEM(t *testing.T, restapiURL string) string {
+// getCertChainPEM returns the path of a pem file containaing
+// the leaf certificate and the path of a pem file containing the
+// root and intermediate certificates. Used to verify a signed timestamp
+func writeCertChainToPEMFiles(t *testing.T, restapiURL string) (string, string) {
 	c, err := client.GetTimestampClient(restapiURL)
 	if err != nil {
 		t.Fatalf("unexpected error creating client: %v", err)
@@ -223,8 +266,9 @@ func getCertChainPEM(t *testing.T, restapiURL string) string {
 		t.Fatalf("unexpected error getting timestamp chain: %v", err)
 	}
 
-	path := filepath.Join(t.TempDir(), "artifact")
-	file, err := os.Create(path)
+	// create PEM file containing intermediate and root certificates
+	certChainPath := filepath.Join(t.TempDir(), "ts_certchain.pem")
+	file, err := os.Create(certChainPath)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -243,7 +287,23 @@ func getCertChainPEM(t *testing.T, restapiURL string) string {
 	reader := bytes.NewReader(caCertsPEM)
 	file.ReadFrom(reader)
 
-	return path
+	// create PEM file containing the leaf certificate
+	leafCertPath := filepath.Join(t.TempDir(), "ts_leafcert.pem")
+	file, err = os.Create(leafCertPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer file.Close()
+
+	leafCertPEM, err := cryptoutils.MarshalCertificatesToPEM(certs[0:1])
+	if err != nil {
+		t.Fatalf("unexpected error marshalling leaf cert: %v", err)
+	}
+
+	reader = bytes.NewReader(leafCertPEM)
+	file.ReadFrom(reader)
+
+	return leafCertPath, certChainPath
 }
 
 // Create a random artifact to sign