in internal/verifier/verifier.go [195:236]
// validateRevocation asks AWS Signer whether the signing material behind a
// signature has been revoked and records the verdict in response under
// plugin.CapabilityRevocationCheckVerifier.
//
// The lookup is keyed by the signing profile version ARN and signing job ARN
// read from the signature's critical extended attributes, the hashes of the
// certificates in the chain, and the signature's authentic signing time.
// The check is fail-closed: a failed GetRevocationStatus call is reported as
// an unsuccessful result rather than being treated as "not revoked".
//
// Returns an error only when a required attribute cannot be read or the
// certificate chain cannot be hashed. The revocation verdict itself is
// conveyed through response.VerificationResults, not the return value, so
// callers must inspect that entry rather than relying on a nil error.
// NOTE(review): response.VerificationResults is assumed to be a non-nil map
// (assignment into a nil map panics) — confirm against the framework caller.
func (v *Verifier) validateRevocation(ctx context.Context, request *plugin.VerifySignatureRequest, response *plugin.VerifySignatureResponse) error {
	attrs := request.Signature.CriticalAttributes.ExtendedAttributes

	profileVersionArn, err := getValueAsString(attrs, attrSigningProfileVersion)
	if err != nil {
		return err
	}
	jobArn, err := getValueAsString(attrs, attrSigningJob)
	if err != nil {
		return err
	}

	// A chain that cannot be parsed is a validation error; the underlying
	// parser error is intentionally not forwarded to the caller.
	hashes, err := hashCertificates(request.Signature.CertificateChain)
	if err != nil {
		return plugin.NewValidationError(errMsgCertificateParse)
	}

	status, err := v.awssigner.GetRevocationStatus(ctx, &signer.GetRevocationStatusInput{
		CertificateHashes:  hashes,
		JobArn:             aws.String(jobArn),
		PlatformId:         aws.String(platformNotation),
		ProfileVersionArn:  aws.String(profileVersionArn),
		SignatureTimestamp: request.Signature.CriticalAttributes.AuthenticSigningTime,
	})

	// Optimistic default; overridden below when the call fails or when the
	// service reports at least one revoked entity.
	verdict := &plugin.VerificationResult{
		Success: true,
		Reason:  reasonNotRevoked,
	}
	switch {
	case err != nil:
		// Fail closed: an unreachable or erroring revocation service must
		// never be reported as "not revoked".
		verdict.Success = false
		verdict.Reason = fmt.Sprintf("GetRevocationStatus call failed with error: %+v", err)
	case len(status.RevokedEntities) > 0:
		verdict.Success = false
		verdict.Reason = getRevocationResultReason(status.RevokedEntities)
	}

	response.VerificationResults[plugin.CapabilityRevocationCheckVerifier] = verdict
	return nil
}