From 58314ba25bea8bfb697de38bfb74f0832d2941c8 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Mon, 15 Jul 2024 14:59:12 +0800
Subject: [PATCH 1/3] updated authentic signing time
Signed-off-by: Patrick Zheng
---
 signature/types.go | 21 +++++++++++----------
 signature/types_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/signature/types.go b/signature/types.go
index ab53bee8..2ef08405 100644
--- a/signature/types.go
+++ b/signature/types.go
@@ -17,6 +17,7 @@ import (
 "context"
 "crypto/x509"
 "errors"
+ "fmt"
 "time"
 
 "github.com/notaryproject/tspclient-go"
@@ -197,17 +198,17 @@ func (signerInfo *SignerInfo) ExtendedAttribute(key string) (Attribute, error) {
 return Attribute{}, errors.New("key not in ExtendedAttributes")
 }
 
-// AuthenticSigningTime returns the authentic signing time
+// AuthenticSigningTime returns the authentic signing time under signing scheme
+// notary.x509.signingAuthority.
+// For signing scheme notary.x509, since it only supports authentic timestamp,
+// an error is returned.
+//
+// Reference: https://github.com/notaryproject/specifications/blob/main/specs/signature-specification.md#signing-time--authentic-signing-time
 func (signerInfo *SignerInfo) AuthenticSigningTime() (time.Time, error) {
- switch signerInfo.SignedAttributes.SigningScheme {
- case SigningSchemeX509SigningAuthority:
+ switch signingScheme := signerInfo.SignedAttributes.SigningScheme; {
+ case signingScheme == SigningSchemeX509SigningAuthority:
 return signerInfo.SignedAttributes.SigningTime, nil
- case SigningSchemeX509:
- if len(signerInfo.UnsignedAttributes.TimestampSignature) > 0 {
- // TODO: Add TSA support for AutheticSigningTime
- // https://github.com/notaryproject/notation-core-go/issues/38
- return time.Time{}, errors.New("TSA checking has not been implemented")
- }
+ default:
+ return time.Time{}, fmt.Errorf("authenticSigningTime not supported under signing scheme %q", signingScheme)
 }
- return time.Time{}, errors.New("authenticSigningTime not found")
 }
diff --git a/signature/types_test.go b/signature/types_test.go
index f8ff5625..7a3ce963 100644
--- a/signature/types_test.go
+++ b/signature/types_test.go
@@ -17,6 +17,7 @@ import (
 "context"
 "fmt"
 "testing"
+ "time"
 )
 
 func TestSignRequestContext(t *testing.T) {
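Review bot: The new default branch folds every scheme other than signingAuthority — including an empty SigningScheme — into a message-only error, so callers (and the test added later in this series) can tell the outcomes apart only by comparing err.Error() text, which the next commit in the series already has to rewrite when the wording changes. A sentinel such as `var ErrAuthenticSigningTimeNotSupported = errors.New("authentic signing time not supported")` returned via `fmt.Errorf("%w under signing scheme %q", ErrAuthenticSigningTimeNotSupported, signingScheme)` would keep the scheme in the message while letting callers use errors.Is. The removed notary.x509 branch carried the only pointer to TSA support for this path; if that work is still planned, the new doc comment is the place to say so.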
@@ -51,3 +52,31 @@ func TestSignRequestWithContext(t *testing.T) {
 }()
 r.WithContext(nil) // should panic
 }
+
+func TestAuthenticSigningTime(t *testing.T) {
+ testTime := time.Now()
+ signerInfo := SignerInfo{
+ SignedAttributes: SignedAttributes{
+ SigningScheme: "notary.x509.signingAuthority",
+ SigningTime: testTime,
+ },
+ }
+ authenticSigningTime, err := signerInfo.AuthenticSigningTime()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !authenticSigningTime.Equal(testTime) {
+ t.Fatalf("expected %s, but got %s", testTime, authenticSigningTime)
+ }
+
+ signerInfo = SignerInfo{
+ SignedAttributes: SignedAttributes{
+ SigningScheme: "notary.x509",
+ },
+ }
+ expectedErrMsg := "authenticSigningTime not supported under signing scheme \"notary.x509\""
+ _, err = signerInfo.AuthenticSigningTime()
+ if err == nil || err.Error() != expectedErrMsg {
+ t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+ }
+}
From 8f3f397b6bbcc4400447868d9fc0ecf5a7bc77e1 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Mon, 15 Jul 2024 15:20:42 +0800
Subject: [PATCH 2/3] update
Signed-off-by: Patrick Zheng
---
 signature/types.go | 5 ++++-
 signature/types_test.go | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/signature/types.go b/signature/types.go
index 2ef08405..702c54f8 100644
--- a/signature/types.go
+++ b/signature/types.go
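Review bot: TestAuthenticSigningTime exercises only the two named schemes, so the default branch's behaviour for an empty or unrecognised SigningScheme is left unpinned even though it takes the same path as notary.x509. A third case with `SigningScheme: ""` expecting `authenticSigningTime not supported under signing scheme ""` would cover it at no real cost. The assertions match err.Error() against literal strings, which is why patch 2 in this series has to edit the test when the message wording changes.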
@@ -207,8 +207,11 @@ func (signerInfo *SignerInfo) ExtendedAttribute(key string) (Attribute, error) {
 func (signerInfo *SignerInfo) AuthenticSigningTime() (time.Time, error) {
 switch signingScheme := signerInfo.SignedAttributes.SigningScheme; {
 case signingScheme == SigningSchemeX509SigningAuthority:
+ if signerInfo.SignedAttributes.SigningTime.IsZero() {
+ return time.Time{}, fmt.Errorf("authentic signing time must be present under signing scheme %q", signingScheme)
+ }
 return signerInfo.SignedAttributes.SigningTime, nil
 default:
- return time.Time{}, fmt.Errorf("authenticSigningTime not supported under signing scheme %q", signingScheme)
+ return time.Time{}, fmt.Errorf("authentic signing time not supported under signing scheme %q", signingScheme)
 }
 }
diff --git a/signature/types_test.go b/signature/types_test.go
index 7a3ce963..74fe4ef3 100644
--- a/signature/types_test.go
+++ b/signature/types_test.go
@@ -69,12 +69,23 @@ func TestAuthenticSigningTime(t *testing.T) {
 t.Fatalf("expected %s, but got %s", testTime, authenticSigningTime)
 }
 
+ signerInfo = SignerInfo{
+ SignedAttributes: SignedAttributes{
+ SigningScheme: "notary.x509.signingAuthority",
+ },
+ }
+ expectedErrMsg := "authentic signing time must be present under signing scheme \"notary.x509.signingAuthority\""
+ _, err = signerInfo.AuthenticSigningTime()
+ if err == nil || err.Error() != expectedErrMsg {
+ t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+ }
+
 signerInfo = SignerInfo{
 SignedAttributes: SignedAttributes{
 SigningScheme: "notary.x509",
 },
 }
-expectedErrMsg := "authenticSigningTime not supported under signing scheme \"notary.x509\""
+expectedErrMsg = "authentic signing time not supported under signing scheme \"notary.x509\""
 _, err = signerInfo.AuthenticSigningTime()
 if err == nil || err.Error() != expectedErrMsg {
 t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
From 74ad57be772a91d147eafe2d452d1edfa6abf72f Mon Sep 17 00:00:00 2001
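Review bot: The new IsZero guard treats only the zero time.Time as "absent"; if the envelope parser that populates SignedAttributes.SigningTime represents a missing value any other way (for instance the Unix epoch), the guard will not fire — worth confirming against that parser, which is outside this hunk. Nothing here bounds the returned value either (a signing time in the future passes through), so the certificate-validity comparison that consumes it presumably lives in the verifier; that is fine as long as no caller reads this method as having validated the time. The doc comment directly above the function (outside this hunk, and touched again by patch 3) still documents only the notary.x509 error; add `// An error is also returned when the signing time is absent (zero) under notary.x509.signingAuthority.` so the new failure mode is visible without reading the body.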
From: Patrick Zheng
Date: Mon, 15 Jul 2024 16:34:11 +0800
Subject: [PATCH 3/3] updated per code review
Signed-off-by: Patrick Zheng
---
 signature/types.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/signature/types.go b/signature/types.go
index 702c54f8..df69236c 100644
--- a/signature/types.go
+++ b/signature/types.go
@@ -203,14 +203,15 @@ func (signerInfo *SignerInfo) ExtendedAttribute(key string) (Attribute, error) {
 // For signing scheme notary.x509, since it only supports authentic timestamp,
 // an error is returned.
 //
-// Reference: https://github.com/notaryproject/specifications/blob/main/specs/signature-specification.md#signing-time--authentic-signing-time
+// Reference: https://github.com/notaryproject/specifications/blob/3b0743cd9bb99faee60600dc31d706149775fd49/specs/signature-specification.md#signing-time--authentic-signing-time
 func (signerInfo *SignerInfo) AuthenticSigningTime() (time.Time, error) {
- switch signingScheme := signerInfo.SignedAttributes.SigningScheme; {
- case signingScheme == SigningSchemeX509SigningAuthority:
- if signerInfo.SignedAttributes.SigningTime.IsZero() {
+ switch signingScheme := signerInfo.SignedAttributes.SigningScheme; signingScheme {
+ case SigningSchemeX509SigningAuthority:
+ signingTime := signerInfo.SignedAttributes.SigningTime
+ if signingTime.IsZero() {
 return time.Time{}, fmt.Errorf("authentic signing time must be present under signing scheme %q", signingScheme)
 }
- return signerInfo.SignedAttributes.SigningTime, nil
+ return signingTime, nil
 default:
 return time.Time{}, fmt.Errorf("authentic signing time not supported under signing scheme %q", signingScheme)
 }