Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[revocation] Implement CRL support #125

Closed
priteshbandi opened this issue Feb 28, 2023 · 4 comments
Closed

[revocation] Implement CRL support #125

priteshbandi opened this issue Feb 28, 2023 · 4 comments
Assignees
Milestone

Comments

@priteshbandi
Copy link
Contributor

priteshbandi commented Feb 28, 2023

Spec: https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#crls

Note: For start we can Indirect CRL and can be implemented as step 2.

@yizha1
Copy link
Contributor

yizha1 commented Dec 19, 2023

@priteshbandi Do you have any plan on implementing CRL checks?

Copy link

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

@JeyJeyGao
Copy link
Contributor

As we discussed in notaryproject/notation-go#425. We will include the following CRL features for notation v1.3.0:

  1. Basic CRL support : This includes base CRL downloading and validation, with a fallback rule to automatically choose OCSP and fallback to CRL.
  2. CRL cache support : Since CRL is a static file with relatively long-term validity, and a well-known CA's CRL is usually greater than 600KiB, a cache mechanism can significantly improve performance.

@JeyJeyGao JeyJeyGao mentioned this issue Jul 25, 2024
@yizha1 yizha1 moved this from Todo to In Progress in Notary Project Planning Board Jul 29, 2024
@yizha1 yizha1 modified the milestones: 1.3.0, 1.2.0 Sep 3, 2024
JeyJeyGao added a commit that referenced this issue Sep 18, 2024
Feat:
- CRL support, including CRL downloading, validation, and revocation
list checks.
- OCSP fallback to CRL when OCSP is unavailable or encounters an unknown
issue.

Refactor:
- move OCSP to internal package to export `ocsp.CertCheckStatus` and
`ocsp.Supported` function for `revocation` package

The PR implements a subset of RFC 5280:
- It only supports X.509 v2 CRL, as the Golang CRL parser only supports
v2.
- It only verifies that the CRL issuer is the certificate's CA with the
same key.
- Delta CRL and indirect CRL are not supported.

> NOTE: CRL cache is not included.

Resolves part 1 of #125 
Signed-off-by: Junjie Gao <[email protected]>

---------

Signed-off-by: Junjie Gao <[email protected]>
@JeyJeyGao
Copy link
Contributor

CRL and CRL Cache have been merged. We can close this issue now.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Notary Project Planning Board Oct 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

No branches or pull requests

3 participants