Persist signature and timestamp entities (#313)

Fix test Zip64 package so it's readable by the gallery upload flow
Block end certificates that are used for both timestamping and signing
Complete NuGet/NuGetGallery#5327
Progress on NuGet/Engineering#785

Author: joelverhagen

src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj

@@ -131,25 +131,25 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Contracts">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.KeyVault">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Logging">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.ServiceBus">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation.Issues">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Versioning">
       <Version>4.3.0</Version>

src/Validation.Callback.Vcs/Web.config

@@ -70,7 +70,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="NuGet.Services.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.10.0.0" newVersion="2.10.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-2.12.0.0" newVersion="2.12.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />

src/Validation.Common/Validation.Common.csproj

@@ -105,11 +105,11 @@
     <Reference Include="NuGet.ApplicationInsights.Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\packages\NuGet.ApplicationInsights.Owin.4.1.0\lib\net452\NuGet.ApplicationInsights.Owin.dll</HintPath>
     </Reference>
-    <Reference Include="NuGet.Services.KeyVault, Version=2.10.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\packages\NuGet.Services.KeyVault.2.10.0\lib\net45\NuGet.Services.KeyVault.dll</HintPath>
+    <Reference Include="NuGet.Services.KeyVault, Version=2.12.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\NuGet.Services.KeyVault.2.12.0\lib\net45\NuGet.Services.KeyVault.dll</HintPath>
     </Reference>
-    <Reference Include="NuGet.Services.Logging, Version=2.10.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\packages\NuGet.Services.Logging.2.10.0\lib\net452\NuGet.Services.Logging.dll</HintPath>
+    <Reference Include="NuGet.Services.Logging, Version=2.12.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\NuGet.Services.Logging.2.12.0\lib\net452\NuGet.Services.Logging.dll</HintPath>
     </Reference>
     <Reference Include="NuGet.Services.VirusScanning.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\packages\NuGet.Services.VirusScanning.Vcs.3.2.0\lib\net452\NuGet.Services.VirusScanning.Core.dll</HintPath>

src/Validation.Common/app.config

@@ -4,7 +4,7 @@
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
         <assemblyIdentity name="NuGet.Services.Logging" publicKeyToken="31BF3856AD364E35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.10.0.0" newVersion="2.10.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-2.12.0.0" newVersion="2.12.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
@@ -40,7 +40,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="NuGet.Services.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.10.0.0" newVersion="2.10.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-2.12.0.0" newVersion="2.12.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />

src/Validation.Common/packages.config

@@ -22,8 +22,8 @@
   <package id="Microsoft.WindowsAzure.ConfigurationManager" version="3.2.1" targetFramework="net452" />
   <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net452" />
   <package id="NuGet.ApplicationInsights.Owin" version="4.1.0" targetFramework="net452" />
-  <package id="NuGet.Services.KeyVault" version="2.10.0" targetFramework="net452" />
-  <package id="NuGet.Services.Logging" version="2.10.0" targetFramework="net452" />
+  <package id="NuGet.Services.KeyVault" version="2.12.0" targetFramework="net452" />
+  <package id="NuGet.Services.Logging" version="2.12.0" targetFramework="net452" />
   <package id="NuGet.Services.VirusScanning.Vcs" version="3.2.0" targetFramework="net452" />
   <package id="Owin" version="1.0" targetFramework="net452" />
   <package id="Serilog" version="2.0.0" targetFramework="net452" />

src/Validation.PackageSigning.Core/Validation.PackageSigning.Core.csproj

@@ -39,13 +39,13 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="NuGet.Services.ServiceBus">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Storage">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation">
-      <Version>2.10.0</Version>
+      <Version>2.12.0</Version>
     </PackageReference>
     <PackageReference Include="WindowsAzure.Storage">
       <Version>7.1.2</Version>

src/Validation.PackageSigning.ExtractAndValidateSignature/ISignaturePartsExtractor.cs

@@ -17,8 +17,9 @@ public interface ISignaturePartsExtractor
         /// Extracts and persists artifacts from the provided signed package.
         /// </summary>
         /// <exception cref="ArgumentException">Thrown if the provided package is not signed.</exception>
+        /// <param name="packageKey">The key of the package in the gallery database.</param>
         /// <param name="signedPackageReader">The reader of the signed package.</param>
         /// <param name="token">The cancellation token.</param>
-        Task ExtractAsync(ISignedPackageReader signedPackageReader, CancellationToken token);
+        Task ExtractAsync(int packageKey, ISignedPackageReader signedPackageReader, CancellationToken token);
     }
 }

src/Validation.PackageSigning.ExtractAndValidateSignature/SignaturePartsExtractor.cs

@@ -7,6 +7,7 @@
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
 using NuGet.Jobs.Validation.PackageSigning.Storage;
 using NuGet.Packaging.Signing;
 using NuGet.Services.Validation;
@@ -17,16 +18,19 @@ public class SignaturePartsExtractor : ISignaturePartsExtractor
     {
         private readonly ICertificateStore _certificateStore;
         private readonly IValidationEntitiesContext _entitiesContext;
+        private readonly ILogger<SignaturePartsExtractor> _logger;
 
         public SignaturePartsExtractor(
             ICertificateStore certificateStore,
-            IValidationEntitiesContext entitiesContext)
+            IValidationEntitiesContext entitiesContext,
+            ILogger<SignaturePartsExtractor> logger)
         {
             _certificateStore = certificateStore ?? throw new ArgumentNullException(nameof(certificateStore));
             _entitiesContext = entitiesContext ?? throw new ArgumentNullException(nameof(entitiesContext));
+            _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         }
 
-        public async Task ExtractAsync(ISignedPackageReader signedPackageReader, CancellationToken token)
+        public async Task ExtractAsync(int packageKey, ISignedPackageReader signedPackageReader, CancellationToken token)
         {
             if (!await signedPackageReader.IsSignedAsync(token))
             {
@@ -39,11 +43,14 @@ public async Task ExtractAsync(ISignedPackageReader signedPackageReader, Cancell
             // Extract the certificates found in the package signatures.
             var extractedCertificates = ExtractCertificates(signature);
 
+            // Prepare signature entities for the database (does not commit).
+            await SaveSignatureToDatabaseAsync(packageKey, signature, extractedCertificates);
+
             // Save the certificates to blob storage.
             await SaveCertificatesToStoreAsync(extractedCertificates, token);
 
-            // Save the certificates to the database.
-            await SaveCertificatesToDatabaseAsync(extractedCertificates);
+            // Commit the database changes.
+            await _entitiesContext.SaveChangesAsync();
         }
 
         private ExtractedCertificates ExtractCertificates(Signature signature)
@@ -90,14 +97,14 @@ private ExtractedCertificates ExtractCertificates(Signature signature)
                 timestampParentCertificates);
         }
 
-        private async Task SaveCertificatesToDatabaseAsync(ExtractedCertificates extractedCertificates)
+        private async Task SaveSignatureToDatabaseAsync(int packageKey, Signature signature, ExtractedCertificates extractedCertificates)
         {
             // Initialize the end and parent certificates.
             var thumbprintToEndCertificate = await InitializeEndCertificatesAsync(
                 new[]
                 {
-                    extractedCertificates.SignatureEndCertificate,
-                    extractedCertificates.TimestampEndCertificate
+                    new CertificateAndUse(extractedCertificates.SignatureEndCertificate, EndCertificateUse.CodeSigning),
+                    new CertificateAndUse(extractedCertificates.TimestampEndCertificate, EndCertificateUse.Timestamping),
                 });
 
             var thumbprintToParentCertificate = await InitializeParentCertificatesAsync(
@@ -118,8 +125,140 @@ private async Task SaveCertificatesToDatabaseAsync(ExtractedCertificates extract
                 thumbprintToEndCertificate,
                 thumbprintToParentCertificate);
 
-            // Commit
-            await _entitiesContext.SaveChangesAsync();
+            // Initialize the package signature record.
+            var packageSignature = await InitializePackageSignatureAsync(
+                packageKey,
+                extractedCertificates.SignatureEndCertificate,
+                thumbprintToEndCertificate);
+
+            // Initialize the trusted timestamp record.
+            InitializeTrustedTimestamp(
+                packageSignature,
+                signature,
+                extractedCertificates.TimestampEndCertificate,
+                thumbprintToEndCertificate);
+        }
+
+        public async Task<PackageSignature> InitializePackageSignatureAsync(
+            int packageKey,
+            HashedCertificate signatureEndCertificate,
+            IReadOnlyDictionary<string, EndCertificate> thumbprintToEndCertificate)
+        {
+            var packageSignatures = await _entitiesContext
+                .PackageSignatures
+                .Include(x => x.TrustedTimestamps)
+                .Include(x => x.EndCertificate)
+                .Where(x => x.PackageKey == packageKey)
+                .ToListAsync();
+
+            if (packageSignatures.Count > 1)
+            {
+                _logger.LogError(
+                    "There are {Count} package signatures for package key {PackageKey}. There should be either zero or one.",
+                    packageSignatures.Count,
+                    packageKey);
+
+                throw new InvalidOperationException("There should never be more than one package signature per package.");
+            }
+
+            PackageSignature packageSignature;
+            if (packageSignatures.Count == 0)
+            {
+                packageSignature = new PackageSignature
+                {
+                    CreatedAt = DateTime.UtcNow,
+                    EndCertificate = thumbprintToEndCertificate[signatureEndCertificate.Thumbprint],
+                    PackageKey = packageKey,
+                    Status = PackageSignatureStatus.Unknown,
+                    TrustedTimestamps = new List<TrustedTimestamp>(),
+                };
+                _entitiesContext.PackageSignatures.Add(packageSignature);
+
+                packageSignature.EndCertificateKey = packageSignature.EndCertificate.Key;
+            }
+            else
+            {
+                packageSignature = packageSignatures.Single();
+
+                if (packageSignature.EndCertificate.Thumbprint != signatureEndCertificate.Thumbprint)
+                {
+                    _logger.LogError(
+                        "The signature end certificate thumbprint cannot change for package {PackageKey}. The " +
+                        "existing signature end certificate is {ExistingThumbprint}. The new thumprint is " +
+                        "{NewThumbprint}.",
+                        packageKey,
+                        packageSignature.EndCertificate.Thumbprint,
+                        signatureEndCertificate.Thumbprint);
+
+                    throw new InvalidOperationException("The thumbprint of the signature end certificate cannot change.");
+                }
+            }
+
+            return packageSignature;
+        }
+
+        private void InitializeTrustedTimestamp(
+            PackageSignature packageSignature,
+            Signature signature,
+            HashedCertificate timestampEndCertificate,
+            IReadOnlyDictionary<string, EndCertificate> thumbprintToEndCertificate)
+        {
+            if (packageSignature.TrustedTimestamps.Count > 1)
+            {
+                _logger.LogError(
+                    "There are {Count} trusted timestamps for signature on package {PackageKey}. There should be either zero or one.",
+                    packageSignature.TrustedTimestamps.Count,
+                    packageSignature.PackageKey);
+
+                throw new InvalidOperationException("There should never be more than one trusted timestamp per package signature.");
+            }
+
+            // Determine the value of the timestamp.
+            var value = signature.Timestamps.Single().UpperLimit.UtcDateTime;
+
+            TrustedTimestamp trustedTimestamp;
+            if (packageSignature.TrustedTimestamps.Count == 0)
+            {
+                trustedTimestamp = new TrustedTimestamp
+                {
+                    PackageSignature = packageSignature,
+                    PackageSignatureKey = packageSignature.Key,
+                    EndCertificate = thumbprintToEndCertificate[timestampEndCertificate.Thumbprint],
+                    Value = value,
+                };
+                trustedTimestamp.EndCertificateKey = trustedTimestamp.EndCertificate.Key;
+                packageSignature.TrustedTimestamps.Add(trustedTimestamp);
+                _entitiesContext.TrustedTimestamps.Add(trustedTimestamp);
+            }
+            else
+            {
+                trustedTimestamp = packageSignature.TrustedTimestamps.Single();
+
+                if (trustedTimestamp.EndCertificate.Thumbprint != timestampEndCertificate.Thumbprint)
+                {
+                    _logger.LogError(
+                        "The timestamp end certificate thumbprint cannot change for package {PackageKey}. The " +
+                        "existing timestamp end certificate is {ExistingThumbprint}. The new thumprint is " +
+                        "{NewThumbprint}.",
+                        packageSignature.PackageKey,
+                        packageSignature.EndCertificate.Thumbprint,
+                        timestampEndCertificate.Thumbprint);
+
+                    throw new InvalidOperationException("The thumbprint of the timestamp end certificate cannot change.");
+                }
+
+                if (trustedTimestamp.Value != value)
+                {
+                    _logger.LogError(
+                        "The trusted timestamp value cannot change for package {PackageKey}. The existing timestamp " +
+                        "value is {ExistingValue}. The new value is {NewValue}.",
+                        packageSignature.PackageKey,
+                        trustedTimestamp.Value,
+                        value);
+
+                    throw new InvalidOperationException("The value of the trusted timestamp cannot change.");
+                }
+            }
         }
 
         private void ConnectCertificates(
@@ -160,10 +299,10 @@ private void ConnectCertificates(
         }
 
         private async Task<IReadOnlyDictionary<string, EndCertificate>> InitializeEndCertificatesAsync(
-            IEnumerable<HashedCertificate> certificates)
+            IEnumerable<CertificateAndUse> certificatesAndUses)
         {
-            var thumbprints = certificates
-                .Select(x => x.Thumbprint)
+            var thumbprints = certificatesAndUses
+                .Select(x => x.Certificate.Thumbprint)
                 .Distinct()
                 .ToList();
 
@@ -177,19 +316,30 @@ private async Task<IReadOnlyDictionary<string, EndCertificate>> InitializeEndCer
 
             var thumbprintToEntity = existingEntities.ToDictionary(x => x.Thumbprint);
 
-            foreach (var certificate in certificates)
+            foreach (var certificateAndUse in certificatesAndUses)
             {
-                if (!thumbprintToEntity.TryGetValue(certificate.Thumbprint, out var entity))
+                if (!thumbprintToEntity.TryGetValue(certificateAndUse.Certificate.Thumbprint, out var entity))
                 {
                     entity = new EndCertificate
                     {
                         Status = EndCertificateStatus.Unknown,
-                        Thumbprint = certificate.Thumbprint,
+                        Use = certificateAndUse.Use,
+                        Thumbprint = certificateAndUse.Certificate.Thumbprint,
                         CertificateChainLinks = new List<CertificateChainLink>(),
                     };
                     _entitiesContext.EndCertificates.Add(entity);
 
-                    thumbprintToEntity[certificate.Thumbprint] = entity;
+                    thumbprintToEntity[certificateAndUse.Certificate.Thumbprint] = entity;
+                }
+                else if (entity.Use != certificateAndUse.Use)
+                {
+                    _logger.LogError(
+                        "The use of end certificate {Thumbprint} cannot change. The existing use is {ExistingUse}. The new use is {NewUse}.",
+                        certificateAndUse.Certificate.Thumbprint,
+                        entity.Use,
+                        certificateAndUse.Use);
+
+                    throw new InvalidOperationException("The use of an end certificate cannot change.");
                 }
             }
 
@@ -256,5 +406,17 @@ private async Task SaveCertificateToStoreAsync(HashedCertificate certificate, Ca
 
             await _certificateStore.SaveAsync(certificate.Certificate, token);
         }
+
+        private class CertificateAndUse
+        {
+            public CertificateAndUse(HashedCertificate hashedCertificate, EndCertificateUse endCertificateUse)
+            {
+                Certificate = hashedCertificate;
+                Use = endCertificateUse;
+            }
+
+            public HashedCertificate Certificate { get; }
+            public EndCertificateUse Use { get; }
+        }
     }
 }