Don't fail on TSA signatures we can't verify (#45)

For #43 As long as there are enough TSA signatures that do verify to meet the threshold specified by the verification policy. --------- Signed-off-by: Zach Steindler <[email protected]>
sigstore · Dec 15, 2023 · 9a59c7f · 9a59c7f
1 parent 0946840
commit 9a59c7f
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 5 deletions.
diff --git a/pkg/verify/tsa.go b/pkg/verify/tsa.go
@@ -33,6 +33,9 @@ import (
 // verified.
 func VerifyTimestampAuthority(entity SignedEntity, trustedMaterial root.TrustedMaterial, threshold int) ([]time.Time, error) { //nolint:revive
 	signedTimestamps, err := entity.Timestamps()
+	if err != nil {
+		return nil, err
+	}
 
 	// disallow duplicate timestamps, as a malicious actor could use duplicates to bypass the threshold
 	for i := 0; i < len(signedTimestamps); i++ {
@@ -43,10 +46,6 @@ func VerifyTimestampAuthority(entity SignedEntity, trustedMaterial root.TrustedM
 		}
 	}
 
-	if err != nil || (len(signedTimestamps) < threshold) {
-		return nil, fmt.Errorf("not enough signed timestamps: %d < %d", len(signedTimestamps), threshold)
-	}
-
 	sigContent, err := entity.SignatureContent()
 	if err != nil {
 		return nil, err
@@ -62,11 +61,19 @@ func VerifyTimestampAuthority(entity SignedEntity, trustedMaterial root.TrustedM
 	verifiedTimestamps := []time.Time{}
 	for _, timestamp := range signedTimestamps {
 		verifiedSignedTimestamp, err := verifySignedTimestamp(timestamp, signatureBytes, trustedMaterial, verificationContent)
+
+		// Timestamps from unknown source are okay, but don't count as verified
 		if err != nil {
-			return nil, errors.New("unable to verify timestamp")
+			continue
 		}
+
 		verifiedTimestamps = append(verifiedTimestamps, verifiedSignedTimestamp)
 	}
+
+	if len(verifiedTimestamps) < threshold {
+		return nil, fmt.Errorf("not enough verified timestamps: %d < %d", len(verifiedTimestamps), threshold)
+	}
+
 	return verifiedTimestamps, nil
 }
 

diff --git a/pkg/verify/tsa_test.go b/pkg/verify/tsa_test.go
@@ -39,6 +39,34 @@ func TestTimestampAuthorityVerifier(t *testing.T) {
 
 	_, err = verify.VerifyTimestampAuthority(entity, virtualSigstore2, 1)
 	assert.Error(t, err) // different sigstore instance should fail to verify
+
+	untrustedEntity, err := virtualSigstore2.Attest("[email protected]", "issuer", []byte("statement"))
+	assert.NoError(t, err)
+
+	_, err = verify.VerifyTimestampAuthority(&oneTrustedOneUntrustedTimestampEntity{entity, untrustedEntity}, virtualSigstore, 1)
+	assert.NoError(t, err)
+
+	_, err = verify.VerifyTimestampAuthority(&oneTrustedOneUntrustedTimestampEntity{entity, untrustedEntity}, virtualSigstore, 2)
+	assert.Error(t, err) // only 1 trusted should not meet threshold of 2
+}
+
+type oneTrustedOneUntrustedTimestampEntity struct {
+	*ca.TestEntity
+	UntrustedTestEntity *ca.TestEntity
+}
+
+func (e *oneTrustedOneUntrustedTimestampEntity) Timestamps() ([][]byte, error) {
+	timestamps, err := e.TestEntity.Timestamps()
+	if err != nil {
+		return nil, err
+	}
+
+	untrustedTimestamps, err := e.UntrustedTestEntity.Timestamps()
+	if err != nil {
+		return nil, err
+	}
+
+	return append(timestamps, untrustedTimestamps...), nil
 }
 
 type dupTimestampEntity struct {