[Collections] Signing (part 5): validate signature #3252

Closed
wants to merge 18 commits into from

@yim-lee yim-lee commented Feb 10, 2021

This continues part 4 but doesn't necessarily depend on it.

Modifications:

  • Add PackageCollectionsSigning dependency to PackageCollections module
  • Verify collection signature in JSONPackageCollectionProvider

This is part 1 of a series of PRs to support package collection signing.

Modifications:
- New `PackageCollectionsSigning` module
- Add `Certificate` type
- Add EC and RSA key types

This is part 2 of a series of PRs to support package collection signing.

Depends on [part 1](swiftlang#3241)

Modifications:

- Add support for signing with EC and RSA keys
- Introduce `CertificatePolicy` protocol (more on this in part 3)
- `PackageCollectionsSigning` - given a package collection, certificate and its private key, generate a "signed" collection; and reverse that process to validate collection signature.

This is part 3 of a series of PRs to support package collection signing.

Depends on [part 2](swiftlang#3242)

Modifications:
- Certificate policies to validate collection signing certificates. OCSP support on non-Apple platforms to come in part 4.
- Wire up `PackageCollectionSigning` with certificate policies.

This is part 4 of a series of PRs to support package collection signing.

Depends on [part 3](swiftlang#3245)

Modifications:
- Add PackageCollectionsSigningLibc module
- Add OCSP support for non-Apple platforms through PackageCollectionsSigningLibc

This continues [part 4](swiftlang#3250) but doesn't necessarily depend on it.

Modifications:
- Add `PackageCollectionsSigning` dependency to `PackageCollections` module
- Verify collection signature in `JSONPackageCollectionProvider`

yim-lee commented Feb 10, 2021

@swift-ci please smoke test

certChainPaths: [URL],
certPrivateKeyPath: URL,
certPolicyKey: CertificatePolicyKey,
jsonEncoder: JSONEncoder,
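Review bot: `certChainPaths: [URL]` and `certPrivateKeyPath: URL` in this parameter list say nothing about what the files must contain. The doc comment should state the expected encoding of the certificate and key files and the order of `certChainPaths` (leaf first or root first), since the `URL` type alone tells a caller neither.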
Contributor

question: are we passing a concrete JSONEncoder to save the need to create a new one every time?

Contributor Author

> are we passing a concrete JSONEncoder to save the need to create a new one every time?

No, the collection is serialized and embedded inside the signature, and upon checking the signature we deserialize the collection and compare it with the one received. In previous implementations we were comparing JSON/Data so we had to make sure we use the same encoder/decoder, but now that we are comparing SignedCollection we can probably get away with that.
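
The check described in the reply above, as an added example that is not code from this PR: the signature token carries the serialized collection, and validation decodes that embedded copy and compares it with the collection actually received. HMAC-SHA256 stands in for the certificate-backed EC/RSA signature so the block runs on the standard library alone; the function names, token layout, key and sample data are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in for the certificate-backed
# signature; it is not what the PR uses.
DEMO_KEY = b"constructed-demo-key"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def sign_collection(collection: dict, key: bytes = DEMO_KEY) -> dict:
    """Return the collection plus a token that embeds its serialized form."""
    payload = json.dumps(collection).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {"collection": collection, "signature": b64(payload) + "." + b64(tag)}


def validate(signed: dict, key: bytes = DEMO_KEY) -> str:
    """Return 'valid', 'bad-signature' or 'collection-mismatch'."""
    try:
        payload_b64, tag_b64 = signed["signature"].split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (KeyError, ValueError, AttributeError):
        return "bad-signature"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad-signature"
    # The signature covers only the embedded payload, so the collection that
    # was actually received must be checked against it. Comparing decoded
    # objects rather than bytes keeps the check independent of the key order
    # and whitespace chosen by whichever encoder produced the outer JSON.
    embedded = json.loads(payload)
    return "valid" if embedded == signed.get("collection") else "collection-mismatch"


# Constructed sample collection.
SAMPLE = {"name": "Demo", "packages": [{"url": "https://example.com/a.git"}]}
```

Skipping the final comparison would let a valid token accompany a different outer collection, which is the case the `collection-mismatch` result catches.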

/// - callback: The callback to invoke when the result is available.
func validate(signedCollection: PackageCollectionModel.V1.SignedCollection,
certPolicyKey: CertificatePolicyKey,
jsonDecoder: JSONDecoder,
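Review bot: the doc line for `callback` on `validate` only says it is invoked "when the result is available". It should name the failure cases a caller can receive, at least separating an invalid signature from a certificate rejected under the policy selected by `certPolicyKey`, so callers do not have to treat every error alike.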

@tomerd tomerd Feb 10, 2021

same question as above. seems a bit unnatural to have it in the public API vs. a private static decoder/encoder at the implementation level (imo). fwiw, I would feel differently if this was a "TopLevelEncoder" (which does not exist in the stdlib) that reflects the format can be either JSON or something else, but since it's always JSON it feels like this should be an impl detail rather than exposed in the API

@tomerd tomerd left a comment

reviewed the "part 5" commit (e23c7e7) only, looks good to me. one question regarding API design

yim-lee added a commit to yim-lee/swift-package-manager that referenced this pull request Feb 13, 2021
This is part 4 of a series of PRs to support package collection signing on Apple platforms. Originally swiftlang#3252.

Depends on  swiftlang#3269.

Modifications:
- Add `PackageCollectionsSigning` dependency to `PackageCollections` module
- Verify collection signature in `JSONPackageCollectionProvider`

yim-lee commented Feb 13, 2021

Closing this PR, which has been replaced with #3271 and #3272

@yim-lee yim-lee closed this Feb 13, 2021
yim-lee added a commit to yim-lee/swift-package-manager that referenced this pull request Feb 17, 2021
This is part 4 of a series of PRs to support package collection signing on Apple platforms. Originally swiftlang#3252.

Depends on  swiftlang#3269.

Modifications:
- Add `PackageCollectionsSigning` dependency to `PackageCollections` module
- Verify collection signature in `JSONPackageCollectionProvider`
yim-lee added a commit to yim-lee/swift-package-manager that referenced this pull request Feb 18, 2021
This is part 4 of a series of PRs to support package collection signing on **Apple** platforms. Originally swiftlang#3252.

Depends on  swiftlang#3269.

Modifications:
- Add `PackageCollectionsSigning` dependency to `PackageCollections` module
- Verify collection signature in `JSONPackageCollectionProvider`
yim-lee added a commit that referenced this pull request Feb 19, 2021
This is part 4 of a series of PRs to support package collection signing on **Apple** platforms. Originally #3252.

Depends on  #3269.

Modifications:
- Add `PackageCollectionsSigning` dependency to `PackageCollections` module
- Verify collection signature in `JSONPackageCollectionProvider`
- Don't cache CertificatePolicy
- Add support for additionalTrustedRootCerts
- Custom certificate policy by collection source
- Throw cannotVerifySignature when no trusted roots configured
- Feature flag