notaryproject · JeyJeyGao · Nov 5, 2024 · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024
diff --git a/revocation/ocsp/ocsp_test.go b/revocation/ocsp/ocsp_test.go
@@ -128,7 +128,7 @@ func TestCheckStatusForNonSelfSignedSingleCert(t *testing.T) {
 	}
 
 	certResults, err := CheckStatus(opts)
-	expectedErr := result.InvalidChainError{Err: errors.New("invalid self-signed certificate. subject: \"CN=Notation Test RSA Leaf Cert,O=Notary,L=Seattle,ST=WA,C=US\". Error: crypto/rsa: verification error")}
+	expectedErr := result.InvalidChainError{Err: errors.New("invalid self-signed leaf certificate. subject: \"CN=Notation Test RSA Leaf Cert,O=Notary,L=Seattle,ST=WA,C=US\". Error: crypto/rsa: verification error")}
 	if err == nil || err.Error() != expectedErr.Error() {
 		t.Errorf("Expected CheckStatus to fail with %v, but got: %v", expectedErr, err)
 	}

diff --git a/revocation/revocation_test.go b/revocation/revocation_test.go
@@ -1164,7 +1164,9 @@ func TestCRL(t *testing.T) {
 		}
 
 		revocationClient, err := NewWithOptions(Options{
-			OCSPHTTPClient:   &http.Client{},
+			OCSPHTTPClient: &http.Client{
+				Transport: &serverErrorTransport{},
+			},
 			CRLFetcher:       fetcher,
 			CertChainPurpose: purpose.CodeSigning,
 		})
@@ -1352,6 +1354,15 @@ func (t panicTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	panic("panic")
 }
 
+type serverErrorTransport struct{}
+
+func (t serverErrorTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	return &http.Response{
+		StatusCode: http.StatusInternalServerError,
+		Body:       io.NopCloser(bytes.NewReader([]byte{})),
+	}, nil
+}
+
 func TestValidateContext(t *testing.T) {
 	r, err := NewWithOptions(Options{
 		OCSPHTTPClient:   &http.Client{},

@@ -34,12 +34,12 @@
 	// For self-signed signing certificate (not a CA)
 	if len(certChain) == 1 {
 		cert := certChain[0]
+		if err := validateSelfSignedLeaf(cert); err != nil {
+			return err
+		}
 		if signedTimeError := validateSigningTime(cert, signingTime); signedTimeError != nil {
 			return signedTimeError
 		}
-		if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
-			return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: %w", cert.Subject, err)
-		}
 		if err := validateCodeSigningLeafCertificate(cert); err != nil {
 			return fmt.Errorf("invalid self-signed certificate. Error: %w", err)
 		}

diff --git a/x509/helper.go b/x509/helper.go
@@ -23,6 +23,19 @@
 	"github.com/notaryproject/notation-core-go/signature"
 )
 
+// validateSelfSignedLeaf validates a self-signed leaf certificate.
+//
+// A self-signed leaf certificate must have the same subject and issuer.
+func validateSelfSignedLeaf(cert *x509.Certificate) error {
+	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
+		return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: %w", cert.Subject, err)
+	}
+	if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
+		return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: issuer and subject are not the same", cert.Subject)
+	}
+	return nil
+}
+
 func isSelfSigned(cert *x509.Certificate) (bool, error) {
 	return isIssuedBy(cert, cert)
 }

@@ -33,8 +33,8 @@ func ValidateTimestampingCertChain(certChain []*x509.Certificate) error {
 	// For self-signed signing certificate (not a CA)
 	if len(certChain) == 1 {
 		cert := certChain[0]
-		if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
-			return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: %w", cert.Subject, err)
+		if err := validateSelfSignedLeaf(cert); err != nil {
+			return err
 		}
 		if err := validateTimestampingLeafCertificate(cert); err != nil {
 			return fmt.Errorf("invalid self-signed certificate. Error: %w", err)

@@ -63,7 +63,7 @@ func TestInvalidTimestampingChain(t *testing.T) {
 	assertErrorEqual(expectedErr, err, t)
 
 	certChain = []*x509.Certificate{timestamp_leaf}
-	expectedErr = "invalid self-signed certificate. subject: \"CN=DigiCert Timestamp 2023,O=DigiCert\\\\, Inc.,C=US\". Error: crypto/rsa: verification error"
+	expectedErr = "invalid self-signed leaf certificate. subject: \"CN=DigiCert Timestamp 2023,O=DigiCert\\\\, Inc.,C=US\". Error: crypto/rsa: verification error"
 	err = ValidateTimestampingCertChain(certChain)
 	assertErrorEqual(expectedErr, err, t)