chore: more work towards supporting p7s

Author: Emyrk

cli/add.go

@@ -16,6 +16,7 @@ import (
 
 func add() *cobra.Command {
 	addFlags, opts := serverFlags()
+
 	cmd := &cobra.Command{
 		Use:   "add <source>",
 		Short: "Add an extension to the marketplace",

cli/server.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net"
 	"net/http"
+	"os"
 	"os/signal"
 	"strings"
 	"time"
@@ -24,14 +25,18 @@ import (
 
 func serverFlags() (addFlags func(cmd *cobra.Command), opts *storage.Options) {
 	opts = &storage.Options{}
-	var sign bool
+	var certificates []string
+	var signingKeyFile string
 	return func(cmd *cobra.Command) {
 		cmd.Flags().StringVar(&opts.ExtDir, "extensions-dir", "", "The path to extensions.")
 		cmd.Flags().StringVar(&opts.Artifactory, "artifactory", "", "Artifactory server URL.")
 		cmd.Flags().StringVar(&opts.Repo, "repo", "", "Artifactory repository.")
-		cmd.Flags().BoolVar(&sign, "sign", false, "Sign extensions.")
-		_ = cmd.Flags().MarkHidden("sign") // This flag needs to import a key, not just be a bool
-
+		cmd.Flags().DurationVar(&opts.ListCacheDuration, "list-cache-duration", time.Minute, "The duration of the extension cache.")
+		cmd.Flags().StringArrayVar(&certificates, "certs", []string{}, "The path to certificates that match the signing key.")
+		cmd.Flags().StringVar(&signingKeyFile, "key", "", "The path to signing key file in PEM format.")
+		cmd.Flags().BoolVar(&opts.SaveSigZips, "save-sigs", false, "Save signed extensions to disk for debugging.")
+		_ = cmd.Flags().MarkHidden("save-sigs")
+		
 		if cmd.Use == "server" {
 			// Server only flags
 			cmd.Flags().DurationVar(&opts.ListCacheDuration, "list-cache-duration", time.Minute, "The duration of the extension cache.")
@@ -54,8 +59,21 @@ func serverFlags() (addFlags func(cmd *cobra.Command), opts *storage.Options) {
 			if before != nil {
 				return before(cmd, args)
 			}
-			if sign { // TODO: Remove this for an actual key import
-				opts.Signer, _ = extensionsign.GenerateKey()
+			if signingKeyFile != "" { // TODO: Remove this for an actual key import
+				signingKey, err := os.ReadFile(signingKeyFile)
+				if err != nil {
+					return xerrors.Errorf("read signing key: %w", err)
+				}
+
+				signer, err := extensionsign.LoadKey(signingKey)
+				if err != nil {
+					return xerrors.Errorf("load signing key: %w", err)
+				}
+				opts.Signer = signer
+				opts.Certificates, err = extensionsign.LoadCertificatesFromDisk(cmd.Context(), opts.Logger, certificates)
+				if err != nil {
+					return xerrors.Errorf("load certificates: %w", err)
+				}
 			}
 			return nil
 		}

cli/signature.go

@@ -1,13 +1,16 @@
 package cli
 
 import (
+	"crypto/x509"
 	"fmt"
 	"os"
 
+	cms "github.com/github/smimesign/ietf-cms"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/code-marketplace/extensionsign"
+	"github.com/coder/code-marketplace/extensionsign/verify"
 )
 
 func signature() *cobra.Command {
@@ -17,7 +20,63 @@ func signature() *cobra.Command {
 		Hidden:  true, // Debugging tools
 		Aliases: []string{"sig", "sigs", "signatures"},
 	}
-	cmd.AddCommand(compareSignatureSigZips())
+	cmd.AddCommand(compareSignatureSigZips(), verifyCmd(), decodeSigCmd())
+	return cmd
+}
+
+func decodeSigCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:  "decode",
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			data, err := os.ReadFile(args[0])
+			if err != nil {
+				return xerrors.Errorf("read %q: %w", args[0], err)
+			}
+
+			signed, err := extensionsign.ExtractP7SSig(data)
+			if err != nil {
+				return xerrors.Errorf("extract p7s: %w", err)
+			}
+
+			sd, err := cms.ParseSignedData(signed)
+			if err != nil {
+				return xerrors.Errorf("new signed data: %w", err)
+			}
+
+			fmt.Println("Detached:", sd.IsDetached())
+			certs, err := sd.GetCertificates()
+			if err != nil {
+				return xerrors.Errorf("get certs: %w", err)
+			}
+			fmt.Println("Certificates:", len(certs))
+
+			sdData, err := sd.GetData()
+			if err != nil {
+				return xerrors.Errorf("get data: %w", err)
+			}
+			fmt.Println("Data:", len(sdData))
+
+			vcerts, err := sd.Verify(x509.VerifyOptions{})
+			if err != nil {
+				return xerrors.Errorf("verify: %w", err)
+			}
+			var _ = vcerts
+
+			return nil
+		},
+	}
+	return cmd
+}
+
+func verifyCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use: "verify",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			return verify.DownloadVsceSign(ctx)
+		},
+	}
 	return cmd
 }
 

extensionsign/doc.go

@@ -1,2 +1,3 @@
 // Package extensionsign is a Go implementation of https://github.com/filiptronicek/node-ovsx-sign
+// See https://github.com/eclipse/openvsx/issues/543
 package extensionsign

extensionsign/key.go

@@ -1,8 +1,18 @@
 package extensionsign
 
 import (
+	"context"
+	"crypto"
 	"crypto/ed25519"
 	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
 )
 
 func GenerateKey() (ed25519.PrivateKey, error) {
@@ -12,3 +22,60 @@ func GenerateKey() (ed25519.PrivateKey, error) {
 	}
 	return private, nil
 }
+
+// To generate a new self signed certificate using openssl:
+// openssl req -x509 -newkey Ed25519 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
+// openssl req -x509 -newkey rsa:4096 -keyout key2.pem -out cert2.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
+
+func LoadCertificatesFromDisk(ctx context.Context, logger slog.Logger, files []string) ([]*x509.Certificate, error) {
+	var certs []*x509.Certificate
+	for _, file := range files {
+		certData, err := os.ReadFile(file)
+		if err != nil {
+			return nil, xerrors.Errorf("read cert file %q: %w", file, err)
+		}
+
+		for {
+			block, rest := pem.Decode(certData)
+
+			crt, err := x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return nil, xerrors.Errorf("load certificate %q: %w", file, err)
+			}
+			logger.Info(ctx, "Loaded certificate",
+				slog.F("file", file),
+				slog.F("subject", crt.Subject.CommonName),
+			)
+			certs = append(certs, crt)
+
+			if len(rest) == 0 {
+				break
+			}
+			certData = rest
+		}
+
+	}
+	return certs, nil
+}
+
+// LoadKey takes in a PEM encoded secret
+func LoadKey(secret []byte) (crypto.Signer, error) {
+	data, rest := pem.Decode(secret)
+	if len(rest) > 0 {
+		return nil, xerrors.Errorf("extra data after PEM block")
+	}
+
+	sec, err := x509.ParsePKCS8PrivateKey(data.Bytes)
+	if err != nil {
+		_, err2 := x509.ParsePKCS1PrivateKey(secret)
+		fmt.Println(err2)
+		return nil, err
+	}
+
+	signer, ok := sec.(crypto.Signer)
+	if !ok {
+		return nil, xerrors.Errorf("%T is not a crypto.Signer and is not supported", sec)
+	}
+
+	return signer, nil
+}

extensionsign/sigzip.go

@@ -4,9 +4,11 @@ import (
 	"archive/zip"
 	"bytes"
 	"crypto"
-	"crypto/rand"
+	"crypto/x509"
 	"encoding/json"
+	"io"
 
+	cms "github.com/github/smimesign/ietf-cms"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/code-marketplace/storage/easyzip"
@@ -27,8 +29,18 @@ func ExtractSignatureManifest(zip []byte) (SignatureManifest, error) {
 	return manifest, nil
 }
 
+func ExtractP7SSig(zip []byte) ([]byte, error) {
+	r, err := easyzip.GetZipFileReader(zip, ".signature.p7s")
+	if err != nil {
+		return nil, xerrors.Errorf("get p7s: %w", err)
+	}
+
+	defer r.Close()
+	return io.ReadAll(r)
+}
+
 // SignAndZipManifest signs a manifest and zips it up
-func SignAndZipManifest(secret crypto.Signer, manifest json.RawMessage) ([]byte, error) {
+func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, manifest json.RawMessage) ([]byte, error) {
 	var buf bytes.Buffer
 	w := zip.NewWriter(&buf)
 
@@ -43,23 +55,18 @@ func SignAndZipManifest(secret crypto.Signer, manifest json.RawMessage) ([]byte,
 	}
 
 	// Empty file
-	_, err = w.Create(".signature.p7s")
+	p7sFile, err := w.Create(".signature.p7s")
 	if err != nil {
 		return nil, xerrors.Errorf("create empty p7s signature: %w", err)
 	}
 
-	// Actual sig
-	sigFile, err := w.Create(".signature.sig")
-	if err != nil {
-		return nil, xerrors.Errorf("create signature: %w", err)
-	}
-
-	signature, err := secret.Sign(rand.Reader, manifest, crypto.Hash(0))
+	// Signature file
+	signature, err := cms.SignDetached(manifest, certs, secret)
 	if err != nil {
 		return nil, xerrors.Errorf("sign: %w", err)
 	}
 
-	_, err = sigFile.Write(signature)
+	_, err = p7sFile.Write(signature)
 	if err != nil {
 		return nil, xerrors.Errorf("write signature: %w", err)
 	}

extensionsign/verify/examples/Microsoft.VisualStudio.Services.VSIXPackage

@@ -0,0 +1,2 @@
+https://ms-python.gallerycdn.vsassets.io/extensions/ms-python/python/2024.23.2024121003/1733845882640/Microsoft.VisualStudio.Code.Manifest
+https://ms-python.gallerycdn.vsassets.io/extensions/ms-python/python/2024.23.2024121003/1733845882640/Microsoft.VisualStudio.Services.VsixSignature

extensionsign/verify/examples/Microsoft.VisualStudio.Services.VsixSignature

@@ -0,0 +1,12 @@
+
+import { verify } from "@vscode/vsce-sign";
+
+
+if(process.argv.length < 2) {
+    console.log("Usage: node main.js <extension.vsix> <extension.sigzip>")
+    process.exit(1)
+}
+
+verify(process.argv[0], process.argv[1], "true").then((x) => {
+    console.log(x)
+})