From 444d6e31204da07419aabd0b8b4b96fe2259f7d2 Mon Sep 17 00:00:00 2001
From: Billy Lynch <1844673+wlynch@users.noreply.github.com>
Date: Wed, 6 Sep 2023 12:24:58 -0400
Subject: [PATCH] Fix bug where TSA signing fails if cert hash != content hash. (#465)
This was fixed upstream in https://github.com/digitorus/timestamp/pull/19. We should cut a patch release - the buggy behavior was introduced in v1.1.2. NOTE: This potentially breaks some users if they are relying on the new cert hash behavior introduced in v1.1.2 to support other hash types, but this fixes those who were broken by the v1.1.2 update. Support for other hash types can be added in another PR by moving to using [timestamp.CreateResponseWithOpts](https://pkg.go.dev/github.com/digitorus/timestamp#Timestamp.CreateResponseWithOpts) and passing in the appropriate hash (but I'm considering that out of scope for this PR).
Signed-off-by: Billy Lynch
---
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/api/timestamp.go | 2 +-
 pkg/client/mock/mock_tsa_client.go | 2 +-
 pkg/verification/verify_test.go | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index a30df726..5991b8bc 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 cloud.google.com/go/security v1.15.1
 github.com/beevik/ntp v1.3.0
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352
- github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c
+ github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647
 github.com/go-chi/chi v4.1.2+incompatible
 github.com/go-openapi/errors v0.20.4
 github.com/go-openapi/loads v0.21.2
diff --git a/go.sum b/go.sum
index 5464fc22..175f9ac8 100644
--- a/go.sum
+++ b/go.sum
@@ -134,8 +134,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
-github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c h1:kgG83Hfj3YXkUbrihwBxDc0COzP1ZejiDSr4/fItT0E=
-github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
+github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647 h1:WOk5Aclr/+sZ2/SX2YyxulNFwZOUhSrDJLw5KbHKmdE=
+github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
diff --git a/pkg/api/timestamp.go b/pkg/api/timestamp.go
index cbedb1ef..c4abfd36 100644
--- a/pkg/api/timestamp.go
+++ b/pkg/api/timestamp.go
@@ -173,7 +173,7 @@ func TimestampResponseHandler(params ts.GetTimestampResponseParams) middleware.R
 ExtraExtensions: req.Extensions,
 }
 
- resp, err := tsStruct.CreateResponse(api.certChain[0], api.tsaSigner)
+ resp, err := tsStruct.CreateResponseWithOpts(api.certChain[0], api.tsaSigner, crypto.SHA256)
 if err != nil {
 return handleTimestampAPIError(params, http.StatusInternalServerError, err, failedToGenerateTimestampResponse)
 }
diff --git a/pkg/client/mock/mock_tsa_client.go b/pkg/client/mock/mock_tsa_client.go
index cb708ba9..78eb99cc 100644
--- a/pkg/client/mock/mock_tsa_client.go
+++ b/pkg/client/mock/mock_tsa_client.go
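Review bot: The hash passed to `CreateResponseWithOpts` in TimestampResponseHandler is pinned to `crypto.SHA256`, so the response is presumably signed with SHA-256 whatever hash algorithm the client's request carried, and nothing at the call site says so; the same literal is repeated in the pkg/client/mock/mock_tsa_client.go and pkg/verification/verify_test.go hunks. The description acknowledges this as a deliberate limitation, so I would record it where the next maintainer will look: `// Sign with SHA-256 regardless of the request's hash algorithm; other hashes are not yet supported (see #465).`. If the handler does not already reject requests whose message-imprint algorithm it cannot honour (such a check would sit earlier in TimestampResponseHandler, outside this hunk), it is worth confirming it does rather than returning a token the client did not ask for. Pulling the literal into one exported constant that the mock client and the test helper also use would keep the three call sites from drifting apart. TimestampResponseHandler starts and ends outside the hunk.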
@@ -137,7 +137,7 @@ func (c *TSAClient) GetTimestampResponse(params *ts.GetTimestampResponseParams,
 tsStruct.Time = c.Time
 }
 
- resp, err := tsStruct.CreateResponse(c.CertChain[0], c.Signer)
+ resp, err := tsStruct.CreateResponseWithOpts(c.CertChain[0], c.Signer, crypto.SHA256)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/verification/verify_test.go b/pkg/verification/verify_test.go
index ceb9879a..b97e679c 100644
--- a/pkg/verification/verify_test.go
+++ b/pkg/verification/verify_test.go
@@ -510,7 +510,7 @@ func createSignedTimestamp(certChain []*x509.Certificate, sv *signature.ECDSASig
 ExtraExtensions: req.Extensions,
 }
 
- resp, err := tsTemplate.CreateResponse(certChain[0], sv)
+ resp, err := tsTemplate.CreateResponseWithOpts(certChain[0], sv, crypto.SHA256)
 if err != nil {
 return nil, fmt.Errorf("unexpectedly failed to create timestamp response: %v", err)
 }