
Commit 0172eed

Merge branch 'main' into kindversion
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
2 parents 7777935 + 2199d9b commit 0172eed


6 files changed

+37
-46
lines changed


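--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,15 @@ All versions prior to 0.9.0 are untracked.
 either from the root of the response, or from the reponse's inner base64-encoded JSON `body`.
 [#1370](https://github.com/sigstore/sigstore-python/pull/1370)
 
+### Fixed
+
+* Fixed the certificate calidity period check for Timestamp Authorities (TSA).
+Certificates need not have and end date, while still requiring a start date.
+[#1368](https://github.com/sigstore/sigstore-python/pull/1368)
+
+* API: Make Rekor APIs compatible with Rekor v2 by removing trailing slashes
+from endpoints ([#1366](https://github.com/sigstore/sigstore-python/pull/1366))
+
 ## [3.6.2]
 
 ### Fixed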

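--- a/sigstore/_internal/rekor/client.py
+++ b/sigstore/_internal/rekor/client.py
@@ -23,7 +23,6 @@
 from abc import ABC
 from dataclasses import dataclass
 from typing import Any, Optional
-from urllib.parse import urljoin
 
 import rekor_types
 import requests
@@ -112,7 +111,7 @@ def entries(self) -> RekorEntries:
 Returns a `RekorEntries` capable of accessing detailed information
 about individual log entries.
 """
-return RekorEntries(urljoin(self.url, "entries/"), session=self.session)
+return RekorEntries(f"{self.url}/entries", session=self.session)
 
 
 class RekorEntries(_Endpoint):
@@ -134,7 +133,7 @@ def get(
 resp: requests.Response
 
 if uuid is not None:
-resp = self.session.get(urljoin(self.url, uuid))
+resp = self.session.get(f"{self.url}/{uuid}")
 else:
 resp = self.session.get(self.url, params={"logIndex": log_index})
 
@@ -170,9 +169,7 @@ def retrieve(self) -> RekorEntriesRetrieve:
 """
 Returns a `RekorEntriesRetrieve` capable of retrieving entries.
 """
-return RekorEntriesRetrieve(
-urljoin(self.url, "retrieve/"), session=self.session
-)
+return RekorEntriesRetrieve(f"{self.url}/retrieve/", session=self.session)
 
 
 class RekorEntriesRetrieve(_Endpoint):
@@ -226,7 +223,7 @@ def __init__(self, url: str) -> None:
 """
 Create a new `RekorClient` from the given URL.
 """
-self.url = urljoin(url, "api/v1/")
+self.url = f"{url}/api/v1"
 self.session = requests.Session()
 self.session.headers.update(
 {
@@ -263,4 +260,4 @@ def log(self) -> RekorLog:
 """
 Returns a `RekorLog` adapter for making requests to a Rekor log.
 """
-return RekorLog(urljoin(self.url, "log/"), session=self.session)
+return RekorLog(f"{self.url}/log", session=self.session)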
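Review bot: `RekorClient.__init__` now builds `self.url = f"{url}/api/v1"`, so a caller that passes a base URL with a trailing slash (which the old `urljoin` absorbed) ends up with a `//api/v1` path; `self.url = f"{url.rstrip('/')}/api/v1"` keeps that tolerance while still fixing the path-replacement behaviour of `urljoin`. The `retrieve()` hunk keeps a trailing slash in `f"{self.url}/retrieve/"` while every other endpoint in this file drops it, which contradicts the CHANGELOG entry for this change; if Rekor requires the slash there, a one-line comment such as `# NOTE: the retrieve endpoint is addressed with a trailing slash on purpose` stops the next reader from "fixing" it. The `get()` hunk interpolates `uuid` into the path unencoded, as `urljoin` also did; if that value can originate from untrusted input it is worth documenting that only a hex entry UUID is expected. `__init__`, `get()` and the other enclosing methods all continue outside their hunks.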

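--- a/sigstore/_internal/trust.py
+++ b/sigstore/_internal/trust.py
@@ -253,7 +253,7 @@ def _verify(self) -> None:
 raise Error("missing a certificate in Certificate Authority")
 
 @property
-def validity_period_start(self) -> datetime | None:
+def validity_period_start(self) -> datetime:
 """
 Validity period start.
 """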
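Review bot: `validity_period_start` is narrowed to return `datetime`, but the hunk shows neither the property body nor a check in `_verify` that guarantees a start date is present; the only visible `_verify` line raises for a missing certificate, and `_verify` itself starts outside the hunk. If `_verify` does reject a missing start date, the docstring should say so, e.g. `Validity period start. Always present: a CertificateAuthority without a start date is rejected by _verify.`; if it does not, the annotation over-promises and the new comparison in `_verify_signed_timestamp` would raise `TypeError` on a `None` start instead of failing verification cleanly. The `validity_period_end` property presumably stays optional, and its docstring could state that an absent end means the authority has no expiry, since the verifier now relies on that meaning.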

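--- a/sigstore/models.py
+++ b/sigstore/models.py
@@ -492,9 +492,9 @@ def _verify(self) -> None:
 # We expect some old bundles to violate the rules around root
 # and intermediate CAs, so we issue warnings and not hard errors
 # in those cases.
-leaf_cert, *chain_certs = [
+leaf_cert, *chain_certs = (
 load_der_x509_certificate(cert.raw_bytes) for cert in certs
-]
+)
 if not cert_is_leaf(leaf_cert):
 raise InvalidBundle(
 "bundle contains an invalid leaf or non-leaf certificate in the leaf position"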
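Review bot: Replacing the list comprehension with a generator in `leaf_cert, *chain_certs = (...)` changes nothing observable, since starred unpacking still materialises `chain_certs` as a list, so this is a lint-driven style change. What the hunk leaves unaddressed is an empty `certs`: the unpacking then raises a bare `ValueError` rather than the `InvalidBundle` used two lines later, unless a guard exists earlier in `_verify`, which starts outside the hunk. If there is none, `if not certs: raise InvalidBundle("bundle contains no certificates")` before the unpacking keeps the error type consistent for callers that catch `InvalidBundle`.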

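--- a/sigstore/verify/verifier.py
+++ b/sigstore/verify/verifier.py
@@ -150,26 +150,19 @@ def _verify_signed_timestamp(
 
 if (
 certificate_authority.validity_period_start
-and certificate_authority.validity_period_end
+<= timestamp_response.tst_info.gen_time
+) and (
+not certificate_authority.validity_period_end
+or timestamp_response.tst_info.gen_time
+< certificate_authority.validity_period_end
 ):
-if (
-certificate_authority.validity_period_start
-<= timestamp_response.tst_info.gen_time
-< certificate_authority.validity_period_end
-):
-return TimestampVerificationResult(
-source=TimestampSource.TIMESTAMP_AUTHORITY,
-time=timestamp_response.tst_info.gen_time,
-)
-
-_logger.debug(
-"Unable to verify Timestamp because not in CA time range."
-)
-else:
-_logger.debug(
-"Unable to verify Timestamp because no validity provided."
+return TimestampVerificationResult(
+source=TimestampSource.TIMESTAMP_AUTHORITY,
+time=timestamp_response.tst_info.gen_time,
 )
 
+_logger.debug("Unable to verify Timestamp because not in CA time range.")
+
 return None
 
 def _verify_timestamp_authority(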
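Review bot: The new condition treats an absent `validity_period_end` as "no upper bound", so a TSA certificate without an end date is accepted for any `gen_time` at or after its start; that matches the CHANGELOG intent, but nothing in the code states it, and the two-clause expression is hard to read. I would add `# An absent validity_period_end means the TSA certificate has not been retired (no upper bound), so only the start date is enforced; the interval is half-open: start <= gen_time < end.` above the `if`, and bind `gen_time = timestamp_response.tst_info.gen_time` once instead of repeating the attribute chain four times. It is also worth noting in that comment that the correctness of the open-ended case now depends on the trusted root being refreshed when an authority is retired. `_verify_signed_timestamp` starts outside the hunk.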

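--- a/test/unit/verify/test_verifier.py
+++ b/test/unit/verify/test_verifier.py
@@ -212,6 +212,16 @@ def test_verifier_verify_timestamp(self, verifier, asset, null_policy):
 null_policy,
 )
 
+def test_verifier_no_validity_end(self, verifier, asset, null_policy):
+verifier._trusted_root.get_timestamp_authorities()[
+0
+]._inner.valid_for.end = None
+verifier.verify_artifact(
+asset("tsa/bundle.txt").read_bytes(),
+Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
+null_policy,
+)
+
 def test_verifier_without_timestamp(
 self, verifier, asset, null_policy, monkeypatch
 ):
@@ -241,24 +251,6 @@ def test_verifier_duplicate_timestamp(self, verifier, asset, null_policy):
 null_policy,
 )
 
-def test_verifier_no_validity(self, caplog, verifier, asset, null_policy):
-verifier._trusted_root.get_timestamp_authorities()[
-0
-]._inner.valid_for.end = None
-
-with caplog.at_level(logging.DEBUG, logger="sigstore.verify.verifier"):
-with pytest.raises(VerificationError, match="not enough timestamps"):
-verifier.verify_artifact(
-asset("tsa/bundle.txt").read_bytes(),
-Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
-null_policy,
-)
-
-assert (
-"Unable to verify Timestamp because no validity provided."
-== caplog.records[0].message
-)
-
 def test_verifier_outside_validity_range(
 self, caplog, verifier, asset, null_policy
 ):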
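Review bot: `test_verifier_no_validity_end` only checks that `verify_artifact` does not raise; unlike the removed `test_verifier_no_validity` it never confirms that the timestamp was accepted through the open-ended TSA validity path, so a regression that silently satisfies the timestamp requirement some other way would still pass. Wrapping the call in `with caplog.at_level(logging.DEBUG, logger="sigstore.verify.verifier"):` and asserting that no record with message `"Unable to verify Timestamp because not in CA time range."` was emitted would pin the new branch (the `caplog` fixture is already used by `test_verifier_outside_validity_range`, and `logging` was in scope for the removed test, so presumably still is). The test also mutates `verifier._trusted_root` in place; if the `verifier` fixture is not function-scoped, the `end = None` change leaks into later tests, so the fixture scope is worth confirming or the original value restored.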
