Revert "update"

This reverts commit 3ca469d.
notaryproject · Aug 6, 2024 · 048b687 · 048b687
1 parent 3ca469d
commit 048b687
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 64 deletions.
diff --git a/revocation/revocation.go b/revocation/revocation.go
@@ -32,9 +32,9 @@ import (
 // Deprecated: Revocation exists for backwards compatibility and should not be used.
 // To perform revocation check, use [Validator].
 type Revocation interface {
-	// Validate checks the revocation status for a code signing certificate chain
-	// using OCSP and returns an array of CertRevocationResults that contain
-	// the results and any errors that are encountered during the process
+	// Validate checks the revocation status for a certificate chain using OCSP
+	// and returns an array of CertRevocationResults that contain the results
+	// and any errors that are encountered during the process
 	Validate(certChain []*x509.Certificate, signingTime time.Time) ([]*result.CertRevocationResult, error)
 }
 
@@ -50,11 +50,6 @@ type ValidateContextOptions struct {
 	//
 	// Reference: https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#revocation-checking-with-ocsp
 	AuthenticSigningTime time.Time
-
-	// CertChainPurpose is the purpose of the certificate chain. Supported
-	// values are x509.ExtKeyUsageCodeSigning and x509.ExtKeyUsageTimeStamping.
-	// REQUIRED.
-	CertChainPurpose x509.ExtKeyUsage
 }
 
 // Validator is an interface that provides revocation checking with
@@ -68,7 +63,8 @@ type Validator interface {
 
 // revocation is an internal struct used for revocation checking
 type revocation struct {
-	httpClient *http.Client
+	httpClient       *http.Client
+	certChainPurpose x509.ExtKeyUsage
 }
 
 // New constructs a revocation object for code signing certificate chain.
@@ -80,7 +76,8 @@ func New(httpClient *http.Client) (Revocation, error) {
 		return nil, errors.New("invalid input: a non-nil httpClient must be specified")
 	}
 	return &revocation{
-		httpClient: httpClient,
+		httpClient:       httpClient,
+		certChainPurpose: x509.ExtKeyUsageCodeSigning,
 	}, nil
 }
 
@@ -90,6 +87,11 @@ type Options struct {
 	// a default *http.Client with timeout of 2 seconds will be used.
 	// OPTIONAL.
 	OCSPHTTPClient *http.Client
+
+	// CertChainPurpose is the purpose of the certificate chain. Supported
+	// values are x509.ExtKeyUsageCodeSigning and x509.ExtKeyUsageTimeStamping.
+	// REQUIRED.
+	CertChainPurpose x509.ExtKeyUsage
 }
 
 // NewWithOptions constructs a Validator with the specified options
@@ -98,22 +100,28 @@ func NewWithOptions(opts Options) (Validator, error) {
 		opts.OCSPHTTPClient = &http.Client{Timeout: 2 * time.Second}
 	}
 
+	switch opts.CertChainPurpose {
+	case x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageTimeStamping:
+	default:
+		return nil, fmt.Errorf("unsupported certificate chain purpose %v", opts.CertChainPurpose)
+	}
+
 	return &revocation{
-		httpClient: opts.OCSPHTTPClient,
+		httpClient:       opts.OCSPHTTPClient,
+		certChainPurpose: opts.CertChainPurpose,
 	}, nil
 }
 
-// Validate checks the revocation status for a code signing certificate chain
-// using OCSP and returns an array of CertRevocationResults that contain the
-// results and any errors that are encountered during the process.
+// Validate checks the revocation status for a certificate chain using OCSP and
+// returns an array of CertRevocationResults that contain the results and any
+// errors that are encountered during the process
 //
 // TODO: add CRL support
 // https://github.com/notaryproject/notation-core-go/issues/125
 func (r *revocation) Validate(certChain []*x509.Certificate, signingTime time.Time) ([]*result.CertRevocationResult, error) {
 	return r.ValidateContext(context.Background(), ValidateContextOptions{
 		CertChain:            certChain,
 		AuthenticSigningTime: signingTime,
-		CertChainPurpose:     x509.ExtKeyUsageCodeSigning,
 	})
 }
 
@@ -128,15 +136,9 @@ func (r *revocation) ValidateContext(ctx context.Context, validateContextOpts Va
 		return nil, result.InvalidChainError{Err: errors.New("chain does not contain any certificates")}
 	}
 
-	switch validateContextOpts.CertChainPurpose {
-	case x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageTimeStamping:
-	default:
-		return nil, fmt.Errorf("unsupported certificate chain purpose %v", validateContextOpts.CertChainPurpose)
-	}
-
 	return ocsp.CheckStatus(ocsp.Options{
 		CertChain:        validateContextOpts.CertChain,
-		CertChainPurpose: validateContextOpts.CertChainPurpose,
+		CertChainPurpose: r.certChainPurpose,
 		SigningTime:      validateContextOpts.AuthenticSigningTime,
 		HTTPClient:       r.httpClient,
 	})

diff --git a/revocation/revocation_test.go b/revocation/revocation_test.go
@@ -102,11 +102,25 @@ func TestNew(t *testing.T) {
 
 func TestNewWithOptions(t *testing.T) {
 	t.Run("nil OCSP HTTP Client", func(t *testing.T) {
-		_, err := NewWithOptions(Options{})
+		_, err := NewWithOptions(Options{
+			CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+		})
 		if err != nil {
 			t.Fatal(err)
 		}
 	})
+
+	t.Run("invalid CertChainPurpose", func(t *testing.T) {
+		_, err := NewWithOptions(Options{
+			OCSPHTTPClient:   &http.Client{},
+			CertChainPurpose: -1,
+		})
+		expectedErrMsg := "unsupported certificate chain purpose -1"
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected %s, but got %s", expectedErrMsg, err.Error())
+		}
+	})
+
 }
 
 func TestCheckRevocationStatusForSingleCert(t *testing.T) {
@@ -480,15 +494,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 
 	t.Run("empty chain", func(t *testing.T) {
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: &http.Client{Timeout: 5 * time.Second},
+			OCSPHTTPClient:   &http.Client{Timeout: 5 * time.Second},
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            []*x509.Certificate{},
 			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		expectedErr := result.InvalidChainError{Err: errors.New("chain does not contain any certificates")}
 		if err == nil || err.Error() != expectedErr.Error() {
@@ -501,15 +515,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 	t.Run("check non-revoked chain", func(t *testing.T) {
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -524,38 +538,19 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 		}
 		validateEquivalentCertResults(certResults, expectedCertResults, t)
 	})
-
-	t.Run("invalid CertChainPurpose", func(t *testing.T) {
-		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: &http.Client{Timeout: 5 * time.Second},
-		})
-		if err != nil {
-			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
-		}
-		_, err = r.ValidateContext(context.Background(), ValidateContextOptions{
-			CertChain:            revokableChain,
-			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     -1,
-		})
-		expectedErrMsg := "unsupported certificate chain purpose -1"
-		if err == nil || err.Error() != expectedErrMsg {
-			t.Fatalf("expected %s, but got %s", expectedErrMsg, err.Error())
-		}
-	})
-
 	t.Run("check chain with 1 Unknown cert", func(t *testing.T) {
 		// 3rd cert will be unknown, the rest will be good
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good}, nil, true)
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -579,15 +574,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 		// 3rd cert will be revoked, the rest will be good
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true)
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -611,15 +606,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 		// 3rd cert will be unknown, 5th will be revoked, the rest will be good
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true)
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -649,15 +644,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 		// 3rd cert will be future revoked, the rest will be good
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true)
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -677,15 +672,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 		// 3rd cert will be unknown, 5th will be future revoked, the rest will be good
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true)
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now(),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -709,15 +704,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 		// 3rd cert will be revoked, the rest will be good
 		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true)
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now().Add(time.Hour),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -745,15 +740,15 @@ func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
 			t.Errorf("exected zeroTime.IsZero() to be true")
 		}
 		r, err := NewWithOptions(Options{
-			OCSPHTTPClient: client,
+			OCSPHTTPClient:   client,
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected successful creation of revocation, but received error: %v", err)
 		}
 		certResults, err := r.ValidateContext(context.Background(), ValidateContextOptions{
 			CertChain:            revokableChain,
 			AuthenticSigningTime: time.Now().Add(time.Hour),
-			CertChainPurpose:     x509.ExtKeyUsageTimeStamping,
 		})
 		if err != nil {
 			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
@@ -995,15 +990,14 @@ func TestCheckRevocationInvalidChain(t *testing.T) {
 
 func TestValidateContext(t *testing.T) {
 	r, err := NewWithOptions(Options{
-		OCSPHTTPClient: &http.Client{},
+		OCSPHTTPClient:   &http.Client{},
+		CertChainPurpose: x509.ExtKeyUsageCodeSigning,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	expectedErrMsg := "invalid chain: expected chain to be correct and complete: chain does not contain any certificates"
-	_, err = r.ValidateContext(context.Background(), ValidateContextOptions{
-		CertChainPurpose: x509.ExtKeyUsageCodeSigning,
-	})
+	_, err = r.ValidateContext(context.Background(), ValidateContextOptions{})
 	if err == nil || err.Error() != expectedErrMsg {
 		t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
 	}