Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor!: update revocation #215

Merged
merged 25 commits into from
Aug 8, 2024
Merged

refactor!: update revocation #215

Show file tree
Hide file tree
Changes from 20 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
e218e8f
refactored revocation
Two-Hearts Jul 29, 2024
bba1705
fixed license
Two-Hearts Jul 29, 2024
b886f0a
updated per code review
Two-Hearts Jul 29, 2024
dc24a75
fix
Two-Hearts Jul 29, 2024
dadec5f
fix
Two-Hearts Jul 29, 2024
73d64c8
update
Two-Hearts Jul 30, 2024
56447bd
update
Two-Hearts Jul 30, 2024
254c50c
update
Two-Hearts Jul 30, 2024
e19d36b
fix
Two-Hearts Jul 30, 2024
442f510
update
Two-Hearts Jul 30, 2024
0e7da15
deprecate
Two-Hearts Jul 30, 2024
5d5043a
updated per code review
Two-Hearts Jul 30, 2024
8f09e5d
updated per code review
Two-Hearts Jul 31, 2024
fb94266
updated per code review
Two-Hearts Jul 31, 2024
ef895d8
update
Two-Hearts Jul 31, 2024
74357d9
update
Two-Hearts Jul 31, 2024
17703be
updated per code review
Two-Hearts Aug 1, 2024
2272d07
update
Two-Hearts Aug 5, 2024
ac2e649
added more comments
Two-Hearts Aug 6, 2024
da3704d
added more comments
Two-Hearts Aug 6, 2024
3ca469d
update
Two-Hearts Aug 6, 2024
8a09715
Revert "update"
Two-Hearts Aug 6, 2024
6166ff2
updated per discussions
Two-Hearts Aug 7, 2024
67f085a
updated per discussions
Two-Hearts Aug 7, 2024
02ab652
updated per discussions
Two-Hearts Aug 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 17 additions & 23 deletions revocation/ocsp/ocsp.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,24 +36,18 @@ import (
"golang.org/x/crypto/ocsp"
)

// Purpose is an enum for purpose of the certificate chain whose OCSP status
// is checked
type Purpose int

const (
// PurposeCodeSigning means the certificate chain is a code signing chain
PurposeCodeSigning Purpose = iota

// PurposeTimestamping means the certificate chain is a timestamping chain
PurposeTimestamping
)

// Options specifies values that are needed to check OCSP revocation
type Options struct {
CertChain []*x509.Certificate
CertChainPurpose Purpose // default value is `PurposeCodeSigning`
SigningTime time.Time
HTTPClient *http.Client
CertChain []*x509.Certificate

// CertChainPurpose is the purpose of the certificate chain. Supported
// values are x509.ExtKeyUsageCodeSigning and x509.ExtKeyUsageTimeStamping.
// When not provided, the default value x509.ExtKeyUsageAny is also taken as
// a code signing certificate chain.
CertChainPurpose x509.ExtKeyUsage
Two-Hearts marked this conversation as resolved.
Show resolved Hide resolved

SigningTime time.Time
HTTPClient *http.Client
}

const (
Expand All @@ -73,21 +67,21 @@ func CheckStatus(opts Options) ([]*result.CertRevocationResult, error) {
return nil, result.InvalidChainError{Err: errors.New("chain does not contain any certificates")}
}

// Validate cert chain structure
// Since this is using authentic signing time, signing time may be zero.
// Thus, it is better to pass nil here than fail for a cert's NotBefore
// being after zero time
switch opts.CertChainPurpose {
case PurposeCodeSigning:
case x509.ExtKeyUsageAny, x509.ExtKeyUsageCodeSigning:
// Since ValidateCodeSigningCertChain is using authentic signing time,
// signing time may be zero.
// Thus, it is better to pass nil here than fail for a cert's NotBefore
// being after zero time
if err := coreX509.ValidateCodeSigningCertChain(opts.CertChain, nil); err != nil {
return nil, result.InvalidChainError{Err: err}
}
case PurposeTimestamping:
case x509.ExtKeyUsageTimeStamping:
if err := coreX509.ValidateTimestampingCertChain(opts.CertChain); err != nil {
return nil, result.InvalidChainError{Err: err}
}
default:
return nil, result.InvalidChainError{Err: fmt.Errorf("unknown certificate chain purpose %v", opts.CertChainPurpose)}
return nil, result.InvalidChainError{Err: fmt.Errorf("unsupported certificate chain purpose %v", opts.CertChainPurpose)}
}

certResults := make([]*result.CertRevocationResult, len(opts.CertChain))
Expand Down
Loading
Loading