Updated the files.

2024-02-08 19:38:41 -05:00 · 2024-02-08 19:38:41 -05:00 · 753967d4f5
commit 753967d4f5
parent 1553e6b971
23418 changed files with 3784666 additions and 0 deletions
--- a/my-app/node_modules/@sigstore/verify/dist/timestamp/tsa.js
+++ b/my-app/node_modules/@sigstore/verify/dist/timestamp/tsa.js
@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyRFC3161Timestamp = void 0;
+const core_1 = require("@sigstore/core");
+const error_1 = require("../error");
+const certificate_1 = require("../key/certificate");
+const trust_1 = require("../trust");
+function verifyRFC3161Timestamp(timestamp, data, timestampAuthorities) {
+    const signingTime = timestamp.signingTime;
+    // Filter for CAs which were valid at the time of signing
+    timestampAuthorities = (0, trust_1.filterCertAuthorities)(timestampAuthorities, {
+        start: signingTime,
+        end: signingTime,
+    });
+    // Filter for CAs which match serial and issuer embedded in the timestamp
+    timestampAuthorities = filterCAsBySerialAndIssuer(timestampAuthorities, {
+        serialNumber: timestamp.signerSerialNumber,
+        issuer: timestamp.signerIssuer,
+    });
+    // Check that we can verify the timestamp with AT LEAST ONE of the remaining
+    // CAs
+    const verified = timestampAuthorities.some((ca) => {
+        try {
+            verifyTimestampForCA(timestamp, data, ca);
+            return true;
+        }
+        catch (e) {
+            return false;
+        }
+    });
+    if (!verified) {
+        throw new error_1.VerificationError({
+            code: 'TIMESTAMP_ERROR',
+            message: 'timestamp could not be verified',
+        });
+    }
+}
+exports.verifyRFC3161Timestamp = verifyRFC3161Timestamp;
+function verifyTimestampForCA(timestamp, data, ca) {
+    const [leaf, ...cas] = ca.certChain;
+    const signingKey = core_1.crypto.createPublicKey(leaf.publicKey);
+    const signingTime = timestamp.signingTime;
+    // Verify the certificate chain for the provided CA
+    try {
+        new certificate_1.CertificateChainVerifier({
+            untrustedCert: leaf,
+            trustedCerts: cas,
+        }).verify();
+    }
+    catch (e) {
+        throw new error_1.VerificationError({
+            code: 'TIMESTAMP_ERROR',
+            message: 'invalid certificate chain',
+        });
+    }
+    // Check that all of the CA certs were valid at the time of signing
+    const validAtSigningTime = ca.certChain.every((cert) => cert.validForDate(signingTime));
+    if (!validAtSigningTime) {
+        throw new error_1.VerificationError({
+            code: 'TIMESTAMP_ERROR',
+            message: 'timestamp was signed with an expired certificate',
+        });
+    }
+    // Check that the signing certificate's key can be used to verify the
+    // timestamp signature.
+    timestamp.verify(data, signingKey);
+}
+// Filters the list of CAs to those which have a leaf signing certificate which
+// matches the given serial number and issuer.
+function filterCAsBySerialAndIssuer(timestampAuthorities, criteria) {
+    return timestampAuthorities.filter((ca) => ca.certChain.length > 0 &&
+        core_1.crypto.bufferEqual(ca.certChain[0].serialNumber, criteria.serialNumber) &&
+        core_1.crypto.bufferEqual(ca.certChain[0].issuer, criteria.issuer));
+}