Server IP : 85.214.239.14 / Your IP : 18.217.237.68 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /proc/3/root/proc/2/root/lib/node_modules/npm/node_modules/@sigstore/verify/dist/timestamp/ |
Upload File : |
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.verifyRFC3161Timestamp = void 0; const core_1 = require("@sigstore/core"); const error_1 = require("../error"); const certificate_1 = require("../key/certificate"); const trust_1 = require("../trust"); function verifyRFC3161Timestamp(timestamp, data, timestampAuthorities) { const signingTime = timestamp.signingTime; // Filter for CAs which were valid at the time of signing timestampAuthorities = (0, trust_1.filterCertAuthorities)(timestampAuthorities, { start: signingTime, end: signingTime, }); // Filter for CAs which match serial and issuer embedded in the timestamp timestampAuthorities = filterCAsBySerialAndIssuer(timestampAuthorities, { serialNumber: timestamp.signerSerialNumber, issuer: timestamp.signerIssuer, }); // Check that we can verify the timestamp with AT LEAST ONE of the remaining // CAs const verified = timestampAuthorities.some((ca) => { try { verifyTimestampForCA(timestamp, data, ca); return true; } catch (e) { return false; } }); if (!verified) { throw new error_1.VerificationError({ code: 'TIMESTAMP_ERROR', message: 'timestamp could not be verified', }); } } exports.verifyRFC3161Timestamp = verifyRFC3161Timestamp; function verifyTimestampForCA(timestamp, data, ca) { const [leaf, ...cas] = ca.certChain; const signingKey = core_1.crypto.createPublicKey(leaf.publicKey); const signingTime = timestamp.signingTime; // Verify the certificate chain for the provided CA try { new certificate_1.CertificateChainVerifier({ untrustedCert: leaf, trustedCerts: cas, }).verify(); } catch (e) { throw new error_1.VerificationError({ code: 'TIMESTAMP_ERROR', message: 'invalid certificate chain', }); } // Check that all of the CA certs were valid at the time of signing const validAtSigningTime = ca.certChain.every((cert) => cert.validForDate(signingTime)); if (!validAtSigningTime) { throw new error_1.VerificationError({ code: 'TIMESTAMP_ERROR', message: 'timestamp was signed with an expired certificate', }); } // Check that the signing certificate's key can be used to verify the // timestamp signature. timestamp.verify(data, signingKey); } // Filters the list of CAs to those which have a leaf signing certificate which // matches the given serial number and issuer. function filterCAsBySerialAndIssuer(timestampAuthorities, criteria) { return timestampAuthorities.filter((ca) => ca.certChain.length > 0 && core_1.crypto.bufferEqual(ca.certChain[0].serialNumber, criteria.serialNumber) && core_1.crypto.bufferEqual(ca.certChain[0].issuer, criteria.issuer)); }