feat: CRL

revocation/internal/crl/crl.go

@@ -26,12 +26,10 @@ import (
 	"net/url"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation/internal/revocation"
 	"github.com/notaryproject/notation-core-go/revocation/result"
 )
 
-// RevocationMethodCRL represents the CRL revocation method
-const RevocationMethodCRL = 2
-
 var (
 	// oidFreshestCRL is the object identifier for the distribution point
 	// for the delta CRL. (See RFC 5280, Section 5.2.6)
@@ -75,10 +73,10 @@ func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts C
 		return &result.CertRevocationResult{
 			Result: result.ResultNonRevokable,
 			ServerResults: []*result.ServerResult{{
-				RevocationMethod: RevocationMethodCRL,
+				RevocationMethod: revocation.MethodCRL,
 				Result:           result.ResultNonRevokable,
 			}},
-			RevocationMethod: RevocationMethodCRL,
+			RevocationMethod: revocation.MethodCRL,
 		}
 	}
 
@@ -90,11 +88,11 @@ func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts C
 	// point with one CRL URI, which will be cached, so checking all the URIs is
 	// not a performance issue.
 	var (
-		results []*result.ServerResult
-		lastErr error
-		crlURL  string
+		serverResults = make([]*result.ServerResult, 0, len(cert.CRLDistributionPoints))
+		lastErr       error
+		crlURL        string
 	)
-	for _, crlURL = range cert.CRLDistributionPoints {
+	for _, crlURL := range cert.CRLDistributionPoints {
 		baseCRL, err := download(ctx, crlURL, opts.HTTPClient)
 		if err != nil {
 			lastErr = fmt.Errorf("failed to download CRL from %s: %w", crlURL, err)
@@ -115,11 +113,11 @@ func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts C
 			return &result.CertRevocationResult{
 				Result:           result.ResultRevoked,
 				ServerResults:    []*result.ServerResult{crlResult},
-				RevocationMethod: RevocationMethodCRL,
+				RevocationMethod: revocation.MethodCRL,
 			}
 		}
 
-		results = append(results, crlResult)
+		serverResults = append(serverResults, crlResult)
 	}
 
 	if lastErr != nil {
@@ -130,16 +128,16 @@ func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts C
 					Result:           result.ResultUnknown,
 					Server:           crlURL,
 					Error:            lastErr,
-					RevocationMethod: RevocationMethodCRL,
+					RevocationMethod: revocation.MethodCRL,
 				}},
-			RevocationMethod: RevocationMethodCRL,
+			RevocationMethod: revocation.MethodCRL,
 		}
 	}
 
 	return &result.CertRevocationResult{
 		Result:           result.ResultOK,
-		ServerResults:    results,
-		RevocationMethod: RevocationMethodCRL,
+		ServerResults:    serverResults,
+		RevocationMethod: revocation.MethodCRL,
 	}
 }
 
@@ -208,15 +206,15 @@ func checkRevocation(cert *x509.Certificate, baseCRL *x509.RevocationList, signi
 			return &result.ServerResult{
 				Result:           result.ResultRevoked,
 				Server:           crlURL,
-				RevocationMethod: RevocationMethodCRL,
+				RevocationMethod: revocation.MethodCRL,
 			}, nil
 		}
 	}
 
 	return &result.ServerResult{
 		Result:           result.ResultOK,
 		Server:           crlURL,
-		RevocationMethod: RevocationMethodCRL,
+		RevocationMethod: revocation.MethodCRL,
 	}, nil
 }
 

revocation/internal/ocsp/ocsp.go

@@ -30,13 +30,11 @@
 	"strings"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation/internal/revocation"
 	"github.com/notaryproject/notation-core-go/revocation/result"
 	"golang.org/x/crypto/ocsp"
 )
 
-// RevocationMethodOCSP represents the OCSP revocation method
-const RevocationMethodOCSP = 1
-
 // CertCheckStatusOptions specifies values that are needed to check OCSP revocation
 type CertCheckStatusOptions struct {
 	// HTTPClient is the HTTP client used to perform the OCSP request
@@ -61,7 +59,7 @@
 		return &result.CertRevocationResult{
 			Result:           result.ResultNonRevokable,
 			ServerResults:    []*result.ServerResult{toServerResult("", NoServerError{})},
-			RevocationMethod: RevocationMethodOCSP,
+			RevocationMethod: revocation.MethodOCSP,
 		}
 	}
 	ocspURLs := cert.OCSPServer
@@ -77,9 +75,9 @@
 			// other servers
 			return serverResultsToCertRevocationResult([]*result.ServerResult{serverResult})
 		}
 		serverResults[serverIndex] = serverResult
 	}
 	return serverResultsToCertRevocationResult(serverResults)
 }
 
 // Supported returns true if the certificate supports OCSP.
@@ -113,7 +111,7 @@
 	if _, foundNoCheck := extensionMap[pkixNoCheckOID]; !foundNoCheck {
 		// This will be ignored until CRL is implemented
 		// If it isn't found, CRL should be used to verify the OCSP response
 		_ = foundNoCheck // needed to bypass linter warnings (Remove after adding CRL)
 		// TODO: add CRL support
 		// https://github.com/notaryproject/notation-core-go/issues/125
 	}
@@ -158,7 +156,7 @@
 	// that were tested.
 	ocspRequest, err := ocsp.CreateRequest(cert, issuer, &ocsp.RequestOptions{Hash: crypto.SHA1})
 	if err != nil {
 		return nil, GenericError{Err: err}
 	}
 
 	var resp *http.Response
@@ -169,45 +167,45 @@
 			var reqURL string
 			reqURL, err = url.JoinPath(server, encodedReq)
 			if err != nil {
 				return nil, GenericError{Err: err}
 			}
 			resp, err = opts.HTTPClient.Get(reqURL)
 		} else {
 			resp, err = postRequest(ocspRequest, server, opts.HTTPClient)
 		}
 	} else {
 		resp, err = postRequest(ocspRequest, server, opts.HTTPClient)
 	}
 
 	if err != nil {
 		var urlErr *url.Error
 		if errors.As(err, &urlErr) && urlErr.Timeout() {
 			return nil, TimeoutError{}
 		}
 		return nil, GenericError{Err: err}
 	}
 	defer resp.Body.Close()
 
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		return nil, fmt.Errorf("failed to retrieve OCSP: response had status code %d", resp.StatusCode)
 	}
 
 	body, err := io.ReadAll(io.LimitReader(resp.Body, ocspMaxResponseSize))
 	if err != nil {
 		return nil, GenericError{Err: err}
 	}
 
 	switch {
 	case bytes.Equal(body, ocsp.UnauthorizedErrorResponse):
 		return nil, GenericError{Err: errors.New("OCSP unauthorized")}
 	case bytes.Equal(body, ocsp.MalformedRequestErrorResponse):
 		return nil, GenericError{Err: errors.New("OCSP malformed")}
 	case bytes.Equal(body, ocsp.InternalErrorErrorResponse):
 		return nil, GenericError{Err: errors.New("OCSP internal error")}
 	case bytes.Equal(body, ocsp.TryLaterErrorResponse):
 		return nil, GenericError{Err: errors.New("OCSP try later")}
 	case bytes.Equal(body, ocsp.SigRequredErrorResponse):
 		return nil, GenericError{Err: errors.New("OCSP signature required")}
 	}
 
 	return ocsp.ParseResponseForCert(body, cert, issuer)
@@ -232,14 +230,14 @@
 		// and TimeoutError
 		serverResult = result.NewServerResult(result.ResultUnknown, server, t)
 	}
-	serverResult.RevocationMethod = RevocationMethodOCSP
+	serverResult.RevocationMethod = revocation.MethodOCSP
 	return serverResult
 }
 
 func serverResultsToCertRevocationResult(serverResults []*result.ServerResult) *result.CertRevocationResult {
 	return &result.CertRevocationResult{
 		Result:           serverResults[len(serverResults)-1].Result,
 		ServerResults:    serverResults,
-		RevocationMethod: RevocationMethodOCSP,
+		RevocationMethod: revocation.MethodOCSP,
 	}
 }

revocation/internal/revocation/method.go

@@ -0,0 +1,53 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package revocation provides methods for checking the revocation status of a
+// certificate
+package revocation
+
+// Method defines the method used to check the revocation status of a
+// certificate.
+type Method int
+
+const (
+	// MethodUnknown is used for root certificates or when the method
+	// used to check the revocation status of a certificate is unknown.
+	MethodUnknown Method = iota
+
+	// MethodOCSP represents OCSP as the method used to check the
+	// revocation status of a certificate.
+	MethodOCSP
+
+	// MethodCRL represents CRL as the method used to check the
+	// revocation status of a certificate.
+	MethodCRL
+
+	// MethodOCSPFallbackCRL represents OCSP check with unknown error
+	// fallback to CRL as the method used to check the revocation status of a
+	// certificate.
+	MethodOCSPFallbackCRL
+)
+
+// String provides a conversion from a Method to a string
+func (m Method) String() string {
+	switch m {
+	case MethodOCSP:
+		return "OCSP"
+	case MethodCRL:
+		return "CRL"
+	case MethodOCSPFallbackCRL:
+		return "OCSPFallbackCRL"
+	default:
+		return "Unknown"
+	}
+}

revocation/method_test.go → revocation/internal/revocation/method_test.go

@@ -15,25 +15,23 @@ package revocation
 
 import "testing"
 
-func TestMethods(t *testing.T) {
-	t.Run("MethodUnknown", func(t *testing.T) {
-		if MethodUnknown != 0 {
-			t.Errorf("Expected %d but got %d", 0, MethodUnknown)
-		}
-	})
-	t.Run("MethodOCSP", func(t *testing.T) {
-		if MethodOCSP != 1 {
-			t.Errorf("Expected %d but got %d", 1, MethodOCSP)
-		}
-	})
-	t.Run("MethodCRL", func(t *testing.T) {
-		if MethodCRL != 2 {
-			t.Errorf("Expected %d but got %d", 1, MethodCRL)
-		}
-	})
-	t.Run("MethodOCSPFallbackCRL", func(t *testing.T) {
-		if MethodOCSPFallbackCRL != 3 {
-			t.Errorf("Expected %d but got %d", 3, MethodOCSPFallbackCRL)
-		}
-	})
+func TestMethodString(t *testing.T) {
+	tests := []struct {
+		method   Method
+		expected string
+	}{
+		{MethodOCSP, "OCSP"},
+		{MethodCRL, "CRL"},
+		{MethodOCSPFallbackCRL, "OCSPFallbackCRL"},
+		{Method(999), "Unknown"}, // Test for default case
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.expected, func(t *testing.T) {
+			result := tt.method.String()
+			if result != tt.expected {
+				t.Errorf("expected %s, got %s", tt.expected, result)
+			}
+		})
+	}
 }

revocation/method.go

@@ -14,25 +14,28 @@
 package revocation
 
 import (
-	"github.com/notaryproject/notation-core-go/revocation/internal/crl"
-	"github.com/notaryproject/notation-core-go/revocation/internal/ocsp"
+	internalrevocation "github.com/notaryproject/notation-core-go/revocation/internal/revocation"
 )
 
+// Method defines the method used to check the revocation status of a
+// certificate.
+type Method = internalrevocation.Method
+
 const (
 	// MethodUnknown is used for root certificates or when the method
 	// used to check the revocation status of a certificate is unknown.
-	MethodUnknown int = 0
+	MethodUnknown = internalrevocation.MethodUnknown
 
 	// MethodOCSP represents OCSP as the method used to check the
-	// revocation status of a certificate
-	MethodOCSP = ocsp.RevocationMethodOCSP
+	// revocation status of a certificate.
+	MethodOCSP = internalrevocation.MethodOCSP
 
 	// MethodCRL represents CRL as the method used to check the
-	// revocation status of a certificate
-	MethodCRL = crl.RevocationMethodCRL
+	// revocation status of a certificate.
+	MethodCRL = internalrevocation.MethodCRL
 
 	// MethodOCSPFallbackCRL represents OCSP check with unknown error
 	// fallback to CRL as the method used to check the revocation status of a
-	// certificate
-	MethodOCSPFallbackCRL = 3
+	// certificate.
+	MethodOCSPFallbackCRL = internalrevocation.MethodOCSPFallbackCRL
 )

revocation/result/results.go

@@ -14,7 +14,11 @@
 // Package result provides general objects that are used across revocation
 package result
 
-import "strconv"
+import (
+	"strconv"
+
+	"github.com/notaryproject/notation-core-go/revocation/internal/revocation"
+)
 
 // Result is a type of enumerated value to help characterize revocation result.
 // It can be OK, Unknown, NonRevokable, or Revoked
@@ -74,7 +78,7 @@ type ServerResult struct {
 
 	// RevocationMethod is the method used to check the revocation status of the
 	// certificate, including Unknown(0), MethodOCSP(1), MethodCRL(2)
-	RevocationMethod int
+	RevocationMethod revocation.Method
 }
 
 // NewServerResult creates a ServerResult object from its individual parts: a
@@ -116,6 +120,6 @@ type CertRevocationResult struct {
 
 	// RevocationMethod is the method used to check the revocation status of the
 	// certificate, including Unknown(0), MethodOCSP(1), MethodCRL(2) and
-	// OCSPFallbackCRL(3)
-	RevocationMethod int
+	// MethodOCSPFallbackCRL(3)
+	RevocationMethod revocation.Method
 }