diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64148f3f..e7746791 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ All versions prior to 0.9.0 are untracked.
 ### Fixed
+* TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
+ [#1373](https://github.com/sigstore/sigstore-python/pull/1373)
+
 * Fixed the certificate calidity period check for Timestamp Authorities (TSA). Certificates need not have and end date, while still requiring a start date.
 [#1368](https://github.com/sigstore/sigstore-python/pull/1368)
diff --git a/sigstore/_internal/timestamp.py b/sigstore/_internal/timestamp.py
index f279e9d4..fe210f4f 100644
--- a/sigstore/_internal/timestamp.py
+++ b/sigstore/_internal/timestamp.py
@@ -26,6 +26,7 @@
 TimeStampResponse,
 decode_timestamp_response,
 )
+from rfc3161_client.base import HashAlgorithm
 from sigstore._internal import USER_AGENT
@@ -93,7 +94,11 @@ def request_timestamp(self, signature: bytes) -> TimeStampResponse:
 # Build the timestamp request
 try:
 timestamp_request = (
- TimestampRequestBuilder().data(signature).nonce(nonce=True).build()
+ TimestampRequestBuilder()
+ .hash_algorithm(HashAlgorithm.SHA256)
+ .data(signature)
+ .nonce(nonce=True)
+ .build()
 )
 except ValueError as error:
 msg = f"invalid request: {error}"
diff --git a/test/unit/internal/test_timestamping.py b/test/unit/internal/test_timestamping.py
index ac7382b8..f0e3555a 100644
--- a/test/unit/internal/test_timestamping.py
+++ b/test/unit/internal/test_timestamping.py
@@ -15,6 +15,7 @@
 import requests
 from sigstore._internal.timestamp import TimestampAuthorityClient, TimestampError
+from sigstore._utils import sha256_digest
 @pytest.mark.timestamp_authority
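Review bot: In `request_timestamp` (sigstore/_internal/timestamp.py, second hunk) the digest algorithm is now pinned on the request, but nothing visible in the hunk checks that the returned token's message imprint actually carries SHA-256 over `signature`; the new unit test asserts this, the production code shown does not. If the verification path does not already enforce it, a check on `response.tst_info.message_imprint` (algorithm OID and digest) before the response is trusted would keep a TSA that answers with a different or weaker digest from being accepted silently. A short comment above the builder would also record the intent, e.g. `# Pin the message-imprint digest; do not rely on the rfc3161_client default.` The function body continues outside the hunk, so such a check may already exist further down or in the verifier.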
@@ -23,6 +24,13 @@ def test_sign_request(self, tsa_url: str):
 tsa = TimestampAuthorityClient(tsa_url)
 response = tsa.request_timestamp(b"hello")
 assert response
+ assert (
+ response.tst_info.message_imprint.message == sha256_digest(b"hello").digest
+ )
+ assert (
+ response.tst_info.message_imprint.hash_algorithm.dotted_string
+ == "2.16.840.1.101.3.4.2.1"
+ ) # SHA256 OID
 def test_sign_request_invalid_url(self):
 tsa = TimestampAuthorityClient("http://fake-url")
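Review bot: The OID in the second added assertion of `test_sign_request` is a bare string literal explained only by a trailing `# SHA256 OID` comment on the closing parenthesis; a module-level constant such as `SHA256_OID = "2.16.840.1.101.3.4.2.1"` would make the intent readable at the comparison itself. The test appears to sit under the `@pytest.mark.timestamp_authority` marker visible in the previous hunk, so it presumably needs a reachable TSA and may be skipped in ordinary CI. A case that inspects the built request without network access would cover the pinning there, provided the request object exposes its message imprint (not visible on this page).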