C2PA 2.1: Enhanced timestamp validation

[karlobencic]

• Added validation for C2PA spec v2.1 timestamp requirements in Signature class:
  • Enforce single timestamp requirement per spec
  • Add validation for timestamp falling within signer certificate validity period
  • Add validation for TSA certificates
• Added comprehensive test suite for timestamp validation in COSE signatures

[cyraxx]

In previous spec versions there was a remark that a validator should treat an invalid timestamp as non-existing and continue with the next one. Has this changed?

If there is now a strict requirement that there can be only one timestamp anyway, we can simplify some of the code (no more foreach needed).

[karlobencic]

In previous spec versions there was a remark that a validator should treat an invalid timestamp as non-existing and continue with the next one. Has this changed?

If there is now a strict requirement that there can be only one timestamp anyway, we can simplify some of the code (no more foreach needed).

This is mentioned in spec 2.1: "A manifest shall contain only one time-stamp. Previous versions of this specification allowed for multiple time-stamps to be included in a manifest."

Maybe we should only enforce this validation for timestamp v2 and allow multiple v1 signatures?