fix: change timestamp validation to return new required info fields

sdk/Cargo.toml

@@ -151,9 +151,10 @@ quick-xml = "0.37.1"
 rand = "0.8.5"
 rand_chacha = "0.3.1"
 range-set = "0.0.11"
-rasn = "0.22.0"
-rasn-ocsp = "0.22.0"
-rasn-pkix = "0.22.0"
+rasn = "0.26.0"
+rasn-cms = "0.26.0"
+rasn-ocsp = "0.26.0"
+rasn-pkix = "0.26.0"
 regex = "1.11"
 riff = "2.0.0"
 rsa = { version = "0.9.7", features = ["pem", "sha2", "std"], optional = true }

sdk/src/builder.rs

@@ -1523,7 +1523,7 @@ mod tests {
             "sample1.heic",
             "sample1.heif",
             "sample1.m4a",
-            "video1.mp4",
+            "video1_no_manifest.mp4",
             "cloud_manifest.c2pa", // we need a new test for this since it will always fail
         ];
         for file_name in TESTFILES {

sdk/src/claim.rs

@@ -39,6 +39,7 @@
     cbor_types::{map_cbor_to_type, value_cbor_to_type},
     cose_validator::{get_signing_info, get_signing_info_async, verify_cose, verify_cose_async},
     crypto::{
+        asn1::rfc3161::TstInfo,
         base64,
         cose::{parse_cose_sign1, CertificateInfo, CertificateTrustPolicy, OcspFetchPolicy},
         ocsp::OcspResponse,
@@ -53,8 +54,8 @@
         },
         labels::{
             assertion_label_from_uri, box_name_from_uri, manifest_label_from_uri,
-            manifest_label_to_parts, to_absolute_uri, to_assertion_uri, to_databox_uri, ASSERTIONS,
-            CLAIM, CREDENTIALS, DATABOX, DATABOXES, SIGNATURE,
+            manifest_label_to_parts, to_absolute_uri, to_assertion_uri, to_databox_uri,
+            to_signature_uri, ASSERTIONS, CLAIM, CREDENTIALS, DATABOX, DATABOXES, SIGNATURE,
         },
     },
     jumbf_io::get_assetio_handler,
@@ -1060,6 +1061,11 @@
         }
     }
 
+    /// true algorithm
+    pub fn alg_raw(&self) -> Option<&str> {
+        self.alg.as_deref()
+    }
+
     /// get soft algorithm
     pub fn alg_soft(&self) -> Option<&String> {
         self.alg_soft.as_ref()
@@ -1786,7 +1792,7 @@
         let data = claim.data()?;
 
         // use the signature uri as the current uri while validating the signature info
-        validation_log.push_current_uri(claim.signature.clone());
+        validation_log.push_current_uri(to_signature_uri(claim.label()));
 
         // make sure signature manifest if present points to this manifest
         let sig_box_err = match jumbf::labels::manifest_label_from_uri(&claim.signature) {
@@ -1799,7 +1805,7 @@
 
         if sig_box_err {
             log_item!(
-                claim.signature_uri(),
+                to_signature_uri(claim.label()),
                 "signature missing",
                 "verify_claim_async"
             )
@@ -1810,15 +1816,21 @@
         let sign1 = parse_cose_sign1(&sig, &data, validation_log)?;
 
         // check certificate revocation
-        check_ocsp_status(&sign1, &data, ctp, validation_log)?;
+        check_ocsp_status(
+            &sign1,
+            &data,
+            ctp,
+            svi.timestamps.get(claim.label()),
+            validation_log,
+        )?;
 
         let verified = verify_cose_async(
             &sig,
             &data,
             &additional_bytes,
             cert_check,
             ctp,
-            svi.timestamps.get(claim.label()).cloned(),
+            svi.timestamps.get(claim.label()),
             validation_log,
         )
         .await;
@@ -1844,7 +1856,7 @@
         let additional_bytes: Vec<u8> = Vec::new();
 
         // use the signature uri as the current uri while validating the signature info
-        validation_log.push_current_uri(claim.signature.clone());
+        validation_log.push_current_uri(to_signature_uri(claim.label()));
 
         // make sure signature manifest if present points to this manifest
         let sig_box_err = match jumbf::labels::manifest_label_from_uri(&claim.signature) {
@@ -1856,9 +1868,13 @@
         };
 
         if sig_box_err {
-            log_item!(claim.signature_uri(), "signature missing", "verify_claim")
-                .validation_status(validation_status::CLAIM_SIGNATURE_MISSING)
-                .failure(validation_log, Error::ClaimMissingSignatureBox)?;
+            log_item!(
+                to_signature_uri(claim.label()),
+                "signature missing",
+                "verify_claim"
+            )
+            .validation_status(validation_status::CLAIM_SIGNATURE_MISSING)
+            .failure(validation_log, Error::ClaimMissingSignatureBox)?;
         }
 
         let data = if let Some(ref original_bytes) = claim.original_bytes {
@@ -1870,15 +1886,21 @@
         let sign1 = parse_cose_sign1(sig, data, validation_log)?;
 
         // check certificate revocation
-        check_ocsp_status(&sign1, data, ctp, validation_log)?;
+        check_ocsp_status(
+            &sign1,
+            data,
+            ctp,
+            svi.timestamps.get(claim.label()),
+            validation_log,
+        )?;
 
         let verified = verify_cose(
             sig,
             data,
             &additional_bytes,
             cert_check,
             ctp,
-            svi.timestamps.get(claim.label()).cloned(),
+            svi.timestamps.get(claim.label()),
             validation_log,
         );
 
@@ -1941,6 +1963,9 @@
                     validation_log,
                     Error::ValidationRule("No Action array in Actions".into()),
                 )?;
+
+            // failure full stop
+            return Err(Error::ValidationRule("No Action array in Actions".into()));
         }
 
         // check Claim.v2 first action rules
@@ -2596,7 +2621,7 @@
             Ok(vi) => {
                 if !vi.validated {
                     log_item!(
-                        claim.signature_uri(),
+                        to_signature_uri(claim.label()),
                         "claim signature is not valid",
                         "verify_internal"
                     )
@@ -2605,7 +2630,7 @@
                 } else {
                     // signing cert has not expired
                     log_item!(
-                        claim.signature_uri(),
+                        to_signature_uri(claim.label()),
                         "claim signature valid",
                         "verify_internal"
                     )
@@ -2614,7 +2639,7 @@
 
                     // add signature validated status
                     log_item!(
-                        claim.signature_uri(),
+                        to_signature_uri(claim.label()),
                         "claim signature valid",
                         "verify_internal"
                     )
@@ -2625,7 +2650,7 @@
             Err(parse_err) => {
                 // handle case where lower level failed to log
                 log_item!(
-                    claim.signature_uri(),
+                    to_signature_uri(claim.label()),
                     "claim signature is not valid",
                     "verify_internal"
                 )
@@ -3792,6 +3817,7 @@
     sign1: &coset::CoseSign1,
     data: &[u8],
     ctp: &CertificateTrustPolicy,
+    tst_info: Option<&TstInfo>,
     validation_log: &mut StatusTracker,
 ) -> Result<OcspResponse> {
     // Moved here instead of c2pa-crypto because of the dependency on settings.
@@ -3807,6 +3833,7 @@
             data,
             fetch_policy,
             ctp,
+            tst_info,
             validation_log,
         )?)
     } else {
@@ -3815,6 +3842,7 @@
             data,
             fetch_policy,
             ctp,
+            tst_info,
             validation_log,
         )
         .await?)