Allow caller to assert revocation status of a cert

MatthiasValvekens · MatthiasValvekens · commit 39184fbe3fe5 · 2023-11-11T23:06:11.000+01:00
diff --git a/pyhanko_certvalidator/context.py b/pyhanko_certvalidator/context.py
@@ -18,6 +18,7 @@
     AlgorithmUsagePolicy,
     CertRevTrustPolicy,
     DisallowWeakAlgorithmsPolicy,
+    NonRevokedStatusAssertion,
     PKIXValidationParams,
     RevocationCheckingPolicy,
 )
@@ -546,6 +547,7 @@ def bootstrap_validation_data_handlers(
     ocsps: Iterable[OCSPContainer] = (),
     certs: Iterable[x509.Certificate] = (),
     poe_manager: Optional[POEManager] = None,
+    nonrevoked_assertions: Iterable[NonRevokedStatusAssertion] = (),
 ) -> ValidationDataHandlers:
     """
     Simple bootstrapping method for a :class:`.ValidationDataHandlers`
@@ -564,6 +566,9 @@ def bootstrap_validation_data_handlers(
         Initial collection of certificates to add to the certificate registry.
     :param poe_manager:
         Explicit POE manager. Will instantiate an empty one if left unspecified.
+    :param nonrevoked_assertions:
+        Assertions about the non-revoked status of certain certificates
+        that will be taken as true by fiat.
     :return:
         A :class:`.ValidationDataHandlers` object.
     """
@@ -587,6 +592,7 @@ def bootstrap_validation_data_handlers(
         crls=crls,
         ocsps=ocsps,
         fetchers=_fetchers,
+        assertions=nonrevoked_assertions,
     )
     return ValidationDataHandlers(
         revinfo_manager=revinfo_manager,
diff --git a/pyhanko_certvalidator/policy_decl.py b/pyhanko_certvalidator/policy_decl.py
@@ -5,7 +5,7 @@
 import enum
 from dataclasses import dataclass
 from datetime import datetime, timedelta
-from typing import FrozenSet, Optional
+from typing import FrozenSet, Iterable, Optional
 
 from asn1crypto import algos, keys
 
@@ -21,6 +21,7 @@
     'AlgorithmUsagePolicy',
     'DisallowWeakAlgorithmsPolicy',
     'AcceptAllAlgorithms',
+    'NonRevokedStatusAssertion',
     'DEFAULT_WEAK_HASH_ALGOS',
     'REQUIRE_REVINFO',
     'NO_REVOCATION',
@@ -40,6 +41,23 @@
 """
 
 
+@dataclass(frozen=True)
+class NonRevokedStatusAssertion:
+    """
+    Assert that a certificate was not revoked at some given date.
+    """
+
+    cert_sha256: bytes
+    """
+    SHA-256 hash of the certificate.
+    """
+
+    at: datetime
+    """
+    Moment in time at which the assertion is to be considered valid.
+    """
+
+
 @enum.unique
 class RevocationCheckingRule(enum.Enum):
     """
diff --git a/pyhanko_certvalidator/revinfo/manager.py b/pyhanko_certvalidator/revinfo/manager.py
@@ -1,3 +1,4 @@
+from datetime import datetime
 from typing import Dict, Iterable, List, Optional, Set
 
 from asn1crypto import crl, ocsp, x509
@@ -13,6 +14,7 @@
     ValidationObjectType,
     digest_for_poe,
 )
+from pyhanko_certvalidator.policy_decl import NonRevokedStatusAssertion
 from pyhanko_certvalidator.registry import CertificateRegistry
 from pyhanko_certvalidator.revinfo.archival import (
     CRLContainer,
@@ -46,6 +48,7 @@ def __init__(
         poe_manager: POEManager,
         crls: Iterable[CRLContainer],
         ocsps: Iterable[OCSPContainer],
+        assertions: Iterable[NonRevokedStatusAssertion] = (),
         fetchers: Optional[Fetchers] = None,
     ):
         self._certificate_registry = certificate_registry
@@ -65,6 +68,9 @@ def __init__(
                 self._extract_ocsp_certs(ocsp_response)
 
         self._fetchers = fetchers
+        self._assertions: Dict[bytes, NonRevokedStatusAssertion] = {
+            assertion.cert_sha256: assertion for assertion in assertions
+        }
 
     @property
     def poe_manager(self) -> POEManager:
@@ -275,3 +281,11 @@ def p(container: CRLContainer):
             return digest not in hashes_to_evict
 
         self._crls = list(filter(p, self._crls))
+
+    def check_asserted_unrevoked(
+        self, cert: x509.Certificate, at: datetime
+    ) -> bool:
+        try:
+            return at <= self._assertions[cert.sha256].at
+        except KeyError:
+            return False
diff --git a/pyhanko_certvalidator/validate.py b/pyhanko_certvalidator/validate.py
@@ -1085,6 +1085,14 @@ async def intl_validate_path(
     else:
         cert = None
 
+    # TODO support this for attr certs
+    leaf_asserted_nonrevoked = False
+    revinfo_manager = validation_context.revinfo_manager
+    if isinstance(path.leaf, x509.Certificate):
+        leaf_asserted_nonrevoked = revinfo_manager.check_asserted_unrevoked(
+            path.leaf, moment
+        )
+
     for index in range(1, path_length + 1):
         cert = path[index]
 
@@ -1109,12 +1117,16 @@ async def intl_validate_path(
             )
 
         # Step 2 a 3 - CRL/OCSP
-        await _check_revocation(
-            cert=cert,
-            validation_context=validation_context,
-            path=path,
-            proc_state=proc_state,
-        )
+        if (
+            not leaf_asserted_nonrevoked
+            and not revinfo_manager.check_asserted_unrevoked(cert, moment)
+        ):
+            await _check_revocation(
+                cert=cert,
+                validation_context=validation_context,
+                path=path,
+                proc_state=proc_state,
+            )
 
         # Step 2 a 4
         if cert.issuer != state.working_issuer_name:
diff --git a/tests/test_validate.py b/tests/test_validate.py
@@ -31,8 +31,14 @@
     aiohttp_fetchers,
     requests_fetchers,
 )
+from pyhanko_certvalidator.ltv.poe import POEManager
 from pyhanko_certvalidator.path import QualifiedPolicy, ValidationPath
-from pyhanko_certvalidator.policy_decl import DisallowWeakAlgorithmsPolicy
+from pyhanko_certvalidator.policy_decl import (
+    DisallowWeakAlgorithmsPolicy,
+    NonRevokedStatusAssertion,
+)
+from pyhanko_certvalidator.registry import CertificateRegistry
+from pyhanko_certvalidator.revinfo.manager import RevinfoManager
 from pyhanko_certvalidator.validate import async_validate_path, validate_path
 
 from .common import (
@@ -352,6 +358,34 @@ def test_ed448():
     validate_path(context, path)
 
 
+def test_assert_no_revinfo_needed_by_fiat():
+    cert = load_cert_object('testing-ca-pss', 'signer1.cert.pem')
+    ca_certs = [load_cert_object('testing-ca-pss', 'root.cert.pem')]
+    other_certs = [load_cert_object('testing-ca-pss', 'interm.cert.pem')]
+    moment = datetime(2021, 5, 3, tzinfo=timezone.utc)
+    assertion = NonRevokedStatusAssertion(cert.sha256, moment)
+    revinfo_manager = RevinfoManager(
+        certificate_registry=CertificateRegistry.build(),
+        poe_manager=POEManager(),
+        crls=(),
+        ocsps=(),
+        assertions=(assertion,),
+    )
+    context = ValidationContext(
+        trust_roots=ca_certs,
+        other_certs=other_certs,
+        allow_fetching=False,
+        moment=moment,
+        revocation_mode='require',  # turn on strict revinfovalidation
+        revinfo_manager=revinfo_manager,
+    )
+    paths = context.path_builder.build_paths(cert)
+    assert 1 == len(paths)
+    path = paths[0]
+    assert 3 == len(path)
+    validate_path(context, path)
+
+
 def test_multitasking_ocsp():
     # regression test for case where the same responder ID (name + key ID)
     # is used in OCSP responses for different issuers in the same chain of
