implement extractSigningEntity

Author: yim-lee

Sources/PackageSigning/SignatureProvider.swift

@@ -64,6 +64,7 @@ public enum SignatureProvider {
         let provider = format.provider
         return try await provider.extractSigningEntity(
             signature: signature,
+            format: format,
             verifierConfiguration: verifierConfiguration
         )
     }
@@ -119,6 +120,9 @@ public enum SigningError: Error {
     case keyDoesNotSupportSignatureAlgorithm
     case signingIdentityNotSupported
     case unableToValidateSignature(String)
+    case invalidSignature(String)
+    case certificateInvalid(String)
+    case certificateNotTrusted(SigningEntity)
 }
 
 // MARK: - Signature formats and providers
@@ -177,6 +181,7 @@ protocol SignatureProviderProtocol {
 
     func extractSigningEntity(
         signature: [UInt8],
+        format: SignatureFormat,
         verifierConfiguration: VerifierConfiguration
     ) async throws -> SigningEntity
 }
@@ -249,13 +254,6 @@ struct CMSSignatureProvider: SignatureProviderProtocol {
         }
     }
 
-    func extractSigningEntity(
-        signature: [UInt8],
-        verifierConfiguration: VerifierConfiguration
-    ) async throws -> SigningEntity {
-        throw StringError("not implemented")
-    }
-
     func status(
         signature: [UInt8],
         content: [UInt8],
@@ -310,6 +308,66 @@ struct CMSSignatureProvider: SignatureProviderProtocol {
             throw SigningError.unableToValidateSignature("\(error)")
         }
     }
+
+    func extractSigningEntity(
+        signature: [UInt8],
+        format: SignatureFormat,
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> SigningEntity {
+        switch format {
+        case .cms_1_0_0:
+            do {
+                let cmsSignature = try CMSSignature(derEncoded: signature)
+                let signers = try cmsSignature.signers
+                guard signers.count == 1, let signer = signers.first else {
+                    throw SigningError.invalidSignature("expected 1 signer but got \(signers.count)")
+                }
+
+                let signingCertificate = signer.certificate
+
+                var trustRoots: [Certificate] = []
+                if verifierConfiguration.includeDefaultTrustStore {
+                    trustRoots.append(contentsOf: CertificateStores.defaultTrustRoots)
+                }
+                trustRoots.append(contentsOf: try verifierConfiguration.trustedRoots.map { try Certificate($0) })
+
+                // Verifier uses these to build cert chain for validation
+                // (see also notes in `status` method)
+                var untrustedIntermediates: [Certificate] = []
+                // WWDR intermediates are not required when signing with ADP certs,
+                // (i.e., these intermediates may not be in the signature), hence
+                // we include them here to ensure Verifier can build cert chain.
+                untrustedIntermediates.append(contentsOf: Certificates.wwdrIntermediates)
+                // For self-signed certificate, the signature should include intermediate(s).
+                untrustedIntermediates.append(contentsOf: cmsSignature.certificates)
+
+                let policySet = self.buildPolicySet(configuration: verifierConfiguration, httpClient: self.httpClient)
+
+                var verifier = Verifier(rootCertificates: CertificateStore(trustRoots), policy: policySet)
+                let result = await verifier.validate(
+                    leafCertificate: signingCertificate,
+                    intermediates: CertificateStore(untrustedIntermediates)
+                )
+
+                switch result {
+                case .validCertificate:
+                    return SigningEntity.from(certificate: signingCertificate)
+                case .couldNotValidate(let validationFailures):
+                    if validationFailures.isEmpty {
+                        let signingEntity = SigningEntity.from(certificate: signingCertificate)
+                        throw SigningError.certificateNotTrusted(signingEntity)
+                    } else {
+                        throw SigningError
+                            .certificateInvalid("failures: \(validationFailures.map(\.policyFailureReason))")
+                    }
+                }
+            } catch let error as SigningError {
+                throw error
+            } catch {
+                throw SigningError.invalidSignature("\(error)")
+            }
+        }
+    }
 }
 
 #if canImport(Security)

Tests/PackageSigningTests/SigningTests.swift

@@ -818,6 +818,123 @@ final class SigningTests: XCTestCase {
     }
     #endif
 
+    func testCMS1_0_0ExtractSigningEntity() async throws {
+        let keyAndCertChain = try tsc_await { self.ecTestKeyAndCertChain(callback: $0) }
+        let signingIdentity = SwiftSigningIdentity(
+            certificate: try Certificate(keyAndCertChain.leafCertificate),
+            privateKey: try Certificate
+                .PrivateKey(P256.Signing.PrivateKey(derRepresentation: keyAndCertChain.privateKey))
+        )
+        let content = Array("per aspera ad astra".utf8)
+
+        let signatureFormat = SignatureFormat.cms_1_0_0
+        let signature = try SignatureProvider.sign(
+            content: content,
+            identity: signingIdentity,
+            intermediateCertificates: keyAndCertChain.intermediateCertificates,
+            format: signatureFormat,
+            observabilityScope: ObservabilitySystem.NOOP
+        )
+
+        let verifierConfiguration = VerifierConfiguration(
+            trustedRoots: [keyAndCertChain.rootCertificate],
+            includeDefaultTrustStore: false,
+            certificateExpiration: .disabled,
+            certificateRevocation: .disabled
+        )
+
+        let signingEntity = try await SignatureProvider.extractSigningEntity(
+            signature: signature,
+            format: signatureFormat,
+            verifierConfiguration: verifierConfiguration
+        )
+
+        guard case .unrecognized(let name, let organizationalUnit, let organization) = signingEntity else {
+            return XCTFail("Expected SigningEntity.unrecognized but got \(signingEntity)")
+        }
+        XCTAssertEqual("Test (EC) leaf", name)
+        XCTAssertEqual("Test (EC) org unit", organizationalUnit)
+        XCTAssertEqual("Test (EC) org", organization)
+    }
+
+    func testCMS1_0_0ExtractSigningEntityWithSelfSignedCertificate() async throws {
+        let keyAndCertChain = try tsc_await { self.ecSelfSignedTestKeyAndCertChain(callback: $0) }
+        let signingIdentity = SwiftSigningIdentity(
+            certificate: try Certificate(keyAndCertChain.leafCertificate),
+            privateKey: try Certificate
+                .PrivateKey(P256.Signing.PrivateKey(derRepresentation: keyAndCertChain.privateKey))
+        )
+        let content = Array("per aspera ad astra".utf8)
+
+        let signatureFormat = SignatureFormat.cms_1_0_0
+        let signature = try SignatureProvider.sign(
+            content: content,
+            identity: signingIdentity,
+            intermediateCertificates: keyAndCertChain.intermediateCertificates,
+            format: signatureFormat,
+            observabilityScope: ObservabilitySystem.NOOP
+        )
+
+        let verifierConfiguration = VerifierConfiguration(
+            trustedRoots: [keyAndCertChain.rootCertificate],
+            includeDefaultTrustStore: false,
+            certificateExpiration: .disabled,
+            certificateRevocation: .disabled
+        )
+
+        let signingEntity = try await SignatureProvider.extractSigningEntity(
+            signature: signature,
+            format: signatureFormat,
+            verifierConfiguration: verifierConfiguration
+        )
+
+        guard case .unrecognized(let name, let organizationalUnit, let organization) = signingEntity else {
+            return XCTFail("Expected SigningEntity.unrecognized but got \(signingEntity)")
+        }
+        XCTAssertEqual("Test (EC)", name)
+        XCTAssertEqual("Test (EC) org unit", organizationalUnit)
+        XCTAssertEqual("Test (EC) org", organization)
+    }
+
+    func testCMS1_0_0ExtractSigningEntityWithUntrustedCertificate() async throws {
+        let keyAndCertChain = try tsc_await { self.ecTestKeyAndCertChain(callback: $0) }
+        let signingIdentity = SwiftSigningIdentity(
+            certificate: try Certificate(keyAndCertChain.leafCertificate),
+            privateKey: try Certificate
+                .PrivateKey(P256.Signing.PrivateKey(derRepresentation: keyAndCertChain.privateKey))
+        )
+        let content = Array("per aspera ad astra".utf8)
+
+        let signatureFormat = SignatureFormat.cms_1_0_0
+        let signature = try SignatureProvider.sign(
+            content: content,
+            identity: signingIdentity,
+            intermediateCertificates: keyAndCertChain.intermediateCertificates,
+            format: signatureFormat,
+            observabilityScope: ObservabilitySystem.NOOP
+        )
+
+        let verifierConfiguration = VerifierConfiguration(
+            trustedRoots: [], // trust store is empty
+            includeDefaultTrustStore: false,
+            certificateExpiration: .disabled,
+            certificateRevocation: .disabled
+        )
+
+        do {
+            _ = try await SignatureProvider.extractSigningEntity(
+                signature: signature,
+                format: signatureFormat,
+                verifierConfiguration: verifierConfiguration
+            )
+            XCTFail("expected error")
+        } catch {
+            guard case SigningError.certificateNotTrusted = error else {
+                return XCTFail("Expected error to be SigningError.certificateNotTrusted but got \(error)")
+            }
+        }
+    }
+
     private func ecTestKeyAndCertChain(callback: (Result<KeyAndCertChain, Error>) -> Void) {
         do {
             try fixture(name: "Signing", createGitRepo: false) { fixturePath in