Introduce acceptableRFC3161Time and acceptableRekorBundleTime

We will use them to decouple the bundle handling from certificate expiry verification. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
sigstore · Nov 25, 2022 · 3b21d42 · 3b21d42
1 parent 3b33e6d
commit 3b21d42
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -650,6 +650,7 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C
 func verifyInternal(ctx context.Context, untrustedSignature oci.Signature, h v1.Hash,
 	verifyFn signatureVerificationFn, co *CheckOpts) (
 	bundleVerified bool, err error) {
+	var acceptableRFC3161Time, acceptableRekorBundleTime *time.Time // Timestamps for the signature we accept, or nil if not applicable.
 	verifier := co.SigVerifier
 	if verifier == nil {
 		// If we don't have a public key to check against, we can try a root untrustedCert.
@@ -708,14 +709,15 @@ func verifyInternal(ctx context.Context, untrustedSignature oci.Signature, h v1.
 		}
 		if acceptableRFC3161Timestamp != nil {
 			bundleVerified = true
+			acceptableRFC3161Time = &acceptableRFC3161Timestamp.Time
 
 			cert, err := untrustedSignature.Cert()
 			if err != nil {
 				return false, err
 			}
 			if cert != nil {
 				// Verify the cert against the integrated time.
-				if err := CheckExpiry(cert, acceptableRFC3161Timestamp.Time); err != nil {
+				if err := CheckExpiry(cert, *acceptableRFC3161Time); err != nil {
 					return false, fmt.Errorf("checking expiry on cert: %w", err)
 				}
 			}
@@ -734,10 +736,11 @@ func verifyInternal(ctx context.Context, untrustedSignature oci.Signature, h v1.
 
 		if bundleVerified {
 			// Update with the verified bundle's integrated time.
-			validityTime, err = getBundleIntegratedTime(untrustedSignature)
+			t, err := getBundleIntegratedTime(untrustedSignature)
 			if err != nil {
 				return false, fmt.Errorf("error getting bundle integrated time: %w", err)
 			}
+			acceptableRekorBundleTime = &t
 		} else {
 			// If the --offline flag was specified, fail here. bundleVerified returns false with
 			// no error when there was no bundle provided.
@@ -757,9 +760,13 @@ func verifyInternal(ctx context.Context, untrustedSignature oci.Signature, h v1.
 				if err != nil {
 					return false, err
 				}
-				validityTime = time.Unix(*e.IntegratedTime, 0)
+				t := time.Unix(*e.IntegratedTime, 0)
+				acceptableRekorBundleTime = &t
 			}
 		}
+		if acceptableRekorBundleTime != nil {
+			validityTime = *acceptableRekorBundleTime
+		}
 
 		// 3. if a certificate was used, verify the cert against the integrated time.
 		cert, err := untrustedSignature.Cert()