From b79412aeea9845bb43d3e2beb8efc8ff3a5fa723 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 30 Jul 2024 12:38:22 +0800 Subject: [PATCH 01/12] updated revocation Signed-off-by: Patrick Zheng --- go.mod | 2 ++ go.sum | 4 ++-- verifier/timestamp_test.go | 5 ++++- verifier/verifier.go | 18 ++++++++++++------ verifier/verifier_test.go | 5 ++++- 5 files changed, 24 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 29e957b1..a2ae16c9 100644 --- a/go.mod +++ b/go.mod @@ -24,3 +24,5 @@ require ( github.com/x448/float16 v0.8.4 // indirect golang.org/x/sync v0.6.0 // indirect ) + +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240730042226-e19d36b91b8d diff --git a/go.sum b/go.sum index 34b798e3..32ecc49e 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/Two-Hearts/notation-core-go v0.0.0-20240730042226-e19d36b91b8d h1:pCb3QB5UpjJ1A7ycsmX3xLRETFtJJKKH/DB5M5d/uOQ= +github.com/Two-Hearts/notation-core-go v0.0.0-20240730042226-e19d36b91b8d/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
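Review bot: The `replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240730042226-e19d36b91b8d` directive redirects the signature-verification core to a personal fork outside the notaryproject org; that is workable while the new revocation API is being iterated, but it must not survive to the merged branch, since every consumer of this module would then build its verifier against the fork. Consider marking the intent on the line itself, `replace ... // TEMPORARY: drop once notation-core-go tags the Validator API`, so it cannot be overlooked when the series lands. The pseudo-version does pin one commit and go.sum records its hashes, so what is fetched is integrity-protected; the concern is provenance and review of that fork's changes, not tampering in transit.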
@@ -32,8 +34,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= -github.com/notaryproject/notation-core-go v1.1.0-beta.1 h1:Rpg8qhoEo4nIdiAWz597lbEcvEmjKwJLUtvJqXa8M4c= -github.com/notaryproject/notation-core-go v1.1.0-beta.1/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= diff --git a/verifier/timestamp_test.go b/verifier/timestamp_test.go index 288014de..380f3533 100644 --- a/verifier/timestamp_test.go +++ b/verifier/timestamp_test.go @@ -44,7 +44,10 @@ func TestAuthenticTimestamp(t *testing.T) { TrustStores: []string{"ca:valid-trust-store", "tsa:test-timestamp"}, TrustedIdentities: []string{"*"}, } - revocationTimestsampClient, err := revocation.NewTimestamp(&http.Client{Timeout: 5 * time.Second}) + revocationTimestsampClient, err := revocation.NewWithOptions(revocation.Options{ + OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, + CertChainPurpose: x509.ExtKeyUsageTimeStamping, + }) if err != nil { t.Fatalf("failed to get revocation timestamp client: %v", err) } diff --git a/verifier/verifier.go b/verifier/verifier.go index 30cc1ef5..94438ef8 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go 
@@ -63,7 +63,7 @@ type verifier struct { trustStore truststore.X509TrustStore pluginManager plugin.Manager revocationClient revocation.Revocation - revocationTimestampClient revocation.Revocation + revocationTimestampClient revocation.ContextRevocation } // VerifierOptions specifies additional parameters that can be set when using @@ -75,7 +75,7 @@ type VerifierOptions struct { // RevocationTimestampClient is an implementaion of evocation.Revocation to // use for verifying revocation of timestamping certificate chain - RevocationTimestampClient revocation.Revocation + RevocationTimestampClient revocation.ContextRevocation } // NewOCIVerifierFromConfig returns a OCI verifier based on local file system @@ -132,7 +132,10 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo revocationTimestampClient := verifierOptions.RevocationTimestampClient if revocationTimestampClient == nil { var err error - revocationTimestampClient, err = revocation.NewTimestamp(&http.Client{Timeout: 2 * time.Second}) + revocationTimestampClient, err = revocation.NewWithOptions(revocation.Options{ + OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, + CertChainPurpose: x509.ExtKeyUsageTimeStamping, + }) if err != nil { return nil, err } 
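Review bot: The default timestamping revocation validator built in the `revocationTimestampClient == nil` branch configures only `OCSPHTTPClient` with a 2 s timeout; if the forked core library also fetches CRLs through `revocation.Options`, that path is left to whatever default client the library chooses, outside this verifier's timeout — worth confirming against the fork and, if so, setting explicitly. The `2 * time.Second` literal is also the only record of why the bound exists; a comment such as `// bounded so an unreachable OCSP responder cannot stall verification; the failure surfaces as a revocation result decided by the trust policy` would make the intent reviewable. `NewVerifierWithOptions` continues past this hunk, so where the constructed validator is stored is not visible here.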
@@ -678,7 +681,7 @@ func verifyExpiry(outcome *notation.VerificationOutcome) *notation.ValidationRes } } -func verifyAuthenticTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.Revocation, outcome *notation.VerificationOutcome) *notation.ValidationResult { +func verifyAuthenticTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.ContextRevocation, outcome *notation.VerificationOutcome) *notation.ValidationResult { logger := log.GetLogger(ctx) signerInfo := outcome.EnvelopeContent.SignerInfo @@ -906,7 +909,7 @@ func isRequiredVerificationPluginVer(pluginVer string, minPluginVer string) bool // verifyTimestamp provides core verification logic of authentic timestamp under // signing scheme `notary.x509`. -func verifyTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.Revocation, outcome *notation.VerificationOutcome) error { +func verifyTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.ContextRevocation, outcome *notation.VerificationOutcome) error { logger := log.GetLogger(ctx) signerInfo := outcome.EnvelopeContent.SignerInfo 
@@ -1019,7 +1022,10 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin // 5. Perform the timestamping certificate chain revocation check logger.Debug("Checking timestamping certificate chain revocation...") - certResults, err := r.Validate(tsaCertChain, time.Time{}) + certResults, err := r.ValidateContext(ctx, revocation.ValidateContextOptions{ + CertChain: tsaCertChain, + AuthenticSigningTime: time.Time{}, + }) if err != nil { return fmt.Errorf("failed to check timestamping certificate chain revocation with error: %w", err) } diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go index 9489dfae..6537bb6c 100644 --- a/verifier/verifier_test.go +++ b/verifier/verifier_test.go @@ -725,7 +725,10 @@ func TestNewVerifierWithOptionsError(t *testing.T) { if err != nil { t.Fatalf("unexpected error while creating revocation object: %v", err) } - rt, err := revocation.NewTimestamp(&http.Client{}) + rt, err := revocation.NewWithOptions(revocation.Options{ + OCSPHTTPClient: &http.Client{}, + CertChainPurpose: x509.ExtKeyUsageTimeStamping, + }) if err != nil { t.Fatalf("unexpected error while creating revocation timestamp object: %v", err) } From 8a8176043a8224006479354568e9c117e8660431 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 30 Jul 2024 15:57:33 +0800 Subject: [PATCH 02/12] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- verifier/verifier.go | 34 +++++++++++++++++----------------- verifier/verifier_test.go | 4 ++-- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/go.mod b/go.mod index a2ae16c9..03e11f14 100644 --- a/go.mod +++ b/go.mod @@ -25,4 +25,4 @@ require ( golang.org/x/sync v0.6.0 // indirect ) -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240730042226-e19d36b91b8d +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240730073616-5d5043a8f812 
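Review bot: `AuthenticSigningTime: time.Time{}` passes a zero time to `ValidateContext` without saying why, and a reader comparing it with the code-signing path in this file (which derives an authentic signing time from the envelope) may take it for an oversight. If the intent is that the TSA chain is checked as of now because the timestamp token is itself the evidence of signing time, record it on that line: `AuthenticSigningTime: time.Time{}, // zero: check the TSA chain as of now; the token is the evidence of time, not an input to its own revocation check`. How the forked library interprets a zero `AuthenticSigningTime` is not visible here; confirm it means "no authentic time" rather than the Unix epoch. `verifyTimestamp` begins outside this hunk.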
diff --git a/go.sum b/go.sum index 32ecc49e..30b04032 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240730042226-e19d36b91b8d h1:pCb3QB5UpjJ1A7ycsmX3xLRETFtJJKKH/DB5M5d/uOQ= -github.com/Two-Hearts/notation-core-go v0.0.0-20240730042226-e19d36b91b8d/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= +github.com/Two-Hearts/notation-core-go v0.0.0-20240730073616-5d5043a8f812 h1:pEH1o/4qUb5+D2LC4n4ZWscXYsGht4ri3ZfyKTP6WlM= +github.com/Two-Hearts/notation-core-go v0.0.0-20240730073616-5d5043a8f812/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/verifier/verifier.go b/verifier/verifier.go index 94438ef8..6d395ed4 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go 
@@ -58,12 +58,12 @@ var algorithms = map[crypto.Hash]digest.Algorithm{ // verifier implements notation.Verifier, notation.BlobVerifier and notation.verifySkipper type verifier struct { - ociTrustPolicyDoc *trustpolicy.OCIDocument - blobTrustPolicyDoc *trustpolicy.BlobDocument - trustStore truststore.X509TrustStore - pluginManager plugin.Manager - revocationClient revocation.Revocation - revocationTimestampClient revocation.ContextRevocation + ociTrustPolicyDoc *trustpolicy.OCIDocument + blobTrustPolicyDoc *trustpolicy.BlobDocument + trustStore truststore.X509TrustStore + pluginManager plugin.Manager + revocationClient revocation.Revocation + contextRevocationTimestampClient revocation.ContextRevocation } // VerifierOptions specifies additional parameters that can be set when using @@ -73,9 +73,9 @@ type VerifierOptions struct { // verifying revocation of code signing certificate chain RevocationClient revocation.Revocation - // RevocationTimestampClient is an implementaion of evocation.Revocation to - // use for verifying revocation of timestamping certificate chain - RevocationTimestampClient revocation.ContextRevocation + // ContextRevocationTimestampClient is used for verifying revocation of + // timestamping certificate chain with context. + ContextRevocationTimestampClient revocation.ContextRevocation } // NewOCIVerifierFromConfig returns a OCI verifier based on local file system @@ -129,7 +129,7 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo } } - revocationTimestampClient := verifierOptions.RevocationTimestampClient + revocationTimestampClient := verifierOptions.ContextRevocationTimestampClient if revocationTimestampClient == nil { var err error revocationTimestampClient, err = revocation.NewWithOptions(revocation.Options{ 
@@ -162,12 +162,12 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo } return &verifier{ - ociTrustPolicyDoc: ociTrustPolicy, - blobTrustPolicyDoc: blobTrustPolicy, - trustStore: trustStore, - pluginManager: pluginManager, - revocationClient: revocationClient, - revocationTimestampClient: revocationTimestampClient, + ociTrustPolicyDoc: ociTrustPolicy, + blobTrustPolicyDoc: blobTrustPolicy, + trustStore: trustStore, + pluginManager: pluginManager, + revocationClient: revocationClient, + contextRevocationTimestampClient: revocationTimestampClient, }, nil } @@ -464,7 +464,7 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop // verify authentic timestamp logger.Debug("Validating authentic timestamp") - authenticTimestampResult := verifyAuthenticTimestamp(ctx, policyName, trustStores, signatureVerification, v.trustStore, v.revocationTimestampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(ctx, policyName, trustStores, signatureVerification, v.trustStore, v.contextRevocationTimestampClient, outcome) outcome.VerificationResults = append(outcome.VerificationResults, authenticTimestampResult) logVerificationResult(logger, authenticTimestampResult) if isCriticalFailure(authenticTimestampResult) { diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go index 6537bb6c..b9043b36 100644 --- a/verifier/verifier_test.go +++ b/verifier/verifier_test.go @@ -733,8 +733,8 @@ func TestNewVerifierWithOptionsError(t *testing.T) { t.Fatalf("unexpected error while creating revocation timestamp object: %v", err) } opts := VerifierOptions{ - RevocationClient: r, - RevocationTimestampClient: rt, + RevocationClient: r, + ContextRevocationTimestampClient: rt, } _, err = NewVerifierWithOptions(nil, nil, store, pm, opts) From 5354b7c7bef5909811ec100cdd31416282bbeb5a Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 31 Jul 2024 16:16:40 +0800 Subject: [PATCH 03/12] updated revocation 
Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 +- verifier/verifier.go | 194 ++++++++++++++++++++++---------------- verifier/verifier_test.go | 106 +++++++++++++++++---- 4 files changed, 205 insertions(+), 101 deletions(-) diff --git a/go.mod b/go.mod index 03e11f14..7ad5fdef 100644 --- a/go.mod +++ b/go.mod @@ -25,4 +25,4 @@ require ( golang.org/x/sync v0.6.0 // indirect ) -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240730073616-5d5043a8f812 +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240731063103-74357d901612 diff --git a/go.sum b/go.sum index 30b04032..10c5e46c 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240730073616-5d5043a8f812 h1:pEH1o/4qUb5+D2LC4n4ZWscXYsGht4ri3ZfyKTP6WlM= -github.com/Two-Hearts/notation-core-go v0.0.0-20240730073616-5d5043a8f812/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= +github.com/Two-Hearts/notation-core-go v0.0.0-20240731063103-74357d901612 h1:M/QbcNnsTqwuQp0/EhDS+CU89SvbdH2jFfMzg6YIDhI= +github.com/Two-Hearts/notation-core-go v0.0.0-20240731063103-74357d901612/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/verifier/verifier.go b/verifier/verifier.go index 6d395ed4..4a311670 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go 
@@ -58,12 +58,13 @@ var algorithms = map[crypto.Hash]digest.Algorithm{ // verifier implements notation.Verifier, notation.BlobVerifier and notation.verifySkipper type verifier struct { - ociTrustPolicyDoc *trustpolicy.OCIDocument - blobTrustPolicyDoc *trustpolicy.BlobDocument - trustStore truststore.X509TrustStore - pluginManager plugin.Manager - revocationClient revocation.Revocation - contextRevocationTimestampClient revocation.ContextRevocation + ociTrustPolicyDoc *trustpolicy.OCIDocument + blobTrustPolicyDoc *trustpolicy.BlobDocument + trustStore truststore.X509TrustStore + pluginManager plugin.Manager + revocationClient revocation.Revocation + revocationCodeSigningValidator revocation.Validator + revocationTimestampingValidator revocation.Validator } // VerifierOptions specifies additional parameters that can be set when using @@ -71,11 +72,19 @@ type verifier struct { type VerifierOptions struct { // RevocationClient is an implementation of revocation.Revocation to use for // verifying revocation of code signing certificate chain + // + // Deprecated: RevocationClient exists for backwards compatibility and + // should not be used. To perform code signing certificate chain revocation + // check, use [RevocationCodeSigningValidator]. RevocationClient revocation.Revocation - // ContextRevocationTimestampClient is used for verifying revocation of + // RevocationTimestampingValidator is used for verifying revocation of + // code signing certificate chain with context. + RevocationCodeSigningValidator revocation.Validator + + // RevocationTimestampingValidator is used for verifying revocation of // timestamping certificate chain with context. - ContextRevocationTimestampClient revocation.ContextRevocation + RevocationTimestampingValidator revocation.Validator } // NewOCIVerifierFromConfig returns a OCI verifier based on local file system 
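Review bot: The doc comment on the new `RevocationCodeSigningValidator` field reads `// RevocationTimestampingValidator is used for verifying revocation of code signing certificate chain with context.`, a copy of the comment on the field below it; it should open with the field's own name, `// RevocationCodeSigningValidator is used for verifying revocation of the code signing certificate chain with context.`, so godoc and the `use [RevocationCodeSigningValidator]` pointer in the deprecation note on `RevocationClient` resolve to the right field. The deprecation note should also say what happens when a caller sets both `RevocationClient` and `RevocationCodeSigningValidator`, because nothing in this hunk states which one wins. Both `verifier` and `VerifierOptions` fit entirely within the hunk.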
@@ -120,19 +129,10 @@ func NewVerifier(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPolicy *trust // NewVerifierWithOptions creates a new verifier given ociTrustPolicy, blobTrustPolicy, // trustStore, pluginManager, and verifierOptions func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPolicy *trustpolicy.BlobDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, verifierOptions VerifierOptions) (*verifier, error) { - revocationClient := verifierOptions.RevocationClient - if revocationClient == nil { - var err error - revocationClient, err = revocation.New(&http.Client{Timeout: 2 * time.Second}) - if err != nil { - return nil, err - } - } - - revocationTimestampClient := verifierOptions.ContextRevocationTimestampClient - if revocationTimestampClient == nil { - var err error - revocationTimestampClient, err = revocation.NewWithOptions(revocation.Options{ + revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator + var err error + if revocationTimestampingValidator == nil { + revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, CertChainPurpose: x509.ExtKeyUsageTimeStamping, }) 
@@ -140,35 +140,34 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo return nil, err } } - if trustStore == nil { return nil, errors.New("trustStore cannot be nil") } - if ociTrustPolicy == nil && blobTrustPolicy == nil { return nil, errors.New("ociTrustPolicy and blobTrustPolicy both cannot be nil") } - if ociTrustPolicy != nil { if err := ociTrustPolicy.Validate(); err != nil { return nil, err } } - if blobTrustPolicy != nil { if err := blobTrustPolicy.Validate(); err != nil { return nil, err } } + v := &verifier{ + ociTrustPolicyDoc: ociTrustPolicy, + blobTrustPolicyDoc: blobTrustPolicy, + trustStore: trustStore, + pluginManager: pluginManager, + revocationTimestampingValidator: revocationTimestampingValidator, + } - return &verifier{ - ociTrustPolicyDoc: ociTrustPolicy, - blobTrustPolicyDoc: blobTrustPolicy, - trustStore: trustStore, - pluginManager: pluginManager, - revocationClient: revocationClient, - contextRevocationTimestampClient: revocationTimestampClient, - }, nil + if err := v.setCodeSigningRevocation(verifierOptions); err != nil { + return nil, err + } + return v, nil } // NewFromConfig returns a OCI verifier based on local file system 
@@ -185,6 +184,32 @@ func New(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509Trus return NewVerifier(ociTrustPolicy, nil, trustStore, pluginManager) } +// setCodeSigningRevocation sets code signing revocation object of v +func (v *verifier) setCodeSigningRevocation(verifierOptions VerifierOptions) error { + revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator + if revocationCodeSigningValidator != nil { + v.revocationCodeSigningValidator = revocationCodeSigningValidator + return nil + } + revocationClient := verifierOptions.RevocationClient + if revocationClient != nil { + v.revocationClient = revocationClient + return nil + } + + // both RevocationCodeSigningValidator and RevocationClient are nil + var err error + revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{ + OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, + CertChainPurpose: x509.ExtKeyUsageCodeSigning, + }) + if err != nil { + return err + } + v.revocationCodeSigningValidator = revocationCodeSigningValidator + return nil +} + // SkipVerify validates whether the verification level is skip. func (v *verifier) SkipVerify(ctx context.Context, opts notation.VerifierVerifyOptions) (bool, *trustpolicy.VerificationLevel, error) { logger := log.GetLogger(ctx) 
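Review bot: When both `RevocationCodeSigningValidator` and the deprecated `RevocationClient` are supplied, `setCodeSigningRevocation` keeps the validator and silently ignores the client, so a caller who still configures a custom client on the old field gets no signal that it is unused. Either reject the combination before the first assignment, `return errors.New("RevocationClient and RevocationCodeSigningValidator cannot both be set")`, or state the precedence in the function comment, e.g. `// A non-nil RevocationCodeSigningValidator takes precedence; the deprecated RevocationClient is only used when it is nil.`. The fallback also duplicates the `&http.Client{Timeout: 2 * time.Second}` literal already used for the default timestamping validator in this file; hoisting it into one named constant, `const defaultRevocationHTTPTimeout = 2 * time.Second`, keeps the two network timeouts from drifting apart. The function is complete within the hunk.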
@@ -464,7 +489,7 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop // verify authentic timestamp logger.Debug("Validating authentic timestamp") - authenticTimestampResult := verifyAuthenticTimestamp(ctx, policyName, trustStores, signatureVerification, v.trustStore, v.contextRevocationTimestampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(ctx, policyName, trustStores, signatureVerification, v.trustStore, v.revocationTimestampingValidator, outcome) outcome.VerificationResults = append(outcome.VerificationResults, authenticTimestampResult) logVerificationResult(logger, authenticTimestampResult) if isCriticalFailure(authenticTimestampResult) { @@ -478,7 +503,7 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop !slices.Contains(pluginCapabilities, pluginframework.CapabilityRevocationCheckVerifier) { logger.Debug("Validating revocation") - revocationResult := verifyRevocation(outcome, v.revocationClient, logger) + revocationResult := v.verifyRevocation(ctx, outcome) outcome.VerificationResults = append(outcome.VerificationResults, revocationResult) logVerificationResult(logger, revocationResult) if isCriticalFailure(revocationResult) { 
@@ -512,6 +537,59 @@ func (v *verifier) processSignature(ctx context.Context, sigBlob []byte, envelop return nil } +func (v *verifier) verifyRevocation(ctx context.Context, outcome *notation.VerificationOutcome) *notation.ValidationResult { + logger := log.GetLogger(ctx) + + if v.revocationCodeSigningValidator == nil && v.revocationClient == nil { + return ¬ation.ValidationResult{ + Type: trustpolicy.TypeRevocation, + Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation], + Error: fmt.Errorf("unable to check revocation status, code signing revocation validator cannot be nil"), + } + } + + var authenticSigningTime time.Time + if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority { + authenticSigningTime, _ = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime() + } + + var certResults []*revocationresult.CertRevocationResult + var err error + if v.revocationCodeSigningValidator != nil { + certResults, err = v.revocationCodeSigningValidator.ValidateContext(ctx, revocation.ValidateContextOptions{ + CertChain: outcome.EnvelopeContent.SignerInfo.CertificateChain, + AuthenticSigningTime: authenticSigningTime, + }) + } else { + certResults, err = v.revocationClient.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime) + } + if err != nil { + logger.Debug("Error while checking revocation status, err: %s", err.Error()) + return ¬ation.ValidationResult{ + Type: trustpolicy.TypeRevocation, + Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation], + Error: fmt.Errorf("unable to check revocation status, err: %s", err.Error()), + } + } + + result := ¬ation.ValidationResult{ + Type: trustpolicy.TypeRevocation, + Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation], + } + finalResult, problematicCertSubject := revocationFinalResult(certResults, outcome.EnvelopeContent.SignerInfo.CertificateChain, logger) + switch finalResult { 
+ case revocationresult.ResultOK: + logger.Debug("No verification impacting errors encountered while checking revocation, status is OK") + case revocationresult.ResultRevoked: + result.Error = fmt.Errorf("signing certificate with subject %q is revoked", problematicCertSubject) + default: + // revocationresult.ResultUnknown + result.Error = fmt.Errorf("signing certificate with subject %q revocation status is unknown", problematicCertSubject) + } + + return result +} + func processPluginResponse(capabilitiesToVerify []pluginframework.Capability, response *pluginframework.VerifySignatureResponse, outcome *notation.VerificationOutcome) error { verificationPluginName, err := getVerificationPlugin(&outcome.EnvelopeContent.SignerInfo) if err != nil { @@ -681,7 +759,7 @@ func verifyExpiry(outcome *notation.VerificationOutcome) *notation.ValidationRes } } -func verifyAuthenticTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.ContextRevocation, outcome *notation.VerificationOutcome) *notation.ValidationResult { +func verifyAuthenticTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.Validator, outcome *notation.VerificationOutcome) *notation.ValidationResult { logger := log.GetLogger(ctx) signerInfo := outcome.EnvelopeContent.SignerInfo 
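Review bot: `authenticSigningTime, _ = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()` discards the error, so under the `SigningSchemeX509SigningAuthority` scheme a failure to extract the authentic signing time silently degrades into a zero-time revocation check rather than a verification failure; the envelope parser may already guarantee the attribute is present, but this function should not depend on that. The new validator branch also propagates `ctx`, while the legacy `v.revocationClient.Validate` branch cannot, so deadlines and cancellation stop at this function for callers still on the deprecated client — worth a comment on that `else`. While here, `fmt.Errorf("unable to check revocation status, err: %w", err)` yields the same text as the `%s` form (so `TestVerifyRevocation`'s exact-message checks still pass) and additionally lets callers use `errors.Is`/`errors.As` on the underlying OCSP error. `verifyRevocation` is complete within the hunk.
```go
var authenticSigningTime time.Time
if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority {
	var err error
	authenticSigningTime, err = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime()
	if err != nil {
		return &notation.ValidationResult{
			Type:   trustpolicy.TypeRevocation,
			Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation],
			Error:  fmt.Errorf("unable to check revocation status, err: %w", err),
		}
	}
}
// … unchanged: validator / legacy client dispatch and result mapping …
```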
@@ -715,48 +793,6 @@ func verifyAuthenticTimestamp(ctx context.Context, policyName string, trustStore } } -func verifyRevocation(outcome *notation.VerificationOutcome, r revocation.Revocation, logger log.Logger) *notation.ValidationResult { - if r == nil { - return ¬ation.ValidationResult{ - Type: trustpolicy.TypeRevocation, - Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation], - Error: fmt.Errorf("unable to check revocation status, revocation client cannot be nil"), - } - } - - var authenticSigningTime time.Time - if outcome.EnvelopeContent.SignerInfo.SignedAttributes.SigningScheme == signature.SigningSchemeX509SigningAuthority { - authenticSigningTime, _ = outcome.EnvelopeContent.SignerInfo.AuthenticSigningTime() - } - - certResults, err := r.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime) - if err != nil { - logger.Debug("Error while checking revocation status, err: %s", err.Error()) - return ¬ation.ValidationResult{ - Type: trustpolicy.TypeRevocation, - Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation], - Error: fmt.Errorf("unable to check revocation status, err: %s", err.Error()), - } - } - - result := ¬ation.ValidationResult{ - Type: trustpolicy.TypeRevocation, - Action: outcome.VerificationLevel.Enforcement[trustpolicy.TypeRevocation], - } - finalResult, problematicCertSubject := revocationFinalResult(certResults, outcome.EnvelopeContent.SignerInfo.CertificateChain, logger) - switch finalResult { - case revocationresult.ResultOK: - logger.Debug("No verification impacting errors encountered while checking revocation, status is OK") - case revocationresult.ResultRevoked: - result.Error = fmt.Errorf("signing certificate with subject %q is revoked", problematicCertSubject) - default: - // revocationresult.ResultUnknown - result.Error = fmt.Errorf("signing certificate with subject %q revocation status is unknown", problematicCertSubject) - } - - return result -} - // 
revocationFinalResult returns the final revocation result and problematic // certificate subject if the final result is not ResultOK func revocationFinalResult(certResults []*revocationresult.CertRevocationResult, certChain []*x509.Certificate, logger log.Logger) (revocationresult.Result, string) { @@ -909,7 +945,7 @@ func isRequiredVerificationPluginVer(pluginVer string, minPluginVer string) bool // verifyTimestamp provides core verification logic of authentic timestamp under // signing scheme `notary.x509`. -func verifyTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.ContextRevocation, outcome *notation.VerificationOutcome) error { +func verifyTimestamp(ctx context.Context, policyName string, trustStores []string, signatureVerification trustpolicy.SignatureVerification, x509TrustStore truststore.X509TrustStore, r revocation.Validator, outcome *notation.VerificationOutcome) error { logger := log.GetLogger(ctx) signerInfo := outcome.EnvelopeContent.SignerInfo diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go index b9043b36..728aa0d9 100644 --- a/verifier/verifier_test.go +++ b/verifier/verifier_test.go @@ -38,7 +38,6 @@ import ( "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation-go/internal/envelope" "github.com/notaryproject/notation-go/internal/mock" - "github.com/notaryproject/notation-go/log" "github.com/notaryproject/notation-go/plugin/proto" "github.com/notaryproject/notation-go/signer" "github.com/notaryproject/notation-go/verifier/trustpolicy" @@ -491,7 +490,6 @@ func createMockOutcome(certChain []*x509.Certificate, signingTime time.Time) *no } func TestVerifyRevocation(t *testing.T) { - logger := log.GetLogger(context.Background()) zeroTime := time.Time{} revokableTuples := testhelper.GetRevokableRSAChain(3) 
@@ -514,10 +512,12 @@ func TestVerifyRevocation(t *testing.T) { unknownMsg := fmt.Sprintf("signing certificate with subject %q revocation status is unknown", revokableChain[0].Subject.String()) revokedMsg := fmt.Sprintf("signing certificate with subject %q is revoked", revokableChain[0].Subject.String()) multiMsg := fmt.Sprintf("signing certificate with subject %q is revoked", revokableChain[1].Subject.String()) + ctx := context.Background() t.Run("verifyRevocation nil client", func(t *testing.T) { - result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), nil, logger) - expectedErrMsg := "unable to check revocation status, revocation client cannot be nil" + v := &verifier{} + result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now())) + expectedErrMsg := "unable to check revocation status, code signing revocation validator cannot be nil" if result.Error == nil || result.Error.Error() != expectedErrMsg { t.Fatalf("expected verifyRevocation to fail with %s, but got %v", expectedErrMsg, result.Error) } 
@@ -527,7 +527,10 @@ func TestVerifyRevocation(t *testing.T) { if err != nil { t.Fatalf("unexpected error while creating revocation object: %v", err) } - result := verifyRevocation(createMockOutcome(invalidChain, time.Now()), revocationClient, logger) + v := &verifier{ + revocationClient: revocationClient, + } + result := v.verifyRevocation(ctx, createMockOutcome(invalidChain, time.Now())) expectedErrMsg := "unable to check revocation status, err: invalid chain: expected chain to be correct and complete: invalid certificates or certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 2,O=Notary,L=Seattle,ST=WA,C=US\" is not issued by \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\". Error: x509: invalid signature: parent certificate cannot sign this kind of certificate" if result.Error == nil || result.Error.Error() != expectedErrMsg { t.Fatalf("expected verifyRevocation to fail with %s, but got %v", expectedErrMsg, result.Error) @@ -538,7 +541,10 @@ func TestVerifyRevocation(t *testing.T) { if err != nil { t.Fatalf("unexpected error while creating revocation object: %v", err) } - result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger) + v := &verifier{ + revocationClient: revocationClient, + } + result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now())) if result.Error != nil { t.Fatalf("expected verifyRevocation to succeed, but got %v", result.Error) } 
@@ -548,7 +554,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now()))
 if result.Error == nil || result.Error.Error() != revokedMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
@@ -558,7 +567,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now()))
 if result.Error == nil || result.Error.Error() != revokedMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
@@ -568,7 +580,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now()))
 if result.Error == nil || result.Error.Error() != unknownMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", unknownMsg, result.Error)
 }
@@ -578,7 +593,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now()))
 if result.Error == nil || result.Error.Error() != multiMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", multiMsg, result.Error)
 }
@@ -588,7 +606,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now()))
 if result.Error == nil || result.Error.Error() != revokedMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
@@ -598,7 +619,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now()))
 if result.Error != nil {
 t.Fatalf("expected verifyRevocation to succeed, but got %v", result.Error)
 }
@@ -608,7 +632,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now()), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now()))
 if result.Error == nil || result.Error.Error() != unknownMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", unknownMsg, result.Error)
 }
@@ -618,7 +645,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now().Add(-4*time.Hour)), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now().Add(-4*time.Hour)))
 if result.Error == nil || result.Error.Error() != revokedMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
@@ -629,7 +659,10 @@ func TestVerifyRevocation(t *testing.T) {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
 expectedErrMsg := "signing certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\" is revoked"
- result := verifyRevocation(createMockOutcome(revokableChain, zeroTime), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, zeroTime))
 if result.Error == nil || result.Error.Error() != expectedErrMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", expectedErrMsg, result.Error)
 }
@@ -642,7 +675,10 @@ func TestVerifyRevocation(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error while creating revocation object: %v", err)
 }
- result := verifyRevocation(createMockOutcome(revokableChain, time.Now().Add(-4*time.Hour)), revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, createMockOutcome(revokableChain, time.Now().Add(-4*time.Hour)))
 if result.Error != nil {
 t.Fatalf("expected verifyRevocation to succeed, but got %v", result.Error)
 }
@@ -660,7 +696,10 @@ func TestVerifyRevocation(t *testing.T) {
 if !authenticSigningTime.IsZero() || err == nil || err.Error() != expectedErr.Error() {
 t.Fatalf("expected AuthenticSigningTime to fail with %v, but got %v", expectedErr, err)
 }
- result := verifyRevocation(outcome, revocationClient, logger)
+ v := &verifier{
+ revocationClient: revocationClient,
+ }
+ result := v.verifyRevocation(ctx, outcome)
 if result.Error == nil || result.Error.Error() != revokedMsg {
 t.Fatalf("expected verifyRevocation to fail with %s, but got %v", revokedMsg, result.Error)
 }
@@ -702,6 +741,9 @@ func TestNewVerifierWithOptions(t *testing.T) {
 if v.revocationClient == nil {
 t.Fatal("expected nonnil revocationClient")
 }
+ if v.revocationCodeSigningValidator != nil {
+ t.Fatal("expected nil revocationCodeSigningValidator")
+ }
 _, err = NewVerifierWithOptions(nil, &blobPolicy, store, pm, opts)
 if err != nil {
@@ -718,6 +760,32 @@ func TestNewVerifierWithOptions(t *testing.T) { if err != nil { t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err) } + + csValidator, err := revocation.NewWithOptions(revocation.Options{ + CertChainPurpose: x509.ExtKeyUsageCodeSigning, + }) + if err != nil { + t.Fatal(err) + } + opts = VerifierOptions{ + RevocationCodeSigningValidator: csValidator, + } + v, err = NewVerifierWithOptions(&ociPolicy, nil, store, pm, opts) + if err != nil { + t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err) + } + if v.revocationCodeSigningValidator == nil { + t.Fatal("expected v.revocationCodeSigningValidator to be non-nil") + } + + opts = VerifierOptions{} + v, err = NewVerifierWithOptions(&ociPolicy, nil, store, pm, opts) + if err != nil { + t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err) + } + if v.revocationCodeSigningValidator == nil { + t.Fatal("expected v.revocationCodeSigningValidator to be non-nil") + } } func TestNewVerifierWithOptionsError(t *testing.T) { @@ -733,8 +801,8 @@ func TestNewVerifierWithOptionsError(t *testing.T) { t.Fatalf("unexpected error while creating revocation timestamp object: %v", err) } opts := VerifierOptions{ - RevocationClient: r, - ContextRevocationTimestampClient: rt, + RevocationClient: r, + RevocationTimestampingValidator: rt, } _, err = NewVerifierWithOptions(nil, nil, store, pm, opts) From 1b70bfebc0bc384385f6252fb96edc2d7a09029b Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 31 Jul 2024 16:46:50 +0800 Subject: [PATCH 04/12] update Signed-off-by: Patrick Zheng --- verifier/timestamp_test.go | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/verifier/timestamp_test.go b/verifier/timestamp_test.go index 380f3533..e3f53ac4 100644 --- a/verifier/timestamp_test.go +++ b/verifier/timestamp_test.go 
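Review bot: The new `csValidator` case only checks that `v.revocationCodeSigningValidator` is non-nil, which the empty-options case right after it also satisfies, so it would not notice if `setRevocation` ignored the supplied validator and built a default one; compare identity instead, `if v.revocationCodeSigningValidator != csValidator { t.Fatal("expected the supplied RevocationCodeSigningValidator to be used") }`. In the same case it is worth asserting `v.revocationClient == nil`, mirroring the `revocationCodeSigningValidator != nil` check this series adds for the RevocationClient-only configuration, so the two exclusive configurations are pinned symmetrically. TestNewVerifierWithOptions starts before this hunk.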
@@ -44,7 +44,7 @@ func TestAuthenticTimestamp(t *testing.T) { TrustStores: []string{"ca:valid-trust-store", "tsa:test-timestamp"}, TrustedIdentities: []string{"*"}, } - revocationTimestsampClient, err := revocation.NewWithOptions(revocation.Options{ + revocationTimestampingValidator, err := revocation.NewWithOptions(revocation.Options{ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, CertChainPurpose: x509.ExtKeyUsageTimeStamping, }) @@ -68,7 +68,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: jwsEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) if err := authenticTimestampResult.Error; err != nil { t.Fatalf("expected nil error, but got %s", err) } @@ -79,7 +79,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) if err := authenticTimestampResult.Error; err != nil { t.Fatalf("expected nil error, but got %s", err) } 
@@ -94,7 +94,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: jwsEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) if err := authenticTimestampResult.Error; err != nil { t.Fatalf("expected nil error, but got %s", err) } @@ -109,7 +109,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) if err := authenticTimestampResult.Error; err != nil { t.Fatalf("expected nil error, but got %s", err) } 
@@ -130,7 +130,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) if err := authenticTimestampResult.Error; err != nil { t.Fatalf("expected nil error, but got %s", err) } @@ -151,7 +151,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: jwsEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "failed to check tsa trust store configuration in turst policy with error: invalid trust policy statement: \"test-timestamp\" is missing separator in trust store value \"tsa\". The required format is :" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) 
@@ -177,7 +177,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "verification time is after certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it was expired at \"Tue, 18 Jun 2024 07:30:31 +0000\"" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) @@ -193,7 +193,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "no timestamp countersignature was found in the signature envelope" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) 
@@ -214,7 +214,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "failed to parse timestamp countersignature with error: unexpected content type: 1.2.840.113549.1.7.1" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) @@ -235,7 +235,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "failed to get the timestamp TSTInfo with error: cannot unmarshal TSTInfo from timestamp token: asn1: structure error: tags don't match (23 vs {class:0 tag:16 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:24 set:false omitEmpty:false} Time @89" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) 
@@ -257,7 +257,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "failed to get timestamp from timestamp countersignature with error: invalid TSTInfo: mismatched message" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) @@ -279,7 +279,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "failed to verify the timestamp countersignature with error: failed to verify signed token: signing certificate not found in the timestamp token" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) 
@@ -301,7 +301,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "failed to load tsa trust store with error: the trust store \"does-not-exist\" of type \"tsa\" does not exist" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) @@ -323,7 +323,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, dummyTrustStore{}, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, dummyTrustStore{}, revocationTimestampingValidator, outcome) expectedErrMsg := "no trusted TSA certificate found in trust store" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) 
@@ -345,7 +345,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: coseEnvContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "failed to verify the timestamp countersignature with error: failed to verify signed token: cms verification failure: x509: certificate signed by unknown authority" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) @@ -371,7 +371,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "timestamp can be before certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it will be valid from \"Fri, 18 Sep 2099 11:54:34 +0000\"" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) 
@@ -397,7 +397,7 @@ func TestAuthenticTimestamp(t *testing.T) { EnvelopeContent: envContent, VerificationLevel: trustpolicy.LevelStrict, } - authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome) + authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome) expectedErrMsg := "timestamp can be after certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it was expired at \"Tue, 18 Sep 2001 11:54:34 +0000\"" if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg { t.Fatalf("expected %s, but got %s", expectedErrMsg, err) From b6429fb2d15a013396fe8edf586ca920b589161e Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 1 Aug 2024 13:45:57 +0800 Subject: [PATCH 05/12] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- verifier/verifier.go | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 7ad5fdef..9810231f 100644 --- a/go.mod +++ b/go.mod @@ -25,4 +25,4 @@ require ( golang.org/x/sync v0.6.0 // indirect ) -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240731063103-74357d901612 +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240801005628-17703be86fe1 diff --git a/go.sum b/go.sum index 10c5e46c..938669e7 100644 --- a/go.sum +++ b/go.sum 
@@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240731063103-74357d901612 h1:M/QbcNnsTqwuQp0/EhDS+CU89SvbdH2jFfMzg6YIDhI= -github.com/Two-Hearts/notation-core-go v0.0.0-20240731063103-74357d901612/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= +github.com/Two-Hearts/notation-core-go v0.0.0-20240801005628-17703be86fe1 h1:BSSLhg7pNcaxaWgPg47G6oIMIcgNOY00haRwi+pky3g= +github.com/Two-Hearts/notation-core-go v0.0.0-20240801005628-17703be86fe1/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/verifier/verifier.go b/verifier/verifier.go index 4a311670..01f8f1e6 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go @@ -557,8 +557,8 @@ func (v *verifier) verifyRevocation(ctx context.Context, outcome *notation.Verif var err error if v.revocationCodeSigningValidator != nil { certResults, err = v.revocationCodeSigningValidator.ValidateContext(ctx, revocation.ValidateContextOptions{ - CertChain: outcome.EnvelopeContent.SignerInfo.CertificateChain, - AuthenticSigningTime: authenticSigningTime, + CertChain: outcome.EnvelopeContent.SignerInfo.CertificateChain, + SigningTime: authenticSigningTime, }) } else { certResults, err = v.revocationClient.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime) 
@@ -1059,8 +1059,8 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin // 5. Perform the timestamping certificate chain revocation check logger.Debug("Checking timestamping certificate chain revocation...") certResults, err := r.ValidateContext(ctx, revocation.ValidateContextOptions{ - CertChain: tsaCertChain, - AuthenticSigningTime: time.Time{}, + CertChain: tsaCertChain, + SigningTime: time.Time{}, }) if err != nil { return fmt.Errorf("failed to check timestamping certificate chain revocation with error: %w", err) From 02ac12ec085f30151ac2ce7a3edec53cc469d214 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 1 Aug 2024 13:56:37 +0800 Subject: [PATCH 06/12] update Signed-off-by: Patrick Zheng --- verifier/verifier.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/verifier/verifier.go b/verifier/verifier.go index 01f8f1e6..4f303da1 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go @@ -114,7 +114,8 @@ func NewBlobVerifierFromConfig() (*verifier, error) { } // NewWithOptions creates a new verifier given ociTrustPolicy, trustStore, -// pluginManager, and VerifierOptions +// pluginManager, and VerifierOptions. +// // Deprecated: NewWithOptions function exists for historical compatibility and should not be used. // To create verifier, use NewVerifierWithOptions function. func NewWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, opts VerifierOptions) (notation.Verifier, error) { 
@@ -170,14 +171,16 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo return v, nil } -// NewFromConfig returns a OCI verifier based on local file system +// NewFromConfig returns a OCI verifier based on local file system. +// // Deprecated: NewFromConfig function exists for historical compatibility and should not be used. // To create an OCI verifier, use NewOCIVerifierFromConfig function. func NewFromConfig() (notation.Verifier, error) { return NewOCIVerifierFromConfig() } -// New creates a new verifier given ociTrustPolicy, trustStore and pluginManager +// New creates a new verifier given ociTrustPolicy, trustStore and pluginManager. +// // Deprecated: New function exists for historical compatibility and should not be used. // To create verifier, use NewVerifier function. func New(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager) (notation.Verifier, error) { From 20fb2f17995f5c1752c788ccd199fb02645a2b0b Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 6 Aug 2024 16:50:36 +0800 Subject: [PATCH 07/12] updated per code review Signed-off-by: Patrick Zheng --- verifier/verifier.go | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/verifier/verifier.go b/verifier/verifier.go index 4f303da1..da3cb759 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go @@ -78,7 +78,7 @@ type VerifierOptions struct { // check, use [RevocationCodeSigningValidator]. RevocationClient revocation.Revocation - // RevocationTimestampingValidator is used for verifying revocation of + // RevocationCodeSigningValidator is used for verifying revocation of // code signing certificate chain with context. RevocationCodeSigningValidator revocation.Validator 
@@ -130,17 +130,6 @@ func NewVerifier(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPolicy *trust
 // NewVerifierWithOptions creates a new verifier given ociTrustPolicy, blobTrustPolicy,
 // trustStore, pluginManager, and verifierOptions
 func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPolicy *trustpolicy.BlobDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, verifierOptions VerifierOptions) (*verifier, error) {
- revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator
- var err error
- if revocationTimestampingValidator == nil {
- revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{
- OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second},
- CertChainPurpose: x509.ExtKeyUsageTimeStamping,
- })
- if err != nil {
- return nil, err
- }
- }
 if trustStore == nil {
 return nil, errors.New("trustStore cannot be nil")
 }
@@ -158,14 +147,13 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo
 }
 }
 v := &verifier{
- ociTrustPolicyDoc: ociTrustPolicy,
- blobTrustPolicyDoc: blobTrustPolicy,
- trustStore: trustStore,
- pluginManager: pluginManager,
- revocationTimestampingValidator: revocationTimestampingValidator,
+ ociTrustPolicyDoc: ociTrustPolicy,
+ blobTrustPolicyDoc: blobTrustPolicy,
+ trustStore: trustStore,
+ pluginManager: pluginManager,
 }
- if err := v.setCodeSigningRevocation(verifierOptions); err != nil {
+ if err := v.setRevocation(verifierOptions); err != nil {
 return nil, err
 }
 return v, nil
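Review bot: The NewVerifierWithOptions doc comment, kept as context at the top of the first hunk, still stops at "and verifierOptions" and says nothing about the defaulting that now happens behind setRevocation, which is the one decision a caller cannot see from the signature. Suggest extending it with a sentence such as `// Any revocation validator left unset in verifierOptions is replaced by a default OCSP-backed validator with a 2-second HTTP timeout; see setRevocation.` and ending the first sentence with a period so it renders as a proper godoc summary. The 2-second figure is taken from the setRevocation body introduced later in this series; confirm it if that default changes. The function body between the two hunks is outside this view.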
@@ -187,8 +175,23 @@ func New(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509Trus return NewVerifier(ociTrustPolicy, nil, trustStore, pluginManager) } -// setCodeSigningRevocation sets code signing revocation object of v -func (v *verifier) setCodeSigningRevocation(verifierOptions VerifierOptions) error { +// setRevocation sets revocation validators of v +func (v *verifier) setRevocation(verifierOptions VerifierOptions) error { + // timestamping validator + revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator + var err error + if revocationTimestampingValidator == nil { + revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{ + OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, + CertChainPurpose: x509.ExtKeyUsageTimeStamping, + }) + if err != nil { + return err + } + } + v.revocationTimestampingValidator = revocationTimestampingValidator + + // code signing validator revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator if revocationCodeSigningValidator != nil { v.revocationCodeSigningValidator = revocationCodeSigningValidator @@ -201,7 +204,6 @@ func (v *verifier) setCodeSigningRevocation(verifierOptions VerifierOptions) err } // both RevocationCodeSigningValidator and RevocationClient are nil - var err error revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, CertChainPurpose: x509.ExtKeyUsageCodeSigning, From 26eec66f442c829f3bdd6326b152318a443bb3b4 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Tue, 6 Aug 2024 17:06:37 +0800 Subject: [PATCH 08/12] updated per code review Signed-off-by: Patrick Zheng --- verifier/verifier.go | 85 ++++++++++++++++++++++---------------------- 1 file changed, 42 insertions(+), 43 deletions(-) diff --git a/verifier/verifier.go b/verifier/verifier.go index da3cb759..6cb45ee6 100644 --- a/verifier/verifier.go 
+++ b/verifier/verifier.go
@@ -153,7 +153,7 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo
pluginManager: pluginManager,
}
- if err := v.setRevocation(verifierOptions); err != nil {
+ if err := setRevocation(v, verifierOptions); err != nil {
return nil, err
}
return v, nil
@@ -175,46 +175,6 @@ func New(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509Trus
return NewVerifier(ociTrustPolicy, nil, trustStore, pluginManager)
}
-// setRevocation sets revocation validators of v
-func (v *verifier) setRevocation(verifierOptions VerifierOptions) error {
- // timestamping validator
- revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator
- var err error
- if revocationTimestampingValidator == nil {
- revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{
- OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second},
- CertChainPurpose: x509.ExtKeyUsageTimeStamping,
- })
- if err != nil {
- return err
- }
- }
- v.revocationTimestampingValidator = revocationTimestampingValidator
-
- // code signing validator
- revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator
- if revocationCodeSigningValidator != nil {
- v.revocationCodeSigningValidator = revocationCodeSigningValidator
- return nil
- }
- revocationClient := verifierOptions.RevocationClient
- if revocationClient != nil {
- v.revocationClient = revocationClient
- return nil
- }
-
- // both RevocationCodeSigningValidator and RevocationClient are nil
- revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{
- OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second},
- CertChainPurpose: x509.ExtKeyUsageCodeSigning,
- })
- if err != nil {
- return err
- }
- v.revocationCodeSigningValidator = revocationCodeSigningValidator
- return nil
-}
-
// SkipVerify validates whether the verification level is skip.
func (v *verifier) SkipVerify(ctx context.Context, opts notation.VerifierVerifyOptions) (bool, *trustpolicy.VerificationLevel, error) {
logger := log.GetLogger(ctx)
@@ -1064,8 +1024,7 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
// 5. Perform the timestamping certificate chain revocation check
logger.Debug("Checking timestamping certificate chain revocation...")
certResults, err := r.ValidateContext(ctx, revocation.ValidateContextOptions{
- CertChain: tsaCertChain,
- SigningTime: time.Time{},
+ CertChain: tsaCertChain,
})
if err != nil {
return fmt.Errorf("failed to check timestamping certificate chain revocation with error: %w", err)
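Review bot: Dropping the explicit zero `SigningTime` leaves step 5 with no comment on what time the TSA chain is now checked against, which is the one thing a reader of a revocation check wants to know. Presumably an absent `AuthenticSigningTime` makes the validator evaluate the timestamping chain as of now rather than as of the token's generation time, which is the right policy (a TSA certificate revoked today should invalidate the timestamp), but that default lives in notation-core-go and is not visible here. I would state it on the call, e.g. `// No AuthenticSigningTime: the TSA chain is checked as of now, so a revoked TSA certificate invalidates the token regardless of when it was issued.` verifyTimestamp starts and ends outside this hunk.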
@@ -1084,3 +1043,43 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin // success return nil } + +// setRevocation sets revocation validators of verifier +func setRevocation(verifier *verifier, verifierOptions VerifierOptions) error { + // timestamping validator + revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator + var err error + if revocationTimestampingValidator == nil { + revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{ + OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, + CertChainPurpose: x509.ExtKeyUsageTimeStamping, + }) + if err != nil { + return err + } + } + verifier.revocationTimestampingValidator = revocationTimestampingValidator + + // code signing validator + revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator + if revocationCodeSigningValidator != nil { + verifier.revocationCodeSigningValidator = revocationCodeSigningValidator + return nil + } + revocationClient := verifierOptions.RevocationClient + if revocationClient != nil { + verifier.revocationClient = revocationClient + return nil + } + + // both RevocationCodeSigningValidator and RevocationClient are nil + revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{ + OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, + CertChainPurpose: x509.ExtKeyUsageCodeSigning, + }) + if err != nil { + return err + } + verifier.revocationCodeSigningValidator = revocationCodeSigningValidator + return nil +} From 4ff5d4af0c8b129fbb83c5147665731f29bc0ce4 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 7 Aug 2024 08:19:32 +0800 Subject: [PATCH 09/12] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 +-- verifier/verifier.go | 86 ++++++++++++++++++++++---------------------- 3 files changed, 46 insertions(+), 46 deletions(-) diff --git a/go.mod b/go.mod index 9810231f..8971c0d0 100644 --- a/go.mod +++ b/go.mod 
@@ -25,4 +25,4 @@ require ( golang.org/x/sync v0.6.0 // indirect ) -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240801005628-17703be86fe1 +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240806060916-8a09715b8a0b diff --git a/go.sum b/go.sum index 938669e7..362afa0e 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240801005628-17703be86fe1 h1:BSSLhg7pNcaxaWgPg47G6oIMIcgNOY00haRwi+pky3g= -github.com/Two-Hearts/notation-core-go v0.0.0-20240801005628-17703be86fe1/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= +github.com/Two-Hearts/notation-core-go v0.0.0-20240806060916-8a09715b8a0b h1:+SIu9DGwjgNMVnGgf2eF3LoaRmqnKCWShr1tMMxLWHg= +github.com/Two-Hearts/notation-core-go v0.0.0-20240806060916-8a09715b8a0b/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/verifier/verifier.go b/verifier/verifier.go index 6cb45ee6..a309b1ce 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go @@ -153,7 +153,7 @@ func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPo pluginManager: pluginManager, } - if err := setRevocation(v, verifierOptions); err != nil { + if err := v.setRevocation(verifierOptions); err != nil { return nil, err } return v, nil 
@@ -175,6 +175,46 @@ func New(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509Trus
return NewVerifier(ociTrustPolicy, nil, trustStore, pluginManager)
}
+// setRevocation sets revocation validators of v
+func (v *verifier) setRevocation(verifierOptions VerifierOptions) error {
+ // timestamping validator
+ revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator
+ var err error
+ if revocationTimestampingValidator == nil {
+ revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{
+ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second},
+ CertChainPurpose: x509.ExtKeyUsageTimeStamping,
+ })
+ if err != nil {
+ return err
+ }
+ }
+ v.revocationTimestampingValidator = revocationTimestampingValidator
+
+ // code signing validator
+ revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator
+ if revocationCodeSigningValidator != nil {
+ v.revocationCodeSigningValidator = revocationCodeSigningValidator
+ return nil
+ }
+ revocationClient := verifierOptions.RevocationClient
+ if revocationClient != nil {
+ v.revocationClient = revocationClient
+ return nil
+ }
+
+ // both RevocationCodeSigningValidator and RevocationClient are nil
+ revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{
+ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second},
+ CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+ })
+ if err != nil {
+ return err
+ }
+ v.revocationCodeSigningValidator = revocationCodeSigningValidator
+ return nil
+}
+
// SkipVerify validates whether the verification level is skip.
func (v *verifier) SkipVerify(ctx context.Context, opts notation.VerifierVerifyOptions) (bool, *trustpolicy.VerificationLevel, error) {
logger := log.GetLogger(ctx)
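Review bot: The doc comment `// setRevocation sets revocation validators of v` does not record the precedence the code-signing branch implements: when both `RevocationCodeSigningValidator` and the deprecated `RevocationClient` are set, the client is silently ignored, and the 2s OCSP timeout applies only to the defaults built here, never to a validator the caller supplies. I would expand it to `// setRevocation installs the timestamping and code-signing revocation validators from verifierOptions; nil ones get a default OCSP validator with a 2s HTTP timeout, and RevocationCodeSigningValidator takes precedence over the deprecated RevocationClient.` The `&http.Client{Timeout: 2 * time.Second}` literal is written twice in this function; a package-level `defaultOCSPHTTPClient()` helper would keep the two defaults from drifting. Note that a per-request timeout bounds each OCSP round trip, not the whole chain check; whether the validator caps total time is not visible here.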
@@ -522,8 +562,8 @@ func (v *verifier) verifyRevocation(ctx context.Context, outcome *notation.Verif
var err error
if v.revocationCodeSigningValidator != nil {
certResults, err = v.revocationCodeSigningValidator.ValidateContext(ctx, revocation.ValidateContextOptions{
- CertChain: outcome.EnvelopeContent.SignerInfo.CertificateChain,
- SigningTime: authenticSigningTime,
+ CertChain: outcome.EnvelopeContent.SignerInfo.CertificateChain,
+ AuthenticSigningTime: authenticSigningTime,
})
} else {
certResults, err = v.revocationClient.Validate(outcome.EnvelopeContent.SignerInfo.CertificateChain, authenticSigningTime)
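Review bot: The deprecated branch `certResults, err = v.revocationClient.Validate(...)` is the only call in this hunk that does not receive `ctx`, so cancellation or a deadline on `ctx` will not bound its OCSP requests the way it now does for the `ValidateContext` path; only a timeout configured on the caller's own client applies, assuming `Validate` does its network I/O synchronously. This is inherited from the old interface rather than introduced here, but it deserves a comment on the `else` branch, e.g. `// Deprecated RevocationClient path: Validate takes no ctx, so ctx cancellation and deadlines do not bound its OCSP fetches.` verifyRevocation starts and ends outside this hunk.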
@@ -1043,43 +1083,3 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin // success return nil } - -// setRevocation sets revocation validators of verifier -func setRevocation(verifier *verifier, verifierOptions VerifierOptions) error { - // timestamping validator - revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator - var err error - if revocationTimestampingValidator == nil { - revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{ - OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, - CertChainPurpose: x509.ExtKeyUsageTimeStamping, - }) - if err != nil { - return err - } - } - verifier.revocationTimestampingValidator = revocationTimestampingValidator - - // code signing validator - revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator - if revocationCodeSigningValidator != nil { - verifier.revocationCodeSigningValidator = revocationCodeSigningValidator - return nil - } - revocationClient := verifierOptions.RevocationClient - if revocationClient != nil { - verifier.revocationClient = revocationClient - return nil - } - - // both RevocationCodeSigningValidator and RevocationClient are nil - revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{ - OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, - CertChainPurpose: x509.ExtKeyUsageCodeSigning, - }) - if err != nil { - return err - } - verifier.revocationCodeSigningValidator = revocationCodeSigningValidator - return nil -} From d598573c22527aada5af41c97ee40dab51dffdf4 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Wed, 7 Aug 2024 13:04:12 +0800 Subject: [PATCH 10/12] update Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- verifier/timestamp_test.go | 3 ++- verifier/verifier.go | 5 +++-- verifier/verifier_test.go | 7 +++---- 5 files changed, 11 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 8971c0d0..e64aee6f 100644 
--- a/go.mod +++ b/go.mod @@ -25,4 +25,4 @@ require ( golang.org/x/sync v0.6.0 // indirect ) -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240806060916-8a09715b8a0b +replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240807034940-02ab652946b1 diff --git a/go.sum b/go.sum index 362afa0e..e502d697 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240806060916-8a09715b8a0b h1:+SIu9DGwjgNMVnGgf2eF3LoaRmqnKCWShr1tMMxLWHg= -github.com/Two-Hearts/notation-core-go v0.0.0-20240806060916-8a09715b8a0b/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= +github.com/Two-Hearts/notation-core-go v0.0.0-20240807034940-02ab652946b1 h1:sSVw1vW299sn+FufiSWe3lImhbHwE/LhTuO+0NMBTnk= +github.com/Two-Hearts/notation-core-go v0.0.0-20240807034940-02ab652946b1/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/verifier/timestamp_test.go b/verifier/timestamp_test.go index e3f53ac4..f7eb90ec 100644 --- a/verifier/timestamp_test.go +++ b/verifier/timestamp_test.go @@ -22,6 +22,7 @@ import ( "time" "github.com/notaryproject/notation-core-go/revocation" + "github.com/notaryproject/notation-core-go/revocation/purpose" "github.com/notaryproject/notation-core-go/signature" "github.com/notaryproject/notation-core-go/signature/cose" "github.com/notaryproject/notation-core-go/signature/jws" 
@@ -46,7 +47,7 @@ func TestAuthenticTimestamp(t *testing.T) { } revocationTimestampingValidator, err := revocation.NewWithOptions(revocation.Options{ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, - CertChainPurpose: x509.ExtKeyUsageTimeStamping, + CertChainPurpose: purpose.Timestamping, }) if err != nil { t.Fatalf("failed to get revocation timestamp client: %v", err) diff --git a/verifier/verifier.go b/verifier/verifier.go index a309b1ce..90d00c95 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go @@ -30,6 +30,7 @@ import ( "oras.land/oras-go/v2/content" "github.com/notaryproject/notation-core-go/revocation" + "github.com/notaryproject/notation-core-go/revocation/purpose" revocationresult "github.com/notaryproject/notation-core-go/revocation/result" "github.com/notaryproject/notation-core-go/signature" nx509 "github.com/notaryproject/notation-core-go/x509" @@ -183,7 +184,7 @@ func (v *verifier) setRevocation(verifierOptions VerifierOptions) error { if revocationTimestampingValidator == nil { revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, - CertChainPurpose: x509.ExtKeyUsageTimeStamping, + CertChainPurpose: purpose.Timestamping, }) if err != nil { return err @@ -206,7 +207,7 @@ func (v *verifier) setRevocation(verifierOptions VerifierOptions) error { // both RevocationCodeSigningValidator and RevocationClient are nil revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{ OCSPHTTPClient: &http.Client{Timeout: 2 * time.Second}, - CertChainPurpose: x509.ExtKeyUsageCodeSigning, + CertChainPurpose: purpose.CodeSigning, }) if err != nil { return err diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go index 728aa0d9..1038e260 100644 --- a/verifier/verifier_test.go +++ b/verifier/verifier_test.go 
@@ -29,6 +29,7 @@ import ( "golang.org/x/crypto/ocsp" "github.com/notaryproject/notation-core-go/revocation" + "github.com/notaryproject/notation-core-go/revocation/purpose" "github.com/notaryproject/notation-core-go/signature" _ "github.com/notaryproject/notation-core-go/signature/cose" "github.com/notaryproject/notation-core-go/signature/jws" @@ -761,9 +762,7 @@ func TestNewVerifierWithOptions(t *testing.T) { t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err) } - csValidator, err := revocation.NewWithOptions(revocation.Options{ - CertChainPurpose: x509.ExtKeyUsageCodeSigning, - }) + csValidator, err := revocation.NewWithOptions(revocation.Options{}) if err != nil { t.Fatal(err) } @@ -795,7 +794,7 @@ func TestNewVerifierWithOptionsError(t *testing.T) { } rt, err := revocation.NewWithOptions(revocation.Options{ OCSPHTTPClient: &http.Client{}, - CertChainPurpose: x509.ExtKeyUsageTimeStamping, + CertChainPurpose: purpose.Timestamping, }) if err != nil { t.Fatalf("unexpected error while creating revocation timestamp object: %v", err) From 8b4ecbed15bb4d9568a33405ed36f07cddd052e6 Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Thu, 8 Aug 2024 10:34:31 +0800 Subject: [PATCH 11/12] updated dependencies Signed-off-by: Patrick Zheng --- go.mod | 6 ++---- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index e64aee6f..8f9ad696 100644 --- a/go.mod +++ b/go.mod @@ -4,9 +4,9 @@ go 1.21 require ( github.com/go-ldap/ldap/v3 v3.4.8 - github.com/notaryproject/notation-core-go v1.1.0-beta.1 + github.com/notaryproject/notation-core-go v1.1.0-beta.1.0.20240808015012-004b86dbf289 github.com/notaryproject/notation-plugin-framework-go v1.0.0 - github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 + github.com/notaryproject/tspclient-go v0.2.0 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 github.com/veraison/go-cose v1.1.0 
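Review bot: `csValidator, err := revocation.NewWithOptions(revocation.Options{})` now relies on the library's default `CertChainPurpose`, while the timestamping validator in the next hunk sets `purpose.Timestamping` explicitly; if that default ever changes, this test silently starts exercising the wrong purpose. I would keep it explicit, `CertChainPurpose: purpose.CodeSigning,`, which also documents what the test asserts about the code-signing validator. TestNewVerifierWithOptions starts and ends outside this hunk.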
@@ -24,5 +24,3 @@ require ( github.com/x448/float16 v0.8.4 // indirect golang.org/x/sync v0.6.0 // indirect ) - -replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240807034940-02ab652946b1 diff --git a/go.sum b/go.sum index e502d697..a1de4525 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,5 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Two-Hearts/notation-core-go v0.0.0-20240807034940-02ab652946b1 h1:sSVw1vW299sn+FufiSWe3lImhbHwE/LhTuO+0NMBTnk= -github.com/Two-Hearts/notation-core-go v0.0.0-20240807034940-02ab652946b1/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -34,10 +32,12 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= +github.com/notaryproject/notation-core-go v1.1.0-beta.1.0.20240808015012-004b86dbf289 h1:/g5Ax507BDKBRXkCXKVCnSMXfSsoO/HsuvH4yJnOXAE= +github.com/notaryproject/notation-core-go v1.1.0-beta.1.0.20240808015012-004b86dbf289/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y= -github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ= +github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= From 9340a5fb8f20a45b51f0d4a94caabb06c49d38fe Mon Sep 17 00:00:00 2001 From: Patrick Zheng Date: Mon, 12 Aug 2024 09:27:43 +0800 Subject: [PATCH 12/12] updated notation-core-go to v1.1.0-rc.1 Signed-off-by: Patrick Zheng --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8f9ad696..784e4520 100644 --- a/go.mod +++ b/go.mod 
@@ -4,7 +4,7 @@ go 1.21 require ( github.com/go-ldap/ldap/v3 v3.4.8 - github.com/notaryproject/notation-core-go v1.1.0-beta.1.0.20240808015012-004b86dbf289 + github.com/notaryproject/notation-core-go v1.1.0-rc.1 github.com/notaryproject/notation-plugin-framework-go v1.0.0 github.com/notaryproject/tspclient-go v0.2.0 github.com/opencontainers/go-digest v1.0.0 diff --git a/go.sum b/go.sum index a1de4525..fb01ee43 100644 --- a/go.sum +++ b/go.sum @@ -32,8 +32,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= -github.com/notaryproject/notation-core-go v1.1.0-beta.1.0.20240808015012-004b86dbf289 h1:/g5Ax507BDKBRXkCXKVCnSMXfSsoO/HsuvH4yJnOXAE= -github.com/notaryproject/notation-core-go v1.1.0-beta.1.0.20240808015012-004b86dbf289/go.mod h1:t57m88CEK1g1EkZ96vGLOPPDB6mSh/YZXD/aR2mSnRg= +github.com/notaryproject/notation-core-go v1.1.0-rc.1 h1:6cxfVUuc4rTqYu0u7vOmgXfqw1zZabSLJNo8KvkDEzU= +github.com/notaryproject/notation-core-go v1.1.0-rc.1/go.mod h1:j6NELapik2bE1DcrL5otTfXWuW5PR/JLLfREZ4ggmYY= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=