feat: add OCSP and CRL revocation checks

go.mod

@@ -6,6 +6,88 @@ require (
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/veraison/go-cose v1.0.0
+	golang.org/x/crypto v0.0.0-20220824171710-5757bc0c5503
+	github.com/cloudflare/cfssl v1.6.3
+)
+
+require (
+	cloud.google.com/go v0.81.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bgentry/speakeasy v0.1.0 // indirect
+	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/cncf/udpa/go v0.0.0-20210322005330-6414d713912e // indirect
+	github.com/coreos/go-semver v0.3.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
+	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d // indirect
+	github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
+	github.com/fullstorydev/grpcurl v1.8.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/mock v1.5.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/btree v1.0.1 // indirect
+	github.com/google/certificate-transparency-go v1.1.2-0.20210511102531-373a877eec92 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/uuid v1.2.0 // indirect
+	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jhump/protoreflect v1.8.2 // indirect
+	github.com/jmoiron/sqlx v1.3.3 // indirect
+	github.com/jonboulle/clockwork v0.2.2 // indirect
+	github.com/json-iterator/go v1.1.11 // indirect
+	github.com/mattn/go-runewidth v0.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/prometheus/client_golang v1.10.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.24.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/soheilhy/cmux v0.1.5 // indirect
+	github.com/spf13/cobra v1.1.3 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
+	github.com/urfave/cli v1.22.5 // indirect
+	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
+	go.etcd.io/bbolt v1.3.5 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.0-alpha.0 // indirect
+	go.etcd.io/etcd/client/v2 v2.305.0-alpha.0 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.0-alpha.0 // indirect
+	go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0 // indirect
+	go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0 // indirect
+	go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0 // indirect
+	go.etcd.io/etcd/server/v3 v3.5.0-alpha.0 // indirect
+	go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0 // indirect
+	go.etcd.io/etcd/v3 v3.5.0-alpha.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.7.0 // indirect
+	go.uber.org/zap v1.16.0 // indirect
+	golang.org/x/mod v0.4.2 // indirect
+	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
+	golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c // indirect
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
+	golang.org/x/tools v0.1.0 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a // indirect
+	google.golang.org/grpc v1.37.0 // indirect
+	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
 )
 
 require github.com/x448/float16 v0.8.4 // indirect

signature/cose/envelope.go

@@ -257,6 +257,14 @@ func (e *envelope) Verify() (*signature.EnvelopeContent, error) {
 		return nil, &signature.InvalidSignatureError{Msg: "malformed leaf certificate"}
 	}
 
+	rc := signature.NewRevocationChecker()
+	revoked, err := rc.CheckRevocationStatus(cert)
+	if err != nil {
+		return nil, err
+	} else if revoked {
+		return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"}
+	}
+
 	// core verify process, verify integrity of COSE envelope
 	publicKeyAlg, err := getSignatureAlgorithm(cert)
 	if err != nil {

signature/cose/envelope_test.go

@@ -1,10 +1,12 @@
 package cose
 
 import (
+	"context"
 	"crypto"
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"sync"
 	"testing"
 	"time"
 
@@ -13,6 +15,7 @@ import (
 	"github.com/notaryproject/notation-core-go/signature/internal/signaturetest"
 	"github.com/notaryproject/notation-core-go/testhelper"
 	"github.com/veraison/go-cose"
+	"golang.org/x/crypto/ocsp"
 )
 
 const (
@@ -403,6 +406,99 @@ func TestVerifyErrors(t *testing.T) {
 			t.Fatalf("Verify() expects error: %v, but got: %v.", expected, err)
 		}
 	})
+
+	// Testing verify with revokable certificates
+	t.Run("when COSE envelope has non-revoked certificate", func(t *testing.T) {
+		revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
+		revokableCert := revokableCertTuple.Cert
+		revokableKey := revokableCertTuple.PrivateKey
+
+		serverShutdownWaitGroup := &sync.WaitGroup{}
+		serverShutdownWaitGroup.Add(1)
+		srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, false, serverShutdownWaitGroup)
+
+		env, err := getVerifyCOSE("notary.x509", signature.KeyTypeRSA, 3072)
+		if err != nil {
+			t.Errorf("getVerifyCOSE() failed. Error = %s", err)
+		}
+		certs, ok := env.base.Headers.Unprotected[cose.HeaderLabelX5Chain].([]any)
+		if !ok || len(certs) == 0 {
+			t.Errorf("certificate chain is not present")
+		}
+		certs[0] = revokableCert.Raw
+		env.base.Headers.Unprotected[cose.HeaderLabelX5Chain] = certs
+		//Integrity of the envelope has been invalidated, so signature will fail, but this is after revoke check
+		_, err = env.Verify()
+		unexpected := errors.New("certificate has been revoked")
+		if isErrEqual(unexpected, err) {
+			t.Errorf("Verify() expects to not get error: %v, but got: %v.", unexpected, err)
+		}
+
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("Error while shutting down server: %v", err)
+		}
+		serverShutdownWaitGroup.Wait()
+	})
+	t.Run("when COSE envelope has OCSP revoked certificate", func(t *testing.T) {
+		revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
+		revokableCert := revokableCertTuple.Cert
+		revokableKey := revokableCertTuple.PrivateKey
+
+		serverShutdownWaitGroup := &sync.WaitGroup{}
+		serverShutdownWaitGroup.Add(1)
+		srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Revoked, false, serverShutdownWaitGroup)
+
+		env, err := getVerifyCOSE("notary.x509", signature.KeyTypeRSA, 3072)
+		if err != nil {
+			t.Errorf("getVerifyCOSE() failed. Error = %s", err)
+		}
+		certs, ok := env.base.Headers.Unprotected[cose.HeaderLabelX5Chain].([]any)
+		if !ok || len(certs) == 0 {
+			t.Errorf("certificate chain is not present")
+		}
+		certs[0] = revokableCert.Raw
+		env.base.Headers.Unprotected[cose.HeaderLabelX5Chain] = certs
+		_, err = env.Verify()
+		expected := errors.New("certificate has been revoked")
+		if !isErrEqual(expected, err) {
+			t.Errorf("Verify() expects error: %v, but got: %v.", expected, err)
+		}
+
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("Error while shutting down server: %v", err)
+		}
+		serverShutdownWaitGroup.Wait()
+	})
+	t.Run("when COSE envelope has CRL revoked certificate", func(t *testing.T) {
+		revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
+		revokableCert := revokableCertTuple.Cert
+		revokableKey := revokableCertTuple.PrivateKey
+
+		serverShutdownWaitGroup := &sync.WaitGroup{}
+		serverShutdownWaitGroup.Add(1)
+		srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, true, serverShutdownWaitGroup)
+
+		env, err := getVerifyCOSE("notary.x509", signature.KeyTypeRSA, 3072)
+		if err != nil {
+			t.Errorf("getVerifyCOSE() failed. Error = %s", err)
+		}
+		certs, ok := env.base.Headers.Unprotected[cose.HeaderLabelX5Chain].([]any)
+		if !ok || len(certs) == 0 {
+			t.Errorf("certificate chain is not present")
+		}
+		certs[0] = revokableCert.Raw
+		env.base.Headers.Unprotected[cose.HeaderLabelX5Chain] = certs
+		_, err = env.Verify()
+		expected := errors.New("certificate has been revoked")
+		if !isErrEqual(expected, err) {
+			t.Errorf("Verify() expects error: %v, but got: %v.", expected, err)
+		}
+
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("Error while shutting down server: %v", err)
+		}
+		serverShutdownWaitGroup.Wait()
+	})
 }
 
 func TestPayloadErrors(t *testing.T) {

signature/jws/envelope.go

@@ -101,6 +101,14 @@ func (e *envelope) Verify() (*signature.EnvelopeContent, error) {
 		return nil, &signature.InvalidSignatureError{Msg: "malformed leaf certificate"}
 	}
 
+	rc := signature.NewRevocationChecker()
+	revoked, err := rc.CheckRevocationStatus(cert)
+	if err != nil {
+		return nil, err
+	} else if revoked {
+		return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"}
+	}
+
 	// verify JWT
 	compact := compactJWS(e.base)
 	if err = verifyJWT(compact, cert.PublicKey); err != nil {

signature/jws/envelope_test.go

@@ -1,6 +1,7 @@
 package jws
 
 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/rand"
@@ -13,12 +14,14 @@ import (
 	"math"
 	"reflect"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
 	"github.com/notaryproject/notation-core-go/signature"
 	"github.com/notaryproject/notation-core-go/signature/internal/signaturetest"
 	"github.com/notaryproject/notation-core-go/testhelper"
+	"golang.org/x/crypto/ocsp"
 )
 
 // remoteMockSigner is used to mock remote signer
@@ -336,6 +339,85 @@ func TestVerify(t *testing.T) {
 		checkErrorEqual(t, "malformed leaf certificate", err.Error())
 	})
 
+	t.Run("nonrevoked certificate", func(t *testing.T) {
+		revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
+		revokableCert := revokableCertTuple.Cert
+		revokableKey := revokableCertTuple.PrivateKey
+
+		serverShutdownWaitGroup := &sync.WaitGroup{}
+		serverShutdownWaitGroup.Add(1)
+		srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, false, serverShutdownWaitGroup)
+
+		// get envelope
+		env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)
+		checkNoError(t, err)
+
+		// change cert to revokable cert
+		env.Header.CertChain[0] = revokableCert.Raw
+
+		// Integrity of the envelope has been invalidated, so signature will fail, but this is after revoke check
+		err = verifyEnvelope(env)
+		unexpected := errors.New("certificate has been revoked")
+		if err == unexpected {
+			t.Errorf("did not expect to not get error: %v, but got: %v.", unexpected, err)
+		}
+
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("Error while shutting down server: %v", err)
+		}
+		serverShutdownWaitGroup.Wait()
+	})
+
+	t.Run("OCSP revoked certificate", func(t *testing.T) {
+		revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
+		revokableCert := revokableCertTuple.Cert
+		revokableKey := revokableCertTuple.PrivateKey
+
+		serverShutdownWaitGroup := &sync.WaitGroup{}
+		serverShutdownWaitGroup.Add(1)
+		srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Revoked, false, serverShutdownWaitGroup)
+
+		// get envelope
+		env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)
+		checkNoError(t, err)
+
+		// change cert to revokable cert
+		env.Header.CertChain[0] = revokableCert.Raw
+
+		err = verifyEnvelope(env)
+		checkErrorEqual(t, "certificate has been revoked", err.Error())
+
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("Error while shutting down server: %v", err)
+		}
+		serverShutdownWaitGroup.Wait()
+	})
+
+	t.Run("CRL revoked certificate", func(t *testing.T) {
+		revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
+		revokableCert := revokableCertTuple.Cert
+		revokableKey := revokableCertTuple.PrivateKey
+
+		serverShutdownWaitGroup := &sync.WaitGroup{}
+		serverShutdownWaitGroup.Add(1)
+		srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, true, serverShutdownWaitGroup)
+
+		// get envelope
+		env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)
+		checkNoError(t, err)
+
+		// change cert to revokable cert
+		env.Header.CertChain[0] = revokableCert.Raw
+
+		err = verifyEnvelope(env)
+		checkErrorEqual(t, "certificate has been revoked", err.Error())
+
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("Error while shutting down server: %v", err)
+		}
+		serverShutdownWaitGroup.Wait()
+	})
+
 	t.Run("malformed protected header base64 encoded", func(t *testing.T) {
 		// get envelope
 		env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)

signature/revocation.go

@@ -0,0 +1,26 @@
+package signature
+
+import (
+	"crypto/x509"
+	"net/http"
+
+	"github.com/cloudflare/cfssl/revoke"
+)
+
+type RevocationChecker struct {
+	HTTPClient *http.Client
+}
+
+func NewRevocationChecker(httpClients ...http.Client) *RevocationChecker {
+	if len(httpClients) == 0 {
+		return &RevocationChecker{HTTPClient: http.DefaultClient}
+	} else {
+		return &RevocationChecker{HTTPClient: &httpClients[0]}
+	}
+}
+
+func (r RevocationChecker) CheckRevocationStatus(cert *x509.Certificate) (bool, error) {
+	revoke.HTTPClient = r.HTTPClient
+	revoked, _, err := revoke.VerifyCertificateError(cert)
+	return revoked, err
+}