For valid signed packages, extract certificates and write them to the certificate store (#295)

Progress on NuGet/Engineering#785

Author: joelverhagen

src/Validation.PackageSigning.Core/Extensions/CryptographicAttributeObjectCollectionExtensions.cs

@@ -0,0 +1,31 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+
+namespace System.Security.Cryptography
+{
+    public static class CryptographicAttributeObjectCollectionExtensions
+    {
+        /// <summary>
+        /// Returns the first attribute if the Oid is found.
+        /// Returns null if the attribute is not found.
+        /// </summary>
+        public static CryptographicAttributeObject FirstOrDefault(this CryptographicAttributeObjectCollection attributes, string oid)
+        {
+            if (oid == null)
+            {
+                throw new ArgumentNullException(nameof(oid));
+            }
+
+            foreach (var attribute in attributes)
+            {
+                if (StringComparer.Ordinal.Equals(oid, attribute.Oid.Value))
+                {
+                    return attribute;
+                }
+            }
+
+            return null;
+        }
+    }
+}

src/Validation.PackageSigning.Core/Validation.PackageSigning.Core.csproj

@@ -35,6 +35,7 @@
     <Reference Include="System.Core" />
     <Reference Include="Microsoft.CSharp" />
     <Reference Include="System.Data" />
+    <Reference Include="System.Security" />
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="NuGet.Services.ServiceBus">
@@ -54,6 +55,7 @@
     <Compile Include="Configuration\CertificateStoreConfiguration.cs" />
     <Compile Include="Error.cs" />
     <Compile Include="ExceptionExtensions.cs" />
+    <Compile Include="Extensions\CryptographicAttributeObjectCollectionExtensions.cs" />
     <Compile Include="Extensions\X509Certificate2Extensions.cs" />
     <Compile Include="Storage\AddStatusResult.cs" />
     <Compile Include="Storage\CertificateStore.cs" />

src/Validation.PackageSigning.ExtractAndValidateSignature/Hash.cs

@@ -0,0 +1,68 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using NuGet.Common;
+
+namespace NuGet.Jobs.Validation.PackageSigning.ExtractAndValidateSignature
+{
+    /// <summary>
+    /// Represents a hash digest and the hash algorithm that produced it. This allows easy set comparisons of many
+    /// hashes with varying hash algorithms.
+    /// </summary>
+    public class Hash : IEquatable<Hash>
+    {
+        public Hash(HashAlgorithmName algorithmName, byte[] digest)
+        {
+            if (digest == null)
+            {
+                throw new ArgumentNullException(nameof(digest));
+            }
+
+            AlgorithmName = algorithmName;
+            HexDigest = BitConverter
+                .ToString(digest)
+                .Replace("-", string.Empty)
+                .ToLowerInvariant();
+        }
+
+        public HashAlgorithmName AlgorithmName { get; }
+        public string HexDigest { get; }
+
+        public override bool Equals(object obj)
+        {
+            return Equals(obj as Hash);
+        }
+
+        public bool Equals(Hash other)
+        {
+            if (other == null)
+            {
+                return false;
+            }
+
+            if (ReferenceEquals(this, other))
+            {
+                return true;
+            }
+
+            return AlgorithmName == other.AlgorithmName
+                && HexDigest == other.HexDigest;
+        }
+
+        /// <summary>
+        /// This method is auto-generated using Visual Studio.
+        /// </summary>
+        public override int GetHashCode()
+        {
+            unchecked
+            {
+                var hashCode = 696079939;
+                hashCode = hashCode * -1521134295 + AlgorithmName.GetHashCode();
+                hashCode = hashCode * -1521134295 + EqualityComparer<string>.Default.GetHashCode(HexDigest);
+                return hashCode;
+            }
+        }
+    }
+}

src/Validation.PackageSigning.ExtractAndValidateSignature/ISignaturePartsExtractor.cs

@@ -0,0 +1,24 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Threading;
+using System.Threading.Tasks;
+using NuGet.Packaging.Signing;
+
+namespace NuGet.Jobs.Validation.PackageSigning.ExtractAndValidateSignature
+{
+    /// <summary>
+    /// After a package's signature is validated, this interface extracts components of the signature and persists them
+    /// to be used by downstream systems.
+    /// </summary>
+    public interface ISignaturePartsExtractor
+    {
+        /// <summary>
+        /// Extracts and persists artifacts from the provided signed package.
+        /// </summary>
+        /// <exception cref="ArgumentException">Thrown if the provided package is not signed.</exception>
+        /// <param name="signedPackageReader">The reader of the signed package.</param>
+        /// <param name="token">The cancellation token.</param>
+        Task ExtractAsync(ISignedPackageReader signedPackageReader, CancellationToken token);
+    }
+}

src/Validation.PackageSigning.ExtractAndValidateSignature/Job.cs

@@ -184,6 +184,7 @@ private void ConfigureJobServices(IServiceCollection services, IConfigurationRoo
             services.AddTransient<IMessageHandler<SignatureValidationMessage>, SignatureValidationMessageHandler>();
             services.AddTransient<IPackageSigningStateService, PackageSigningStateService>();
             services.AddTransient<ISignatureValidator, SignatureValidator>();
+            services.AddTransient<ISignaturePartsExtractor, SignaturePartsExtractor>();
 
             services.AddSingleton(p =>
             {

src/Validation.PackageSigning.ExtractAndValidateSignature/SignaturePartsExtractor.cs

@@ -0,0 +1,104 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.Pkcs;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+using NuGet.Common;
+using NuGet.Jobs.Validation.PackageSigning.Storage;
+using NuGet.Packaging.Signing;
+
+namespace NuGet.Jobs.Validation.PackageSigning.ExtractAndValidateSignature
+{
+    public class SignaturePartsExtractor : ISignaturePartsExtractor
+    {
+        private readonly ICertificateStore _certificateStore;
+
+        public SignaturePartsExtractor(ICertificateStore certificateStore)
+        {
+            _certificateStore = certificateStore ?? throw new ArgumentNullException(nameof(certificateStore));
+        }
+
+        public async Task ExtractAsync(ISignedPackageReader signedPackageReader, CancellationToken token)
+        {
+            if (!await signedPackageReader.IsSignedAsync(token))
+            {
+                throw new ArgumentException("The provided package reader must refer to a signed package.", nameof(signedPackageReader));
+            }
+
+            var signatures = await signedPackageReader.GetSignaturesAsync(token);
+
+            foreach (var signature in signatures)
+            {
+                foreach (var certificate in GetCertificates(signature.SignedCms))
+                {
+                    await SaveCertificateAsync(certificate, token);
+                }
+
+                foreach (var timestamp in signature.Timestamps)
+                {
+                    // TODO: use the signing-certificate-v2 attribute to prune.
+                    foreach (var certificate in timestamp.SignedCms.Certificates)
+                    {
+                        await SaveCertificateAsync(certificate, token);
+                    }
+                }
+            }
+        }
+
+        private IEnumerable<X509Certificate2> GetCertificates(SignedCms signedCms)
+        {
+            // Use the signing-certificate-v2 attribute to prune the list of certificates.
+            var signingCertificateV2Attribute = signedCms
+                .SignerInfos[0]
+                .SignedAttributes
+                .FirstOrDefault(Oids.SigningCertificateV2);
+
+            if (signingCertificateV2Attribute == null)
+            {
+                throw new ArgumentException(
+                    $"The first element of {nameof(SignedCms.SignerInfos)} {nameof(SignedCms)} must have a signing certificate attribute.",
+                    nameof(signedCms));
+            }
+            
+            var signingCertificateHashes = new HashSet<Hash>(AttributeUtility
+                .GetESSCertIDv2Entries(signingCertificateV2Attribute)
+                .Select(pair => new Hash(pair.Key, pair.Value)));
+
+            // Try all of the candidate hash algorithms against the set of certificates found in the SignedCMS.
+            var algorithmsToTry = signingCertificateHashes
+                .Select(x => x.AlgorithmName)
+                .Distinct();
+            foreach (var algorithm in algorithmsToTry)
+            {
+                foreach (var certificate in signedCms.Certificates)
+                {
+                    var digest = CryptoHashUtility.ComputeHash(algorithm, certificate.RawData);
+                    var hash = new Hash(algorithm, digest);
+
+                    if (signingCertificateHashes.Contains(hash))
+                    {
+                        yield return certificate;
+                    }
+                }
+            }
+        }
+
+        private async Task SaveCertificateAsync(X509Certificate2 certificate, CancellationToken token)
+        {
+            var thumbprint = certificate.ComputeSHA256Thumbprint();
+
+            if (await _certificateStore.ExistsAsync(thumbprint, token))
+            {
+                return;
+            }
+
+            await _certificateStore.SaveAsync(certificate, token);
+        }
+    }
+}

src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs

@@ -4,7 +4,6 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
@@ -20,15 +19,18 @@ namespace NuGet.Jobs.Validation.PackageSigning.ExtractAndValidateSignature
     public class SignatureValidator : ISignatureValidator
     {
         private readonly IPackageSigningStateService _packageSigningStateService;
+        private readonly ISignaturePartsExtractor _signaturePartsExtractor;
         private readonly IEntityRepository<Certificate> _certificates;
         private readonly ILogger<SignatureValidator> _logger;
 
         public SignatureValidator(
             IPackageSigningStateService packageSigningStateService,
+            ISignaturePartsExtractor signaturePartsExtractor,
             IEntityRepository<Certificate> certificates,
             ILogger<SignatureValidator> logger)
         {
             _packageSigningStateService = packageSigningStateService ?? throw new ArgumentNullException(nameof(packageSigningStateService));
+            _signaturePartsExtractor = signaturePartsExtractor ?? throw new ArgumentNullException(nameof(signaturePartsExtractor));
             _certificates = certificates ?? throw new ArgumentNullException(nameof(certificates));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         }
@@ -108,8 +110,11 @@ private async Task HandleSignedPackageAsync(
                 message.ValidationId,
                 packageThumbprints);
 
+            // Extract all of the signature artifacts and persist them.
+            await _signaturePartsExtractor.ExtractAsync(signedPackageReader, cancellationToken);
+
+            // Mark this package as signed.
             await AcceptAsync(validation, message, PackageSigningStatus.Valid);
-            return;
         }
 
         private HashSet<string> GetThumbprints(IEnumerable<Signature> signatures)

src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj

@@ -40,7 +40,10 @@
     <Reference Include="System.Security" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="Hash.cs" />
+    <Compile Include="ISignaturePartsExtractor.cs" />
     <Compile Include="ISignatureValidator.cs" />
+    <Compile Include="SignaturePartsExtractor.cs" />
     <Compile Include="SignatureValidator.cs" />
     <Compile Include="Storage\PackageSigningStateService.cs" />
     <Compile Include="Storage\IPackageSigningStateService.cs" />
@@ -98,7 +101,7 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Packaging">
-      <Version>4.6.0-preview2-4709</Version>
+      <Version>4.6.0-preview3-4785</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
       <Version>2.7.0</Version>