Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add OCSP and CRL revocation checks #128

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 82 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,88 @@ require (
github.com/fxamacker/cbor/v2 v2.4.0
github.com/golang-jwt/jwt/v4 v4.5.0
github.com/veraison/go-cose v1.0.0
golang.org/x/crypto v0.0.0-20220824171710-5757bc0c5503
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A tagged version of golang.org/x/crypto should be used. The current latest one is v0.7.0

github.com/cloudflare/cfssl v1.6.3
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the use of github.com/cloudflare/cfssl approved by crypto board of any organization?

)

require (
cloud.google.com/go v0.81.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/speakeasy v0.1.0 // indirect
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
github.com/cespare/xxhash/v2 v2.1.1 // indirect
github.com/cncf/udpa/go v0.0.0-20210322005330-6414d713912e // indirect
github.com/coreos/go-semver v0.3.0 // indirect
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
github.com/dustin/go-humanize v1.0.0 // indirect
github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d // indirect
github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect
github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
github.com/fullstorydev/grpcurl v1.8.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/mock v1.5.0 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/certificate-transparency-go v1.1.2-0.20210511102531-373a877eec92 // indirect
github.com/google/go-cmp v0.5.5 // indirect
github.com/google/uuid v1.2.0 // indirect
github.com/gorilla/websocket v1.4.2 // indirect
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/jhump/protoreflect v1.8.2 // indirect
github.com/jmoiron/sqlx v1.3.3 // indirect
github.com/jonboulle/clockwork v0.2.2 // indirect
github.com/json-iterator/go v1.1.11 // indirect
github.com/mattn/go-runewidth v0.0.12 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.1 // indirect
github.com/olekukonko/tablewriter v0.0.5 // indirect
github.com/prometheus/client_golang v1.10.0 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.24.0 // indirect
github.com/prometheus/procfs v0.6.0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/soheilhy/cmux v0.1.5 // indirect
github.com/spf13/cobra v1.1.3 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
github.com/urfave/cli v1.22.5 // indirect
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
go.etcd.io/bbolt v1.3.5 // indirect
go.etcd.io/etcd/api/v3 v3.5.0-alpha.0 // indirect
go.etcd.io/etcd/client/v2 v2.305.0-alpha.0 // indirect
go.etcd.io/etcd/client/v3 v3.5.0-alpha.0 // indirect
go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0 // indirect
go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0 // indirect
go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0 // indirect
go.etcd.io/etcd/server/v3 v3.5.0-alpha.0 // indirect
go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0 // indirect
go.etcd.io/etcd/v3 v3.5.0-alpha.0 // indirect
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/multierr v1.7.0 // indirect
go.uber.org/zap v1.16.0 // indirect
golang.org/x/mod v0.4.2 // indirect
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c // indirect
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
golang.org/x/text v0.3.6 // indirect
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
golang.org/x/tools v0.1.0 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a // indirect
google.golang.org/grpc v1.37.0 // indirect
google.golang.org/protobuf v1.26.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
sigs.k8s.io/yaml v1.2.0 // indirect
Comment on lines +14 to +90
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These seems to be an awful lot of dependency for crl and ocsp check :O

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the notation-core-go's dependency should be as much as concise.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

notation-core-go should not import so many non-relevant dependencies.

)

require github.com/x448/float16 v0.8.4 // indirect
1,221 changes: 1,221 additions & 0 deletions go.sum

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions signature/cose/envelope.go
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,14 @@ func (e *envelope) Verify() (*signature.EnvelopeContent, error) {
return nil, &signature.InvalidSignatureError{Msg: "malformed leaf certificate"}
}

rc := signature.NewRevocationChecker()
revoked, err := rc.CheckRevocationStatus(cert)
if err != nil {
return nil, err
} else if revoked {
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"}
}
Comment on lines +260 to +266
Copy link
Contributor

@priteshbandi priteshbandi Mar 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check should be done in notation-go, depending upon trust policy configuration the outcome of verification will change.
Ref: https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#certificate-revocation-evaluation

The idea is that functions to check for revocation status should be in notation-core-go but actual check should happen in notation-go

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1


// core verify process, verify integrity of COSE envelope
publicKeyAlg, err := getSignatureAlgorithm(cert)
if err != nil {
Expand Down
96 changes: 96 additions & 0 deletions signature/cose/envelope_test.go
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
package cose

import (
"context"
"crypto"
"crypto/x509"
"errors"
"fmt"
"sync"
"testing"
"time"

Expand All @@ -13,6 +15,7 @@ import (
"github.com/notaryproject/notation-core-go/signature/internal/signaturetest"
"github.com/notaryproject/notation-core-go/testhelper"
"github.com/veraison/go-cose"
"golang.org/x/crypto/ocsp"
)

const (
Expand Down Expand Up @@ -403,6 +406,99 @@ func TestVerifyErrors(t *testing.T) {
t.Fatalf("Verify() expects error: %v, but got: %v.", expected, err)
}
})

// Testing verify with revokable certificates
t.Run("when COSE envelope has non-revoked certificate", func(t *testing.T) {
revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
revokableCert := revokableCertTuple.Cert
revokableKey := revokableCertTuple.PrivateKey

serverShutdownWaitGroup := &sync.WaitGroup{}
serverShutdownWaitGroup.Add(1)
srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, false, serverShutdownWaitGroup)

env, err := getVerifyCOSE("notary.x509", signature.KeyTypeRSA, 3072)
if err != nil {
t.Errorf("getVerifyCOSE() failed. Error = %s", err)
}
certs, ok := env.base.Headers.Unprotected[cose.HeaderLabelX5Chain].([]any)
if !ok || len(certs) == 0 {
t.Errorf("certificate chain is not present")
}
certs[0] = revokableCert.Raw
env.base.Headers.Unprotected[cose.HeaderLabelX5Chain] = certs
//Integrity of the envelope has been invalidated, so signature will fail, but this is after revoke check
_, err = env.Verify()
unexpected := errors.New("certificate has been revoked")
if isErrEqual(unexpected, err) {
t.Errorf("Verify() expects to not get error: %v, but got: %v.", unexpected, err)
}

if err := srv.Shutdown(context.TODO()); err != nil {
t.Errorf("Error while shutting down server: %v", err)
}
serverShutdownWaitGroup.Wait()
})
t.Run("when COSE envelope has OCSP revoked certificate", func(t *testing.T) {
revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
revokableCert := revokableCertTuple.Cert
revokableKey := revokableCertTuple.PrivateKey

serverShutdownWaitGroup := &sync.WaitGroup{}
serverShutdownWaitGroup.Add(1)
srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Revoked, false, serverShutdownWaitGroup)

env, err := getVerifyCOSE("notary.x509", signature.KeyTypeRSA, 3072)
if err != nil {
t.Errorf("getVerifyCOSE() failed. Error = %s", err)
}
certs, ok := env.base.Headers.Unprotected[cose.HeaderLabelX5Chain].([]any)
if !ok || len(certs) == 0 {
t.Errorf("certificate chain is not present")
}
certs[0] = revokableCert.Raw
env.base.Headers.Unprotected[cose.HeaderLabelX5Chain] = certs
_, err = env.Verify()
expected := errors.New("certificate has been revoked")
if !isErrEqual(expected, err) {
t.Errorf("Verify() expects error: %v, but got: %v.", expected, err)
}

if err := srv.Shutdown(context.TODO()); err != nil {
t.Errorf("Error while shutting down server: %v", err)
}
serverShutdownWaitGroup.Wait()
})
t.Run("when COSE envelope has CRL revoked certificate", func(t *testing.T) {
revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
revokableCert := revokableCertTuple.Cert
revokableKey := revokableCertTuple.PrivateKey

serverShutdownWaitGroup := &sync.WaitGroup{}
serverShutdownWaitGroup.Add(1)
srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, true, serverShutdownWaitGroup)

env, err := getVerifyCOSE("notary.x509", signature.KeyTypeRSA, 3072)
if err != nil {
t.Errorf("getVerifyCOSE() failed. Error = %s", err)
}
certs, ok := env.base.Headers.Unprotected[cose.HeaderLabelX5Chain].([]any)
if !ok || len(certs) == 0 {
t.Errorf("certificate chain is not present")
}
certs[0] = revokableCert.Raw
env.base.Headers.Unprotected[cose.HeaderLabelX5Chain] = certs
_, err = env.Verify()
expected := errors.New("certificate has been revoked")
if !isErrEqual(expected, err) {
t.Errorf("Verify() expects error: %v, but got: %v.", expected, err)
}

if err := srv.Shutdown(context.TODO()); err != nil {
t.Errorf("Error while shutting down server: %v", err)
}
serverShutdownWaitGroup.Wait()
})
}

func TestPayloadErrors(t *testing.T) {
Expand Down
8 changes: 8 additions & 0 deletions signature/jws/envelope.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,14 @@ func (e *envelope) Verify() (*signature.EnvelopeContent, error) {
return nil, &signature.InvalidSignatureError{Msg: "malformed leaf certificate"}
}

rc := signature.NewRevocationChecker()
revoked, err := rc.CheckRevocationStatus(cert)
if err != nil {
return nil, err
} else if revoked {
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"}
}
Comment on lines +105 to +110
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be refactored as

Suggested change
revoked, err := rc.CheckRevocationStatus(cert)
if err != nil {
return nil, err
} else if revoked {
return nil, &signature.InvalidSignatureError{Msg: "certificate has been revoked"}
}
if err := rc.CheckRevocationStatus(cert); err != nil {
return nil, err
}

Caller just needs the error. The revoked value can be one type of error.


// verify JWT
compact := compactJWS(e.base)
if err = verifyJWT(compact, cert.PublicKey); err != nil {
Expand Down
82 changes: 82 additions & 0 deletions signature/jws/envelope_test.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package jws

import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/rand"
Expand All @@ -13,12 +14,14 @@ import (
"math"
"reflect"
"strings"
"sync"
"testing"
"time"

"github.com/notaryproject/notation-core-go/signature"
"github.com/notaryproject/notation-core-go/signature/internal/signaturetest"
"github.com/notaryproject/notation-core-go/testhelper"
"golang.org/x/crypto/ocsp"
)

// remoteMockSigner is used to mock remote signer
Expand Down Expand Up @@ -336,6 +339,85 @@ func TestVerify(t *testing.T) {
checkErrorEqual(t, "malformed leaf certificate", err.Error())
})

t.Run("nonrevoked certificate", func(t *testing.T) {
revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
revokableCert := revokableCertTuple.Cert
revokableKey := revokableCertTuple.PrivateKey

serverShutdownWaitGroup := &sync.WaitGroup{}
serverShutdownWaitGroup.Add(1)
srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, false, serverShutdownWaitGroup)

// get envelope
env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)
checkNoError(t, err)

// change cert to revokable cert
env.Header.CertChain[0] = revokableCert.Raw

// Integrity of the envelope has been invalidated, so signature will fail, but this is after revoke check
err = verifyEnvelope(env)
unexpected := errors.New("certificate has been revoked")
if err == unexpected {
t.Errorf("did not expect to not get error: %v, but got: %v.", unexpected, err)
}

if err := srv.Shutdown(context.TODO()); err != nil {
t.Errorf("Error while shutting down server: %v", err)
}
serverShutdownWaitGroup.Wait()
})

t.Run("OCSP revoked certificate", func(t *testing.T) {
revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
revokableCert := revokableCertTuple.Cert
revokableKey := revokableCertTuple.PrivateKey

serverShutdownWaitGroup := &sync.WaitGroup{}
serverShutdownWaitGroup.Add(1)
srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Revoked, false, serverShutdownWaitGroup)

// get envelope
env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)
checkNoError(t, err)

// change cert to revokable cert
env.Header.CertChain[0] = revokableCert.Raw

err = verifyEnvelope(env)
checkErrorEqual(t, "certificate has been revoked", err.Error())

if err := srv.Shutdown(context.TODO()); err != nil {
t.Errorf("Error while shutting down server: %v", err)
}
serverShutdownWaitGroup.Wait()
})

t.Run("CRL revoked certificate", func(t *testing.T) {
revokableCertTuple := testhelper.GetRevokableRSALeafCertificate()
revokableCert := revokableCertTuple.Cert
revokableKey := revokableCertTuple.PrivateKey

serverShutdownWaitGroup := &sync.WaitGroup{}
serverShutdownWaitGroup.Add(1)
srv := testhelper.MockServer(revokableCert, revokableKey, ocsp.Good, true, serverShutdownWaitGroup)

// get envelope
env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)
checkNoError(t, err)

// change cert to revokable cert
env.Header.CertChain[0] = revokableCert.Raw

err = verifyEnvelope(env)
checkErrorEqual(t, "certificate has been revoked", err.Error())

if err := srv.Shutdown(context.TODO()); err != nil {
t.Errorf("Error while shutting down server: %v", err)
}
serverShutdownWaitGroup.Wait()
})

t.Run("malformed protected header base64 encoded", func(t *testing.T) {
// get envelope
env, err := getSignedEnvelope(signature.SigningSchemeX509, true, extSignedAttr)
Expand Down
26 changes: 26 additions & 0 deletions signature/revocation.go
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please document all exported types and methods.

Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
package signature

import (
"crypto/x509"
"net/http"

"github.com/cloudflare/cfssl/revoke"
)

type RevocationChecker struct {
HTTPClient *http.Client
}

func NewRevocationChecker(httpClients ...http.Client) *RevocationChecker {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the scenario to take multiple http client?

if len(httpClients) == 0 {
return &RevocationChecker{HTTPClient: http.DefaultClient}
} else {
return &RevocationChecker{HTTPClient: &httpClients[0]}
}
}

func (r RevocationChecker) CheckRevocationStatus(cert *x509.Certificate) (bool, error) {
revoke.HTTPClient = r.HTTPClient
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting to a global variable revoke.HTTPClient is dangerous due to race conditions.

revoked, _, err := revoke.VerifyCertificateError(cert)
Copy link
Contributor

@priteshbandi priteshbandi Mar 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This method does more than revocation check which we dont want
https://github.com/cloudflare/cfssl/blob/master/revoke/revoke.go#L191-L202

return revoked, err
}
Loading