notaryproject · priteshbandi · Apr 20, 2023 · Mar 29, 2023 · Mar 29, 2023 · Mar 29, 2023
@@ -25,7 +25,7 @@ var examplePolicyDocument = trustpolicy.Document{
 		{
 			Name:                  "test-statement-name",
 			RegistryScopes:        []string{"example/software"},
-			SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: trustpolicy.LevelStrict.Name},
+			SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: trustpolicy.LevelStrict.Name, Override: map[trustpolicy.ValidationType]trustpolicy.ValidationAction{trustpolicy.TypeRevocation: trustpolicy.ActionSkip}},
 			TrustStores:           []string{"ca:valid-trust-store"},
 			TrustedIdentities:     []string{"*"},
 		},

@@ -8,6 +8,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/veraison/go-cose v1.0.0
+	golang.org/x/crypto v0.7.0
 	golang.org/x/mod v0.9.0
 	oras.land/oras-go/v2 v2.0.2
 )
@@ -16,8 +17,7 @@ require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.5.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 )
@@ -9,8 +9,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
 github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
-github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
-github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/notaryproject/notation-core-go v1.0.0-rc.2 h1:nNJuXa12jVNSSETjGNJEcZgv1NwY5ToYPo+c0P9syCI=
 github.com/notaryproject/notation-core-go v1.0.0-rc.2/go.mod h1:ASoc9KbJkSHLbKhO96lb0pIEWJRMZq9oprwBSZ0EAx0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -27,8 +27,8 @@ github.com/veraison/go-cose v1.0.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
-golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=

@@ -7,10 +7,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 	"reflect"
 	"strings"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation"
+	revocation_result "github.com/notaryproject/notation-core-go/revocation/result"
 	"github.com/notaryproject/notation-core-go/signature"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/dir"
@@ -30,9 +33,10 @@ import (
 
 // verifier implements notation.Verifier and notation.skipVerifier
 type verifier struct {
-	trustPolicyDoc *trustpolicy.Document
-	trustStore     truststore.X509TrustStore
-	pluginManager  plugin.Manager
+	trustPolicyDoc   *trustpolicy.Document
+	trustStore       truststore.X509TrustStore
+	pluginManager    plugin.Manager
+	revocationClient revocation.Revocation
 }
 
 // NewFromConfig returns a verifier based on local file system
@@ -50,16 +54,29 @@ func NewFromConfig() (notation.Verifier, error) {
 
 // New creates a new verifier given trustPolicy, trustStore and pluginManager
 func New(trustPolicy *trustpolicy.Document, trustStore truststore.X509TrustStore, pluginManager plugin.Manager) (notation.Verifier, error) {
+	r, err := revocation.New(&http.Client{Timeout: 5 * time.Second})
+	if err != nil {
+		return nil, err
+	}
+	return NewWithOptions(trustPolicy, trustStore, pluginManager, r)
+}
+
+// NewWithOptions creates a new verifier given trustPolicy, trustStore, pluginManager, and revocationClient
+func NewWithOptions(trustPolicy *trustpolicy.Document, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, revocationClient revocation.Revocation) (notation.Verifier, error) {
+	if revocationClient == nil {
+		return nil, errors.New("revocationClient cannot be nil")
+	}
 	if trustPolicy == nil || trustStore == nil {
 		return nil, errors.New("trustPolicy or trustStore cannot be nil")
 	}
 	if err := trustPolicy.Validate(); err != nil {
 		return nil, err
 	}
 	return &verifier{
-		trustPolicyDoc: trustPolicy,
-		trustStore:     trustStore,
-		pluginManager:  pluginManager,
+		trustPolicyDoc:   trustPolicy,
+		trustStore:       trustStore,
+		pluginManager:    pluginManager,
+		revocationClient: revocationClient,
 	}, nil
 }
 
@@ -256,9 +273,14 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop
 	// skipped using a trust policy or a plugin may override the check
 	if outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation] != trustpolicy.ActionSkip &&
 		!slices.Contains(pluginCapabilities, proto.CapabilityRevocationCheckVerifier) {
-		logger.Debugf("Validating revocation (not implemented)")
-		// TODO perform X509 revocation check (not in RC1)
-		// https://github.com/notaryproject/notation-go/issues/110
+
+		logger.Debug("Validating revocation")
+		revocationResult := verifyRevocation(outcome, v.revocationClient, logger)
+		outcome.VerificationResults = append(outcome.VerificationResults, revocationResult)
+		logVerificationResult(logger, revocationResult)
+		if isCriticalFailure(revocationResult) {
+			return revocationResult.Error
+		}
 	}
 
 	// perform extended verification using verification plugin if present
@@ -518,6 +540,78 @@ func verifyAuthenticTimestamp(outcome *notation.VerificationOutcome) *notation.V
 	}
 }
 
+func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revocation, logger log.Logger) *notation.ValidationResult {
+	if r == nil {
+		return &notation.ValidationResult{
+			Type:   trustpolicy.TypeRevocation,
+			Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation],
+			Error:  fmt.Errorf("unable to check revocation status, revocation client cannot be nil"),
+		}
+	}
+
+	signingTime := outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningTime
+	if signingTime.IsZero() {
+		signingTime = time.Now()
+	}
+	revocationResult, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, signingTime)
+	if err != nil {
+		logger.Debug("error while checking revocation status, err: %s", err.Error())
+		return &notation.ValidationResult{
+			Type:   trustpolicy.TypeRevocation,
+			Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation],
+			Error:  fmt.Errorf("unable to check revocation status, err: %s", err.Error()),
+		}
+	}
+
+	result := &notation.ValidationResult{
+		Type:   trustpolicy.TypeRevocation,
+		Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation],
+	}
+
+	finalResult := revocation_result.ResultUnknown
+	numOKResults := 0
+	var problematicCertSubject string
+	revokedFound := false
+	var revokedCertSubject string
+	for i := len(revocationResult) - 1; i >= 0; i-- {
+		for _, serverResult := range revocationResult[i].ServerResults {
+			if serverResult != nil {
+				logger.Debugf("error for certificate #%d in chain with subject %v for server %q: %v", (i + 1), outcome.EnvelopeContent.SignerInfo.CertificateChain[i].Subject.String(), serverResult.Server, serverResult.Error)
+			}
+		}
+
+		if revocationResult[i].Result == revocation_result.ResultOK || revocationResult[i].Result == revocation_result.ResultNonRevokable {
+			numOKResults++
+		} else {
+			finalResult = revocationResult[i].Result
+			problematicCertSubject = outcome.EnvelopeContent.SignerInfo.CertificateChain[i].Subject.String()
+			if revocationResult[i].Result == revocation_result.ResultRevoked {
+				revokedFound = true
+				revokedCertSubject = problematicCertSubject
+			}
+		}
+	}
+	if revokedFound {
+		problematicCertSubject = revokedCertSubject
+		finalResult = revocation_result.ResultRevoked
+	}
+	if numOKResults == len(revocationResult) {
+		finalResult = revocation_result.ResultOK
+	}
+
+	switch finalResult {
+	case revocation_result.ResultOK:
+		logger.Debug("no important errors encountered while checking revocation, status is OK")
+	case revocation_result.ResultRevoked:
+		result.Error = fmt.Errorf("signing certificate with subject %q is revoked", problematicCertSubject)
+	default:
+		// revocation_result.ResultUnknown
+		result.Error = fmt.Errorf("signing certificate with subject %q revocation status is unknown", problematicCertSubject)
+	}
+
+	return result
+}
+
 func executePlugin(ctx context.Context, installedPlugin plugin.Plugin, trustPolicy *trustpolicy.TrustPolicy, capabilitiesToVerify []proto.Capability, envelopeContent *signature.EnvelopeContent, pluginConfig map[string]string) (*proto.VerifySignatureResponse, error) {
 	logger := log.GetLogger(ctx)
 	// sanity check