CodeTransparency SDK support to API version 2025-01-31-preview and added new verification logic (Azure#48627)

* initial SDK generation

Author: vimauro

.vscode/cspell.json

@@ -353,7 +353,11 @@
         "cbor",
         "ccfs",
         "cose",
-        "scitt"
+        "Jwks",
+        "PHDR",
+        "PKIX",
+        "scitt",
+        "tstr"
       ]
     },
     {

sdk/confidentialledger/Azure.Security.CodeTransparency/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Release History
 
+## 1.0.0-beta.4 (2025-03-27)
+
+### Features Added
+
+- Aligned with the latest changes (Feb 25) of the IETF draft: https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/
+- Updated receipt verification logic.
+
+### Breaking Changes
+
+### Bugs Fixed
+
+### Other Changes
+
 ## 1.0.0-beta.3 (Unreleased)
 
 ### Features Added

sdk/confidentialledger/Azure.Security.CodeTransparency/README.md

@@ -22,7 +22,7 @@ dotnet add package Azure.Security.CodeTransparency --prerelease
 
 - A running and accessible Code Transparency Service
 - Ability to create `COSE_Sign1` envelopes, [an example script][CTS_claim_generator_script]
-- Your signer details (CA cert or DID issuer) have to be configured in the running service, [about available configuration][CTS_configuration_doc]
+- Your signer details (CA cert) have to be configured in the running service, [about available configuration][CTS_configuration_doc]
 - You can get a valid Bearer token if the service authentication is configured to require one, [see example](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/confidentialledger/Azure.Security.CodeTransparency/samples/Sample3_UseYourCredentials.md)
 
 ### Thread safety
@@ -42,21 +42,34 @@ Before submitting the cose file, the service must be configured with the relevan
 To submit the signature, use the following code:
 
 ```C# Snippet:CodeTransparencySubmission
-CodeTransparencyClient client = new(new Uri("https://<< service name >>.confidential-ledger.azure.com"), null);
+CodeTransparencyClient client = new(new Uri("https://<< service name >>.confidential-ledger.azure.com"));
 FileStream fileStream = File.OpenRead("signature.cose");
 BinaryData content = BinaryData.FromStream(fileStream);
-Operation<GetOperationResult> operation = await client.CreateEntryAsync(content);
-Response<GetOperationResult> operationResult = await operation.WaitForCompletionAsync();
-Console.WriteLine($"The entry id to use to get the entry and receipt is {{{operationResult.Value.EntryId}}}");
-Response<BinaryData> signatureWithReceiptResponse = await client.GetEntryAsync(operationResult.Value.EntryId, true);
-BinaryData signatureWithReceipt = signatureWithReceiptResponse.Value;
-byte[] signatureWithReceiptBytes = signatureWithReceipt.ToArray();
+Operation<BinaryData> operation = await client.CreateEntryAsync(WaitUntil.Started, content);
 ```
 
 Once you have the receipt and the signature, you can verify whether the signature was actually included in the Code Transparency service by running the receipt verification logic. The verifier checks if the receipt was issued for a given signature and if the receipt signature was endorsed by the service.
 
+```C# Snippet:CodeTransparencyVerifyReceipt
+Response<JwksDocument> key = client.GetPublicKeys();
+
+CcfReceiptVerifier.VerifyTransparentStatementReceipt(key.Value.Keys[0], receiptBytes, inputSignedPayloadBytes);
+```
+
+Alternatively, you can retrieve the Transparent Statement of the corresponding submission and run the receipt verification logic
+
 ```C# Snippet:CodeTransparencyVerification
-CcfReceiptVerifier.RunVerification(signatureWithReceiptBytes);
+Response<BinaryData> transparentStatement = client.GetEntryStatement(entryId);
+byte[] transparentStatementBytes = transparentStatement.Value.ToArray();
+
+try
+{
+    client.RunTransparentStatementVerification(transparentStatementBytes);
+}
+catch (Exception e)
+{
+    Console.WriteLine(e.Message);
+}
 ```
 
 If the verification completes without exception, you can trust the signature and the receipt. This allows you to safely inspect the contents of the files, especially the contents of the payload embedded in a cose signature envelope.
@@ -94,8 +107,8 @@ This project has adopted the [Microsoft Open Source Code of Conduct][code_of_con
 
 <!-- LINKS -->
 [COSE_RFC]: https://www.rfc-editor.org/rfc/rfc8152.txt
-[SCITT_ARCHITECTURE_RFC]: https://www.ietf.org/archive/id/draft-ietf-scitt-architecture-01.txt
-[SCITT_RECEIPT_RFC]: https://www.ietf.org/archive/id/draft-birkholz-scitt-receipts-03.txt
+[SCITT_ARCHITECTURE_RFC]: https://www.ietf.org/archive/id/draft-ietf-scitt-architecture-11.txt
+[SCITT_RECEIPT_RFC]: https://www.ietf.org/archive/id/draft-ietf-cose-merkle-tree-proofs-08.txt
 [API_reference]: https://learn.microsoft.com/dotnet/api/azure.security.keyvault.keys
 [Service_source_code]: https://github.com/microsoft/scitt-ccf-ledger
 [CTS_claim_generator_script]: https://github.com/microsoft/scitt-ccf-ledger/tree/main/demo/cts_poc

sdk/confidentialledger/Azure.Security.CodeTransparency/api/Azure.Security.CodeTransparency.net8.0.cs

@@ -13,18 +13,19 @@ Then, you will also need to have a valid `COSE_Sign1` envelope file. There are m
 To create a new `CodeTransparencyClient` that will interact with the service, without explicit credentials if the service allows it or if you 
 want to get the publicly accessible data only. Then use a subclient to work with entries:
 
-```C# Snippet:CodeTransparencySample1_CreateClient
-CodeTransparencyClient client = new(new Uri("https://<< service name >>.confidential-ledger.azure.com"), null);
+```C# Snippet:CodeTransparencySample_CreateClient
+CodeTransparencyClient client = new(new Uri("https://<< service name >>.confidential-ledger.azure.com"));
 ```
 
 ## Submit the file
 
 The most basic usage is to submit a valid signature file to the service. Acceptance of the submission is a long running operation which is why the response will contain the operation id.
 
-```C# Snippet:CodeTransparencySample1_SendSignature
+```C# Snippet:CodeTransparencySubmission
+CodeTransparencyClient client = new(new Uri("https://<< service name >>.confidential-ledger.azure.com"));
 FileStream fileStream = File.OpenRead("signature.cose");
 BinaryData content = BinaryData.FromStream(fileStream);
-Operation<GetOperationResult> operation = await client.CreateEntryAsync(content);
+Operation<BinaryData> operation = await client.CreateEntryAsync(WaitUntil.Started, content);
 ```
 
 ## Verify if operation was successful
@@ -34,7 +35,21 @@ If you want to be sure that the submission completed successfully it is necessar
 Another important part of the operation check is that it will contain an identifier (entry ID) to be used to get the transaction receipt.
 
 ```C# Snippet:CodeTransparencySample1_WaitForResult
-Response<GetOperationResult> response = await operation.WaitForCompletionAsync();
-GetOperationResult value = response.Value;
-Console.WriteLine($"The entry id to use to get the entry and receipt is {{{value.EntryId}}}");
+Response<BinaryData> operationResult = await operation.WaitForCompletionAsync();
+
+string entryId = string.Empty;
+CborReader cborReader = new CborReader(operationResult.Value);
+cborReader.ReadStartMap();
+while (cborReader.PeekState() != CborReaderState.EndMap)
+{
+    string key = cborReader.ReadTextString();
+    if (key == "EntryId")
+    {
+        entryId = cborReader.ReadTextString();
+    }
+    else
+        cborReader.SkipValue();
+}
+
+Console.WriteLine($"The entry id to use to get the receipt and Transparent Statement is {{{entryId}}}");
 ```

sdk/confidentialledger/Azure.Security.CodeTransparency/api/Azure.Security.CodeTransparency.netstandard2.0.cs

@@ -12,8 +12,8 @@ To get started, you'll need a url of the service.
 To create a new `CodeTransparencyClient` that will interact with the service, without explicit credentials if the service allows it or if you 
 want to get the publicly accessible data only. Then use a subclient to work with entries:
 
-```C# Snippet:CodeTransparencySample2_CreateClient
-CodeTransparencyClient client = new(new Uri("https://<< service name >>.confidential-ledger.azure.com"), null);
+```C# Snippet:CodeTransparencySample_CreateClient
+CodeTransparencyClient client = new(new Uri("https://<< service name >>.confidential-ledger.azure.com"));
 ```
 
 ## Download receipt
@@ -24,16 +24,16 @@ The receipt on its own contains only the inclusion proof and the signature. You
 
 The easiest way is to download the receipt and the signature together which was stored after the submission. The receipt will be added to the unprotected header of the signature.
 
-```C# Snippet:CodeTransparencySample2_GetEntryWithEmbeddedReceipt
-Response<BinaryData> signatureWithReceipt = await client.GetEntryAsync("2.34", true);
+```C# Snippet:CodeTransparencySample2_GetEntryStatement
+Response<BinaryData> signatureWithReceiptResponse = await client.GetEntryStatementAsync(entryId);
 ```
 
 ### Raw receipt
 
 If you have the signature as a separate file already then you can download the raw receipt file.
 
 ```C# Snippet:CodeTransparencySample2_GetRawReceipt
-Response<BinaryData> receipt = await client.GetEntryReceiptAsync("2.34");
+Response<BinaryData> receipt = await client.GetEntryAsync(entryId);
 ```
 
 ## Verify
@@ -46,14 +46,33 @@ The following examples will use a default public key resolver to get the keys fo
 
 When receipt is embedded in the signature then passing just the signature is enough.
 
-```C# Snippet:CodeTransparencySample2_VerifyEntryWithEmbeddedReceipt
-CcfReceiptVerifier.RunVerification(signatureWithReceipt.Value.ToArray());
+```C# Snippet:CodeTransparencyVerification
+Response<BinaryData> transparentStatement = client.GetEntryStatement(entryId);
+byte[] transparentStatementBytes = transparentStatement.Value.ToArray();
+
+try
+{
+    client.RunTransparentStatementVerification(transparentStatementBytes);
+}
+catch (Exception e)
+{
+    Console.WriteLine(e.Message);
+}
 ```
 
-### Raw receipt
-
-If the receipt is a separate file then it needs to be passed as a second argument next to the signature.
-
-```C# Snippet:CodeTransparencySample2_VerifyEntryAndReceipt
-CcfReceiptVerifier.RunVerification(receipt.Value.ToArray(), signatureBytes);
-```
+Alternatively, you can provide your own JsonWebKey, the receipt and the corresponding signed claims
+
+```C# Snippet:CodeTransparencySample2_VerifyReceiptAndInputSignedStatement
+// Create a JsonWebKey
+JsonWebKey jsonWebKey = new JsonWebKey(<.....>);
+byte[] inputSignedStatement = readFileBytes("<input_signed_claims");
+
+try
+{
+    CcfReceiptVerifier.VerifyTransparentStatementReceipt(jsonWebKey, signatureWithReceiptBytes, inputSignedStatement);
+}
+catch (Exception e)
+{
+    Console.WriteLine(e.Message);
+}
+```

sdk/confidentialledger/Azure.Security.CodeTransparency/samples/Sample1_HelloWorld.md

@@ -10,13 +10,15 @@
 
   <ItemGroup>
     <Compile Include="$(AzureCoreSharedSources)AzureResourceProviderNamespaceAttribute.cs" LinkBase="Shared/Core" />
+    <Compile Include="$(AzureCoreSharedSources)Base64Url.cs" LinkBase="Shared/Core" />
     <Compile Include="$(AzureCoreSharedSources)AzureKeyCredentialPolicy.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)LightweightPkcs8Decoder.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)PemReader.cs" LinkBase="Shared" />
   </ItemGroup>
 
   <ItemGroup>
     <PackageReference Include="Azure.Core" />
+    <PackageReference Include="Azure.Security.KeyVault.Keys" />
     <PackageReference Include="System.ClientModel" />
     <PackageReference Include="System.Text.Json" />
     <PackageReference Include="System.Security.Cryptography.Cose" />

sdk/confidentialledger/Azure.Security.CodeTransparency/samples/Sample2_ReceiptDownloadVerification.md

@@ -33,23 +33,23 @@ protected CodeTransparencyCertificateClient()
         }
 
         /// <summary> Initializes a new instance of CertificateClient.</summary>
-        /// <param name="certificateEndpoint"> The Identity Service URL. </param>
-        /// <exception cref="ArgumentNullException"> <paramref name="certificateEndpoint"/> </exception>
-        public CodeTransparencyCertificateClient(Uri certificateEndpoint) : this(certificateEndpoint, new CodeTransparencyClientOptions())
+        /// <param name="endpoint"> The Identity Service URL. </param>
+        /// <exception cref="ArgumentNullException"> <paramref name="endpoint"/> </exception>
+        public CodeTransparencyCertificateClient(Uri endpoint) : this(endpoint, new CodeTransparencyClientOptions())
         {
         }
 
         /// <summary> Initializes a new instance of CertificateClient.</summary>
-        /// <param name="certificateEndpoint"> The Identity Service URL. </param>
+        /// <param name="endpoint"> The Identity Service URL. </param>
         /// <param name="options"> The options for configuring the client. </param>
-        /// <exception cref="ArgumentNullException"> <paramref name="certificateEndpoint"/> </exception>
-        public CodeTransparencyCertificateClient(Uri certificateEndpoint, CodeTransparencyClientOptions options)
+        /// <exception cref="ArgumentNullException"> <paramref name="endpoint"/> </exception>
+        public CodeTransparencyCertificateClient(Uri endpoint, CodeTransparencyClientOptions options)
         {
-            Argument.AssertNotNull(certificateEndpoint, nameof(certificateEndpoint));
+            Argument.AssertNotNull(endpoint, nameof(endpoint));
             Argument.AssertNotNull(options, nameof(options));
             ClientDiagnostics = new(options, true);
             _pipeline = HttpPipelineBuilder.Build(options, Array.Empty<HttpPipelinePolicy>(), Array.Empty<HttpPipelinePolicy>(), new ResponseClassifier());
-            _certificateEndpoint = certificateEndpoint;
+            _certificateEndpoint = endpoint;
             _results = new ConcurrentDictionary<string, ServiceIdentityResult>();
             _cacheTTLSec = options.CacheTTLSeconds;
         }