Add get cert chain operation to Az.CodeSigning preview module (#25528)

* feat: initial implementation of the get certificate chain method

* fix: root cert operation should return PSSigningCertificate type

* test: added get test chain certificate function

* docs: added help sample file

* docs: added link to new cert chain operation

Also fixed minor typo

* docs: updated changelog.md

* fix: static analyzer failure

* Update ChangeLog.md

* docs: fix markdown parsing for cert chain operation

---------

Co-authored-by: Yabo Hu <[email protected]>

Author: Jaxelr

src/CodeSigning/CodeSigning.Test/ScenarioTests/CodeSigningTests.cs

@@ -36,5 +36,12 @@ public void TestGetSigningRootCertificate()
         {
             TestRunner.RunTestScript("Test-GetCodeSigningRootCert");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.LiveOnly)]
+        public void TestGetSigningCertificateChain()
+        {
+            TestRunner.RunTestScript("Test-GetCodeSigningCertChain");
+        }
     }
 }

src/CodeSigning/CodeSigning.Test/ScenarioTests/CodeSigningTests.ps1

@@ -52,5 +52,26 @@ function Test-GetCodeSigningRootCert {
 
     finally {
 
+    }
+}
+
+<#
+.SYNOPSIS
+Test codesigning command to get the certificate chain from the certificate profile
+#>
+function Test-GetCodeSigningCertChain {
+    $accountName = "acs-test-account"
+    $profileName = "acs-test-account-ci"
+    $endPointUrl = "https://scus.codesigning.azure.net/"
+    $destination = "C:\temp"
+
+    try {
+        # Test Get CodeSigning Certificate Chain
+        $chain = Get-AzCodeSigningCertChain -AccountName $accountName -ProfileName $profileName -EndpointUrl $endPointUrl -Destination $destination
+        Assert-NotNullOrEmpty $chain
+    }
+
+    finally {
+
     }
 }

src/CodeSigning/CodeSigning/Az.CodeSigning.psd1

@@ -54,9 +54,9 @@ DotNetFrameworkVersion = '4.7.2'
 RequiredModules = @(@{ModuleName = 'Az.Accounts'; ModuleVersion = '3.0.1'; })
 
 # Assemblies that must be loaded prior to importing this module
-RequiredAssemblies = 'Azure.CodeSigning.Client.CryptoProvider.dll', 
-               'Azure.CodeSigning.Client.CryptoProvider.Models.dll', 
-               'Azure.CodeSigning.Client.CryptoProvider.Utilities.dll', 
+RequiredAssemblies = 'Azure.CodeSigning.Client.CryptoProvider.dll',
+               'Azure.CodeSigning.Client.CryptoProvider.Models.dll',
+               'Azure.CodeSigning.Client.CryptoProvider.Utilities.dll',
                'Azure.CodeSigning.dll', 'Polly.dll'
 
 # Script files (.ps1) that are run in the caller's environment prior to importing this module.
@@ -75,7 +75,7 @@ NestedModules = @('Microsoft.Azure.PowerShell.Cmdlets.CodeSigning.dll')
 FunctionsToExport = @()
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-CmdletsToExport = 'Get-AzCodeSigningCustomerEku', 'Get-AzCodeSigningRootCert', 
+CmdletsToExport = 'Get-AzCodeSigningCustomerEku', 'Get-AzCodeSigningRootCert', 'Get-AzCodeSigningCertChain',
                'Invoke-AzCodeSigningCIPolicySigning'
 
 # Variables to export from this module

src/CodeSigning/CodeSigning/ChangeLog.md

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Added `Get-AzCodeSigningCertChain` cmdlet to retrieve the certificate chain for a certificate profile.
 
 ## Version 0.1.2
 * Updated signed 3rd party assembly Polly.dll to PSGallery

src/CodeSigning/CodeSigning/CodeSigning.csproj

@@ -24,6 +24,7 @@
   <ItemGroup>
     <PackageReference Include="Polly" Version="7.2.4" />
     <PackageReference Include="Azure.CodeSigning.Client.CryptoProvider" Version="0.1.16" />
+    <PackageReference Include="Azure.CodeSigning.Sdk" Version="0.1.106" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.3" />
   </ItemGroup>
 

src/CodeSigning/CodeSigning/Commands/GetAzureCodeSigningCertChain.cs

@@ -0,0 +1,135 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.CodeSigning.Models;
+using System.Collections.Generic;
+using System.IO;
+using System.Management.Automation;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.Azure.Commands.CodeSigning
+{
+    [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + "CodeSigningCertChain", DefaultParameterSetName = ByAccountProfileNameParameterSet)]
+    [OutputType(typeof(IEnumerable<PSSigningCertificate>))]
+    public class GetAzureCodeSigningCertChain : CodeSigningCmdletBase
+    {
+        #region Parameter Set Names
+
+        private const string ByAccountProfileNameParameterSet = "ByAccountProfileNameParameterSet";
+        private const string ByMetadataFileParameterSet = "ByMetadataFileParameterSet";
+
+        #endregion
+
+        #region Input Parameter Definitions
+
+        /// <summary>
+        /// Account Profile name
+        /// </summary>
+        [Parameter(Mandatory = true,
+            Position = 0,
+            ParameterSetName = ByAccountProfileNameParameterSet,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "The account name of Azure CodeSigning.")]
+        [ValidateNotNullOrEmpty]
+        public string AccountName { get; set; }
+
+        [Parameter(Mandatory = true,
+            Position = 1,
+            ParameterSetName = ByAccountProfileNameParameterSet,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "The certificate profile name of Azure CodeSigning account.")]
+        [ValidateNotNullOrEmpty()]
+        public string ProfileName { get; set; }
+        [Parameter(Mandatory = true,
+            Position = 2,
+            ParameterSetName = ByAccountProfileNameParameterSet,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "The endpoint url used to submit request to Azure CodeSigning.")]
+        public string EndpointUrl { get; set; }
+
+
+        /// <summary>
+        /// Metadata File Path
+        /// </summary>
+        [Parameter(Mandatory = true,
+            Position = 0,
+            ParameterSetName = ByMetadataFileParameterSet,
+             ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Metadata File path. Cmdlet constructs the FQDN of an account profile based on the Metadata File and currently selected environment.")]
+        [ValidateNotNullOrEmpty]
+        public string MetadataFilePath { get; set; }
+
+        [Parameter(Mandatory = true,
+          Position = 3,
+          ParameterSetName = ByAccountProfileNameParameterSet,
+          ValueFromPipelineByPropertyName = true,
+          HelpMessage = "Downloaded Root Cert file full path, including file name")]
+        [Parameter(Mandatory = true,
+          Position = 1,
+          ParameterSetName = ByMetadataFileParameterSet,
+          ValueFromPipelineByPropertyName = true,
+          HelpMessage = "Downloaded Root Cert file full path, including file name")]
+        [ValidateNotNullOrEmpty]
+        public string Destination { get; set; }
+        #endregion
+
+        public override void ExecuteCmdlet()
+        {
+            Stream certchain;
+
+            if (!string.IsNullOrEmpty(AccountName))
+            {
+                certchain = CodeSigningServiceClient.GetCodeSigningCertChain(AccountName, ProfileName, EndpointUrl);
+                WriteCertChain(certchain);
+            }
+            else if (!string.IsNullOrEmpty(MetadataFilePath))
+            {
+                certchain = CodeSigningServiceClient.GetCodeSigningCertChain(MetadataFilePath);
+                WriteCertChain(certchain);
+            }
+        }
+
+        private void WriteCertChain(Stream certchain)
+        {
+            var downloadPath = ResolvePath(Destination);
+
+            var fileStream = new FileStream(downloadPath, FileMode.Create, FileAccess.Write);
+            certchain.CopyTo(fileStream);
+            fileStream.Dispose();
+
+            byte[] rawData = File.ReadAllBytes(downloadPath);
+
+            var chain = new X509Certificate2Collection();
+            chain.Import(rawData);
+
+            WriteObject(downloadPath.Replace("\\", @"\"));
+
+            var pschain = new List<PSSigningCertificate>();
+
+            foreach (var cert in chain)
+            {
+                var pscert = new PSSigningCertificate()
+                {
+                    Issuer = cert.Issuer,
+                    Subject = cert.Subject,
+                    Thumbprint = cert.Thumbprint
+                };
+
+                pschain.Add(pscert);
+            }
+
+            WriteObject(pschain);
+        }
+    }
+}

src/CodeSigning/CodeSigning/Commands/GetAzureCodeSigningRootCert.cs

@@ -20,7 +20,7 @@
 namespace Microsoft.Azure.Commands.CodeSigning
 {
     [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + "CodeSigningRootCert", DefaultParameterSetName = ByAccountProfileNameParameterSet)]
-    [OutputType(typeof(string))]
+    [OutputType(typeof(PSSigningCertificate))]
     public class GetAzureCodeSigningRootCert : CodeSigningCmdletBase
     {
         #region Parameter Set Names
@@ -115,7 +115,8 @@ private void WriteRootCert(Stream rootcert)
             PSSigningCertificate pscert = new PSSigningCertificate
             {
                 Subject = x509.Subject,
-                Thumbprint = x509.Thumbprint
+                Thumbprint = x509.Thumbprint,
+                Issuer = x509.Issuer
             };
 
             WriteObject(pscert, false);

src/CodeSigning/CodeSigning/Models/CodeSigningServiceClient.cs

@@ -12,13 +12,13 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
-using System;
 using Azure.CodeSigning;
-using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
-using System.IO;
 using Azure.Core;
 using Microsoft.Azure.Commands.CodeSigning.Helpers;
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Newtonsoft.Json;
+using System;
+using System.IO;
 using System.Linq;
 
 namespace Microsoft.Azure.Commands.CodeSigning.Models
@@ -52,14 +52,6 @@ public CodeSigningServiceClient(IAuthenticationFactory authFactory, IAzureContex
         private Exception GetInnerException(Exception exception)
         {
             while (exception.InnerException != null) exception = exception.InnerException;
-            //if need modify inner exception
-            //if (exception is KeyVaultErrorException kvEx && kvEx?.Body?.Error != null)
-            //{
-            //    var detailedMsg = exception.Message;
-            //    detailedMsg += string.Format(Environment.NewLine + "Code: {0}", kvEx.Body.Error.Code);
-            //    detailedMsg += string.Format(Environment.NewLine + "Message: {0}", kvEx.Body.Error.Message);
-            //    exception = new KeyVaultErrorException(detailedMsg, kvEx);
-            //}
             return exception;
         }
 
@@ -120,11 +112,31 @@ public Stream GetCodeSigningRootCert(string metadataPath)
             return GetCodeSigningRootCert(accountName, profileName, endpoint);
         }
 
+        public Stream GetCodeSigningCertChain(string accountName, string profileName, string endpoint)
+        {
+            GetCertificateProfileClient(endpoint);
+
+            var certChain = CertificateProfileClient.GetSignCertificateChain(accountName, profileName);
+            return certChain;
+        }
+
+        public Stream GetCodeSigningCertChain(string metadataPath)
+        {
+            var rawMetadata = File.ReadAllText(metadataPath);
+            Metadata = JsonConvert.DeserializeObject<Metadata>(rawMetadata);
+
+            var accountName = Metadata.CodeSigningAccountName;
+            var profileName = Metadata.CertificateProfileName;
+            var endpoint = Metadata.Endpoint;
+
+            return GetCodeSigningCertChain(accountName, profileName, endpoint);
+        }
+
         public void SubmitCIPolicySigning(string accountName, string profileName, string endpoint,
             string unsignedCIFilePath, string signedCIFilePath, string timeStamperUrl = null)
         {
-           var cipolicySigner = new CmsSigner();
-           cipolicySigner.SignCIPolicy(user_creds, accountName, profileName, endpoint, unsignedCIFilePath, signedCIFilePath, timeStamperUrl);
+            var cipolicySigner = new CmsSigner();
+            cipolicySigner.SignCIPolicy(user_creds, accountName, profileName, endpoint, unsignedCIFilePath, signedCIFilePath, timeStamperUrl);
         }
 
         public void SubmitCIPolicySigning(string metadataPath, string unsignedCIFilePath, string signedCIFilePath, string timeStamperUrl)

src/CodeSigning/CodeSigning/Models/ICodeSigningServiceClient.cs

@@ -26,6 +26,10 @@ public interface ICodeSigningServiceClient
 
         Stream GetCodeSigningRootCert(string metadataPath);
 
+        Stream GetCodeSigningCertChain(string accountName, string profileName, string endpoint);
+
+        Stream GetCodeSigningCertChain(string metadataPath);
+
         void SubmitCIPolicySigning(string accountName, string profileName, string endpoint,
                 string unsignedCIFilePath, string signedCIFilePath, string timeStamperUrl);
         void SubmitCIPolicySigning(string metadataPath,

src/CodeSigning/CodeSigning/Models/PSSigningCertificate.cs

@@ -18,5 +18,6 @@ internal class PSSigningCertificate
     {
         public string Thumbprint { get; set; }
         public string Subject { get; set; }
+        public string Issuer { get; set; }
     }
 }