From 0946840eee73c73c7c4c6eb7419d5ed2c3f0cf6a Mon Sep 17 00:00:00 2001
From: Zach Steindler <steiza@github.com>
Date: Thu, 14 Dec 2023 11:29:00 -0500
Subject: [PATCH] Use the trust root and bundle contents to construct
 verification policy (#42)

`test_verify_rejects_bad_tsa_timestamp`, which was added in
https://github.com/sigstore/sigstore-conformance/pull/112, expects us reject bundles that have a bad TSA timestamp when the trust root has TSA information in it.

---------

Signed-off-by: Zach Steindler <steiza@github.com>
---
 cmd/conformance/main.go | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
index 1db1d47e..18f376c0 100644
--- a/cmd/conformance/main.go
+++ b/cmd/conformance/main.go
@@ -221,12 +221,31 @@ func main() {
 		// Load trust root
 		tr := getTrustedRoot()
 
-		// Verify bundle
-		sev, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithSignedCertificateTimestamps(1))
+		verifierConfig := []verify.VerifierOption{}
+		verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))
+
+		// Check bundle and trusted root for signed timestamp information
+		bundleTimestamps, err := b.Timestamps()
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		if len(tr.TSACertificateAuthorities()) > 0 && len(bundleTimestamps) > 0 {
+			verifierConfig = append(verifierConfig, verify.WithSignedTimestamps(1))
+		}
+
+		// Check bundle and trusted root for Tlog information
+		if len(tr.TlogAuthorities()) > 0 && b.HasInclusionPromise() {
+			verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1))
+		}
+
+		sev, err := verify.NewSignedEntityVerifier(tr, verifierConfig...)
 		if err != nil {
 			log.Fatal(err)
 		}
 
+		// Verify bundle
 		_, err = sev.Verify(b, verify.NewPolicy(verify.WithArtifact(file), identityPolicies...))
 		if err != nil {
 			log.Fatal(err)