Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate time is always valid when no timestamp is provided #276

Open
haydentherapper opened this issue Aug 19, 2024 · 1 comment · May be fixed by #277
Open

Certificate time is always valid when no timestamp is provided #276

haydentherapper opened this issue Aug 19, 2024 · 1 comment · May be fixed by #277
Assignees
@haydentherapper
Labels
bug Something isn't working v1.0 items we want to consider for a v1.0 release

Comments

@haydentherapper
Copy link
Contributor

Following up from #193 (comment), we are using the certificate's timestamp to verify itself. This will always pass the time verification because a certificate's "not before" time always falls in the range of "not before" to "not after".

Instead, we should only use current time to verify a certificate's validity. I've started making the change, but some tests are failing, so I wanted to check if I'm missing something and this behavior is what you had expected from the policy flag?

@codysoyland @steiza @cmurphy
@haydentherapper haydentherapper added the bug Something isn't working label Aug 19, 2024
@haydentherapper haydentherapper self-assigned this Aug 19, 2024
haydentherapper added a commit to haydentherapper/sigstore-go that referenced this issue Aug 19, 2024
@haydentherapper
Verify certificate validity with only current time
6e31232 
Using a certificate's NBF will always pass the time verification. We
should be using only the current time to try to verify a certificate's
validity. This is likely to only work with long-lived certificates or
where verification happens immediately after signing.

Fixes sigstore#276

Signed-off-by: Hayden Blauzvern <[email protected]>
@haydentherapper haydentherapper linked a pull request Aug 19, 2024 that will close this issue
Draft
@haydentherapper
Copy link
Contributor Author

#277 for the fix. Had to update some tests to use the SET timestamp.

@haydentherapper haydentherapper added the v1.0 items we want to consider for a v1.0 release label Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@haydentherapper haydentherapper

Labels
bug Something isn't working v1.0 items we want to consider for a v1.0 release
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Verify certificate validity with only current time haydentherapper/sigstore-go
1 participant
@haydentherapper