feat: Certificate status assertion

sdk/src/assertions/certificate_status.rs

@@ -0,0 +1,110 @@
+// Copyright 2025 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use serde::{Deserialize, Serialize};
+use serde_bytes::ByteBuf;
+
+use crate::{
+    assertion::{Assertion, AssertionBase, AssertionCbor},
+    assertions::labels,
+    error::Result,
+};
+
+/// Helper class to create Certificate Status assertions
+#[derive(Serialize, Deserialize, Default, Debug, PartialEq, Eq)]
+pub struct CertificateStatus {
+    #[serde(rename = "ocspVals")]
+    pub ocsp_vals: Vec<ByteBuf>,
+}
+
+impl CertificateStatus {
+    /// Label prefix for a [`CertificateStatus`] assertion.
+    ///
+    /// See <https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#certificate_status_assertion>.
+    pub const LABEL: &'static str = labels::CERTIFICATE_STATUS;
+
+    pub fn new(ocsp_vals: Vec<Vec<u8>>) -> Self {
+        let mut cs = CertificateStatus {
+            ocsp_vals: Vec::new(),
+        };
+        for oscp_val in ocsp_vals {
+            cs.ocsp_vals.push(ByteBuf::from(oscp_val));
+        }
+        cs
+    }
+
+    pub fn add_ocsp_vals(mut self, ocsp_vals: Vec<Vec<u8>>) -> Self {
+        for ocsp_val in ocsp_vals {
+            self.ocsp_vals.push(ByteBuf::from(ocsp_val));
+        }
+        self
+    }
+}
+
+impl AsRef<Vec<ByteBuf>> for CertificateStatus {
+    fn as_ref(&self) -> &Vec<ByteBuf> {
+        &self.ocsp_vals
+    }
+}
+
+impl AssertionCbor for CertificateStatus {}
+
+impl AssertionBase for CertificateStatus {
+    const LABEL: &'static str = Self::LABEL;
+
+    fn to_assertion(&self) -> Result<Assertion> {
+        Self::to_cbor_assertion(self)
+    }
+
+    fn from_assertion(assertion: &Assertion) -> Result<Self> {
+        Self::from_cbor_assertion(assertion)
+    }
+}
+
+#[cfg(test)]
+pub mod tests {
+    #![allow(clippy::expect_used)]
+    #![allow(clippy::unwrap_used)]
+
+    use crate::{assertion::AssertionBase, assertions::CertificateStatus};
+
+    #[test]
+    fn assertions_certificate_status() {
+        let original = CertificateStatus::new(vec!["ocsp_val".into()]);
+
+        assert_eq!(original.ocsp_vals.len(), 1);
+
+        let assertion = original.to_assertion().unwrap();
+        assert_eq!(assertion.mime_type(), "application/cbor");
+        assert_eq!(assertion.label(), CertificateStatus::LABEL);
+
+        let result = CertificateStatus::from_assertion(&assertion).unwrap();
+        assert_eq!(result, original)
+    }
+
+    #[test]
+    fn test_json_round_trip() {
+        let json = serde_json::json!({
+          "ocspVals" : [
+            "...",
+            "..."
+          ]
+        });
+
+        let original: CertificateStatus = serde_json::from_value(json).unwrap();
+        let assertion = original.to_assertion().unwrap();
+        let result = CertificateStatus::from_assertion(&assertion).unwrap();
+
+        assert_eq!(result, original);
+    }
+}

sdk/src/assertions/labels.rs

@@ -179,6 +179,11 @@ pub const CREATIVE_WORK: &str = "stds.schema-org.CreativeWork";
 /// See <https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#timestamp_assertion>.
 pub const TIMESTAMP: &str = "c2pa.time-stamp";
 
+/// Label prefix for a certificate status assertion.
+///
+/// See <https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#certificate_status_assertion>.
+pub const CERTIFICATE_STATUS: &str = "c2pa.certificate-status";
+
 // Assertion store label
 pub(crate) const ASSERTION_STORE: &str = "c2pa.assertions";
 

sdk/src/assertions/mod.rs

@@ -34,6 +34,9 @@ pub use box_hash::{BoxHash, BoxMap, C2PA_BOXHASH};
 mod data_hash;
 pub use data_hash::DataHash;
 
+mod certificate_status;
+pub(crate) use certificate_status::CertificateStatus;
+
 mod creative_work;
 #[allow(deprecated)]
 pub use creative_work::CreativeWork;

sdk/src/claim.rs

@@ -40,11 +40,17 @@ use crate::{
     },
     asset_io::CAIRead,
     cbor_types::{map_cbor_to_type, value_cbor_to_type},
-    cose_validator::{get_signing_info, get_signing_info_async, verify_cose, verify_cose_async},
+    cose_validator::{
+        get_signing_cert_serial_num, get_signing_info, get_signing_info_async, verify_cose,
+        verify_cose_async,
+    },
     crypto::{
         asn1::rfc3161::TstInfo,
         base64,
-        cose::{parse_cose_sign1, CertificateInfo, CertificateTrustPolicy, OcspFetchPolicy},
+        cose::{
+            get_ocsp_der, parse_cose_sign1, CertificateInfo, CertificateTrustPolicy,
+            OcspFetchPolicy,
+        },
         ocsp::OcspResponse,
     },
     error::{Error, Result},
@@ -1844,12 +1850,14 @@ impl Claim {
         }
 
         let sign1 = parse_cose_sign1(&sig, &data, validation_log)?;
+        let certificate_serial_num = get_signing_cert_serial_num(&sign1)?.to_string();
 
         // check certificate revocation
         check_ocsp_status(
             &sign1,
             &data,
             ctp,
+            svi.certificate_statuses.get(&certificate_serial_num),
             svi.timestamps.get(claim.label()),
             validation_log,
         )?;
@@ -1921,11 +1929,13 @@ impl Claim {
 
         let sign1 = parse_cose_sign1(sig, data, validation_log)?;
 
+        let certificate_serial_num = get_signing_cert_serial_num(&sign1)?.to_string();
         // check certificate revocation
         check_ocsp_status(
             &sign1,
             data,
             ctp,
+            svi.certificate_statuses.get(&certificate_serial_num),
             svi.timestamps.get(claim.label()),
             validation_log,
         )?;
@@ -3340,6 +3350,14 @@ impl Claim {
         self.assertions_by_type(&dummy_timestamp, None)
     }
 
+    /// Returns list of certificate status assertions.
+    pub fn certificate_status_assertions(&self) -> Vec<&ClaimAssertion> {
+        let dummy_data = AssertionData::Cbor(Vec::new());
+        let dummy_certificate_status =
+            Assertion::new(assertions::labels::CERTIFICATE_STATUS, None, dummy_data);
+        self.assertions_by_type(&dummy_certificate_status, None)
+    }
+
     /// Return list of action assertions.
     /// Created assertions have higher priority than gathered assertions
     pub fn action_assertions(&self) -> Vec<&ClaimAssertion> {
@@ -3907,14 +3925,36 @@ impl Claim {
             uri
         }
     }
-}
 
+    /// Checks whether or not ocsp values are present in claim
+    pub fn has_ocsp_vals(&self) -> bool {
+        if !self.certificate_status_assertions().is_empty() {
+            return false;
+        }
+
+        let data = match self.data() {
+            Ok(data) => data,
+            Err(_) => return false,
+        };
+
+        let sig = self.signature_val().clone();
+        let mut validation_log = StatusTracker::default();
+
+        let sign1 = match parse_cose_sign1(&sig, &data, &mut validation_log) {
+            Ok(sign1) => sign1,
+            Err(_) => return false,
+        };
+
+        get_ocsp_der(&sign1).is_some()
+    }
+}
 #[allow(dead_code)]
 #[async_generic]
 pub(crate) fn check_ocsp_status(
     sign1: &coset::CoseSign1,
     data: &[u8],
     ctp: &CertificateTrustPolicy,
+    ocsp_responses: Option<&Vec<Vec<u8>>>,
     tst_info: Option<&TstInfo>,
     validation_log: &mut StatusTracker,
 ) -> Result<OcspResponse> {
@@ -3931,6 +3971,7 @@ pub(crate) fn check_ocsp_status(
             data,
             fetch_policy,
             ctp,
+            ocsp_responses,
             tst_info,
             validation_log,
         )?)
@@ -3940,6 +3981,7 @@ pub(crate) fn check_ocsp_status(
             data,
             fetch_policy,
             ctp,
+            ocsp_responses,
             tst_info,
             validation_log,
         )

sdk/src/cose_validator.rs

@@ -14,6 +14,7 @@
 use std::{borrow::Cow, io::Write};
 
 use async_generic::async_generic;
+use coset::CoseSign1;
 use x509_parser::{num_bigint::BigUint, prelude::*};
 
 use crate::{
@@ -165,6 +166,14 @@ fn extract_serial_from_cert(cert: &X509Certificate) -> BigUint {
     cert.serial.clone()
 }
 
+/// Returns the unique serial number from the provided CoseSign1
+pub(crate) fn get_signing_cert_serial_num(sign1: &CoseSign1) -> Result<BigUint> {
+    let der_bytes = get_sign_cert(sign1)?;
+    let (_rem, signcert) =
+        X509Certificate::from_der(&der_bytes).map_err(|_| Error::CoseInvalidCert)?;
+    Ok(extract_serial_from_cert(&signcert))
+}
+
 #[allow(unused_variables)]
 #[async_generic]
 pub(crate) fn get_signing_info(

sdk/src/crypto/cose/mod.rs

@@ -32,7 +32,8 @@ mod error;
 pub use error::CoseError;
 
 mod ocsp;
-pub use ocsp::{check_ocsp_status, check_ocsp_status_async, OcspFetchPolicy};
+pub(crate) use ocsp::fetch_and_check_ocsp_response;
+pub use ocsp::{check_ocsp_status, check_ocsp_status_async, get_ocsp_der, OcspFetchPolicy};
 
 mod sign;
 pub use sign::{sign, sign_async, sign_v2_embedded, sign_v2_embedded_async, CosePayload};