deps: @sigstore/verify@2.1.1

wraithgar · wraithgar · commit f48613d0403a · 2025-05-13T09:39:43.000-07:00
diff --git a/node_modules/@sigstore/verify/dist/key/certificate.js b/node_modules/@sigstore/verify/dist/key/certificate.js
@@ -4,20 +4,18 @@ exports.CertificateChainVerifier = void 0;
 exports.verifyCertificateChain = verifyCertificateChain;
 const error_1 = require("../error");
 const trust_1 = require("../trust");
-function verifyCertificateChain(leaf, certificateAuthorities) {
+function verifyCertificateChain(timestamp, leaf, certificateAuthorities) {
     // Filter list of trusted CAs to those which are valid for the given
-    // leaf certificate.
-    const cas = (0, trust_1.filterCertAuthorities)(certificateAuthorities, {
-        start: leaf.notBefore,
-        end: leaf.notAfter,
-    });
+    // timestamp
+    const cas = (0, trust_1.filterCertAuthorities)(certificateAuthorities, timestamp);
     /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
     let error;
     for (const ca of cas) {
         try {
             const verifier = new CertificateChainVerifier({
                 trustedCerts: ca.certChain,
                 untrustedCert: leaf,
+                timestamp,
             });
             return verifier.verify();
         }
@@ -41,12 +39,20 @@ class CertificateChainVerifier {
             ...opts.trustedCerts,
             opts.untrustedCert,
         ]);
+        this.timestamp = opts.timestamp;
     }
     verify() {
         // Construct certificate path from leaf to root
         const certificatePath = this.sort();
         // Perform validation checks on each certificate in the path
         this.checkPath(certificatePath);
+        const validForDate = certificatePath.every((cert) => cert.validForDate(this.timestamp));
+        if (!validForDate) {
+            throw new error_1.VerificationError({
+                code: 'CERTIFICATE_ERROR',
+                message: 'certificate is not valid or expired at the specified date',
+            });
+        }
         // Return verified certificate path
         return certificatePath;
     }
diff --git a/node_modules/@sigstore/verify/dist/key/index.js b/node_modules/@sigstore/verify/dist/key/index.js
@@ -37,15 +37,10 @@ function verifyPublicKey(hint, timestamps, trustMaterial) {
 }
 function verifyCertificate(leaf, timestamps, trustMaterial) {
     // Check that leaf certificate chains to a trusted CA
-    const path = (0, certificate_1.verifyCertificateChain)(leaf, trustMaterial.certificateAuthorities);
-    // Check that ALL certificates are valid for ALL of the timestamps
-    const validForDate = timestamps.every((timestamp) => path.every((cert) => cert.validForDate(timestamp)));
-    if (!validForDate) {
-        throw new error_1.VerificationError({
-            code: 'CERTIFICATE_ERROR',
-            message: 'certificate is not valid or expired at the specified date',
-        });
-    }
+    let path = [];
+    timestamps.forEach((timestamp) => {
+        path = (0, certificate_1.verifyCertificateChain)(timestamp, leaf, trustMaterial.certificateAuthorities);
+    });
     return {
         scts: (0, sct_1.verifySCTs)(path[0], path[1], trustMaterial.ctlogs),
         signer: getSigner(path[0]),
diff --git a/node_modules/@sigstore/verify/dist/timestamp/tsa.js b/node_modules/@sigstore/verify/dist/timestamp/tsa.js
@@ -8,10 +8,7 @@ const trust_1 = require("../trust");
 function verifyRFC3161Timestamp(timestamp, data, timestampAuthorities) {
     const signingTime = timestamp.signingTime;
     // Filter for CAs which were valid at the time of signing
-    timestampAuthorities = (0, trust_1.filterCertAuthorities)(timestampAuthorities, {
-        start: signingTime,
-        end: signingTime,
-    });
+    timestampAuthorities = (0, trust_1.filterCertAuthorities)(timestampAuthorities, signingTime);
     // Filter for CAs which match serial and issuer embedded in the timestamp
     timestampAuthorities = filterCAsBySerialAndIssuer(timestampAuthorities, {
         serialNumber: timestamp.signerSerialNumber,
@@ -44,6 +41,7 @@ function verifyTimestampForCA(timestamp, data, ca) {
         new certificate_1.CertificateChainVerifier({
             untrustedCert: leaf,
             trustedCerts: cas,
+            timestamp: signingTime,
         }).verify();
     }
     catch (e) {
@@ -52,14 +50,6 @@ function verifyTimestampForCA(timestamp, data, ca) {
             message: 'invalid certificate chain',
         });
     }
-    // Check that all of the CA certs were valid at the time of signing
-    const validAtSigningTime = ca.certChain.every((cert) => cert.validForDate(signingTime));
-    if (!validAtSigningTime) {
-        throw new error_1.VerificationError({
-            code: 'TIMESTAMP_ERROR',
-            message: 'timestamp was signed with an expired certificate',
-        });
-    }
     // Check that the signing certificate's key can be used to verify the
     // timestamp signature.
     timestamp.verify(data, signingKey);
diff --git a/node_modules/@sigstore/verify/dist/trust/filter.js b/node_modules/@sigstore/verify/dist/trust/filter.js
@@ -2,9 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.filterCertAuthorities = filterCertAuthorities;
 exports.filterTLogAuthorities = filterTLogAuthorities;
-function filterCertAuthorities(certAuthorities, criteria) {
+function filterCertAuthorities(certAuthorities, timestamp) {
     return certAuthorities.filter((ca) => {
-        return (ca.validFor.start <= criteria.start && ca.validFor.end >= criteria.end);
+        return ca.validFor.start <= timestamp && ca.validFor.end >= timestamp;
     });
 }
 // Filter the list of tlog instances to only those which match the given log
diff --git a/node_modules/@sigstore/verify/package.json b/node_modules/@sigstore/verify/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/verify",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "Verification of Sigstore signatures",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -26,7 +26,7 @@
     "provenance": true
   },
   "dependencies": {
-    "@sigstore/protobuf-specs": "^0.4.0",
+    "@sigstore/protobuf-specs": "^0.4.1",
     "@sigstore/bundle": "^3.1.0",
     "@sigstore/core": "^2.0.0"
   },
diff --git a/package-lock.json b/package-lock.json
@@ -4959,15 +4959,15 @@
       }
     },
     "node_modules/@sigstore/verify": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@sigstore/verify/-/verify-2.1.0.tgz",
-      "integrity": "sha512-kAAM06ca4CzhvjIZdONAL9+MLppW3K48wOFy1TbuaWFW/OMfl8JuTgW0Bm02JB1WJGT/ET2eqav0KTEKmxqkIA==",
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@sigstore/verify/-/verify-2.1.1.tgz",
+      "integrity": "sha512-hVJD77oT67aowHxwT4+M6PGOp+E2LtLdTK3+FC0lBO9T7sYwItDMXZ7Z07IDCvR1M717a4axbIWckrW67KMP/w==",
       "inBundle": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@sigstore/bundle": "^3.1.0",
         "@sigstore/core": "^2.0.0",
-        "@sigstore/protobuf-specs": "^0.4.0"
+        "@sigstore/protobuf-specs": "^0.4.1"
       },
       "engines": {
         "node": "^18.17.0 || >=20.5.0"
