| Server IP : 88.223.91.89 / Your IP : 216.73.216.238 Web Server : LiteSpeed System : Linux id-dci-web1986.main-hosting.eu 5.14.0-611.26.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jan 29 05:24:47 EST 2026 x86_64 User : u686484674 ( 686484674) PHP Version : 8.0.30 Disable Function : system, exec, shell_exec, passthru, mysql_list_dbs, ini_alter, dl, symlink, link, chgrp, leak, popen, apache_child_terminate, virtual, mb_send_mail MySQL : OFF | cURL : ON | WGET : ON | Perl : OFF | Python : OFF | Sudo : OFF | Pkexec : OFF Directory : /opt/alt/alt-nodejs20/root/lib/node_modules/npm/node_modules/@sigstore/verify/dist/timestamp/ |
Upload File : |
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyRFC3161Timestamp = void 0;
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const certificate_1 = require("../key/certificate");
const trust_1 = require("../trust");
function verifyRFC3161Timestamp(timestamp, data, timestampAuthorities) {
const signingTime = timestamp.signingTime;
// Filter for CAs which were valid at the time of signing
timestampAuthorities = (0, trust_1.filterCertAuthorities)(timestampAuthorities, {
start: signingTime,
end: signingTime,
});
// Filter for CAs which match serial and issuer embedded in the timestamp
timestampAuthorities = filterCAsBySerialAndIssuer(timestampAuthorities, {
serialNumber: timestamp.signerSerialNumber,
issuer: timestamp.signerIssuer,
});
// Check that we can verify the timestamp with AT LEAST ONE of the remaining
// CAs
const verified = timestampAuthorities.some((ca) => {
try {
verifyTimestampForCA(timestamp, data, ca);
return true;
}
catch (e) {
return false;
}
});
if (!verified) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: 'timestamp could not be verified',
});
}
}
exports.verifyRFC3161Timestamp = verifyRFC3161Timestamp;
function verifyTimestampForCA(timestamp, data, ca) {
const [leaf, ...cas] = ca.certChain;
const signingKey = core_1.crypto.createPublicKey(leaf.publicKey);
const signingTime = timestamp.signingTime;
// Verify the certificate chain for the provided CA
try {
new certificate_1.CertificateChainVerifier({
untrustedCert: leaf,
trustedCerts: cas,
}).verify();
}
catch (e) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: 'invalid certificate chain',
});
}
// Check that all of the CA certs were valid at the time of signing
const validAtSigningTime = ca.certChain.every((cert) => cert.validForDate(signingTime));
if (!validAtSigningTime) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: 'timestamp was signed with an expired certificate',
});
}
// Check that the signing certificate's key can be used to verify the
// timestamp signature.
timestamp.verify(data, signingKey);
}
// Filters the list of CAs to those which have a leaf signing certificate which
// matches the given serial number and issuer.
function filterCAsBySerialAndIssuer(timestampAuthorities, criteria) {
return timestampAuthorities.filter((ca) => ca.certChain.length > 0 &&
core_1.crypto.bufferEqual(ca.certChain[0].serialNumber, criteria.serialNumber) &&
core_1.crypto.bufferEqual(ca.certChain[0].issuer, criteria.issuer));
}