From 2345ed2274b39b7966e6641d78cad1e2ab236df7 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Mon, 15 Jul 2024 17:00:05 +0800
Subject: [PATCH 1/5] fix revocation authentic signing time

Signed-off-by: Patrick Zheng
---
 go.mod | 2 ++
 go.sum | 4 ++--
 verifier/verifier.go | 16 ++++++++++++----
 verifier/verifier_test.go | 33 +++++++++------------------------
 4 files changed, 25 insertions(+), 30 deletions(-)

diff --git a/go.mod b/go.mod
index 61e27ab5..a0372031 100644
--- a/go.mod
+++ b/go.mod
@@ -24,3 +24,5 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 golang.org/x/sync v0.6.0 // indirect
 )
+
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240715083411-74ad57be772a
diff --git a/go.sum b/go.sum
index de10e43d..c1e903cd 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240715083411-74ad57be772a h1:BFOKrz3zz6ii/r6SkDjgL0Ez6u+bjfgt5HLotpsF0oY=
+github.com/Two-Hearts/notation-core-go v0.0.0-20240715083411-74ad57be772a/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
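Review bot: The added `replace` directive redirects notation-core-go to what appears to be a fork under a personal account, `github.com/Two-Hearts/notation-core-go`, and the only integrity anchor for that code is the go.sum hash added in the same commit. Patch 2 of this series removes the directive again, but as a standalone commit this one builds a signature verifier against unreviewed code, and a bisect or cherry-pick would carry that state into a release. Squash the two commits or drop the `replace` before merging; pointing a security-critical module at a fork belongs in a local go.work, not in the committed module file.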
@@ -32,8 +34,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10 h1:kXRTRPpJqj7DuSxYxfrVKcfQ3CijRisPdQQrt/+Y1bE=
-github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10/go.mod h1:6DN+zUYRhXx7swFMVSrai5J+7jqyuOCru1q9G+SbFno=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo=
diff --git a/verifier/verifier.go b/verifier/verifier.go
index 4eeca168..90072d35 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -721,11 +721,19 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 }
 }
- authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
- if err != nil {
- logger.Debugf("Not using authentic signing time due to error retrieving AuthenticSigningTime, err: %v", err)
- authenticSigningTime = time.Time{}
+ var authenticSigningTime time.Time
+ var err error
+ if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
+ authenticSigningTime, err = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
+ if err != nil {
+ return ¬ation.ValidationResult{ Type: trustpolicy.TypeRevocation, Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation], Error: fmt.Errorf("unable to check revocation status, err: %s", err.Error()),
+ }
+ }
 }
+
 certResults, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime)
 if err != nil {
 logger.Debug("Error while checking revocation status, err: %s", err.Error())
diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go
index c8104012..d954bad4 100644
--- a/verifier/verifier_test.go
+++ b/verifier/verifier_test.go
@@ -623,18 +623,19 @@ func TestVerifyRevocation(t *testing.T) {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
 })
- t.Run("verifyRevocation zero signing time no invalidity", func(t *testing.T) {
+ t.Run("verifyRevocation zero signing time", func(t *testing.T) {
 revocationClient, err := revocation.New(revokedClient)
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
+ expectedErrMsg := "unable to check revocation status, err: authentic signing time must be present under signing scheme \"notary.x509.signingAuthority\""
 result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
+ if result.Error == nil || result.Error.Error() != expectedErrMsg {
+ t.Fatalf("expected verifyRevocation to fail with %s, but got %v", expectedErrMsg, result.Error)
+ }
 if !zeroTime.IsZero() {
 t.Fatalf("exected zeroTime.IsZero() to be true")
 }
- if result.Error == nil || result.Error.Error() != revokedMsg {
- t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
- }
 })
 t.Run("verifyRevocation older signing time with invalidity", func(t *testing.T) {
 revocationClient, err := revocation.New(revokedInvalidityClient)
@@ -646,19 +647,6 @@ func TestVerifyRevocation(t *testing.T) {
 t.Fatalf("expected verifyRevocation to succeed, but got %v", result.Error)
 }
 })
- t.Run("verifyRevocation zero signing time with invalidity", func(t *testing.T) {
- revocationClient, err := revocation.New(revokedInvalidityClient)
- if err != nil {
- t.Fatalf("unexpected error while creating revocation object: %v", err)
- }
- result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
- if !zeroTime.IsZero() {
- t.Fatalf("exected zeroTime.IsZero() to be true")
- }
- if result.Error == nil || result.Error.Error() != revokedMsg {
- t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
- }
- })
 t.Run("verifyRevocation non-authentic signing time with invalidity", func(t *testing.T) {
 revocationClient, err := revocation.New(revokedInvalidityClient)
 if err != nil {
@@ -666,16 +654,13 @@ func TestVerifyRevocation(t *testing.T) {
 }
 // Specifying older signing time (which should succeed), but will use zero time since no authentic signing time
 outcome := createMockOutcome(revokableChain, time.Now().Add(-4*time.Hour))
- outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme = "unsupported scheme"
-
- time, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
- expectedErr := errors.New("authenticSigningTime not found")
- if !time.IsZero() || err == nil || err.Error() != expectedErr.Error() {
+ outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme = "notary.x509"
+ authenticSigningTime, err := outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
+ expectedErr := errors.New("authentic signing time not supported under signing scheme \"notary.x509\"")
+ if !authenticSigningTime.IsZero() || err == nil || err.Error() != expectedErr.Error() {
 t.Fatalf("expected AuthenticSigningTime to fail with %v, but got %v", expectedErr, err)
 }
-
 result := verifyRevocation(outcome, revocationClient, logger)
-
 if result.Error == nil || result.Error.Error() != revokedMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }

From e6e7c07f2494b4a0d23597a503f9900c15389772 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Tue, 16 Jul 2024 13:50:59 +0800
Subject: [PATCH 2/5] updated notation-core-go

Signed-off-by: Patrick Zheng
---
 go.mod | 4 +---
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index a0372031..0275b5f5 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.21
 require (
 github.com/go-ldap/ldap/v3 v3.4.8
- github.com/notaryproject/notation-core-go v1.0.4-0.20240708015912-faac9b7f3f10
+ github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b
 github.com/notaryproject/notation-plugin-framework-go v1.0.0
 github.com/notaryproject/tspclient-go v0.1.0
 github.com/opencontainers/go-digest v1.0.0
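Review bot: The rewritten assertion still compares `err.Error()` against the dependency's exact wording, `authentic signing time not supported under signing scheme "notary.x509"`, so this subtest breaks whenever notation-core-go rephrases its message — the removed line shows the previous wording, `authenticSigningTime not found`, which is exactly what this commit has to replace after switching the dependency. The property the test needs is that the call fails and returns the zero time, so `if !authenticSigningTime.IsZero() || err == nil {` is sufficient, with `errors.Is` against an exported sentinel if the dependency provides one. The comment `but will use zero time since no authentic signing time` would also help a reader if it said that the zero time is the reason `revokedMsg` is expected further down. The enclosing TestVerifyRevocation starts and ends outside the hunk.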
@@ -24,5 +24,3 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 golang.org/x/sync v0.6.0 // indirect
 )
-
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240715083411-74ad57be772a
diff --git a/go.sum b/go.sum
index c1e903cd..eeca3607 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,5 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240715083411-74ad57be772a h1:BFOKrz3zz6ii/r6SkDjgL0Ez6u+bjfgt5HLotpsF0oY=
-github.com/Two-Hearts/notation-core-go v0.0.0-20240715083411-74ad57be772a/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -34,6 +32,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw=
+github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.1.0 h1:kmtQuN32iwBAizOhPr+NZsxCErydoGcrfQy1ppJi5Vo=

From 1c7e7851896ec4584b12adf98de59434ebf94bdc Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Wed, 17 Jul 2024 09:52:00 +0800
Subject: [PATCH 3/5] update

Signed-off-by: Patrick Zheng
---
 verifier/verifier.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verifier/verifier.go b/verifier/verifier.go
index 90072d35..9ebfd0d6 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -722,8 +722,8 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 }
 var authenticSigningTime time.Time
- var err error
 if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
+ var err error
 authenticSigningTime, err = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
 if err != nil {
 return ¬ation.ValidationResult{

From 4e7026dda6443d164156178358a72f736b63d96e Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 19 Jul 2024 08:46:16 +0800
Subject: [PATCH 4/5] update
Signed-off-by: Patrick Zheng
---
 verifier/verifier.go | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/verifier/verifier.go b/verifier/verifier.go
index 5843b8b3..575fa610 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -723,15 +723,7 @@ func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revoca
 var authenticSigningTime time.Time
 if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
- var err error
- authenticSigningTime, err = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
- if err != nil {
- return ¬ation.ValidationResult{
- Type: trustpolicy.TypeRevocation,
- Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation],
- Error: fmt.Errorf("unable to check revocation status, err: %s", err.Error()),
- }
- }
+ authenticSigningTime, _ = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
 }
 certResults, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime)

From 3158202985b0de14b93dfd0d7ce49b1f2728d485 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 19 Jul 2024 08:48:11 +0800
Subject: [PATCH 5/5] update

Signed-off-by: Patrick Zheng
---
 verifier/verifier_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go
index d954bad4..3e213119 100644
--- a/verifier/verifier_test.go
+++ b/verifier/verifier_test.go
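Review bot: The blank identifier in `authenticSigningTime, _ = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()` discards the error, so a signingAuthority-scheme signature whose authentic signing time is missing or unparsable is checked against the zero time with no trace in the log, and the `logger.Debugf` that patch 1 removed is not restored. The tests in this series show the zero time is the conservative outcome (the revoked certificate is reported revoked regardless of its invalidity date), so the fallback looks intentional, but an ignored error inside a revocation check needs a comment saying why it is safe, and a debug log so an operator can tell why the signing time was not used. The assignment to `time.Time{}` below makes the fallback explicit rather than relying on the callee returning a zero value on error; the `r.Validate` call and the rest of verifyRevocation, whose start and end lie outside the hunk, stay as they are.
```go
	if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
		var err error
		authenticSigningTime, err = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
		if err != nil {
			// Deliberate fallback, not a hard failure: Validate then runs with
			// the zero time, which the revocation tests in this series treat as
			// fail-closed (a revoked certificate is reported revoked regardless
			// of when it was revoked).
			logger.Debugf("Not using authentic signing time, err: %v", err)
			authenticSigningTime = time.Time{}
		}
	}
	// … unchanged: r.Validate call and result handling …
```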
@@ -628,7 +628,7 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- expectedErrMsg := "unable to check revocation status, err: authentic signing time must be present under signing scheme \"notary.x509.signingAuthority\""
+ expectedErrMsg := "signing certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\" is revoked"
 result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
 if result.Error == nil || result.Error.Error() != expectedErrMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", expectedErrMsg, result.Error)
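Review bot: `expectedErrMsg` now hard-codes the full subject of the revoked test certificate, while the neighbouring subtests in this file compare against `revokedMsg` (the lines patch 1 removed from this very subtest did too); if that variable carries the same text, reuse it: `if result.Error == nil || result.Error.Error() != revokedMsg {`. This subtest is also the only place that documents what a zero signing time means after patch 4 dropped the hard error, so a one-line comment such as `// no authentic signing time: revocation is checked without a time cutoff, so the revoked certificate must be reported` would keep that intent visible next to the assertion. The enclosing TestVerifyRevocation starts and ends outside the hunk.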