feat: CRL

revocation/internal/crl/crl.go

@@ -29,6 +29,9 @@ import (
 	"github.com/notaryproject/notation-core-go/revocation/result"
 )
 
+// RevocationMethodCRL represents the CRL revocation method
+const RevocationMethodCRL = 2
+
 var (
 	// oidFreshestCRL is the object identifier for the distribution point
 	// for the delta CRL. (See RFC 5280, Section 5.2.6)
@@ -44,7 +47,9 @@ var (
 )
 
 // maxCRLSize is the maximum size of CRL in bytes
-const maxCRLSize = 64 * 1024 * 1024 // 64 MiB
+//
+// CRL examples: https://chasersystems.com/blog/an-analysis-of-certificate-revocation-list-sizes/
+const maxCRLSize = 32 * 1024 * 1024 // 32 MiB
 
 // CertCheckStatusOptions specifies values that are needed to check CRL
 type CertCheckStatusOptions struct {
@@ -69,9 +74,11 @@ func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts C
 		// CRL not enabled for this certificate.
 		return &result.CertRevocationResult{
 			Result: result.ResultNonRevokable,
-			CRLResults: []*result.CRLResult{{
-				Result: result.ResultNonRevokable,
+			ServerResults: []*result.ServerResult{{
+				RevocationMethod: RevocationMethodCRL,
+				Result:           result.ResultNonRevokable,
 			}},
+			RevocationMethod: RevocationMethodCRL,
 		}
 	}
 
@@ -83,9 +90,9 @@ func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts C
 	// point with one CRL URI, which will be cached, so checking all the URIs is
 	// not a performance issue.
 	var (
-		crlResults []*result.CRLResult
-		lastErr    error
-		crlURL     string
+		results []*result.ServerResult
+		lastErr error
+		crlURL  string
 	)
 	for _, crlURL = range cert.CRLDistributionPoints {
 		baseCRL, err := download(ctx, crlURL, opts.HTTPClient)
@@ -104,31 +111,35 @@ func CertCheckStatus(ctx context.Context, cert, issuer *x509.Certificate, opts C
 			lastErr = fmt.Errorf("failed to check revocation status from %s: %w", crlURL, err)
 			break
 		}
-		crlResults = append(crlResults, crlResult)
-
 		if crlResult.Result == result.ResultRevoked {
 			return &result.CertRevocationResult{
-				Result:     result.ResultRevoked,
-				CRLResults: crlResults,
+				Result:           result.ResultRevoked,
+				ServerResults:    []*result.ServerResult{crlResult},
+				RevocationMethod: RevocationMethodCRL,
 			}
 		}
+
+		results = append(results, crlResult)
 	}
 
 	if lastErr != nil {
 		return &result.CertRevocationResult{
 			Result: result.ResultUnknown,
-			CRLResults: []*result.CRLResult{
+			ServerResults: []*result.ServerResult{
 				{
-					Result: result.ResultUnknown,
-					URI:    crlURL,
-					Error:  lastErr,
+					Result:           result.ResultUnknown,
+					Server:           crlURL,
+					Error:            lastErr,
+					RevocationMethod: RevocationMethodCRL,
 				}},
+			RevocationMethod: RevocationMethodCRL,
 		}
 	}
 
 	return &result.CertRevocationResult{
-		Result:     result.ResultOK,
-		CRLResults: crlResults,
+		Result:           result.ResultOK,
+		ServerResults:    results,
+		RevocationMethod: RevocationMethodCRL,
 	}
 }
 
@@ -140,7 +151,7 @@ func Supported(cert *x509.Certificate) bool {
 func validate(crl *x509.RevocationList, issuer *x509.Certificate) error {
 	// check signature
 	if err := crl.CheckSignatureFrom(issuer); err != nil {
-		return fmt.Errorf("failed to verify CRL signature: %w", err)
+		return fmt.Errorf("CRL is not signed by CA %s: %w,", issuer.Subject, err)
 	}
 
 	// check validity
@@ -169,7 +180,7 @@ func validate(crl *x509.RevocationList, issuer *x509.Certificate) error {
 }
 
 // checkRevocation checks if the certificate is revoked or not
-func checkRevocation(cert *x509.Certificate, baseCRL *x509.RevocationList, signingTime time.Time, crlURL string) (*result.CRLResult, error) {
+func checkRevocation(cert *x509.Certificate, baseCRL *x509.RevocationList, signingTime time.Time, crlURL string) (*result.ServerResult, error) {
 	if cert == nil {
 		return nil, errors.New("certificate cannot be nil")
 	}
@@ -178,14 +189,7 @@ func checkRevocation(cert *x509.Certificate, baseCRL *x509.RevocationList, signi
 		return nil, errors.New("baseCRL cannot be nil")
 	}
 
-	// latestTempRevokedEntry contains the most recent revocation entry with
-	// reasons such as CertificateHold or RemoveFromCRL.
-	//
-	// If the certificate is revoked with CertificateHold, it is temporarily
-	// revoked. If the certificate is shown in the CRL with RemoveFromCRL,
-	// it is unrevoked.
-	var latestTempRevokedEntry *x509.RevocationListEntry
-	for i, revocationEntry := range baseCRL.RevokedCertificateEntries {
+	for _, revocationEntry := range baseCRL.RevokedCertificateEntries {
 		if revocationEntry.SerialNumber.Cmp(cert.SerialNumber) == 0 {
 			extensions, err := parseEntryExtensions(revocationEntry)
 			if err != nil {
@@ -197,41 +201,22 @@ func checkRevocation(cert *x509.Certificate, baseCRL *x509.RevocationList, signi
 				signingTime.Before(extensions.invalidityDate) {
 				// signing time is before the invalidity date which means the
 				// certificate is not revoked at the time of signing.
-				continue
+				break
 			}
 
-			switch revocationEntry.ReasonCode {
-			case int(result.CRLReasonCodeCertificateHold), int(result.CRLReasonCodeRemoveFromCRL):
-				// temporarily revoked or unrevoked
-				if latestTempRevokedEntry == nil || latestTempRevokedEntry.RevocationTime.Before(revocationEntry.RevocationTime) {
-					// the revocation status depends on the most recent reason
-					latestTempRevokedEntry = &baseCRL.RevokedCertificateEntries[i]
-				}
-			default:
-				// permanently revoked
-				return &result.CRLResult{
-					Result:         result.ResultRevoked,
-					ReasonCode:     result.CRLReasonCode(revocationEntry.ReasonCode),
-					RevocationTime: revocationEntry.RevocationTime,
-					URI:            crlURL,
-				}, nil
-			}
+			// revoked
+			return &result.ServerResult{
+				Result:           result.ResultRevoked,
+				Server:           crlURL,
+				RevocationMethod: RevocationMethodCRL,
+			}, nil
 		}
 	}
 
-	if latestTempRevokedEntry != nil && latestTempRevokedEntry.ReasonCode == int(result.CRLReasonCodeCertificateHold) {
-		// revoked with CertificateHold
-		return &result.CRLResult{
-			Result:         result.ResultRevoked,
-			ReasonCode:     result.CRLReasonCodeCertificateHold,
-			RevocationTime: latestTempRevokedEntry.RevocationTime,
-			URI:            crlURL,
-		}, nil
-	}
-
-	return &result.CRLResult{
-		Result: result.ResultOK,
-		URI:    crlURL,
+	return &result.ServerResult{
+		Result:           result.ResultOK,
+		Server:           crlURL,
+		RevocationMethod: RevocationMethodCRL,
 	}, nil
 }
 
@@ -273,17 +258,17 @@ func download(ctx context.Context, crlURL string, client *http.Client) (*x509.Re
 		return nil, fmt.Errorf("invalid CRL URL: %w", err)
 	}
 	if parsedURL.Scheme != "http" {
-		return nil, fmt.Errorf("unsupported scheme: %s. Only supports CRL URL in HTTP protocol", parsedURL.Scheme)
+		return nil, fmt.Errorf("unsupported CRL endpoint: %s. Only urls with HTTP scheme is supported", crlURL)
 	}
 
 	// download CRL
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, crlURL, nil)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create CRL request: %w", err)
+		return nil, fmt.Errorf("failed to create CRL request %q: %w", crlURL, err)
 	}
 	resp, err := client.Do(req)
 	if err != nil {
-		return nil, fmt.Errorf("request failed: %w", err)
+		return nil, fmt.Errorf("request failed for %q: %w", crlURL, err)
 	}
 	defer resp.Body.Close()
 
@@ -296,7 +281,7 @@ func download(ctx context.Context, crlURL string, client *http.Client) (*x509.Re
 	limitedReader := io.LimitReader(resp.Body, maxCRLSize)
 	data, err := io.ReadAll(limitedReader)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read CRL response: %w", err)
+		return nil, fmt.Errorf("failed to read CRL response from %q: %w", resp.Request.URL, err)
 	}
 	if len(data) == maxCRLSize {
 		return nil, fmt.Errorf("%s %q: CRL size reached the %d MiB size limit", resp.Request.Method, resp.Request.URL, maxCRLSize/1024/1024)