1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
|
// Copyright The Notary Project Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package Revocation provides methods for checking the revocation status of a
// certificate chain
package revocation
import (
"context"
"crypto/x509"
"errors"
"fmt"
"net/http"
"sync"
"time"
crlutil "github.com/notaryproject/notation-core-go/revocation/crl"
"github.com/notaryproject/notation-core-go/revocation/internal/crl"
"github.com/notaryproject/notation-core-go/revocation/internal/ocsp"
"github.com/notaryproject/notation-core-go/revocation/internal/x509util"
"github.com/notaryproject/notation-core-go/revocation/purpose"
"github.com/notaryproject/notation-core-go/revocation/result"
)
// Revocation is an interface that specifies methods used for revocation checking.
//
// Deprecated: Revocation exists for backwards compatibility and should not be used.
// To perform revocation check, use [Validator].
type Revocation interface {
// Validate checks the revocation status for a certificate chain using OCSP
// and CRL if OCSP is not available. It returns an array of
// CertRevocationResults that contain the results and any errors that are
// encountered during the process
Validate(certChain []*x509.Certificate, signingTime time.Time) ([]*result.CertRevocationResult, error)
}
// ValidateContextOptions provides configuration options for revocation checks
type ValidateContextOptions struct {
// CertChain denotes the certificate chain whose revocation status is
// been validated. REQUIRED.
CertChain []*x509.Certificate
// AuthenticSigningTime denotes the authentic signing time of the signature.
// It is used to compare with the InvalidityDate during revocation check.
// OPTIONAL.
//
// Reference: https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#revocation-checking-with-ocsp
AuthenticSigningTime time.Time
}
// Validator is an interface that provides revocation checking with
// context
type Validator interface {
// ValidateContext checks the revocation status given caller provided options
// and returns an array of CertRevocationResults that contain the results
// and any errors that are encountered during the process
ValidateContext(ctx context.Context, validateContextOpts ValidateContextOptions) ([]*result.CertRevocationResult, error)
}
// revocation is an internal struct used for revocation checking
type revocation struct {
ocspHTTPClient *http.Client
crlFetcher crlutil.Fetcher
certChainPurpose purpose.Purpose
}
// New constructs a revocation object for code signing certificate chain.
//
// Deprecated: New exists for backwards compatibility and should not be used.
// To create a revocation object, use [NewWithOptions].
func New(httpClient *http.Client) (Revocation, error) {
if httpClient == nil {
return nil, errors.New("invalid input: a non-nil httpClient must be specified")
}
fetcher, err := crlutil.NewHTTPFetcher(httpClient)
if err != nil {
return nil, err
}
return &revocation{
ocspHTTPClient: httpClient,
crlFetcher: fetcher,
certChainPurpose: purpose.CodeSigning,
}, nil
}
// Options specifies values that are needed to check revocation
type Options struct {
// OCSPHTTPClient is the HTTP client for OCSP request. If not provided,
// a default *http.Client with timeout of 2 seconds will be used.
// OPTIONAL.
OCSPHTTPClient *http.Client
// CRLFetcher is a fetcher for CRL with cache. If not provided, a default
// fetcher with an HTTP client and a timeout of 5 seconds will be used
// without cache.
CRLFetcher crlutil.Fetcher
// CertChainPurpose is the purpose of the certificate chain. Supported
// values are CodeSigning and Timestamping. Default value is CodeSigning.
// OPTIONAL.
CertChainPurpose purpose.Purpose
}
// NewWithOptions constructs a Validator with the specified options
func NewWithOptions(opts Options) (Validator, error) {
if opts.OCSPHTTPClient == nil {
opts.OCSPHTTPClient = &http.Client{Timeout: 2 * time.Second}
}
fetcher := opts.CRLFetcher
if fetcher == nil {
newFetcher, err := crlutil.NewHTTPFetcher(&http.Client{Timeout: 5 * time.Second})
if err != nil {
return nil, err
}
fetcher = newFetcher
}
switch opts.CertChainPurpose {
case purpose.CodeSigning, purpose.Timestamping:
default:
return nil, fmt.Errorf("unsupported certificate chain purpose %v", opts.CertChainPurpose)
}
return &revocation{
ocspHTTPClient: opts.OCSPHTTPClient,
crlFetcher: fetcher,
certChainPurpose: opts.CertChainPurpose,
}, nil
}
// Validate checks the revocation status for a certificate chain using OCSP and
// CRL if OCSP is not available. It returns an array of CertRevocationResults
// that contain the results and any errors that are encountered during the
// process.
//
// This function tries OCSP and falls back to CRL when:
// - OCSP is not supported by the certificate
// - OCSP returns an unknown status
//
// NOTE: The certificate chain is expected to be in the order of leaf to root.
func (r *revocation) Validate(certChain []*x509.Certificate, signingTime time.Time) ([]*result.CertRevocationResult, error) {
return r.ValidateContext(context.Background(), ValidateContextOptions{
CertChain: certChain,
AuthenticSigningTime: signingTime,
})
}
// ValidateContext checks the revocation status for a certificate chain using OCSP and
// CRL if OCSP is not available. It returns an array of CertRevocationResults
// that contain the results and any errors that are encountered during the
// process.
//
// This function tries OCSP and falls back to CRL when:
// - OCSP is not supported by the certificate
// - OCSP returns an unknown status
//
// NOTE: The certificate chain is expected to be in the order of leaf to root.
func (r *revocation) ValidateContext(ctx context.Context, validateContextOpts ValidateContextOptions) ([]*result.CertRevocationResult, error) {
// validate certificate chain
if len(validateContextOpts.CertChain) == 0 {
return nil, result.InvalidChainError{Err: errors.New("chain does not contain any certificates")}
}
certChain := validateContextOpts.CertChain
if err := x509util.ValidateChain(certChain, r.certChainPurpose); err != nil {
return nil, err
}
ocspOpts := ocsp.CertCheckStatusOptions{
HTTPClient: r.ocspHTTPClient,
SigningTime: validateContextOpts.AuthenticSigningTime,
}
crlOpts := crl.CertCheckStatusOptions{
Fetcher: r.crlFetcher,
SigningTime: validateContextOpts.AuthenticSigningTime,
}
// panicChain is used to store the panic in goroutine and handle it
panicChan := make(chan any, len(certChain))
defer close(panicChan)
certResults := make([]*result.CertRevocationResult, len(certChain))
var wg sync.WaitGroup
for i, cert := range certChain[:len(certChain)-1] {
switch {
case ocsp.Supported(cert):
// do OCSP check for the certificate
wg.Add(1)
go func(i int, cert *x509.Certificate) {
defer wg.Done()
defer func() {
if r := recover(); r != nil {
// catch panic and send it to panicChan to avoid
// losing the panic
panicChan <- r
}
}()
ocspResult := ocsp.CertCheckStatus(ctx, cert, certChain[i+1], ocspOpts)
if ocspResult != nil && ocspResult.Result == result.ResultUnknown && crl.Supported(cert) {
// try CRL check if OCSP serverResult is unknown
serverResult := crl.CertCheckStatus(ctx, cert, certChain[i+1], crlOpts)
// append CRL result to OCSP result
serverResult.ServerResults = append(ocspResult.ServerResults, serverResult.ServerResults...)
serverResult.RevocationMethod = result.RevocationMethodOCSPFallbackCRL
certResults[i] = serverResult
} else {
certResults[i] = ocspResult
}
}(i, cert)
case crl.Supported(cert):
// do CRL check for the certificate
wg.Add(1)
go func(i int, cert *x509.Certificate) {
defer wg.Done()
defer func() {
if r := recover(); r != nil {
// catch panic and send it to panicChan to avoid
// losing the panic
panicChan <- r
}
}()
certResults[i] = crl.CertCheckStatus(ctx, cert, certChain[i+1], crlOpts)
}(i, cert)
default:
certResults[i] = &result.CertRevocationResult{
Result: result.ResultNonRevokable,
ServerResults: []*result.ServerResult{{
Result: result.ResultNonRevokable,
RevocationMethod: result.RevocationMethodUnknown,
}},
RevocationMethod: result.RevocationMethodUnknown,
}
}
}
// Last is root cert, which will never be revoked by OCSP or CRL
certResults[len(certChain)-1] = &result.CertRevocationResult{
Result: result.ResultNonRevokable,
ServerResults: []*result.ServerResult{{
Result: result.ResultNonRevokable,
RevocationMethod: result.RevocationMethodUnknown,
}},
RevocationMethod: result.RevocationMethodUnknown,
}
wg.Wait()
// handle panic
select {
case p := <-panicChan:
panic(p)
default:
}
return certResults, nil
}
|
