Update gallery certificate info in ProcessSignature job (#497)

Progress on NuGet/NuGetGallery#6183

Author: joelverhagen

src/Validation.Common.Job/LoggerDiagnosticsSource.cs

@@ -91,7 +91,7 @@ private static IDictionary<string, string> GetProperties(
 
         public void Log<TState>(LogLevel logLevel, EventId eventId, TState state, Exception exception, Func<TState, Exception, string> formatter)
         {
-            _logger.Log<TState>(logLevel, eventId, state, exception, formatter);
+            _logger.Log(logLevel, eventId, state, exception, formatter);
         }
 
         public bool IsEnabled(LogLevel logLevel)
@@ -101,7 +101,7 @@ public bool IsEnabled(LogLevel logLevel)
 
         public IDisposable BeginScope<TState>(TState state)
         {
-            return _logger.BeginScope<TState>(state);
+            return _logger.BeginScope(state);
         }
 
         /// <summary>

src/Validation.Common.Job/Validation.Common.Job.csproj

@@ -115,7 +115,7 @@
       <Version>2.27.0</Version>
     </PackageReference>
     <PackageReference Include="NuGetGallery.Core">
-      <Version>4.4.5-dev-35743</Version>
+      <Version>4.4.5-dev-36354</Version>
     </PackageReference>
     <PackageReference Include="Serilog">
       <Version>2.5.0</Version>

src/Validation.Common.Job/Validation.Common.Job.nuspec

@@ -23,7 +23,7 @@
       <dependency id="NuGet.Services.Storage" version="2.27.0" />
       <dependency id="NuGet.Services.Validation" version="2.27.0" />
       <dependency id="NuGet.Services.Validation.Issues" version="2.27.0" />
-      <dependency id="NuGetGallery.Core" version="4.4.5-dev-35743" />
+      <dependency id="NuGetGallery.Core" version="4.4.5-dev-36354" />
       <dependency id="Serilog" version="2.5.0" />
       <dependency id="System.Net.Http" version="4.3.3" />
     </dependencies>

src/Validation.PackageSigning.ProcessSignature/ProcessSignatureConfiguration.cs

@@ -26,5 +26,14 @@ public class ProcessSignatureConfiguration
         /// is in test mode and repository signed packages are not published.
         /// </summary>
         public bool CommitRepositorySignatures { get; set; }
+
+        /// <summary>
+        /// The maximum length of a subject or issuer string to save to the gallery database. If a processed author
+        /// certificate has an issuer or subject distinguished name or
+        /// <see cref="System.Security.Cryptography.X509Certificates.X509NameType.SimpleName"/> that is longer than this
+        /// value, null is stored in the database. We use 4000 since this is the maximum length for many package fields,
+        /// such as description.
+        /// </summary>
+        public int MaxCertificateStringLength { get; set; } = 4000;
     }
 }

src/Validation.PackageSigning.ProcessSignature/SignaturePartsExtractor.cs

@@ -5,31 +5,36 @@
 using System.Collections.Generic;
 using System.Data.Entity;
 using System.Linq;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NuGet.Jobs.Validation.PackageSigning.Storage;
 using NuGet.Packaging.Signing;
 using NuGet.Services.Validation;
+using NuGetGallery;
 
 namespace NuGet.Jobs.Validation.PackageSigning.ProcessSignature
 {
     public class SignaturePartsExtractor : ISignaturePartsExtractor
     {
         private readonly ICertificateStore _certificateStore;
-        private readonly IValidationEntitiesContext _entitiesContext;
+        private readonly IValidationEntitiesContext _validationEntitiesContext;
+        private readonly IEntitiesContext _galleryEntitiesContext;
         private readonly IOptionsSnapshot<ProcessSignatureConfiguration> _configuration;
         private readonly ILogger<SignaturePartsExtractor> _logger;
 
         public SignaturePartsExtractor(
             ICertificateStore certificateStore,
-            IValidationEntitiesContext entitiesContext,
+            IValidationEntitiesContext validationEntitiesContext,
+            IEntitiesContext galleryEntitiesContext,
             IOptionsSnapshot<ProcessSignatureConfiguration> configuration,
             ILogger<SignaturePartsExtractor> logger)
         {
             _certificateStore = certificateStore ?? throw new ArgumentNullException(nameof(certificateStore));
-            _entitiesContext = entitiesContext ?? throw new ArgumentNullException(nameof(entitiesContext));
+            _validationEntitiesContext = validationEntitiesContext ?? throw new ArgumentNullException(nameof(validationEntitiesContext));
+            _galleryEntitiesContext = galleryEntitiesContext ?? throw new ArgumentNullException(nameof(galleryEntitiesContext));
             _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         }
@@ -53,8 +58,80 @@ public async Task ExtractAsync(int packageKey, PrimarySignature primarySignature
                 await SaveCertificatesToStoreAsync(context);
 
                 // Commit the database changes.
-                await _entitiesContext.SaveChangesAsync();
+                await _validationEntitiesContext.SaveChangesAsync();
+
+                // Update certificate information in the gallery.
+                await UpdateCertificateInformationAsync(context);
+            }
+        }
+
+        private async Task UpdateCertificateInformationAsync(Context context)
+        {
+            // Only operate on author signatures. Packages that only have a repository signature are not interesting
+            // for this purpose.
+            if (context.PrimarySignature.Type != SignatureType.Author)
+            {
+                return;
             }
+
+            var hashedCertificate = context
+                .Author
+                .Certificates
+                .SignatureEndCertificate;
+            var certificate = hashedCertificate.Certificate;
+            var thumbprint = hashedCertificate.Thumbprint;
+
+            // Fetch the certificate record from the gallery database using the SHA-256 thumbprint.
+            var certificateRecord = await _galleryEntitiesContext
+                .Certificates
+                .Where(c => c.Thumbprint == thumbprint)
+                .FirstOrDefaultAsync();            
+            if (certificateRecord == null)
+            {
+                _logger.LogWarning(
+                    "No certificate record was found in the gallery database for thumbprint {Thumbprint}.",
+                    thumbprint);
+                return;
+            }
+
+            // Do nothing if the certificate details are already populated.
+            var expiration = certificate.NotAfter.ToUniversalTime();
+            var subject = NoLongerThanOrNull(certificate.Subject);
+            var issuer = NoLongerThanOrNull(certificate.Issuer);
+            var shortSubject = NoLongerThanOrNull(certificate.GetNameInfo(X509NameType.SimpleName, forIssuer: false));
+            var shortIssuer = NoLongerThanOrNull(certificate.GetNameInfo(X509NameType.SimpleName, forIssuer: true));
+            if (certificateRecord.Expiration == expiration
+                && certificateRecord.Subject == subject
+                && certificateRecord.Issuer == issuer
+                && certificateRecord.ShortSubject == shortSubject
+                && certificateRecord.ShortIssuer == shortIssuer)
+            {
+                return;
+            }
+
+            // Save the certificate details to the gallery record.
+            certificateRecord.Expiration = expiration;
+            certificateRecord.Subject = subject;
+            certificateRecord.Issuer = issuer;
+            certificateRecord.ShortSubject = shortSubject;
+            certificateRecord.ShortIssuer = shortIssuer;
+
+            await _galleryEntitiesContext.SaveChangesAsync();
+
+            _logger.LogInformation(
+                "Gallery certificate information for certificate with thumbprint {Thumbprint} has been populated.",
+                thumbprint);
+        }
+
+        private string NoLongerThanOrNull(string input)
+        {
+            if (string.IsNullOrWhiteSpace(input) ||
+                input.Length > _configuration.Value.MaxCertificateStringLength)
+            {
+                return null;
+            }
+
+            return input;
         }
 
         private static void ExtractSignaturesAndCertificates(Context context)
@@ -260,7 +337,7 @@ private async Task<PackageSignature> InitializePackageSignatureAsync(
             IReadOnlyDictionary<string, EndCertificate> thumbprintToEndCertificate,
             bool replacePackageSignature)
         {
-            var packageSignatures = await _entitiesContext
+            var packageSignatures = await _validationEntitiesContext
                 .PackageSignatures
                 .Include(x => x.TrustedTimestamps)
                 .Include(x => x.EndCertificate)
@@ -309,10 +386,10 @@ private async Task<PackageSignature> InitializePackageSignatureAsync(
                         // explicit and to facilitate unit testing, we explicitly remove them.
                         foreach (var trustedTimestamp in packageSignature.TrustedTimestamps)
                         {
-                            _entitiesContext.TrustedTimestamps.Remove(trustedTimestamp);
+                            _validationEntitiesContext.TrustedTimestamps.Remove(trustedTimestamp);
                         }
 
-                        _entitiesContext.PackageSignatures.Remove(packageSignature);
+                        _validationEntitiesContext.PackageSignatures.Remove(packageSignature);
 
                         packageSignature = InitializePackageSignature(
                             packageKey,
@@ -356,7 +433,7 @@ private PackageSignature InitializePackageSignature(
             };
 
             packageSignature.EndCertificateKey = packageSignature.EndCertificate.Key;
-            _entitiesContext.PackageSignatures.Add(packageSignature);
+            _validationEntitiesContext.PackageSignatures.Add(packageSignature);
 
             return packageSignature;
         }
@@ -394,7 +471,7 @@ private void InitializeTrustedTimestamp(
                 };
                 trustedTimestamp.EndCertificateKey = trustedTimestamp.EndCertificate.Key;
                 packageSignature.TrustedTimestamps.Add(trustedTimestamp);
-                _entitiesContext.TrustedTimestamps.Add(trustedTimestamp);
+                _validationEntitiesContext.TrustedTimestamps.Add(trustedTimestamp);
             }
             else
             {
@@ -454,7 +531,7 @@ private void ConnectCertificates(
                         EndCertificate = endCertificateEntity,
                         ParentCertificate = parentCertificateEntity,
                     };
-                    _entitiesContext.CertificateChainLinks.Add(link);
+                    _validationEntitiesContext.CertificateChainLinks.Add(link);
                     endCertificateEntity.CertificateChainLinks.Add(link);
                     parentCertificateEntity.CertificateChainLinks.Add(link);
 
@@ -476,7 +553,7 @@ private async Task<IReadOnlyDictionary<string, EndCertificate>> InitializeEndCer
 
             // Find all of the end certificate entities that intersect with the set of certificates found in the
             // package that is currently being processed.
-            var existingEntities = await _entitiesContext
+            var existingEntities = await _validationEntitiesContext
                 .EndCertificates
                 .Include(x => x.CertificateChainLinks)
                 .Where(x => thumbprints.Contains(x.Thumbprint))
@@ -495,7 +572,7 @@ private async Task<IReadOnlyDictionary<string, EndCertificate>> InitializeEndCer
                         Thumbprint = certificateAndUse.Certificate.Thumbprint,
                         CertificateChainLinks = new List<CertificateChainLink>(),
                     };
-                    _entitiesContext.EndCertificates.Add(entity);
+                    _validationEntitiesContext.EndCertificates.Add(entity);
 
                     thumbprintToEntity[certificateAndUse.Certificate.Thumbprint] = entity;
                 }
@@ -524,7 +601,7 @@ private async Task<IReadOnlyDictionary<string, ParentCertificate>> InitializePar
 
             // Find all of the parent certificate entities that intersect with the set of certificates found in the
             // package that is currently being processed.
-            var existingEntities = await _entitiesContext
+            var existingEntities = await _validationEntitiesContext
                 .ParentCertificates
                 .Include(x => x.CertificateChainLinks)
                 .Where(x => thumbprints.Contains(x.Thumbprint))
@@ -541,7 +618,7 @@ private async Task<IReadOnlyDictionary<string, ParentCertificate>> InitializePar
                         Thumbprint = certificate.Thumbprint,
                         CertificateChainLinks = new List<CertificateChainLink>(),
                     };
-                    _entitiesContext.ParentCertificates.Add(entity);
+                    _validationEntitiesContext.ParentCertificates.Add(entity);
 
                     thumbprintToEntity[certificate.Thumbprint] = entity;
                 }