[Collections] Signing (apple, 4): signature validation

This is part 4 of a series of PRs to support package collection signing on Apple platforms. Originally #3252.

Depends on  #3269.

Modifications:
- Add `PackageCollectionsSigning` dependency to `PackageCollections` module
- Verify collection signature in `JSONPackageCollectionProvider`

Author: yim-lee

Package.swift

@@ -161,7 +161,7 @@ let package = Package(
         .target(
             /** Data structures and support for package collections */
             name: "PackageCollections",
-            dependencies: ["SwiftToolsSupport-auto", "Basics", "PackageModel", "SourceControl", "PackageCollectionsModel"]),
+            dependencies: ["SwiftToolsSupport-auto", "Basics", "PackageModel", "SourceControl", "PackageCollectionsModel", "PackageCollectionsSigning"]),
 
         // MARK: Package Manager Functionality
 

Sources/PackageCollections/CMakeLists.txt

@@ -32,6 +32,9 @@ target_link_libraries(PackageCollections PUBLIC
   TSCBasic
   TSCUtility
   Basics
+  Crypto
+  PackageCollectionsModel
+  PackageCollectionsSigning
   PackageModel
   SourceControl)
 # NOTE(compnerd) workaround for CMake not setting up include flags yet

Sources/PackageCollections/Providers/JSONPackageCollectionProvider.swift

@@ -10,11 +10,13 @@
 
 import Basics
 import Dispatch
+import struct Foundation.Data
 import struct Foundation.Date
 import class Foundation.JSONDecoder
 import struct Foundation.URL
 
 import PackageCollectionsModel
+import PackageCollectionsSigning
 import PackageModel
 import SourceControl
 import TSCBasic
@@ -27,13 +29,21 @@ struct JSONPackageCollectionProvider: PackageCollectionProvider {
     private let httpClient: HTTPClient
     private let decoder: JSONDecoder
     private let validator: JSONModel.Validator
+    private let signatureValidator: PackageCollectionSignatureValidator
 
-    init(configuration: Configuration = .init(), httpClient: HTTPClient? = nil, diagnosticsEngine: DiagnosticsEngine? = nil) {
+    init(configuration: Configuration = .init(),
+         httpClient: HTTPClient? = nil,
+         signatureValidator: PackageCollectionSignatureValidator? = nil,
+         diagnosticsEngine: DiagnosticsEngine? = nil) {
         self.configuration = configuration
         self.diagnosticsEngine = diagnosticsEngine
         self.httpClient = httpClient ?? Self.makeDefaultHTTPClient(diagnosticsEngine: diagnosticsEngine)
         self.decoder = JSONDecoder.makeWithDefaults()
         self.validator = JSONModel.Validator(configuration: configuration.validator)
+        self.signatureValidator = signatureValidator ?? PackageCollectionSigning(
+            trustedRootCertsDir: configuration.trustedRootCertsDir,
+            diagnosticsEngine: diagnosticsEngine
+        )
     }
 
     func get(_ source: Model.CollectionSource, callback: @escaping (Result<Model.Collection, Error>) -> Void) {
@@ -49,14 +59,9 @@ struct JSONPackageCollectionProvider: PackageCollectionProvider {
         if let absolutePath = source.absolutePath {
             do {
                 let fileContents = try localFileSystem.readFileContents(absolutePath)
-                let collection: JSONModel.Collection = try fileContents.withData { data in
-                    do {
-                        return try self.decoder.decode(JSONModel.Collection.self, from: data)
-                    } catch {
-                        throw Errors.invalidJSON(error)
-                    }
+                return fileContents.withData { data in
+                    self.decodeAndRunSignatureCheck(source: source, data: data, certPolicyKey: .default, callback: callback)
                 }
-                return callback(self.makeCollection(from: collection, source: source, signature: nil))
             } catch {
                 return callback(.failure(error))
             }
@@ -97,33 +102,40 @@ struct JSONPackageCollectionProvider: PackageCollectionProvider {
                             return callback(.failure(Errors.invalidResponse("Body is empty")))
                         }
 
-                        do {
-                            // parse json and construct result
-                            do {
-                                // This fails if "signature" is missing
-                                let signature = try JSONModel.SignedCollection.signature(from: body, using: self.decoder)
-                                // TODO: Check collection's signature
-                                // If signature is
-                                //      a. valid: process the collection; set isSigned=true
-                                //      b. invalid: includes expired cert, untrusted cert, signature-payload mismatch => return error
-                                let collection = try JSONModel.SignedCollection.collection(from: body, using: self.decoder)
-                                callback(self.makeCollection(from: collection, source: source, signature: Model.SignatureData(from: signature)))
-                            } catch {
-                                // Collection is not signed
-                                guard let collection = try response.decodeBody(JSONModel.Collection.self, using: self.decoder) else {
-                                    return callback(.failure(Errors.invalidResponse("Invalid body")))
-                                }
-                                callback(self.makeCollection(from: collection, source: source, signature: nil))
-                            }
-                        } catch {
-                            callback(.failure(Errors.invalidJSON(error)))
-                        }
+                        let certPolicyKey = self.configuration.certificatePolicyKey(for: source) ?? .default
+                        self.decodeAndRunSignatureCheck(source: source, data: body, certPolicyKey: certPolicyKey, callback: callback)
                     }
                 }
             }
         }
     }
 
+    private func decodeAndRunSignatureCheck(source: Model.CollectionSource,
+                                            data: Data,
+                                            certPolicyKey: CertificatePolicyKey,
+                                            callback: @escaping (Result<Model.Collection, Error>) -> Void) {
+        do {
+            // This fails if collection is not signed (i.e., no "signature")
+            let signedCollection = try self.decoder.decode(JSONModel.SignedCollection.self, from: data)
+            // Check the signature
+            self.signatureValidator.validate(signedCollection: signedCollection, certPolicyKey: certPolicyKey) { result in
+                switch result {
+                case .failure(let error):
+                    self.diagnosticsEngine?.emit(warning: "The signature of package collection [\(source)] is invalid: \(error)")
+                    callback(.failure(Errors.invalidSignature))
+                case .success:
+                    callback(self.makeCollection(from: signedCollection.collection, source: source, signature: Model.SignatureData(from: signedCollection.signature)))
+                }
+            }
+        } catch {
+            // Collection is not signed
+            guard let collection = try? self.decoder.decode(JSONModel.Collection.self, from: data) else {
+                return callback(.failure(Errors.invalidJSON(error)))
+            }
+            callback(self.makeCollection(from: collection, source: source, signature: nil))
+        }
+    }
+
     private func makeCollection(from collection: JSONModel.Collection, source: Model.CollectionSource, signature: Model.SignatureData?) -> Result<Model.Collection, Error> {
         if let errors = self.validator.validate(collection: collection)?.errors() {
             return .failure(MultipleErrors(errors))
@@ -240,7 +252,10 @@ struct JSONPackageCollectionProvider: PackageCollectionProvider {
 
     public struct Configuration {
         public var maximumSizeInBytes: Int64
-        public var validator: PackageCollectionModel.V1.Validator.Configuration
+        public var trustedRootCertsDir: URL?
+        public var sourceCertPolicies: [String: CertificatePolicyKey]
+
+        var validator: PackageCollectionModel.V1.Validator.Configuration
 
         public var maximumPackageCount: Int {
             get {
@@ -270,22 +285,33 @@ struct JSONPackageCollectionProvider: PackageCollectionProvider {
         }
 
         public init(maximumSizeInBytes: Int64? = nil,
+                    trustedRootCertsDir: URL? = nil,
+                    sourceCertPolicies: [String: CertificatePolicyKey]? = nil,
                     maximumPackageCount: Int? = nil,
                     maximumMajorVersionCount: Int? = nil,
                     maximumMinorVersionCount: Int? = nil) {
             // TODO: where should we read defaults from?
             self.maximumSizeInBytes = maximumSizeInBytes ?? 5_000_000 // 5MB
+            self.trustedRootCertsDir = trustedRootCertsDir
+            self.sourceCertPolicies = sourceCertPolicies ?? [:]
             self.validator = JSONModel.Validator.Configuration(
                 maximumPackageCount: maximumPackageCount,
                 maximumMajorVersionCount: maximumMajorVersionCount,
                 maximumMinorVersionCount: maximumMinorVersionCount
             )
         }
+
+        func certificatePolicyKey(for source: Model.CollectionSource) -> CertificatePolicyKey? {
+            // Certificate policy is associated to a collection host
+            guard let host = source.url.host else { return nil }
+            return self.sourceCertPolicies[host]
+        }
     }
 
     public enum Errors: Error {
         case invalidJSON(Error)
         case invalidResponse(String)
+        case invalidSignature
     }
 }
 

Sources/PackageCollectionsModel/PackageCollectionModel+v1.swift

@@ -473,52 +473,4 @@ extension PackageCollectionModel.V1.SignedCollection: Codable {
         self.collection = try PackageCollectionModel.V1.Collection(from: decoder)
         self.signature = try container.decode(PackageCollectionModel.V1.Signature.self, forKey: .signature)
     }
-
-    // MARK: - Extract value for single key path
-
-    static let keyPathKey = "key_path"
-
-    public static func collection(from data: Data, using decoder: JSONDecoder) throws -> PackageCollectionModel.V1.Collection {
-        guard let keyPathUserInfoKey = CodingUserInfoKey(rawValue: Self.keyPathKey) else {
-            throw KeyPathValueError.invalidUserInfo
-        }
-        decoder.userInfo[keyPathUserInfoKey] = \PackageCollectionModel.V1.SignedCollection.collection
-        return try decoder.decode(KeyPathValue<PackageCollectionModel.V1.Collection>.self, from: data).value
-    }
-
-    public static func signature(from data: Data, using decoder: JSONDecoder) throws -> PackageCollectionModel.V1.Signature {
-        guard let keyPathUserInfoKey = CodingUserInfoKey(rawValue: Self.keyPathKey) else {
-            throw KeyPathValueError.invalidUserInfo
-        }
-        decoder.userInfo[keyPathUserInfoKey] = \PackageCollectionModel.V1.SignedCollection.signature
-        return try decoder.decode(KeyPathValue<PackageCollectionModel.V1.Signature>.self, from: data).value
-    }
-
-    private struct KeyPathValue<T: Decodable>: Decodable {
-        let value: T
-
-        init(from decoder: Decoder) throws {
-            guard let keyPathUserInfoKey = CodingUserInfoKey(rawValue: PackageCollectionModel.V1.SignedCollection.keyPathKey) else {
-                throw KeyPathValueError.invalidUserInfo
-            }
-            guard let keyPath = decoder.userInfo[keyPathUserInfoKey] as? KeyPath<PackageCollectionModel.V1.SignedCollection, T> else {
-                throw KeyPathValueError.missingUserInfo
-            }
-            switch keyPath {
-            case \PackageCollectionModel.V1.SignedCollection.collection:
-                self.value = try T(from: decoder)
-            case \PackageCollectionModel.V1.SignedCollection.signature:
-                let container = try decoder.container(keyedBy: PackageCollectionModel.V1.SignedCollection.CodingKeys.self)
-                self.value = try container.decode(T.self, forKey: .signature) as T
-            default:
-                throw KeyPathValueError.unknownKeyPath
-            }
-        }
-    }
-
-    public enum KeyPathValueError: Error {
-        case invalidUserInfo
-        case missingUserInfo
-        case unknownKeyPath
-    }
 }

Sources/PackageCollectionsSigning/PackageCollectionSigning.swift

@@ -15,7 +15,38 @@ import Basics
 import PackageCollectionsModel
 import TSCBasic
 
-public struct PackageCollectionSigning {
+public protocol PackageCollectionSigner {
+    /// Signs package collection using the given certificate and key.
+    ///
+    /// - Parameters:
+    ///   - collection: The package collection to be signed
+    ///   - certChainPaths: Paths to all DER-encoded certificates in the chain. The certificate used for signing
+    ///                     must be the first in the array.
+    ///   - certPrivateKeyPath: Path to the private key (*.pem) of the certificate
+    ///   - certPolicyKey: The key of the `CertificatePolicy` to use for validating certificates
+    ///   - callback: The callback to invoke when the signed collection is available.
+    func sign(collection: PackageCollectionModel.V1.Collection,
+              certChainPaths: [URL],
+              certPrivateKeyPath: URL,
+              certPolicyKey: CertificatePolicyKey,
+              callback: @escaping (Result<PackageCollectionModel.V1.SignedCollection, Error>) -> Void)
+}
+
+public protocol PackageCollectionSignatureValidator {
+    /// Validates a signed package collection.
+    ///
+    /// - Parameters:
+    ///   - signedCollection: The signed package collection
+    ///   - certPolicyKey: The key of the `CertificatePolicy` to use for validating certificates
+    ///   - callback: The callback to invoke when the result is available.
+    func validate(signedCollection: PackageCollectionModel.V1.SignedCollection,
+                  certPolicyKey: CertificatePolicyKey,
+                  callback: @escaping (Result<Void, Error>) -> Void)
+}
+
+// MARK: - Implementation
+
+public struct PackageCollectionSigning: PackageCollectionSigner, PackageCollectionSignatureValidator {
     public typealias Model = PackageCollectionModel.V1
 
     private static let minimumRSAKeySizeInBits = 2048
@@ -31,6 +62,9 @@ public struct PackageCollectionSigning {
     /// Internal cache/storage of `CertificatePolicy`s
     private let certPolicies = ThreadSafeKeyValueStore<CertificatePolicyKey, CertificatePolicy>()
 
+    private let encoder: JSONEncoder
+    private let decoder: JSONDecoder
+
     public init(trustedRootCertsDir: URL? = nil, callbackQueue: DispatchQueue = DispatchQueue.global(), diagnosticsEngine: DiagnosticsEngine? = nil) {
         self.trustedRootCertsDir = trustedRootCertsDir
         self.callbackQueue = callbackQueue
@@ -41,13 +75,17 @@ public struct PackageCollectionSigning {
             callbackQueue: callbackQueue,
             diagnosticsEngine: diagnosticsEngine
         )
+        self.encoder = JSONEncoder.makeWithDefaults()
+        self.decoder = JSONDecoder.makeWithDefaults()
     }
 
     init(certPolicy: CertificatePolicy, trustedRootCertsDir: URL? = nil, callbackQueue: DispatchQueue = DispatchQueue.global(), diagnosticsEngine: DiagnosticsEngine? = nil) {
         self.trustedRootCertsDir = trustedRootCertsDir
         self.callbackQueue = callbackQueue
-        self.certPolicies[CertificatePolicyKey.custom] = certPolicy
         self.diagnosticsEngine = diagnosticsEngine
+        self.certPolicies[CertificatePolicyKey.custom] = certPolicy
+        self.encoder = JSONEncoder.makeWithDefaults()
+        self.decoder = JSONDecoder.makeWithDefaults()
     }
 
     private func getCertificatePolicy(key: CertificatePolicyKey) throws -> CertificatePolicy {
@@ -69,21 +107,10 @@ public struct PackageCollectionSigning {
         }
     }
 
-    /// Signs package collection using the given certificate and key.
-    ///
-    /// - Parameters:
-    ///   - collection: The package collection to be signed
-    ///   - certChainPaths: Paths to all DER-encoded certificates in the chain. The certificate used for signing
-    ///                     must be the first in the array.
-    ///   - certPrivateKeyPath: Path to the private key (*.pem) of the certificate
-    ///   - certPolicyKey: The key of the `CertificatePolicy` to use for validating certificates
-    ///   - jsonEncoder: The `JSONEncoder` to use
-    ///   - callback: The callback to invoke when the signed collection is available.
     public func sign(collection: Model.Collection,
                      certChainPaths: [URL],
                      certPrivateKeyPath: URL,
                      certPolicyKey: CertificatePolicyKey = .default,
-                     jsonEncoder: JSONEncoder = JSONEncoder(),
                      callback: @escaping (Result<Model.SignedCollection, Error>) -> Void) {
         do {
             let certChainData = try certChainPaths.map { try Data(contentsOf: $0) }
@@ -117,7 +144,7 @@ public struct PackageCollectionSigning {
                         try self.validateKey(privateKey)
 
                         // Generate the signature
-                        let signatureData = try Signature.generate(for: collection, with: header, using: privateKey, jsonEncoder: jsonEncoder)
+                        let signatureData = try Signature.generate(for: collection, with: header, using: privateKey, jsonEncoder: self.encoder)
 
                         guard let signature = String(bytes: signatureData, encoding: .utf8) else {
                             return callback(.failure(PackageCollectionSigningError.invalidSignature))
@@ -150,7 +177,6 @@ public struct PackageCollectionSigning {
     ///   - callback: The callback to invoke when the result is available.
     public func validate(signedCollection: Model.SignedCollection,
                          certPolicyKey: CertificatePolicyKey = .default,
-                         jsonDecoder: JSONDecoder = JSONDecoder(),
                          callback: @escaping (Result<Void, Error>) -> Void) {
         guard let signature = signedCollection.signature.signature.data(using: .utf8)?.copyBytes() else {
             return callback(.failure(PackageCollectionSigningError.invalidSignature))
@@ -160,14 +186,14 @@ public struct PackageCollectionSigning {
         let certChainValidate = { certChainData, validateCallback in
             self.validateCertChain(certChainData, certPolicyKey: certPolicyKey, callback: validateCallback)
         }
-        Signature.parse(signature, certChainValidate: certChainValidate, jsonDecoder: jsonDecoder) { result in
+        Signature.parse(signature, certChainValidate: certChainValidate, jsonDecoder: self.decoder) { result in
             switch result {
             case .failure(let error):
                 callback(.failure(error))
             case .success(let signature):
                 // Verify the collection embedded in the signature is the same as received
                 // i.e., the signature is associated with the given collection and not another
-                guard let collectionFromSignature = try? jsonDecoder.decode(Model.Collection.self, from: signature.payload),
+                guard let collectionFromSignature = try? self.decoder.decode(Model.Collection.self, from: signature.payload),
                     signedCollection.collection == collectionFromSignature else {
                     return callback(.failure(PackageCollectionSigningError.invalidSignature))
                 }
@@ -208,7 +234,7 @@ public struct PackageCollectionSigning {
     }
 }
 
-enum PackageCollectionSigningError: Error, Equatable {
+public enum PackageCollectionSigningError: Error, Equatable {
     case certPolicyNotFound
     case emptyCertChain
     case invalidCertChain