fix: timestamp against signing time (#518)

Two-Hearts · web-flow · commit bb2ee7a8a7ac · 2025-02-21T16:11:11.000+08:00
Signed-off-by: Patrick Zheng &lt;patrickzheng@microsoft.com&gt;
diff --git a/verifier/timestamp_test.go b/verifier/timestamp_test.go
@@ -287,29 +287,6 @@ func TestAuthenticTimestamp(t *testing.T) {
 		}
 	})
 
-	t.Run("verify Authentic Timestamp failed due to signing time after timestamp value", func(t *testing.T) {
-		signedToken, err := os.ReadFile("testdata/timestamp/countersignature/TimeStampToken.p7s")
-		if err != nil {
-			t.Fatalf("failed to get signedToken: %v", err)
-		}
-		envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope)
-		if err != nil {
-			t.Fatalf("failed to get signature envelope content: %v", err)
-		}
-		envContent.SignerInfo.UnsignedAttributes.TimestampSignature = signedToken
-		envContent.SignerInfo.Signature = []byte("notation")
-		envContent.SignerInfo.SignedAttributes.SigningTime = time.Date(3000, time.November, 10, 23, 0, 0, 0, time.UTC)
-		outcome := &notation.VerificationOutcome{
-			EnvelopeContent:   envContent,
-			VerificationLevel: trustpolicy.LevelStrict,
-		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome)
-		expectedErrMsg := "timestamp [2021-09-17T14:09:09Z, 2021-09-17T14:09:11Z] is not bounded after the signing time \"3000-11-10 23:00:00 +0000 UTC\""
-		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
-			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
-		}
-	})
-
 	t.Run("verify Authentic Timestamp failed due to trust store does not exist", func(t *testing.T) {
 		dummyTrustPolicy := &trustpolicy.TrustPolicy{
 			Name:           "test-timestamp",
diff --git a/verifier/verifier.go b/verifier/verifier.go
@@ -1082,9 +1082,6 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
 	if err != nil {
 		return fmt.Errorf("failed to verify the timestamp countersignature with error: %w", err)
 	}
-	if !timestamp.BoundedAfter(signerInfo.SignedAttributes.SigningTime) {
-		return fmt.Errorf("timestamp %s is not bounded after the signing time %q", timestamp.Format(time.RFC3339), signerInfo.SignedAttributes.SigningTime)
-	}
 
 	// 3. Validate timestamping certificate chain
 	logger.Debug("Validating timestamping certificate chain...")

Original file line number	Diff line number	Diff line change
`@@ -1082,9 +1082,6 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin`
`1082`	`1082`	`if err != nil {`
`1083`	`1083`	`return fmt.Errorf("failed to verify the timestamp countersignature with error: %w", err)`
`1084`	`1084`	`}`
`1085`		`- if !timestamp.BoundedAfter(signerInfo.SignedAttributes.SigningTime) {`
`1086`		`- return fmt.Errorf("timestamp %s is not bounded after the signing time %q", timestamp.Format(time.RFC3339), signerInfo.SignedAttributes.SigningTime)`
`1087`		`- }`
`1088`	`1085`
`1089`	`1086`	`// 3. Validate timestamping certificate chain`
`1090`	`1087`	`logger.Debug("Validating timestamping certificate chain...")`