Open iamsamirzon opened 2 years ago
@gokarnm - This is the roadmap item related to timestamping.
@FeynmanZhou - We discussed this in our NV2 community meeting today. Propose we include the "Sign" part in RC-1 and the "Verify" part of it can come in "RC-2". Do discuss with @shizhMSFT on it.
@iamsamirzon It looks like Notation CLI has supported timestamp, see https://github.com/notaryproject/notation/pull/171/files#diff-4f0565caf9b5f059f3b256722911a83386beb3d5c0dc75b30b6fc91d451e551cR65
Yes, there was support added back in Alpha-1. This roadmap item is to ensure the implementation ( along with tests) meets the agreed on spec
Yes, there was support added back in Alpha-1. This roadmap item is to ensure the implementation ( along with tests) meets the agreed on spec
Okay, we need to verify it for the next step.
There are open questions and work related to
x509/tsa/public-tsa
@shizhMSFT , @dtzar - We need to bring in the signing part back into RC-1. This item is not yet complete for RC-1.
Looks like this work could be included in whomever implements https://github.com/notaryproject/notation-go/issues/78 I would recommend putting the three bullets from @gokarnm above either into that issue or a separate issue(s) depending on the rough size of the work to be done.
This issue also relevant to the completion of this item: https://github.com/notaryproject/notation-go/issues/13
@dtzar - There was an item in the spreadsheet for this , row #22. It is marked green ( to indicate complete), but it is not. @shizhMSFT team was looking to implement this. Lets touch base on this with them
The default TSA to use during signing
As discussed in previous Notary community meetings, we will not provide a default TSA for signing. Users must specify their trusted TSA when signing.
Distribute public TSA roots in a default named trust store
x509/tsa/public-tsa
This item is a successor of distributing roots for x509/ca/...
.
Improvements to custom CMS verification code for TSA verification
We need more clarification on the "improvements".
@gokarnm , @rgnote - Could you elaborate on the "improvements" https://github.com/notaryproject/roadmap/issues/59#issuecomment-1160734080
Based on the agreement in NV2 community call on 12/5/2022, moving this out of RC-2
It would be great if we can accelerate TSA signature support for an upcoming release, and as such would like to get feedback around the potential to leverage an existing golang timestamping library to implement this roadmap item.
I have a positive experience with the library and it is even being used by the Sigstore/cosign project.
@priteshbandi
The prerequisites of TSA signature support are
Unfortunately, there are no known reliable mature go libraries implementing RFC 3161 and RFC 2315.
The timestamp library github.com/digitorus/timestamp, which is also used by cosign, is built on top of github.com/digitorus/pkcs7, which is a fork of https://github.com/mozilla-services/pkcs7 with enhanced features (but not security). However, the maturity of those libraries are still in an early stage and should not be used for production.
Here are some code snippets from github.com/digitorus/pkcs7
:
https://github.com/digitorus/pkcs7/blob/51331ccfc40f27dab73cbc42e99f765f618fca70/ber.go#L57-L75
func ber2der(ber []byte) ([]byte, error) {
if len(ber) == 0 {
return nil, errors.New("ber2der: input ber is empty")
}
//fmt.Printf("--> ber2der: Transcoding %d bytes\n", len(ber))
out := new(bytes.Buffer)
obj, _, err := readObject(ber, 0)
if err != nil {
return nil, err
}
obj.EncodeTo(out)
// if offset < len(ber) {
// return nil, fmt.Errorf("ber2der: Content longer than expected. Got %d, expected %d", offset, len(ber))
//}
return out.Bytes(), nil
}
if tag == 0x1F {
tag = 0
for ber[offset] >= 0x80 {
tag = tag*128 + ber[offset] - 0x80
offset++
if offset > berLen {
return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
}
}
// jvehent 20170227: this doesn't appear to be used anywhere...
//tag = tag*128 + ber[offset] - 0x80
offset++
if offset > berLen {
return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
}
}
Note: Unit tests in github.com/digitorus/pkcs7
are failing due to lack of maintenance :(
To ensure security of notation, we need to ensure that we have production-level CMS and Timestamp go libraries (we don't need to implement the full spec but implement what we need).
There was an attempt in notation-core-go but it was at a prototype maturity (insufficient unit tests) and has its own security vulnerability.
Summary - Notation client to support TSA signatures and verification support as per RFC 3161 Intended Outcome - The implementation matches with the specification