fix: update

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
notaryproject · Jul 15, 2024 · 683c60e · 683c60e
1 parent efcaf8d
commit 683c60e
Show file tree

Hide file tree

Showing 5 changed files with 194 additions and 51 deletions.
diff --git a/verifier/timestamp_test.go b/verifier/timestamp_test.go
@@ -65,7 +65,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   jwsEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		if err := authenticTimestampResult.Error; err != nil {
 			t.Fatalf("expected nil error, but got %s", err)
 		}
@@ -76,7 +76,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   coseEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		if err := authenticTimestampResult.Error; err != nil {
 			t.Fatalf("expected nil error, but got %s", err)
 		}
@@ -91,7 +91,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   jwsEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		if err := authenticTimestampResult.Error; err != nil {
 			t.Fatalf("expected nil error, but got %s", err)
 		}
@@ -106,7 +106,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   coseEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		if err := authenticTimestampResult.Error; err != nil {
 			t.Fatalf("expected nil error, but got %s", err)
 		}
@@ -127,7 +127,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   coseEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		if err := authenticTimestampResult.Error; err != nil {
 			t.Fatalf("expected nil error, but got %s", err)
 		}
@@ -148,7 +148,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   jwsEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "failed to check tsa trust store configuration in turst policy with error: invalid trust policy statement: \"test-timestamp\" is missing separator in trust store value \"tsa\". The required format is <TrustStoreType>:<TrustStoreName>"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -174,7 +174,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   coseEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "verification time is after certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it was expired at \"Tue, 18 Jun 2024 07:30:31 +0000\""
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -190,7 +190,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   envContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "no timestamp countersignature was found in the signature envelope"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -211,7 +211,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   envContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "failed to parse timestamp countersignature with error: unexpected content type: 1.2.840.113549.1.7.1"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -232,7 +232,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   envContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "failed to get the timestamp TSTInfo with error: cannot unmarshal TSTInfo from timestamp token: asn1: structure error: tags don't match (23 vs {class:0 tag:16 length:3 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:24 set:false omitEmpty:false} Time @89"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -254,7 +254,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   envContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "failed to get timestamp from timestamp countersignature with error: invalid TSTInfo: mismatched message"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -276,7 +276,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   envContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "failed to verify the timestamp countersignature with error: failed to verify signed token: signing certificate not found in the timestamp token"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -298,7 +298,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   coseEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "failed to load tsa trust store with error: the trust store \"does-not-exist\" of type \"tsa\" does not exist"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -320,7 +320,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   coseEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, dummyTrustStore{}, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, dummyTrustStore{}, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "no trusted TSA certificate found in trust store"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -342,7 +342,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   coseEnvContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "failed to verify the timestamp countersignature with error: failed to verify signed token: cms verification failure: x509: certificate signed by unknown authority"
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -368,7 +368,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   envContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "timestamp can be before certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it will be valid from \"Fri, 18 Sep 2099 11:54:34 +0000\""
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
@@ -394,7 +394,7 @@ func TestAuthenticTimestamp(t *testing.T) {
 			EnvelopeContent:   envContent,
 			VerificationLevel: trustpolicy.LevelStrict,
 		}
-		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, outcome)
+		authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestsampClient, trustpolicy.RevocationModeAuto, outcome)
 		expectedErrMsg := "timestamp can be after certificate \"CN=testTSA,O=Notary,L=Seattle,ST=WA,C=US\" validity period, it was expired at \"Tue, 18 Sep 2001 11:54:34 +0000\""
 		if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)

diff --git a/verifier/trustpolicy/blob.go b/verifier/trustpolicy/blob.go
@@ -49,6 +49,19 @@ type BlobTrustPolicy struct {
 
 	// GlobalPolicy defines if policy statement is global or not
 	GlobalPolicy bool `json:"globalPolicy,omitempty"`
+
+	// CRLValidity is the longest validity period of the CRL
+	// it will override the CRL default next update time if the next update
+	// time is longer than the CRLValidity
+	CRLValidity int `json:"crlValidity"`
+
+	// GlobalRevocationMode sets the global revocation mode
+	// it supported values are "auto", "ocsp", "crl"
+	GlobalRevocationMode string `json:"revocationModeGlobal"`
+
+	// RevocationMode sets the revocation mode for CA and TSA
+	// it will override RevocationModeGlobal if set
+	RevocationMode RevocationMode `json:"revocationMode"`
 }
 
 var supportedBlobPolicyVersions = []string{"1.0"}
@@ -115,7 +128,7 @@ func (policyDoc *BlobDocument) Validate() error {
 // see https://github.com/notaryproject/notaryproject/blob/v1.1.0/specs/trust-store-trust-policy.md#blob-trust-policy
 func (policyDoc *BlobDocument) GetApplicableTrustPolicy(policyName string) (*BlobTrustPolicy, error) {
 	if strings.TrimSpace(policyName) == "" {
-		return  nil, errors.New("policy name cannot be empty")
+		return nil, errors.New("policy name cannot be empty")
 	}
 	for _, policyStatement := range policyDoc.TrustPolicies {
 		// exact match
@@ -139,6 +152,30 @@ func (policyDoc *BlobDocument) GetGlobalTrustPolicy() (*BlobTrustPolicy, error)
 	return nil, fmt.Errorf("no global blob trust policy")
 }
 
+func (t *BlobTrustPolicy) RevocationModeCA() string {
+	if t.RevocationMode.CA != "" {
+		return t.RevocationMode.CA
+	}
+
+	if t.GlobalRevocationMode != "" {
+		return t.GlobalRevocationMode
+	}
+
+	return RevocationModeAuto
+}
+
+func (t *BlobTrustPolicy) RevocationModeTSA() string {
+	if t.RevocationMode.TSA != "" {
+		return t.RevocationMode.TSA
+	}
+
+	if t.GlobalRevocationMode != "" {
+		return t.GlobalRevocationMode
+	}
+
+	return RevocationModeAuto
+}
+
 // clone returns a pointer to the deeply copied TrustPolicy
 func (t *BlobTrustPolicy) clone() *BlobTrustPolicy {
 	return &BlobTrustPolicy{

diff --git a/verifier/trustpolicy/oci.go b/verifier/trustpolicy/oci.go
@@ -62,9 +62,9 @@ type OCITrustPolicy struct {
 	// time is longer than the CRLValidity
 	CRLValidity int `json:"crlValidity"`
 
-	// RevocationModeGlobal sets the global revocation mode
+	// GlobalRevocationMode sets the global revocation mode
 	// it supported values are "auto", "ocsp", "crl"
-	RevocationModeGlobal string `json:"revocationModeGlobal"`
+	GlobalRevocationMode string `json:"revocationModeGlobal"`
 
 	// RevocationMode sets the revocation mode for CA and TSA
 	// it will override RevocationModeGlobal if set
@@ -151,6 +151,34 @@ func (policyDoc *OCIDocument) Validate() error {
 			return fmt.Errorf("oci trust policy: %w", err)
 		}
 
+		switch statement.GlobalRevocationMode {
+		case RevocationModeAuto, RevocationModeOCSP, RevocationModeCRL:
+		case "":
+			statement.GlobalRevocationMode = RevocationModeAuto
+		default:
+			return fmt.Errorf("oci trust policy statement %q has unsupported global revocation mode %q, supported values are %q, %q, %q", statement.Name, statement.GlobalRevocationMode, RevocationModeAuto, RevocationModeOCSP, RevocationModeCRL)
+		}
+
+		switch statement.RevocationMode.CA {
+		case RevocationModeAuto, RevocationModeOCSP, RevocationModeCRL:
+		case "":
+			statement.RevocationMode.CA = RevocationModeAuto
+		default:
+			return fmt.Errorf("oci trust policy statement %q has unsupported CA revocation mode %q, supported values are %q, %q, %q", statement.Name, statement.RevocationMode.CA, RevocationModeAuto, RevocationModeOCSP, RevocationModeCRL)
+		}
+
+		switch statement.RevocationMode.TSA {
+		case RevocationModeAuto, RevocationModeOCSP, RevocationModeCRL:
+		case "":
+			statement.RevocationMode.TSA = RevocationModeAuto
+		default:
+			return fmt.Errorf("oci trust policy statement %q has unsupported TSA revocation mode %q, supported values are %q, %q, %q", statement.Name, statement.RevocationMode.TSA, RevocationModeAuto, RevocationModeOCSP, RevocationModeCRL)
+		}
+
+		if statement.CRLValidity < 0 {
+			return fmt.Errorf("oci trust policy statement %q has negative CRL validity %d, it must be a non-negative integer", statement.Name, statement.CRLValidity)
+		}
+
 		policyNames.Add(statement.Name)
 	}
 
@@ -195,14 +223,28 @@ func (policyDoc *OCIDocument) GetApplicableTrustPolicy(artifactReference string)
 	}
 }
 
-func (policy *OCITrustPolicy) GetRevocationMode(storeType string) string {
-	if policy.RevocationMode.CA != "" && storeType == "ca" {
+func (policy *OCITrustPolicy) RevocationModeCA() string {
+	if policy.RevocationMode.CA != "" {
 		return policy.RevocationMode.CA
 	}
-	if policy.RevocationMode.TSA != "" && storeType == "tsa" {
+
+	if policy.GlobalRevocationMode != "" {
+		return policy.GlobalRevocationMode
+	}
+
+	return RevocationModeAuto
+}
+
+func (policy *OCITrustPolicy) RevocationModeTSA() string {
+	if policy.RevocationMode.TSA != "" {
 		return policy.RevocationMode.TSA
 	}
-	return policy.RevocationModeGlobal
+
+	if policy.GlobalRevocationMode != "" {
+		return policy.GlobalRevocationMode
+	}
+
+	return RevocationModeAuto
 }
 
 // clone returns a pointer to the deeply copied TrustPolicy