| Server IP : 85.214.239.14 / Your IP : 18.117.145.41 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /proc/3/task/3/cwd/lib/node_modules/npm/node_modules/@sigstore/verify/dist/timestamp/ |
Upload File : |
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyRFC3161Timestamp = void 0;
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const certificate_1 = require("../key/certificate");
const trust_1 = require("../trust");
function verifyRFC3161Timestamp(timestamp, data, timestampAuthorities) {
const signingTime = timestamp.signingTime;
// Filter for CAs which were valid at the time of signing
timestampAuthorities = (0, trust_1.filterCertAuthorities)(timestampAuthorities, {
start: signingTime,
end: signingTime,
});
// Filter for CAs which match serial and issuer embedded in the timestamp
timestampAuthorities = filterCAsBySerialAndIssuer(timestampAuthorities, {
serialNumber: timestamp.signerSerialNumber,
issuer: timestamp.signerIssuer,
});
// Check that we can verify the timestamp with AT LEAST ONE of the remaining
// CAs
const verified = timestampAuthorities.some((ca) => {
try {
verifyTimestampForCA(timestamp, data, ca);
return true;
}
catch (e) {
return false;
}
});
if (!verified) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: 'timestamp could not be verified',
});
}
}
exports.verifyRFC3161Timestamp = verifyRFC3161Timestamp;
function verifyTimestampForCA(timestamp, data, ca) {
const [leaf, ...cas] = ca.certChain;
const signingKey = core_1.crypto.createPublicKey(leaf.publicKey);
const signingTime = timestamp.signingTime;
// Verify the certificate chain for the provided CA
try {
new certificate_1.CertificateChainVerifier({
untrustedCert: leaf,
trustedCerts: cas,
}).verify();
}
catch (e) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: 'invalid certificate chain',
});
}
// Check that all of the CA certs were valid at the time of signing
const validAtSigningTime = ca.certChain.every((cert) => cert.validForDate(signingTime));
if (!validAtSigningTime) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: 'timestamp was signed with an expired certificate',
});
}
// Check that the signing certificate's key can be used to verify the
// timestamp signature.
timestamp.verify(data, signingKey);
}
// Filters the list of CAs to those which have a leaf signing certificate which
// matches the given serial number and issuer.
function filterCAsBySerialAndIssuer(timestampAuthorities, criteria) {
return timestampAuthorities.filter((ca) => ca.certChain.length > 0 &&
core_1.crypto.bufferEqual(ca.certChain[0].serialNumber, criteria.serialNumber) &&
core_1.crypto.bufferEqual(ca.certChain[0].issuer, criteria.issuer));
}