notaryproject · Two-Hearts · Jul 8, 2024 · Nov 30, 2023 · Nov 30, 2023 · Dec 1, 2023
@@ -5,6 +5,7 @@ go 1.21
 require (
 	github.com/fxamacker/cbor/v2 v2.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe
 	github.com/veraison/go-cose v1.1.0
 	golang.org/x/crypto v0.23.0
 )

@@ -2,6 +2,8 @@ github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1t
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe h1:1psX5fHzB0ZGshHkaGlERh0eBX4EapizcVyQwX+YydE=
+github.com/notaryproject/tspclient-go v0.0.0-20240627050441-dcff9b7c23fe/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
 github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=

diff --git a/internal/oid.go b/internal/oid.go
@@ -0,0 +1,31 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oid
+
+import "encoding/asn1"
+
+// KeyUsage (id-ce-keyUsage) is defined in RFC 5280
+//
+// Reference: https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.3
+var KeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
+
+// ExtKeyUsage (id-ce-extKeyUsage) is defined in RFC 5280
+//
+// Reference: https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.12
+var ExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
+
+// TimeStamping (id-kp-timeStamping) is defined in RFC 3161 2.3
+//
+// Reference: https://datatracker.ietf.org/doc/html/rfc3161#section-2.3
+var TimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
@@ -39,6 +39,7 @@ import (
 // Options specifies values that are needed to check OCSP revocation
 type Options struct {
 	CertChain   []*x509.Certificate
+	Timestamp   bool // when set to true, check revocation of a timestamp certificate chain
 	SigningTime time.Time
 	HTTPClient  *http.Client
 }
@@ -64,8 +65,14 @@ func CheckStatus(opts Options) ([]*result.CertRevocationResult, error) {
 	// Since this is using authentic signing time, signing time may be zero.
 	// Thus, it is better to pass nil here than fail for a cert's NotBefore
 	// being after zero time
-	if err := coreX509.ValidateCodeSigningCertChain(opts.CertChain, nil); err != nil {
-		return nil, result.InvalidChainError{Err: err}
+	if opts.Timestamp {
+		if err := coreX509.ValidateTimeStampingCertChain(opts.CertChain, nil); err != nil {
+			return nil, result.InvalidChainError{Err: err}
+		}
+	} else {
+		if err := coreX509.ValidateCodeSigningCertChain(opts.CertChain, nil); err != nil {
+			return nil, result.InvalidChainError{Err: err}
+		}
 	}
 
 	certResults := make([]*result.CertRevocationResult, len(opts.CertChain))

@@ -474,6 +474,7 @@ func TestCheckStatusErrors(t *testing.T) {
 	noHTTPLeaf.OCSPServer = []string{"ldap://ds.example.com:123/chain_ocsp/0"}
 	noHTTPChain := []*x509.Certificate{noHTTPLeaf, revokableTuples[1].Cert, revokableTuples[2].Cert}
 
+	timestampSigningCertErr := result.InvalidChainError{Err: errors.New("timestamp signing certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 3,O=Notary,L=Seattle,ST=WA,C=US\" must have and only have TimeStamping as extended key usage")}
 	backwardsChainErr := result.InvalidChainError{Err: errors.New("leaf certificate with subject \"CN=Notation Test Revokable RSA Chain Cert Root,O=Notary,L=Seattle,ST=WA,C=US\" is self-signed. Certificate chain must not contain self-signed leaf certificate")}
 	chainRootErr := result.InvalidChainError{Err: errors.New("root certificate with subject \"CN=Notation Test Revokable RSA Chain Cert 2,O=Notary,L=Seattle,ST=WA,C=US\" is not self-signed. Certificate chain must end with a valid self-signed root certificate")}
 	expiredRespErr := GenericError{Err: errors.New("expired OCSP response")}
@@ -531,6 +532,22 @@ func TestCheckStatusErrors(t *testing.T) {
 		}
 	})
 
+	t.Run("check codesigning cert with timestamp set to true", func(t *testing.T) {
+		opts := Options{
+			CertChain:   okChain,
+			Timestamp:   true,
+			SigningTime: time.Now(),
+			HTTPClient:  http.DefaultClient,
+		}
+		certResults, err := CheckStatus(opts)
+		if err == nil || err.Error() != timestampSigningCertErr.Error() {
+			t.Errorf("Expected CheckStatus to fail with %v, but got: %v", timestampSigningCertErr, err)
+		}
+		if certResults != nil {
+			t.Error("Expected certResults to be nil when there is an error")
+		}
+	})
+
 	t.Run("timeout", func(t *testing.T) {
 		timeoutClient := &http.Client{Timeout: 1 * time.Nanosecond}
 		opts := Options{

@@ -63,3 +63,20 @@ func (r *revocation) Validate(certChain []*x509.Certificate, signingTime time.Ti
 	// TODO: add CRL support
 	// https://github.com/notaryproject/notation-core-go/issues/125
 }
+
+// ValidateTimestampCertChain checks the revocation status for a TSA certificate
+// chain using OCSP and returns an array of CertRevocationResults that contain
+// the results and any errors that are encountered during the process
+//
+// TODO: add CRL support
+// https://github.com/notaryproject/notation-core-go/issues/125
+func ValidateTimestampCertChain(certChain []*x509.Certificate, signingTime time.Time, httpClient *http.Client) ([]*result.CertRevocationResult, error) {
+	return ocsp.CheckStatus(ocsp.Options{
+		CertChain:   certChain,
+		Timestamp:   true,
+		SigningTime: signingTime,
+		HTTPClient:  httpClient,
+	})
+	// TODO: add CRL support
+	// https://github.com/notaryproject/notation-core-go/issues/125
+}
@@ -459,6 +459,203 @@ func TestCheckRevocationStatusForChain(t *testing.T) {
 	})
 }
 
+func TestCheckRevocationStatusForTimestampChain(t *testing.T) {
+	zeroTime := time.Time{}
+	testChain := testhelper.GetRevokableRSATimestampChain(6)
+	revokableChain := make([]*x509.Certificate, 6)
+	for i, tuple := range testChain {
+		revokableChain[i] = tuple.Cert
+		revokableChain[i].NotBefore = zeroTime
+	}
+
+	t.Run("empty chain", func(t *testing.T) {
+		certResults, err := ValidateTimestampCertChain([]*x509.Certificate{}, time.Now(), &http.Client{Timeout: 5 * time.Second})
+		expectedErr := result.InvalidChainError{Err: errors.New("chain does not contain any certificates")}
+		if err == nil || err.Error() != expectedErr.Error() {
+			t.Errorf("Expected CheckStatus to fail with %v, but got: %v", expectedErr, err)
+		}
+		if certResults != nil {
+			t.Error("Expected certResults to be nil when there is an error")
+		}
+	})
+	t.Run("check non-revoked chain", func(t *testing.T) {
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good}, nil, true)
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now(), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			getOKCertResult(revokableChain[2].OCSPServer[0]),
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			getOKCertResult(revokableChain[4].OCSPServer[0]),
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+	t.Run("check chain with 1 Unknown cert", func(t *testing.T) {
+		// 3rd cert will be unknown, the rest will be good
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good}, nil, true)
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now(), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			{
+				Result: result.ResultUnknown,
+				ServerResults: []*result.ServerResult{
+					result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}),
+				},
+			},
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			getOKCertResult(revokableChain[4].OCSPServer[0]),
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+	t.Run("check OCSP with 1 revoked cert", func(t *testing.T) {
+		// 3rd cert will be revoked, the rest will be good
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true)
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now(), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			{
+				Result: result.ResultRevoked,
+				ServerResults: []*result.ServerResult{
+					result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}),
+				},
+			},
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			getOKCertResult(revokableChain[4].OCSPServer[0]),
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+	t.Run("check OCSP with 1 unknown and 1 revoked cert", func(t *testing.T) {
+		// 3rd cert will be unknown, 5th will be revoked, the rest will be good
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true)
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now(), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			{
+				Result: result.ResultUnknown,
+				ServerResults: []*result.ServerResult{
+					result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}),
+				},
+			},
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			{
+				Result: result.ResultRevoked,
+				ServerResults: []*result.ServerResult{
+					result.NewServerResult(result.ResultRevoked, revokableChain[4].OCSPServer[0], revocationocsp.RevokedError{}),
+				},
+			},
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+	t.Run("check OCSP with 1 future revoked cert", func(t *testing.T) {
+		revokedTime := time.Now().Add(time.Hour)
+		// 3rd cert will be future revoked, the rest will be good
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true)
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now(), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			getOKCertResult(revokableChain[2].OCSPServer[0]),
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			getOKCertResult(revokableChain[4].OCSPServer[0]),
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+	t.Run("check OCSP with 1 unknown and 1 future revoked cert", func(t *testing.T) {
+		revokedTime := time.Now().Add(time.Hour)
+		// 3rd cert will be unknown, 5th will be future revoked, the rest will be good
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Unknown, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true)
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now(), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			{
+				Result: result.ResultUnknown,
+				ServerResults: []*result.ServerResult{
+					result.NewServerResult(result.ResultUnknown, revokableChain[2].OCSPServer[0], revocationocsp.UnknownStatusError{}),
+				},
+			},
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			getOKCertResult(revokableChain[4].OCSPServer[0]),
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+	t.Run("check OCSP with 1 revoked cert before signing time", func(t *testing.T) {
+		// 3rd cert will be revoked, the rest will be good
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, nil, true)
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now().Add(time.Hour), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			{
+				Result: result.ResultRevoked,
+				ServerResults: []*result.ServerResult{
+					result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}),
+				},
+			},
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			getOKCertResult(revokableChain[4].OCSPServer[0]),
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+	t.Run("check OCSP with 1 revoked cert after zero signing time", func(t *testing.T) {
+		revokedTime := time.Now().Add(time.Hour)
+		// 3rd cert will be revoked, the rest will be good
+		client := testhelper.MockClient(testChain, []ocsp.ResponseStatus{ocsp.Good, ocsp.Good, ocsp.Revoked, ocsp.Good}, &revokedTime, true)
+		if !zeroTime.IsZero() {
+			t.Errorf("exected zeroTime.IsZero() to be true")
+		}
+		certResults, err := ValidateTimestampCertChain(revokableChain, time.Now().Add(time.Hour), client)
+		if err != nil {
+			t.Errorf("Expected CheckStatus to succeed, but got error: %v", err)
+		}
+		expectedCertResults := []*result.CertRevocationResult{
+			getOKCertResult(revokableChain[0].OCSPServer[0]),
+			getOKCertResult(revokableChain[1].OCSPServer[0]),
+			{
+				Result: result.ResultRevoked,
+				ServerResults: []*result.ServerResult{
+					result.NewServerResult(result.ResultRevoked, revokableChain[2].OCSPServer[0], revocationocsp.RevokedError{}),
+				},
+			},
+			getOKCertResult(revokableChain[3].OCSPServer[0]),
+			getOKCertResult(revokableChain[4].OCSPServer[0]),
+			getRootCertResult(),
+		}
+		validateEquivalentCertResults(certResults, expectedCertResults, t)
+	})
+}
+
 func TestCheckRevocationErrors(t *testing.T) {
 	leafCertTuple := testhelper.GetRSALeafCertificate()
 	rootCertTuple := testhelper.GetRSARootCertificate()

@@ -57,7 +57,7 @@ func TestConformance(t *testing.T) {
 
 // testSign does conformance check on COSE_Sign1_Tagged
 func testSign(t *testing.T, sign1 *sign1) {
-	signRequest, err := getSignReq(sign1)
+	signRequest, err := getSignReq()
 	if err != nil {
 		t.Fatalf("getSignReq() failed. Error = %s", err)
 	}
@@ -90,7 +90,7 @@ func testSign(t *testing.T, sign1 *sign1) {
 // testVerify does conformance check by decoding COSE_Sign1_Tagged object
 // into Sign1Message
 func testVerify(t *testing.T, sign1 *sign1) {
-	signRequest, err := getSignReq(sign1)
+	signRequest, err := getSignReq()
 	if err != nil {
 		t.Fatalf("getSignReq() failed. Error = %s", err)
 	}
@@ -124,7 +124,7 @@ func testVerify(t *testing.T, sign1 *sign1) {
 	verifySignerInfo(&content.SignerInfo, signRequest, t)
 }
 
-func getSignReq(sign1 *sign1) (*signature.SignRequest, error) {
+func getSignReq() (*signature.SignRequest, error) {
 	certs := []*x509.Certificate{testhelper.GetRSALeafCertificate().Cert, testhelper.GetRSARootCertificate().Cert}
 	signer, err := signature.NewLocalSigner(certs, testhelper.GetRSALeafCertificate().PrivateKey)
 	if err != nil {