feat: Implement CAWG X.509 signing via settings (#1388)

Author: scouten-adobe

cli/docs/cawg_x509_signing.md

@@ -0,0 +1,33 @@
+# Using an X.509 certificate for CAWG signing
+
+The `c2patool` uses some custom properties in the `cawg_x509_signer` section of the settings file for signing:
+
+- `private_key`: Path to the private key file.
+- `sign_cert`: Path to the signing certificate file.
+- `alg`: Algorithm to use, if not the default ES256.
+
+Both the private key and signing certificate must be in PEM (privacy-enhanced mail) format. The signing certificate must contain a PEM certificate chain starting with the end-entity certificate used to sign the claim ending with the intermediate certificate before the root CA certificate. 
+
+If the settings file doesn't include the `cawg_x509_signer.sign_cert` and `cawg_x509_signer.private_key` properties, c2patool will not generate a CAWG identity assertion. An example settings file demonstrating how this works is provided in the [c2patool repo sample folder](https://github.com/contentauth/c2pa-rs/tree/main/cli/tests/fixtures/trust/cawg_sign_settings.toml). 
+
+If you are using a signing algorithm other than the default `es256`, specify it in the manifest definition field `alg` with one of the following values:
+
+- `ps256`
+- `ps384`
+- `ps512`
+- `es256`
+- `es384`
+- `es512`
+- `ed25519`
+
+The specified algorithm must be compatible with the values of private key and signing certificate.  For more information, see [Signing manfiests](https://opensource.contentauthenticity.org/docs/signing-manifests).
+
+To sign an asset using this technique, adapt the following command-line invocation:
+
+```sh
+$ c2patool \
+    --settings (path to settings.toml file) \
+    (path to source file) \
+    -m (path to manifest definition file) \
+    -o (path to output file)
+```

cli/src/main.rs

@@ -740,7 +740,11 @@ fn main() -> Result<()> {
 
             Box::new(signer)
         } else {
-            sign_config.signer()?
+            match Settings::signer() {
+                Ok(signer) => signer,
+                Err(Error::MissingSignerSettings) => sign_config.signer()?,
+                Err(err) => Err(err)?,
+            }
         };
 
         if let Some(output) = args.output {

cli/tests/fixtures/trust/cawg_sign_settings.toml

@@ -616,3 +616,37 @@ fn tool_read_image_with_details_with_cawg_data() -> Result<(), Box<dyn Error>> {
         .stdout(str::contains("cawg.identity.well-formed"));
     Ok(())
 }
+
+#[test]
+// c2patool --settings .../trust/cawg_test_settings.toml C_with_CAWG_data.jpg
+fn tool_sign_image_with_cawg_data() -> Result<(), Box<dyn Error>> {
+    let tmp_dir = tempdir()?;
+    let file_path = tmp_dir.path().join("same_image.jpg");
+    fs::copy(fixture_path(TEST_IMAGE), &file_path)?;
+
+    let output_path = tmp_dir.path().join("same_image_cawg_signed.jpg");
+
+    Command::cargo_bin("c2patool")?
+        .arg("--settings")
+        .arg(fixture_path("trust/cawg_sign_settings.toml"))
+        .arg(&file_path)
+        .arg("-m")
+        .arg(fixture_path("ingredient_test.json"))
+        .arg("-o")
+        .arg(&output_path)
+        .arg("-f")
+        .assert()
+        .success();
+
+    Command::cargo_bin("c2patool")?
+        .arg("--settings")
+        .arg(fixture_path("trust/cawg_sign_settings.toml"))
+        .arg(&output_path)
+        .assert()
+        .success()
+        .stdout(str::contains("cawg.identity"))
+        .stdout(str::contains("c2pa.assertions/cawg.training-mining"));
+    // .stdout(str::contains("cawg.identity.well-formed"));
+    // ^^ Enable this when #1356 lands.
+    Ok(())
+}

cli/tests/integration.rs

@@ -259,6 +259,8 @@ pub struct Settings {
     builder: BuilderSettings,
     #[serde(skip_serializing_if = "Option::is_none")]
     signer: Option<SignerSettings>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    cawg_x509_signer: Option<SignerSettings>,
 }
 
 impl Settings {
@@ -412,7 +414,7 @@ impl Settings {
         Ok(toml::to_string_pretty(&settings)?)
     }
 
-    /// Returns the construct signer from the `signer` field.
+    /// Returns the constructed signer from the `signer` field.
     ///
     /// If the signer settings aren't specified, this function will return [Error::MissingSignerSettings].
     #[inline]
@@ -432,6 +434,7 @@ impl Default for Settings {
             verify: Default::default(),
             builder: Default::default(),
             signer: None,
+            cawg_x509_signer: None,
         }
     }
 }
@@ -446,6 +449,9 @@ impl SettingsValidate for Settings {
         if let Some(signer) = &self.signer {
             signer.validate()?;
         }
+        if let Some(cawg_x509_signer) = &self.cawg_x509_signer {
+            cawg_x509_signer.validate()?;
+        }
         self.trust.validate()?;
         self.cawg_trust.validate()?;
         self.core.validate()?;

sdk/src/settings/mod.rs

@@ -15,13 +15,19 @@ use serde::{Deserialize, Serialize};
 
 use crate::{
     create_signer,
+    crypto::raw_signature::RawSigner,
+    dynamic_assertion::DynamicAssertion,
+    identity::{builder::IdentityAssertionBuilder, x509::X509CredentialHolder},
     settings::{Settings, SettingsValidate},
     Error, Result, Signer, SigningAlg,
 };
 
-/// Settings for configuring a local or remote [Signer][crate::Signer].
+/// Settings for configuring a local or remote [`Signer`].
 ///
-/// A [Signer][crate::Signer] can be obtained by calling [BuilderSettings::signer].
+/// A [`Signer`] can be obtained by calling the [`signer()`] function.
+///
+/// [`Signer`]: crate::Signer
+/// [`signer()`]: Builder::signer
 #[allow(unused)]
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
 #[serde(rename_all = "lowercase")]
@@ -58,7 +64,46 @@ impl SignerSettings {
     ///
     /// If the signer settings aren't specified, this function will return [Error::MissingSignerSettings][crate::Error::MissingSignerSettings].
     pub fn signer() -> Result<Box<dyn Signer>> {
+        let c2pa_signer = Self::c2pa_signer()?;
+
+        // TO DISCUSS: What if get_value returns an Err(...)?
+        if let Ok(Some(cawg_x509_settings)) =
+            Settings::get_value::<Option<SignerSettings>>("cawg_x509_signer")
+        {
+            match cawg_x509_settings {
+                SignerSettings::Local {
+                    alg: cawg_alg,
+                    sign_cert: cawg_sign_cert,
+                    private_key: cawg_private_key,
+                    tsa_url: cawg_tsa_url,
+                } => {
+                    let cawg_dual_signer = CawgX509IdentitySigner {
+                        c2pa_signer,
+                        cawg_alg,
+                        cawg_sign_cert,
+                        cawg_private_key,
+                        cawg_tsa_url,
+                    };
+
+                    Ok(Box::new(cawg_dual_signer))
+                }
+
+                SignerSettings::Remote {
+                    url: _url,
+                    alg: _alg,
+                    sign_cert: _sign_cert,
+                    tsa_url: _tsa_url,
+                } => todo!("Remote CAWG X.509 signing not yet supported"),
+            }
+        } else {
+            Ok(c2pa_signer)
+        }
+    }
+
+    /// Returns a C2PA-only signer from the [`BuilderSettings::signer`] field.
+    fn c2pa_signer() -> Result<Box<dyn Signer>> {
         let signer_info = Settings::get_value::<Option<SignerSettings>>("signer");
+
         match signer_info {
             Ok(Some(signer_info)) => match signer_info {
                 SignerSettings::Local {
@@ -107,6 +152,85 @@ impl SettingsValidate for SignerSettings {
     }
 }
 
+struct CawgX509IdentitySigner {
+    c2pa_signer: Box<dyn Signer>,
+    cawg_alg: SigningAlg,
+    cawg_sign_cert: String,
+    cawg_private_key: String,
+    cawg_tsa_url: Option<String>,
+    // NOTE: The CAWG signing settings are stored here because
+    // we can't clone or transfer ownership of an `X509CredentialHolder`
+    // inside the dynamic_assertions callback.
+}
+
+impl Signer for CawgX509IdentitySigner {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
+        Signer::sign(&self.c2pa_signer, data)
+    }
+
+    fn alg(&self) -> SigningAlg {
+        Signer::alg(&self.c2pa_signer)
+    }
+
+    fn certs(&self) -> Result<Vec<Vec<u8>>> {
+        self.c2pa_signer.certs()
+    }
+
+    fn reserve_size(&self) -> usize {
+        Signer::reserve_size(&self.c2pa_signer)
+    }
+
+    fn time_authority_url(&self) -> Option<String> {
+        self.c2pa_signer.time_authority_url()
+    }
+
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        self.c2pa_signer.timestamp_request_headers()
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        self.c2pa_signer.timestamp_request_body(message)
+    }
+
+    fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        self.c2pa_signer.send_timestamp_request(message)
+    }
+
+    fn ocsp_val(&self) -> Option<Vec<u8>> {
+        self.c2pa_signer.ocsp_val()
+    }
+
+    fn direct_cose_handling(&self) -> bool {
+        self.c2pa_signer.direct_cose_handling()
+    }
+
+    fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
+        let Ok(raw_signer) = crate::crypto::raw_signature::signer_from_cert_chain_and_private_key(
+            self.cawg_sign_cert.as_bytes(),
+            self.cawg_private_key.as_bytes(),
+            self.cawg_alg,
+            self.cawg_tsa_url.clone(),
+        ) else {
+            // dynamic_assertions() API doesn't let us fail.
+            // signer_from_cert_chain_and_private_key rarely fails,
+            // so when it does, we do so silently.
+            return vec![];
+        };
+
+        let x509_credential_holder = X509CredentialHolder::from_raw_signer(raw_signer);
+
+        let iab = IdentityAssertionBuilder::for_credential_holder(x509_credential_holder);
+
+        // TODO: Configure referenced assertions and role.
+
+        vec![Box::new(iab)]
+    }
+
+    fn raw_signer(&self) -> Option<Box<&dyn RawSigner>> {
+        self.c2pa_signer.raw_signer()
+    }
+}
+
 #[cfg(not(target_arch = "wasm32"))]
 #[derive(Debug)]
 pub(crate) struct RemoteSigner {