Squashed commit of the following:

commit 004b86d Author: Patrick Zheng <[email protected]> Date: Thu Aug 8 09:50:12 2024 +0800 refactor!: update revocation (notaryproject#215) Signed-off-by: Patrick Zheng <[email protected]> Signed-off-by: Junjie Gao <[email protected]>
JeyJeyGao · Aug 8, 2024 · 281dd64 · 281dd64
1 parent c512907
commit 281dd64
Show file tree

Hide file tree

Showing 5 changed files with 121 additions and 108 deletions.
diff --git a/revocation/internal/ocsp/ocsp.go b/revocation/internal/ocsp/ocsp.go
@@ -31,6 +31,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation/purpose"
 	"github.com/notaryproject/notation-core-go/revocation/result"
 	coreX509 "github.com/notaryproject/notation-core-go/x509"
 	"golang.org/x/crypto/ocsp"
@@ -41,10 +42,9 @@ type Options struct {
 	CertChain []*x509.Certificate
 
 	// CertChainPurpose is the purpose of the certificate chain. Supported
-	// values are x509.ExtKeyUsageCodeSigning and x509.ExtKeyUsageTimeStamping.
-	// When not provided, the default value x509.ExtKeyUsageAny is also taken as
-	// a code signing certificate chain.
-	CertChainPurpose x509.ExtKeyUsage
+	// values are CodeSigning and Timestamping.
+	// When not provided, the default value is CodeSigning.
+	CertChainPurpose purpose.Purpose
 
 	SigningTime time.Time
 	HTTPClient  *http.Client
@@ -96,17 +96,17 @@ func CheckStatus(opts Options) ([]*result.CertRevocationResult, error) {
 	return certResults, nil
 }
 
-func ValidateCertificateChain(certChain []*x509.Certificate, certChainPurpose x509.ExtKeyUsage) error {
+func ValidateCertificateChain(certChain []*x509.Certificate, certChainPurpose purpose.Purpose) error {
 	switch certChainPurpose {
-	case x509.ExtKeyUsageAny, x509.ExtKeyUsageCodeSigning:
+	case purpose.CodeSigning:
 		// Since ValidateCodeSigningCertChain is using authentic signing time,
 		// signing time may be zero.
 		// Thus, it is better to pass nil here than fail for a cert's NotBefore
 		// being after zero time
 		if err := coreX509.ValidateCodeSigningCertChain(certChain, nil); err != nil {
 			return result.InvalidChainError{Err: err}
 		}
-	case x509.ExtKeyUsageTimeStamping:
+	case purpose.Timestamping:
 		if err := coreX509.ValidateTimestampingCertChain(certChain); err != nil {
 			return result.InvalidChainError{Err: err}
 		}

diff --git a/revocation/internal/ocsp/ocsp_test.go b/revocation/internal/ocsp/ocsp_test.go
@@ -21,6 +21,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation/purpose"
 	"github.com/notaryproject/notation-core-go/revocation/result"
 	"github.com/notaryproject/notation-core-go/testhelper"
 	"golang.org/x/crypto/ocsp"
@@ -89,7 +90,7 @@ func TestCheckStatus(t *testing.T) {
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -102,7 +103,7 @@ func TestCheckStatus(t *testing.T) {
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Unknown}, nil, true)
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -120,7 +121,7 @@ func TestCheckStatus(t *testing.T) {
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Revoked}, nil, true)
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -139,7 +140,7 @@ func TestCheckStatus(t *testing.T) {
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Revoked}, &revokedTime, true)
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -155,7 +156,7 @@ func TestCheckStatusForSelfSignedCert(t *testing.T) {
 	client := testhelper.MockClient([]testhelper.RSACertTuple{selfSignedTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 	opts := Options{
 		CertChain:        []*x509.Certificate{selfSignedTuple.Cert},
-		CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+		CertChainPurpose: purpose.CodeSigning,
 		SigningTime:      time.Now(),
 		HTTPClient:       client,
 	}
@@ -173,7 +174,7 @@ func TestCheckStatusForRootCert(t *testing.T) {
 	client := testhelper.MockClient([]testhelper.RSACertTuple{rootTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 	opts := Options{
 		CertChain:        []*x509.Certificate{rootTuple.Cert},
-		CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+		CertChainPurpose: purpose.CodeSigning,
 		SigningTime:      time.Now(),
 		HTTPClient:       client,
 	}
@@ -193,7 +194,7 @@ func TestCheckStatusForNonSelfSignedSingleCert(t *testing.T) {
 	client := testhelper.MockClient([]testhelper.RSACertTuple{certTuple}, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 	opts := Options{
 		CertChain:        []*x509.Certificate{certTuple.Cert},
-		CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+		CertChainPurpose: purpose.CodeSigning,
 		SigningTime:      time.Now(),
 		HTTPClient:       client,
 	}
@@ -220,7 +221,7 @@ func TestCheckStatusForChain(t *testing.T) {
 	t.Run("empty chain", func(t *testing.T) {
 		opts := Options{
 			CertChain:        []*x509.Certificate{},
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       http.DefaultClient,
 		}
@@ -237,7 +238,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -261,7 +262,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		// 3rd cert will be unknown, the rest will be good
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -290,7 +291,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		// 3rd cert will be revoked, the rest will be good
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -319,7 +320,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		// 3rd cert will be unknown, 5th will be revoked, the rest will be good
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -354,7 +355,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		// 3rd cert will be revoked, the rest will be good
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -379,7 +380,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		// 3rd cert will be unknown, 5th will be revoked, the rest will be good
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -408,7 +409,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		// 3rd cert will be revoked, the rest will be good
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now().Add(time.Hour),
 			HTTPClient:       client,
 		}
@@ -438,7 +439,7 @@ func TestCheckStatusForChain(t *testing.T) {
 		// 3rd cert will be revoked, the rest will be good
 		opts := Options{
 			CertChain:        revokableChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      zeroTime,
 			HTTPClient:       client,
 		}
@@ -499,7 +500,7 @@ func TestCheckStatusErrors(t *testing.T) {
 	t.Run("no OCSPServer specified", func(t *testing.T) {
 		opts := Options{
 			CertChain:        noOCSPChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       http.DefaultClient,
 		}
@@ -522,7 +523,7 @@ func TestCheckStatusErrors(t *testing.T) {
 	t.Run("chain missing root", func(t *testing.T) {
 		opts := Options{
 			CertChain:        noRootChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       http.DefaultClient,
 		}
@@ -538,7 +539,7 @@ func TestCheckStatusErrors(t *testing.T) {
 	t.Run("backwards chain", func(t *testing.T) {
 		opts := Options{
 			CertChain:        backwardsChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       http.DefaultClient,
 		}
@@ -554,7 +555,7 @@ func TestCheckStatusErrors(t *testing.T) {
 	t.Run("check codesigning cert with PurposeTimestamping", func(t *testing.T) {
 		opts := Options{
 			CertChain:        okChain,
-			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
+			CertChainPurpose: purpose.Timestamping,
 			SigningTime:      time.Now(),
 			HTTPClient:       http.DefaultClient,
 		}
@@ -599,7 +600,7 @@ func TestCheckStatusErrors(t *testing.T) {
 		timeoutClient := &http.Client{Timeout: 1 * time.Nanosecond}
 		opts := Options{
 			CertChain:        okChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       timeoutClient,
 		}
@@ -629,7 +630,7 @@ func TestCheckStatusErrors(t *testing.T) {
 		client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 		opts := Options{
 			CertChain:        expiredChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -654,7 +655,7 @@ func TestCheckStatusErrors(t *testing.T) {
 		client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, false)
 		opts := Options{
 			CertChain:        okChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -675,7 +676,7 @@ func TestCheckStatusErrors(t *testing.T) {
 		client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 		opts := Options{
 			CertChain:        noHTTPChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -723,7 +724,7 @@ func TestCheckOCSPInvalidChain(t *testing.T) {
 		client := testhelper.MockClient(revokableTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 		opts := Options{
 			CertChain:        missingIntermediateChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}
@@ -740,7 +741,7 @@ func TestCheckOCSPInvalidChain(t *testing.T) {
 		client := testhelper.MockClient(misorderedIntermediateTuples, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 		opts := Options{
 			CertChain:        misorderedIntermediateChain,
-			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+			CertChainPurpose: purpose.CodeSigning,
 			SigningTime:      time.Now(),
 			HTTPClient:       client,
 		}

diff --git a/revocation/purpose/purpose.go b/revocation/purpose/purpose.go
@@ -0,0 +1,28 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package purpose provides purposes of the certificate chain whose revocation
+// status is checked
+package purpose
+
+// Purpose is an enum for purpose of the certificate chain whose revocation
+// status is checked
+type Purpose int
+
+const (
+	// CodeSigning means the certificate chain is a code signing chain
+	CodeSigning Purpose = iota
+
+	// Timestamping means the certificate chain is a timestamping chain
+	Timestamping
+)