-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add OCSP and CRL revocation checks #128
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,6 +6,88 @@ require ( | |
github.com/fxamacker/cbor/v2 v2.4.0 | ||
github.com/golang-jwt/jwt/v4 v4.5.0 | ||
github.com/veraison/go-cose v1.0.0 | ||
golang.org/x/crypto v0.0.0-20220824171710-5757bc0c5503 | ||
github.com/cloudflare/cfssl v1.6.3 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is the use of |
||
) | ||
|
||
require ( | ||
cloud.google.com/go v0.81.0 // indirect | ||
github.com/beorn7/perks v1.0.1 // indirect | ||
github.com/bgentry/speakeasy v0.1.0 // indirect | ||
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect | ||
github.com/cespare/xxhash/v2 v2.1.1 // indirect | ||
github.com/cncf/udpa/go v0.0.0-20210322005330-6414d713912e // indirect | ||
github.com/coreos/go-semver v0.3.0 // indirect | ||
github.com/coreos/go-systemd/v22 v22.3.2 // indirect | ||
github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect | ||
github.com/dustin/go-humanize v1.0.0 // indirect | ||
github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d // indirect | ||
github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect | ||
github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect | ||
github.com/fullstorydev/grpcurl v1.8.1 // indirect | ||
github.com/gogo/protobuf v1.3.2 // indirect | ||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect | ||
github.com/golang/mock v1.5.0 // indirect | ||
github.com/golang/protobuf v1.5.2 // indirect | ||
github.com/google/btree v1.0.1 // indirect | ||
github.com/google/certificate-transparency-go v1.1.2-0.20210511102531-373a877eec92 // indirect | ||
github.com/google/go-cmp v0.5.5 // indirect | ||
github.com/google/uuid v1.2.0 // indirect | ||
github.com/gorilla/websocket v1.4.2 // indirect | ||
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect | ||
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect | ||
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect | ||
github.com/inconshreveable/mousetrap v1.0.0 // indirect | ||
github.com/jhump/protoreflect v1.8.2 // indirect | ||
github.com/jmoiron/sqlx v1.3.3 // indirect | ||
github.com/jonboulle/clockwork v0.2.2 // indirect | ||
github.com/json-iterator/go v1.1.11 // indirect | ||
github.com/mattn/go-runewidth v0.0.12 // indirect | ||
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect | ||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect | ||
github.com/modern-go/reflect2 v1.0.1 // indirect | ||
github.com/olekukonko/tablewriter v0.0.5 // indirect | ||
github.com/prometheus/client_golang v1.10.0 // indirect | ||
github.com/prometheus/client_model v0.2.0 // indirect | ||
github.com/prometheus/common v0.24.0 // indirect | ||
github.com/prometheus/procfs v0.6.0 // indirect | ||
github.com/rivo/uniseg v0.2.0 // indirect | ||
github.com/russross/blackfriday/v2 v2.1.0 // indirect | ||
github.com/sirupsen/logrus v1.8.1 // indirect | ||
github.com/soheilhy/cmux v0.1.5 // indirect | ||
github.com/spf13/cobra v1.1.3 // indirect | ||
github.com/spf13/pflag v1.0.5 // indirect | ||
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect | ||
github.com/urfave/cli v1.22.5 // indirect | ||
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect | ||
go.etcd.io/bbolt v1.3.5 // indirect | ||
go.etcd.io/etcd/api/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/client/v2 v2.305.0-alpha.0 // indirect | ||
go.etcd.io/etcd/client/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/server/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0 // indirect | ||
go.etcd.io/etcd/v3 v3.5.0-alpha.0 // indirect | ||
go.uber.org/atomic v1.7.0 // indirect | ||
go.uber.org/multierr v1.7.0 // indirect | ||
go.uber.org/zap v1.16.0 // indirect | ||
golang.org/x/mod v0.4.2 // indirect | ||
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect | ||
golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c // indirect | ||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect | ||
golang.org/x/text v0.3.6 // indirect | ||
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect | ||
golang.org/x/tools v0.1.0 // indirect | ||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect | ||
google.golang.org/appengine v1.6.7 // indirect | ||
google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a // indirect | ||
google.golang.org/grpc v1.37.0 // indirect | ||
google.golang.org/protobuf v1.26.0 // indirect | ||
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect | ||
gopkg.in/yaml.v2 v2.4.0 // indirect | ||
sigs.k8s.io/yaml v1.2.0 // indirect | ||
Comment on lines
+14
to
+90
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. These seems to be an awful lot of dependency for crl and ocsp check :O There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
) | ||
|
||
require github.com/x448/float16 v0.8.4 // indirect |
Large diffs are not rendered by default.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -257,6 +257,14 @@ func (e *envelope) Verify() (*signature.EnvelopeContent, error) { | |
return nil, &signature.InvalidSignatureError{Msg: "malformed leaf certificate"} | ||
} | ||
|
||
rc := signature.NewRevocationChecker() | ||
revoked, err := rc.CheckRevocationStatus(cert) | ||
if err != nil { | ||
return nil, err | ||
} else if revoked { | ||
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"} | ||
} | ||
Comment on lines
+260
to
+266
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Check should be done in notation-go, depending upon trust policy configuration the outcome of verification will change. The idea is that functions to check for revocation status should be in notation-core-go but actual check should happen in notation-go There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. +1 |
||
|
||
// core verify process, verify integrity of COSE envelope | ||
publicKeyAlg, err := getSignatureAlgorithm(cert) | ||
if err != nil { | ||
|
Original file line number | Diff line number | Diff line change | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
@@ -101,6 +101,14 @@ func (e *envelope) Verify() (*signature.EnvelopeContent, error) { | |||||||||||||||||||
return nil, &signature.InvalidSignatureError{Msg: "malformed leaf certificate"} | ||||||||||||||||||||
} | ||||||||||||||||||||
|
||||||||||||||||||||
rc := signature.NewRevocationChecker() | ||||||||||||||||||||
revoked, err := rc.CheckRevocationStatus(cert) | ||||||||||||||||||||
if err != nil { | ||||||||||||||||||||
return nil, err | ||||||||||||||||||||
} else if revoked { | ||||||||||||||||||||
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"} | ||||||||||||||||||||
} | ||||||||||||||||||||
Comment on lines
+105
to
+110
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This can be refactored as
Suggested change
Caller just needs the error. The |
||||||||||||||||||||
|
||||||||||||||||||||
// verify JWT | ||||||||||||||||||||
compact := compactJWS(e.base) | ||||||||||||||||||||
if err = verifyJWT(compact, cert.PublicKey); err != nil { | ||||||||||||||||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please document all exported types and methods. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
package signature | ||
|
||
import ( | ||
"crypto/x509" | ||
"net/http" | ||
|
||
"github.com/cloudflare/cfssl/revoke" | ||
) | ||
|
||
type RevocationChecker struct { | ||
HTTPClient *http.Client | ||
} | ||
|
||
func NewRevocationChecker(httpClients ...http.Client) *RevocationChecker { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What's the scenario to take multiple http client? |
||
if len(httpClients) == 0 { | ||
return &RevocationChecker{HTTPClient: http.DefaultClient} | ||
} else { | ||
return &RevocationChecker{HTTPClient: &httpClients[0]} | ||
} | ||
} | ||
|
||
func (r RevocationChecker) CheckRevocationStatus(cert *x509.Certificate) (bool, error) { | ||
revoke.HTTPClient = r.HTTPClient | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Setting to a global variable |
||
revoked, _, err := revoke.VerifyCertificateError(cert) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does it do OSCP check first then CRL? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This method does more than revocation check which we dont want |
||
return revoked, err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A tagged version of
golang.org/x/crypto
should be used. The current latest one is v0.7.0