diff --git a/Cargo.toml b/Cargo.toml index d401720339..177942b048 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -138,6 +138,7 @@ rstest = "0.18.1" serial_test = "3.0.0" tempfile = "3.3.0" testcontainers = "0.15" +tokio = { version = "1.17.0", features = ["rt", "rt-multi-thread"] } tracing-subscriber = { version = "0.3.9", features = ["env-filter"] } # cosign example mappings diff --git a/src/cosign/signature_layers.rs b/src/cosign/signature_layers.rs index 9934d36f08..8e6cce177f 100644 --- a/src/cosign/signature_layers.rs +++ b/src/cosign/signature_layers.rs @@ -876,7 +876,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== use crate::cosign::bundle::Payload; use crate::crypto::tests::{generate_certificate, CertGenerationOptions}; use crate::crypto::SigningScheme; - use chrono::{Duration, Utc}; + use chrono::{TimeDelta, Utc}; impl TryFrom for crate::registry::Certificate { type Error = anyhow::Error; @@ -908,7 +908,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== .try_into()?]; let cert_pool = CertificatePool::from_certificates(certs, []).unwrap(); - let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap(); + let integrated_time = Utc::now() + .checked_sub_signed(TimeDelta::try_minutes(1).unwrap()) + .unwrap(); let bundle = Bundle { signed_entry_timestamp: "not relevant".to_string(), payload: Payload { @@ -957,7 +959,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== .try_into()?]; let cert_pool = CertificatePool::from_certificates(certs, []).unwrap(); - let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap(); + let integrated_time = Utc::now() + .checked_sub_signed(TimeDelta::try_minutes(1).unwrap()) + .unwrap(); let bundle = Bundle { signed_entry_timestamp: "not relevant".to_string(), payload: Payload { @@ -1005,7 +1009,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== .try_into()?]; let cert_pool = CertificatePool::from_certificates(certs, []).unwrap(); - let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap(); + let integrated_time = Utc::now() + .checked_sub_signed(TimeDelta::try_minutes(1).unwrap()) + .unwrap(); let bundle = Bundle { signed_entry_timestamp: "not relevant".to_string(), payload: Payload { diff --git a/src/cosign/verification_constraint/certificate_verifier.rs b/src/cosign/verification_constraint/certificate_verifier.rs index 78d17f857c..7370836594 100644 --- a/src/cosign/verification_constraint/certificate_verifier.rs +++ b/src/cosign/verification_constraint/certificate_verifier.rs @@ -1,4 +1,4 @@ -use chrono::{DateTime, NaiveDateTime, Utc}; +use chrono::{DateTime, Utc}; use pkcs8::der::Decode; use std::convert::TryFrom; use tracing::warn; @@ -89,9 +89,11 @@ impl VerificationConstraint for CertificateVerifier { match &signature_layer.bundle { Some(bundle) => { let it = DateTime::::from_naive_utc_and_offset( - NaiveDateTime::from_timestamp_opt(bundle.payload.integrated_time, 0).ok_or( - SigstoreError::UnexpectedError("timestamp is not legal".into()), - )?, + DateTime::from_timestamp(bundle.payload.integrated_time, 0) + .ok_or(SigstoreError::UnexpectedError( + "timestamp is not legal".into(), + ))? + .naive_utc(), Utc, ); let not_before: DateTime = diff --git a/src/crypto/certificate.rs b/src/crypto/certificate.rs index 943df12923..c7c14e99f3 100644 --- a/src/crypto/certificate.rs +++ b/src/crypto/certificate.rs @@ -13,7 +13,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -use chrono::{DateTime, NaiveDateTime, Utc}; +use chrono::{DateTime, Utc}; use const_oid::db::rfc5912::ID_KP_CODE_SIGNING; use x509_cert::{ ext::pkix::{ExtendedKeyUsage, KeyUsage, KeyUsages, SubjectAltName}, @@ -92,8 +92,9 @@ pub(crate) fn verify_validity(certificate: &Certificate) -> Result<()> { fn verify_expiration(certificate: &Certificate, integrated_time: i64) -> Result<()> { let it = DateTime::::from_naive_utc_and_offset( - NaiveDateTime::from_timestamp_opt(integrated_time, 0) - .ok_or(SigstoreError::X509Error("timestamp is not legal".into()))?, + DateTime::from_timestamp(integrated_time, 0) + .ok_or(SigstoreError::X509Error("timestamp is not legal".into()))? + .naive_utc(), Utc, ); let validity = &certificate.tbs_certificate.validity; @@ -125,7 +126,7 @@ mod tests { use super::*; use crate::crypto::tests::*; - use chrono::{Duration, Utc}; + use chrono::{TimeDelta, Utc}; use x509_cert::der::Decode; #[test] @@ -238,8 +239,12 @@ mod tests { let issued_cert = generate_certificate( Some(&ca_data), CertGenerationOptions { - not_before: Utc::now().checked_add_signed(Duration::days(5)).unwrap(), - not_after: Utc::now().checked_add_signed(Duration::days(6)).unwrap(), + not_before: Utc::now() + .checked_add_signed(TimeDelta::try_days(5).unwrap()) + .unwrap(), + not_after: Utc::now() + .checked_add_signed(TimeDelta::try_days(6).unwrap()) + .unwrap(), ..Default::default() }, )?; @@ -266,8 +271,12 @@ mod tests { let issued_cert = generate_certificate( Some(&ca_data), CertGenerationOptions { - not_before: Utc::now().checked_sub_signed(Duration::days(1)).unwrap(), - not_after: Utc::now().checked_add_signed(Duration::days(1)).unwrap(), + not_before: Utc::now() + .checked_sub_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), + not_after: Utc::now() + .checked_add_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), ..Default::default() }, )?; @@ -284,13 +293,19 @@ mod tests { fn verify_cert_expiration_failure() -> anyhow::Result<()> { let ca_data = generate_certificate(None, CertGenerationOptions::default())?; - let integrated_time = Utc::now().checked_add_signed(Duration::days(5)).unwrap(); + let integrated_time = Utc::now() + .checked_add_signed(TimeDelta::try_days(5).unwrap()) + .unwrap(); let issued_cert = generate_certificate( Some(&ca_data), CertGenerationOptions { - not_before: Utc::now().checked_sub_signed(Duration::days(1)).unwrap(), - not_after: Utc::now().checked_add_signed(Duration::days(1)).unwrap(), + not_before: Utc::now() + .checked_sub_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), + not_after: Utc::now() + .checked_add_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), ..Default::default() }, )?; diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs index c8a35e22bf..3db1461c7f 100644 --- a/src/crypto/mod.rs +++ b/src/crypto/mod.rs @@ -190,7 +190,7 @@ pub mod signing_key; #[cfg(test)] pub(crate) mod tests { - use chrono::{DateTime, Duration, Utc}; + use chrono::{DateTime, TimeDelta, Utc}; use openssl::asn1::{Asn1Integer, Asn1Time}; use openssl::bn::{BigNum, MsbOption}; use openssl::conf::{Conf, ConfMethod}; @@ -231,8 +231,12 @@ OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw== impl Default for CertGenerationOptions { fn default() -> Self { - let not_before = Utc::now().checked_sub_signed(Duration::days(1)).unwrap(); - let not_after = Utc::now().checked_add_signed(Duration::days(1)).unwrap(); + let not_before = Utc::now() + .checked_sub_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(); + let not_after = Utc::now() + .checked_add_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(); // Sigstore relies on NIST P-256 // NIST P-256 is a Weierstrass curve specified in FIPS 186-4: Digital Signature Standard (DSS):