notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Signature verification failure with error "revocation status is unknown" #959

Open yizha1 opened 3 weeks ago

yizha1 commented 3 weeks ago

What is not working as expected?

Use the notation verify command to verify an image signed with a CA-issued certificate. The certificate chain contains an intermediate CA certificate and a root CA certificate. Here is the log captured using the -d and -v flags (Note: the trust policy verification level is set to permissive, so the error is just logged):

2024-06-06T09:13:39.1090940Z time="2024-06-06T09:13:39Z" level=debug msg="error for certificate #2 in chain with subject for server \"http://ocsp..com/ocsp\": exceeded timeout threshold of 0.00 seconds for OCSP check"
2024-06-06T09:13:39.1092428Z time="2024-06-06T09:13:39Z" level=debug msg="error for certificate #1 in chain with subject for server \"http://ocsp..com/ocsp\": exceeded timeout threshold of 0.00 seconds for OCSP check"
2024-06-06T09:13:39.1093376Z time="2024-06-06T09:13:39Z" level=warning msg="revocation validation failed with validation action set to \"logged\". Failure reason: signing certificate with subject \"***\" revocation status is unknown"

However, when using the following openssl command in the same environment, the OCSP verification works:

openssl ocsp -issuer chain.pem -cert leaf.pem -url http://ocsp.xxx.com/ocsp -CAfile chain.pem -no_nonce

During troubleshooting, we found that the same openssl ocsp command does not work without -no_nonce; the result was Responder Error: unauthorized (6):

openssl ocsp -issuer chain.pem -cert leaf.pem -url http://ocsp.xxx.com/ocsp -CAfile chain.pem

What did you expect to happen?

First, the revocation checking should work, as the openssl command works in the same environment. Based on the flags tried with openssl, my guess is that the nonce may not be properly handled in the OCSP request and response. Second, the log should be improved: the timeout is confusing. What is the timeout? It looks like the connection to the OCSP responder timed out, but it could also mean the revocation result was not fetched within the expected time even though the connection with the server was established. The 0.00 in the log is strange as well. "revocation status is unknown" is also too general; it does not help to understand the problem or how to mitigate it.

How can we reproduce it?

The steps are simple: just use notation verify to verify a signed image. However, the certificates cannot be shared in this issue.

Describe your environment

Linux OS

What is the version of your Notation CLI or Notation Library?

Notation/1.0.0

yizha1 commented 3 weeks ago

@priteshbandi would you mind checking this issue, as it is related to the OCSP work you did previously? Thanks.

priteshbandi commented 3 weeks ago

Due to a limitation in the golang ocsp library, we are unable to pass the nonce in the OCSP request, as discussed here. Consequently, we are not including the nonce.

The error message stating "exceeded timeout threshold of 0.00 seconds for OCSP check" is misleading because we are not explicitly setting a timeout in the error message; therefore, it defaults to 0.00 seconds (see source).

It appears there may be another underlying issue. Could you please provide the certificate you are using? If it's a private certificate with a private ocsp endpoint, are there any errors on the server side?

yizha1 commented 3 weeks ago

Thanks @priteshbandi for your prompt response.

If the OCSP responder passes the nonce, can we handle it? The openssl command only works when explicitly specifying the flag -no_nonce.

I will check whether it is possible to get any server logs. If the certificates cannot be shared, is there any other way to do troubleshooting on Notation side?

yizha1 commented 2 weeks ago

Update: requested OCSP responder logs.