make TSA validity end optional (#1368)

ramonpetgrave64 · web-flow · commit 2199d9b5d4c6 · 2025-05-08T18:34:12.000+03:00
* no trailing slash for post to /entries Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> * end date optional Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> * Revert "no trailing slash for post to /entries" This reverts commit 79a6d31. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> * lint Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> * start is not optional Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> * add changelog Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> * link to PR Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,10 @@ All versions prior to 0.9.0 are untracked.
 
 ### Fixed
 
+* Fixed the certificate calidity period check for Timestamp Authorities (TSA).
+  Certificates need not have and end date, while still requiring a start date.
+  [#1368](https://github.com/sigstore/sigstore-python/pull/1368)
+
 * API: Make Rekor APIs compatible with Rekor v2 by removing trailing slashes
   from endpoints ([#1366](https://github.com/sigstore/sigstore-python/pull/1366))
 
diff --git a/sigstore/_internal/trust.py b/sigstore/_internal/trust.py
@@ -253,7 +253,7 @@ def _verify(self) -> None:
             raise Error("missing a certificate in Certificate Authority")
 
     @property
-    def validity_period_start(self) -> datetime | None:
+    def validity_period_start(self) -> datetime:
         """
         Validity period start.
         """
diff --git a/sigstore/verify/verifier.py b/sigstore/verify/verifier.py
@@ -150,26 +150,19 @@ def _verify_signed_timestamp(
 
             if (
                 certificate_authority.validity_period_start
-                and certificate_authority.validity_period_end
+                <= timestamp_response.tst_info.gen_time
+            ) and (
+                not certificate_authority.validity_period_end
+                or timestamp_response.tst_info.gen_time
+                < certificate_authority.validity_period_end
             ):
-                if (
-                    certificate_authority.validity_period_start
-                    <= timestamp_response.tst_info.gen_time
-                    < certificate_authority.validity_period_end
-                ):
-                    return TimestampVerificationResult(
-                        source=TimestampSource.TIMESTAMP_AUTHORITY,
-                        time=timestamp_response.tst_info.gen_time,
-                    )
-
-                _logger.debug(
-                    "Unable to verify Timestamp because not in CA time range."
-                )
-            else:
-                _logger.debug(
-                    "Unable to verify Timestamp because no validity provided."
+                return TimestampVerificationResult(
+                    source=TimestampSource.TIMESTAMP_AUTHORITY,
+                    time=timestamp_response.tst_info.gen_time,
                 )
 
+            _logger.debug("Unable to verify Timestamp because not in CA time range.")
+
         return None
 
     def _verify_timestamp_authority(
diff --git a/test/unit/verify/test_verifier.py b/test/unit/verify/test_verifier.py
@@ -212,6 +212,16 @@ def test_verifier_verify_timestamp(self, verifier, asset, null_policy):
             null_policy,
         )
 
+    def test_verifier_no_validity_end(self, verifier, asset, null_policy):
+        verifier._trusted_root.get_timestamp_authorities()[
+            0
+        ]._inner.valid_for.end = None
+        verifier.verify_artifact(
+            asset("tsa/bundle.txt").read_bytes(),
+            Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
+            null_policy,
+        )
+
     def test_verifier_without_timestamp(
         self, verifier, asset, null_policy, monkeypatch
     ):
@@ -241,24 +251,6 @@ def test_verifier_duplicate_timestamp(self, verifier, asset, null_policy):
                 null_policy,
             )
 
-    def test_verifier_no_validity(self, caplog, verifier, asset, null_policy):
-        verifier._trusted_root.get_timestamp_authorities()[
-            0
-        ]._inner.valid_for.end = None
-
-        with caplog.at_level(logging.DEBUG, logger="sigstore.verify.verifier"):
-            with pytest.raises(VerificationError, match="not enough timestamps"):
-                verifier.verify_artifact(
-                    asset("tsa/bundle.txt").read_bytes(),
-                    Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
-                    null_policy,
-                )
-
-        assert (
-            "Unable to verify Timestamp because no validity provided."
-            == caplog.records[0].message
-        )
-
     def test_verifier_outside_validity_range(
         self, caplog, verifier, asset, null_policy
     ):
