From d3a4bf2f85494d295f8486ef624b4884a578c64c Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 8 May 2025 14:47:23 +0000
Subject: [PATCH 1/5] request timestamp with sha256

Signed-off-by: Ramon Petgrave
---
 sigstore/_internal/timestamp.py         | 7 ++++++-
 test/unit/internal/test_timestamping.py | 9 +++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/sigstore/_internal/timestamp.py b/sigstore/_internal/timestamp.py
index f279e9d47..fe210f4fc 100644
--- a/sigstore/_internal/timestamp.py
+++ b/sigstore/_internal/timestamp.py
@@ -26,6 +26,7 @@
     TimeStampResponse,
     decode_timestamp_response,
 )
+from rfc3161_client.base import HashAlgorithm
 
 from sigstore._internal import USER_AGENT
 
@@ -93,7 +94,11 @@ def request_timestamp(self, signature: bytes) -> TimeStampResponse:
         # Build the timestamp request
         try:
             timestamp_request = (
-                TimestampRequestBuilder().data(signature).nonce(nonce=True).build()
+                TimestampRequestBuilder()
+                .hash_algorithm(HashAlgorithm.SHA256)
+                .data(signature)
+                .nonce(nonce=True)
+                .build()
             )
         except ValueError as error:
             msg = f"invalid request: {error}"
diff --git a/test/unit/internal/test_timestamping.py b/test/unit/internal/test_timestamping.py
index ac7382b83..01dadffa0 100644
--- a/test/unit/internal/test_timestamping.py
+++ b/test/unit/internal/test_timestamping.py
@@ -15,6 +15,8 @@
 import requests
 
 from sigstore._internal.timestamp import TimestampAuthorityClient, TimestampError
+from sigstore._utils import sha256_digest
+from cryptography.hazmat.primitives.hashes import SHA256
 
 
 @pytest.mark.timestamp_authority
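Review bot: The hard-coded `HashAlgorithm.SHA256` in the builder chain has no comment saying why the rfc3161-client default is being overridden, so the next reader (or a "modernise to SHA-512" cleanup) has nothing to go on; add a why-comment above `timestamp_request = (`, e.g. `# Request a SHA-256 messageImprint explicitly instead of relying on the builder's default algorithm.`, and extend it with the concrete reason (which TSA or verifier needed it), since the hunk itself does not show that motivation. Pinning the digest also makes the request's imprint and nonce concrete values that RFC 3161 §2.4.2 tells the requester to compare against the returned TSTInfo; the rest of request_timestamp lies outside the hunk, so if it only decodes the response without checking `tst_info.message_imprint` and `tst_info.nonce` against what was sent, that is worth either an explicit check or a comment pointing to where the verifier does it. The function's body continues past the end of the hunk.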
@@ -23,6 +25,13 @@ def test_sign_request(self, tsa_url: str):
         tsa = TimestampAuthorityClient(tsa_url)
         response = tsa.request_timestamp(b"hello")
         assert response
+        assert (
+            response.tst_info.message_imprint.message == sha256_digest(b"hello").digest
+        )
+        assert (
+            response.tst_info.message_imprint.hash_algorithm.dotted_string
+            == "2.16.840.1.101.3.4.2.1"
+        )  # SHA256 OID
 
     def test_sign_request_invalid_url(self):
         tsa = TimestampAuthorityClient("http://fake-url")

From 0bc24c21b532ba1d080d64f9150dd144bd535c4c Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 8 May 2025 16:05:32 +0000
Subject: [PATCH 2/5] changelog

Signed-off-by: Ramon Petgrave
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4212def42..c1b9d6129 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ All versions prior to 0.9.0 are untracked.
 
 ### Fixed
 
+* TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
+
 * API: Make Rekor APIs compatible with Rekor v2 by removing trailing slashes
   from endpoints ([#1366](https://github.com/sigstore/sigstore-python/pull/1366))
 

From 2fac58e6342a7f4c0b542d2f3112741c58db4df0 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 8 May 2025 16:08:10 +0000
Subject: [PATCH 3/5] backling

Signed-off-by: Ramon Petgrave
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e2c01eb9..e9fcfde60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ All versions prior to 0.9.0 are untracked.
 ### Fixed
 
 * TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
+  [#1371](https://github.com/sigstore/sigstore-python/pull/1371)
 
 * Fixed the certificate calidity period check for Timestamp Authorities (TSA).
   Certificates need not have and end date, while still requiring a start date.

From 3b10d016ed4b90bef497f36e3b6b0bd9acf20404 Mon Sep 17 00:00:00 2001
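Review bot: The expected hash-algorithm OID is a bare string literal with `# SHA256 OID` hanging off the closing paren, so the reader has to take the comment on trust; name it once at module level, `SHA256_OID = "2.16.840.1.101.3.4.2.1"  # id-sha256 (NIST CSOR hashAlgs arc)`, and compare `hash_algorithm.dotted_string == SHA256_OID` so the intent is in the identifier rather than the trailing comment. Because the test carries `@pytest.mark.timestamp_authority`, these assertions presumably run only when a live TSA is available, so they confirm that the TSA echoed a SHA-256 imprint for `b"hello"` but would still pass if the request builder silently fell back to its default algorithm and the TSA accepted it; if the built request object can be reached without the network, a request-side assertion on its message-imprint algorithm would pin the change directly. test_sign_request's `def` line is outside the hunk.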
From: Ramon Petgrave
Date: Thu, 8 May 2025 16:09:13 +0000
Subject: [PATCH 4/5] correct backlink

Signed-off-by: Ramon Petgrave
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e9fcfde60..a133db911 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,7 @@ All versions prior to 0.9.0 are untracked.
 ### Fixed
 
 * TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
-  [#1371](https://github.com/sigstore/sigstore-python/pull/1371)
+  [#1373](https://github.com/sigstore/sigstore-python/pull/1373)
 
 * Fixed the certificate calidity period check for Timestamp Authorities (TSA).
   Certificates need not have and end date, while still requiring a start date.

From 73c3cdfbcb597fac88a148a359783132db5136c5 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 8 May 2025 23:38:58 +0000
Subject: [PATCH 5/5] lint

Signed-off-by: Ramon Petgrave
---
 test/unit/internal/test_timestamping.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/unit/internal/test_timestamping.py b/test/unit/internal/test_timestamping.py
index 01dadffa0..f0e3555a2 100644
--- a/test/unit/internal/test_timestamping.py
+++ b/test/unit/internal/test_timestamping.py
@@ -16,7 +16,6 @@
 
 from sigstore._internal.timestamp import TimestampAuthorityClient, TimestampError
 from sigstore._utils import sha256_digest
-from cryptography.hazmat.primitives.hashes import SHA256
 
 
 @pytest.mark.timestamp_authority