Reject signatures that are not version 1 and reject author and repository counter signatures (#308)

joelverhagen · joelverhagen · commit db681f976974 · 2018-01-18T17:11:00.000-08:00
Progress on NuGet/Engineering#785
diff --git a/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj b/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj
@@ -131,25 +131,25 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Contracts">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.KeyVault">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Logging">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.ServiceBus">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation.Issues">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Versioning">
       <Version>4.3.0</Version>
diff --git a/src/Validation.Callback.Vcs/Web.config b/src/Validation.Callback.Vcs/Web.config
@@ -70,7 +70,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="NuGet.Services.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.9.0.0" newVersion="2.9.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-2.10.0.0" newVersion="2.10.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
diff --git a/src/Validation.Common/Validation.Common.csproj b/src/Validation.Common/Validation.Common.csproj
@@ -105,11 +105,11 @@
     <Reference Include="NuGet.ApplicationInsights.Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\packages\NuGet.ApplicationInsights.Owin.4.1.0\lib\net452\NuGet.ApplicationInsights.Owin.dll</HintPath>
     </Reference>
-    <Reference Include="NuGet.Services.KeyVault, Version=2.9.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\packages\NuGet.Services.KeyVault.2.9.0\lib\net45\NuGet.Services.KeyVault.dll</HintPath>
+    <Reference Include="NuGet.Services.KeyVault, Version=2.10.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\NuGet.Services.KeyVault.2.10.0\lib\net45\NuGet.Services.KeyVault.dll</HintPath>
     </Reference>
-    <Reference Include="NuGet.Services.Logging, Version=2.9.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\packages\NuGet.Services.Logging.2.9.0\lib\net452\NuGet.Services.Logging.dll</HintPath>
+    <Reference Include="NuGet.Services.Logging, Version=2.10.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\NuGet.Services.Logging.2.10.0\lib\net452\NuGet.Services.Logging.dll</HintPath>
     </Reference>
     <Reference Include="NuGet.Services.VirusScanning.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\packages\NuGet.Services.VirusScanning.Vcs.3.2.0\lib\net452\NuGet.Services.VirusScanning.Core.dll</HintPath>
diff --git a/src/Validation.Common/app.config b/src/Validation.Common/app.config
@@ -4,7 +4,7 @@
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
         <assemblyIdentity name="NuGet.Services.Logging" publicKeyToken="31BF3856AD364E35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.9.0.0" newVersion="2.9.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-2.10.0.0" newVersion="2.10.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
@@ -40,7 +40,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="NuGet.Services.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.9.0.0" newVersion="2.9.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-2.10.0.0" newVersion="2.10.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
diff --git a/src/Validation.Common/packages.config b/src/Validation.Common/packages.config
@@ -22,8 +22,8 @@
   <package id="Microsoft.WindowsAzure.ConfigurationManager" version="3.2.1" targetFramework="net452" />
   <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net452" />
   <package id="NuGet.ApplicationInsights.Owin" version="4.1.0" targetFramework="net452" />
-  <package id="NuGet.Services.KeyVault" version="2.9.0" targetFramework="net452" />
-  <package id="NuGet.Services.Logging" version="2.9.0" targetFramework="net452" />
+  <package id="NuGet.Services.KeyVault" version="2.10.0" targetFramework="net452" />
+  <package id="NuGet.Services.Logging" version="2.10.0" targetFramework="net452" />
   <package id="NuGet.Services.VirusScanning.Vcs" version="3.2.0" targetFramework="net452" />
   <package id="Owin" version="1.0" targetFramework="net452" />
   <package id="Serilog" version="2.0.0" targetFramework="net452" />
diff --git a/src/Validation.PackageSigning.Core/Validation.PackageSigning.Core.csproj b/src/Validation.PackageSigning.Core/Validation.PackageSigning.Core.csproj
@@ -39,13 +39,13 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="NuGet.Services.ServiceBus">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Storage">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="WindowsAzure.Storage">
       <Version>7.1.2</Version>
diff --git a/src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs b/src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs
@@ -3,10 +3,13 @@
 
 using System;
 using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.Pkcs;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
+using NuGet.Common;
 using NuGet.Jobs.Validation.PackageSigning.Messages;
 using NuGet.Jobs.Validation.PackageSigning.Storage;
 using NuGet.Packaging.Signing;
@@ -80,81 +83,123 @@ private async Task<SignatureValidatorResult> HandleSignedPackageAsync(
             SignatureValidationMessage message,
             CancellationToken cancellationToken)
         {
-            // First, detect format errors with a minimal verification. This doesn't even check package integrity. The
-            // minimal verification is expected to swallow any sort of signature format exception.
-            var invalidFormatResult = await GetVerifyResult(
-                _minimalPackageSignatureVerifier,
-                packageKey,
-                signedPackageReader,
-                message,
-                cancellationToken);
-            if (invalidFormatResult != null)
+            try
             {
-                return invalidFormatResult;
-            }
+                // First, detect format errors with a minimal verification. This doesn't even check package integrity. The
+                // minimal verification is expected to swallow any sort of signature format exception.
+                var invalidFormatResult = await GetVerifyResult(
+                    _minimalPackageSignatureVerifier,
+                    packageKey,
+                    signedPackageReader,
+                    message,
+                    cancellationToken);
+                if (invalidFormatResult != null)
+                {
+                    return invalidFormatResult;
+                }
 
-            // We now know we can safely read the signature.
-            var packageSignature = await signedPackageReader.GetSignatureAsync(cancellationToken);
+                // We now know we can safely read the signature.
+                var packageSignature = await signedPackageReader.GetSignatureAsync(cancellationToken);
 
-            // Block packages with any unknown signing certificates.
-            var packageThumbprint = packageSignature
-                .SignerInfo
-                .Certificate
-                .ComputeSHA256Thumbprint();
-            var isKnownCertificate = _certificates
-                .GetAll()
-                .Where(c => packageThumbprint == c.Thumbprint)
-                .Any();
+                // Block packages with any unknown signing certificates.
+                var packageThumbprint = packageSignature
+                    .SignerInfo
+                    .Certificate
+                    .ComputeSHA256Thumbprint();
+                var isKnownCertificate = _certificates
+                    .GetAll()
+                    .Any(c => packageThumbprint == c.Thumbprint);
+                if (!isKnownCertificate)
+                {
+                    _logger.LogInformation(
+                        "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it has an unknown certificate thumbprint: {UnknownThumbprint}",
+                        message.PackageId,
+                        message.PackageVersion,
+                        message.ValidationId,
+                        packageThumbprint);
+
+                    return await RejectAsync(
+                        packageKey,
+                        message,
+                        ValidationIssue.PackageIsSigned);
+                }
+
+                // Only reject counter signatures that have the author or repository commitment type. Other types of
+                // counter signatures are not produced by the client but technically just fine.
+                var authorOrRepositoryCounterSignatureCount = packageSignature
+                    .SignerInfo
+                    .CounterSignerInfos
+                    .Cast<SignerInfo>()
+                    .Select(x => x.SignedAttributes.FirstOrDefault(Oids.CommitmentTypeIndication))
+                    .Where(x => x != null)
+                    .Select(x => AttributeUtility.GetCommitmentTypeIndication(x))
+                    .Count(x => x != SignatureType.Unknown);
+                if (authorOrRepositoryCounterSignatureCount > 0)
+                {
+                    _logger.LogInformation(
+                        "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it has {AuthorOrRepositorySignatureCount} invalid countersignatures.",
+                        message.PackageId,
+                        message.PackageVersion,
+                        message.ValidationId,
+                        authorOrRepositoryCounterSignatureCount);
+
+                    return await RejectAsync(
+                        packageKey,
+                        message,
+                        ValidationIssue.AuthorAndRepositoryCounterSignaturesNotSupported);
+                }
+
+                if (packageSignature.Type != SignatureType.Author)
+                {
+                    _logger.LogInformation(
+                        "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it is not author signed: {SignatureType}",
+                        message.PackageId,
+                        message.PackageVersion,
+                        message.ValidationId,
+                        packageSignature.Type);
+
+                    return await RejectAsync(
+                        packageKey,
+                        message,
+                        ValidationIssue.OnlyAuthorSignaturesSupported);
+                }
+
+                // Call the "verify" API, which does the main logic of signature validation.
+                var failureResult = await GetVerifyResult(
+                    _fullPackageSignatureVerifier,
+                    packageKey,
+                    signedPackageReader,
+                    message,
+                    cancellationToken);
+                if (failureResult != null)
+                {
+                    return failureResult;
+                }
 
-            if (!isKnownCertificate)
-            {
                 _logger.LogInformation(
-                    "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it has an unknown certificate thumbprint: {UnknownThumbprint}",
+                    "Signed package {PackageId} {PackageVersion} for validation {ValidationId} is valid with certificate thumbprint: {PackageThumbprint}",
                     message.PackageId,
                     message.PackageVersion,
                     message.ValidationId,
                     packageThumbprint);
-
-                return await RejectAsync(
-                    packageKey,
-                    message,
-                    ValidationIssue.PackageIsSigned);
             }
-
-            if (packageSignature.Type != SignatureType.Author)
+            catch (SignatureException ex)
             {
+                EventId eventId = 0;
                 _logger.LogInformation(
-                    "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it has a non-author signature: {SignatureType}",
+                    eventId,
+                    ex,
+                    "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} due to an exception during signature validation.",
                     message.PackageId,
                     message.PackageVersion,
-                    message.ValidationId,
-                    packageSignature.Type);
+                    message.ValidationId);
 
                 return await RejectAsync(
                     packageKey,
                     message,
-                    ValidationIssue.OnlyAuthorSignaturesSupported);
+                    new ClientSigningVerificationFailure(ex.Code.ToString(), ex.Message));
             }
 
-            // Call the "verify" API, which does the main logic of signature validation.
-            var failureResult = await GetVerifyResult(
-                _fullPackageSignatureVerifier,
-                packageKey,
-                signedPackageReader,
-                message,
-                cancellationToken);
-            if (failureResult != null)
-            {
-                return failureResult;
-            }
-
-            _logger.LogInformation(
-                "Signed package {PackageId} {PackageVersion} for validation {ValidationId} is valid with certificate thumbprint: {PackageThumbprint}",
-                message.PackageId,
-                message.PackageVersion,
-                message.ValidationId,
-                packageThumbprint);
-
             // Extract all of the signature artifacts and persist them.
             await _signaturePartsExtractor.ExtractAsync(signedPackageReader, cancellationToken);
 
@@ -196,12 +241,27 @@ private async Task<SignatureValidatorResult> GetVerifyResult(
                     errorsForLogs,
                     warningsForLogs);
 
+                // Treat the "signature format version" error specially. This is because the message provided by the
+                // client does not make sense in the server context.
+                IValidationIssue[] errorValidationIssues;
+                if (errorIssues.Any(x => x.Code == NuGetLogCode.NU3007))
+                {
+                    errorValidationIssues = new[]
+                    {
+                        ValidationIssue.OnlySignatureFormatVersion1Supported,
+                    };
+                }
+                else
+                {
+                    errorValidationIssues = errorIssues
+                        .Select(x => new ClientSigningVerificationFailure(x.Code.ToString(), x.Message))
+                        .ToArray();
+                }
+
                 return await RejectAsync(
                     packageKey,
                     message,
-                    errorIssues
-                        .Select(x => new ClientSigningVerificationFailure(x.Code.ToString(), x.Message))
-                        .ToArray());
+                    errorValidationIssues);
             }
 
             return null;
diff --git a/src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj b/src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj
@@ -109,22 +109,22 @@
       <Version>4.6.0-rtm-4822</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Contracts">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.KeyVault">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Logging">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.ServiceBus">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGetGallery.Core">
       <Version>4.4.4-dev-19677</Version>
diff --git a/src/Validation.PackageSigning.ValidateCertificate/Validation.PackageSigning.ValidateCertificate.csproj b/src/Validation.PackageSigning.ValidateCertificate/Validation.PackageSigning.ValidateCertificate.csproj
@@ -103,16 +103,16 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Contracts">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.KeyVault">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="System.Net.Http">
       <Version>4.3.3</Version>
diff --git a/src/Validation.Runner/App.config b/src/Validation.Runner/App.config
@@ -47,7 +47,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="NuGet.Services.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.9.0.0" newVersion="2.9.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-2.10.0.0" newVersion="2.10.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
diff --git a/tests/NuGet.Services.Validation.Orchestrator.Tests/NuGet.Services.Validation.Orchestrator.Tests.csproj b/tests/NuGet.Services.Validation.Orchestrator.Tests/NuGet.Services.Validation.Orchestrator.Tests.csproj
@@ -68,7 +68,7 @@
       <Version>4.5.23</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Validation.Issues">
-      <Version>2.9.0</Version>
+      <Version>2.10.0</Version>
     </PackageReference>
     <PackageReference Include="System.Net.Http">
       <Version>4.3.3</Version>
diff --git a/tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/SignatureValidatorIntegrationTests.cs b/tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/SignatureValidatorIntegrationTests.cs
