feat: support CRL

Signed-off-by: Junjie Gao <[email protected]>
JeyJeyGao · Aug 20, 2024 · 640b3bb · 640b3bb
1 parent 8e2131d
commit 640b3bb
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 8 deletions.
diff --git a/go.mod b/go.mod
@@ -24,3 +24,5 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 )
+
+replace github.com/notaryproject/notation-core-go => github.com/JeyJeyGao/notation-core-go v0.0.0-20240820065505-3bb154fda9f6
diff --git a/go.sum b/go.sum
@@ -1,5 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/JeyJeyGao/notation-core-go v0.0.0-20240820065505-3bb154fda9f6 h1:ssy8DajeEYdS4hzGFEadvOk1frLWreBZPv2J3MmS83o=
+github.com/JeyJeyGao/notation-core-go v0.0.0-20240820065505-3bb154fda9f6/go.mod h1:v6QLd2jSJwhPHQZr7VeWPtWidAcgzp3e0Ra/uerw0bw=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -32,8 +34,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.1.0-rc.1 h1:6cxfVUuc4rTqYu0u7vOmgXfqw1zZabSLJNo8KvkDEzU=
-github.com/notaryproject/notation-core-go v1.1.0-rc.1/go.mod h1:j6NELapik2bE1DcrL5otTfXWuW5PR/JLLfREZ4ggmYY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=

diff --git a/verifier/verifier.go b/verifier/verifier.go
@@ -30,6 +30,7 @@ import (
 	"oras.land/oras-go/v2/content"
 
 	"github.com/notaryproject/notation-core-go/revocation"
+	"github.com/notaryproject/notation-core-go/revocation/crl"
 	"github.com/notaryproject/notation-core-go/revocation/purpose"
 	revocationresult "github.com/notaryproject/notation-core-go/revocation/result"
 	"github.com/notaryproject/notation-core-go/signature"
@@ -808,16 +809,32 @@ func revocationFinalResult(certResults []*revocationresult.CertRevocationResult,
 	revokedFound := false
 	var revokedCertSubject string
 	for i := len(certResults) - 1; i >= 0; i-- {
-		if len(certResults[i].ServerResults) > 0 && certResults[i].ServerResults[0].Error != nil {
-			logger.Debugf("Error for certificate #%d in chain with subject %v for server %q: %v", (i + 1), certChain[i].Subject.String(), certResults[i].ServerResults[0].Server, certResults[i].ServerResults[0].Error)
+		cert := certChain[i]
+		certResult := certResults[i]
+		if len(certResult.ServerResults) > 0 && certResult.ServerResults[0].Error != nil {
+			logger.Debugf("OCSP Error for certificate #%d in chain with subject %v for server %q: %v", (i + 1), cert.Subject.String(), certResult.ServerResults[0].Server, certResult.ServerResults[0].Error)
+		}
+		if len(certResult.ServerResults) > 0 && len(certResult.CRLResults) > 0 {
+			logger.Warnf("OCSP check failed with unknown error and fallback to CRL check for certificate #%d in chain with subject %v", (i + 1), cert.Subject.String())
+		}
+		if len(certResult.CRLResults) > 0 && certResult.CRLResults[0].Error != nil {
+			logger.Debugf("CRL Error for certificate #%d in chain with subject %v: %v", (i + 1), cert.Subject.String(), certResult.CRLResults[0].Error)
+		}
+
+		// delta CRL not checked warning
+		for _, crlResult := range certResult.CRLResults {
+			if crlResult.Error == crl.ErrDeltaCRLNotChecked {
+				logger.Warnf("Delta CRL not checked for certificate #%d in chain with subject %v", (i + 1), cert.Subject.String())
+				break
+			}
 		}
 
-		if certResults[i].Result == revocationresult.ResultOK || certResults[i].Result == revocationresult.ResultNonRevokable {
+		if certResult.Result == revocationresult.ResultOK || certResult.Result == revocationresult.ResultNonRevokable {
 			numOKResults++
 		} else {
-			finalResult = certResults[i].Result
-			problematicCertSubject = certChain[i].Subject.String()
-			if certResults[i].Result == revocationresult.ResultRevoked {
+			finalResult = certResult.Result
+			problematicCertSubject = cert.Subject.String()
+			if certResult.Result == revocationresult.ResultRevoked {
 				revokedFound = true
 				revokedCertSubject = problematicCertSubject
 			}