Merge all changes

src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs

@@ -44,7 +44,7 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
     {
         ArgumentNullException.ThrowIfNull(entry);
 
-        var signatureIssuer = await EvaluateSignatureAndIssuerAsync(entry, bundle, cancellationToken).ConfigureAwait(false);
+        var signatureIssuer = await EvaluateSignatureAndIssuerAsync(entry, bundle, evaluationTime, cancellationToken).ConfigureAwait(false);
         var freshness = EvaluateFreshness(entry, evaluationTime);
         var transparency = EvaluateTransparency(entry);
         var policy = EvaluatePolicy(entry, signatureIssuer.Signatures, signatureIssuer.Issuer, freshness, transparency, bundle is not null);
@@ -55,6 +55,7 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
     private async Task<(SignatureEvaluationResult Signatures, IssuerEvaluationResult Issuer)> EvaluateSignatureAndIssuerAsync(
         AttestorEntry entry,
         AttestorSubmissionRequest.SubmissionBundle? bundle,
+        DateTimeOffset evaluationTime,
         CancellationToken cancellationToken)
     {
         var signatureIssues = new List<string>();
@@ -178,7 +179,7 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
                 break;
 
             case "keyless":
-                var keylessResult = EvaluateKeylessSignature(entry, bundle, preAuth, signatureIssues, issuerIssues);
+                var keylessResult = EvaluateKeylessSignature(entry, bundle, preAuth, signatureIssues, issuerIssues, evaluationTime);
                 verifiedSignatures = keylessResult.VerifiedSignatures;
                 subjectAlternativeName = keylessResult.SubjectAlternativeName;
                 break;
@@ -270,7 +271,8 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
         AttestorSubmissionRequest.SubmissionBundle bundle,
         byte[] preAuthEncoding,
         List<string> signatureIssues,
-        List<string> issuerIssues)
+        List<string> issuerIssues,
+        DateTimeOffset evaluationTime)
     {
         if (bundle.CertificateChain.Count == 0)
         {
@@ -296,46 +298,47 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
         var leafCertificate = certificates[0];
         var subjectAltName = GetSubjectAlternativeNames(leafCertificate).FirstOrDefault();
 
-            if (_options.Security.SignerIdentity.FulcioRoots.Count > 0)
+        if (_options.Security.SignerIdentity.FulcioRoots.Count > 0)
+        {
+            using var chain = new X509Chain
             {
-                using var chain = new X509Chain
-                {
-                    ChainPolicy =
+                ChainPolicy =
                 {
                     RevocationMode = X509RevocationMode.NoCheck,
                     VerificationFlags = X509VerificationFlags.NoFlag,
-                    TrustMode = X509ChainTrustMode.CustomRootTrust
+                    TrustMode = X509ChainTrustMode.CustomRootTrust,
+                    VerificationTime = evaluationTime.UtcDateTime
                 }
             };
 
-                foreach (var rootPath in _options.Security.SignerIdentity.FulcioRoots)
+            foreach (var rootPath in _options.Security.SignerIdentity.FulcioRoots)
+            {
+                try
                 {
-                    try
+                    if (File.Exists(rootPath))
                     {
-                        if (File.Exists(rootPath))
-                        {
-                            var rootCertificate = X509CertificateLoader.LoadCertificateFromFile(rootPath);
-                            chain.ChainPolicy.CustomTrustStore.Add(rootCertificate);
-                        }
-                    }
-                    catch (Exception ex)
-                    {
-                        _logger.LogWarning(ex, "Failed to load Fulcio root {Root}", rootPath);
+                        var rootCertificate = X509CertificateLoader.LoadCertificateFromFile(rootPath);
+                        chain.ChainPolicy.CustomTrustStore.Add(rootCertificate);
                     }
                 }
-
-                for (var i = 1; i < certificates.Count; i++)
+                catch (Exception ex)
                 {
-                    chain.ChainPolicy.ExtraStore.Add(certificates[i]);
-                }
-
-                if (!chain.Build(leafCertificate))
-                {
-                    var status = string.Join(";", chain.ChainStatus.Select(s => s.StatusInformation.Trim())).Trim(';');
-                    issuerIssues.Add(string.IsNullOrEmpty(status) ? "certificate_chain_untrusted" : $"certificate_chain_untrusted:{status}");
+                    _logger.LogWarning(ex, "Failed to load Fulcio root {Root}", rootPath);
                 }
             }
 
+            for (var i = 1; i < certificates.Count; i++)
+            {
+                chain.ChainPolicy.ExtraStore.Add(certificates[i]);
+            }
+
+            if (!chain.Build(leafCertificate))
+            {
+                var status = string.Join(";", chain.ChainStatus.Select(s => s.StatusInformation.Trim())).Trim(';');
+                issuerIssues.Add(string.IsNullOrEmpty(status) ? "certificate_chain_untrusted" : $"certificate_chain_untrusted:{status}");
+            }
+        }
+
         if (_options.Security.SignerIdentity.AllowedSans.Count > 0)
         {
             var sans = GetSubjectAlternativeNames(leafCertificate);