refactor!: update revocation based on notation-core-go

verifier/verifier.go

@@ -78,7 +78,7 @@
 	// check, use [RevocationCodeSigningValidator].
 	RevocationClient revocation.Revocation
 
-	// RevocationTimestampingValidator is used for verifying revocation of
+	// RevocationCodeSigningValidator is used for verifying revocation of
 	// code signing certificate chain with context.
 	RevocationCodeSigningValidator revocation.Validator
 
@@ -130,17 +130,6 @@
 // NewVerifierWithOptions creates a new verifier given ociTrustPolicy, blobTrustPolicy,
 // trustStore, pluginManager, and verifierOptions
 func NewVerifierWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, blobTrustPolicy *trustpolicy.BlobDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, verifierOptions VerifierOptions) (*verifier, error) {
-	revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator
-	var err error
-	if revocationTimestampingValidator == nil {
-		revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{
-			OCSPHTTPClient:   &http.Client{Timeout: 2 * time.Second},
-			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
-		})
-		if err != nil {
-			return nil, err
-		}
-	}
 	if trustStore == nil {
 		return nil, errors.New("trustStore cannot be nil")
 	}
@@ -158,15 +147,14 @@
 		}
 	}
 	v := &verifier{
-		ociTrustPolicyDoc:               ociTrustPolicy,
-		blobTrustPolicyDoc:              blobTrustPolicy,
-		trustStore:                      trustStore,
-		pluginManager:                   pluginManager,
-		revocationTimestampingValidator: revocationTimestampingValidator,
+		ociTrustPolicyDoc:  ociTrustPolicy,
+		blobTrustPolicyDoc: blobTrustPolicy,
+		trustStore:         trustStore,
+		pluginManager:      pluginManager,
 	}
 
-	if err := v.setCodeSigningRevocation(verifierOptions); err != nil {
+	if err := setRevocation(v, verifierOptions); err != nil {
 		return nil, err
 	}
 	return v, nil
 }
@@ -187,32 +175,6 @@
 	return NewVerifier(ociTrustPolicy, nil, trustStore, pluginManager)
 }
 
-// setCodeSigningRevocation sets code signing revocation object of v
-func (v *verifier) setCodeSigningRevocation(verifierOptions VerifierOptions) error {
-	revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator
-	if revocationCodeSigningValidator != nil {
-		v.revocationCodeSigningValidator = revocationCodeSigningValidator
-		return nil
-	}
-	revocationClient := verifierOptions.RevocationClient
-	if revocationClient != nil {
-		v.revocationClient = revocationClient
-		return nil
-	}
-
-	// both RevocationCodeSigningValidator and RevocationClient are nil
-	var err error
-	revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{
-		OCSPHTTPClient:   &http.Client{Timeout: 2 * time.Second},
-		CertChainPurpose: x509.ExtKeyUsageCodeSigning,
-	})
-	if err != nil {
-		return err
-	}
-	v.revocationCodeSigningValidator = revocationCodeSigningValidator
-	return nil
-}
-
 // SkipVerify validates whether the verification level is skip.
 func (v *verifier) SkipVerify(ctx context.Context, opts notation.VerifierVerifyOptions) (bool, *trustpolicy.VerificationLevel, error) {
 	logger := log.GetLogger(ctx)
@@ -1062,8 +1024,7 @@
 	// 5. Perform the timestamping certificate chain revocation check
 	logger.Debug("Checking timestamping certificate chain revocation...")
 	certResults, err := r.ValidateContext(ctx, revocation.ValidateContextOptions{
-		CertChain:   tsaCertChain,
-		SigningTime: time.Time{},
+		CertChain: tsaCertChain,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to check timestamping certificate chain revocation with error: %w", err)
@@ -1082,3 +1043,43 @@
 	// success
 	return nil
 }
+
+// setRevocation sets revocation validators of verifier
+func setRevocation(verifier *verifier, verifierOptions VerifierOptions) error {
+	// timestamping validator
+	revocationTimestampingValidator := verifierOptions.RevocationTimestampingValidator
+	var err error
+	if revocationTimestampingValidator == nil {
+		revocationTimestampingValidator, err = revocation.NewWithOptions(revocation.Options{
+			OCSPHTTPClient:   &http.Client{Timeout: 2 * time.Second},
+			CertChainPurpose: x509.ExtKeyUsageTimeStamping,
+		})
+		if err != nil {
+			return err
+		}
+	}
+	verifier.revocationTimestampingValidator = revocationTimestampingValidator
+
+	// code signing validator
+	revocationCodeSigningValidator := verifierOptions.RevocationCodeSigningValidator
+	if revocationCodeSigningValidator != nil {
+		verifier.revocationCodeSigningValidator = revocationCodeSigningValidator
+		return nil
+	}
+	revocationClient := verifierOptions.RevocationClient
+	if revocationClient != nil {
+		verifier.revocationClient = revocationClient
+		return nil
+	}
+
+	// both RevocationCodeSigningValidator and RevocationClient are nil
+	revocationCodeSigningValidator, err = revocation.NewWithOptions(revocation.Options{
+		OCSPHTTPClient:   &http.Client{Timeout: 2 * time.Second},
+		CertChainPurpose: x509.ExtKeyUsageCodeSigning,
+	})
+	if err != nil {
+		return err
+	}
+	verifier.revocationCodeSigningValidator = revocationCodeSigningValidator
+	return nil
+}