fixups

coder · Emyrk · Dec 12, 2024 · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
commit 7fe365c91aa9621a3d2655c211f79ff776346763
diff --git a/cli/signature.go b/cli/signature.go
@@ -4,7 +4,6 @@
 "context"
 "crypto/x509"
 "fmt"
-"io"
 "os"
 "os/exec"
 "path/filepath"
@@ -16,7 +15,6 @@
 
 "cdr.dev/slog"
 "github.com/coder/code-marketplace/extensionsign"
-"github.com/coder/code-marketplace/storage/easyzip"
 )
 
 func signature() *cobra.Command {
@@ -31,6 +29,10 @@
 return cmd
 }
 
+var (
+localCA = false
+)
+
 func verifySig() *cobra.Command {
 cmd := &cobra.Command{
 Use: "verify <extension.vsix> <signature.p7s>",
@@ -40,6 +42,11 @@
 logger := cmdLogger(cmd)
 ctx := cmd.Context()
 extensionVsix := args[0]
+msgData, err := os.ReadFile(extensionVsix)
+if err != nil {
+return xerrors.Errorf("read %q: %w", extensionVsix, err)
+}
+
 p7sFile := args[1]
 
 logger.Info(ctx, fmt.Sprintf("Decoding %q", p7sFile))
@@ -49,14 +56,14 @@
 return xerrors.Errorf("read %q: %w", p7sFile, err)
 }
 
-msg, err := easyzip.GetZipFileReader(data, extensionVsix)
-if err != nil {
-return xerrors.Errorf("get manifest: %w", err)
-}
-msgData, err := io.ReadAll(msg)
-if err != nil {
-return xerrors.Errorf("read manifest: %w", err)
-}
+//msg, err := easyzip.GetZipFileReader(data, extensionVsix)
+//if err != nil {
+//return xerrors.Errorf("get manifest: %w", err)
+//}
+//msgData, err := io.ReadAll(msg)
+//if err != nil {
+//return xerrors.Errorf("read manifest: %w", err)
+//}
 
 signed, err := extensionsign.ExtractP7SSig(data)
 if err != nil {
@@ -87,6 +94,7 @@
 return nil
 },
 }
+cmd.Flags().BoolVar(&localCA, "local-ca", true, "Use the local CA for verification.")
 return cmd
 }
 
@@ -140,7 +148,7 @@
 tmpdir := os.TempDir()
 tmpdir = filepath.Join(tmpdir, "verify-sigs")
 defer os.RemoveAll(tmpdir)
 os.MkdirAll(tmpdir, 0755)
 msgPath := filepath.Join(tmpdir, ".signature.manifest")
 err := os.WriteFile(msgPath, message, 0644)
 if err != nil {
@@ -153,12 +161,18 @@
 return false, xerrors.Errorf("write signature: %w", err)
 }
 
-cmd := exec.CommandContext(ctx, "openssl", "smime", "-verify",
+if localCA {
+
+}
+
+cmd := exec.CommandContext(ctx, "openssl", "cms", "-verify",
 "-in", sigPath, "-content", msgPath, "-inform", "DER",
-"-CAfile", "/home/steven/go/src/github.com/coder/code-marketplace/extensionsign/testdata/cert2.pem",
 )
+if localCA {
+cmd.Args = append(cmd.Args, "-CAfile", "/home/steven/go/src/github.com/coder/code-marketplace/extensionsign/testdata/cert2.pem")
+}
 output := &strings.Builder{}
-cmd.Stdout = output
+//cmd.Stdout = output
 cmd.Stderr = output
 err = cmd.Run()
 fmt.Println(output.String())

diff --git a/extensionsign/algo.go b/extensionsign/algo.go
@@ -13,7 +13,7 @@ import (
 "golang.org/x/xerrors"
 )
 
-var SigningAlgorithm = OpenSSLSign
+var SigningAlgorithm = CMSAlgo
 
 func CMSAlgo(data []byte, certs []*x509.Certificate, signer crypto.Signer) (result []byte, err error) {
 return cms.SignDetached(data, certs, signer)

diff --git a/extensionsign/sigzip.go b/extensionsign/sigzip.go
@@ -39,7 +39,7 @@ func ExtractP7SSig(zip []byte) ([]byte, error) {
 }
 
 // SignAndZipManifest signs a manifest and zips it up
-func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, manifest json.RawMessage) ([]byte, error) {
+func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, vsixData []byte, manifest json.RawMessage) ([]byte, error) {
 var buf bytes.Buffer
 w := zip.NewWriter(&buf)
 
@@ -53,19 +53,12 @@ func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, manifes
 return nil, xerrors.Errorf("write manifest: %w", err)
 }
 
-// Empty file
 p7sFile, err := w.Create(".signature.p7s")
 if err != nil {
 return nil, xerrors.Errorf("create empty p7s signature: %w", err)
 }
 
-// Actual sig
-sigFile, err := w.Create(".signature.sig")
-if err != nil {
-return nil, xerrors.Errorf("create signature: %w", err)
-}
-
-signature, err := secret.Sign(rand.Reader, vsixData, crypto.Hash(0))
+signature, err := SigningAlgorithm(vsixData, certs, secret)
 if err != nil {
 return nil, xerrors.Errorf("sign: %w", err)
 }

diff --git a/storage/signature.go b/storage/signature.go
@@ -14,10 +14,6 @@ import (
 "golang.org/x/xerrors"
 
 "cdr.dev/slog"
-<<<<<<< HEAD
-
-=======
->>>>>>> 13a5775 (chore: more work towards supporting p7s)
 "github.com/coder/code-marketplace/extensionsign"
 )
 
@@ -208,7 +204,7 @@ func (s *Signature) Open(ctx context.Context, fp string) (fs.File, error) {
 }
 
 func (s *Signature) SigZip(ctx context.Context, vsix []byte, sigManifest []byte) ([]byte, error) {
-signed, err := extensionsign.SignAndZipManifest(s.Signer, vsix, sigManifest)
+signed, err := extensionsign.SignAndZipManifest(s.Certificates, s.Signer, vsix, sigManifest)
 if err != nil {
 s.Logger.Error(ctx, "signing manifest", slog.Error(err))
 return nil, xerrors.Errorf("sign and zip manifest: %w", err)

diff --git a/storage/signature_test.go b/storage/signature_test.go
@@ -5,6 +5,8 @@ import (
 "crypto/x509"
 "testing"
 
+"github.com/stretchr/testify/require"
+
 "cdr.dev/slog"
 "github.com/coder/code-marketplace/extensionsign"
 "github.com/coder/code-marketplace/storage"
@@ -32,7 +34,7 @@ func signed(signer bool, factory func(t *testing.T) testStorage) func(t *testing
 sst, err := storage.NewSignatureStorage(slog.Make(), key, []*x509.Certificate{}, st.storage)
 require.NoError(t, err)
 return testStorage{
-storage: storage.NewSignatureStorage(slog.Make(), key, st.storage),
+storage: sst,
 write: st.write,
 exists: st.exists,
 expectedManifest: exp,