Adds a check to ensure SCT time is while a CT log key was valid

Fixes #178 (#350) Signed-off-by: Zach Steindler <steiza@github.com>
sigstore · Dec 12, 2024 · ab65d83 · ab65d83
1 parent 1a6bc03
commit ab65d83
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/pkg/verify/sct.go b/pkg/verify/sct.go
@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 
+	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/ctutil"
 	ctx509 "github.com/google/certificate-transparency-go/x509"
 	"github.com/google/certificate-transparency-go/x509util"
@@ -58,6 +59,17 @@ func VerifySignedCertificateTimestamp(chains [][]*x509.Certificate, threshold in
 			continue
 		}
 
+		// Ensure sct is within ctlog validity window
+		sctTime := ct.TimestampToTime(sct.Timestamp)
+		if !key.ValidityPeriodStart.IsZero() && sctTime.Before(key.ValidityPeriodStart) {
+			// skip entries that were before ctlog key start time
+			continue
+		}
+		if !key.ValidityPeriodEnd.IsZero() && sctTime.After(key.ValidityPeriodEnd) {
+			// skip entries that were after ctlog key end time
+			continue
+		}
+
 		for _, chain := range chains {
 			fulcioChain := make([]*ctx509.Certificate, len(leafCTCert))
 			copy(fulcioChain, leafCTCert)

diff --git a/pkg/verify/sct_test.go b/pkg/verify/sct_test.go
@@ -25,6 +25,7 @@ import (
 	"encoding/hex"
 	"math/big"
 	"testing"
+	"time"
 
 	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/tls"
@@ -123,7 +124,9 @@ func TestVerifySignedCertificateTimestamp(t *testing.T) {
 			trustedMaterial: &fakeTrustedMaterial{
 				transparencyLog: map[string]*root.TransparencyLog{
 					hex.EncodeToString(logID[:]): {
-						PublicKey: &privateKey.PublicKey,
+						PublicKey:           &privateKey.PublicKey,
+						ValidityPeriodStart: time.UnixMilli(12344),
+						ValidityPeriodEnd:   time.UnixMilli(12346),
 					},
 				},
 				cas: []root.CertificateAuthority{
@@ -314,6 +317,35 @@ func TestVerifySignedCertificateTimestamp(t *testing.T) {
 			threshold:       0,
 			trustedMaterial: &fakeTrustedMaterial{},
 		},
+		{
+			name: "sct not valid for ctlog key time range",
+			getCertFn: func() *x509.Certificate {
+				return embedSCTs(t, privateKey, skid, createBaseCert(t, privateKey, skid, big.NewInt(1)), []ct.SignedCertificateTimestamp{
+					{
+						SCTVersion: ct.V1,
+						Timestamp:  12345,
+						LogID:      ct.LogID{KeyID: logID},
+					},
+				})
+			},
+			chain:     []*x509.Certificate{caCert},
+			threshold: 1,
+			trustedMaterial: &fakeTrustedMaterial{
+				transparencyLog: map[string]*root.TransparencyLog{
+					hex.EncodeToString(logID[:]): {
+						PublicKey:           &privateKey.PublicKey,
+						ValidityPeriodStart: time.UnixMilli(10),
+						ValidityPeriodEnd:   time.UnixMilli(10000),
+					},
+				},
+				cas: []root.CertificateAuthority{
+					&root.FulcioCertificateAuthority{
+						Root: caCert,
+					},
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "threshold of 2 with 2 valid scts",
 			getCertFn: func() *x509.Certificate {