Implement ICertificateStore

Complete NuGet/Engineering#932

Author: joelverhagen

NuGet.Jobs.sln

@@ -103,6 +103,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.E
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.ExtractAndValidateSignature.Tests", "tests\Validation.PackageSigning.ExtractAndValidateSignature.Tests\Validation.PackageSigning.ExtractAndValidateSignature.Tests.csproj", "{26435822-8938-48C9-96FD-0DCCF8F7CE00}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.Core.Tests", "tests\Validation.PackageSigning.Core.Tests\Validation.PackageSigning.Core.Tests.csproj", "{B4B7564A-965B-447B-927F-6749E2C08880}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -259,6 +261,10 @@ Global
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B4B7564A-965B-447B-927F-6749E2C08880}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B4B7564A-965B-447B-927F-6749E2C08880}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B4B7564A-965B-447B-927F-6749E2C08880}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B4B7564A-965B-447B-927F-6749E2C08880}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -300,6 +306,7 @@ Global
 		{91C060DA-736F-4DA9-A57F-CB3AC0E6CB10} = {678D7B14-F8BC-4193-99AF-2EE8AA390A02}
 		{DD043977-6BCD-475A-BEE2-8C34309EC622} = {678D7B14-F8BC-4193-99AF-2EE8AA390A02}
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00} = {6A776396-02B1-475D-A104-26940ADB04AB}
+		{B4B7564A-965B-447B-927F-6749E2C08880} = {6A776396-02B1-475D-A104-26940ADB04AB}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {284A7AC3-FB43-4F1F-9C9C-2AF0E1F46C2B}

src/NuGet.Services.Validation.Orchestrator/IValidationStorageService.cs

@@ -35,7 +35,7 @@ public interface IValidationStorageService
         /// or <see cref="GetValidationSetAsync(Guid)"/> calls.</param>
         /// <param name="validationResult">Validation result. Its status cannot be <see cref="ValidationStatus.NotStarted"/></param>
         /// <returns>Task object tracking the async operation status.</returns>
-        /// <exception cref="ArgumentOutOfRangeException">If <paramref name="startedStatus"/> is <see cref="ValidationStatus.NotStarted"/></exception>
+        /// <exception cref="ArgumentOutOfRangeException">If <paramref name="validationResult"/> has status <see cref="ValidationStatus.NotStarted"/></exception>
         Task MarkValidationStartedAsync(PackageValidation packageValidation, IValidationResult validationResult);
 
         /// <summary>

src/Validation.Common/app.config

@@ -1,67 +1,74 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
-        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-9.0.0.0" newVersion="9.0.0.0" />
+        <assemblyIdentity name="NuGet.Services.Logging" publicKeyToken="31BF3856AD364E35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-2.7.0.0" newVersion="2.7.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Data.Edm" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-5.7.0.0" newVersion="5.7.0.0" />
+        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.0" newVersion="9.0.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Data.OData" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-5.7.0.0" newVersion="5.7.0.0" />
+        <assemblyIdentity name="Microsoft.Data.Edm" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-5.7.0.0" newVersion="5.7.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Data.Services.Client" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-5.7.0.0" newVersion="5.7.0.0" />
+        <assemblyIdentity name="Microsoft.Data.OData" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-5.7.0.0" newVersion="5.7.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Azure.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.0.0.0" newVersion="1.0.0.0" />
+        <assemblyIdentity name="Microsoft.Data.Services.Client" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-5.7.0.0" newVersion="5.7.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.IdentityModel.Clients.ActiveDirectory.Platform" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-3.13.5.907" newVersion="3.13.5.907" />
+        <assemblyIdentity name="Microsoft.Azure.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.0.0.0" newVersion="1.0.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.IdentityModel.Clients.ActiveDirectory" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-3.13.5.907" newVersion="3.13.5.907" />
+        <assemblyIdentity name="Microsoft.IdentityModel.Clients.ActiveDirectory.Platform" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-3.13.5.907" newVersion="3.13.5.907"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.2.0.0" newVersion="2.2.0.0" />
+        <assemblyIdentity name="Microsoft.IdentityModel.Clients.ActiveDirectory" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-3.13.5.907" newVersion="3.13.5.907"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="NuGet.Services.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-2.7.0.0" newVersion="2.7.0.0" />
+        <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-2.2.0.0" newVersion="2.2.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.1.2.0" newVersion="1.1.2.0" />
+        <assemblyIdentity name="NuGet.Services.KeyVault" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-2.7.0.0" newVersion="2.7.0.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Extensions.FileProviders.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.1.1.0" newVersion="1.1.1.0" />
+        <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.1.2.0" newVersion="1.1.2.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Extensions.Configuration.FileExtensions" publicKeyToken="adb9793829ddae60" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.1.2.0" newVersion="1.1.2.0" />
+        <assemblyIdentity name="Microsoft.Extensions.FileProviders.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.1.1.0" newVersion="1.1.1.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Extensions.FileProviders.Physical" publicKeyToken="adb9793829ddae60" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.1.1.0" newVersion="1.1.1.0" />
+        <assemblyIdentity name="Microsoft.Extensions.Configuration.FileExtensions" publicKeyToken="adb9793829ddae60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.1.2.0" newVersion="1.1.2.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Extensions.Configuration" publicKeyToken="adb9793829ddae60" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.1.2.0" newVersion="1.1.2.0" />
+        <assemblyIdentity name="Microsoft.Extensions.FileProviders.Physical" publicKeyToken="adb9793829ddae60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.1.1.0" newVersion="1.1.1.0"/>
       </dependentAssembly>
       <dependentAssembly>
-        <assemblyIdentity name="Microsoft.Extensions.DependencyInjection.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.0.0.0" newVersion="1.0.0.0" />
+        <assemblyIdentity name="Microsoft.Extensions.Configuration" publicKeyToken="adb9793829ddae60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.1.2.0" newVersion="1.1.2.0"/>
+      </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="Microsoft.Extensions.DependencyInjection.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.0.0.0" newVersion="1.0.0.0"/>
       </dependentAssembly>
     </assemblyBinding>
   </runtime>
-<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup></configuration>
+  <startup>
+    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/>
+  </startup>
+</configuration>

src/Validation.PackageSigning.Core/Configuration/CertificateStoreConfiguration.cs

@@ -0,0 +1,11 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Jobs.Validation.PackageSigning.Configuration
+{
+    public class CertificateStoreConfiguration
+    {
+        public string DataStorageAccount { get; set; }
+        public string ContainerName { get; set; }
+    }
+}

src/Validation.PackageSigning.Core/Error.cs

@@ -9,6 +9,8 @@ public static class Error
     {
         public static EventId ValidatorStateServiceFailedToAddStatus = new EventId(1000, "Failed to add validator's status");
         public static EventId ValidatorStateServiceFailedToUpdateStatus = new EventId(1001, "Failed to update validator's status");
+        public static EventId LoadedCertificateThumbprintDoesNotMatch = new EventId(1002, "Certificate thumbprint mismatch");
+        public static EventId LoadCertificateFromStorageFailed = new EventId(1003, "Certificate loading from storage failed");
 
         public static EventId ValidateSignatureFailedToDownloadPackageStatus = new EventId(1100, "Failed to download package");
     }

src/Validation.PackageSigning.Core/Extensions/X509Certificate2Extensions.cs

@@ -0,0 +1,25 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace System.Security.Cryptography.X509Certificates
+{
+    public static class X509Certificate2Extensions
+    {
+        public static string ComputeSHA256Thumbprint(this X509Certificate2 certificate)
+        {
+            if (certificate == null)
+            {
+                throw new ArgumentNullException(nameof(certificate));
+            }
+            
+            using (var sha256 = SHA256.Create())
+            {
+                var digestBytes = sha256.ComputeHash(certificate.RawData);
+                return BitConverter
+                        .ToString(digestBytes)
+                        .Replace("-", string.Empty)
+                        .ToLowerInvariant();
+            }
+        }
+    }
+}

src/Validation.PackageSigning.Core/Storage/CertificateStore.cs

@@ -2,28 +2,116 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.IO;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using NuGet.Services.Storage;
 
 namespace NuGet.Jobs.Validation.PackageSigning.Storage
 {
     public class CertificateStore : ICertificateStore
     {
-        public Task<bool> Exists(string thumbprint)
+        private const string _containerSubDirectory = "sha256";
+        private const string _fileExtension = ".cer";
+
+        private readonly ILogger<CertificateStore> _logger;
+        private readonly IStorage _storage;
+
+        public CertificateStore(
+            IStorage storage,
+            ILogger<CertificateStore> logger)
+        {
+            _storage = storage ?? throw new ArgumentNullException(nameof(storage));
+            _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        }
+
+        public Task<bool> ExistsAsync(string sha256Thumbprint, CancellationToken cancellationToken)
         {
-            throw new NotImplementedException();
+            if (sha256Thumbprint == null)
+            {
+                throw new ArgumentNullException(nameof(sha256Thumbprint));
+            }
+
+            return _storage.ExistsAsync(GetBlobFileName(sha256Thumbprint), cancellationToken);
         }
 
-        public Task<X509Certificate2> Load(string thumbprint)
+        public async Task<X509Certificate2> LoadAsync(string sha256Thumbprint, CancellationToken cancellationToken)
         {
-            // TODO: verify the certificate's thumbprint each time the certificate is downloaded from blob storage
+            if (sha256Thumbprint == null)
+            {
+                throw new ArgumentNullException(nameof(sha256Thumbprint));
+            }
+
+            var uri = _storage.ResolveUri(GetBlobFileName(sha256Thumbprint));
+
+            _logger.LogInformation("Loading certificate with SHA-256 thumbprint {Thumbprint} from URI {BlobUri}", sha256Thumbprint, uri);
+
+            var storageContent = await _storage.Load(uri, CancellationToken.None);
+            if (storageContent == null)
+            {
+                _logger.LogError(
+                        Error.LoadCertificateFromStorageFailed,
+                        "The certificate with SHA-256 thumbprint {Thumbprint} could not be loaded from storage URI {BlobUri}.",
+                        sha256Thumbprint,
+                        uri);
+
+                throw new InvalidOperationException($"Failed to load certificate with SHA-256 thumbprint {sha256Thumbprint} from URI {uri}");
+            }
+
+            byte[] rawData;
+            using (var stream = storageContent.GetContentStream())
+            {
+                using (var buffer = new MemoryStream())
+                {
+                    await stream.CopyToAsync(buffer);
+                    rawData = buffer.ToArray();
+                }
+            }
+
+            var certificate = new X509Certificate2(rawData);
+            var certificateSha256ComputedThumbprint = certificate.ComputeSHA256Thumbprint();
+
+            // Verify the certificate's thumbprint each time the certificate is downloaded from blob storage
+            if (!string.Equals(certificateSha256ComputedThumbprint, sha256Thumbprint, StringComparison.Ordinal))
+            {
+                _logger.LogError(
+                        Error.LoadedCertificateThumbprintDoesNotMatch,
+                        "The loaded certificate did not match the expected SHA-256 thumbprint {ExpectedThumbprint} (actual SHA-256 thumbprint: {ActualThumbprint}).",
+                        sha256Thumbprint,
+                        certificateSha256ComputedThumbprint);
+
+                throw new InvalidOperationException($"The loaded certificate did not match the expected SHA-256 thumbprint {sha256Thumbprint} (actual SHA-256 thumbprint: {certificateSha256ComputedThumbprint}).");
+            }
+
+            _logger.LogInformation("Loaded certificate with SHA-256 thumbprint {Thumbprint} from URI {blobUri}", sha256Thumbprint, uri);
+
+            return certificate;
+        }
+
+        public Task SaveAsync(X509Certificate2 certificate, CancellationToken cancellationToken)
+        {
+            if (certificate == null)
+            {
+                throw new ArgumentNullException(nameof(certificate));
+            }
+
+            var sha256Thumbprint = certificate.ComputeSHA256Thumbprint();
+            var uri = _storage.ResolveUri(GetBlobFileName(sha256Thumbprint));
+
+            _logger.LogInformation("Saving certificate with SHA-256 thumbprint {Thumbprint} to URI {BlobUri}", sha256Thumbprint, uri);
 
-            throw new NotImplementedException();
+            return _storage.Save(
+                uri,
+                new StreamStorageContent(new MemoryStream(certificate.RawData)),
+                overwrite: false,
+                cancellationToken: cancellationToken);
         }
 
-        public Task Save(X509Certificate2 certificate)
+        private static string GetBlobFileName(string sha256Thumbprint)
         {
-            throw new NotImplementedException();
+            return $"{_containerSubDirectory}/{sha256Thumbprint}{_fileExtension}".ToLowerInvariant();
         }
     }
 }

src/Validation.PackageSigning.Core/Storage/ICertificateStore.cs

@@ -2,34 +2,38 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Security.Cryptography.X509Certificates;
+using System.Threading;
 using System.Threading.Tasks;
 
 namespace NuGet.Jobs.Validation.PackageSigning.Storage
 {
     /// <summary>
-    /// The class used to <see cref="X509Certificate2"/> store and retrieve certificates.
+    /// The interface used to <see cref="X509Certificate2"/> store and retrieve certificates.
     /// </summary>
     public interface ICertificateStore
     {
         /// <summary>
         /// Check if the store contains the certificate.
         /// </summary>
         /// <param name="thumbprint">The certificate's thumbprint.</param>
+        /// <param name="cancellationToken">The cancellation token.</param>
         /// <returns>Whether the store contains a certificate that has the given thumbprint.</returns>
-        Task<bool> Exists(string thumbprint);
+        Task<bool> ExistsAsync(string thumbprint, CancellationToken cancellationToken);
 
         /// <summary>
         /// Load the certificate into memory.
         /// </summary>
         /// <param name="thumbprint">The certificate's thumbprint.</param>
+        /// <param name="cancellationToken">The cancellation token.</param>
         /// <returns>A certificate whose thumbprint is the given thumbprint.</returns>
-        Task<X509Certificate2> Load(string thumbprint);
+        Task<X509Certificate2> LoadAsync(string thumbprint, CancellationToken cancellationToken);
 
         /// <summary>
-        /// Save the certificate to the store.
+        /// Save the certificate to the store. This method fails if the certificate already exists.
         /// </summary>
         /// <param name="certificate">The certificate to save to the store.</param>
+        /// <param name="cancellationToken">The cancellation token.</param>
         /// <returns>A task that completes when the certificate has been saved.</returns>
-        Task Save(X509Certificate2 certificate);
+        Task SaveAsync(X509Certificate2 certificate, CancellationToken cancellationToken);
     }
 }