Notation CLI support for Timestamp Authority signatures

[iamsamirzon]

Summary - Notation client to support TSA signatures and verification support as per RFC 3161
Intended Outcome - The implementation matches with the specification

• As par of this task also fix: Add more validations for timestamp response notation-go#13

[iamsamirzon]

@gokarnm - This is the roadmap item related to timestamping.

[iamsamirzon]

@FeynmanZhou - We discussed this in our NV2 community meeting today. Propose we include the "Sign" part in RC-1 and the "Verify" part of it can come in "RC-2". Do discuss with @shizhMSFT on it.

[FeynmanZhou]

@iamsamirzon
It looks like Notation CLI has supported timestamp, see https://github.com/notaryproject/notation/pull/171/files#diff-4f0565caf9b5f059f3b256722911a83386beb3d5c0dc75b30b6fc91d451e551cR65

[iamsamirzon]

Yes, there was support added back in Alpha-1. This roadmap item is to ensure the implementation ( along with tests) meets the agreed on spec

[FeynmanZhou]

Yes, there was support added back in Alpha-1. This roadmap item is to ensure the implementation ( along with tests) meets the agreed on spec

Okay, we need to verify it for the next step.

[gokarnm]

There are open questions and work related to

• The default TSA to use during signing
• Distribute public TSA roots in a default named trust store x509/tsa/public-tsa
• Improvements to custom CMS verification code for TSA verification

[iamsamirzon]

@shizhMSFT , @dtzar - We need to bring in the signing part back into RC-1. This item is not yet complete for RC-1.

[dtzar]

Looks like this work could be included in whomever implements notaryproject/notation-go#78
I would recommend putting the three bullets from @gokarnm above either into that issue or a separate issue(s) depending on the rough size of the work to be done.

[dtzar]

This issue also relevant to the completion of this item: notaryproject/notation-go#13

[iamsamirzon]

@dtzar - There was an item in the spreadsheet for this , row #22. It is marked green ( to indicate complete), but it is not. @shizhMSFT team was looking to implement this. Lets touch base on this with them

[shizhMSFT]

The default TSA to use during signing

As discussed in previous Notary community meetings, we will not provide a default TSA for signing. Users must specify their trusted TSA when signing.

Distribute public TSA roots in a default named trust store x509/tsa/public-tsa

This item is a successor of distributing roots for x509/ca/....

Improvements to custom CMS verification code for TSA verification

We need more clarification on the "improvements".

[iamsamirzon]

@gokarnm , @rgnote - Could you elaborate on the "improvements" #59 (comment)

[iamsamirzon]

Based on the agreement in NV2 community call on 12/5/2022, moving this out of RC-2

[zosocanuck]

It would be great if we can accelerate TSA signature support for an upcoming release, and as such would like to get feedback around the potential to leverage an existing golang timestamping library to implement this roadmap item.

I have a positive experience with the library and it is even being used by the Sigstore/cosign project.

@priteshbandi

[shizhMSFT]

The prerequisites of TSA signature support are

• A go library for RFC 3161 a.k.a. timestamp
• A go library for RFC 2315 since Timestamp relies on CMS a.k.a PKCS7.

Unfortunately, there are no known reliable mature go libraries implementing RFC 3161 and RFC 2315.

The timestamp library github.com/digitorus/timestamp, which is also used by cosign, is built on top of github.com/digitorus/pkcs7, which is a fork of https://github.com/mozilla-services/pkcs7 with enhanced features (but not security). However, the maturity of those libraries are still in an early stage and should not be used for production.

Here are some code snippets from github.com/digitorus/pkcs7:

• https://github.com/digitorus/pkcs7/blob/51331ccfc40f27dab73cbc42e99f765f618fca70/ber.go#L57-L75

  func ber2der(ber []byte) ([]byte, error) {
      if len(ber) == 0 {
    	  return nil, errors.New("ber2der: input ber is empty")
      }
      //fmt.Printf("--> ber2der: Transcoding %d bytes\n", len(ber))
      out := new(bytes.Buffer)
  
      obj, _, err := readObject(ber, 0)
      if err != nil {
    	  return nil, err
      }
      obj.EncodeTo(out)
  
      // if offset < len(ber) {
      //	return nil, fmt.Errorf("ber2der: Content longer than expected. Got %d, expected %d", offset, len(ber))
      //}
  
      return out.Bytes(), nil
  }

• https://github.com/digitorus/pkcs7/blob/51331ccfc40f27dab73cbc42e99f765f618fca70/ber.go#L147-L162

  if tag == 0x1F {
          tag = 0
          for ber[offset] >= 0x80 {
                  tag = tag*128 + ber[offset] - 0x80
                  offset++
                  if offset > berLen {
                          return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
                  }
          }
          // jvehent 20170227: this doesn't appear to be used anywhere...
          //tag = tag*128 + ber[offset] - 0x80
          offset++
          if offset > berLen {
                  return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
          }
  }

Note: Unit tests in github.com/digitorus/pkcs7 are failing due to lack of maintenance :(

[shizhMSFT]

To ensure security of notation, we need to ensure that we have production-level CMS and Timestamp go libraries (we don't need to implement the full spec but implement what we need).

There was an attempt in notation-core-go but it was at a prototype maturity (insufficient unit tests) and has its own security vulnerability.