chore: adding debugging code

Emyrk · Emyrk · commit ccad7c0d47d1 · 2024-12-13T10:50:22.000-06:00
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ bin
 coverage
 extensions
 .idea
+.run
diff --git a/cli/server.go b/cli/server.go
@@ -31,12 +31,11 @@ func serverFlags() (addFlags func(cmd *cobra.Command), opts *storage.Options) {
 		cmd.Flags().StringVar(&opts.ExtDir, "extensions-dir", "", "The path to extensions.")
 		cmd.Flags().StringVar(&opts.Artifactory, "artifactory", "", "Artifactory server URL.")
 		cmd.Flags().StringVar(&opts.Repo, "repo", "", "Artifactory repository.")
-		cmd.Flags().DurationVar(&opts.ListCacheDuration, "list-cache-duration", time.Minute, "The duration of the extension cache.")
 		cmd.Flags().StringArrayVar(&certificates, "certs", []string{}, "The path to certificates that match the signing key.")
 		cmd.Flags().StringVar(&signingKeyFile, "key", "", "The path to signing key file in PEM format.")
 		cmd.Flags().BoolVar(&opts.SaveSigZips, "save-sigs", false, "Save signed extensions to disk for debugging.")
 		_ = cmd.Flags().MarkHidden("save-sigs")
-		
+
 		if cmd.Use == "server" {
 			// Server only flags
 			cmd.Flags().DurationVar(&opts.ListCacheDuration, "list-cache-duration", time.Minute, "The duration of the extension cache.")
diff --git a/cli/signature.go b/cli/signature.go
@@ -1,21 +1,22 @@
 package cli
 
 import (
+	"context"
 	"crypto/x509"
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
+	"path/filepath"
 	"strings"
 
 	cms "github.com/github/smimesign/ietf-cms"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
-	"github.com/coder/code-marketplace/storage/easyzip"
-
 	"github.com/coder/code-marketplace/extensionsign"
-	"github.com/coder/code-marketplace/extensionsign/verify"
+	"github.com/coder/code-marketplace/storage/easyzip"
 )
 
 func signature() *cobra.Command {
@@ -26,89 +27,172 @@ func signature() *cobra.Command {
 		Aliases: []string{"sig", "sigs", "signatures"},
 	}
 
-	cmd.AddCommand(compareSignatureSigZips(), verifyCmd(), decodeSigCmd())
+	cmd.AddCommand(compareSignatureSigZips(), verifySig())
 	return cmd
 }
 
-func decodeSigCmd() *cobra.Command {
+func verifySig() *cobra.Command {
 	cmd := &cobra.Command{
-
-		Use:   "decode",
-		Short: "Decode a signature archive.",
-		Args:  cobra.ExactArgs(1),
+		Use:   "verify",
+		Short: "Decode & verify a signature archive.",
+		Args:  cobra.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			logger := cmdLogger(cmd)
 			ctx := cmd.Context()
-			logger.Info(ctx, fmt.Sprintf("Decoding %q", args[0]))
+			extensionVsix := args[0]
+			p7sFile := args[1]
 
-			data, err := os.ReadFile(args[0])
-			if err != nil {
-				return xerrors.Errorf("read %q: %w", args[0], err)
-			}
+			logger.Info(ctx, fmt.Sprintf("Decoding %q", p7sFile))
 
-			signed, err := extensionsign.ExtractP7SSig(data)
+			data, err := os.ReadFile(p7sFile)
 			if err != nil {
-				return xerrors.Errorf("extract p7s: %w", err)
+				return xerrors.Errorf("read %q: %w", p7sFile, err)
 			}
 
-			detachedDataR, err := easyzip.GetZipFileReader(data, ".signature.manifest")
+			msg, err := easyzip.GetZipFileReader(data, ".signature.manifest")
 			if err != nil {
 				return xerrors.Errorf("get manifest: %w", err)
 			}
-			detachedData, err := io.ReadAll(detachedDataR)
+			msgData, err := io.ReadAll(msg)
 			if err != nil {
 				return xerrors.Errorf("read manifest: %w", err)
 			}
 
-			sd, err := cms.ParseSignedData(signed)
+			signed, err := extensionsign.ExtractP7SSig(data)
 			if err != nil {
-				return xerrors.Errorf("new signed data: %w", err)
+				return xerrors.Errorf("extract p7s: %w", err)
 			}
 
-			fmt.Println("Detached:", sd.IsDetached())
-			certs, err := sd.GetCertificates()
+			fmt.Println("----------------Golang Verify----------------")
+			valid, err := goVerify(ctx, logger, msgData, signed)
 			if err != nil {
-				return xerrors.Errorf("get certs: %w", err)
+				logger.Error(ctx, "go verify", slog.Error(err))
 			}
-			fmt.Println("Certificates:", len(certs))
+			logger.Info(ctx, fmt.Sprintf("Valid: %t", valid))
 
-			sdData, err := sd.GetData()
+			fmt.Println("----------------OpenSSL Verify----------------")
+			valid, err = openSSLVerify(ctx, logger, msgData, signed)
 			if err != nil {
-				return xerrors.Errorf("get data: %w", err)
+				logger.Error(ctx, "openssl verify", slog.Error(err))
 			}
-			fmt.Println("Data:", len(sdData))
-
-			var verifyErr error
-			var vcerts [][][]*x509.Certificate
+			logger.Info(ctx, fmt.Sprintf("Valid: %t", valid))
 
-			sys, err := x509.SystemCertPool()
+			fmt.Println("----------------vsce-sign Verify----------------")
+			valid, err = vsceSignVerify(ctx, logger, extensionVsix, p7sFile)
 			if err != nil {
-				return xerrors.Errorf("system cert pool: %w", err)
-			}
-			opts := x509.VerifyOptions{
-				Intermediates: sys,
-				Roots:         sys,
+				logger.Error(ctx, "openssl verify", slog.Error(err))
 			}
-
-			if sd.IsDetached() {
-				vcerts, verifyErr = sd.VerifyDetached(detachedData, opts)
-			} else {
-				vcerts, verifyErr = sd.Verify(opts)
-			}
-			if verifyErr != nil {
-				logger.Fatal(ctx, "verify", slog.Error(verifyErr))
-			}
-
-			certChain := dimensions(vcerts)
-			fmt.Println("Verified!")
-			fmt.Println(certChain)
+			logger.Info(ctx, fmt.Sprintf("Valid: %t", valid))
 
 			return nil
 		},
 	}
 	return cmd
 }
 
+func goVerify(ctx context.Context, logger slog.Logger, message []byte, signature []byte) (bool, error) {
+	sd, err := cms.ParseSignedData(signature)
+	if err != nil {
+		return false, xerrors.Errorf("new signed data: %w", err)
+	}
+
+	fmt.Println("Detached:", sd.IsDetached())
+	certs, err := sd.GetCertificates()
+	if err != nil {
+		return false, xerrors.Errorf("get certs: %w", err)
+	}
+	fmt.Println("Certificates:", len(certs))
+
+	sdData, err := sd.GetData()
+	if err != nil {
+		return false, xerrors.Errorf("get data: %w", err)
+	}
+	fmt.Println("Data:", len(sdData))
+
+	var verifyErr error
+	var vcerts [][][]*x509.Certificate
+
+	sys, err := x509.SystemCertPool()
+	if err != nil {
+		return false, xerrors.Errorf("system cert pool: %w", err)
+	}
+	opts := x509.VerifyOptions{
+		Intermediates: sys,
+		Roots:         sys,
+	}
+
+	if sd.IsDetached() {
+		vcerts, verifyErr = sd.VerifyDetached(message, opts)
+	} else {
+		vcerts, verifyErr = sd.Verify(opts)
+	}
+	if verifyErr != nil {
+		logger.Error(ctx, "verify", slog.Error(verifyErr))
+	}
+
+	certChain := dimensions(vcerts)
+	fmt.Println(certChain)
+	return verifyErr == nil, nil
+}
+
+func openSSLVerify(ctx context.Context, logger slog.Logger, message []byte, signature []byte) (bool, error) {
+	// openssl cms -verify -in message_from_alice_for_bob.msg -inform DER -CAfile ehealth_root_ca.cer | openssl cms -decrypt -inform DER -recip bob_etk_pair.pem  | openssl cms -inform DER -cmsout -print
+	tmpdir := os.TempDir()
+	tmpdir = filepath.Join(tmpdir, "verify-sigs")
+	defer os.RemoveAll(tmpdir)
+	os.MkdirAll(tmpdir, 0755)
+	msgPath := filepath.Join(tmpdir, ".signature.manifest")
+	err := os.WriteFile(msgPath, message, 0644)
+	if err != nil {
+		return false, xerrors.Errorf("write message: %w", err)
+	}
+
+	sigPath := filepath.Join(tmpdir, ".signature.p7s")
+	err = os.WriteFile(sigPath, signature, 0644)
+	if err != nil {
+		return false, xerrors.Errorf("write signature: %w", err)
+	}
+
+	cmd := exec.CommandContext(ctx, "openssl", "smime", "-verify",
+		"-in", sigPath, "-content", msgPath, "-inform", "DER",
+		"-CAfile", "/home/steven/go/src/github.com/coder/code-marketplace/extensionsign/testdata/cert2.pem",
+	)
+	output := &strings.Builder{}
+	cmd.Stdout = output
+	cmd.Stderr = output
+	err = cmd.Run()
+	fmt.Println(output.String())
+	if err != nil {
+		return false, xerrors.Errorf("run verify %q: %w", cmd.String(), err)
+	}
+
+	return cmd.ProcessState.ExitCode() == 0, nil
+}
+
+func vsceSignVerify(ctx context.Context, logger slog.Logger, vsixPath, sigPath string) (bool, error) {
+	bin := os.Getenv("VSCE_SIGN_PATH")
+	if bin == "" {
+		return false, xerrors.Errorf("VSCE_SIGN_PATH not set")
+	}
+
+	cmd := exec.CommandContext(ctx, bin, "verify",
+		"--package", vsixPath,
+		"--signaturearchive", sigPath,
+		"-v",
+	)
+	fmt.Println(cmd.String())
+	output := &strings.Builder{}
+	cmd.Stdout = output
+	cmd.Stderr = output
+	err := cmd.Run()
+	fmt.Println(output.String())
+	if err != nil {
+		return false, xerrors.Errorf("run verify %q: %w", cmd.String(), err)
+	}
+
+	return cmd.ProcessState.ExitCode() == 0, nil
+}
+
 func dimensions(chain [][][]*x509.Certificate) string {
 	var str strings.Builder
 	for _, top := range chain {
@@ -123,17 +207,6 @@ func dimensions(chain [][][]*x509.Certificate) string {
 	return str.String()
 }
 
-func verifyCmd() *cobra.Command {
-	cmd := &cobra.Command{
-		Use: "verify",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			ctx := cmd.Context()
-			return verify.DownloadVsceSign(ctx)
-		},
-	}
-	return cmd
-}
-
 func compareSignatureSigZips() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:  "compare",
diff --git a/extensionsign/algo.go b/extensionsign/algo.go
@@ -0,0 +1,82 @@
+package extensionsign
+
+import (
+	"context"
+	"crypto"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	cms "github.com/github/smimesign/ietf-cms"
+	"golang.org/x/xerrors"
+)
+
+var SigningAlgorithm = OpenSSLSign
+
+func CMSAlgo(data []byte, certs []*x509.Certificate, signer crypto.Signer) (result []byte, err error) {
+	return cms.SignDetached(data, certs, signer)
+}
+
+// openssl smime -sign -signer <cert> -inkey <key> -binary -in .signature.manifest -outform der -out openssl.p7s
+func OpenSSLSign(data []byte, certs []*x509.Certificate, signer crypto.Signer) (result []byte, err error) {
+	tmpdir := os.TempDir()
+	tmpdir = filepath.Join(tmpdir, "sign-sigs")
+	defer os.RemoveAll(tmpdir)
+
+	err = os.MkdirAll(tmpdir, 0755)
+	if err != nil {
+		return nil, xerrors.Errorf("create temp dir: %w", err)
+	}
+
+	certPath := filepath.Join(tmpdir, "certs.pem")
+	certFile, err := os.OpenFile(certPath, os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return nil, xerrors.Errorf("open cert file: %w", err)
+	}
+
+	for _, cert := range certs {
+		if len(cert.Raw) == 0 {
+			return nil, xerrors.Errorf("empty certificate")
+		}
+		err = pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	keyPath := "/home/steven/go/src/github.com/coder/code-marketplace/extensionsign/testdata/key2.pem"
+	//keyFile, err := os.Open(keyPath)
+	//if err != nil {
+	//	return nil, err
+	//}
+	//pem.Encode(keyFile, &pem.Block{Type: "PRIVATE KEY", )
+
+	msgPath := filepath.Join(tmpdir, ".signature.manifest")
+	messageFile, err := os.OpenFile(msgPath, os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return nil, err
+	}
+	_, err = messageFile.Write(data)
+	if err != nil {
+		return nil, xerrors.Errorf("write message: %w", err)
+	}
+
+	signed := filepath.Join(tmpdir, "openssl.p7s")
+	cmd := exec.CommandContext(context.Background(), "openssl", "cms", "-sign",
+		"-signer", certPath,
+		"-inkey", keyPath,
+		"-binary",
+		"-in", msgPath,
+		"-outform", "der",
+		"-out", signed,
+	)
+
+	err = cmd.Run()
+	if err != nil {
+		return nil, xerrors.Errorf("run openssl: %w", err)
+	}
+
+	return os.ReadFile(signed)
+}
diff --git a/extensionsign/sigzip.go b/extensionsign/sigzip.go
@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"io"
 
-	cms "github.com/github/smimesign/ietf-cms"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/code-marketplace/storage/easyzip"
@@ -61,7 +60,7 @@ func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, manifes
 	}
 
 	// Signature file
-	signature, err := cms.SignDetached(manifest, certs, secret)
+	signature, err := SigningAlgorithm(manifest, certs, secret)
 	if err != nil {
 		return nil, xerrors.Errorf("sign: %w", err)
 	}
diff --git a/extensionsign/verify/examples/extension.vsix b/extensionsign/verify/examples/extension.vsix
diff --git a/extensionsign/verify/examples/signature.p7s b/extensionsign/verify/examples/signature.p7s
diff --git a/storage/signature.go b/storage/signature.go
@@ -9,7 +9,6 @@ import (
 	"io/fs"
 	"path/filepath"
 
-	cms "github.com/github/smimesign/ietf-cms"
 	"github.com/spf13/afero/mem"
 	"golang.org/x/xerrors"
 
@@ -51,7 +50,7 @@ func NewSignatureStorage(logger slog.Logger, signer crypto.Signer, certs []*x509
 	}
 
 	// Attempt to sign something to ensure certs/keys are correct and supported
-	_, err := cms.SignDetached([]byte("testing configuration"), certs, signer)
+	_, err := extensionsign.SigningAlgorithm([]byte("testing configuration"), certs, signer)
 	if err != nil {
 		return nil, xerrors.Errorf("extension signer: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,6 @@ import (`
`8`	`8`	`"encoding/json"`
`9`	`9`	`"io"`
`10`	`10`
`11`		`- cms "github.com/github/smimesign/ietf-cms"`
`12`	`11`	`"golang.org/x/xerrors"`
`13`	`12`
`14`	`13`	`"github.com/coder/code-marketplace/storage/easyzip"`
`@@ -61,7 +60,7 @@ func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, manifes`
`61`	`60`	`}`
`62`	`61`
`63`	`62`	`// Signature file`
`64`		`- signature, err := cms.SignDetached(manifest, certs, secret)`
	`63`	`+ signature, err := SigningAlgorithm(manifest, certs, secret)`
`65`	`64`	`if err != nil {`
`66`	`65`	`return nil, xerrors.Errorf("sign: %w", err)`
`67`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,6 @@ import (`
`9`	`9`	`"io/fs"`
`10`	`10`	`"path/filepath"`
`11`	`11`
`12`		`- cms "github.com/github/smimesign/ietf-cms"`
`13`	`12`	`"github.com/spf13/afero/mem"`
`14`	`13`	`"golang.org/x/xerrors"`
`15`	`14`
`@@ -51,7 +50,7 @@ func NewSignatureStorage(logger slog.Logger, signer crypto.Signer, certs []*x509`
`51`	`50`	`}`
`52`	`51`
`53`	`52`	`// Attempt to sign something to ensure certs/keys are correct and supported`
`54`		`- _, err := cms.SignDetached([]byte("testing configuration"), certs, signer)`
	`53`	`+ _, err := extensionsign.SigningAlgorithm([]byte("testing configuration"), certs, signer)`
`55`	`54`	`if err != nil {`
`56`	`55`	`return nil, xerrors.Errorf("extension signer: %w", err)`
`57`	`56`	`}`