Refactor signature object to add support for repository countersignatures #2006
Conversation
PatoBeltran
requested review from
rohit21agrawal,
nkolev92,
emgarten,
zhili1208,
mishra14,
dtivel and
jainaashish
|
Had an offline discussion with @PatoBeltran. We should consider the following approach - Or if we want to keep the implementation simple then - |
| @@ -364,6 +364,11 @@ public enum NuGetLogCode | |||
| /// </summary> | |||
| NU3029 = 3029, | |||
|
|
|||
| /// <summary> | |||
| /// The package signature cointains multiple repository countersignatures. | |||
| { | ||
| throw new NotSupportedException(); | ||
| } | ||
|
|
||
| private Task<Signature> TimestampSignature(SignPackageRequest request, ILogger logger, Signature signature, CancellationToken token) | ||
| private Task<PrimarySignature> TimestampPrimarySignature(SignPackageRequest request, ILogger logger, PrimarySignature signature, CancellationToken token) |
There was a problem hiding this comment.
TimestampPrimarySignatureAsync
| } | ||
|
|
||
| private Task<Signature> TimestampSignature(SignPackageRequest request, ILogger logger, Signature signature, CancellationToken token) | ||
| private Task<PrimarySignature> TimestampPrimarySignature(SignPackageRequest request, ILogger logger, PrimarySignature signature, CancellationToken token) |
There was a problem hiding this comment.
TimestampPrimarySignatureAsync
|
|
||
| namespace NuGet.Packaging.Signing | ||
| { | ||
| public class AuthorPrimarySignature : PrimarySignature |
|
|
||
| namespace NuGet.Packaging.Signing | ||
| { | ||
| public class RepositoryPrimarySignature : PrimarySignature, IRepositorySignature |
| potentialNuGetV3ServiceIndexUrl = AttributeUtility.GetNuGetV3ServiceIndexUrl(counterSignature.SignedAttributes); | ||
| } | ||
| // This counter signature is not a valid repository countersignature | ||
| catch (SignatureException) { } |
There was a problem hiding this comment.
After you determine it's a repository countersignature, do not catch this exception. Let the exception bubble up to indicate it's an invalid repository countersignature.
| throw new SignatureException(NuGetLogCode.NU3030, Strings.Error_NotOneRepositoryCounterSignature); | ||
| } | ||
|
|
||
| var respoSignature = repositoryCounterSignatures.FirstOrDefault(); |
| public static RepositoryCounterSignature GetRepositoryCounterSignature(PrimarySignature primarySignature) | ||
| { | ||
| var counterSignatures = primarySignature.SignerInfo.CounterSignerInfos; | ||
| var repositoryCounterSignatures = new List<SignerInfo>(); |
There was a problem hiding this comment.
You don't need a list.
Create a local:
RepositoryCounterSignature repositoryCountersignature = null;
When examining countersignatures, assign this local only if null; otherwise throw.
|
|
||
| namespace NuGet.Packaging.Signing | ||
| { | ||
| public class UnknownPrimarySignature : PrimarySignature |
| VerifySigningTimeAttribute(SignerInfo); | ||
| } | ||
|
|
||
| private static void VerifySigningTimeAttribute(SignerInfo signerInfo) |
There was a problem hiding this comment.
This verification applies to author signatures, repository signatures and repository countersignatures.
PatoBeltran
force-pushed
the
dev-patobeltran-signing-repo-first
branch
from
8334989
to
5b0840c
Compare
| @@ -28,7 +28,7 @@ public static class CertificateUtility | |||
| public static string X509Certificate2ToString(X509Certificate2 cert, HashAlgorithmName fingerprintAlgorithm) | |||
| { | |||
| var certStringBuilder = new StringBuilder(); | |||
| X509Certificate2ToString(cert, certStringBuilder, fingerprintAlgorithm, indentation: ""); | |||
| X509Certificate2ToString(cert, certStringBuilder, fingerprintAlgorithm, indentation: " "); | |||
There was a problem hiding this comment.
I added indentation to all certs to match the output from signtool, see example in NuGet/Home#6005 (comment)
| string.Join(", ", chainStatusList.Select(x => x.Status.ToString()))))); | ||
| } | ||
| } | ||
| signatureIssues.AddRange(timestampIssues); |
There was a problem hiding this comment.
This is to display first the details of the signature and afterwards for its timestamp (if present). This matches signtool and makes more sense to display first the signature. (example output of signtool NuGet/Home#6005 (comment))
| NU3032 = 3032, | ||
|
|
||
| /// <summary> | ||
| /// A repository primary signature should not have a repository countersignatures. |
There was a problem hiding this comment.
A repository primary signature must not have a repository countersignature.
| { | ||
| } | ||
|
|
||
| internal override SignatureVerificationStatus Verify( |
There was a problem hiding this comment.
Can't we just pass a settings object instead of a bunch of flags? It's easier to maintain over time.
| internal override SignatureVerificationStatus Verify( | ||
| Timestamp timestamp, | ||
| bool allowUntrusted, | ||
| bool allowUntrustedSelfSignedCertificate, |
There was a problem hiding this comment.
| #if IS_DESKTOP | ||
| Uri NuGetV3ServiceIndexUrl { get; } | ||
|
|
||
| IReadOnlyList<string> NuGetPackageOwners { get; } |
| public interface IRepositorySignature | ||
| { | ||
| #if IS_DESKTOP | ||
| Uri NuGetV3ServiceIndexUrl { get; } |
| ThrowForInvalidRepositoryCounterSignature(); | ||
| } | ||
|
|
||
| private static void ThrowForInvalidRepositoryCounterSignature() |
There was a problem hiding this comment.
You don't need this method. Just move the method body into ThrowForInvalidSignature().
| X509Certificate2Collection certificateExtraStore, | ||
| List<SignatureLog> issues) | ||
| { | ||
| issues?.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.SignatureType, Type.ToString()))); |
There was a problem hiding this comment.
Why allow issues to be null here and in other files?
There was a problem hiding this comment.
I though it was a good idea to allow in the case you want to have the verification but don't care about logs, because even if there are no issues the same validation will be performed and you would get the same result. Do you think we should enforce the existence of issues?
| @@ -29,7 +29,7 @@ public SignatureTests(CertificatesFixture fixture) | |||
| public void Load_WhenDataNull_Throws() | |||
| { | |||
| var exception = Assert.Throws<ArgumentNullException>( | |||
| () => Signature.Load(data: null)); | |||
| () => PrimarySignature.Load(data: null)); | |||
There was a problem hiding this comment.
Rename file to PrimarySignatureTests.
| @@ -80,25 +80,25 @@ public void GetPrimarySignatureCertificates_WithAuthorSignature_ReturnsCertifica | |||
| public void GetPrimarySignatureTimestampSignatureCertificates_WhenSignatureNull_Throws() | |||
| { | |||
| var exception = Assert.Throws<ArgumentNullException>( | |||
| () => SignatureUtility.GetPrimarySignatureTimestampSignatureCertificates(signature: null)); | |||
| () => SignatureUtility.GetPrimarySignatureTimestampCertificates(signature: null)); | |||
There was a problem hiding this comment.
This test (and others) were testing the method GetPrimarySignatureTimestampSignatureCertificates(...). The method name begins with the name of the member under test. Since you renamed the name of the member under test, update the test name too. This feedback applies globally.
<MemberName>_<TestCondition>_<ExpectedResult>
| ThrowForInvalidPrimarySignature(); | ||
| } | ||
|
|
||
| protected static void ThrowForInvalidPrimarySignature() |
There was a problem hiding this comment.
Not sure this method is needed. Just move the body into ThrowForInvalidSignature().
There was a problem hiding this comment.
I decided to have this method not as part of ThrowForInvalidSignature() because it is usefull as a static method in some of the static methods in this class, and because ThrowForInvalidSignature() is an abstract method it cannot be static. Therefore I decided to have another method that is static with the desired implementation and just let ThrowForInvalidSignature() call this method.
PatoBeltran
force-pushed
the
dev-patobeltran-signing-repo-first
branch
from
cb14d1f
to
8105baf
Compare
| /// <summary> | ||
| /// A SignedCms object holding the signature and SignerInfo. | ||
| /// </summary> | ||
| public SignedCms SignedCms { get; } |
There was a problem hiding this comment.
This can be moved into Signature, since all signatures need to atleast be a SignedCms
There was a problem hiding this comment.
Countersignatures are represented as SignerInfo, so they don't have their own SignedCms only Primary signatures will have it, that's why I choose to leave it in this class. If we see the need for the primary signature's SignedCms in the countersignature we should consider moving it, but in the mean time I think it should stay here.
First part of NuGet/Home#6276
This work is being done in multiple PRs to avoid having one huge and difficult PR to review.
This PR refactors the current signature object to be able to have repository primary signatures, repository counter signatures in addition to the current author primary signatures.