diff -pruN 1.1.0-6/.github/.codecov.yml 1.3.0-1/.github/.codecov.yml --- 1.1.0-6/.github/.codecov.yml 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/.github/.codecov.yml 2025-10-31 12:58:40.000000000 +0000 @@ -15,4 +15,7 @@ coverage: status: project: default: - target: 89% \ No newline at end of file + target: 89% + patch: + default: + target: 90% \ No newline at end of file diff -pruN 1.1.0-6/.github/workflows/reusable-build.yml 1.3.0-1/.github/workflows/reusable-build.yml --- 1.1.0-6/.github/workflows/reusable-build.yml 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/.github/workflows/reusable-build.yml 2025-10-31 12:58:40.000000000 +0000 @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: ["1.22", "1.23"] + go-version: ["1.23", "1.24"] fail-fast: true steps: - name: Checkout @@ -37,6 +37,6 @@ jobs: - name: Run unit tests run: make test - name: Upload coverage to codecov.io - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@v5 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} \ No newline at end of file diff -pruN 1.1.0-6/.github/workflows/reusable-codeql.yml 1.3.0-1/.github/workflows/reusable-codeql.yml --- 1.1.0-6/.github/workflows/reusable-codeql.yml 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/.github/workflows/reusable-codeql.yml 2025-10-31 12:58:40.000000000 +0000 @@ -26,7 +26,7 @@ jobs: security-events: write strategy: matrix: - go-version: ["1.22", "1.23"] + go-version: ["1.23", "1.24"] fail-fast: false steps: - name: Checkout repository diff -pruN 1.1.0-6/.github/workflows/reusable-license-checker.yml 1.3.0-1/.github/workflows/reusable-license-checker.yml --- 1.1.0-6/.github/workflows/reusable-license-checker.yml 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/.github/workflows/reusable-license-checker.yml 2025-10-31 12:58:40.000000000 +0000 @@ -23,13 +23,13 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Check license header - uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91 + uses: apache/skywalking-eyes/header@5c5b974209f0de5d905f37deb69369068ebfc15c with: mode: check config: .github/licenserc.yml - name: Check dependencies license - uses: apache/skywalking-eyes/dependency@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91 + uses: apache/skywalking-eyes/dependency@5c5b974209f0de5d905f37deb69369068ebfc15c with: config: .github/licenserc.yml flags: diff -pruN 1.1.0-6/Makefile 1.3.0-1/Makefile --- 1.1.0-6/Makefile 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/Makefile 2025-10-31 12:58:40.000000000 +0000 @@ -29,7 +29,7 @@ clean: .PHONY: check-line-endings check-line-endings: ## check line endings ! find . -name "*.go" -type f -exec file "{}" ";" | grep CRLF - ! find scripts -name "*.sh" -type f -exec file "{}" ";" | grep CRLF + ! find . -name "*.sh" -type f -exec file "{}" ";" | grep CRLF .PHONY: fix-line-endings fix-line-endings: ## fix line endings diff -pruN 1.1.0-6/debian/changelog 1.3.0-1/debian/changelog --- 1.1.0-6/debian/changelog 2024-12-28 20:59:49.000000000 +0000 +++ 1.3.0-1/debian/changelog 2025-10-31 13:05:20.000000000 +0000 @@ -1,3 +1,24 @@ +golang-github-notaryproject-notation-core-go (1.3.0-1) unstable; urgency=medium + + * Team upload. + * Use watch v5. + * New upstream version 1.3.0 + * Drop upstreamed tsa-cert-chain fix. + * Drop unneeded auto-gitignore patch. + * Bump debian/* copyright years. + * Drop Rules-Requires-Root: no. + * Standards-Version: 4.7.2. + * Refresh patch. + + -- Simon Josefsson Fri, 31 Oct 2025 14:05:20 +0100 + +golang-github-notaryproject-notation-core-go (1.1.0-7) experimental; urgency=medium + + * fix: add tsa cert chain revocation check after timestamping (#246) + Needed for CVE-2024-56138 + + -- Reinhard Tartler Sat, 31 May 2025 12:52:39 -0400 + golang-github-notaryproject-notation-core-go (1.1.0-6) unstable; urgency=medium * Increase timeout for golang tests further (30min) diff -pruN 1.1.0-6/debian/control 1.3.0-1/debian/control --- 1.1.0-6/debian/control 2024-12-28 20:59:49.000000000 +0000 +++ 1.3.0-1/debian/control 2025-10-31 13:05:20.000000000 +0000 @@ -3,7 +3,6 @@ Section: golang Priority: optional Maintainer: Debian Go Packaging Team Uploaders: Reinhard Tartler -Rules-Requires-Root: no Build-Depends: debhelper-compat (= 13), dh-sequence-golang, golang-any, @@ -13,7 +12,7 @@ Build-Depends: debhelper-compat (= 13), golang-github-veraison-go-cose-dev, golang-golang-x-crypto-dev Testsuite: autopkgtest-pkg-go -Standards-Version: 4.6.2 +Standards-Version: 4.7.2 Vcs-Browser: https://salsa.debian.org/go-team/packages/golang-github-notaryproject-notation-core-go Vcs-Git: https://salsa.debian.org/go-team/packages/golang-github-notaryproject-notation-core-go.git Homepage: https://github.com/notaryproject/notation-core-go diff -pruN 1.1.0-6/debian/copyright 1.3.0-1/debian/copyright --- 1.1.0-6/debian/copyright 2024-12-28 20:59:49.000000000 +0000 +++ 1.3.0-1/debian/copyright 2025-10-31 13:05:20.000000000 +0000 @@ -8,6 +8,7 @@ License: Apache-2.0 Files: debian/* Copyright: 2024 Reinhard Tartler + 2025 Simon Josefsson License: Apache-2.0 Comment: Debian packaging is licensed under the same terms as upstream diff -pruN 1.1.0-6/debian/patches/0001-Skip-tests-that-fail-to-connect-to-the-internet.patch 1.3.0-1/debian/patches/0001-Skip-tests-that-fail-to-connect-to-the-internet.patch --- 1.1.0-6/debian/patches/0001-Skip-tests-that-fail-to-connect-to-the-internet.patch 2024-12-28 20:59:49.000000000 +0000 +++ 1.3.0-1/debian/patches/0001-Skip-tests-that-fail-to-connect-to-the-internet.patch 2025-10-31 13:05:20.000000000 +0000 @@ -1,6 +1,7 @@ From: Reinhard Tartler Date: Thu, 19 Dec 2024 18:08:47 -0500 Subject: Skip tests that fail to connect to the internet +Forwarded: not-needed --- internal/timestamp/timestamp_test.go | 4 ++-- @@ -9,41 +10,83 @@ Subject: Skip tests that fail to connect 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/timestamp/timestamp_test.go b/internal/timestamp/timestamp_test.go -index 6c1da88..2757ddb 100644 +index 0c551cc..8131187 100644 --- a/internal/timestamp/timestamp_test.go +++ b/internal/timestamp/timestamp_test.go -@@ -43,7 +43,7 @@ func TestTimestamp(t *testing.T) { - // --------------- Success case ---------------------------------- - timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) - if err != nil { -- t.Fatal(err) -+ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) - } - req := &signature.SignRequest{ - Timestamper: timestamper, -@@ -55,7 +55,7 @@ func TestTimestamp(t *testing.T) { - } - _, err = Timestamp(req, opts) - if err != nil { -- t.Fatal(err) -+ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) - } +@@ -47,7 +47,7 @@ func TestTimestamp(t *testing.T) { + t.Run("Timestamping success", func(t *testing.T) { + timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) + if err != nil { +- t.Fatal(err) ++ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) + } + req := &signature.SignRequest{ + Timestamper: timestamper, +@@ -59,7 +59,7 @@ func TestTimestamp(t *testing.T) { + } + _, err = Timestamp(req, opts) + if err != nil { +- t.Fatal(err) ++ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) + } + }) + +@@ -133,7 +133,7 @@ func TestTimestamp(t *testing.T) { + t.Run("Timestamping revocation failed", func(t *testing.T) { + timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) + if err != nil { +- t.Fatal(err) ++ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) + } + req := &signature.SignRequest{ + Timestamper: timestamper, +@@ -146,15 +146,16 @@ func TestTimestamp(t *testing.T) { + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } +- expectedErr := "failed to validate the revocation status of timestamping certificate chain with error: failed in ValidateContext" + _, err = Timestamp(req, opts) +- assertErrorEqual(expectedErr, err, t) ++ if err != nil { ++ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) ++ } + }) + + t.Run("Timestamping certificate revoked", func(t *testing.T) { + timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) + if err != nil { +- t.Fatal(err) ++ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) + } + req := &signature.SignRequest{ + Timestamper: timestamper, +@@ -167,9 +168,10 @@ func TestTimestamp(t *testing.T) { + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } +- expectedErr := `timestamping certificate with subject "CN=DigiCert Timestamp 2024,O=DigiCert,C=US" is revoked` + _, err = Timestamp(req, opts) +- assertErrorEqual(expectedErr, err, t) ++ if err != nil { ++ t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) ++ } + }) - // ------------- Failure cases ------------------------ + } diff --git a/signature/cose/envelope_test.go b/signature/cose/envelope_test.go -index b9f2c11..bccae19 100644 +index d7faa96..a80b877 100644 --- a/signature/cose/envelope_test.go +++ b/signature/cose/envelope_test.go -@@ -135,7 +135,7 @@ func TestSign(t *testing.T) { +@@ -136,7 +136,7 @@ func TestSign(t *testing.T) { } signRequest.Timestamper, err = tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) if err != nil { - t.Fatal(err) + t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) } - rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.crt") + rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.cer") if err != nil || len(rootCerts) == 0 { -@@ -147,7 +147,7 @@ func TestSign(t *testing.T) { +@@ -148,7 +148,7 @@ func TestSign(t *testing.T) { signRequest.TSARootCAs = rootCAs encoded, err := env.Sign(signRequest) if err != nil || encoded == nil { @@ -53,19 +96,19 @@ index b9f2c11..bccae19 100644 content, err := env.Content() if err != nil { diff --git a/signature/jws/envelope_test.go b/signature/jws/envelope_test.go -index 4d76516..d8f59a8 100644 +index d2ca93d..bafe19c 100644 --- a/signature/jws/envelope_test.go +++ b/signature/jws/envelope_test.go -@@ -341,7 +341,7 @@ func TestSignWithTimestamp(t *testing.T) { +@@ -339,7 +339,7 @@ func TestSignWithTimestamp(t *testing.T) { signReq.Timestamper, err = tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) if err != nil { - t.Fatal(err) + t.Skipf("Failed to connect to %s: %v", rfc3161TSAurl, err) } - rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.crt") + rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.cer") if err != nil || len(rootCerts) == 0 { -@@ -354,7 +354,7 @@ func TestSignWithTimestamp(t *testing.T) { +@@ -352,7 +352,7 @@ func TestSignWithTimestamp(t *testing.T) { env := envelope{} encoded, err := env.Sign(signReq) if err != nil || encoded == nil { diff -pruN 1.1.0-6/debian/patches/auto-gitignore 1.3.0-1/debian/patches/auto-gitignore --- 1.1.0-6/debian/patches/auto-gitignore 2024-12-28 20:59:49.000000000 +0000 +++ 1.3.0-1/debian/patches/auto-gitignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,21 +0,0 @@ -Subject: Update .gitignore from Debian packaging branch - -The Debian packaging git branch contains these updates to the upstream -.gitignore file(s). This patch is autogenerated, to provide these -updates to users of the official Debian archive view of the package. - -[dgit (11.11) update-gitignore] ---- -diff --git a/.gitignore b/.gitignore -index 37fa510..9fee1c3 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -15,4 +15,6 @@ - .vscode - - # Custom --coverage.txt -\ No newline at end of file -+coverage.txt -+/.pc/ -+/_build/ diff -pruN 1.1.0-6/debian/patches/series 1.3.0-1/debian/patches/series --- 1.1.0-6/debian/patches/series 2024-12-28 20:59:49.000000000 +0000 +++ 1.3.0-1/debian/patches/series 2025-10-31 13:05:20.000000000 +0000 @@ -1,2 +1 @@ 0001-Skip-tests-that-fail-to-connect-to-the-internet.patch -auto-gitignore diff -pruN 1.1.0-6/debian/watch 1.3.0-1/debian/watch --- 1.1.0-6/debian/watch 2024-12-28 20:59:49.000000000 +0000 +++ 1.3.0-1/debian/watch 2025-10-31 13:05:20.000000000 +0000 @@ -1,4 +1,4 @@ -version=4 -opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%,\ - uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/$1~$2$3/" \ - https://github.com/notaryproject/notation-core-go/tags .*/v?(\d\S*)\.tar\.gz debian +Version: 5 +Template: Github +Owner: notaryproject +Project: notation-core-go diff -pruN 1.1.0-6/go.mod 1.3.0-1/go.mod --- 1.1.0-6/go.mod 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/go.mod 2025-10-31 12:58:40.000000000 +0000 @@ -1,13 +1,13 @@ module github.com/notaryproject/notation-core-go -go 1.22 +go 1.23.0 require ( - github.com/fxamacker/cbor/v2 v2.7.0 - github.com/golang-jwt/jwt/v4 v4.5.0 - github.com/notaryproject/tspclient-go v0.2.0 - github.com/veraison/go-cose v1.1.0 - golang.org/x/crypto v0.26.0 + github.com/fxamacker/cbor/v2 v2.8.0 + github.com/golang-jwt/jwt/v4 v4.5.2 + github.com/notaryproject/tspclient-go v1.0.0 + github.com/veraison/go-cose v1.3.0 + golang.org/x/crypto v0.37.0 ) require github.com/x448/float16 v0.8.4 // indirect diff -pruN 1.1.0-6/go.sum 1.3.0-1/go.sum --- 1.1.0-6/go.sum 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/go.sum 2025-10-31 12:58:40.000000000 +0000 @@ -1,12 +1,12 @@ -github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= -github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= -github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ= -github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= -github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o= -github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= +github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= +github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= +github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/notaryproject/tspclient-go v1.0.0 h1:AwQ4x0gX8IHnyiZB1tggpn5NFqHpTEm1SDX8YNv4Dg4= +github.com/notaryproject/tspclient-go v1.0.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk= +github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE= +golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc= diff -pruN 1.1.0-6/internal/algorithm/algorithm.go 1.3.0-1/internal/algorithm/algorithm.go --- 1.1.0-6/internal/algorithm/algorithm.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/internal/algorithm/algorithm.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,121 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package algorithm includes signature algorithms accepted by Notary Project +package algorithm + +import ( + "crypto" + "crypto/ecdsa" + "crypto/rsa" + "crypto/x509" + "errors" + "fmt" +) + +// Algorithm defines the signature algorithm. +type Algorithm int + +// Signature algorithms supported by this library. +// +// Reference: https://github.com/notaryproject/notaryproject/blob/main/specs/signature-specification.md#algorithm-selection +const ( + AlgorithmPS256 Algorithm = 1 + iota // RSASSA-PSS with SHA-256 + AlgorithmPS384 // RSASSA-PSS with SHA-384 + AlgorithmPS512 // RSASSA-PSS with SHA-512 + AlgorithmES256 // ECDSA on secp256r1 with SHA-256 + AlgorithmES384 // ECDSA on secp384r1 with SHA-384 + AlgorithmES512 // ECDSA on secp521r1 with SHA-512 +) + +// Hash returns the hash function of the algorithm. +func (alg Algorithm) Hash() crypto.Hash { + switch alg { + case AlgorithmPS256, AlgorithmES256: + return crypto.SHA256 + case AlgorithmPS384, AlgorithmES384: + return crypto.SHA384 + case AlgorithmPS512, AlgorithmES512: + return crypto.SHA512 + } + return 0 +} + +// KeyType defines the key type. +type KeyType int + +const ( + KeyTypeRSA KeyType = 1 + iota // KeyType RSA + KeyTypeEC // KeyType EC +) + +// KeySpec defines a key type and size. +type KeySpec struct { + // KeyType is the type of the key. + Type KeyType + + // KeySize is the size of the key in bits. + Size int +} + +// SignatureAlgorithm returns the signing algorithm associated with the KeySpec. +func (k KeySpec) SignatureAlgorithm() Algorithm { + switch k.Type { + case KeyTypeEC: + switch k.Size { + case 256: + return AlgorithmES256 + case 384: + return AlgorithmES384 + case 521: + return AlgorithmES512 + } + case KeyTypeRSA: + switch k.Size { + case 2048: + return AlgorithmPS256 + case 3072: + return AlgorithmPS384 + case 4096: + return AlgorithmPS512 + } + } + return 0 +} + +// ExtractKeySpec extracts KeySpec from the signing certificate. +func ExtractKeySpec(signingCert *x509.Certificate) (KeySpec, error) { + switch key := signingCert.PublicKey.(type) { + case *rsa.PublicKey: + switch bitSize := key.Size() << 3; bitSize { + case 2048, 3072, 4096: + return KeySpec{ + Type: KeyTypeRSA, + Size: bitSize, + }, nil + default: + return KeySpec{}, fmt.Errorf("rsa key size %d bits is not supported", bitSize) + } + case *ecdsa.PublicKey: + switch bitSize := key.Curve.Params().BitSize; bitSize { + case 256, 384, 521: + return KeySpec{ + Type: KeyTypeEC, + Size: bitSize, + }, nil + default: + return KeySpec{}, fmt.Errorf("ecdsa key size %d bits is not supported", bitSize) + } + } + return KeySpec{}, errors.New("unsupported public key type") +} diff -pruN 1.1.0-6/internal/algorithm/algorithm_test.go 1.3.0-1/internal/algorithm/algorithm_test.go --- 1.1.0-6/internal/algorithm/algorithm_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/internal/algorithm/algorithm_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,244 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package algorithm + +import ( + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "reflect" + "strconv" + "testing" + + "github.com/notaryproject/notation-core-go/testhelper" +) + +func TestHash(t *testing.T) { + tests := []struct { + name string + alg Algorithm + expect crypto.Hash + }{ + { + name: "PS256", + alg: AlgorithmPS256, + expect: crypto.SHA256, + }, + { + name: "ES256", + alg: AlgorithmES256, + expect: crypto.SHA256, + }, + { + name: "PS384", + alg: AlgorithmPS384, + expect: crypto.SHA384, + }, + { + name: "ES384", + alg: AlgorithmES384, + expect: crypto.SHA384, + }, + { + name: "PS512", + alg: AlgorithmPS512, + expect: crypto.SHA512, + }, + { + name: "ES512", + alg: AlgorithmES512, + expect: crypto.SHA512, + }, + { + name: "UnsupportedAlgorithm", + alg: 0, + expect: 0, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + hash := tt.alg.Hash() + if hash != tt.expect { + t.Fatalf("Expected %v, got %v", tt.expect, hash) + } + }) + } +} + +func TestSignatureAlgorithm(t *testing.T) { + tests := []struct { + name string + keySpec KeySpec + expect Algorithm + }{ + { + name: "EC 256", + keySpec: KeySpec{ + Type: KeyTypeEC, + Size: 256, + }, + expect: AlgorithmES256, + }, + { + name: "EC 384", + keySpec: KeySpec{ + Type: KeyTypeEC, + Size: 384, + }, + expect: AlgorithmES384, + }, + { + name: "EC 521", + keySpec: KeySpec{ + Type: KeyTypeEC, + Size: 521, + }, + expect: AlgorithmES512, + }, + { + name: "RSA 2048", + keySpec: KeySpec{ + Type: KeyTypeRSA, + Size: 2048, + }, + expect: AlgorithmPS256, + }, + { + name: "RSA 3072", + keySpec: KeySpec{ + Type: KeyTypeRSA, + Size: 3072, + }, + expect: AlgorithmPS384, + }, + { + name: "RSA 4096", + keySpec: KeySpec{ + Type: KeyTypeRSA, + Size: 4096, + }, + expect: AlgorithmPS512, + }, + { + name: "Unsupported key spec", + keySpec: KeySpec{ + Type: 0, + Size: 0, + }, + expect: 0, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + alg := tt.keySpec.SignatureAlgorithm() + if alg != tt.expect { + t.Errorf("unexpected signature algorithm: %v, expect: %v", alg, tt.expect) + } + }) + } +} + +func TestExtractKeySpec(t *testing.T) { + type testCase struct { + name string + cert *x509.Certificate + expect KeySpec + expectErr bool + } + // invalid cases + tests := []testCase{ + { + name: "RSA wrong size", + cert: testhelper.GetUnsupportedRSACert().Cert, + expect: KeySpec{}, + expectErr: true, + }, + { + name: "ECDSA wrong size", + cert: testhelper.GetUnsupportedECCert().Cert, + expect: KeySpec{}, + expectErr: true, + }, + { + name: "Unsupported type", + cert: &x509.Certificate{ + PublicKey: ed25519.PublicKey{}, + }, + expect: KeySpec{}, + expectErr: true, + }, + } + + // append valid RSA cases + for _, k := range []int{2048, 3072, 4096} { + rsaRoot := testhelper.GetRSARootCertificate() + priv, _ := rsa.GenerateKey(rand.Reader, k) + + certTuple := testhelper.GetRSACertTupleWithPK( + priv, + "Test RSA_"+strconv.Itoa(priv.Size()), + &rsaRoot, + ) + tests = append(tests, testCase{ + name: "RSA " + strconv.Itoa(k), + cert: certTuple.Cert, + expect: KeySpec{ + Type: KeyTypeRSA, + Size: k, + }, + expectErr: false, + }) + } + + // append valid EDCSA cases + for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} { + ecdsaRoot := testhelper.GetECRootCertificate() + priv, _ := ecdsa.GenerateKey(curve, rand.Reader) + bitSize := priv.Params().BitSize + + certTuple := testhelper.GetECDSACertTupleWithPK( + priv, + "Test EC_"+strconv.Itoa(bitSize), + &ecdsaRoot, + ) + tests = append(tests, testCase{ + name: "EC " + strconv.Itoa(bitSize), + cert: certTuple.Cert, + expect: KeySpec{ + Type: KeyTypeEC, + Size: bitSize, + }, + expectErr: false, + }) + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + keySpec, err := ExtractKeySpec(tt.cert) + + if (err != nil) != tt.expectErr { + t.Errorf("error = %v, expectErr = %v", err, tt.expectErr) + } + if !reflect.DeepEqual(keySpec, tt.expect) { + t.Errorf("expect %+v, got %+v", tt.expect, keySpec) + } + }) + } +} Binary files 1.1.0-6/internal/timestamp/testdata/TimeStampToken.p7s and 1.3.0-1/internal/timestamp/testdata/TimeStampToken.p7s differ Binary files 1.1.0-6/internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s and 1.3.0-1/internal/timestamp/testdata/TimeStampTokenWithInvalidTSTInfo.p7s differ Binary files 1.1.0-6/internal/timestamp/testdata/tsaRootCert.cer and 1.3.0-1/internal/timestamp/testdata/tsaRootCert.cer differ Binary files 1.1.0-6/internal/timestamp/testdata/tsaRootCert.crt and 1.3.0-1/internal/timestamp/testdata/tsaRootCert.crt differ diff -pruN 1.1.0-6/internal/timestamp/timestamp.go 1.3.0-1/internal/timestamp/timestamp.go --- 1.1.0-6/internal/timestamp/timestamp.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/internal/timestamp/timestamp.go 2025-10-31 12:58:40.000000000 +0000 @@ -16,7 +16,11 @@ package timestamp import ( "crypto/x509" + "errors" + "fmt" + "github.com/notaryproject/notation-core-go/revocation" + "github.com/notaryproject/notation-core-go/revocation/result" "github.com/notaryproject/notation-core-go/signature" nx509 "github.com/notaryproject/notation-core-go/x509" "github.com/notaryproject/tspclient-go" @@ -43,17 +47,8 @@ func Timestamp(req *signature.SignReques if err != nil { return nil, err } - info, err := token.Info() - if err != nil { - return nil, err - } - timestamp, err := info.Validate(opts.Content) - if err != nil { - return nil, err - } tsaCertChain, err := token.Verify(ctx, x509.VerifyOptions{ - CurrentTime: timestamp.Value, - Roots: req.TSARootCAs, + Roots: req.TSARootCAs, }) if err != nil { return nil, err @@ -61,5 +56,54 @@ func Timestamp(req *signature.SignReques if err := nx509.ValidateTimestampingCertChain(tsaCertChain); err != nil { return nil, err } + // certificate chain revocation check after timestamping + if req.TSARevocationValidator != nil { + certResults, err := req.TSARevocationValidator.ValidateContext(ctx, revocation.ValidateContextOptions{ + CertChain: tsaCertChain, + }) + if err != nil { + return nil, fmt.Errorf("failed to validate the revocation status of timestamping certificate chain with error: %w", err) + } + if err := revocationResult(certResults, tsaCertChain); err != nil { + return nil, err + } + } return resp.TimestampToken.FullBytes, nil } + +// revocationResult returns an error if any cert in the cert chain has +// a revocation status other than ResultOK or ResultNonRevokable. +// When ResultRevoked presents, always return the revoked error. +func revocationResult(certResults []*result.CertRevocationResult, certChain []*x509.Certificate) error { + //sanity check + if len(certResults) == 0 { + return errors.New("certificate revocation result cannot be empty") + } + if len(certResults) != len(certChain) { + return fmt.Errorf("length of certificate revocation result %d does not match length of the certificate chain %d", len(certResults), len(certChain)) + } + + numOKResults := 0 + var problematicCertSubject string + var hasUnknownResult bool + for i := len(certResults) - 1; i >= 0; i-- { + cert := certChain[i] + certResult := certResults[i] + if certResult.Result == result.ResultOK || certResult.Result == result.ResultNonRevokable { + numOKResults++ + } else { + if certResult.Result == result.ResultRevoked { // revoked + return fmt.Errorf("timestamping certificate with subject %q is revoked", cert.Subject.String()) + } + if !hasUnknownResult { // unknown + // not returning because a following cert can be revoked + problematicCertSubject = cert.Subject.String() + hasUnknownResult = true + } + } + } + if numOKResults != len(certResults) { + return fmt.Errorf("timestamping certificate with subject %q revocation status is unknown", problematicCertSubject) + } + return nil +} diff -pruN 1.1.0-6/internal/timestamp/timestamp_test.go 1.3.0-1/internal/timestamp/timestamp_test.go --- 1.1.0-6/internal/timestamp/timestamp_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/internal/timestamp/timestamp_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -17,22 +17,25 @@ import ( "context" "crypto" "crypto/x509" + "crypto/x509/pkix" "encoding/asn1" "errors" "os" "strings" "testing" + "github.com/notaryproject/notation-core-go/revocation" + "github.com/notaryproject/notation-core-go/revocation/result" "github.com/notaryproject/notation-core-go/signature" nx509 "github.com/notaryproject/notation-core-go/x509" "github.com/notaryproject/tspclient-go" "github.com/notaryproject/tspclient-go/pki" ) -const rfc3161TSAurl = "http://rfc3161timestamp.globalsign.com/advanced" +const rfc3161TSAurl = "http://timestamp.digicert.com" func TestTimestamp(t *testing.T) { - rootCerts, err := nx509.ReadCertificateFile("testdata/tsaRootCert.crt") + rootCerts, err := nx509.ReadCertificateFile("testdata/tsaRootCert.cer") if err != nil || len(rootCerts) == 0 { t.Fatal("failed to read root CA certificate:", err) } @@ -41,96 +44,261 @@ func TestTimestamp(t *testing.T) { rootCAs.AddCert(rootCert) // --------------- Success case ---------------------------------- - timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) - if err != nil { - t.Fatal(err) - } - req := &signature.SignRequest{ - Timestamper: timestamper, - TSARootCAs: rootCAs, - } - opts := tspclient.RequestOptions{ - Content: []byte("notation"), - HashAlgorithm: crypto.SHA256, - } - _, err = Timestamp(req, opts) - if err != nil { - t.Fatal(err) - } + t.Run("Timestamping success", func(t *testing.T) { + timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) + if err != nil { + t.Fatal(err) + } + req := &signature.SignRequest{ + Timestamper: timestamper, + TSARootCAs: rootCAs, + } + opts := tspclient.RequestOptions{ + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } + _, err = Timestamp(req, opts) + if err != nil { + t.Fatal(err) + } + }) // ------------- Failure cases ------------------------ - opts = tspclient.RequestOptions{ - Content: []byte("notation"), - HashAlgorithm: crypto.SHA1, - } - expectedErr := "malformed timestamping request: unsupported hashing algorithm: SHA-1" - _, err = Timestamp(req, opts) - assertErrorEqual(expectedErr, err, t) - - req = &signature.SignRequest{ - Timestamper: dummyTimestamper{}, - TSARootCAs: rootCAs, - } - opts = tspclient.RequestOptions{ - Content: []byte("notation"), - HashAlgorithm: crypto.SHA256, - NoNonce: true, - } - expectedErr = "failed to timestamp" - _, err = Timestamp(req, opts) - if err == nil || !strings.Contains(err.Error(), expectedErr) { - t.Fatalf("expected error message to contain %s, but got %v", expectedErr, err) - } - - req = &signature.SignRequest{ - Timestamper: dummyTimestamper{ - respWithRejectedStatus: true, + t.Run("Timestamping SHA-1", func(t *testing.T) { + timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) + if err != nil { + t.Fatal(err) + } + req := &signature.SignRequest{ + Timestamper: timestamper, + TSARootCAs: rootCAs, + } + opts := tspclient.RequestOptions{ + Content: []byte("notation"), + HashAlgorithm: crypto.SHA1, + } + expectedErr := "malformed timestamping request: unsupported hashing algorithm: SHA-1" + _, err = Timestamp(req, opts) + assertErrorEqual(expectedErr, err, t) + }) + + t.Run("Timestamping failed", func(t *testing.T) { + req := &signature.SignRequest{ + Timestamper: dummyTimestamper{}, + TSARootCAs: rootCAs, + } + opts := tspclient.RequestOptions{ + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } + expectedErr := "failed to timestamp" + _, err = Timestamp(req, opts) + if err == nil || !strings.Contains(err.Error(), expectedErr) { + t.Fatalf("expected error message to contain %s, but got %v", expectedErr, err) + } + }) + + t.Run("Timestamping rejected", func(t *testing.T) { + req := &signature.SignRequest{ + Timestamper: dummyTimestamper{ + respWithRejectedStatus: true, + }, + TSARootCAs: rootCAs, + } + opts := tspclient.RequestOptions{ + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } + expectedErr := "invalid timestamping response: invalid response with status code 2: rejected" + _, err = Timestamp(req, opts) + assertErrorEqual(expectedErr, err, t) + }) + + t.Run("Timestamping with cms verification failure", func(t *testing.T) { + opts := tspclient.RequestOptions{ + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } + req := &signature.SignRequest{ + Timestamper: dummyTimestamper{ + invalidSignature: true, + }, + TSARootCAs: rootCAs, + } + expectedErr := "failed to verify signed token: cms verification failure: x509: certificate signed by unknown authority" + _, err = Timestamp(req, opts) + assertErrorEqual(expectedErr, err, t) + }) + + t.Run("Timestamping revocation failed", func(t *testing.T) { + timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) + if err != nil { + t.Fatal(err) + } + req := &signature.SignRequest{ + Timestamper: timestamper, + TSARootCAs: rootCAs, + TSARevocationValidator: &dummyTSARevocationValidator{ + failOnValidate: true, + }, + } + opts := tspclient.RequestOptions{ + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } + expectedErr := "failed to validate the revocation status of timestamping certificate chain with error: failed in ValidateContext" + _, err = Timestamp(req, opts) + assertErrorEqual(expectedErr, err, t) + }) + + t.Run("Timestamping certificate revoked", func(t *testing.T) { + timestamper, err := tspclient.NewHTTPTimestamper(nil, rfc3161TSAurl) + if err != nil { + t.Fatal(err) + } + req := &signature.SignRequest{ + Timestamper: timestamper, + TSARootCAs: rootCAs, + TSARevocationValidator: &dummyTSARevocationValidator{ + revoked: true, + }, + } + opts := tspclient.RequestOptions{ + Content: []byte("notation"), + HashAlgorithm: crypto.SHA256, + } + expectedErr := `timestamping certificate with subject "CN=DigiCert Timestamp 2024,O=DigiCert,C=US" is revoked` + _, err = Timestamp(req, opts) + assertErrorEqual(expectedErr, err, t) + }) + +} + +func TestRevocationResult(t *testing.T) { + certResult := []*result.CertRevocationResult{ + { + // update leaf cert result in each sub-test }, - TSARootCAs: rootCAs, - } - expectedErr = "invalid timestamping response: invalid response with status code 2: rejected" - _, err = Timestamp(req, opts) - assertErrorEqual(expectedErr, err, t) - - req = &signature.SignRequest{ - Timestamper: dummyTimestamper{ - invalidTSTInfo: true, + { + Result: result.ResultNonRevokable, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultNonRevokable, + }, + }, }, - TSARootCAs: rootCAs, } - expectedErr = "cannot unmarshal TSTInfo from timestamp token: asn1: structure error: tags don't match (23 vs {class:0 tag:16 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:24 set:false omitEmpty:false} Time @89" - _, err = Timestamp(req, opts) - assertErrorEqual(expectedErr, err, t) - - opts = tspclient.RequestOptions{ - Content: []byte("mismatch"), - HashAlgorithm: crypto.SHA256, - NoNonce: true, - } - req = &signature.SignRequest{ - Timestamper: dummyTimestamper{ - failValidate: true, + certChain := []*x509.Certificate{ + { + Subject: pkix.Name{ + CommonName: "leafCert", + }, }, - TSARootCAs: rootCAs, - } - expectedErr = "invalid TSTInfo: mismatched message" - _, err = Timestamp(req, opts) - assertErrorEqual(expectedErr, err, t) - - opts = tspclient.RequestOptions{ - Content: []byte("notation"), - HashAlgorithm: crypto.SHA256, - NoNonce: true, - } - req = &signature.SignRequest{ - Timestamper: dummyTimestamper{ - invalidSignature: true, + { + Subject: pkix.Name{ + CommonName: "rootCert", + }, }, - TSARootCAs: rootCAs, } - expectedErr = "failed to verify signed token: cms verification failure: crypto/rsa: verification error" - _, err = Timestamp(req, opts) - assertErrorEqual(expectedErr, err, t) + t.Run("OCSP error without fallback", func(t *testing.T) { + certResult[0] = &result.CertRevocationResult{ + Result: result.ResultUnknown, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultUnknown, + Error: errors.New("ocsp error"), + RevocationMethod: result.RevocationMethodOCSP, + }, + }, + } + err := revocationResult(certResult, certChain) + assertErrorEqual(`timestamping certificate with subject "CN=leafCert" revocation status is unknown`, err, t) + }) + + t.Run("OCSP error with fallback", func(t *testing.T) { + certResult[0] = &result.CertRevocationResult{ + Result: result.ResultOK, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultUnknown, + Error: errors.New("ocsp error"), + RevocationMethod: result.RevocationMethodOCSP, + }, + { + Result: result.ResultOK, + RevocationMethod: result.RevocationMethodCRL, + }, + }, + RevocationMethod: result.RevocationMethodOCSPFallbackCRL, + } + if err := revocationResult(certResult, certChain); err != nil { + t.Fatal(err) + } + }) + + t.Run("OCSP error with fallback and CRL error", func(t *testing.T) { + certResult[0] = &result.CertRevocationResult{ + Result: result.ResultUnknown, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultUnknown, + Error: errors.New("ocsp error"), + RevocationMethod: result.RevocationMethodOCSP, + }, + { + Result: result.ResultUnknown, + Error: errors.New("crl error"), + RevocationMethod: result.RevocationMethodCRL, + }, + }, + RevocationMethod: result.RevocationMethodOCSPFallbackCRL, + } + err := revocationResult(certResult, certChain) + assertErrorEqual(`timestamping certificate with subject "CN=leafCert" revocation status is unknown`, err, t) + }) + + t.Run("revoked", func(t *testing.T) { + certResult[0] = &result.CertRevocationResult{ + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultRevoked, + Error: errors.New("revoked"), + RevocationMethod: result.RevocationMethodCRL, + }, + }, + } + err := revocationResult(certResult, certChain) + assertErrorEqual(`timestamping certificate with subject "CN=leafCert" is revoked`, err, t) + }) + + t.Run("revocation method unknown error(should never reach here)", func(t *testing.T) { + certResult[0] = &result.CertRevocationResult{ + Result: result.ResultUnknown, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultUnknown, + Error: errors.New("unknown error"), + RevocationMethod: result.RevocationMethodUnknown, + }, + }, + } + err := revocationResult(certResult, certChain) + assertErrorEqual(`timestamping certificate with subject "CN=leafCert" revocation status is unknown`, err, t) + }) + + t.Run("empty cert result", func(t *testing.T) { + err := revocationResult([]*result.CertRevocationResult{}, certChain) + assertErrorEqual("certificate revocation result cannot be empty", err, t) + }) + + t.Run("cert result length does not equal to cert chain", func(t *testing.T) { + err := revocationResult([]*result.CertRevocationResult{ + certResult[1], + }, certChain) + assertErrorEqual("length of certificate revocation result 1 does not match length of the certificate chain 2", err, t) + }) + } func assertErrorEqual(expected string, err error, t *testing.T) { @@ -141,8 +309,6 @@ func assertErrorEqual(expected string, e type dummyTimestamper struct { respWithRejectedStatus bool - invalidTSTInfo bool - failValidate bool invalidSignature bool } @@ -154,8 +320,8 @@ func (d dummyTimestamper) Timestamp(cont }, }, nil } - if d.invalidTSTInfo { - token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidTSTInfo.p7s") + if d.invalidSignature { + token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidSignature.p7s") if err != nil { return nil, err } @@ -168,33 +334,50 @@ func (d dummyTimestamper) Timestamp(cont }, }, nil } - if d.failValidate { - token, err := os.ReadFile("testdata/TimeStampToken.p7s") - if err != nil { - return nil, err + return nil, errors.New("failed to timestamp") +} + +type dummyTSARevocationValidator struct { + failOnValidate bool + revoked bool +} + +func (v *dummyTSARevocationValidator) ValidateContext(ctx context.Context, validateContextOpts revocation.ValidateContextOptions) ([]*result.CertRevocationResult, error) { + if v.failOnValidate { + return nil, errors.New("failed in ValidateContext") + } + if v.revoked { + certResults := make([]*result.CertRevocationResult, len(validateContextOpts.CertChain)) + for i := range certResults { + certResults[i] = &result.CertRevocationResult{ + Result: result.ResultOK, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultOK, + RevocationMethod: result.RevocationMethodOCSP, + }, + }, + } } - return &tspclient.Response{ - Status: pki.StatusInfo{ - Status: pki.StatusGranted, - }, - TimestampToken: asn1.RawValue{ - FullBytes: token, + certResults[0] = &result.CertRevocationResult{ + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultRevoked, + Error: errors.New("revoked"), + RevocationMethod: result.RevocationMethodCRL, + }, }, - }, nil - } - if d.invalidSignature { - token, err := os.ReadFile("testdata/TimeStampTokenWithInvalidSignature.p7s") - if err != nil { - return nil, err } - return &tspclient.Response{ - Status: pki.StatusInfo{ - Status: pki.StatusGranted, - }, - TimestampToken: asn1.RawValue{ - FullBytes: token, + certResults[len(certResults)-1] = &result.CertRevocationResult{ + Result: result.ResultNonRevokable, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultNonRevokable, + }, }, - }, nil + } + return certResults, nil } - return nil, errors.New("failed to timestamp") + return nil, nil } diff -pruN 1.1.0-6/revocation/crl/bundle.go 1.3.0-1/revocation/crl/bundle.go --- 1.1.0-6/revocation/crl/bundle.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/bundle.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,28 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package crl + +import "crypto/x509" + +// Bundle is a collection of CRLs, including base and delta CRLs +type Bundle struct { + // BaseCRL is the parsed base CRL + BaseCRL *x509.RevocationList + + // DeltaCRL is the parsed delta CRL + // + // TODO: support delta CRL https://github.com/notaryproject/notation-core-go/issues/228 + // It will always be nil until we support delta CRL + DeltaCRL *x509.RevocationList +} diff -pruN 1.1.0-6/revocation/crl/cache.go 1.3.0-1/revocation/crl/cache.go --- 1.1.0-6/revocation/crl/cache.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/cache.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,32 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package crl + +import "context" + +// Cache is an interface that specifies methods used for caching +type Cache interface { + // Get retrieves the CRL bundle with the given url + // + // url is the key to retrieve the CRL bundle + // + // if the key does not exist or the content is expired, return ErrCacheMiss. + Get(ctx context.Context, url string) (*Bundle, error) + + // Set stores the CRL bundle with the given url + // + // url is the key to store the CRL bundle + // bundle is the CRL collections to store + Set(ctx context.Context, url string, bundle *Bundle) error +} diff -pruN 1.1.0-6/revocation/crl/errors.go 1.3.0-1/revocation/crl/errors.go --- 1.1.0-6/revocation/crl/errors.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/errors.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,22 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package crl + +import "errors" + +// ErrCacheMiss is returned when a cache miss occurs. +var ErrCacheMiss = errors.New("cache miss") + +// errDeltaCRLNotFound is returned when a delta CRL is not found. +var errDeltaCRLNotFound = errors.New("delta CRL not found") diff -pruN 1.1.0-6/revocation/crl/fetcher.go 1.3.0-1/revocation/crl/fetcher.go --- 1.1.0-6/revocation/crl/fetcher.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/fetcher.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,266 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package crl provides Fetcher interface with its implementation, and the +// Cache interface. +package crl + +import ( + "context" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "time" + + "github.com/notaryproject/notation-core-go/revocation/internal/x509util" + "golang.org/x/crypto/cryptobyte" + cbasn1 "golang.org/x/crypto/cryptobyte/asn1" +) + +// oidFreshestCRL is the object identifier for the distribution point +// for the delta CRL. (See RFC 5280, Section 5.2.6) +var oidFreshestCRL = asn1.ObjectIdentifier{2, 5, 29, 46} + +// maxCRLSize is the maximum size of CRL in bytes +// +// The 32 MiB limit is based on investigation that even the largest CRLs +// are less than 16 MiB. The limit is set to 32 MiB to prevent +const maxCRLSize = 32 * 1024 * 1024 // 32 MiB + +// Fetcher is an interface that specifies methods used for fetching CRL +// from the given URL +type Fetcher interface { + // Fetch retrieves the CRL from the given URL. + Fetch(ctx context.Context, url string) (*Bundle, error) +} + +// HTTPFetcher is a Fetcher implementation that fetches CRL from the given URL +type HTTPFetcher struct { + // Cache stores fetched CRLs and reuses them until the CRL reaches the + // NextUpdate time. + // If Cache is nil, no cache is used. + Cache Cache + + // DiscardCacheError specifies whether to discard any error on cache. + // + // ErrCacheMiss is not considered as an failure and will not be returned as + // an error if DiscardCacheError is false. + DiscardCacheError bool + + httpClient *http.Client +} + +// NewHTTPFetcher creates a new HTTPFetcher with the given HTTP client +func NewHTTPFetcher(httpClient *http.Client) (*HTTPFetcher, error) { + if httpClient == nil { + return nil, errors.New("httpClient cannot be nil") + } + + return &HTTPFetcher{ + httpClient: httpClient, + }, nil +} + +// Fetch retrieves the CRL from the given URL +// +// If cache is not nil, try to get the CRL from the cache first. On failure +// (e.g. cache miss), it will download the CRL from the URL and store it to the +// cache. +func (f *HTTPFetcher) Fetch(ctx context.Context, url string) (*Bundle, error) { + if url == "" { + return nil, errors.New("CRL URL cannot be empty") + } + + if f.Cache != nil { + bundle, err := f.Cache.Get(ctx, url) + if err == nil { + // check expiry of base CRL and delta CRL + if isEffective(bundle.BaseCRL) && (bundle.DeltaCRL == nil || isEffective(bundle.DeltaCRL)) { + return bundle, nil + } + } else if !errors.Is(err, ErrCacheMiss) && !f.DiscardCacheError { + return nil, fmt.Errorf("failed to retrieve CRL from cache: %w", err) + } + } + + bundle, err := f.fetch(ctx, url) + if err != nil { + return nil, fmt.Errorf("failed to retrieve CRL: %w", err) + } + + if f.Cache != nil { + err = f.Cache.Set(ctx, url, bundle) + if err != nil && !f.DiscardCacheError { + return nil, fmt.Errorf("failed to store CRL to cache: %w", err) + } + } + + return bundle, nil +} + +// isEffective checks if the CRL is effective by checking the NextUpdate time. +func isEffective(crl *x509.RevocationList) bool { + return !crl.NextUpdate.IsZero() && !time.Now().After(crl.NextUpdate) +} + +// fetch downloads the CRL from the given URL. +func (f *HTTPFetcher) fetch(ctx context.Context, url string) (*Bundle, error) { + // fetch base CRL + base, err := fetchCRL(ctx, url, f.httpClient) + if err != nil { + return nil, err + } + + // fetch delta CRL from base CRL extension + deltaCRL, err := f.fetchDeltaCRL(ctx, base.Extensions) + if err != nil && !errors.Is(err, errDeltaCRLNotFound) { + return nil, err + } + + return &Bundle{ + BaseCRL: base, + DeltaCRL: deltaCRL, + }, nil +} + +// fetchDeltaCRL fetches the delta CRL from the given extensions of base CRL. +// +// It returns errDeltaCRLNotFound if the delta CRL is not found. +func (f *HTTPFetcher) fetchDeltaCRL(ctx context.Context, extensions []pkix.Extension) (*x509.RevocationList, error) { + extension := x509util.FindExtensionByOID(extensions, oidFreshestCRL) + if extension == nil { + return nil, errDeltaCRLNotFound + } + + // RFC 5280, 4.2.1.15 + // id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } + // + // FreshestCRL ::= CRLDistributionPoints + urls, err := parseCRLDistributionPoint(extension.Value) + if err != nil { + return nil, fmt.Errorf("failed to parse Freshest CRL extension: %w", err) + } + if len(urls) == 0 { + return nil, errDeltaCRLNotFound + } + + var ( + lastError error + deltaCRL *x509.RevocationList + ) + for _, cdpURL := range urls { + // RFC 5280, 5.2.6 + // Delta CRLs from the base CRL have the same scope as the base + // CRL, so the URLs are for redundancy and should be tried in + // order until one succeeds. + deltaCRL, lastError = fetchCRL(ctx, cdpURL, f.httpClient) + if lastError == nil { + return deltaCRL, nil + } + } + return nil, lastError +} + +// parseCRLDistributionPoint parses the CRL extension and returns the CRL URLs +// +// value is the raw value of the CRL distribution point extension +func parseCRLDistributionPoint(value []byte) ([]string, error) { + var urls []string + // borrowed from crypto/x509: https://cs.opensource.google/go/go/+/refs/tags/go1.23.4:src/crypto/x509/parser.go;l=700-743 + // + // RFC 5280, 4.2.1.13 + // + // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + // + // DistributionPoint ::= SEQUENCE { + // distributionPoint [0] DistributionPointName OPTIONAL, + // reasons [1] ReasonFlags OPTIONAL, + // cRLIssuer [2] GeneralNames OPTIONAL } + // + // DistributionPointName ::= CHOICE { + // fullName [0] GeneralNames, + // nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + val := cryptobyte.String(value) + if !val.ReadASN1(&val, cbasn1.SEQUENCE) { + return nil, errors.New("x509: invalid CRL distribution points") + } + for !val.Empty() { + var dpDER cryptobyte.String + if !val.ReadASN1(&dpDER, cbasn1.SEQUENCE) { + return nil, errors.New("x509: invalid CRL distribution point") + } + var dpNameDER cryptobyte.String + var dpNamePresent bool + if !dpDER.ReadOptionalASN1(&dpNameDER, &dpNamePresent, cbasn1.Tag(0).Constructed().ContextSpecific()) { + return nil, errors.New("x509: invalid CRL distribution point") + } + if !dpNamePresent { + continue + } + if !dpNameDER.ReadASN1(&dpNameDER, cbasn1.Tag(0).Constructed().ContextSpecific()) { + return nil, errors.New("x509: invalid CRL distribution point") + } + for !dpNameDER.Empty() { + if !dpNameDER.PeekASN1Tag(cbasn1.Tag(6).ContextSpecific()) { + break + } + var uri cryptobyte.String + if !dpNameDER.ReadASN1(&uri, cbasn1.Tag(6).ContextSpecific()) { + return nil, errors.New("x509: invalid CRL distribution point") + } + urls = append(urls, string(uri)) + } + } + return urls, nil +} + +func fetchCRL(ctx context.Context, crlURL string, client *http.Client) (*x509.RevocationList, error) { + // validate URL + parsedURL, err := url.Parse(crlURL) + if err != nil { + return nil, fmt.Errorf("invalid CRL URL: %w", err) + } + if parsedURL.Scheme != "http" { + return nil, fmt.Errorf("unsupported scheme: %s. Only supports CRL URL in HTTP protocol", parsedURL.Scheme) + } + + // download CRL + req, err := http.NewRequestWithContext(ctx, http.MethodGet, crlURL, nil) + if err != nil { + return nil, fmt.Errorf("failed to create CRL request: %w", err) + } + resp, err := client.Do(req) + if err != nil { + return nil, fmt.Errorf("request failed: %w", err) + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("failed to download with status code: %d", resp.StatusCode) + } + // read with size limit + data, err := io.ReadAll(io.LimitReader(resp.Body, maxCRLSize)) + if err != nil { + return nil, fmt.Errorf("failed to read CRL response: %w", err) + } + if len(data) == maxCRLSize { + return nil, fmt.Errorf("CRL size exceeds the limit: %d", maxCRLSize) + } + + // parse CRL + return x509.ParseRevocationList(data) +} diff -pruN 1.1.0-6/revocation/crl/fetcher_test.go 1.3.0-1/revocation/crl/fetcher_test.go --- 1.1.0-6/revocation/crl/fetcher_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/fetcher_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,638 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package crl + +import ( + "bytes" + "context" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "errors" + "fmt" + "io" + "math/big" + "net/http" + "os" + "strings" + "sync" + "testing" + "time" + + "github.com/notaryproject/notation-core-go/testhelper" +) + +func TestNewHTTPFetcher(t *testing.T) { + t.Run("httpClient is nil", func(t *testing.T) { + _, err := NewHTTPFetcher(nil) + if err.Error() != "httpClient cannot be nil" { + t.Errorf("NewHTTPFetcher() error = %v, want %v", err, "httpClient cannot be nil") + } + }) +} + +func TestFetch(t *testing.T) { + // prepare crl + certChain := testhelper.GetRevokableRSAChainWithRevocations(2, false, true) + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + Number: big.NewInt(1), + NextUpdate: time.Now().Add(1 * time.Hour), + }, certChain[1].Cert, certChain[1].PrivateKey) + if err != nil { + t.Fatalf("failed to create base CRL: %v", err) + } + baseCRL, err := x509.ParseRevocationList(crlBytes) + if err != nil { + t.Fatalf("failed to parse base CRL: %v", err) + } + const exampleURL = "http://localhost.test" + const uncachedURL = "http://uncached.test" + + bundle := &Bundle{ + BaseCRL: baseCRL, + } + + t.Run("url is empty", func(t *testing.T) { + c := &memoryCache{} + httpClient := &http.Client{} + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + f.Cache = c + _, err = f.Fetch(context.Background(), "") + if err.Error() != "CRL URL cannot be empty" { + t.Fatalf("Fetcher.Fetch() error = %v, want CRL URL cannot be empty", err) + } + }) + + t.Run("fetch without cache", func(t *testing.T) { + httpClient := &http.Client{ + Transport: &expectedRoundTripperMock{Body: baseCRL.Raw}, + } + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + bundle, err := f.Fetch(context.Background(), exampleURL) + if err != nil { + t.Errorf("Fetcher.Fetch() error = %v, want nil", err) + } + if !bytes.Equal(bundle.BaseCRL.Raw, baseCRL.Raw) { + t.Errorf("Fetcher.Fetch() base.Raw = %v, want %v", bundle.BaseCRL.Raw, baseCRL.Raw) + } + }) + + t.Run("cache hit", func(t *testing.T) { + // set the cache + c := &memoryCache{} + if err := c.Set(context.Background(), exampleURL, bundle); err != nil { + t.Errorf("Cache.Set() error = %v, want nil", err) + } + + httpClient := &http.Client{} + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + f.Cache = c + bundle, err := f.Fetch(context.Background(), exampleURL) + if err != nil { + t.Errorf("Fetcher.Fetch() error = %v, want nil", err) + } + if !bytes.Equal(bundle.BaseCRL.Raw, baseCRL.Raw) { + t.Errorf("Fetcher.Fetch() base.Raw = %v, want %v", bundle.BaseCRL.Raw, baseCRL.Raw) + } + }) + + t.Run("cache miss and download failed error", func(t *testing.T) { + c := &memoryCache{} + httpClient := &http.Client{ + Transport: errorRoundTripperMock{}, + } + f, err := NewHTTPFetcher(httpClient) + f.Cache = c + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + _, err = f.Fetch(context.Background(), uncachedURL) + if err == nil { + t.Errorf("Fetcher.Fetch() error = nil, want not nil") + } + }) + + t.Run("cache miss", func(t *testing.T) { + c := &memoryCache{} + httpClient := &http.Client{ + Transport: &expectedRoundTripperMock{Body: baseCRL.Raw}, + } + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + f.Cache = c + f.DiscardCacheError = false + bundle, err := f.Fetch(context.Background(), uncachedURL) + if err != nil { + t.Errorf("Fetcher.Fetch() error = %v, want nil", err) + } + if !bytes.Equal(bundle.BaseCRL.Raw, baseCRL.Raw) { + t.Errorf("Fetcher.Fetch() base.Raw = %v, want %v", bundle.BaseCRL.Raw, baseCRL.Raw) + } + }) + + t.Run("cache expired", func(t *testing.T) { + c := &memoryCache{} + // prepare an expired CRL + certChain := testhelper.GetRevokableRSAChainWithRevocations(2, false, true) + expiredCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + Number: big.NewInt(1), + NextUpdate: time.Now().Add(-1 * time.Hour), + }, certChain[1].Cert, certChain[1].PrivateKey) + if err != nil { + t.Fatalf("failed to create base CRL: %v", err) + } + expiredCRL, err := x509.ParseRevocationList(expiredCRLBytes) + if err != nil { + t.Fatalf("failed to parse base CRL: %v", err) + } + // store the expired CRL + const expiredCRLURL = "http://localhost.test/expired" + bundle := &Bundle{ + BaseCRL: expiredCRL, + } + if err := c.Set(context.Background(), expiredCRLURL, bundle); err != nil { + t.Errorf("Cache.Set() error = %v, want nil", err) + } + + // fetch the expired CRL + httpClient := &http.Client{ + Transport: &expectedRoundTripperMock{Body: baseCRL.Raw}, + } + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + f.Cache = c + f.DiscardCacheError = true + bundle, err = f.Fetch(context.Background(), expiredCRLURL) + if err != nil { + t.Errorf("Fetcher.Fetch() error = %v, want nil", err) + } + // should re-download the CRL + if !bytes.Equal(bundle.BaseCRL.Raw, baseCRL.Raw) { + t.Errorf("Fetcher.Fetch() base.Raw = %v, want %v", bundle.BaseCRL.Raw, baseCRL.Raw) + } + }) + + t.Run("Set cache error", func(t *testing.T) { + c := &errorCache{ + GetError: ErrCacheMiss, + SetError: errors.New("cache error"), + } + httpClient := &http.Client{ + Transport: &expectedRoundTripperMock{Body: baseCRL.Raw}, + } + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + f.Cache = c + f.DiscardCacheError = true + bundle, err = f.Fetch(context.Background(), exampleURL) + if err != nil { + t.Errorf("Fetcher.Fetch() error = %v, want nil", err) + } + if !bytes.Equal(bundle.BaseCRL.Raw, baseCRL.Raw) { + t.Errorf("Fetcher.Fetch() base.Raw = %v, want %v", bundle.BaseCRL.Raw, baseCRL.Raw) + } + }) + + t.Run("Get error without discard", func(t *testing.T) { + c := &errorCache{ + GetError: errors.New("cache error"), + } + httpClient := &http.Client{ + Transport: &expectedRoundTripperMock{Body: baseCRL.Raw}, + } + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + f.Cache = c + f.DiscardCacheError = false + _, err = f.Fetch(context.Background(), exampleURL) + if !strings.HasPrefix(err.Error(), "failed to retrieve CRL from cache:") { + t.Errorf("Fetcher.Fetch() error = %v, want failed to retrieve CRL from cache:", err) + } + }) + + t.Run("Set error without discard", func(t *testing.T) { + c := &errorCache{ + GetError: ErrCacheMiss, + SetError: errors.New("cache error"), + } + httpClient := &http.Client{ + Transport: &expectedRoundTripperMock{Body: baseCRL.Raw}, + } + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + f.Cache = c + f.DiscardCacheError = false + _, err = f.Fetch(context.Background(), exampleURL) + if !strings.HasPrefix(err.Error(), "failed to store CRL to cache:") { + t.Errorf("Fetcher.Fetch() error = %v, want failed to store CRL to cache:", err) + } + }) + + t.Run("test fetch delta CRL from base CRL extension failed", func(t *testing.T) { + crlWithDeltaCRL, err := os.ReadFile("testdata/crlWithMultipleFreshestCRLs.crl") + if err != nil { + t.Fatalf("failed to read CRL: %v", err) + } + httpClient := &http.Client{ + Transport: &expectedRoundTripperMock{ + Body: crlWithDeltaCRL, + SecondRoundBody: []byte("invalid crl"), + }, + } + f, err := NewHTTPFetcher(httpClient) + if err != nil { + t.Errorf("NewHTTPFetcher() error = %v, want nil", err) + } + _, err = f.Fetch(context.Background(), exampleURL) + expectedErrorMsg := "failed to retrieve CRL: x509: malformed crl" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) +} + +func TestParseFreshestCRL(t *testing.T) { + loadExtentsion := func(certPath string) pkix.Extension { + certData, err := os.ReadFile(certPath) + if err != nil { + t.Fatalf("failed to read certificate: %v", err) + } + + block, _ := pem.Decode(certData) + if block == nil { + t.Fatalf("failed to decode PEM block") + } + + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + t.Fatalf("failed to parse certificate: %v", err) + } + + for _, ext := range cert.Extensions { + if ext.Id.Equal([]int{2, 5, 29, 46}) { // id-ce-freshestCRL + return ext + } + } + + t.Fatalf("freshestCRL extension not found") + return pkix.Extension{} + } + + t.Run("valid 1 delta CRL URL", func(t *testing.T) { + certPath := "testdata/certificateWithDeltaCRL.cer" + freshestCRLExtension := loadExtentsion(certPath) + urls, err := parseCRLDistributionPoint(freshestCRLExtension.Value) + if err != nil { + t.Fatalf("failed to parse freshest CRL: %v", err) + } + + if len(urls) != 1 { + t.Fatalf("expected 1 URL, got %d", len(urls)) + } + + if !strings.HasPrefix(urls[0], "http://localhost:80") { + t.Fatalf("unexpected URL: %s", urls[0]) + } + }) + + t.Run("empty extension", func(t *testing.T) { + _, err := parseCRLDistributionPoint(nil) + if err == nil { + t.Fatalf("expected error") + } + }) + + t.Run("URL doesn't exist", func(t *testing.T) { + certPath := "testdata/certificateWithZeroDeltaCRLURL.cer" + freshestCRLExtension := loadExtentsion(certPath) + url, err := parseCRLDistributionPoint(freshestCRLExtension.Value) + if err != nil { + t.Fatalf("failed to parse freshest CRL: %v", err) + } + if len(url) != 0 { + t.Fatalf("expected 0 URL, got %d", len(url)) + } + }) + + t.Run("non URI freshest CRL extension", func(t *testing.T) { + certPath := "testdata/certificateWithNonURIDeltaCRL.cer" + freshestCRLExtension := loadExtentsion(certPath) + url, err := parseCRLDistributionPoint(freshestCRLExtension.Value) + if err != nil { + t.Fatalf("failed to parse freshest CRL: %v", err) + } + if len(url) != 0 { + t.Fatalf("expected 0 URL, got %d", len(url)) + } + }) + + t.Run("certificate with incomplete freshest CRL extension", func(t *testing.T) { + certPath := "testdata/certificateWithIncompleteFreshestCRL.cer" + freshestCRLExtension := loadExtentsion(certPath) + _, err := parseCRLDistributionPoint(freshestCRLExtension.Value) + expectErrorMsg := "x509: invalid CRL distribution point" + if err == nil || err.Error() != expectErrorMsg { + t.Fatalf("expected error %q, got %v", expectErrorMsg, err) + } + }) + + t.Run("certificate with incomplete freshest CRL extension2", func(t *testing.T) { + certPath := "testdata/certificateWithIncompleteFreshestCRL2.cer" + freshestCRLExtension := loadExtentsion(certPath) + url, err := parseCRLDistributionPoint(freshestCRLExtension.Value) + if err != nil { + t.Fatalf("failed to parse freshest CRL: %v", err) + } + if len(url) != 0 { + t.Fatalf("expected 0 URL, got %d", len(url)) + } + }) +} + +func TestFetchDeltaCRL(t *testing.T) { + loadExtentsion := func(certPath string) []pkix.Extension { + certData, err := os.ReadFile(certPath) + if err != nil { + t.Fatalf("failed to read certificate: %v", err) + } + + block, _ := pem.Decode(certData) + if block == nil { + t.Fatalf("failed to decode PEM block") + } + + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + t.Fatalf("failed to parse certificate: %v", err) + } + + return cert.Extensions + } + + deltaCRL, err := os.ReadFile("testdata/delta.crl") + if err != nil { + t.Fatalf("failed to read delta CRL: %v", err) + } + + fetcher, err := NewHTTPFetcher(&http.Client{ + Transport: &expectedRoundTripperMock{Body: deltaCRL}, + }) + if err != nil { + t.Fatalf("failed to create fetcher: %v", err) + } + + t.Run("parse freshest CRL failed", func(t *testing.T) { + certPath := "testdata/certificateWithIncompleteFreshestCRL.cer" + extensions := loadExtentsion(certPath) + _, err := fetcher.fetchDeltaCRL(context.Background(), extensions) + expectedErrorMsg := "failed to parse Freshest CRL extension: x509: invalid CRL distribution point" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) + + t.Run("zero freshest CRL URL", func(t *testing.T) { + certPath := "testdata/certificateWithZeroDeltaCRLURL.cer" + extensions := loadExtentsion(certPath) + _, err := fetcher.fetchDeltaCRL(context.Background(), extensions) + expectedErr := errDeltaCRLNotFound + if err == nil || !errors.Is(err, expectedErr) { + t.Fatalf("expected error %v, got %v", expectedErr, err) + } + }) + + t.Run("one freshest CRL URL", func(t *testing.T) { + certPath := "testdata/certificateWithDeltaCRL.cer" + extensions := loadExtentsion(certPath) + deltaCRL, err := fetcher.fetchDeltaCRL(context.Background(), extensions) + if err != nil { + t.Fatalf("failed to process delta CRL: %v", err) + } + if deltaCRL == nil { + t.Fatalf("expected non-nil delta CRL") + } + }) + + t.Run("multiple freshest CRL URLs failed", func(t *testing.T) { + fetcherWithError, err := NewHTTPFetcher(&http.Client{ + Transport: errorRoundTripperMock{}, + }) + if err != nil { + t.Fatalf("failed to create fetcher: %v", err) + } + certPath := "testdata/certificateWith2DeltaCRL.cer" + extensions := loadExtentsion(certPath) + _, err = fetcherWithError.fetchDeltaCRL(context.Background(), extensions) + expectedErrorMsg := "request failed" + if err == nil || !strings.Contains(err.Error(), expectedErrorMsg) { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) + + t.Run("process delta crl from certificate extension failed", func(t *testing.T) { + certPath := "testdata/certificateWithIncompleteFreshestCRL.cer" + extensions := loadExtentsion(certPath) + _, err := fetcher.fetchDeltaCRL(context.Background(), extensions) + expectedErrorMsg := "failed to parse Freshest CRL extension: x509: invalid CRL distribution point" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) +} + +func TestDownload(t *testing.T) { + t.Run("parse url error", func(t *testing.T) { + _, err := fetchCRL(context.Background(), ":", http.DefaultClient) + if err == nil { + t.Fatal("expected error") + } + }) + t.Run("https download", func(t *testing.T) { + _, err := fetchCRL(context.Background(), "https://localhost.test", http.DefaultClient) + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("http.NewRequestWithContext error", func(t *testing.T) { + var ctx context.Context = nil + _, err := fetchCRL(ctx, "http://localhost.test", &http.Client{}) + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("client.Do error", func(t *testing.T) { + _, err := fetchCRL(context.Background(), "http://localhost.test", &http.Client{ + Transport: errorRoundTripperMock{}, + }) + + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("status code is not 2xx", func(t *testing.T) { + _, err := fetchCRL(context.Background(), "http://localhost.test", &http.Client{ + Transport: serverErrorRoundTripperMock{}, + }) + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("readAll error", func(t *testing.T) { + _, err := fetchCRL(context.Background(), "http://localhost.test", &http.Client{ + Transport: readFailedRoundTripperMock{}, + }) + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("exceed the size limit", func(t *testing.T) { + _, err := fetchCRL(context.Background(), "http://localhost.test", &http.Client{ + Transport: &expectedRoundTripperMock{Body: make([]byte, maxCRLSize+1)}, + }) + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("invalid crl", func(t *testing.T) { + _, err := fetchCRL(context.Background(), "http://localhost.test", &http.Client{ + Transport: &expectedRoundTripperMock{Body: []byte("invalid crl")}, + }) + if err == nil { + t.Fatal("expected error") + } + }) +} + +type errorRoundTripperMock struct{} + +func (rt errorRoundTripperMock) RoundTrip(req *http.Request) (*http.Response, error) { + return nil, fmt.Errorf("error") +} + +type serverErrorRoundTripperMock struct{} + +func (rt serverErrorRoundTripperMock) RoundTrip(req *http.Request) (*http.Response, error) { + return &http.Response{ + Request: req, + StatusCode: http.StatusInternalServerError, + }, nil +} + +type readFailedRoundTripperMock struct{} + +func (rt readFailedRoundTripperMock) RoundTrip(req *http.Request) (*http.Response, error) { + return &http.Response{ + StatusCode: http.StatusOK, + Body: errorReaderMock{}, + }, nil +} + +type errorReaderMock struct{} + +func (r errorReaderMock) Read(p []byte) (n int, err error) { + return 0, fmt.Errorf("error") +} + +func (r errorReaderMock) Close() error { + return nil +} + +type expectedRoundTripperMock struct { + Body []byte + SecondRoundBody []byte + count int +} + +func (rt *expectedRoundTripperMock) RoundTrip(req *http.Request) (*http.Response, error) { + if rt.count == 0 { + rt.count += 1 + return &http.Response{ + Request: req, + StatusCode: http.StatusOK, + Body: io.NopCloser(bytes.NewBuffer(rt.Body)), + }, nil + } + return &http.Response{ + Request: req, + StatusCode: http.StatusOK, + Body: io.NopCloser(bytes.NewBuffer(rt.SecondRoundBody)), + }, nil +} + +// memoryCache is an in-memory cache that stores CRL bundles for testing. +type memoryCache struct { + store sync.Map +} + +// Get retrieves the CRL from the memory store. +// +// - if the key does not exist, return ErrNotFound +// - if the CRL is expired, return ErrCacheMiss +func (c *memoryCache) Get(ctx context.Context, url string) (*Bundle, error) { + value, ok := c.store.Load(url) + if !ok { + return nil, ErrCacheMiss + } + bundle, ok := value.(*Bundle) + if !ok { + return nil, fmt.Errorf("invalid type: %T", value) + } + + return bundle, nil +} + +// Set stores the CRL in the memory store. +func (c *memoryCache) Set(ctx context.Context, url string, bundle *Bundle) error { + c.store.Store(url, bundle) + return nil +} + +type errorCache struct { + GetError error + SetError error +} + +func (c *errorCache) Get(ctx context.Context, url string) (*Bundle, error) { + return nil, c.GetError +} + +func (c *errorCache) Set(ctx context.Context, url string, bundle *Bundle) error { + return c.SetError +} diff -pruN 1.1.0-6/revocation/crl/testdata/certificateWith2DeltaCRL.cer 1.3.0-1/revocation/crl/testdata/certificateWith2DeltaCRL.cer --- 1.1.0-6/revocation/crl/testdata/certificateWith2DeltaCRL.cer 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/testdata/certificateWith2DeltaCRL.cer 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFdTCCA92gAwIBAgIUaHnHWrIVx0qzAZIwvELkQUEs+3cwDQYJKoZIhvcNAQEL +BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMG53d296cXZhd3ZhbzNlY2gxFTATBgNV +BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr +c3RhcnQwHhcNMjQxMTI1MDc1NzI3WhcNMjYxMTI1MDc1NzI2WjAYMRYwFAYDVQQD +DA1Ob3RhdGlvblRlc3QzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAuJlXlrTm +VhEiLz75HgJlZGm0TE7W/7mYn0m03vV+9tBEA/ZV50ACkMDY0ewxxh4Ko6UsGq71 +E466hSVggiaYaE4AdbL5kAolsnEm9/EDfYQNfgiQw0BI7axri9tJ19yZhj4Es31+ +j4RJHAydB4i/qJi6T8cITdT6ViyzWM6AWGl7yRajggJ0MIICcDAMBgNVHRMBAf8E +AjAAMB8GA1UdIwQYMBaAFFPceeG3G4d5oezFSybFwehynbPqMIIBTQYDVR0uBIIB +RDCCAUAwggE8oIIBOKCCATSGgZdodHRwOi8vbG9jYWxob3N0OjgwL2VqYmNhL3B1 +YmxpY3dlYi93ZWJkaXN0L2NlcnRkaXN0P2NtZD1kZWx0YWNybCZpc3N1ZXI9VUlE +JTNEYy0wbnd3b3pxdmF3dmFvM2VjaCUyQ0NOJTNETWFuYWdlbWVudENBJTJDTyUz +REVKQkNBK0NvbnRhaW5lcitRdWlja3N0YXJ0hoGXaHR0cDovL2xvY2FsaG9zdDo4 +MC9lamJjYS9wdWJsaWN3ZWIvd2ViZGlzdC9jZXJ0ZGlzdD9jbWQ9ZGVsdGFjcmwm +aXNzdWVyPVVJRCUzRGMtMG53d296cXZhd3ZhbzNlY2glMkNDTiUzRE1hbmFnZW1l +bnRDQSUyQ08lM0RFSkJDQStDb250YWluZXIrUXVpY2tzdGFydDATBgNVHSUEDDAK +BggrBgEFBQcDATCBqQYDVR0fBIGhMIGeMIGboIGYoIGVhoGSaHR0cDovL2xvY2Fs +aG9zdDo4MC9lamJjYS9wdWJsaWN3ZWIvd2ViZGlzdC9jZXJ0ZGlzdD9jbWQ9Y3Js +Jmlzc3Vlcj1VSUQlM0RjLTBud3dvenF2YXd2YW8zZWNoJTJDQ04lM0RNYW5hZ2Vt +ZW50Q0ElMkNPJTNERUpCQ0ErQ29udGFpbmVyK1F1aWNrc3RhcnQwHQYDVR0OBBYE +FDHE82/06xOocYbvMIyGt2gofk88MA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0B +AQsFAAOCAYEAV7G7WMPn3tQNqB8RxYATV3eVhB3WC5BxqBbQzp2loNycDRmX95fa +7EV5xcPIUv42B+TzLu/ann9FLOMkqEhA+F5zsEomikUA+L4cuIWLXUhwIWwE2I/p +fgHJ61JtMMxv3rWQHyo6YpzpIAG23oxGXzrlN4/oNfWzWMIYlcl4xiHxC2vOKnNO +wId3Ck3jsJE10tImdD/tQYXh7h5ueESyPUZtqM/g2QPap+tEHArpgfAQdpEvRj1v +ZWAotcEIr+a5popE56UaE4a29DspVTA1rVchhKYl2gpDxieSQgQr61fWHXzRoKcd +FZ+NgqJuwd9CxrXbkl6EKDpefivwz9G4b3b6R8lMl+wmeTgPvSUYO34c8GsF143H +V/VKNoBvoz44QyLUf+1+XiHuUjfHaXCtXmDOoQ64M3d9gGrz23G5KJAUBubcbcdu +7Ah3D5zqvieGgoYt8qye1nsIVYC1KrYP2Kp5jWCadLvIwu2B0j7eA+LwN2MBWdlh +dRTSOVkICjWU +-----END CERTIFICATE----- diff -pruN 1.1.0-6/revocation/crl/testdata/certificateWithDeltaCRL.cer 1.3.0-1/revocation/crl/testdata/certificateWithDeltaCRL.cer --- 1.1.0-6/revocation/crl/testdata/certificateWithDeltaCRL.cer 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/testdata/certificateWithDeltaCRL.cer 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE1TCCAz2gAwIBAgIUaHnHWrIVx0qzAZIwvELkQUEs+3cwDQYJKoZIhvcNAQEL +BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMG53d296cXZhd3ZhbzNlY2gxFTATBgNV +BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr +c3RhcnQwHhcNMjQxMTI1MDc1NzI3WhcNMjYxMTI1MDc1NzI2WjAYMRYwFAYDVQQD +DA1Ob3RhdGlvblRlc3QzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAuJlXlrTm +VhEiLz75HgJlZGm0TE7W/7mYn0m03vV+9tBEA/ZV50ACkMDY0ewxxh4Ko6UsGq71 +E466hSVggiaYaE4AdbL5kAolsnEm9/EDfYQNfgiQw0BI7axri9tJ19yZhj4Es31+ +j4RJHAydB4i/qJi6T8cITdT6ViyzWM6AWGl7yRajggHUMIIB0DAMBgNVHRMBAf8E +AjAAMB8GA1UdIwQYMBaAFFPceeG3G4d5oezFSybFwehynbPqMIGuBgNVHS4EgaYw +gaMwgaCggZ2ggZqGgZdodHRwOi8vbG9jYWxob3N0OjgwL2VqYmNhL3B1YmxpY3dl +Yi93ZWJkaXN0L2NlcnRkaXN0P2NtZD1kZWx0YWNybCZpc3N1ZXI9VUlEJTNEYy0w +bnd3b3pxdmF3dmFvM2VjaCUyQ0NOJTNETWFuYWdlbWVudENBJTJDTyUzREVKQkNB +K0NvbnRhaW5lcitRdWlja3N0YXJ0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMIGpBgNV +HR8EgaEwgZ4wgZuggZiggZWGgZJodHRwOi8vbG9jYWxob3N0OjgwL2VqYmNhL3B1 +YmxpY3dlYi93ZWJkaXN0L2NlcnRkaXN0P2NtZD1jcmwmaXNzdWVyPVVJRCUzRGMt +MG53d296cXZhd3ZhbzNlY2glMkNDTiUzRE1hbmFnZW1lbnRDQSUyQ08lM0RFSkJD +QStDb250YWluZXIrUXVpY2tzdGFydDAdBgNVHQ4EFgQUMcTzb/TrE6hxhu8wjIa3 +aCh+TzwwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4IBgQBXsbtYw+fe +1A2oHxHFgBNXd5WEHdYLkHGoFtDOnaWg3JwNGZf3l9rsRXnFw8hS/jYH5PMu79qe +f0Us4ySoSED4XnOwSiaKRQD4vhy4hYtdSHAhbATYj+l+AcnrUm0wzG/etZAfKjpi +nOkgAbbejEZfOuU3j+g19bNYwhiVyXjGIfELa84qc07Ah3cKTeOwkTXS0iZ0P+1B +heHuHm54RLI9Rm2oz+DZA9qn60QcCumB8BB2kS9GPW9lYCi1wQiv5rmmikTnpRoT +hrb0OylVMDWtVyGEpiXaCkPGJ5JCBCvrV9YdfNGgpx0Vn42Com7B30LGtduSXoQo +Ol5+K/DP0bhvdvpHyUyX7CZ5OA+9JRg7fhzwawXXjcdX9Uo2gG+jPjhDItR/7X5e +Ie5SN8dpcK1eYM6hDrgzd32AavPbcbkokBQG5txtx27sCHcPnOq+J4aChi3yrJ7W +ewhVgLUqtg/YqnmNYJp0u8jC7YHSPt4D4vA3YwFZ2WF1FNI5WQgKNZQ= +-----END CERTIFICATE----- diff -pruN 1.1.0-6/revocation/crl/testdata/certificateWithIncompleteFreshestCRL.cer 1.3.0-1/revocation/crl/testdata/certificateWithIncompleteFreshestCRL.cer --- 1.1.0-6/revocation/crl/testdata/certificateWithIncompleteFreshestCRL.cer 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/testdata/certificateWithIncompleteFreshestCRL.cer 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDmTCCAgGgAwIBAgIUaHnHWrIVx0qzAZIwvELkQUEs+3cwDQYJKoZIhvcNAQEL +BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMG53d296cXZhd3ZhbzNlY2gxFTATBgNV +BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr +c3RhcnQwHhcNMjQxMTI1MDc1NzI3WhcNMjYxMTI1MDc1NzI2WjAYMRYwFAYDVQQD +DA1Ob3RhdGlvblRlc3QzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAuJlXlrTm +VhEiLz75HgJlZGm0TE7W/7mYn0m03vV+9tBEA/ZV50ACkMDY0ewxxh4Ko6UsGq71 +E466hSVggiaYaE4AdbL5kAolsnEm9/EDfYQNfgiQw0BI7axri9tJ19yZhj4Es31+ +j4RJHAydB4i/qJi6T8cITdT6ViyzWM6AWGl7yRajgZkwgZYwDAYDVR0TAQH/BAIw +ADAfBgNVHSMEGDAWgBRT3HnhtxuHeaHsxUsmxcHocp2z6jANBgNVHS4EBjAEMAKg +ADATBgNVHSUEDDAKBggrBgEFBQcDATASBgNVHR8ECzAJMAegBaADhQH/MB0GA1Ud +DgQWBBQxxPNv9OsTqHGG7zCMhrdoKH5PPDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZI +hvcNAQELBQADggGBAFexu1jD597UDagfEcWAE1d3lYQd1guQcagW0M6dpaDcnA0Z +l/eX2uxFecXDyFL+Ngfk8y7v2p5/RSzjJKhIQPhec7BKJopFAPi+HLiFi11IcCFs +BNiP6X4ByetSbTDMb961kB8qOmKc6SABtt6MRl865TeP6DX1s1jCGJXJeMYh8Qtr +zipzTsCHdwpN47CRNdLSJnQ/7UGF4e4ebnhEsj1GbajP4NkD2qfrRBwK6YHwEHaR +L0Y9b2VgKLXBCK/muaaKROelGhOGtvQ7KVUwNa1XIYSmJdoKQ8YnkkIEK+tX1h18 +0aCnHRWfjYKibsHfQsa125JehCg6Xn4r8M/RuG92+kfJTJfsJnk4D70lGDt+HPBr +BdeNx1f1SjaAb6M+OEMi1H/tfl4h7lI3x2lwrV5gzqEOuDN3fYBq89txuSiQFAbm +3G3HbuwIdw+c6r4nhoKGLfKsntZ7CFWAtSq2D9iqeY1gmnS7yMLtgdI+3gPi8Ddj +AVnZYXUU0jlZCAo1lA== +-----END CERTIFICATE----- diff -pruN 1.1.0-6/revocation/crl/testdata/certificateWithIncompleteFreshestCRL2.cer 1.3.0-1/revocation/crl/testdata/certificateWithIncompleteFreshestCRL2.cer --- 1.1.0-6/revocation/crl/testdata/certificateWithIncompleteFreshestCRL2.cer 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/testdata/certificateWithIncompleteFreshestCRL2.cer 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDlzCCAf+gAwIBAgIUaHnHWrIVx0qzAZIwvELkQUEs+3cwDQYJKoZIhvcNAQEL +BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMG53d296cXZhd3ZhbzNlY2gxFTATBgNV +BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr +c3RhcnQwHhcNMjQxMTI1MDc1NzI3WhcNMjYxMTI1MDc1NzI2WjAYMRYwFAYDVQQD +DA1Ob3RhdGlvblRlc3QzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAuJlXlrTm +VhEiLz75HgJlZGm0TE7W/7mYn0m03vV+9tBEA/ZV50ACkMDY0ewxxh4Ko6UsGq71 +E466hSVggiaYaE4AdbL5kAolsnEm9/EDfYQNfgiQw0BI7axri9tJ19yZhj4Es31+ +j4RJHAydB4i/qJi6T8cITdT6ViyzWM6AWGl7yRajgZcwgZQwDAYDVR0TAQH/BAIw +ADAfBgNVHSMEGDAWgBRT3HnhtxuHeaHsxUsmxcHocp2z6jALBgNVHS4EBDACMAAw +EwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0fBAswCTAHoAWgA4UB/zAdBgNVHQ4E +FgQUMcTzb/TrE6hxhu8wjIa3aCh+TzwwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3 +DQEBCwUAA4IBgQBXsbtYw+fe1A2oHxHFgBNXd5WEHdYLkHGoFtDOnaWg3JwNGZf3 +l9rsRXnFw8hS/jYH5PMu79qef0Us4ySoSED4XnOwSiaKRQD4vhy4hYtdSHAhbATY +j+l+AcnrUm0wzG/etZAfKjpinOkgAbbejEZfOuU3j+g19bNYwhiVyXjGIfELa84q +c07Ah3cKTeOwkTXS0iZ0P+1BheHuHm54RLI9Rm2oz+DZA9qn60QcCumB8BB2kS9G +PW9lYCi1wQiv5rmmikTnpRoThrb0OylVMDWtVyGEpiXaCkPGJ5JCBCvrV9YdfNGg +px0Vn42Com7B30LGtduSXoQoOl5+K/DP0bhvdvpHyUyX7CZ5OA+9JRg7fhzwawXX +jcdX9Uo2gG+jPjhDItR/7X5eIe5SN8dpcK1eYM6hDrgzd32AavPbcbkokBQG5txt +x27sCHcPnOq+J4aChi3yrJ7WewhVgLUqtg/YqnmNYJp0u8jC7YHSPt4D4vA3YwFZ +2WF1FNI5WQgKNZQ= +-----END CERTIFICATE----- diff -pruN 1.1.0-6/revocation/crl/testdata/certificateWithNonURIDeltaCRL.cer 1.3.0-1/revocation/crl/testdata/certificateWithNonURIDeltaCRL.cer --- 1.1.0-6/revocation/crl/testdata/certificateWithNonURIDeltaCRL.cer 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/testdata/certificateWithNonURIDeltaCRL.cer 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAgagAwIBAgIUaHnHWrIVx0qzAZIwvELkQUEs+3cwDQYJKoZIhvcNAQEL +BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMG53d296cXZhd3ZhbzNlY2gxFTATBgNV +BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr +c3RhcnQwHhcNMjQxMTI1MDc1NzI3WhcNMjYxMTI1MDc1NzI2WjAYMRYwFAYDVQQD +DA1Ob3RhdGlvblRlc3QzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAuJlXlrTm +VhEiLz75HgJlZGm0TE7W/7mYn0m03vV+9tBEA/ZV50ACkMDY0ewxxh4Ko6UsGq71 +E466hSVggiaYaE4AdbL5kAolsnEm9/EDfYQNfgiQw0BI7axri9tJ19yZhj4Es31+ +j4RJHAydB4i/qJi6T8cITdT6ViyzWM6AWGl7yRajgZ4wgZswDAYDVR0TAQH/BAIw +ADAfBgNVHSMEGDAWgBRT3HnhtxuHeaHsxUsmxcHocp2z6jASBgNVHS4ECzAJMAeg +BaADhQH/MBMGA1UdJQQMMAoGCCsGAQUFBwMBMBIGA1UdHwQLMAkwB6AFoAOFAf8w +HQYDVR0OBBYEFDHE82/06xOocYbvMIyGt2gofk88MA4GA1UdDwEB/wQEAwIFoDAN +BgkqhkiG9w0BAQsFAAOCAYEAV7G7WMPn3tQNqB8RxYATV3eVhB3WC5BxqBbQzp2l +oNycDRmX95fa7EV5xcPIUv42B+TzLu/ann9FLOMkqEhA+F5zsEomikUA+L4cuIWL +XUhwIWwE2I/pfgHJ61JtMMxv3rWQHyo6YpzpIAG23oxGXzrlN4/oNfWzWMIYlcl4 +xiHxC2vOKnNOwId3Ck3jsJE10tImdD/tQYXh7h5ueESyPUZtqM/g2QPap+tEHArp +gfAQdpEvRj1vZWAotcEIr+a5popE56UaE4a29DspVTA1rVchhKYl2gpDxieSQgQr +61fWHXzRoKcdFZ+NgqJuwd9CxrXbkl6EKDpefivwz9G4b3b6R8lMl+wmeTgPvSUY +O34c8GsF143HV/VKNoBvoz44QyLUf+1+XiHuUjfHaXCtXmDOoQ64M3d9gGrz23G5 +KJAUBubcbcdu7Ah3D5zqvieGgoYt8qye1nsIVYC1KrYP2Kp5jWCadLvIwu2B0j7e +A+LwN2MBWdlhdRTSOVkICjWU +-----END CERTIFICATE----- diff -pruN 1.1.0-6/revocation/crl/testdata/certificateWithZeroDeltaCRLURL.cer 1.3.0-1/revocation/crl/testdata/certificateWithZeroDeltaCRLURL.cer --- 1.1.0-6/revocation/crl/testdata/certificateWithZeroDeltaCRLURL.cer 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/crl/testdata/certificateWithZeroDeltaCRLURL.cer 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENTCCAp2gAwIBAgIUaHnHWrIVx0qzAZIwvELkQUEs+3cwDQYJKoZIhvcNAQEL +BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMG53d296cXZhd3ZhbzNlY2gxFTATBgNV +BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr +c3RhcnQwHhcNMjQxMTI1MDc1NzI3WhcNMjYxMTI1MDc1NzI2WjAYMRYwFAYDVQQD +DA1Ob3RhdGlvblRlc3QzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAuJlXlrTm +VhEiLz75HgJlZGm0TE7W/7mYn0m03vV+9tBEA/ZV50ACkMDY0ewxxh4Ko6UsGq71 +E466hSVggiaYaE4AdbL5kAolsnEm9/EDfYQNfgiQw0BI7axri9tJ19yZhj4Es31+ +j4RJHAydB4i/qJi6T8cITdT6ViyzWM6AWGl7yRajggE0MIIBMDAMBgNVHRMBAf8E +AjAAMB8GA1UdIwQYMBaAFFPceeG3G4d5oezFSybFwehynbPqMA8GA1UdLgQIMAYw +BKACoAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgakGA1UdHwSBoTCBnjCBm6CBmKCB +lYaBkmh0dHA6Ly9sb2NhbGhvc3Q6ODAvZWpiY2EvcHVibGljd2ViL3dlYmRpc3Qv +Y2VydGRpc3Q/Y21kPWNybCZpc3N1ZXI9VUlEJTNEYy0wbnd3b3pxdmF3dmFvM2Vj +aCUyQ0NOJTNETWFuYWdlbWVudENBJTJDTyUzREVKQkNBK0NvbnRhaW5lcitRdWlj +a3N0YXJ0MB0GA1UdDgQWBBQxxPNv9OsTqHGG7zCMhrdoKH5PPDAOBgNVHQ8BAf8E +BAMCBaAwDQYJKoZIhvcNAQELBQADggGBAFexu1jD597UDagfEcWAE1d3lYQd1guQ +cagW0M6dpaDcnA0Zl/eX2uxFecXDyFL+Ngfk8y7v2p5/RSzjJKhIQPhec7BKJopF +APi+HLiFi11IcCFsBNiP6X4ByetSbTDMb961kB8qOmKc6SABtt6MRl865TeP6DX1 +s1jCGJXJeMYh8QtrzipzTsCHdwpN47CRNdLSJnQ/7UGF4e4ebnhEsj1GbajP4NkD +2qfrRBwK6YHwEHaRL0Y9b2VgKLXBCK/muaaKROelGhOGtvQ7KVUwNa1XIYSmJdoK +Q8YnkkIEK+tX1h180aCnHRWfjYKibsHfQsa125JehCg6Xn4r8M/RuG92+kfJTJfs +Jnk4D70lGDt+HPBrBdeNx1f1SjaAb6M+OEMi1H/tfl4h7lI3x2lwrV5gzqEOuDN3 +fYBq89txuSiQFAbm3G3HbuwIdw+c6r4nhoKGLfKsntZ7CFWAtSq2D9iqeY1gmnS7 +yMLtgdI+3gPi8DdjAVnZYXUU0jlZCAo1lA== +-----END CERTIFICATE----- Binary files 1.1.0-6/revocation/crl/testdata/crlWithMultipleFreshestCRLs.crl and 1.3.0-1/revocation/crl/testdata/crlWithMultipleFreshestCRLs.crl differ Binary files 1.1.0-6/revocation/crl/testdata/delta.crl and 1.3.0-1/revocation/crl/testdata/delta.crl differ diff -pruN 1.1.0-6/revocation/internal/crl/crl.go 1.3.0-1/revocation/internal/crl/crl.go --- 1.1.0-6/revocation/internal/crl/crl.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/crl/crl.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,388 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package crl provides methods for checking the revocation status of a +// certificate using CRL +package crl + +import ( + "context" + "crypto/x509" + "encoding/asn1" + "errors" + "fmt" + "math/big" + "time" + + "github.com/notaryproject/notation-core-go/revocation/crl" + "github.com/notaryproject/notation-core-go/revocation/internal/x509util" + "github.com/notaryproject/notation-core-go/revocation/result" + "golang.org/x/crypto/cryptobyte" +) + +// RFC 5280, 5.3.1 +// +// CRLReason ::= ENUMERATED { +// unspecified (0), +// keyCompromise (1), +// cACompromise (2), +// affiliationChanged (3), +// superseded (4), +// cessationOfOperation (5), +// certificateHold (6), +// -- value 7 is not used +// removeFromCRL (8), +// privilegeWithdrawn (9), +// aACompromise (10) } +const ( + reasonCodeCertificateHold = 6 // certificateHold + reasonCodeRemoveFromCRL = 8 // removeFromCRL +) + +var ( + // oidFreshestCRL is the object identifier for the distribution point + // for the delta CRL. (See RFC 5280, Section 5.2.6) + oidFreshestCRL = asn1.ObjectIdentifier{2, 5, 29, 46} + + // oidIssuingDistributionPoint is the object identifier for the issuing + // distribution point CRL extension. (See RFC 5280, Section 5.2.5) + oidIssuingDistributionPoint = asn1.ObjectIdentifier{2, 5, 29, 28} + + // oidDeltaCRLIndicator is the object identifier for the delta CRL indicator + // (See RFC 5280, Section 5.2.4) + oidDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27} + + // oidInvalidityDate is the object identifier for the invalidity date + // CRL entry extension. (See RFC 5280, Section 5.3.2) + oidInvalidityDate = asn1.ObjectIdentifier{2, 5, 29, 24} +) + +// CertCheckStatusOptions specifies values that are needed to check CRL. +type CertCheckStatusOptions struct { + // Fetcher is used to fetch the CRL from the CRL distribution points. + Fetcher crl.Fetcher + + // SigningTime is used to compare with the invalidity date during revocation + // check. + SigningTime time.Time +} + +// CertCheckStatus checks the revocation status of a certificate using CRL +// +// The function checks the revocation status of the certificate by downloading +// the CRL from the CRL distribution points specified in the certificate. +// +// If the invalidity date extension is present in the CRL entry and SigningTime +// is not zero, the certificate is considered revoked if the SigningTime is +// after the invalidity date. (See RFC 5280, Section 5.3.2) +func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts CertCheckStatusOptions) *result.CertRevocationResult { + if !Supported(cert) { + // CRL not enabled for this certificate. + return &result.CertRevocationResult{ + Result: result.ResultNonRevokable, + ServerResults: []*result.ServerResult{{ + RevocationMethod: result.RevocationMethodCRL, + Error: errors.New("CRL is not supported"), + Result: result.ResultNonRevokable, + }}, + RevocationMethod: result.RevocationMethodCRL, + } + } + + if opts.Fetcher == nil { + return &result.CertRevocationResult{ + Result: result.ResultUnknown, + ServerResults: []*result.ServerResult{{ + RevocationMethod: result.RevocationMethodCRL, + Error: errors.New("CRL fetcher cannot be nil"), + Result: result.ResultUnknown, + }}, + RevocationMethod: result.RevocationMethodCRL, + } + } + + var ( + serverResults = make([]*result.ServerResult, 0, len(cert.CRLDistributionPoints)) + lastErr error + crlURL string + hasFreshestCRLInCertificate = x509util.FindExtensionByOID(cert.Extensions, oidFreshestCRL) != nil + ) + + // The CRLDistributionPoints contains the URIs of all the CRL distribution + // points. Since it does not distinguish the reason field, it needs to check + // all the URIs to avoid missing any partial CRLs. + // + // For the majority of the certificates, there is only one CRL distribution + // point with one CRL URI, which will be cached, so checking all the URIs is + // not a performance issue. + for _, crlURL = range cert.CRLDistributionPoints { + bundle, err := opts.Fetcher.Fetch(ctx, crlURL) + if err != nil { + lastErr = fmt.Errorf("failed to download CRL from %s: %w", crlURL, err) + break + } + + if hasFreshestCRLInCertificate && bundle.DeltaCRL == nil { + // | deltaCRL URL in cert | deltaCRL URL in baseCRL | support it? | + // |----------------------|-------------------------|-------------| + // | True | True | Yes | + // | True | False | No | + // | False | True | Yes | + // | False | False | Yes | + // + // if only the certificate has the freshest CRL, the bundle.DeltaCRL + // should be nil. We don't support this case now because the delta + // CRLs may have different scopes, but the Go built-in function + // skips the scope of the base CRL when parsing the certificate. + lastErr = errors.New("freshest CRL from certificate extension is not supported") + break + } + + if err = validate(bundle, issuer); err != nil { + lastErr = fmt.Errorf("failed to validate CRL from %s: %w", crlURL, err) + break + } + + crlResult, err := checkRevocation(cert, bundle, opts.SigningTime, crlURL) + if err != nil { + lastErr = fmt.Errorf("failed to check revocation status from %s: %w", crlURL, err) + break + } + + if crlResult.Result == result.ResultRevoked { + return &result.CertRevocationResult{ + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{crlResult}, + RevocationMethod: result.RevocationMethodCRL, + } + } + + serverResults = append(serverResults, crlResult) + } + + if lastErr != nil { + return &result.CertRevocationResult{ + Result: result.ResultUnknown, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultUnknown, + Server: crlURL, + Error: lastErr, + RevocationMethod: result.RevocationMethodCRL, + }}, + RevocationMethod: result.RevocationMethodCRL, + } + } + + return &result.CertRevocationResult{ + Result: result.ResultOK, + ServerResults: serverResults, + RevocationMethod: result.RevocationMethodCRL, + } +} + +// Supported checks if the certificate supports CRL. +func Supported(cert *x509.Certificate) bool { + return cert != nil && len(cert.CRLDistributionPoints) > 0 +} + +func validate(bundle *crl.Bundle, issuer *x509.Certificate) error { + // validate base CRL + baseCRL := bundle.BaseCRL + if err := validateCRL(baseCRL, issuer); err != nil { + return fmt.Errorf("failed to validate base CRL: %w", err) + } + + if bundle.DeltaCRL == nil { + return nil + } + + // validate delta CRL + // RFC 5280, Section 5.2.4 + deltaCRL := bundle.DeltaCRL + if err := validateCRL(deltaCRL, issuer); err != nil { + return fmt.Errorf("failed to validate delta CRL: %w", err) + } + if deltaCRL.Number.Cmp(baseCRL.Number) <= 0 { + return fmt.Errorf("delta CRL number %d is not greater than the base CRL number %d", deltaCRL.Number, baseCRL.Number) + } + + // check delta CRL indicator extension + extension := x509util.FindExtensionByOID(deltaCRL.Extensions, oidDeltaCRLIndicator) + if extension == nil { + return errors.New("delta CRL indicator extension is not found") + } + minimumBaseCRLNumber := new(big.Int) + value := cryptobyte.String(extension.Value) + if !value.ReadASN1Integer(minimumBaseCRLNumber) { + return errors.New("failed to parse delta CRL indicator extension") + } + if minimumBaseCRLNumber.Cmp(baseCRL.Number) > 0 { + return fmt.Errorf("delta CRL indicator %d is not less than or equal to the base CRL number %d", minimumBaseCRLNumber, baseCRL.Number) + } + return nil +} + +func validateCRL(crl *x509.RevocationList, issuer *x509.Certificate) error { + // check signature + if err := crl.CheckSignatureFrom(issuer); err != nil { + return fmt.Errorf("CRL is not signed by CA %s: %w,", issuer.Subject, err) + } + + // check validity + if crl.NextUpdate.IsZero() { + return errors.New("CRL NextUpdate is not set") + } + now := time.Now() + if now.After(crl.NextUpdate) { + return fmt.Errorf("expired CRL. Current time %v is after CRL NextUpdate %v", now, crl.NextUpdate) + } + + for _, ext := range crl.Extensions { + switch { + case ext.Id.Equal(oidIssuingDistributionPoint): + // IssuingDistributionPoint is a critical extension that identifies + // the scope of the CRL. Since we will check all the CRL + // distribution points, it is not necessary to check this extension. + case ext.Id.Equal(oidDeltaCRLIndicator): + // will be checked in validate() + default: + if ext.Critical { + // unsupported critical extensions is not allowed. (See RFC 5280, Section 5.2) + return fmt.Errorf("unsupported critical extension found in CRL: %v", ext.Id) + } + } + } + + return nil +} + +// checkRevocation checks if the certificate is revoked or not +func checkRevocation(cert *x509.Certificate, b *crl.Bundle, signingTime time.Time, crlURL string) (*result.ServerResult, error) { + if cert == nil { + return nil, errors.New("certificate cannot be nil") + } + if b == nil { + return nil, errors.New("CRL bundle cannot be nil") + } + if b.BaseCRL == nil { + return nil, errors.New("baseCRL cannot be nil") + } + + // merge the base and delta CRLs in a single iterator + revocationListIter := func(yield func(*x509.RevocationListEntry) bool) { + for i := range b.BaseCRL.RevokedCertificateEntries { + if !yield(&b.BaseCRL.RevokedCertificateEntries[i]) { + return + } + } + if b.DeltaCRL != nil { + for i := range b.DeltaCRL.RevokedCertificateEntries { + if !yield(&b.DeltaCRL.RevokedCertificateEntries[i]) { + return + } + } + } + } + + // latestTempRevokedEntry contains the most recent revocation entry with + // reasons such as CertificateHold or RemoveFromCRL. + // + // If the certificate is revoked with CertificateHold, it is temporarily + // revoked. If the certificate is shown in the CRL with RemoveFromCRL, + // it is unrevoked. + var latestTempRevokedEntry *x509.RevocationListEntry + + // iterate over all the entries in the base and delta CRLs + for revocationEntry := range revocationListIter { + if revocationEntry.SerialNumber.Cmp(cert.SerialNumber) == 0 { + extensions, err := parseEntryExtensions(revocationEntry) + if err != nil { + return nil, err + } + + // validate signingTime and invalidityDate + if !signingTime.IsZero() && !extensions.invalidityDate.IsZero() && + signingTime.Before(extensions.invalidityDate) { + // signing time is before the invalidity date which means the + // certificate is not revoked at the time of signing. + return &result.ServerResult{ + Result: result.ResultOK, + Server: crlURL, + RevocationMethod: result.RevocationMethodCRL, + }, nil + } + + switch revocationEntry.ReasonCode { + case reasonCodeCertificateHold, reasonCodeRemoveFromCRL: + // temporarily revoked or unrevoked + if latestTempRevokedEntry == nil || latestTempRevokedEntry.RevocationTime.Before(revocationEntry.RevocationTime) { + // the revocation status depends on the most recent reason + latestTempRevokedEntry = revocationEntry + } + default: + // permanently revoked + return &result.ServerResult{ + Result: result.ResultRevoked, + Server: crlURL, + RevocationMethod: result.RevocationMethodCRL, + }, nil + } + } + } + if latestTempRevokedEntry != nil && latestTempRevokedEntry.ReasonCode == reasonCodeCertificateHold { + // revoked with CertificateHold + return &result.ServerResult{ + Result: result.ResultRevoked, + Server: crlURL, + RevocationMethod: result.RevocationMethodCRL, + }, nil + } + + return &result.ServerResult{ + Result: result.ResultOK, + Server: crlURL, + RevocationMethod: result.RevocationMethodCRL, + }, nil +} + +type entryExtensions struct { + // invalidityDate is the date when the key is invalid. + invalidityDate time.Time +} + +func parseEntryExtensions(entry *x509.RevocationListEntry) (entryExtensions, error) { + var extensions entryExtensions + for _, ext := range entry.Extensions { + switch { + case ext.Id.Equal(oidInvalidityDate): + var invalidityDate time.Time + rest, err := asn1.UnmarshalWithParams(ext.Value, &invalidityDate, "generalized") + if err != nil { + return entryExtensions{}, fmt.Errorf("failed to parse invalidity date: %w", err) + } + if len(rest) > 0 { + return entryExtensions{}, fmt.Errorf("invalid invalidity date extension: trailing data") + } + + extensions.invalidityDate = invalidityDate + default: + if ext.Critical { + // unsupported critical extensions is not allowed. (See RFC 5280, Section 5.2) + return entryExtensions{}, fmt.Errorf("unsupported critical extension found in CRL: %v", ext.Id) + } + } + } + + return extensions, nil +} diff -pruN 1.1.0-6/revocation/internal/crl/crl_test.go 1.3.0-1/revocation/internal/crl/crl_test.go --- 1.1.0-6/revocation/internal/crl/crl_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/crl/crl_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,1125 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package crl + +import ( + "bytes" + "context" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "fmt" + "io" + "math/big" + "net/http" + "strings" + "sync" + "testing" + "time" + + crlutils "github.com/notaryproject/notation-core-go/revocation/crl" + "github.com/notaryproject/notation-core-go/revocation/result" + "github.com/notaryproject/notation-core-go/testhelper" +) + +func TestCertCheckStatus(t *testing.T) { + t.Run("certificate does not have CRLDistributionPoints", func(t *testing.T) { + cert := &x509.Certificate{} + r := CertCheckStatus(context.Background(), cert, &x509.Certificate{}, CertCheckStatusOptions{}) + if r.ServerResults[0].Error.Error() != "CRL is not supported" { + t.Fatalf("expected CRL is not supported, got %v", r.ServerResults[0].Error) + } + }) + + t.Run("fetcher is nil", func(t *testing.T) { + cert := &x509.Certificate{ + CRLDistributionPoints: []string{"http://localhost.test"}, + } + r := CertCheckStatus(context.Background(), cert, &x509.Certificate{}, CertCheckStatusOptions{}) + if r.ServerResults[0].Error.Error() != "CRL fetcher cannot be nil" { + t.Fatalf("expected CRL fetcher cannot be nil, got %v", r.ServerResults[0].Error) + } + }) + + t.Run("download error", func(t *testing.T) { + memoryCache := &memoryCache{} + + cert := &x509.Certificate{ + CRLDistributionPoints: []string{"http://localhost.test"}, + } + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: errorRoundTripperMock{}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.Cache = memoryCache + + r := CertCheckStatus(context.Background(), cert, &x509.Certificate{}, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + + if r.ServerResults[0].Error == nil { + t.Fatal("expected error") + } + }) + + t.Run("CRL validate failed", func(t *testing.T) { + memoryCache := &memoryCache{} + + cert := &x509.Certificate{ + CRLDistributionPoints: []string{"http://localhost.test"}, + } + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: expiredCRLRoundTripperMock{}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.Cache = memoryCache + + r := CertCheckStatus(context.Background(), cert, &x509.Certificate{}, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if r.ServerResults[0].Error == nil { + t.Fatal("expected error") + } + }) + + // prepare a certificate chain + chain := testhelper.GetRevokableRSAChainWithRevocations(2, false, true) + issuerCert := chain[1].Cert + issuerKey := chain[1].PrivateKey + + t.Run("revoked", func(t *testing.T) { + memoryCache := &memoryCache{} + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: chain[0].Cert.SerialNumber, + RevocationTime: time.Now().Add(-time.Hour), + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: expectedRoundTripperMock{Body: crlBytes}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.Cache = memoryCache + fetcher.DiscardCacheError = true + r := CertCheckStatus(context.Background(), chain[0].Cert, issuerCert, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if r.Result != result.ResultRevoked { + t.Fatalf("expected revoked, got %s", r.Result) + } + }) + + t.Run("unknown critical extension", func(t *testing.T) { + memoryCache := &memoryCache{} + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: chain[0].Cert.SerialNumber, + RevocationTime: time.Now().Add(-time.Hour), + ExtraExtensions: []pkix.Extension{ + { + Id: []int{1, 2, 3}, + Critical: true, + }, + }, + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: expectedRoundTripperMock{Body: crlBytes}}, + ) + if err != nil { + t.Fatal(err) + } + + fetcher.Cache = memoryCache + fetcher.DiscardCacheError = true + r := CertCheckStatus(context.Background(), chain[0].Cert, issuerCert, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if r.ServerResults[0].Error == nil { + t.Fatal("expected error") + } + }) + + t.Run("Not revoked", func(t *testing.T) { + memoryCache := &memoryCache{} + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: expectedRoundTripperMock{Body: crlBytes}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.Cache = memoryCache + fetcher.DiscardCacheError = true + r := CertCheckStatus(context.Background(), chain[0].Cert, issuerCert, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if r.Result != result.ResultOK { + t.Fatalf("expected OK, got %s", r.Result) + } + }) + + memoryCache := &memoryCache{} + + // create a stale CRL + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(-time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + base, err := x509.ParseRevocationList(crlBytes) + if err != nil { + t.Fatal(err) + } + bundle := &crlutils.Bundle{ + BaseCRL: base, + } + + chain[0].Cert.CRLDistributionPoints = []string{"http://localhost.test"} + + t.Run("invalid stale CRL cache, and re-download failed", func(t *testing.T) { + // save to cache + if err := memoryCache.Set(context.Background(), "http://localhost.test", bundle); err != nil { + t.Fatal(err) + } + + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: errorRoundTripperMock{}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.Cache = memoryCache + fetcher.DiscardCacheError = true + r := CertCheckStatus(context.Background(), chain[0].Cert, issuerCert, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if !strings.HasPrefix(r.ServerResults[0].Error.Error(), "failed to download CRL from") { + t.Fatalf("unexpected error, got %v", r.ServerResults[0].Error) + } + }) + + t.Run("invalid stale CRL cache, re-download and still validate failed", func(t *testing.T) { + // save to cache + if err := memoryCache.Set(context.Background(), "http://localhost.test", bundle); err != nil { + t.Fatal(err) + } + + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: expectedRoundTripperMock{Body: crlBytes}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.Cache = memoryCache + fetcher.DiscardCacheError = true + r := CertCheckStatus(context.Background(), chain[0].Cert, issuerCert, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if !strings.HasPrefix(r.ServerResults[0].Error.Error(), "failed to validate CRL from") { + t.Fatalf("unexpected error, got %v", r.ServerResults[0].Error) + } + }) + + t.Run("invalid stale CRL cache, re-download and validate seccessfully", func(t *testing.T) { + // save to cache + if err := memoryCache.Set(context.Background(), "http://localhost.test", bundle); err != nil { + t.Fatal(err) + } + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: expectedRoundTripperMock{Body: crlBytes}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.Cache = memoryCache + fetcher.DiscardCacheError = true + r := CertCheckStatus(context.Background(), chain[0].Cert, issuerCert, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if r.Result != result.ResultOK { + t.Fatalf("expected OK, got %s", r.Result) + } + }) + + t.Run("freshest CRL from certificate extension is not supported", func(t *testing.T) { + chain[0].Cert.Extensions = []pkix.Extension{ + { + Id: oidFreshestCRL, + }, + } + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + fetcher, err := crlutils.NewHTTPFetcher( + &http.Client{Transport: expectedRoundTripperMock{Body: crlBytes}}, + ) + if err != nil { + t.Fatal(err) + } + fetcher.DiscardCacheError = true + r := CertCheckStatus(context.Background(), chain[0].Cert, issuerCert, CertCheckStatusOptions{ + Fetcher: fetcher, + }) + if r.Result != result.ResultUnknown { + t.Fatalf("expected Unknown, got %s", r.Result) + } + expectedErrorMsg := "freshest CRL from certificate extension is not supported" + if r.ServerResults[0].Error == nil || r.ServerResults[0].Error.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, r.ServerResults[0].Error) + } + }) +} + +func TestValidate(t *testing.T) { + t.Run("expired CRL", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(1, false, true) + issuerCert := chain[0].Cert + issuerKey := chain[0].PrivateKey + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(-time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + crl, err := x509.ParseRevocationList(crlBytes) + if err != nil { + t.Fatal(err) + } + + if err := validateCRL(crl, issuerCert); err == nil { + t.Fatal("expected error") + } + }) + + t.Run("check signature failed", func(t *testing.T) { + crl := &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + } + + if err := validateCRL(crl, &x509.Certificate{}); err == nil { + t.Fatal("expected error") + } + }) + + t.Run("unsupported CRL critical extensions", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(1, false, true) + issuerCert := chain[0].Cert + issuerKey := chain[0].PrivateKey + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + crl, err := x509.ParseRevocationList(crlBytes) + if err != nil { + t.Fatal(err) + } + + // add unsupported critical extension + crl.Extensions = []pkix.Extension{ + { + Id: []int{1, 2, 3}, + Critical: true, + }, + } + + if err := validateCRL(crl, issuerCert); err == nil { + t.Fatal("expected error") + } + }) + + t.Run("issuing distribution point extension exists", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(1, false, true) + issuerCert := chain[0].Cert + issuerKey := chain[0].PrivateKey + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + ExtraExtensions: []pkix.Extension{ + { + Id: oidIssuingDistributionPoint, + Critical: true, + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + crl, err := x509.ParseRevocationList(crlBytes) + if err != nil { + t.Fatal(err) + } + + if err := validateCRL(crl, issuerCert); err != nil { + t.Fatal(err) + } + }) + + chain := testhelper.GetRevokableRSAChainWithRevocations(1, false, true) + issuerCert := chain[0].Cert + issuerKey := chain[0].PrivateKey + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + + crl, err := x509.ParseRevocationList(crlBytes) + if err != nil { + t.Fatal(err) + } + + t.Run("valid crl and delta crl", func(t *testing.T) { + deltaCRLIndicator := big.NewInt(20240720) + deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator) + if err != nil { + t.Fatal(err) + } + deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240721), + ExtraExtensions: []pkix.Extension{ + { + Id: oidDeltaCRLIndicator, + Critical: true, + Value: deltaCRLIndicatorBytes, + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes) + if err != nil { + t.Fatal(err) + } + bundle := &crlutils.Bundle{ + BaseCRL: crl, + DeltaCRL: deltaCRL, + } + if err := validate(bundle, issuerCert); err != nil { + t.Fatal(err) + } + }) + + t.Run("invalid delta crl", func(t *testing.T) { + deltaCRLIndicator := big.NewInt(20240720) + deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator) + if err != nil { + t.Fatal(err) + } + deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + Number: big.NewInt(20240721), + ExtraExtensions: []pkix.Extension{ + { + Id: oidDeltaCRLIndicator, + Critical: true, + Value: deltaCRLIndicatorBytes, + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes) + if err != nil { + t.Fatal(err) + } + bundle := &crlutils.Bundle{ + BaseCRL: crl, + DeltaCRL: deltaCRL, + } + err = validate(bundle, issuerCert) + expectedErrorMsg := "failed to validate delta CRL: CRL NextUpdate is not set" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) + + t.Run("invalid delta crl number", func(t *testing.T) { + deltaCRLIndicator := big.NewInt(20240720) + deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator) + if err != nil { + t.Fatal(err) + } + deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240719), + ExtraExtensions: []pkix.Extension{ + { + Id: oidDeltaCRLIndicator, + Critical: true, + Value: deltaCRLIndicatorBytes, + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes) + if err != nil { + t.Fatal(err) + } + bundle := &crlutils.Bundle{ + BaseCRL: crl, + DeltaCRL: deltaCRL, + } + err = validate(bundle, issuerCert) + expectedErrorMsg := "delta CRL number 20240719 is not greater than the base CRL number 20240720" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) + + t.Run("delta crl without delta crl indicator", func(t *testing.T) { + deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240721), + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes) + if err != nil { + t.Fatal(err) + } + bundle := &crlutils.Bundle{ + BaseCRL: crl, + DeltaCRL: deltaCRL, + } + err = validate(bundle, issuerCert) + expectedErrorMsg := "delta CRL indicator extension is not found" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) + + t.Run("delta crl minimum base crl number is greater than base crl", func(t *testing.T) { + deltaCRLIndicator := big.NewInt(20240721) + deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator) + if err != nil { + t.Fatal(err) + } + deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240722), + ExtraExtensions: []pkix.Extension{ + { + Id: oidDeltaCRLIndicator, + Critical: true, + Value: deltaCRLIndicatorBytes, + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes) + if err != nil { + t.Fatal(err) + } + bundle := &crlutils.Bundle{ + BaseCRL: crl, + DeltaCRL: deltaCRL, + } + err = validate(bundle, issuerCert) + expectedErrorMsg := "delta CRL indicator 20240721 is not less than or equal to the base CRL number 20240720" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) + + t.Run("delta crl with invalid delta indicator extension", func(t *testing.T) { + deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240722), + ExtraExtensions: []pkix.Extension{ + { + Id: oidDeltaCRLIndicator, + Critical: true, + Value: []byte("invalid"), + }, + }, + }, issuerCert, issuerKey) + if err != nil { + t.Fatal(err) + } + deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes) + if err != nil { + t.Fatal(err) + } + bundle := &crlutils.Bundle{ + BaseCRL: crl, + DeltaCRL: deltaCRL, + } + err = validate(bundle, issuerCert) + expectedErrorMsg := "failed to parse delta CRL indicator extension" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) +} + +func TestCheckRevocation(t *testing.T) { + cert := &x509.Certificate{ + SerialNumber: big.NewInt(1), + } + signingTime := time.Now() + + t.Run("certificate is nil", func(t *testing.T) { + _, err := checkRevocation(nil, &crlutils.Bundle{BaseCRL: &x509.RevocationList{}}, signingTime, "") + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("bundle is nil", func(t *testing.T) { + _, err := checkRevocation(cert, nil, signingTime, "") + expectedErrorMsg := "CRL bundle cannot be nil" + if err == nil || err.Error() != expectedErrorMsg { + t.Fatalf("expected error %q, got %v", expectedErrorMsg, err) + } + }) + + t.Run("CRL is nil", func(t *testing.T) { + _, err := checkRevocation(cert, &crlutils.Bundle{}, signingTime, "") + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("not revoked", func(t *testing.T) { + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(2), + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultOK { + t.Fatalf("unexpected result, got %s", r.Result) + } + }) + + t.Run("revoked", func(t *testing.T) { + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Now().Add(-time.Hour), + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultRevoked { + t.Fatalf("expected revoked, got %s", r.Result) + } + }) + + t.Run("revoked in delta CRL", func(t *testing.T) { + baseCRL := &x509.RevocationList{} + deltaCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Now().Add(-time.Hour), + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL, DeltaCRL: deltaCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultRevoked { + t.Fatalf("expected revoked, got %s", r.Result) + } + }) + + t.Run("revoked but signing time is before invalidityDate", func(t *testing.T) { + invalidityDate := time.Now().Add(time.Hour) + invalidityDateBytes, err := marshalGeneralizedTimeToBytes(invalidityDate) + if err != nil { + t.Fatal(err) + } + + extensions := []pkix.Extension{ + { + Id: oidInvalidityDate, + Critical: false, + Value: invalidityDateBytes, + }, + } + + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Now().Add(time.Hour), + Extensions: extensions, + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultOK { + t.Fatalf("unexpected result, got %s", r.Result) + } + }) + + t.Run("revoked; signing time is after invalidityDate", func(t *testing.T) { + invalidityDate := time.Now().Add(-time.Hour) + invalidityDateBytes, err := marshalGeneralizedTimeToBytes(invalidityDate) + if err != nil { + t.Fatal(err) + } + + extensions := []pkix.Extension{ + { + Id: oidInvalidityDate, + Critical: false, + Value: invalidityDateBytes, + }, + } + + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Now().Add(-time.Hour), + Extensions: extensions, + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultRevoked { + t.Fatalf("expected revoked, got %s", r.Result) + } + }) + + t.Run("revoked and signing time is zero", func(t *testing.T) { + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Time{}, + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL}, time.Time{}, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultRevoked { + t.Fatalf("expected revoked, got %s", r.Result) + } + }) + + t.Run("revocation entry validation error", func(t *testing.T) { + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + Extensions: []pkix.Extension{ + { + Id: []int{1, 2, 3}, + Critical: true, + }, + }, + }, + }, + } + _, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL}, signingTime, "") + if err == nil { + t.Fatal("expected error") + } + }) + + t.Run("delta crl with certificate hold", func(t *testing.T) { + baseCRL := &x509.RevocationList{} + deltaCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeCertificateHold, + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL, DeltaCRL: deltaCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultRevoked { + t.Fatalf("expected revoked, got %s", r.Result) + } + }) + + t.Run("certificate hold and remove hold", func(t *testing.T) { + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeCertificateHold, + RevocationTime: time.Now().Add(-time.Hour), + }, + }, + } + deltaCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeRemoveFromCRL, + RevocationTime: time.Now(), + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL, DeltaCRL: deltaCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultOK { + t.Fatalf("expected OK, got %s", r.Result) + } + }) + + t.Run("certificate hold and remove hold with other other certificate hold", func(t *testing.T) { + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeCertificateHold, + RevocationTime: time.Now().Add(-time.Hour), + }, + }, + } + deltaCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeRemoveFromCRL, + RevocationTime: time.Now(), + }, + { + SerialNumber: big.NewInt(2), + ReasonCode: reasonCodeCertificateHold, + RevocationTime: time.Now(), + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL, DeltaCRL: deltaCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultOK { + t.Fatalf("expected OK, got %s", r.Result) + } + }) + + t.Run("certificate hold, remove hold and hold again", func(t *testing.T) { + baseCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeCertificateHold, + RevocationTime: time.Now().Add(-2 * time.Hour), + }, + }, + } + deltaCRL := &x509.RevocationList{ + RevokedCertificateEntries: []x509.RevocationListEntry{ + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeRemoveFromCRL, + RevocationTime: time.Now().Add(-time.Hour), + }, + { + SerialNumber: big.NewInt(1), + ReasonCode: reasonCodeCertificateHold, + RevocationTime: time.Now(), + }, + }, + } + r, err := checkRevocation(cert, &crlutils.Bundle{BaseCRL: baseCRL, DeltaCRL: deltaCRL}, signingTime, "") + if err != nil { + t.Fatal(err) + } + if r.Result != result.ResultRevoked { + t.Fatalf("expected revoked, got %s", r.Result) + } + }) +} + +func TestParseEntryExtension(t *testing.T) { + t.Run("unsupported critical extension", func(t *testing.T) { + entry := &x509.RevocationListEntry{ + Extensions: []pkix.Extension{ + { + Id: []int{1, 2, 3}, + Critical: true, + }, + }, + } + if _, err := parseEntryExtensions(entry); err == nil { + t.Fatal("expected error") + } + }) + + t.Run("valid extension", func(t *testing.T) { + entry := &x509.RevocationListEntry{ + Extensions: []pkix.Extension{ + { + Id: []int{1, 2, 3}, + Critical: false, + }, + }, + } + if _, err := parseEntryExtensions(entry); err != nil { + t.Fatal(err) + } + }) + + t.Run("parse invalidityDate", func(t *testing.T) { + + // create a time and marshal it to be generalizedTime + invalidityDate := time.Now() + invalidityDateBytes, err := marshalGeneralizedTimeToBytes(invalidityDate) + if err != nil { + t.Fatal(err) + } + + entry := &x509.RevocationListEntry{ + Extensions: []pkix.Extension{ + { + Id: oidInvalidityDate, + Critical: false, + Value: invalidityDateBytes, + }, + }, + } + extensions, err := parseEntryExtensions(entry) + if err != nil { + t.Fatal(err) + } + + if extensions.invalidityDate.IsZero() { + t.Fatal("expected invalidityDate") + } + }) + + t.Run("parse invalidityDate with error", func(t *testing.T) { + // invalid invalidityDate extension + entry := &x509.RevocationListEntry{ + Extensions: []pkix.Extension{ + { + Id: oidInvalidityDate, + Critical: false, + Value: []byte{0x00, 0x01, 0x02, 0x03}, + }, + }, + } + _, err := parseEntryExtensions(entry) + if err == nil { + t.Fatal("expected error") + } + + // invalidityDate extension with extra bytes + invalidityDate := time.Now() + invalidityDateBytes, err := marshalGeneralizedTimeToBytes(invalidityDate) + if err != nil { + t.Fatal(err) + } + invalidityDateBytes = append(invalidityDateBytes, 0x00) + + entry = &x509.RevocationListEntry{ + Extensions: []pkix.Extension{ + { + Id: oidInvalidityDate, + Critical: false, + Value: invalidityDateBytes, + }, + }, + } + _, err = parseEntryExtensions(entry) + if err == nil { + t.Fatal("expected error") + } + }) +} + +// marshalGeneralizedTimeToBytes converts a time.Time to ASN.1 GeneralizedTime bytes. +func marshalGeneralizedTimeToBytes(t time.Time) ([]byte, error) { + // ASN.1 GeneralizedTime requires the time to be in UTC + t = t.UTC() + // Use asn1.Marshal to directly get the ASN.1 GeneralizedTime bytes + return asn1.Marshal(t) +} + +func TestSupported(t *testing.T) { + t.Run("supported", func(t *testing.T) { + cert := &x509.Certificate{ + CRLDistributionPoints: []string{"http://localhost.test"}, + } + if !Supported(cert) { + t.Fatal("expected supported") + } + }) + + t.Run("unsupported", func(t *testing.T) { + cert := &x509.Certificate{} + if Supported(cert) { + t.Fatal("expected unsupported") + } + }) +} + +type errorRoundTripperMock struct{} + +func (rt errorRoundTripperMock) RoundTrip(req *http.Request) (*http.Response, error) { + return nil, fmt.Errorf("error") +} + +type expiredCRLRoundTripperMock struct{} + +func (rt expiredCRLRoundTripperMock) RoundTrip(req *http.Request) (*http.Response, error) { + chain := testhelper.GetRevokableRSAChainWithRevocations(1, false, true) + issuerCert := chain[0].Cert + issuerKey := chain[0].PrivateKey + + crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ + NextUpdate: time.Now().Add(-time.Hour), + Number: big.NewInt(20240720), + }, issuerCert, issuerKey) + if err != nil { + return nil, err + } + + return &http.Response{ + StatusCode: http.StatusOK, + Body: io.NopCloser(bytes.NewBuffer(crlBytes)), + }, nil +} + +type expectedRoundTripperMock struct { + Body []byte +} + +func (rt expectedRoundTripperMock) RoundTrip(req *http.Request) (*http.Response, error) { + return &http.Response{ + Request: req, + StatusCode: http.StatusOK, + Body: io.NopCloser(bytes.NewBuffer(rt.Body)), + }, nil +} + +// memoryCache is an in-memory cache that stores CRL bundles for testing. +type memoryCache struct { + store sync.Map +} + +// Get retrieves the CRL from the memory store. +// +// - if the key does not exist, return ErrNotFound +// - if the CRL is expired, return ErrCacheMiss +func (c *memoryCache) Get(ctx context.Context, url string) (*crlutils.Bundle, error) { + value, ok := c.store.Load(url) + if !ok { + return nil, crlutils.ErrCacheMiss + } + bundle, ok := value.(*crlutils.Bundle) + if !ok { + return nil, fmt.Errorf("invalid type: %T", value) + } + + return bundle, nil +} + +// Set stores the CRL in the memory store. +func (c *memoryCache) Set(ctx context.Context, url string, bundle *crlutils.Bundle) error { + c.store.Store(url, bundle) + return nil +} diff -pruN 1.1.0-6/revocation/internal/ocsp/errors.go 1.3.0-1/revocation/internal/ocsp/errors.go --- 1.1.0-6/revocation/internal/ocsp/errors.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/ocsp/errors.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,68 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package ocsp provides methods for checking the OCSP revocation status of a +// certificate chain, as well as errors related to these checks +package ocsp + +import ( + "fmt" + "time" +) + +// RevokedError is returned when the certificate's status for OCSP is +// ocsp.Revoked +type RevokedError struct{} + +func (e RevokedError) Error() string { + return "certificate is revoked via OCSP" +} + +// UnknownStatusError is returned when the certificate's status for OCSP is +// ocsp.Unknown +type UnknownStatusError struct{} + +func (e UnknownStatusError) Error() string { + return "certificate has unknown status via OCSP" +} + +// GenericError is returned when there is an error during the OCSP revocation +// check, not necessarily a revocation +type GenericError struct { + Err error +} + +func (e GenericError) Error() string { + msg := "error checking revocation status via OCSP" + if e.Err != nil { + return fmt.Sprintf("%s: %v", msg, e.Err) + } + return msg +} + +// NoServerError is returned when the OCSPServer is not specified. +type NoServerError struct{} + +func (e NoServerError) Error() string { + return "no valid OCSP server found" +} + +// TimeoutError is returned when the connection attempt to an OCSP URL exceeds +// the specified threshold +type TimeoutError struct { + timeout time.Duration +} + +func (e TimeoutError) Error() string { + return fmt.Sprintf("exceeded timeout threshold of %.2f seconds for OCSP check", e.timeout.Seconds()) +} diff -pruN 1.1.0-6/revocation/internal/ocsp/errors_test.go 1.3.0-1/revocation/internal/ocsp/errors_test.go --- 1.1.0-6/revocation/internal/ocsp/errors_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/ocsp/errors_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,78 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ocsp + +import ( + "errors" + "fmt" + "testing" + "time" +) + +func TestRevokedError(t *testing.T) { + err := &RevokedError{} + expectedMsg := "certificate is revoked via OCSP" + + if err.Error() != expectedMsg { + t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) + } +} + +func TestUnknownStatusError(t *testing.T) { + err := &UnknownStatusError{} + expectedMsg := "certificate has unknown status via OCSP" + + if err.Error() != expectedMsg { + t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) + } +} + +func TestGenericError(t *testing.T) { + t.Run("without_inner_error", func(t *testing.T) { + err := &GenericError{} + expectedMsg := "error checking revocation status via OCSP" + + if err.Error() != expectedMsg { + t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) + } + }) + + t.Run("with_inner_error", func(t *testing.T) { + err := &GenericError{Err: errors.New("inner error")} + expectedMsg := "error checking revocation status via OCSP: inner error" + + if err.Error() != expectedMsg { + t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) + } + }) +} + +func TestNoServerError(t *testing.T) { + err := &NoServerError{} + expectedMsg := "no valid OCSP server found" + + if err.Error() != expectedMsg { + t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) + } +} + +func TestTimeoutError(t *testing.T) { + duration := 5 * time.Second + err := &TimeoutError{duration} + expectedMsg := fmt.Sprintf("exceeded timeout threshold of %.2f seconds for OCSP check", duration.Seconds()) + + if err.Error() != expectedMsg { + t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) + } +} diff -pruN 1.1.0-6/revocation/internal/ocsp/ocsp.go 1.3.0-1/revocation/internal/ocsp/ocsp.go --- 1.1.0-6/revocation/internal/ocsp/ocsp.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/ocsp/ocsp.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,254 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package ocsp provides methods for checking the OCSP revocation status of a +// certificate chain, as well as errors related to these checks +package ocsp + +import ( + "bytes" + "context" + "crypto" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "encoding/base64" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "strings" + "time" + + "github.com/notaryproject/notation-core-go/revocation/result" + "golang.org/x/crypto/ocsp" +) + +// CertCheckStatusOptions specifies values that are needed to check OCSP revocation +type CertCheckStatusOptions struct { + // HTTPClient is the HTTP client used to perform the OCSP request + HTTPClient *http.Client + + // SigningTime is used to compare with the invalidity date during revocation + SigningTime time.Time +} + +const ( + pkixNoCheckOID string = "1.3.6.1.5.5.7.48.1.5" + invalidityDateOID string = "2.5.29.24" + // Max size determined from https://www.ibm.com/docs/en/sva/9.0.6?topic=stanza-ocsp-max-response-size. + // Typical size is ~4 KB + ocspMaxResponseSize int64 = 20480 //bytes +) + +// CertCheckStatus checks the revocation status of a certificate using OCSP +func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts CertCheckStatusOptions) *result.CertRevocationResult { + if !Supported(cert) { + // OCSP not enabled for this certificate. + return &result.CertRevocationResult{ + Result: result.ResultNonRevokable, + ServerResults: []*result.ServerResult{toServerResult("", NoServerError{})}, + RevocationMethod: result.RevocationMethodOCSP, + } + } + ocspURLs := cert.OCSPServer + + serverResults := make([]*result.ServerResult, len(ocspURLs)) + for serverIndex, server := range ocspURLs { + serverResult := checkStatusFromServer(ctx, cert, issuer, server, opts) + if serverResult.Result == result.ResultOK || + serverResult.Result == result.ResultRevoked || + (serverResult.Result == result.ResultUnknown && errors.Is(serverResult.Error, UnknownStatusError{})) { + // A valid response has been received from an OCSP server + // Result should be based on only this response, not any errors from + // other servers + return serverResultsToCertRevocationResult([]*result.ServerResult{serverResult}) + } + serverResults[serverIndex] = serverResult + } + return serverResultsToCertRevocationResult(serverResults) +} + +// Supported returns true if the certificate supports OCSP. +func Supported(cert *x509.Certificate) bool { + return cert != nil && len(cert.OCSPServer) > 0 +} + +func checkStatusFromServer(ctx context.Context, cert, issuer *x509.Certificate, server string, opts CertCheckStatusOptions) *result.ServerResult { + // Check valid server + if serverURL, err := url.Parse(server); err != nil || !strings.EqualFold(serverURL.Scheme, "http") { + // This function is only able to check servers that are accessible via HTTP + return toServerResult(server, GenericError{Err: fmt.Errorf("OCSPServer protocol %s is not supported", serverURL.Scheme)}) + } + + // Create OCSP Request + resp, err := executeOCSPCheck(ctx, cert, issuer, server, opts) + if err != nil { + // If there is a server error, attempt all servers before determining what to return + // to the user + return toServerResult(server, err) + } + + // Validate OCSP response isn't expired + if time.Now().After(resp.NextUpdate) { + return toServerResult(server, GenericError{Err: errors.New("expired OCSP response")}) + } + + // Handle pkix-ocsp-no-check and id-ce-invalidityDate extensions if present + // in response + extensionMap := extensionsToMap(resp.Extensions) + if _, foundNoCheck := extensionMap[pkixNoCheckOID]; !foundNoCheck { + // This will be ignored until CRL is implemented + // If it isn't found, CRL should be used to verify the OCSP response + _ = foundNoCheck // needed to bypass linter warnings (Remove after adding CRL) + // TODO: add CRL support + // https://github.com/notaryproject/notation-core-go/issues/125 + } + if invalidityDateBytes, foundInvalidityDate := extensionMap[invalidityDateOID]; foundInvalidityDate && !opts.SigningTime.IsZero() && resp.Status == ocsp.Revoked { + var invalidityDate time.Time + rest, err := asn1.UnmarshalWithParams(invalidityDateBytes, &invalidityDate, "generalized") + if len(rest) == 0 && err == nil && opts.SigningTime.Before(invalidityDate) { + return toServerResult(server, nil) + } + } + + // No errors, valid server response + switch resp.Status { + case ocsp.Good: + return toServerResult(server, nil) + case ocsp.Revoked: + return toServerResult(server, RevokedError{}) + default: + // ocsp.Unknown + return toServerResult(server, UnknownStatusError{}) + } +} + +func extensionsToMap(extensions []pkix.Extension) map[string][]byte { + extensionMap := make(map[string][]byte) + for _, extension := range extensions { + extensionMap[extension.Id.String()] = extension.Value + } + return extensionMap +} + +func executeOCSPCheck(ctx context.Context, cert, issuer *x509.Certificate, server string, opts CertCheckStatusOptions) (*ocsp.Response, error) { + // TODO: Look into other alternatives for specifying the Hash + // https://github.com/notaryproject/notation-core-go/issues/139 + // The following do not support SHA256 hashes: + // - Microsoft + // - Entrust + // - Let's Encrypt + // - Digicert (sometimes) + // As this represents a large percentage of public CAs, we are using the + // hashing algorithm SHA1, which has been confirmed to be supported by all + // that were tested. + ocspRequest, err := ocsp.CreateRequest(cert, issuer, &ocsp.RequestOptions{Hash: crypto.SHA1}) + if err != nil { + return nil, GenericError{Err: err} + } + + var resp *http.Response + postRequired := base64.StdEncoding.EncodedLen(len(ocspRequest)) >= 255 + if !postRequired { + encodedReq := url.QueryEscape(base64.StdEncoding.EncodeToString(ocspRequest)) + if len(encodedReq) < 255 { + var reqURL string + reqURL, err = url.JoinPath(server, encodedReq) + if err != nil { + return nil, GenericError{Err: err} + } + var httpReq *http.Request + httpReq, err = http.NewRequestWithContext(ctx, http.MethodGet, reqURL, nil) + if err != nil { + return nil, err + } + resp, err = opts.HTTPClient.Do(httpReq) + } else { + resp, err = postRequest(ctx, ocspRequest, server, opts.HTTPClient) + } + } else { + resp, err = postRequest(ctx, ocspRequest, server, opts.HTTPClient) + } + + if err != nil { + var urlErr *url.Error + if errors.As(err, &urlErr) && urlErr.Timeout() { + return nil, TimeoutError{ + timeout: opts.HTTPClient.Timeout, + } + } + return nil, GenericError{Err: err} + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("failed to retrieve OCSP: response had status code %d", resp.StatusCode) + } + + body, err := io.ReadAll(io.LimitReader(resp.Body, ocspMaxResponseSize)) + if err != nil { + return nil, GenericError{Err: err} + } + + switch { + case bytes.Equal(body, ocsp.UnauthorizedErrorResponse): + return nil, GenericError{Err: errors.New("OCSP unauthorized")} + case bytes.Equal(body, ocsp.MalformedRequestErrorResponse): + return nil, GenericError{Err: errors.New("OCSP malformed")} + case bytes.Equal(body, ocsp.InternalErrorErrorResponse): + return nil, GenericError{Err: errors.New("OCSP internal error")} + case bytes.Equal(body, ocsp.TryLaterErrorResponse): + return nil, GenericError{Err: errors.New("OCSP try later")} + case bytes.Equal(body, ocsp.SigRequredErrorResponse): + return nil, GenericError{Err: errors.New("OCSP signature required")} + } + + return ocsp.ParseResponseForCert(body, cert, issuer) +} + +func postRequest(ctx context.Context, req []byte, server string, httpClient *http.Client) (*http.Response, error) { + httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, server, bytes.NewReader(req)) + if err != nil { + return nil, err + } + httpReq.Header.Set("Content-Type", "application/ocsp-request") + return httpClient.Do(httpReq) +} + +func toServerResult(server string, err error) *result.ServerResult { + var serverResult *result.ServerResult + switch t := err.(type) { + case nil: + serverResult = result.NewServerResult(result.ResultOK, server, nil) + case NoServerError: + serverResult = result.NewServerResult(result.ResultNonRevokable, server, nil) + case RevokedError: + serverResult = result.NewServerResult(result.ResultRevoked, server, t) + default: + // Includes GenericError, UnknownStatusError, result.InvalidChainError, + // and TimeoutError + serverResult = result.NewServerResult(result.ResultUnknown, server, t) + } + serverResult.RevocationMethod = result.RevocationMethodOCSP + return serverResult +} + +func serverResultsToCertRevocationResult(serverResults []*result.ServerResult) *result.CertRevocationResult { + return &result.CertRevocationResult{ + Result: serverResults[len(serverResults)-1].Result, + ServerResults: serverResults, + RevocationMethod: result.RevocationMethodOCSP, + } +} diff -pruN 1.1.0-6/revocation/internal/ocsp/ocsp_test.go 1.3.0-1/revocation/internal/ocsp/ocsp_test.go --- 1.1.0-6/revocation/internal/ocsp/ocsp_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/ocsp/ocsp_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,296 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ocsp + +import ( + "context" + "crypto/x509" + "fmt" + "net/http" + "net/url" + "strings" + "testing" + "time" + + "github.com/notaryproject/notation-core-go/revocation/result" + "github.com/notaryproject/notation-core-go/testhelper" + "golang.org/x/crypto/ocsp" +) + +func validateEquivalentCertResults(certResults, expectedCertResults []*result.CertRevocationResult, t *testing.T) { + if len(certResults) != len(expectedCertResults) { + t.Errorf("Length of certResults (%d) did not match expected length (%d)", len(certResults), len(expectedCertResults)) + return + } + for i, certResult := range certResults { + if certResult.Result != expectedCertResults[i].Result { + t.Errorf("Expected certResults[%d].Result to be %s, but got %s", i, expectedCertResults[i].Result, certResult.Result) + } + if len(certResult.ServerResults) != len(expectedCertResults[i].ServerResults) { + t.Errorf("Length of certResults[%d].ServerResults (%d) did not match expected length (%d)", i, len(certResult.ServerResults), len(expectedCertResults[i].ServerResults)) + return + } + for j, serverResult := range certResult.ServerResults { + if serverResult.Result != expectedCertResults[i].ServerResults[j].Result { + t.Errorf("Expected certResults[%d].ServerResults[%d].Result to be %s, but got %s", i, j, expectedCertResults[i].ServerResults[j].Result, serverResult.Result) + } + if serverResult.Server != expectedCertResults[i].ServerResults[j].Server { + t.Errorf("Expected certResults[%d].ServerResults[%d].Server to be %s, but got %s", i, j, expectedCertResults[i].ServerResults[j].Server, serverResult.Server) + } + if serverResult.Error == nil { + if expectedCertResults[i].ServerResults[j].Error == nil { + continue + } + t.Errorf("certResults[%d].ServerResults[%d].Error was nil, but expected %v", i, j, expectedCertResults[i].ServerResults[j].Error) + } else if expectedCertResults[i].ServerResults[j].Error == nil { + t.Errorf("Unexpected error for certResults[%d].ServerResults[%d].Error: %v", i, j, serverResult.Error) + } else if serverResult.Error.Error() != expectedCertResults[i].ServerResults[j].Error.Error() { + t.Errorf("Expected certResults[%d].ServerResults[%d].Error to be %v, but got %v", i, j, expectedCertResults[i].ServerResults[j].Error, serverResult.Error) + } + } + } +} + +func getOKCertResult(server string) *result.CertRevocationResult { + return &result.CertRevocationResult{ + Result: result.ResultOK, + ServerResults: []*result.ServerResult{ + result.NewServerResult(result.ResultOK, server, nil), + }, + } +} + +func TestCheckStatus(t *testing.T) { + revokableCertTuple := testhelper.GetRevokableRSALeafCertificate() + revokableIssuerTuple := testhelper.GetRSARootCertificate() + ocspServer := revokableCertTuple.Cert.OCSPServer[0] + revokableChain := []*x509.Certificate{revokableCertTuple.Cert, revokableIssuerTuple.Cert} + testChain := []testhelper.RSACertTuple{revokableCertTuple, revokableIssuerTuple} + ctx := context.Background() + + t.Run("check non-revoked cert", func(t *testing.T) { + client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good}, nil, true) + opts := CertCheckStatusOptions{ + SigningTime: time.Now(), + HTTPClient: client, + } + + certResult := CertCheckStatus(ctx, revokableChain[0], revokableChain[1], opts) + expectedCertResults := []*result.CertRevocationResult{getOKCertResult(ocspServer)} + validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) + }) + t.Run("check cert with Unknown OCSP response", func(t *testing.T) { + client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Unknown}, nil, true) + opts := CertCheckStatusOptions{ + SigningTime: time.Now(), + HTTPClient: client, + } + + certResult := CertCheckStatus(ctx, revokableChain[0], revokableChain[1], opts) + expectedCertResults := []*result.CertRevocationResult{{ + Result: result.ResultUnknown, + ServerResults: []*result.ServerResult{ + result.NewServerResult(result.ResultUnknown, ocspServer, UnknownStatusError{}), + }, + }} + validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) + }) + t.Run("check OCSP revoked cert", func(t *testing.T) { + client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Revoked}, nil, true) + opts := CertCheckStatusOptions{ + SigningTime: time.Now(), + HTTPClient: client, + } + + certResult := CertCheckStatus(ctx, revokableChain[0], revokableChain[1], opts) + expectedCertResults := []*result.CertRevocationResult{{ + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{ + result.NewServerResult(result.ResultRevoked, ocspServer, RevokedError{}), + }, + }} + validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) + }) + t.Run("check OCSP future revoked cert", func(t *testing.T) { + revokedTime := time.Now().Add(time.Hour) + client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Revoked}, &revokedTime, true) + opts := CertCheckStatusOptions{ + SigningTime: time.Now(), + HTTPClient: client, + } + + certResult := CertCheckStatus(ctx, revokableChain[0], revokableChain[1], opts) + expectedCertResults := []*result.CertRevocationResult{getOKCertResult(ocspServer)} + validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) + }) + + t.Run("certificate doesn't support OCSP", func(t *testing.T) { + ocspResult := CertCheckStatus(ctx, &x509.Certificate{}, revokableIssuerTuple.Cert, CertCheckStatusOptions{}) + expectedResult := &result.CertRevocationResult{ + Result: result.ResultNonRevokable, + ServerResults: []*result.ServerResult{toServerResult("", NoServerError{})}, + } + + validateEquivalentCertResults([]*result.CertRevocationResult{ocspResult}, []*result.CertRevocationResult{expectedResult}, t) + }) +} + +func TestCheckStatusFromServer(t *testing.T) { + revokableCertTuple := testhelper.GetRevokableRSALeafCertificate() + revokableIssuerTuple := testhelper.GetRSARootCertificate() + ctx := context.Background() + + t.Run("server url is not http", func(t *testing.T) { + server := "https://localhost.test" + serverResult := checkStatusFromServer(ctx, revokableCertTuple.Cert, revokableIssuerTuple.Cert, server, CertCheckStatusOptions{}) + expectedResult := toServerResult(server, GenericError{Err: fmt.Errorf("OCSPServer protocol %s is not supported", "https")}) + if serverResult.Result != expectedResult.Result { + t.Errorf("Expected Result to be %s, but got %s", expectedResult.Result, serverResult.Result) + } + if serverResult.Server != expectedResult.Server { + t.Errorf("Expected Server to be %s, but got %s", expectedResult.Server, serverResult.Server) + } + if serverResult.Error == nil { + t.Errorf("Expected Error to be %v, but got nil", expectedResult.Error) + } else if serverResult.Error.Error() != expectedResult.Error.Error() { + t.Errorf("Expected Error to be %v, but got %v", expectedResult.Error, serverResult.Error) + } + }) + + t.Run("request error", func(t *testing.T) { + server := "http://localhost.test" + serverResult := checkStatusFromServer(ctx, revokableCertTuple.Cert, revokableIssuerTuple.Cert, server, CertCheckStatusOptions{ + HTTPClient: &http.Client{ + Transport: &failedTransport{}, + }, + }) + errorMessage := "failed to execute request" + if !strings.Contains(serverResult.Error.Error(), errorMessage) { + t.Errorf("Expected Error to contain %v, but got %v", errorMessage, serverResult.Error) + } + }) + + t.Run("ocsp expired", func(t *testing.T) { + client := testhelper.MockClient([]testhelper.RSACertTuple{revokableCertTuple, revokableIssuerTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true) + server := "http://localhost.test/expired_ocsp" + serverResult := checkStatusFromServer(ctx, revokableCertTuple.Cert, revokableIssuerTuple.Cert, server, CertCheckStatusOptions{ + HTTPClient: client, + }) + errorMessage := "expired OCSP response" + if !strings.Contains(serverResult.Error.Error(), errorMessage) { + t.Errorf("Expected Error to contain %v, but got %v", errorMessage, serverResult.Error) + } + }) + + t.Run("ocsp request roundtrip failed", func(t *testing.T) { + client := testhelper.MockClient([]testhelper.RSACertTuple{revokableCertTuple, revokableIssuerTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true) + server := "http://localhost.test" + serverResult := checkStatusFromServer(nil, revokableCertTuple.Cert, revokableIssuerTuple.Cert, server, CertCheckStatusOptions{ + HTTPClient: client, + }) + errorMessage := "net/http: nil Context" + if !strings.Contains(serverResult.Error.Error(), errorMessage) { + t.Errorf("Expected Error to contain %v, but got %v", errorMessage, serverResult.Error) + } + }) + + t.Run("ocsp request roundtrip timeout", func(t *testing.T) { + server := "http://localhost.test" + serverResult := checkStatusFromServer(ctx, revokableCertTuple.Cert, revokableIssuerTuple.Cert, server, CertCheckStatusOptions{ + HTTPClient: &http.Client{ + Timeout: 1 * time.Second, + Transport: &failedTransport{ + timeout: true, + }, + }, + }) + errorMessage := "exceeded timeout threshold of 1.00 seconds for OCSP check" + if !strings.Contains(serverResult.Error.Error(), errorMessage) { + t.Errorf("Expected Error to contain %v, but got %v", errorMessage, serverResult.Error) + } + }) +} + +func TestPostRequest(t *testing.T) { + t.Run("failed to generate request", func(t *testing.T) { + _, err := postRequest(nil, nil, "http://localhost.test", &http.Client{ + Transport: &failedTransport{}, + }) + expectedErrMsg := "net/http: nil Context" + if err == nil || err.Error() != expectedErrMsg { + t.Errorf("Expected error %s, but got %s", expectedErrMsg, err) + } + }) + + t.Run("failed to execute request", func(t *testing.T) { + _, err := postRequest(context.Background(), nil, "http://localhost.test", &http.Client{ + Transport: &failedTransport{}, + }) + expectedErrMsg := "Post \"http://localhost.test\": failed to execute request" + if err == nil || err.Error() != expectedErrMsg { + t.Errorf("Expected error %s, but got %s", expectedErrMsg, err) + } + }) +} + +func TestExecuteOCSPCheck(t *testing.T) { + revokableCertTuple := testhelper.GetRevokableRSALeafCertificate() + revokableIssuerTuple := testhelper.GetRSARootCertificate() + ctx := context.Background() + + t.Run("http response status is not 200", func(t *testing.T) { + _, err := executeOCSPCheck(ctx, revokableCertTuple.Cert, revokableIssuerTuple.Cert, "localhost.test", CertCheckStatusOptions{ + HTTPClient: &http.Client{ + Transport: &failedTransport{ + statusCode: http.StatusNotFound, + }, + }, + }) + expectedErrMsg := "failed to retrieve OCSP: response had status code 404" + if err == nil || err.Error() != expectedErrMsg { + t.Errorf("Expected error %s, but got %s", expectedErrMsg, err) + } + }) +} + +type testTimeoutError struct{} + +func (e testTimeoutError) Error() string { + return "test timeout" +} + +func (e testTimeoutError) Timeout() bool { + return true +} + +type failedTransport struct { + timeout bool + statusCode int +} + +func (f *failedTransport) RoundTrip(req *http.Request) (*http.Response, error) { + if f.timeout { + return nil, &url.Error{ + Err: testTimeoutError{}, + } + } + + if f.statusCode != 0 { + return &http.Response{ + StatusCode: f.statusCode, + }, nil + } + + return nil, fmt.Errorf("failed to execute request") +} diff -pruN 1.1.0-6/revocation/internal/x509util/extension.go 1.3.0-1/revocation/internal/x509util/extension.go --- 1.1.0-6/revocation/internal/x509util/extension.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/x509util/extension.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,31 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package x509util + +import ( + "crypto/x509/pkix" + "encoding/asn1" + "slices" +) + +// FindExtensionByOID finds the extension by the given OID. +func FindExtensionByOID(extensions []pkix.Extension, oid asn1.ObjectIdentifier) *pkix.Extension { + idx := slices.IndexFunc(extensions, func(ext pkix.Extension) bool { + return ext.Id.Equal(oid) + }) + if idx < 0 { + return nil + } + return &extensions[idx] +} diff -pruN 1.1.0-6/revocation/internal/x509util/extension_test.go 1.3.0-1/revocation/internal/x509util/extension_test.go --- 1.1.0-6/revocation/internal/x509util/extension_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/x509util/extension_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,58 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package x509util + +import ( + "crypto/x509/pkix" + "encoding/asn1" + "testing" +) + +func TestFindExtensionByOID(t *testing.T) { + oid1 := asn1.ObjectIdentifier{1, 2, 3, 4} + oid2 := asn1.ObjectIdentifier{1, 2, 3, 5} + extensions := []pkix.Extension{ + {Id: oid1, Value: []byte("value1")}, + {Id: oid2, Value: []byte("value2")}, + } + + tests := []struct { + name string + oid asn1.ObjectIdentifier + extensions []pkix.Extension + expected *pkix.Extension + }{ + { + name: "Extension found", + oid: oid1, + extensions: extensions, + expected: &extensions[0], + }, + { + name: "Extension not found", + oid: asn1.ObjectIdentifier{1, 2, 3, 6}, + extensions: extensions, + expected: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := FindExtensionByOID(tt.extensions, tt.oid) + if result != tt.expected { + t.Errorf("expected %v, got %v", tt.expected, result) + } + }) + } +} diff -pruN 1.1.0-6/revocation/internal/x509util/validate.go 1.3.0-1/revocation/internal/x509util/validate.go --- 1.1.0-6/revocation/internal/x509util/validate.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/x509util/validate.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,48 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package x509util provides the method to validate the certificate chain for a +// specific purpose, including code signing and timestamping. It also provides +// the method to find the extension by the given OID. +package x509util + +import ( + "crypto/x509" + "fmt" + + "github.com/notaryproject/notation-core-go/revocation/purpose" + "github.com/notaryproject/notation-core-go/revocation/result" + coreX509 "github.com/notaryproject/notation-core-go/x509" +) + +// ValidateChain checks the certificate chain for a specific purpose, including +// code signing and timestamping. +func ValidateChain(certChain []*x509.Certificate, certChainPurpose purpose.Purpose) error { + switch certChainPurpose { + case purpose.CodeSigning: + // Since ValidateCodeSigningCertChain is using authentic signing time, + // signing time may be zero. + // Thus, it is better to pass nil here than fail for a cert's NotBefore + // being after zero time + if err := coreX509.ValidateCodeSigningCertChain(certChain, nil); err != nil { + return result.InvalidChainError{Err: err} + } + case purpose.Timestamping: + if err := coreX509.ValidateTimestampingCertChain(certChain); err != nil { + return result.InvalidChainError{Err: err} + } + default: + return result.InvalidChainError{Err: fmt.Errorf("unsupported certificate chain purpose %v", certChainPurpose)} + } + return nil +} diff -pruN 1.1.0-6/revocation/internal/x509util/validate_test.go 1.3.0-1/revocation/internal/x509util/validate_test.go --- 1.1.0-6/revocation/internal/x509util/validate_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/revocation/internal/x509util/validate_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,60 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package x509util + +import ( + "crypto/x509" + "testing" + + "github.com/notaryproject/notation-core-go/revocation/purpose" + "github.com/notaryproject/notation-core-go/testhelper" +) + +func TestValidate(t *testing.T) { + t.Run("unsupported_certificate_chain_purpose", func(t *testing.T) { + certChain := []*x509.Certificate{} + certChainPurpose := purpose.Purpose(-1) + err := ValidateChain(certChain, certChainPurpose) + if err == nil { + t.Errorf("Validate() failed, expected error, got nil") + } + }) + + t.Run("invalid code signing certificate chain", func(t *testing.T) { + certChain := []*x509.Certificate{} + certChainPurpose := purpose.CodeSigning + err := ValidateChain(certChain, certChainPurpose) + if err == nil { + t.Errorf("Validate() failed, expected error, got nil") + } + }) + + t.Run("invalid timestamping certificate chain", func(t *testing.T) { + certChain := []*x509.Certificate{} + certChainPurpose := purpose.Timestamping + err := ValidateChain(certChain, certChainPurpose) + if err == nil { + t.Errorf("Validate() failed, expected error, got nil") + } + }) + + t.Run("valid code signing certificate chain", func(t *testing.T) { + certChain := testhelper.GetRevokableRSAChain(2) + certChainPurpose := purpose.CodeSigning + err := ValidateChain([]*x509.Certificate{certChain[0].Cert, certChain[1].Cert}, certChainPurpose) + if err != nil { + t.Errorf("Validate() failed, expected nil, got %v", err) + } + }) +} diff -pruN 1.1.0-6/revocation/ocsp/errors.go 1.3.0-1/revocation/ocsp/errors.go --- 1.1.0-6/revocation/ocsp/errors.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/ocsp/errors.go 2025-10-31 12:58:40.000000000 +0000 @@ -11,58 +11,27 @@ // See the License for the specific language governing permissions and // limitations under the License. -// Package ocsp provides methods for checking the OCSP revocation status of a -// certificate chain, as well as errors related to these checks package ocsp -import ( - "fmt" - "time" -) +import "github.com/notaryproject/notation-core-go/revocation/internal/ocsp" -// RevokedError is returned when the certificate's status for OCSP is -// ocsp.Revoked -type RevokedError struct{} - -func (e RevokedError) Error() string { - return "certificate is revoked via OCSP" -} - -// UnknownStatusError is returned when the certificate's status for OCSP is -// ocsp.Unknown -type UnknownStatusError struct{} - -func (e UnknownStatusError) Error() string { - return "certificate has unknown status via OCSP" -} - -// GenericError is returned when there is an error during the OCSP revocation -// check, not necessarily a revocation -type GenericError struct { - Err error -} - -func (e GenericError) Error() string { - msg := "error checking revocation status via OCSP" - if e.Err != nil { - return fmt.Sprintf("%s: %v", msg, e.Err) - } - return msg -} - -// NoServerError is returned when the OCSPServer is not specified. -type NoServerError struct{} - -func (e NoServerError) Error() string { - return "no valid OCSP server found" -} - -// TimeoutError is returned when the connection attempt to an OCSP URL exceeds -// the specified threshold -type TimeoutError struct { - timeout time.Duration -} - -func (e TimeoutError) Error() string { - return fmt.Sprintf("exceeded timeout threshold of %.2f seconds for OCSP check", e.timeout.Seconds()) -} +type ( + // RevokedError is returned when the certificate's status for OCSP is + // ocsp.Revoked + RevokedError = ocsp.RevokedError + + // UnknownStatusError is returned when the certificate's status for OCSP is + // ocsp.Unknown + UnknownStatusError = ocsp.UnknownStatusError + + // GenericError is returned when there is an error during the OCSP revocation + // check, not necessarily a revocation + GenericError = ocsp.GenericError + + // NoServerError is returned when the OCSPServer is not specified. + NoServerError = ocsp.NoServerError + + // TimeoutError is returned when the connection attempt to an OCSP URL exceeds + // the specified threshold + TimeoutError = ocsp.TimeoutError +) diff -pruN 1.1.0-6/revocation/ocsp/errors_test.go 1.3.0-1/revocation/ocsp/errors_test.go --- 1.1.0-6/revocation/ocsp/errors_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/ocsp/errors_test.go 1970-01-01 00:00:00.000000000 +0000 @@ -1,78 +0,0 @@ -// Copyright The Notary Project Authors. -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package ocsp - -import ( - "errors" - "fmt" - "testing" - "time" -) - -func TestRevokedError(t *testing.T) { - err := &RevokedError{} - expectedMsg := "certificate is revoked via OCSP" - - if err.Error() != expectedMsg { - t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) - } -} - -func TestUnknownStatusError(t *testing.T) { - err := &UnknownStatusError{} - expectedMsg := "certificate has unknown status via OCSP" - - if err.Error() != expectedMsg { - t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) - } -} - -func TestGenericError(t *testing.T) { - t.Run("without_inner_error", func(t *testing.T) { - err := &GenericError{} - expectedMsg := "error checking revocation status via OCSP" - - if err.Error() != expectedMsg { - t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) - } - }) - - t.Run("with_inner_error", func(t *testing.T) { - err := &GenericError{Err: errors.New("inner error")} - expectedMsg := "error checking revocation status via OCSP: inner error" - - if err.Error() != expectedMsg { - t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) - } - }) -} - -func TestNoServerError(t *testing.T) { - err := &NoServerError{} - expectedMsg := "no valid OCSP server found" - - if err.Error() != expectedMsg { - t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) - } -} - -func TestTimeoutError(t *testing.T) { - duration := 5 * time.Second - err := &TimeoutError{duration} - expectedMsg := fmt.Sprintf("exceeded timeout threshold of %.2f seconds for OCSP check", duration.Seconds()) - - if err.Error() != expectedMsg { - t.Errorf("Expected %v but got %v", expectedMsg, err.Error()) - } -} diff -pruN 1.1.0-6/revocation/ocsp/ocsp.go 1.3.0-1/revocation/ocsp/ocsp.go --- 1.1.0-6/revocation/ocsp/ocsp.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/ocsp/ocsp.go 2025-10-31 12:58:40.000000000 +0000 @@ -16,25 +16,17 @@ package ocsp import ( - "bytes" - "crypto" + "context" "crypto/x509" - "crypto/x509/pkix" - "encoding/asn1" - "encoding/base64" "errors" - "fmt" - "io" "net/http" - "net/url" - "strings" "sync" "time" + "github.com/notaryproject/notation-core-go/revocation/internal/ocsp" + "github.com/notaryproject/notation-core-go/revocation/internal/x509util" "github.com/notaryproject/notation-core-go/revocation/purpose" "github.com/notaryproject/notation-core-go/revocation/result" - coreX509 "github.com/notaryproject/notation-core-go/x509" - "golang.org/x/crypto/ocsp" ) // Options specifies values that are needed to check OCSP revocation @@ -45,19 +37,10 @@ type Options struct { // values are CodeSigning and Timestamping. // When not provided, the default value is CodeSigning. CertChainPurpose purpose.Purpose - - SigningTime time.Time - HTTPClient *http.Client + SigningTime time.Time + HTTPClient *http.Client } -const ( - pkixNoCheckOID string = "1.3.6.1.5.5.7.48.1.5" - invalidityDateOID string = "2.5.29.24" - // Max size determined from https://www.ibm.com/docs/en/sva/9.0.6?topic=stanza-ocsp-max-response-size. - // Typical size is ~4 KB - ocspMaxResponseSize int64 = 20480 //bytes -) - // CheckStatus checks OCSP based on the passed options and returns an array of // result.CertRevocationResult objects that contains the results and error. The // length of this array will always be equal to the length of the certificate @@ -67,33 +50,25 @@ func CheckStatus(opts Options) ([]*resul return nil, result.InvalidChainError{Err: errors.New("chain does not contain any certificates")} } - switch opts.CertChainPurpose { - case purpose.CodeSigning: - // Since ValidateCodeSigningCertChain is using authentic signing time, - // signing time may be zero. - // Thus, it is better to pass nil here than fail for a cert's NotBefore - // being after zero time - if err := coreX509.ValidateCodeSigningCertChain(opts.CertChain, nil); err != nil { - return nil, result.InvalidChainError{Err: err} - } - case purpose.Timestamping: - if err := coreX509.ValidateTimestampingCertChain(opts.CertChain); err != nil { - return nil, result.InvalidChainError{Err: err} - } - default: - return nil, result.InvalidChainError{Err: fmt.Errorf("unsupported certificate chain purpose %v", opts.CertChainPurpose)} + if err := x509util.ValidateChain(opts.CertChain, opts.CertChainPurpose); err != nil { + return nil, err } certResults := make([]*result.CertRevocationResult, len(opts.CertChain)) + certCheckStatusOptions := ocsp.CertCheckStatusOptions{ + SigningTime: opts.SigningTime, + HTTPClient: opts.HTTPClient, + } // Check status for each cert in cert chain var wg sync.WaitGroup + ctx := context.Background() for i, cert := range opts.CertChain[:len(opts.CertChain)-1] { wg.Add(1) // Assume cert chain is accurate and next cert in chain is the issuer go func(i int, cert *x509.Certificate) { defer wg.Done() - certResults[i] = certCheckStatus(cert, opts.CertChain[i+1], opts) + certResults[i] = ocsp.CertCheckStatus(ctx, cert, opts.CertChain[i+1], certCheckStatusOptions) }(i, cert) } // Last is root cert, which will never be revoked by OCSP @@ -108,182 +83,3 @@ func CheckStatus(opts Options) ([]*resul wg.Wait() return certResults, nil } - -func certCheckStatus(cert, issuer *x509.Certificate, opts Options) *result.CertRevocationResult { - ocspURLs := cert.OCSPServer - if len(ocspURLs) == 0 { - // OCSP not enabled for this certificate. - return &result.CertRevocationResult{ - Result: result.ResultNonRevokable, - ServerResults: []*result.ServerResult{toServerResult("", NoServerError{})}, - } - } - - serverResults := make([]*result.ServerResult, len(ocspURLs)) - for serverIndex, server := range ocspURLs { - serverResult := checkStatusFromServer(cert, issuer, server, opts) - if serverResult.Result == result.ResultOK || - serverResult.Result == result.ResultRevoked || - (serverResult.Result == result.ResultUnknown && errors.Is(serverResult.Error, UnknownStatusError{})) { - // A valid response has been received from an OCSP server - // Result should be based on only this response, not any errors from - // other servers - return serverResultsToCertRevocationResult([]*result.ServerResult{serverResult}) - } - serverResults[serverIndex] = serverResult - } - return serverResultsToCertRevocationResult(serverResults) -} - -func checkStatusFromServer(cert, issuer *x509.Certificate, server string, opts Options) *result.ServerResult { - // Check valid server - if serverURL, err := url.Parse(server); err != nil || !strings.EqualFold(serverURL.Scheme, "http") { - // This function is only able to check servers that are accessible via HTTP - return toServerResult(server, GenericError{Err: fmt.Errorf("OCSPServer protocol %s is not supported", serverURL.Scheme)}) - } - - // Create OCSP Request - resp, err := executeOCSPCheck(cert, issuer, server, opts) - if err != nil { - // If there is a server error, attempt all servers before determining what to return - // to the user - return toServerResult(server, err) - } - - // Validate OCSP response isn't expired - if time.Now().After(resp.NextUpdate) { - return toServerResult(server, GenericError{Err: errors.New("expired OCSP response")}) - } - - // Handle pkix-ocsp-no-check and id-ce-invalidityDate extensions if present - // in response - extensionMap := extensionsToMap(resp.Extensions) - if _, foundNoCheck := extensionMap[pkixNoCheckOID]; !foundNoCheck { - // This will be ignored until CRL is implemented - // If it isn't found, CRL should be used to verify the OCSP response - _ = foundNoCheck // needed to bypass linter warnings (Remove after adding CRL) - // TODO: add CRL support - // https://github.com/notaryproject/notation-core-go/issues/125 - } - if invalidityDateBytes, foundInvalidityDate := extensionMap[invalidityDateOID]; foundInvalidityDate && !opts.SigningTime.IsZero() && resp.Status == ocsp.Revoked { - var invalidityDate time.Time - rest, err := asn1.UnmarshalWithParams(invalidityDateBytes, &invalidityDate, "generalized") - if len(rest) == 0 && err == nil && opts.SigningTime.Before(invalidityDate) { - return toServerResult(server, nil) - } - } - - // No errors, valid server response - switch resp.Status { - case ocsp.Good: - return toServerResult(server, nil) - case ocsp.Revoked: - return toServerResult(server, RevokedError{}) - default: - // ocsp.Unknown - return toServerResult(server, UnknownStatusError{}) - } -} - -func extensionsToMap(extensions []pkix.Extension) map[string][]byte { - extensionMap := make(map[string][]byte) - for _, extension := range extensions { - extensionMap[extension.Id.String()] = extension.Value - } - return extensionMap -} - -func executeOCSPCheck(cert, issuer *x509.Certificate, server string, opts Options) (*ocsp.Response, error) { - // TODO: Look into other alternatives for specifying the Hash - // https://github.com/notaryproject/notation-core-go/issues/139 - // The following do not support SHA256 hashes: - // - Microsoft - // - Entrust - // - Let's Encrypt - // - Digicert (sometimes) - // As this represents a large percentage of public CAs, we are using the - // hashing algorithm SHA1, which has been confirmed to be supported by all - // that were tested. - ocspRequest, err := ocsp.CreateRequest(cert, issuer, &ocsp.RequestOptions{Hash: crypto.SHA1}) - if err != nil { - return nil, GenericError{Err: err} - } - - var resp *http.Response - postRequired := base64.StdEncoding.EncodedLen(len(ocspRequest)) >= 255 - if !postRequired { - encodedReq := url.QueryEscape(base64.StdEncoding.EncodeToString(ocspRequest)) - if len(encodedReq) < 255 { - var reqURL string - reqURL, err = url.JoinPath(server, encodedReq) - if err != nil { - return nil, GenericError{Err: err} - } - resp, err = opts.HTTPClient.Get(reqURL) - } else { - resp, err = postRequest(ocspRequest, server, opts.HTTPClient) - } - } else { - resp, err = postRequest(ocspRequest, server, opts.HTTPClient) - } - - if err != nil { - var urlErr *url.Error - if errors.As(err, &urlErr) && urlErr.Timeout() { - return nil, TimeoutError{} - } - return nil, GenericError{Err: err} - } - defer resp.Body.Close() - - if resp.StatusCode < 200 || resp.StatusCode >= 300 { - return nil, fmt.Errorf("failed to retrieve OCSP: response had status code %d", resp.StatusCode) - } - - body, err := io.ReadAll(io.LimitReader(resp.Body, ocspMaxResponseSize)) - if err != nil { - return nil, GenericError{Err: err} - } - - switch { - case bytes.Equal(body, ocsp.UnauthorizedErrorResponse): - return nil, GenericError{Err: errors.New("OCSP unauthorized")} - case bytes.Equal(body, ocsp.MalformedRequestErrorResponse): - return nil, GenericError{Err: errors.New("OCSP malformed")} - case bytes.Equal(body, ocsp.InternalErrorErrorResponse): - return nil, GenericError{Err: errors.New("OCSP internal error")} - case bytes.Equal(body, ocsp.TryLaterErrorResponse): - return nil, GenericError{Err: errors.New("OCSP try later")} - case bytes.Equal(body, ocsp.SigRequredErrorResponse): - return nil, GenericError{Err: errors.New("OCSP signature required")} - } - - return ocsp.ParseResponseForCert(body, cert, issuer) -} - -func postRequest(req []byte, server string, httpClient *http.Client) (*http.Response, error) { - reader := bytes.NewReader(req) - return httpClient.Post(server, "application/ocsp-request", reader) -} - -func toServerResult(server string, err error) *result.ServerResult { - switch t := err.(type) { - case nil: - return result.NewServerResult(result.ResultOK, server, nil) - case NoServerError: - return result.NewServerResult(result.ResultNonRevokable, server, nil) - case RevokedError: - return result.NewServerResult(result.ResultRevoked, server, t) - default: - // Includes GenericError, UnknownStatusError, result.InvalidChainError, - // and TimeoutError - return result.NewServerResult(result.ResultUnknown, server, t) - } -} - -func serverResultsToCertRevocationResult(serverResults []*result.ServerResult) *result.CertRevocationResult { - return &result.CertRevocationResult{ - Result: serverResults[len(serverResults)-1].Result, - ServerResults: serverResults, - } -} diff -pruN 1.1.0-6/revocation/ocsp/ocsp_test.go 1.3.0-1/revocation/ocsp/ocsp_test.go --- 1.1.0-6/revocation/ocsp/ocsp_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/ocsp/ocsp_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -79,81 +79,14 @@ func getRootCertResult() *result.CertRev } } -func TestCheckStatus(t *testing.T) { - revokableCertTuple := testhelper.GetRevokableRSALeafCertificate() - revokableIssuerTuple := testhelper.GetRSARootCertificate() - ocspServer := revokableCertTuple.Cert.OCSPServer[0] - revokableChain := []*x509.Certificate{revokableCertTuple.Cert, revokableIssuerTuple.Cert} - testChain := []testhelper.RSACertTuple{revokableCertTuple, revokableIssuerTuple} - - t.Run("check non-revoked cert", func(t *testing.T) { - client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good}, nil, true) - opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, - } - - certResult := certCheckStatus(revokableChain[0], revokableChain[1], opts) - expectedCertResults := []*result.CertRevocationResult{getOKCertResult(ocspServer)} - validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) - }) - t.Run("check cert with Unknown OCSP response", func(t *testing.T) { - client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Unknown}, nil, true) - opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, - } - - certResult := certCheckStatus(revokableChain[0], revokableChain[1], opts) - expectedCertResults := []*result.CertRevocationResult{{ - Result: result.ResultUnknown, - ServerResults: []*result.ServerResult{ - result.NewServerResult(result.ResultUnknown, ocspServer, UnknownStatusError{}), - }, - }} - validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) - }) - t.Run("check OCSP revoked cert", func(t *testing.T) { - client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Revoked}, nil, true) - opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, - } - - certResult := certCheckStatus(revokableChain[0], revokableChain[1], opts) - expectedCertResults := []*result.CertRevocationResult{{ - Result: result.ResultRevoked, - ServerResults: []*result.ServerResult{ - result.NewServerResult(result.ResultRevoked, ocspServer, RevokedError{}), - }, - }} - validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) - }) - t.Run("check OCSP future revoked cert", func(t *testing.T) { - revokedTime := time.Now().Add(time.Hour) - client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Revoked}, &revokedTime, true) - opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, - } - - certResult := certCheckStatus(revokableChain[0], revokableChain[1], opts) - expectedCertResults := []*result.CertRevocationResult{getOKCertResult(ocspServer)} - validateEquivalentCertResults([]*result.CertRevocationResult{certResult}, expectedCertResults, t) - }) -} - func TestCheckStatusForSelfSignedCert(t *testing.T) { selfSignedTuple := testhelper.GetRSASelfSignedSigningCertTuple("Notation revocation test self-signed cert") client := testhelper.MockClient([]testhelper.RSACertTuple{selfSignedTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true) opts := Options{ - CertChain: []*x509.Certificate{selfSignedTuple.Cert}, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: []*x509.Certificate{selfSignedTuple.Cert}, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -168,9 +101,10 @@ func TestCheckStatusForRootCert(t *testi rootTuple := testhelper.GetRSARootCertificate() client := testhelper.MockClient([]testhelper.RSACertTuple{rootTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true) opts := Options{ - CertChain: []*x509.Certificate{rootTuple.Cert}, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: []*x509.Certificate{rootTuple.Cert}, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -187,9 +121,10 @@ func TestCheckStatusForNonSelfSignedSing certTuple := testhelper.GetRSALeafCertificate() client := testhelper.MockClient([]testhelper.RSACertTuple{certTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true) opts := Options{ - CertChain: []*x509.Certificate{certTuple.Cert}, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: []*x509.Certificate{certTuple.Cert}, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -213,9 +148,10 @@ func TestCheckStatusForChain(t *testing. t.Run("empty chain", func(t *testing.T) { opts := Options{ - CertChain: []*x509.Certificate{}, - SigningTime: time.Now(), - HTTPClient: http.DefaultClient, + CertChain: []*x509.Certificate{}, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: http.DefaultClient, } certResults, err := CheckStatus(opts) expectedErr := result.InvalidChainError{Err: errors.New("chain does not contain any certificates")} @@ -253,9 +189,10 @@ func TestCheckStatusForChain(t *testing. client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good}, nil, true) // 3rd cert will be unknown, the rest will be good opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: revokableChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -281,9 +218,10 @@ func TestCheckStatusForChain(t *testing. client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true) // 3rd cert will be revoked, the rest will be good opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: revokableChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -309,9 +247,10 @@ func TestCheckStatusForChain(t *testing. client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true) // 3rd cert will be unknown, 5th will be revoked, the rest will be good opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: revokableChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -343,9 +282,10 @@ func TestCheckStatusForChain(t *testing. client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true) // 3rd cert will be revoked, the rest will be good opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: revokableChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -367,9 +307,10 @@ func TestCheckStatusForChain(t *testing. client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true) // 3rd cert will be unknown, 5th will be revoked, the rest will be good opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: revokableChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -395,9 +336,10 @@ func TestCheckStatusForChain(t *testing. client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true) // 3rd cert will be revoked, the rest will be good opts := Options{ - CertChain: revokableChain, - SigningTime: time.Now().Add(time.Hour), - HTTPClient: client, + CertChain: revokableChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now().Add(time.Hour), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -424,9 +366,10 @@ func TestCheckStatusForChain(t *testing. client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true) // 3rd cert will be revoked, the rest will be good opts := Options{ - CertChain: revokableChain, - SigningTime: zeroTime, - HTTPClient: client, + CertChain: revokableChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: zeroTime, + HTTPClient: client, } if !zeroTime.IsZero() { @@ -467,13 +410,13 @@ func TestCheckStatusErrors(t *testing.T) expiredLeaf, _ := x509.ParseCertificate(revokableTuples[0].Cert.Raw) expiredLeaf.IsCA = false expiredLeaf.KeyUsage = x509.KeyUsageDigitalSignature - expiredLeaf.OCSPServer = []string{"http://example.com/expired_ocsp"} + expiredLeaf.OCSPServer = []string{"http://localhost.test/expired_ocsp"} expiredChain := []*x509.Certificate{expiredLeaf, revokableTuples[1].Cert, revokableTuples[2].Cert} noHTTPLeaf, _ := x509.ParseCertificate(revokableTuples[0].Cert.Raw) noHTTPLeaf.IsCA = false noHTTPLeaf.KeyUsage = x509.KeyUsageDigitalSignature - noHTTPLeaf.OCSPServer = []string{"ldap://ds.example.com:123/chain_ocsp/0"} + noHTTPLeaf.OCSPServer = []string{"ldap://ds.localhost.test:123/chain_ocsp/0"} noHTTPChain := []*x509.Certificate{noHTTPLeaf, revokableTuples[1].Cert, revokableTuples[2].Cert} timestampSigningCertErr := result.InvalidChainError{Err: errors.New("timestamp signing certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\" must have and only have Timestamping as extended key usage")} @@ -484,9 +427,10 @@ func TestCheckStatusErrors(t *testing.T) t.Run("no OCSPServer specified", func(t *testing.T) { opts := Options{ - CertChain: noOCSPChain, - SigningTime: time.Now(), - HTTPClient: http.DefaultClient, + CertChain: noOCSPChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: http.DefaultClient, } certResults, err := CheckStatus(opts) if err != nil { @@ -506,9 +450,10 @@ func TestCheckStatusErrors(t *testing.T) t.Run("chain missing root", func(t *testing.T) { opts := Options{ - CertChain: noRootChain, - SigningTime: time.Now(), - HTTPClient: http.DefaultClient, + CertChain: noRootChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: http.DefaultClient, } certResults, err := CheckStatus(opts) if err == nil || err.Error() != chainRootErr.Error() { @@ -521,9 +466,10 @@ func TestCheckStatusErrors(t *testing.T) t.Run("backwards chain", func(t *testing.T) { opts := Options{ - CertChain: backwardsChain, - SigningTime: time.Now(), - HTTPClient: http.DefaultClient, + CertChain: backwardsChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: http.DefaultClient, } certResults, err := CheckStatus(opts) if err == nil || err.Error() != backwardsChainErr.Error() { @@ -581,9 +527,10 @@ func TestCheckStatusErrors(t *testing.T) t.Run("timeout", func(t *testing.T) { timeoutClient := &http.Client{Timeout: 1 * time.Nanosecond} opts := Options{ - CertChain: okChain, - SigningTime: time.Now(), - HTTPClient: timeoutClient, + CertChain: okChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: timeoutClient, } certResults, err := CheckStatus(opts) if err != nil { @@ -610,9 +557,10 @@ func TestCheckStatusErrors(t *testing.T) t.Run("expired ocsp response", func(t *testing.T) { client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true) opts := Options{ - CertChain: expiredChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: expiredChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) if err != nil { @@ -634,9 +582,10 @@ func TestCheckStatusErrors(t *testing.T) t.Run("pkixNoCheck missing", func(t *testing.T) { client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, false) opts := Options{ - CertChain: okChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: okChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) @@ -654,9 +603,10 @@ func TestCheckStatusErrors(t *testing.T) t.Run("non-HTTP URI error", func(t *testing.T) { client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true) opts := Options{ - CertChain: noHTTPChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: noHTTPChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) if err != nil { @@ -683,7 +633,7 @@ func TestCheckOCSPInvalidChain(t *testin for i, cert := range misorderedIntermediateChain { if i != (len(misorderedIntermediateChain) - 1) { // Skip root which won't have an OCSP Server - cert.OCSPServer[0] = fmt.Sprintf("http://example.com/chain_ocsp/%d", i) + cert.OCSPServer[0] = fmt.Sprintf("http://localhost.test/chain_ocsp/%d", i) } } @@ -691,7 +641,7 @@ func TestCheckOCSPInvalidChain(t *testin for i, cert := range missingIntermediateChain { if i != (len(missingIntermediateChain) - 1) { // Skip root which won't have an OCSP Server - cert.OCSPServer[0] = fmt.Sprintf("http://example.com/chain_ocsp/%d", i) + cert.OCSPServer[0] = fmt.Sprintf("http://localhost.test/chain_ocsp/%d", i) } } @@ -701,9 +651,10 @@ func TestCheckOCSPInvalidChain(t *testin t.Run("chain missing intermediate", func(t *testing.T) { client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true) opts := Options{ - CertChain: missingIntermediateChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: missingIntermediateChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) if err == nil || err.Error() != missingIntermediateErr.Error() { @@ -717,9 +668,10 @@ func TestCheckOCSPInvalidChain(t *testin t.Run("chain out of order", func(t *testing.T) { client := testhelper.MockClient(misorderedIntermediateTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true) opts := Options{ - CertChain: misorderedIntermediateChain, - SigningTime: time.Now(), - HTTPClient: client, + CertChain: misorderedIntermediateChain, + CertChainPurpose: purpose.CodeSigning, + SigningTime: time.Now(), + HTTPClient: client, } certResults, err := CheckStatus(opts) if err == nil || err.Error() != misorderedChainErr.Error() { diff -pruN 1.1.0-6/revocation/result/results.go 1.3.0-1/revocation/result/results.go --- 1.1.0-6/revocation/result/results.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/result/results.go 2025-10-31 12:58:40.000000000 +0000 @@ -16,23 +16,27 @@ package result import "strconv" -// Result is a type of enumerated value to help characterize errors. It can be -// OK, Unknown, or Revoked +// Result is a type of enumerated value to help characterize revocation result. +// It can be OK, Unknown, NonRevokable, or Revoked type Result int const ( // ResultUnknown is a Result that indicates that some error other than a - // revocation was encountered during the revocation check + // revocation was encountered during the revocation check. ResultUnknown Result = iota - // ResultOK is a Result that indicates that the revocation check resulted in no - // important errors + + // ResultOK is a Result that indicates that the revocation check resulted in + // no important errors. ResultOK - // ResultNonRevokable is a Result that indicates that the certificate cannot be - // checked for revocation. This may be a result of no OCSP servers being - // specified, the cert is a root certificate, or other related situations. + + // ResultNonRevokable is a Result that indicates that the certificate cannot + // be checked for revocation. This may be due to the absence of OCSP servers + // or CRL distribution points, or because the certificate is a root + // certificate. ResultNonRevokable + // ResultRevoked is a Result that indicates that at least one certificate was - // revoked when performing a revocation check on the certificate chain + // revoked when performing a revocation check on the certificate chain. ResultRevoked ) @@ -52,8 +56,45 @@ func (r Result) String() string { } } -// ServerResult encapsulates the result for a single server for a single -// certificate in the chain +// RevocationMethod defines the method used to check the revocation status of a +// certificate. +type RevocationMethod int + +const ( + // RevocationMethodUnknown is used for root certificates or when the method + // used to check the revocation status of a certificate is unknown. + RevocationMethodUnknown RevocationMethod = iota + + // RevocationMethodOCSP represents OCSP as the method used to check the + // revocation status of a certificate. + RevocationMethodOCSP + + // RevocationMethodCRL represents CRL as the method used to check the + // revocation status of a certificate. + RevocationMethodCRL + + // RevocationMethodOCSPFallbackCRL represents OCSP check with unknown error + // fallback to CRL as the method used to check the revocation status of a + // certificate. + RevocationMethodOCSPFallbackCRL +) + +// String provides a conversion from a Method to a string +func (m RevocationMethod) String() string { + switch m { + case RevocationMethodOCSP: + return "OCSP" + case RevocationMethodCRL: + return "CRL" + case RevocationMethodOCSPFallbackCRL: + return "OCSPFallbackCRL" + default: + return "Unknown" + } +} + +// ServerResult encapsulates the OCSP result for a single server or the CRL +// result for a single CRL URI for a certificate in the chain type ServerResult struct { // Result of revocation for this server (Unknown if there is an error which // prevents the retrieval of a valid status) @@ -67,6 +108,11 @@ type ServerResult struct { // Error is set if there is an error associated with the revocation check // to this server Error error + + // RevocationMethod is the method used to check the revocation status of the + // certificate, including RevocationMethodUnknown, RevocationMethodOCSP, + // RevocationMethodCRL + RevocationMethod RevocationMethod } // NewServerResult creates a ServerResult object from its individual parts: a @@ -83,21 +129,31 @@ func NewServerResult(result Result, serv // chain as well as the results from individual servers associated with this // certificate type CertRevocationResult struct { - // Result of revocation for a specific cert in the chain - // - // If there are multiple ServerResults, this is because no responses were - // able to be retrieved, leaving each ServerResult with a Result of Unknown. - // Thus, in the case of more than one ServerResult, this will be ResultUnknown + // Result of revocation for a specific certificate in the chain. Result Result - // An array of results for each server associated with the certificate. - // The length will be either 1 or the number of OCSPServers for the cert. + // ServerResults is an array of results for each server associated with the + // certificate. // - // If the length is 1, then a valid status was able to be retrieved. Only + // When RevocationMethod is MethodOCSP, the length will be + // either 1 or the number of OCSPServers for the certificate. + // If the length is 1, then a valid status was retrieved. Only // this server result is contained. Any errors for other servers are // discarded in favor of this valid response. - // // Otherwise, every server specified had some error that prevented the - // status from being retrieved. These are all contained here for evaluation + // status from being retrieved. These are all contained here for evaluation. + // + // When RevocationMethod is MethodCRL, the length will be the number of + // CRL distribution points' URIs checked. If the result is Revoked, or + // there is an error, the length will be 1. + // + // When RevocationMethod is MethodOCSPFallbackCRL, the length + // will be the sum of the previous two cases. The CRL result will be + // appended after the OCSP results. ServerResults []*ServerResult + + // RevocationMethod is the method used to check the revocation status of the + // certificate, including RevocationMethodUnknown, RevocationMethodOCSP, + // RevocationMethodCRL and RevocationMethodOCSPFallbackCRL + RevocationMethod RevocationMethod } diff -pruN 1.1.0-6/revocation/result/results_test.go 1.3.0-1/revocation/result/results_test.go --- 1.1.0-6/revocation/result/results_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/result/results_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -46,6 +46,27 @@ func TestResultString(t *testing.T) { }) } +func TestMethodString(t *testing.T) { + tests := []struct { + method RevocationMethod + expected string + }{ + {RevocationMethodOCSP, "OCSP"}, + {RevocationMethodCRL, "CRL"}, + {RevocationMethodOCSPFallbackCRL, "OCSPFallbackCRL"}, + {RevocationMethod(999), "Unknown"}, // Test for default case + } + + for _, tt := range tests { + t.Run(tt.expected, func(t *testing.T) { + result := tt.method.String() + if result != tt.expected { + t.Errorf("expected %s, got %s", tt.expected, result) + } + }) + } +} + func TestNewServerResult(t *testing.T) { expectedR := &ServerResult{ Result: ResultNonRevokable, diff -pruN 1.1.0-6/revocation/revocation.go 1.3.0-1/revocation/revocation.go --- 1.1.0-6/revocation/revocation.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/revocation.go 2025-10-31 12:58:40.000000000 +0000 @@ -21,9 +21,13 @@ import ( "errors" "fmt" "net/http" + "sync" "time" - "github.com/notaryproject/notation-core-go/revocation/ocsp" + crlutil "github.com/notaryproject/notation-core-go/revocation/crl" + "github.com/notaryproject/notation-core-go/revocation/internal/crl" + "github.com/notaryproject/notation-core-go/revocation/internal/ocsp" + "github.com/notaryproject/notation-core-go/revocation/internal/x509util" "github.com/notaryproject/notation-core-go/revocation/purpose" "github.com/notaryproject/notation-core-go/revocation/result" ) @@ -34,8 +38,9 @@ import ( // To perform revocation check, use [Validator]. type Revocation interface { // Validate checks the revocation status for a certificate chain using OCSP - // and returns an array of CertRevocationResults that contain the results - // and any errors that are encountered during the process + // and CRL if OCSP is not available. It returns an array of + // CertRevocationResults that contain the results and any errors that are + // encountered during the process Validate(certChain []*x509.Certificate, signingTime time.Time) ([]*result.CertRevocationResult, error) } @@ -64,7 +69,8 @@ type Validator interface { // revocation is an internal struct used for revocation checking type revocation struct { - httpClient *http.Client + ocspHTTPClient *http.Client + crlFetcher crlutil.Fetcher certChainPurpose purpose.Purpose } @@ -76,8 +82,14 @@ func New(httpClient *http.Client) (Revoc if httpClient == nil { return nil, errors.New("invalid input: a non-nil httpClient must be specified") } + fetcher, err := crlutil.NewHTTPFetcher(httpClient) + if err != nil { + return nil, err + } + return &revocation{ - httpClient: httpClient, + ocspHTTPClient: httpClient, + crlFetcher: fetcher, certChainPurpose: purpose.CodeSigning, }, nil } @@ -89,6 +101,11 @@ type Options struct { // OPTIONAL. OCSPHTTPClient *http.Client + // CRLFetcher is a fetcher for CRL with cache. If not provided, a default + // fetcher with an HTTP client and a timeout of 5 seconds will be used + // without cache. + CRLFetcher crlutil.Fetcher + // CertChainPurpose is the purpose of the certificate chain. Supported // values are CodeSigning and Timestamping. Default value is CodeSigning. // OPTIONAL. @@ -101,6 +118,15 @@ func NewWithOptions(opts Options) (Valid opts.OCSPHTTPClient = &http.Client{Timeout: 2 * time.Second} } + fetcher := opts.CRLFetcher + if fetcher == nil { + newFetcher, err := crlutil.NewHTTPFetcher(&http.Client{Timeout: 5 * time.Second}) + if err != nil { + return nil, err + } + fetcher = newFetcher + } + switch opts.CertChainPurpose { case purpose.CodeSigning, purpose.Timestamping: default: @@ -108,17 +134,22 @@ func NewWithOptions(opts Options) (Valid } return &revocation{ - httpClient: opts.OCSPHTTPClient, + ocspHTTPClient: opts.OCSPHTTPClient, + crlFetcher: fetcher, certChainPurpose: opts.CertChainPurpose, }, nil } // Validate checks the revocation status for a certificate chain using OCSP and -// returns an array of CertRevocationResults that contain the results and any -// errors that are encountered during the process +// CRL if OCSP is not available. It returns an array of CertRevocationResults +// that contain the results and any errors that are encountered during the +// process. +// +// This function tries OCSP and falls back to CRL when: +// - OCSP is not supported by the certificate +// - OCSP returns an unknown status // -// TODO: add CRL support -// https://github.com/notaryproject/notation-core-go/issues/125 +// NOTE: The certificate chain is expected to be in the order of leaf to root. func (r *revocation) Validate(certChain []*x509.Certificate, signingTime time.Time) ([]*result.CertRevocationResult, error) { return r.ValidateContext(context.Background(), ValidateContextOptions{ CertChain: certChain, @@ -126,24 +157,115 @@ func (r *revocation) Validate(certChain }) } -// ValidateContext checks the revocation status for a certificate chain using -// OCSP and returns an array of CertRevocationResults that contain the results -// and any errors that are encountered during the process +// ValidateContext checks the revocation status for a certificate chain using OCSP and +// CRL if OCSP is not available. It returns an array of CertRevocationResults +// that contain the results and any errors that are encountered during the +// process. +// +// This function tries OCSP and falls back to CRL when: +// - OCSP is not supported by the certificate +// - OCSP returns an unknown status // -// TODO: add CRL support -// https://github.com/notaryproject/notation-core-go/issues/125 +// NOTE: The certificate chain is expected to be in the order of leaf to root. func (r *revocation) ValidateContext(ctx context.Context, validateContextOpts ValidateContextOptions) ([]*result.CertRevocationResult, error) { + // validate certificate chain if len(validateContextOpts.CertChain) == 0 { return nil, result.InvalidChainError{Err: errors.New("chain does not contain any certificates")} } + certChain := validateContextOpts.CertChain + if err := x509util.ValidateChain(certChain, r.certChainPurpose); err != nil { + return nil, err + } - return ocsp.CheckStatus(ocsp.Options{ - CertChain: validateContextOpts.CertChain, - CertChainPurpose: r.certChainPurpose, - SigningTime: validateContextOpts.AuthenticSigningTime, - HTTPClient: r.httpClient, - }) + ocspOpts := ocsp.CertCheckStatusOptions{ + HTTPClient: r.ocspHTTPClient, + SigningTime: validateContextOpts.AuthenticSigningTime, + } + + crlOpts := crl.CertCheckStatusOptions{ + Fetcher: r.crlFetcher, + SigningTime: validateContextOpts.AuthenticSigningTime, + } + + // panicChain is used to store the panic in goroutine and handle it + panicChan := make(chan any, len(certChain)) + defer close(panicChan) + + certResults := make([]*result.CertRevocationResult, len(certChain)) + var wg sync.WaitGroup + for i, cert := range certChain[:len(certChain)-1] { + switch { + case ocsp.Supported(cert): + // do OCSP check for the certificate + wg.Add(1) + + go func(i int, cert *x509.Certificate) { + defer wg.Done() + defer func() { + if r := recover(); r != nil { + // catch panic and send it to panicChan to avoid + // losing the panic + panicChan <- r + } + }() + + ocspResult := ocsp.CertCheckStatus(ctx, cert, certChain[i+1], ocspOpts) + if ocspResult != nil && ocspResult.Result == result.ResultUnknown && crl.Supported(cert) { + // try CRL check if OCSP serverResult is unknown + serverResult := crl.CertCheckStatus(ctx, cert, certChain[i+1], crlOpts) + // append CRL result to OCSP result + serverResult.ServerResults = append(ocspResult.ServerResults, serverResult.ServerResults...) + serverResult.RevocationMethod = result.RevocationMethodOCSPFallbackCRL + certResults[i] = serverResult + } else { + certResults[i] = ocspResult + } + }(i, cert) + case crl.Supported(cert): + // do CRL check for the certificate + wg.Add(1) + + go func(i int, cert *x509.Certificate) { + defer wg.Done() + defer func() { + if r := recover(); r != nil { + // catch panic and send it to panicChan to avoid + // losing the panic + panicChan <- r + } + }() + + certResults[i] = crl.CertCheckStatus(ctx, cert, certChain[i+1], crlOpts) + }(i, cert) + default: + certResults[i] = &result.CertRevocationResult{ + Result: result.ResultNonRevokable, + ServerResults: []*result.ServerResult{{ + Result: result.ResultNonRevokable, + RevocationMethod: result.RevocationMethodUnknown, + }}, + RevocationMethod: result.RevocationMethodUnknown, + } + } + } + + // Last is root cert, which will never be revoked by OCSP or CRL + certResults[len(certChain)-1] = &result.CertRevocationResult{ + Result: result.ResultNonRevokable, + ServerResults: []*result.ServerResult{{ + Result: result.ResultNonRevokable, + RevocationMethod: result.RevocationMethodUnknown, + }}, + RevocationMethod: result.RevocationMethodUnknown, + } + wg.Wait() + + // handle panic + select { + case p := <-panicChan: + panic(p) + default: + } - // TODO: add CRL support - // https://github.com/notaryproject/notation-core-go/issues/125 + return certResults, nil } diff -pruN 1.1.0-6/revocation/revocation_test.go 1.3.0-1/revocation/revocation_test.go --- 1.1.0-6/revocation/revocation_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/revocation/revocation_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,15 +14,22 @@ package revocation import ( + "bytes" "context" + "crypto/rand" "crypto/x509" "errors" "fmt" + "io" + "math/big" "net/http" + "strconv" + "strings" "testing" "time" - revocationocsp "github.com/notaryproject/notation-core-go/revocation/ocsp" + "github.com/notaryproject/notation-core-go/revocation/crl" + revocationocsp "github.com/notaryproject/notation-core-go/revocation/internal/ocsp" "github.com/notaryproject/notation-core-go/revocation/purpose" "github.com/notaryproject/notation-core-go/revocation/result" "github.com/notaryproject/notation-core-go/testhelper" @@ -60,6 +67,9 @@ func validateEquivalentCertResults(certR t.Errorf("Expected certResults[%d].ServerResults[%d].Error to be %v, but got %v", i, j, expectedCertResults[i].ServerResults[j].Error, serverResult.Error) } } + if certResult.RevocationMethod != expectedCertResults[i].RevocationMethod { + t.Errorf("Expected certResults[%d].RevocationMethod to be %d, but got %d", i, expectedCertResults[i].RevocationMethod, certResult.RevocationMethod) + } } } @@ -69,6 +79,7 @@ func getOKCertResult(server string) *res ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultOK, server, nil), }, + RevocationMethod: result.RevocationMethodOCSP, } } @@ -96,8 +107,8 @@ func TestNew(t *testing.T) { revR, ok := r.(*revocation) if !ok { t.Error("Expected New to create an object matching the internal revocation struct") - } else if revR.httpClient != client { - t.Errorf("Expected New to set client to %v, but it was set to %v", client, revR.httpClient) + } else if revR.ocspHTTPClient != client { + t.Errorf("Expected New to set client to %v, but it was set to %v", client, revR.ocspHTTPClient) } } @@ -161,6 +172,7 @@ func TestCheckRevocationStatusForSingleC ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, revokableChain[0].OCSPServer[0], revocationocsp.UnknownStatusError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getRootCertResult(), } @@ -183,6 +195,7 @@ func TestCheckRevocationStatusForSingleC ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[0].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getRootCertResult(), } @@ -305,6 +318,7 @@ func TestCheckRevocationStatusForChain(t ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -332,6 +346,7 @@ func TestCheckRevocationStatusForChain(t ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -359,6 +374,7 @@ func TestCheckRevocationStatusForChain(t ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), { @@ -366,6 +382,7 @@ func TestCheckRevocationStatusForChain(t ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[4].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getRootCertResult(), } @@ -415,6 +432,7 @@ func TestCheckRevocationStatusForChain(t ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -442,6 +460,7 @@ func TestCheckRevocationStatusForChain(t ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -475,6 +494,7 @@ func TestCheckRevocationStatusForChain(t ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -493,6 +513,18 @@ func TestCheckRevocationStatusForTimesta revokableChain[i].NotBefore = zeroTime } + t.Run("invalid revocation purpose", func(t *testing.T) { + revocationClient := &revocation{ + ocspHTTPClient: &http.Client{Timeout: 5 * time.Second}, + certChainPurpose: -1, + } + + _, err := revocationClient.Validate(revokableChain, time.Now()) + if err == nil { + t.Error("Expected Validate to fail with an error, but it succeeded") + } + }) + t.Run("empty chain", func(t *testing.T) { r, err := NewWithOptions(Options{ OCSPHTTPClient: &http.Client{Timeout: 5 * time.Second}, @@ -564,6 +596,7 @@ func TestCheckRevocationStatusForTimesta ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -596,6 +629,7 @@ func TestCheckRevocationStatusForTimesta ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -628,6 +662,7 @@ func TestCheckRevocationStatusForTimesta ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), { @@ -635,6 +670,7 @@ func TestCheckRevocationStatusForTimesta ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[4].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getRootCertResult(), } @@ -694,6 +730,7 @@ func TestCheckRevocationStatusForTimesta ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -726,6 +763,7 @@ func TestCheckRevocationStatusForTimesta ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -762,6 +800,7 @@ func TestCheckRevocationStatusForTimesta ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(revokableChain[3].OCSPServer[0]), getOKCertResult(revokableChain[4].OCSPServer[0]), @@ -784,13 +823,13 @@ func TestCheckRevocationErrors(t *testin expiredLeaf, _ := x509.ParseCertificate(revokableTuples[0].Cert.Raw) expiredLeaf.IsCA = false expiredLeaf.KeyUsage = x509.KeyUsageDigitalSignature - expiredLeaf.OCSPServer = []string{"http://example.com/expired_ocsp"} + expiredLeaf.OCSPServer = []string{"http://localhost.test/expired_ocsp"} expiredChain := []*x509.Certificate{expiredLeaf, revokableTuples[1].Cert, revokableTuples[2].Cert} noHTTPLeaf, _ := x509.ParseCertificate(revokableTuples[0].Cert.Raw) noHTTPLeaf.IsCA = false noHTTPLeaf.KeyUsage = x509.KeyUsageDigitalSignature - noHTTPLeaf.OCSPServer = []string{"ldap://ds.example.com:123/chain_ocsp/0"} + noHTTPLeaf.OCSPServer = []string{"ldap://ds.localhost.test:123/chain_ocsp/0"} noHTTPChain := []*x509.Certificate{noHTTPLeaf, revokableTuples[1].Cert, revokableTuples[2].Cert} backwardsChainErr := result.InvalidChainError{Err: errors.New("leaf certificate with subject \"CN=Notation Test Revokable RSA Chain Cert Root,O=Notary,L=Seattle,ST=WA,C=US\" is self-signed. Certificate chain must not contain self-signed leaf certificate")} @@ -856,12 +895,14 @@ func TestCheckRevocationErrors(t *testin ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, okChain[0].OCSPServer[0], revocationocsp.TimeoutError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, { Result: result.ResultUnknown, ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, okChain[1].OCSPServer[0], revocationocsp.TimeoutError{}), }, + RevocationMethod: result.RevocationMethodOCSP, }, getRootCertResult(), } @@ -884,6 +925,7 @@ func TestCheckRevocationErrors(t *testin ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, expiredChain[0].OCSPServer[0], expiredRespErr), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(expiredChain[1].OCSPServer[0]), getRootCertResult(), @@ -926,6 +968,7 @@ func TestCheckRevocationErrors(t *testin ServerResults: []*result.ServerResult{ result.NewServerResult(result.ResultUnknown, noHTTPChain[0].OCSPServer[0], noHTTPErr), }, + RevocationMethod: result.RevocationMethodOCSP, }, getOKCertResult(noHTTPChain[1].OCSPServer[0]), getRootCertResult(), @@ -941,7 +984,7 @@ func TestCheckRevocationInvalidChain(t * for i, cert := range misorderedIntermediateChain { if i != (len(misorderedIntermediateChain) - 1) { // Skip root which won't have an OCSP Server - cert.OCSPServer[0] = fmt.Sprintf("http://example.com/chain_ocsp/%d", i) + cert.OCSPServer[0] = fmt.Sprintf("http://localhost.test/chain_ocsp/%d", i) } } @@ -949,7 +992,7 @@ func TestCheckRevocationInvalidChain(t * for i, cert := range missingIntermediateChain { if i != (len(missingIntermediateChain) - 1) { // Skip root which won't have an OCSP Server - cert.OCSPServer[0] = fmt.Sprintf("http://example.com/chain_ocsp/%d", i) + cert.OCSPServer[0] = fmt.Sprintf("http://localhost.test/chain_ocsp/%d", i) } } @@ -989,9 +1032,341 @@ func TestCheckRevocationInvalidChain(t * }) } +func TestCRL(t *testing.T) { + t.Run("CRL check valid", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(3, false, true) + + fetcher, err := crl.NewHTTPFetcher(&http.Client{ + Timeout: 5 * time.Second, + Transport: &crlRoundTripper{ + CertChain: chain, + Revoked: false, + }, + }) + if err != nil { + t.Errorf("Expected successful creation of fetcher, but received error: %v", err) + } + + revocationClient, err := NewWithOptions(Options{ + OCSPHTTPClient: &http.Client{}, + CRLFetcher: fetcher, + CertChainPurpose: purpose.CodeSigning, + }) + if err != nil { + t.Errorf("Expected successful creation of revocation, but received error: %v", err) + } + + certResults, err := revocationClient.ValidateContext(context.Background(), ValidateContextOptions{ + CertChain: []*x509.Certificate{chain[0].Cert, chain[1].Cert, chain[2].Cert}, + AuthenticSigningTime: time.Now(), + }) + if err != nil { + t.Errorf("Expected CheckStatus to succeed, but got error: %v", err) + } + + expectedCertResults := []*result.CertRevocationResult{ + { + Result: result.ResultOK, + ServerResults: []*result.ServerResult{{ + Result: result.ResultOK, + Server: "http://localhost.test/chain_crl/0", + }}, + RevocationMethod: result.RevocationMethodCRL, + }, + { + Result: result.ResultOK, + ServerResults: []*result.ServerResult{{ + Result: result.ResultOK, + Server: "http://localhost.test/chain_crl/1", + }}, + RevocationMethod: result.RevocationMethodCRL, + }, + getRootCertResult(), + } + + validateEquivalentCertResults(certResults, expectedCertResults, t) + }) + + t.Run("CRL check with revoked status", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(3, false, true) + + fetcher, err := crl.NewHTTPFetcher(&http.Client{ + Timeout: 5 * time.Second, + Transport: &crlRoundTripper{ + CertChain: chain, + Revoked: true, + }, + }) + if err != nil { + t.Errorf("Expected successful creation of fetcher, but received error: %v", err) + } + + revocationClient, err := NewWithOptions(Options{ + OCSPHTTPClient: &http.Client{}, + CRLFetcher: fetcher, + CertChainPurpose: purpose.CodeSigning, + }) + if err != nil { + t.Errorf("Expected successful creation of revocation, but received error: %v", err) + } + + certResults, err := revocationClient.ValidateContext(context.Background(), ValidateContextOptions{ + CertChain: []*x509.Certificate{ + chain[0].Cert, // leaf + chain[1].Cert, // intermediate + chain[2].Cert, // root + }, + AuthenticSigningTime: time.Now(), + }) + if err != nil { + t.Errorf("Expected CheckStatus to succeed, but got error: %v", err) + } + + expectedCertResults := []*result.CertRevocationResult{ + { + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultRevoked, + Server: "http://localhost.test/chain_crl/0", + }, + }, + RevocationMethod: result.RevocationMethodCRL, + }, + { + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultRevoked, + Server: "http://localhost.test/chain_crl/1", + }, + }, + RevocationMethod: result.RevocationMethodCRL, + }, + getRootCertResult(), + } + + validateEquivalentCertResults(certResults, expectedCertResults, t) + }) + + t.Run("OCSP fallback to CRL", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(3, true, true) + fetcher, err := crl.NewHTTPFetcher(&http.Client{ + Timeout: 5 * time.Second, + Transport: &crlRoundTripper{ + CertChain: chain, + Revoked: true, + FailOCSP: true, + }, + }) + if err != nil { + t.Errorf("Expected successful creation of fetcher, but received error: %v", err) + } + + revocationClient, err := NewWithOptions(Options{ + OCSPHTTPClient: &http.Client{ + Transport: &serverErrorTransport{}, + }, + CRLFetcher: fetcher, + CertChainPurpose: purpose.CodeSigning, + }) + if err != nil { + t.Errorf("Expected successful creation of revocation, but received error: %v", err) + } + + certResults, err := revocationClient.ValidateContext(context.Background(), ValidateContextOptions{ + CertChain: []*x509.Certificate{ + chain[0].Cert, // leaf + chain[1].Cert, // intermediate + chain[2].Cert, // root + }, + AuthenticSigningTime: time.Now(), + }) + if err != nil { + t.Errorf("Expected CheckStatus to succeed, but got error: %v", err) + } + + expectedCertResults := []*result.CertRevocationResult{ + { + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultUnknown, + Server: "http://localhost.test/chain_ocsp/0", + Error: errors.New("failed to retrieve OCSP: response had status code 500"), + RevocationMethod: result.RevocationMethodOCSP, + }, + { + Result: result.ResultRevoked, + Server: "http://localhost.test/chain_crl/0", + RevocationMethod: result.RevocationMethodCRL, + }, + }, + RevocationMethod: result.RevocationMethodOCSPFallbackCRL, + }, + { + Result: result.ResultRevoked, + ServerResults: []*result.ServerResult{ + { + Result: result.ResultUnknown, + Server: "http://localhost.test/chain_ocsp/1", + Error: errors.New("failed to retrieve OCSP: response had status code 500"), + RevocationMethod: result.RevocationMethodOCSPFallbackCRL, + }, + { + Result: result.ResultRevoked, + Server: "http://localhost.test/chain_crl/1", + RevocationMethod: result.RevocationMethodCRL, + }, + }, + RevocationMethod: result.RevocationMethodOCSPFallbackCRL, + }, + getRootCertResult(), + } + + validateEquivalentCertResults(certResults, expectedCertResults, t) + }) +} + +func TestPanicHandling(t *testing.T) { + t.Run("panic in OCSP", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(2, true, false) + client := &http.Client{ + Transport: panicTransport{}, + } + + fetcher, err := crl.NewHTTPFetcher(client) + if err != nil { + t.Errorf("Expected successful creation of fetcher, but received error: %v", err) + } + + r, err := NewWithOptions(Options{ + OCSPHTTPClient: client, + CRLFetcher: fetcher, + CertChainPurpose: purpose.CodeSigning, + }) + if err != nil { + t.Errorf("Expected successful creation of revocation, but received error: %v", err) + } + + defer func() { + if r := recover(); r == nil { + t.Error("Expected panic, but got nil") + } + }() + _, _ = r.ValidateContext(context.Background(), ValidateContextOptions{ + CertChain: []*x509.Certificate{chain[0].Cert, chain[1].Cert}, + AuthenticSigningTime: time.Now(), + }) + + }) + + t.Run("panic in CRL", func(t *testing.T) { + chain := testhelper.GetRevokableRSAChainWithRevocations(2, false, true) + client := &http.Client{ + Transport: panicTransport{}, + } + + fetcher, err := crl.NewHTTPFetcher(client) + if err != nil { + t.Errorf("Expected successful creation of fetcher, but received error: %v", err) + } + + r, err := NewWithOptions(Options{ + OCSPHTTPClient: client, + CRLFetcher: fetcher, + CertChainPurpose: purpose.CodeSigning, + }) + if err != nil { + t.Errorf("Expected successful creation of revocation, but received error: %v", err) + } + + defer func() { + if r := recover(); r == nil { + t.Error("Expected panic, but got nil") + } + }() + _, _ = r.ValidateContext(context.Background(), ValidateContextOptions{ + CertChain: []*x509.Certificate{chain[0].Cert, chain[1].Cert}, + AuthenticSigningTime: time.Now(), + }) + }) +} + +type crlRoundTripper struct { + CertChain []testhelper.RSACertTuple + Revoked bool + FailOCSP bool +} + +func (rt *crlRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { + // e.g. ocsp URL: http://localhost.test/chain_ocsp/0 + // e.g. crl URL: http://localhost.test/chain_crl/0 + parts := strings.Split(req.URL.Path, "/") + + isOCSP := parts[len(parts)-2] == "chain_ocsp" + // fail OCSP + if rt.FailOCSP && isOCSP { + return nil, errors.New("OCSP failed") + } + + // choose the cert suffix based on suffix of request url + // e.g. http://localhost.test/chain_crl/0 -> 0 + i, err := strconv.Atoi(parts[len(parts)-1]) + if err != nil { + return nil, err + } + if i >= len(rt.CertChain) { + return nil, errors.New("invalid index") + } + + cert := rt.CertChain[i].Cert + crl := &x509.RevocationList{ + NextUpdate: time.Now().Add(time.Hour), + Number: big.NewInt(20240720), + } + + if rt.Revoked { + crl.RevokedCertificateEntries = []x509.RevocationListEntry{ + { + SerialNumber: cert.SerialNumber, + RevocationTime: time.Now().Add(-time.Hour), + }, + } + } + + issuerCert := rt.CertChain[i+1].Cert + issuerKey := rt.CertChain[i+1].PrivateKey + crlBytes, err := x509.CreateRevocationList(rand.Reader, crl, issuerCert, issuerKey) + if err != nil { + return nil, err + } + + return &http.Response{ + StatusCode: http.StatusOK, + Body: io.NopCloser(bytes.NewReader(crlBytes)), + }, nil +} + +type panicTransport struct{} + +func (t panicTransport) RoundTrip(req *http.Request) (*http.Response, error) { + panic("panic") +} + +type serverErrorTransport struct{} + +func (t serverErrorTransport) RoundTrip(req *http.Request) (*http.Response, error) { + return &http.Response{ + StatusCode: http.StatusInternalServerError, + Body: io.NopCloser(bytes.NewReader([]byte{})), + }, nil +} + func TestValidateContext(t *testing.T) { r, err := NewWithOptions(Options{ - OCSPHTTPClient: &http.Client{}, + OCSPHTTPClient: &http.Client{}, + CertChainPurpose: purpose.CodeSigning, }) if err != nil { t.Fatal(err) diff -pruN 1.1.0-6/signature/algorithm.go 1.3.0-1/signature/algorithm.go --- 1.1.0-6/signature/algorithm.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/algorithm.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,112 +14,44 @@ package signature import ( - "crypto" - "crypto/ecdsa" - "crypto/rsa" "crypto/x509" - "fmt" + + "github.com/notaryproject/notation-core-go/internal/algorithm" ) // Algorithm defines the signature algorithm. -type Algorithm int +type Algorithm = algorithm.Algorithm // Signature algorithms supported by this library. // // Reference: https://github.com/notaryproject/notaryproject/blob/main/specs/signature-specification.md#algorithm-selection const ( - AlgorithmPS256 Algorithm = 1 + iota // RSASSA-PSS with SHA-256 - AlgorithmPS384 // RSASSA-PSS with SHA-384 - AlgorithmPS512 // RSASSA-PSS with SHA-512 - AlgorithmES256 // ECDSA on secp256r1 with SHA-256 - AlgorithmES384 // ECDSA on secp384r1 with SHA-384 - AlgorithmES512 // ECDSA on secp521r1 with SHA-512 + AlgorithmPS256 = algorithm.AlgorithmPS256 // RSASSA-PSS with SHA-256 + AlgorithmPS384 = algorithm.AlgorithmPS384 // RSASSA-PSS with SHA-384 + AlgorithmPS512 = algorithm.AlgorithmPS512 // RSASSA-PSS with SHA-512 + AlgorithmES256 = algorithm.AlgorithmES256 // ECDSA on secp256r1 with SHA-256 + AlgorithmES384 = algorithm.AlgorithmES384 // ECDSA on secp384r1 with SHA-384 + AlgorithmES512 = algorithm.AlgorithmES512 // ECDSA on secp521r1 with SHA-512 ) // KeyType defines the key type. -type KeyType int +type KeyType = algorithm.KeyType const ( - KeyTypeRSA KeyType = 1 + iota // KeyType RSA - KeyTypeEC // KeyType EC + KeyTypeRSA = algorithm.KeyTypeRSA // KeyType RSA + KeyTypeEC = algorithm.KeyTypeEC // KeyType EC ) // KeySpec defines a key type and size. -type KeySpec struct { - // KeyType is the type of the key. - Type KeyType - - // KeySize is the size of the key in bits. - Size int -} - -// Hash returns the hash function of the algorithm. -func (alg Algorithm) Hash() crypto.Hash { - switch alg { - case AlgorithmPS256, AlgorithmES256: - return crypto.SHA256 - case AlgorithmPS384, AlgorithmES384: - return crypto.SHA384 - case AlgorithmPS512, AlgorithmES512: - return crypto.SHA512 - } - return 0 -} +type KeySpec = algorithm.KeySpec // ExtractKeySpec extracts KeySpec from the signing certificate. func ExtractKeySpec(signingCert *x509.Certificate) (KeySpec, error) { - switch key := signingCert.PublicKey.(type) { - case *rsa.PublicKey: - switch bitSize := key.Size() << 3; bitSize { - case 2048, 3072, 4096: - return KeySpec{ - Type: KeyTypeRSA, - Size: bitSize, - }, nil - default: - return KeySpec{}, &UnsupportedSigningKeyError{ - Msg: fmt.Sprintf("rsa key size %d bits is not supported", bitSize), - } - } - case *ecdsa.PublicKey: - switch bitSize := key.Curve.Params().BitSize; bitSize { - case 256, 384, 521: - return KeySpec{ - Type: KeyTypeEC, - Size: bitSize, - }, nil - default: - return KeySpec{}, &UnsupportedSigningKeyError{ - Msg: fmt.Sprintf("ecdsa key size %d bits is not supported", bitSize), - } - } - } - return KeySpec{}, &UnsupportedSigningKeyError{ - Msg: "unsupported public key type", - } -} - -// SignatureAlgorithm returns the signing algorithm associated with the KeySpec. -func (k KeySpec) SignatureAlgorithm() Algorithm { - switch k.Type { - case KeyTypeEC: - switch k.Size { - case 256: - return AlgorithmES256 - case 384: - return AlgorithmES384 - case 521: - return AlgorithmES512 - } - case KeyTypeRSA: - switch k.Size { - case 2048: - return AlgorithmPS256 - case 3072: - return AlgorithmPS384 - case 4096: - return AlgorithmPS512 + ks, err := algorithm.ExtractKeySpec(signingCert) + if err != nil { + return KeySpec{}, &UnsupportedSigningKeyError{ + Msg: err.Error(), } } - return 0 + return ks, nil } diff -pruN 1.1.0-6/signature/algorithm_test.go 1.3.0-1/signature/algorithm_test.go --- 1.1.0-6/signature/algorithm_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/algorithm_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,7 +14,6 @@ package signature import ( - "crypto" "crypto/ecdsa" "crypto/ed25519" "crypto/elliptic" @@ -28,59 +27,6 @@ import ( "github.com/notaryproject/notation-core-go/testhelper" ) -func TestHash(t *testing.T) { - tests := []struct { - name string - alg Algorithm - expect crypto.Hash - }{ - { - name: "PS256", - alg: AlgorithmPS256, - expect: crypto.SHA256, - }, - { - name: "ES256", - alg: AlgorithmES256, - expect: crypto.SHA256, - }, - { - name: "PS384", - alg: AlgorithmPS384, - expect: crypto.SHA384, - }, - { - name: "ES384", - alg: AlgorithmES384, - expect: crypto.SHA384, - }, - { - name: "PS512", - alg: AlgorithmPS512, - expect: crypto.SHA512, - }, - { - name: "ES512", - alg: AlgorithmES512, - expect: crypto.SHA512, - }, - { - name: "UnsupportedAlgorithm", - alg: 0, - expect: 0, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - hash := tt.alg.Hash() - if hash != tt.expect { - t.Fatalf("Expected %v, got %v", tt.expect, hash) - } - }) - } -} - func TestExtractKeySpec(t *testing.T) { type testCase struct { name string @@ -167,78 +113,4 @@ func TestExtractKeySpec(t *testing.T) { } }) } -} - -func TestSignatureAlgorithm(t *testing.T) { - tests := []struct { - name string - keySpec KeySpec - expect Algorithm - }{ - { - name: "EC 256", - keySpec: KeySpec{ - Type: KeyTypeEC, - Size: 256, - }, - expect: AlgorithmES256, - }, - { - name: "EC 384", - keySpec: KeySpec{ - Type: KeyTypeEC, - Size: 384, - }, - expect: AlgorithmES384, - }, - { - name: "EC 521", - keySpec: KeySpec{ - Type: KeyTypeEC, - Size: 521, - }, - expect: AlgorithmES512, - }, - { - name: "RSA 2048", - keySpec: KeySpec{ - Type: KeyTypeRSA, - Size: 2048, - }, - expect: AlgorithmPS256, - }, - { - name: "RSA 3072", - keySpec: KeySpec{ - Type: KeyTypeRSA, - Size: 3072, - }, - expect: AlgorithmPS384, - }, - { - name: "RSA 4096", - keySpec: KeySpec{ - Type: KeyTypeRSA, - Size: 4096, - }, - expect: AlgorithmPS512, - }, - { - name: "Unsupported key spec", - keySpec: KeySpec{ - Type: 0, - Size: 0, - }, - expect: 0, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - alg := tt.keySpec.SignatureAlgorithm() - if alg != tt.expect { - t.Errorf("unexpected signature algorithm: %v, expect: %v", alg, tt.expect) - } - }) - } } diff -pruN 1.1.0-6/signature/cose/envelope_test.go 1.3.0-1/signature/cose/envelope_test.go --- 1.1.0-6/signature/cose/envelope_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/cose/envelope_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,6 +14,7 @@ package cose import ( + "context" "crypto" "crypto/x509" "errors" @@ -33,7 +34,7 @@ import ( const ( payloadString = "{\"targetArtifact\":{\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"digest\":\"sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333\",\"size\":16724,\"annotations\":{\"io.wabbit-networks.buildId\":\"123\"}}}" - rfc3161TSAurl = "http://rfc3161timestamp.globalsign.com/advanced" + rfc3161TSAurl = "http://timestamp.digicert.com" ) var ( @@ -128,7 +129,7 @@ func TestSign(t *testing.T) { } } - t.Run("with timestmap countersignature request", func(t *testing.T) { + t.Run("with timestamp countersignature request", func(t *testing.T) { signRequest, err := newSignRequest("notary.x509", signature.KeyTypeRSA, 3072) if err != nil { t.Fatalf("newSignRequest() failed. Error = %s", err) @@ -137,7 +138,7 @@ func TestSign(t *testing.T) { if err != nil { t.Fatal(err) } - rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.crt") + rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.cer") if err != nil || len(rootCerts) == 0 { t.Fatal("failed to read root CA certificate:", err) } @@ -341,11 +342,8 @@ func TestSignErrors(t *testing.T) { if err != nil { t.Fatalf("getSignRequest() failed. Error = %v", err) } - signRequest.Timestamper, err = tspclient.NewHTTPTimestamper(nil, "invalid") - if err != nil { - t.Fatal(err) - } - expected := errors.New("timestamp: Post \"invalid\": unsupported protocol scheme \"\"") + signRequest.Timestamper = &dummyTimestamper{} + expected := errors.New("timestamp: failed to timestamp") encoded, err := env.Sign(signRequest) if !isErrEqual(expected, err) { t.Fatalf("Sign() expects error: %v, but got: %v.", expected, err) @@ -1101,3 +1099,9 @@ func generateTestRawMessage(raw cbor.Raw return resRaw } + +type dummyTimestamper tspclient.Timestamp + +func (dts *dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) { + return nil, errors.New("failed to timestamp") +} diff -pruN 1.1.0-6/signature/cose/fuzz_test.go 1.3.0-1/signature/cose/fuzz_test.go --- 1.1.0-6/signature/cose/fuzz_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/signature/cose/fuzz_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,33 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cose + +import ( + "testing" +) + +func FuzzSignatureCose(f *testing.F) { + f.Fuzz(func(t *testing.T, envelopeBytes []byte, shouldVerify bool) { + e, err := ParseEnvelope(envelopeBytes) + if err != nil { + t.Skip() + } + + if shouldVerify { + _, _ = e.Verify() + } else { + _, _ = e.Content() + } + }) +} diff -pruN 1.1.0-6/signature/errors.go 1.3.0-1/signature/errors.go --- 1.1.0-6/signature/errors.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/errors.go 2025-10-31 12:58:40.000000000 +0000 @@ -67,7 +67,7 @@ type SignatureAuthenticityError struct{} // Error returns the default error message. func (e *SignatureAuthenticityError) Error() string { - return "signature is not produced by a trusted signer" + return "the signature's certificate chain does not contain any trusted certificate" } // UnsupportedSigningKeyError is used when a signing key is not supported. diff -pruN 1.1.0-6/signature/errors_test.go 1.3.0-1/signature/errors_test.go --- 1.1.0-6/signature/errors_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/errors_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -162,7 +162,7 @@ func TestSignatureEnvelopeNotFoundError( func TestSignatureAuthenticityError(t *testing.T) { err := &SignatureAuthenticityError{} - expectMsg := "signature is not produced by a trusted signer" + expectMsg := "the signature's certificate chain does not contain any trusted certificate" if err.Error() != expectMsg { t.Errorf("Expected %v but got %v", expectMsg, err.Error()) diff -pruN 1.1.0-6/signature/jws/envelope_test.go 1.3.0-1/signature/jws/envelope_test.go --- 1.1.0-6/signature/jws/envelope_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/jws/envelope_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,6 +14,7 @@ package jws import ( + "context" "crypto" "crypto/ecdsa" "crypto/rand" @@ -36,7 +37,7 @@ import ( "github.com/notaryproject/tspclient-go" ) -const rfc3161TSAurl = "http://rfc3161timestamp.globalsign.com/advanced" +const rfc3161TSAurl = "http://timestamp.digicert.com" // remoteMockSigner is used to mock remote signer type remoteMockSigner struct { @@ -266,11 +267,8 @@ func TestSignFailed(t *testing.T) { signReq, err := getSignReq(signature.SigningSchemeX509, signer, nil) checkNoError(t, err) - signReq.Timestamper, err = tspclient.NewHTTPTimestamper(nil, "invalid") - if err != nil { - t.Fatal(err) - } - expected := errors.New("timestamp: Post \"invalid\": unsupported protocol scheme \"\"") + signReq.Timestamper = &dummyTimestamper{} + expected := errors.New("timestamp: failed to timestamp") encoded, err := env.Sign(signReq) if !isErrEqual(expected, err) { t.Fatalf("Sign() expects error: %v, but got: %v.", expected, err) @@ -343,7 +341,7 @@ func TestSignWithTimestamp(t *testing.T) if err != nil { t.Fatal(err) } - rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.crt") + rootCerts, err := nx509.ReadCertificateFile("../../internal/timestamp/testdata/tsaRootCert.cer") if err != nil || len(rootCerts) == 0 { t.Fatal("failed to read root CA certificate:", err) } @@ -687,3 +685,9 @@ func isErrEqual(wanted, got error) bool } return false } + +type dummyTimestamper tspclient.Timestamp + +func (dts *dummyTimestamper) Timestamp(context.Context, *tspclient.Request) (*tspclient.Response, error) { + return nil, errors.New("failed to timestamp") +} diff -pruN 1.1.0-6/signature/jws/fuzz_test.go 1.3.0-1/signature/jws/fuzz_test.go --- 1.1.0-6/signature/jws/fuzz_test.go 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-1/signature/jws/fuzz_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -0,0 +1,33 @@ +// Copyright The Notary Project Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package jws + +import ( + "testing" +) + +func FuzzSignatureJws(f *testing.F) { + f.Fuzz(func(t *testing.T, envelopeBytes []byte, shouldVerify bool) { + e, err := ParseEnvelope(envelopeBytes) + if err != nil { + t.Skip() + } + + if shouldVerify { + _, _ = e.Verify() + } else { + _, _ = e.Content() + } + }) +} diff -pruN 1.1.0-6/signature/signer.go 1.3.0-1/signature/signer.go --- 1.1.0-6/signature/signer.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/signer.go 2025-10-31 12:58:40.000000000 +0000 @@ -122,22 +122,21 @@ func (s *localSigner) PrivateKey() crypt return s.key } -// VerifyAuthenticity verifies the certificate chain in the given SignerInfo -// with one of the trusted certificates and returns a certificate that matches -// with one of the certificates in the SignerInfo. +// VerifyAuthenticity iterates the certificate chain in signerInfo, for each +// certificate in the chain, it checks if the certificate matches with one of +// the trusted certificates in trustedCerts. It returns the first matching +// certificate. If no match is found, it returns an error. // // Reference: https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#steps func VerifyAuthenticity(signerInfo *SignerInfo, trustedCerts []*x509.Certificate) (*x509.Certificate, error) { if len(trustedCerts) == 0 { return nil, &InvalidArgumentError{Param: "trustedCerts"} } - if signerInfo == nil { return nil, &InvalidArgumentError{Param: "signerInfo"} } - - for _, trust := range trustedCerts { - for _, cert := range signerInfo.CertificateChain { + for _, cert := range signerInfo.CertificateChain { + for _, trust := range trustedCerts { if trust.Equal(cert) { return trust, nil } diff -pruN 1.1.0-6/signature/types.go 1.3.0-1/signature/types.go --- 1.1.0-6/signature/types.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/signature/types.go 2025-10-31 12:58:40.000000000 +0000 @@ -20,6 +20,7 @@ import ( "fmt" "time" + "github.com/notaryproject/notation-core-go/revocation" "github.com/notaryproject/tspclient-go" ) @@ -112,6 +113,11 @@ type SignRequest struct { // TSARootCAs is the set of caller trusted TSA root certificates TSARootCAs *x509.CertPool + // TSARevocationValidator is used for timestamping certificate + // chain revocation check after signing. + // When present, only used when timestamping is performed. + TSARevocationValidator revocation.Validator + // ctx is the caller context. It should only be modified via WithContext. // It is unexported to prevent people from using Context wrong // and mutating the contexts held by callers of the same request. diff -pruN 1.1.0-6/testhelper/certificatetest.go 1.3.0-1/testhelper/certificatetest.go --- 1.1.0-6/testhelper/certificatetest.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/testhelper/certificatetest.go 2025-10-31 12:58:40.000000000 +0000 @@ -75,16 +75,31 @@ func GetRevokableRSALeafCertificate() RS return revokableRSALeaf } +// GetRevokableRSAChainWithRevocations returns a certificate chain with OCSP +// and CRL enabled for revocation checks. +func GetRevokableRSAChainWithRevocations(size int, enabledOCSP, enabledCRL bool) []RSACertTuple { + setupCertificates() + chain := make([]RSACertTuple, size) + chain[size-1] = getRevokableRSARootChainCertTuple("Notation Test Revokable RSA Chain Cert Root", size-1, enabledCRL) + for i := size - 2; i > 0; i-- { + chain[i] = getRevokableRSAChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size-i), &chain[i+1], i, enabledOCSP, enabledCRL) + } + if size > 1 { + chain[0] = getRevokableRSALeafChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size), &chain[1], 0, true, false, enabledOCSP, enabledCRL) + } + return chain +} + // GetRevokableRSAChain returns a chain of certificates that specify a local OCSP server signed using RSA algorithm func GetRevokableRSAChain(size int) []RSACertTuple { setupCertificates() chain := make([]RSACertTuple, size) - chain[size-1] = getRevokableRSARootChainCertTuple("Notation Test Revokable RSA Chain Cert Root", size-1) + chain[size-1] = getRevokableRSARootChainCertTuple("Notation Test Revokable RSA Chain Cert Root", size-1, false) for i := size - 2; i > 0; i-- { - chain[i] = getRevokableRSAChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size-i), &chain[i+1], i) + chain[i] = getRevokableRSAChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size-i), &chain[i+1], i, true, false) } if size > 1 { - chain[0] = getRevokableRSALeafChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size), &chain[1], 0, true, false) + chain[0] = getRevokableRSALeafChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size), &chain[1], 0, true, false, true, false) } return chain } @@ -94,12 +109,12 @@ func GetRevokableRSAChain(size int) []RS func GetRevokableRSATimestampChain(size int) []RSACertTuple { setupCertificates() chain := make([]RSACertTuple, size) - chain[size-1] = getRevokableRSARootChainCertTuple("Notation Test Revokable RSA Chain Cert Root", size-1) + chain[size-1] = getRevokableRSARootChainCertTuple("Notation Test Revokable RSA Chain Cert Root", size-1, false) for i := size - 2; i > 0; i-- { - chain[i] = getRevokableRSAChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size-i), &chain[i+1], i) + chain[i] = getRevokableRSAChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size-i), &chain[i+1], i, true, false) } if size > 1 { - chain[0] = getRevokableRSALeafChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size), &chain[1], 0, false, true) + chain[0] = getRevokableRSALeafChainCertTuple(fmt.Sprintf("Notation Test Revokable RSA Chain Cert %d", size), &chain[1], 0, false, true, true, false) } return chain } @@ -167,35 +182,49 @@ func getRSACertTuple(cn string, issuer * func getRevokableRSACertTuple(cn string, issuer *RSACertTuple) RSACertTuple { template := getCertTemplate(issuer == nil, true, false, cn) - template.OCSPServer = []string{"http://example.com/ocsp"} + template.OCSPServer = []string{"http://localhost.test/ocsp"} return getRSACertTupleWithTemplate(template, issuer.PrivateKey, issuer) } -func getRevokableRSAChainCertTuple(cn string, previous *RSACertTuple, index int) RSACertTuple { +func getRevokableRSAChainCertTuple(cn string, previous *RSACertTuple, index int, enabledOCSP, enabledCRL bool) RSACertTuple { template := getCertTemplate(previous == nil, true, false, cn) template.BasicConstraintsValid = true template.IsCA = true template.KeyUsage = x509.KeyUsageCertSign - template.OCSPServer = []string{fmt.Sprintf("http://example.com/chain_ocsp/%d", index)} + if enabledOCSP { + template.OCSPServer = []string{fmt.Sprintf("http://localhost.test/chain_ocsp/%d", index)} + } + if enabledCRL { + template.KeyUsage |= x509.KeyUsageCRLSign + template.CRLDistributionPoints = []string{fmt.Sprintf("http://localhost.test/chain_crl/%d", index)} + } return getRSACertTupleWithTemplate(template, previous.PrivateKey, previous) } -func getRevokableRSARootChainCertTuple(cn string, pathLen int) RSACertTuple { +func getRevokableRSARootChainCertTuple(cn string, pathLen int, enabledCRL bool) RSACertTuple { pk, _ := rsa.GenerateKey(rand.Reader, 3072) template := getCertTemplate(true, true, false, cn) template.BasicConstraintsValid = true template.IsCA = true template.KeyUsage = x509.KeyUsageCertSign + if enabledCRL { + template.KeyUsage |= x509.KeyUsageCRLSign + } template.MaxPathLen = pathLen return getRSACertTupleWithTemplate(template, pk, nil) } -func getRevokableRSALeafChainCertTuple(cn string, issuer *RSACertTuple, index int, codesign, timestamp bool) RSACertTuple { +func getRevokableRSALeafChainCertTuple(cn string, issuer *RSACertTuple, index int, codesign, timestamp, enabledOCSP, enabledCRL bool) RSACertTuple { template := getCertTemplate(false, codesign, timestamp, cn) template.BasicConstraintsValid = true template.IsCA = false template.KeyUsage = x509.KeyUsageDigitalSignature - template.OCSPServer = []string{fmt.Sprintf("http://example.com/chain_ocsp/%d", index)} + if enabledOCSP { + template.OCSPServer = []string{fmt.Sprintf("http://localhost.test/chain_ocsp/%d", index)} + } + if enabledCRL { + template.CRLDistributionPoints = []string{fmt.Sprintf("http://localhost.test/chain_crl/%d", index)} + } return getRSACertTupleWithTemplate(template, issuer.PrivateKey, issuer) } diff -pruN 1.1.0-6/x509/codesigning_cert_validations.go 1.3.0-1/x509/codesigning_cert_validations.go --- 1.1.0-6/x509/codesigning_cert_validations.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/x509/codesigning_cert_validations.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,6 +14,7 @@ package x509 import ( + "bytes" "crypto/x509" "errors" "fmt" @@ -34,12 +35,17 @@ func ValidateCodeSigningCertChain(certCh // For self-signed signing certificate (not a CA) if len(certChain) == 1 { cert := certChain[0] - if signedTimeError := validateSigningTime(cert, signingTime); signedTimeError != nil { - return signedTimeError - } + // check self-signed if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil { return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: %w", cert.Subject, err) } + // check self-issued + if !bytes.Equal(cert.RawSubject, cert.RawIssuer) { + return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: issuer(%s) and subject(%s) are not the same", cert.Subject, cert.Issuer, cert.Subject) + } + if signedTimeError := validateSigningTime(cert, signingTime); signedTimeError != nil { + return signedTimeError + } if err := validateCodeSigningLeafCertificate(cert); err != nil { return fmt.Errorf("invalid self-signed certificate. Error: %w", err) } diff -pruN 1.1.0-6/x509/codesigning_cert_validations_test.go 1.3.0-1/x509/codesigning_cert_validations_test.go --- 1.1.0-6/x509/codesigning_cert_validations_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/x509/codesigning_cert_validations_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -19,6 +19,7 @@ import ( _ "embed" "errors" "os" + "strings" "testing" "time" @@ -200,6 +201,35 @@ func TestFailEmptyChain(t *testing.T) { assertErrorEqual("certificate chain must contain at least one certificate", err, t) } +func TestFailNonSelfSignedLeafCert(t *testing.T) { + signingTime := time.Now() + err := ValidateCodeSigningCertChain([]*x509.Certificate{codeSigningCert}, &signingTime) + + assertErrorEqual("invalid self-signed certificate. subject: \"CN=CodeSigningLeaf\". Error: crypto/rsa: verification error", err, t) +} + +func TestFailSelfIssuedCodeSigningCert(t *testing.T) { + chainTuple := testhelper.GetRevokableRSATimestampChain(2) + // the leaf certiifcate and the root certificate share the same private key + // so the leaf is also self-signed but issuer and subject are different + chain := []*x509.Certificate{chainTuple[0].Cert} + signingTime := time.Now() + err := ValidateCodeSigningCertChain(chain, &signingTime) + assertErrorEqual("invalid self-signed certificate. subject: \"CN=Notation Test Revokable RSA Chain Cert 2,O=Notary,L=Seattle,ST=WA,C=US\". Error: issuer(CN=Notation Test Revokable RSA Chain Cert Root,O=Notary,L=Seattle,ST=WA,C=US) and subject(CN=Notation Test Revokable RSA Chain Cert 2,O=Notary,L=Seattle,ST=WA,C=US) are not the same", err, t) +} + +func TestInvalidCodeSigningCertSigningTime(t *testing.T) { + chainTuple := testhelper.GetRevokableRSATimestampChain(2) + chain := []*x509.Certificate{chainTuple[1].Cert} + signingTime := time.Date(2021, 7, 7, 20, 48, 42, 0, time.UTC) + + expectPrefix := "certificate with subject \"CN=Notation Test Revokable RSA Chain Cert Root,O=Notary,L=Seattle,ST=WA,C=US\" was invalid at signing time of 2021-07-07 20:48:42 +0000 UTC" + err := ValidateCodeSigningCertChain(chain, &signingTime) + if !strings.HasPrefix(err.Error(), expectPrefix) { + t.Errorf("expected error to start with %q, got %q", expectPrefix, err) + } +} + func TestFailInvalidSigningTime(t *testing.T) { certChain := []*x509.Certificate{codeSigningCert, intermediateCert2, intermediateCert1, rootCert} diff -pruN 1.1.0-6/x509/helper.go 1.3.0-1/x509/helper.go --- 1.1.0-6/x509/helper.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/x509/helper.go 2025-10-31 12:58:40.000000000 +0000 @@ -20,7 +20,7 @@ import ( "strings" "time" - "github.com/notaryproject/notation-core-go/signature" + "github.com/notaryproject/notation-core-go/internal/algorithm" ) func isSelfSigned(cert *x509.Certificate) (bool, error) { @@ -95,13 +95,10 @@ func validateLeafKeyUsage(cert *x509.Cer } func validateSignatureAlgorithm(cert *x509.Certificate) error { - keySpec, err := signature.ExtractKeySpec(cert) + _, err := algorithm.ExtractKeySpec(cert) if err != nil { return fmt.Errorf("certificate with subject %q: %w", cert.Subject, err) } - if keySpec.SignatureAlgorithm() == 0 { - return fmt.Errorf("certificate with subject %q: unsupported signature algorithm with key spec %+v", cert.Subject, keySpec) - } return nil } diff -pruN 1.1.0-6/x509/timestamp_cert_validations.go 1.3.0-1/x509/timestamp_cert_validations.go --- 1.1.0-6/x509/timestamp_cert_validations.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/x509/timestamp_cert_validations.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,6 +14,7 @@ package x509 import ( + "bytes" "crypto/x509" "errors" "fmt" @@ -33,9 +34,14 @@ func ValidateTimestampingCertChain(certC // For self-signed signing certificate (not a CA) if len(certChain) == 1 { cert := certChain[0] + // check self-signed if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil { return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: %w", cert.Subject, err) } + // check self-issued + if !bytes.Equal(cert.RawSubject, cert.RawIssuer) { + return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: issuer (%s) and subject (%s) are not the same", cert.Subject, cert.Issuer, cert.Subject) + } if err := validateTimestampingLeafCertificate(cert); err != nil { return fmt.Errorf("invalid self-signed certificate. Error: %w", err) } diff -pruN 1.1.0-6/x509/timestamp_cert_validations_test.go 1.3.0-1/x509/timestamp_cert_validations_test.go --- 1.1.0-6/x509/timestamp_cert_validations_test.go 2024-08-27 00:06:48.000000000 +0000 +++ 1.3.0-1/x509/timestamp_cert_validations_test.go 2025-10-31 12:58:40.000000000 +0000 @@ -14,9 +14,18 @@ package x509 import ( + "crypto/rand" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" + "encoding/asn1" + "math/big" + "strings" "testing" + "time" + + "github.com/notaryproject/notation-core-go/internal/oid" + "github.com/notaryproject/notation-core-go/testhelper" ) func TestValidTimestampingChain(t *testing.T) { @@ -39,6 +48,42 @@ func TestValidTimestampingChain(t *testi } } +func TestFailSelfIssuedTimestampingCert(t *testing.T) { + chainTuple := testhelper.GetRevokableRSATimestampChain(2) + // the leaf certiifcate and the root certificate share the same private key + // so the leaf is also self-signed but issuer and subject are different + chain := []*x509.Certificate{chainTuple[0].Cert} + err := ValidateTimestampingCertChain(chain) + assertErrorEqual("invalid self-signed certificate. subject: \"CN=Notation Test Revokable RSA Chain Cert 2,O=Notary,L=Seattle,ST=WA,C=US\". Error: issuer (CN=Notation Test Revokable RSA Chain Cert Root,O=Notary,L=Seattle,ST=WA,C=US) and subject (CN=Notation Test Revokable RSA Chain Cert 2,O=Notary,L=Seattle,ST=WA,C=US) are not the same", err, t) +} + +func TestInvalidTimestampSelfSignedCert(t *testing.T) { + cert, err := createSelfSignedCert("valid cert", "valid cert", false) + if err != nil { + t.Error(err) + } + certChain := []*x509.Certificate{cert} + + expectPrefix := "invalid self-signed certificate. Error: timestamp signing certificate with subject \"CN=valid cert\" must have and only have Timestamping as extended key usage" + err = ValidateTimestampingCertChain(certChain) + if !strings.HasPrefix(err.Error(), expectPrefix) { + t.Errorf("expected error to start with %q, got %q", expectPrefix, err) + } +} + +func TestValidTimestampSelfSignedCert(t *testing.T) { + cert, err := createSelfSignedCert("valid cert", "valid cert", true) + if err != nil { + t.Error(err) + } + certChain := []*x509.Certificate{cert} + + err = ValidateTimestampingCertChain(certChain) + if err != nil { + t.Error(err) + } +} + func TestInvalidTimestampingChain(t *testing.T) { timestamp_leaf, err := readSingleCertificate("testdata/timestamp_leaf.crt") if err != nil { @@ -215,3 +260,47 @@ func TestEkuToString(t *testing.T) { t.Fatalf("expected 7") } } + +func createSelfSignedCert(subject string, issuer string, isTimestamp bool) (*x509.Certificate, error) { + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, err + } + + template := &x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{CommonName: subject}, + NotBefore: time.Now(), + NotAfter: time.Now().Add(365 * 24 * time.Hour), + KeyUsage: x509.KeyUsageDigitalSignature, + } + + if isTimestamp { + oids := []asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 8}} + value, err := asn1.Marshal(oids) + if err != nil { + return nil, err + } + template.ExtraExtensions = []pkix.Extension{{ + Id: oid.ExtKeyUsage, + Critical: true, + Value: value, + }} + template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping} + } + + parentTemplate := &x509.Certificate{ + SerialNumber: big.NewInt(2), + Subject: pkix.Name{CommonName: issuer}, + NotBefore: time.Now(), + NotAfter: time.Now().Add(365 * 24 * time.Hour), + KeyUsage: x509.KeyUsageCertSign, + } + + certDER, err := x509.CreateCertificate(rand.Reader, template, parentTemplate, &priv.PublicKey, priv) + if err != nil { + return nil, err + } + + return x509.ParseCertificate(certDER) +}