-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add OCSP and CRL revocation checks #128
Conversation
Signed-off-by: Kody Kimberl <[email protected]>
rc := signature.NewRevocationChecker() | ||
revoked, err := rc.CheckRevocationStatus(cert) | ||
if err != nil { | ||
return nil, err | ||
} else if revoked { | ||
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Check should be done in notation-go, depending upon trust policy configuration the outcome of verification will change.
Ref: https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#certificate-revocation-evaluation
The idea is that functions to check for revocation status should be in notation-core-go but actual check should happen in notation-go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
|
||
func (r RevocationChecker) CheckRevocationStatus(cert *x509.Certificate) (bool, error) { | ||
revoke.HTTPClient = r.HTTPClient | ||
revoked, _, err := revoke.VerifyCertificateError(cert) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it do OSCP check first then CRL?
|
||
func (r RevocationChecker) CheckRevocationStatus(cert *x509.Certificate) (bool, error) { | ||
revoke.HTTPClient = r.HTTPClient | ||
revoked, _, err := revoke.VerifyCertificateError(cert) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This method does more than revocation check which we dont want
https://github.com/cloudflare/cfssl/blob/master/revoke/revoke.go#L191-L202
cloud.google.com/go v0.81.0 // indirect | ||
github.com/beorn7/perks v1.0.1 // indirect | ||
github.com/bgentry/speakeasy v0.1.0 // indirect | ||
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect | ||
github.com/cespare/xxhash/v2 v2.1.1 // indirect | ||
github.com/cncf/udpa/go v0.0.0-20210322005330-6414d713912e // indirect | ||
github.com/coreos/go-semver v0.3.0 // indirect | ||
github.com/coreos/go-systemd/v22 v22.3.2 // indirect | ||
github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect | ||
github.com/dustin/go-humanize v1.0.0 // indirect | ||
github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d // indirect | ||
github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect | ||
github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect | ||
github.com/fullstorydev/grpcurl v1.8.1 // indirect | ||
github.com/gogo/protobuf v1.3.2 // indirect | ||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect | ||
github.com/golang/mock v1.5.0 // indirect | ||
github.com/golang/protobuf v1.5.2 // indirect | ||
github.com/google/btree v1.0.1 // indirect | ||
github.com/google/certificate-transparency-go v1.1.2-0.20210511102531-373a877eec92 // indirect | ||
github.com/google/go-cmp v0.5.5 // indirect | ||
github.com/google/uuid v1.2.0 // indirect | ||
github.com/gorilla/websocket v1.4.2 // indirect | ||
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect | ||
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect | ||
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect | ||
github.com/inconshreveable/mousetrap v1.0.0 // indirect | ||
github.com/jhump/protoreflect v1.8.2 // indirect | ||
github.com/jmoiron/sqlx v1.3.3 // indirect | ||
github.com/jonboulle/clockwork v0.2.2 // indirect | ||
github.com/json-iterator/go v1.1.11 // indirect | ||
github.com/mattn/go-runewidth v0.0.12 // indirect | ||
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect | ||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect | ||
github.com/modern-go/reflect2 v1.0.1 // indirect | ||
github.com/olekukonko/tablewriter v0.0.5 // indirect | ||
github.com/prometheus/client_golang v1.10.0 // indirect | ||
github.com/prometheus/client_model v0.2.0 // indirect | ||
github.com/prometheus/common v0.24.0 // indirect | ||
github.com/prometheus/procfs v0.6.0 // indirect | ||
github.com/rivo/uniseg v0.2.0 // indirect | ||
github.com/russross/blackfriday/v2 v2.1.0 // indirect | ||
github.com/sirupsen/logrus v1.8.1 // indirect | ||
github.com/soheilhy/cmux v0.1.5 // indirect | ||
github.com/spf13/cobra v1.1.3 // indirect | ||
github.com/spf13/pflag v1.0.5 // indirect | ||
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect | ||
github.com/urfave/cli v1.22.5 // indirect | ||
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect | ||
go.etcd.io/bbolt v1.3.5 // indirect | ||
go.etcd.io/etcd/api/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/client/v2 v2.305.0-alpha.0 // indirect | ||
go.etcd.io/etcd/client/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/server/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/v3 v3.5.0-alpha.0 // indirect | ||
go.uber.org/atomic v1.7.0 // indirect | ||
go.uber.org/multierr v1.7.0 // indirect | ||
go.uber.org/zap v1.16.0 // indirect | ||
golang.org/x/mod v0.4.2 // indirect | ||
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect | ||
golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c // indirect | ||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect | ||
golang.org/x/text v0.3.6 // indirect | ||
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect | ||
golang.org/x/tools v0.1.0 // indirect | ||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect | ||
google.golang.org/appengine v1.6.7 // indirect | ||
google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a // indirect | ||
google.golang.org/grpc v1.37.0 // indirect | ||
google.golang.org/protobuf v1.26.0 // indirect | ||
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect | ||
gopkg.in/yaml.v2 v2.4.0 // indirect | ||
sigs.k8s.io/yaml v1.2.0 // indirect |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These seems to be an awful lot of dependency for crl and ocsp check :O
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the notation-core-go
's dependency should be as much as concise.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
notation-core-go
should not import so many non-relevant dependencies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be better if a design doc for the golang implementation is provided.
@@ -6,6 +6,88 @@ require ( | |||
github.com/fxamacker/cbor/v2 v2.4.0 | |||
github.com/golang-jwt/jwt/v4 v4.5.0 | |||
github.com/veraison/go-cose v1.0.0 | |||
golang.org/x/crypto v0.0.0-20220824171710-5757bc0c5503 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A tagged version of golang.org/x/crypto
should be used. The current latest one is v0.7.0
cloud.google.com/go v0.81.0 // indirect | ||
github.com/beorn7/perks v1.0.1 // indirect | ||
github.com/bgentry/speakeasy v0.1.0 // indirect | ||
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect | ||
github.com/cespare/xxhash/v2 v2.1.1 // indirect | ||
github.com/cncf/udpa/go v0.0.0-20210322005330-6414d713912e // indirect | ||
github.com/coreos/go-semver v0.3.0 // indirect | ||
github.com/coreos/go-systemd/v22 v22.3.2 // indirect | ||
github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect | ||
github.com/dustin/go-humanize v1.0.0 // indirect | ||
github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d // indirect | ||
github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect | ||
github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect | ||
github.com/fullstorydev/grpcurl v1.8.1 // indirect | ||
github.com/gogo/protobuf v1.3.2 // indirect | ||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect | ||
github.com/golang/mock v1.5.0 // indirect | ||
github.com/golang/protobuf v1.5.2 // indirect | ||
github.com/google/btree v1.0.1 // indirect | ||
github.com/google/certificate-transparency-go v1.1.2-0.20210511102531-373a877eec92 // indirect | ||
github.com/google/go-cmp v0.5.5 // indirect | ||
github.com/google/uuid v1.2.0 // indirect | ||
github.com/gorilla/websocket v1.4.2 // indirect | ||
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect | ||
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect | ||
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect | ||
github.com/inconshreveable/mousetrap v1.0.0 // indirect | ||
github.com/jhump/protoreflect v1.8.2 // indirect | ||
github.com/jmoiron/sqlx v1.3.3 // indirect | ||
github.com/jonboulle/clockwork v0.2.2 // indirect | ||
github.com/json-iterator/go v1.1.11 // indirect | ||
github.com/mattn/go-runewidth v0.0.12 // indirect | ||
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect | ||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect | ||
github.com/modern-go/reflect2 v1.0.1 // indirect | ||
github.com/olekukonko/tablewriter v0.0.5 // indirect | ||
github.com/prometheus/client_golang v1.10.0 // indirect | ||
github.com/prometheus/client_model v0.2.0 // indirect | ||
github.com/prometheus/common v0.24.0 // indirect | ||
github.com/prometheus/procfs v0.6.0 // indirect | ||
github.com/rivo/uniseg v0.2.0 // indirect | ||
github.com/russross/blackfriday/v2 v2.1.0 // indirect | ||
github.com/sirupsen/logrus v1.8.1 // indirect | ||
github.com/soheilhy/cmux v0.1.5 // indirect | ||
github.com/spf13/cobra v1.1.3 // indirect | ||
github.com/spf13/pflag v1.0.5 // indirect | ||
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect | ||
github.com/urfave/cli v1.22.5 // indirect | ||
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect | ||
go.etcd.io/bbolt v1.3.5 // indirect | ||
go.etcd.io/etcd/api/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/client/v2 v2.305.0-alpha.0 // indirect | ||
go.etcd.io/etcd/client/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/server/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/v3 v3.5.0-alpha.0 // indirect | ||
go.uber.org/atomic v1.7.0 // indirect | ||
go.uber.org/multierr v1.7.0 // indirect | ||
go.uber.org/zap v1.16.0 // indirect | ||
golang.org/x/mod v0.4.2 // indirect | ||
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect | ||
golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c // indirect | ||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect | ||
golang.org/x/text v0.3.6 // indirect | ||
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect | ||
golang.org/x/tools v0.1.0 // indirect | ||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect | ||
google.golang.org/appengine v1.6.7 // indirect | ||
google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a // indirect | ||
google.golang.org/grpc v1.37.0 // indirect | ||
google.golang.org/protobuf v1.26.0 // indirect | ||
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect | ||
gopkg.in/yaml.v2 v2.4.0 // indirect | ||
sigs.k8s.io/yaml v1.2.0 // indirect |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
notation-core-go
should not import so many non-relevant dependencies.
@@ -6,6 +6,88 @@ require ( | |||
github.com/fxamacker/cbor/v2 v2.4.0 | |||
github.com/golang-jwt/jwt/v4 v4.5.0 | |||
github.com/veraison/go-cose v1.0.0 | |||
golang.org/x/crypto v0.0.0-20220824171710-5757bc0c5503 | |||
github.com/cloudflare/cfssl v1.6.3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the use of github.com/cloudflare/cfssl
approved by crypto board of any organization?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please document all exported types and methods.
return len(b), nil | ||
} | ||
|
||
func MockServer(cert *x509.Certificate, key *rsa.PrivateKey, desiredOCSPStatus ocsp.ResponseStatus, revokedInCRL bool, wg *sync.WaitGroup) *http.Server { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
package httptest should be used as a mock server instead of a real server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please document all exported types and methods.
HTTPClient *http.Client | ||
} | ||
|
||
func NewRevocationChecker(httpClients ...http.Client) *RevocationChecker { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the scenario to take multiple http client?
} | ||
|
||
func (r RevocationChecker) CheckRevocationStatus(cert *x509.Certificate) (bool, error) { | ||
revoke.HTTPClient = r.HTTPClient |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Setting to a global variable revoke.HTTPClient
is dangerous due to race conditions.
rc := signature.NewRevocationChecker() | ||
revoked, err := rc.CheckRevocationStatus(cert) | ||
if err != nil { | ||
return nil, err | ||
} else if revoked { | ||
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
revoked, err := rc.CheckRevocationStatus(cert) | ||
if err != nil { | ||
return nil, err | ||
} else if revoked { | ||
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be refactored as
revoked, err := rc.CheckRevocationStatus(cert) | |
if err != nil { | |
return nil, err | |
} else if revoked { | |
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"} | |
} | |
if err := rc.CheckRevocationStatus(cert); err != nil { | |
return nil, err | |
} |
Caller just needs the error. The revoked
value can be one type of error.
Proposed design for OCSP revocation: #132 |
This PR adds OCSP and CRL revocation checking to the Verify function of COSE and JWS envelopes.
To do this, it implements a new dependency on https://pkg.go.dev/github.com/cloudflare/cfssl/revoke, as well as a dependency on https://pkg.go.dev/golang.org/x/crypto/ocsp for testing purposes.
I added a few new tests that use a mock OCSP and CRL server to simulate revoked certificates.
This PR intends to resolve the following issues:
Before investing too much more time, I wanted to publish this initial PR to ensure we agree on this approach.
Signed-off-by: Kody Kimberl [email protected]