[revocation] Implement CRL support #125

Open
priteshbandi opened this issue Feb 28, 2023 · 3 comments

priteshbandi commented Feb 28, 2023

Spec: https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#crls

Note: For a start, Indirect CRL can be left out and implemented as step 2.

yizha1 commented Dec 19, 2023

@priteshbandi Do you have any plan on implementing CRL checks?

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

@github-actions github-actions bot added the Stale label Mar 22, 2024
@yizha1 yizha1 removed the Stale label Mar 22, 2024
@yizha1 yizha1 added this to the Future milestone Mar 22, 2024
@yizha1 yizha1 modified the milestones: Future, 1.3.0 Apr 11, 2024
@JeyJeyGao

As we discussed in notaryproject/notation-go#425, we will include the following CRL features for notation v1.3.0:

  1. Basic CRL support: This includes base CRL downloading and validation, with a fallback rule to automatically choose OCSP and fall back to CRL.
  2. CRL cache support: Since a CRL is a static file with relatively long-term validity, and a well-known CA's CRL is usually greater than 600KiB, a cache mechanism can significantly improve performance.

@JeyJeyGao JeyJeyGao mentioned this issue Jul 25, 2024
@yizha1 yizha1 modified the milestones: 1.3.0, 1.2.0 Sep 3, 2024
JeyJeyGao added a commit that referenced this issue Sep 18, 2024
Feat:
- CRL support, including CRL downloading, validation, and revocation
list checks.
- OCSP fallback to CRL when OCSP is unavailable or encounters an unknown
issue.

Refactor:
- move OCSP to internal package to export `ocsp.CertCheckStatus` and
`ocsp.Supported` function for `revocation` package

The PR implements a subset of RFC 5280:
- It only supports X.509 v2 CRL, as the Golang CRL parser only supports
v2.
- It only verifies that the CRL issuer is the certificate's CA with the
same key.
- Delta CRL and indirect CRL are not supported.

> NOTE: CRL cache is not included.

Resolves part 1 of #125 
Signed-off-by: Junjie Gao <[email protected]>

---------

Signed-off-by: Junjie Gao <[email protected]>
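As an added example, not code from notation-core-go or from the PR above, this is what the subset of RFC 5280 described in that commit message looks like when written against Go's standard library: a base CRL is accepted only if it parses (Go only parses X.509 v2 CRLs), is signed by the certificate's own CA with the same key, carries neither a delta CRL indicator nor an issuing distribution point extension, and is inside its thisUpdate/nextUpdate window; revocation is then a serial-number lookup. `CheckCRL` and `NewFixture` are names chosen here, the CA, leaf and CRL are constructed throwaway test data, and refusing any issuing distribution point is a conservative simplification (a real implementation would read the extension's indirectCRL flag); caching and the OCSP-to-CRL fallback are not shown.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckCRL reports whether cert is listed in crlDER, a base CRL that must be signed by ca, the issuer of cert.
func CheckCRL(cert, ca *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER) // Go's parser accepts X.509 v2 CRLs only
	if err != nil { return false, err }
	// Same CA, same key: the CRL must name cert's issuer, cert must chain to ca, and the CRL must verify under ca's key.
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) || cert.CheckSignatureFrom(ca) != nil {
		return false, errors.New("CRL issuer is not the certificate's CA")
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { return false, err }
	// Refuse the delta CRL indicator (2.5.29.27) and issuing distribution point (2.5.29.28) extensions: a full-scope base CRL carries neither.
	for _, ext := range crl.Extensions {
		if ext.Id.Equal([]int{2, 5, 29, 27}) || ext.Id.Equal([]int{2, 5, 29, 28}) { return false, errors.New("delta and indirect CRLs are not supported") }
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) { return false, errors.New("CRL is outside its thisUpdate/nextUpdate window") }
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}

// NewFixture mints a throwaway CA, a leaf it issued and a CRL listing that leaf (constructed test data, not a real CA).
func NewFixture() (leaf, ca *x509.Certificate, crlDER []byte) {
	must := func(der []byte, err error) []byte { if err != nil { panic(err) }; return der }
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: nb, NotAfter: na}
	ca, _ = x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "leaf"}, NotBefore: nb, NotAfter: na}
	leaf, _ = x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: nb, NextUpdate: na,
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}
	return leaf, ca, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
}
```

An error from `CheckCRL` is "no verdict", not "not revoked": that is the point at which a caller applies the OCSP/CRL fallback rule from the plan above or fails closed.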