finagolfin
diff --git a/‎Package.swift‎
Lines changed: 11 additions & 0 deletions b/‎Package.swift‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎Sources/PackageSigning/SignatureProvider.swift‎
Lines changed: 277 additions & 0 deletions b/‎Sources/PackageSigning/SignatureProvider.swift‎
Lines changed: 277 additions & 0 deletions
diff --git a/‎Sources/PackageSigning/SigningEntity.swift‎
Lines changed: 88 additions & 0 deletions b/‎Sources/PackageSigning/SigningEntity.swift‎
Lines changed: 88 additions & 0 deletions
@@ -289,6 +289,13 @@ let package = Package(
             ],
             exclude: ["CMakeLists.txt"]
         ),
+        
+        .target(
+            name: "PackageSigning",
+            dependencies: [
+                "Basics",
+            ]
+        ),
 
         // MARK: Package Manager Functionality
 
@@ -643,6 +650,10 @@ let package = Package(
             name: "PackageRegistryTests",
             dependencies: ["SPMTestSupport", "PackageRegistry"]
         ),
+        .testTarget(
+            name: "PackageSigningTests",
+            dependencies: ["SPMTestSupport", "PackageSigning"]
+        ),
         .testTarget(
             name: "SourceControlTests",
             dependencies: ["SourceControl", "SPMTestSupport"],
 
@@ -0,0 +1,277 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Swift open source project
+//
+// Copyright (c) 2023 Apple Inc. and the Swift project authors
+// Licensed under Apache License v2.0 with Runtime Library Exception
+//
+// See http://swift.org/LICENSE.txt for license information
+// See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
+//
+//===----------------------------------------------------------------------===//
+
+import struct Foundation.Data
+
+#if os(macOS)
+import Security
+#endif
+
+import Basics
+
+public struct SignatureProvider {
+    public init() {}
+
+    public func sign(
+        _ content: Data,
+        with identity: SigningIdentity,
+        in format: SignatureFormat,
+        observabilityScope: ObservabilityScope
+    ) async throws -> Data {
+        let provider = format.provider
+        return try await provider.sign(content, with: identity, observabilityScope: observabilityScope)
+    }
+
+    public func status(
+        of signature: Data,
+        for content: Data,
+        in format: SignatureFormat,
+        verifierConfiguration: VerifierConfiguration,
+        observabilityScope: ObservabilityScope
+    ) async throws -> SignatureStatus {
+        let provider = format.provider
+        return try await provider.status(of: signature, for: content, observabilityScope: observabilityScope)
+    }
+}
+
+public struct VerifierConfiguration {
+    public var trustedRoots: [Certificate]
+    public var certificateExpiration: CertificateExpiration
+    public var certificateRevocation: CertificateRevocation
+
+    public init() {
+        self.trustedRoots = []
+        self.certificateExpiration = .disabled
+        self.certificateRevocation = .disabled
+    }
+
+    public enum CertificateExpiration {
+        case enabled
+        case disabled
+    }
+
+    public enum CertificateRevocation {
+        case strict
+        case allowSoftFail
+        case disabled
+    }
+}
+
+public enum SignatureStatus: Equatable {
+    case valid
+    case invalid(String)
+    case certificateInvalid(String)
+    case certificateNotTrusted
+}
+
+extension Certificate {
+    public enum RevocationStatus {
+        case valid
+        case revoked
+        case unknown
+    }
+}
+
+public enum SigningError: Error {
+    case encodeInitializationFailed(String)
+    case decodeInitializationFailed(String)
+    case signingFailed(String)
+    case signatureInvalid(String)
+}
+
+protocol SignatureProviderProtocol {
+    func sign(
+        _ content: Data,
+        with identity: SigningIdentity,
+        observabilityScope: ObservabilityScope
+    ) async throws -> Data
+
+    func status(
+        of signature: Data,
+        for content: Data,
+        observabilityScope: ObservabilityScope
+    ) async throws -> SignatureStatus
+
+    func signingEntity(of signature: Data) throws -> SigningEntity
+}
+
+public enum SignatureFormat: String {
+    case cms_1_0_0 = "cms-1.0.0"
+
+    var provider: SignatureProviderProtocol {
+        switch self {
+        case .cms_1_0_0:
+            return CMSSignatureProvider(format: self)
+        }
+    }
+}
+
+struct CMSSignatureProvider: SignatureProviderProtocol {
+    let format: SignatureFormat
+
+    init(format: SignatureFormat) {
+        precondition(format.rawValue.hasPrefix("cms-"), "Unsupported signature format '\(format)'")
+        self.format = format
+    }
+
+    func sign(
+        _ content: Data,
+        with identity: SigningIdentity,
+        observabilityScope: ObservabilityScope
+    ) async throws -> Data {
+        try self.validate(identity: identity)
+
+        #if os(macOS)
+        if CFGetTypeID(identity as CFTypeRef) == SecIdentityGetTypeID() {
+            var cmsEncoder: CMSEncoder?
+            var status = CMSEncoderCreate(&cmsEncoder)
+            guard status == errSecSuccess, let cmsEncoder = cmsEncoder else {
+                throw SigningError.encodeInitializationFailed("Unable to create CMSEncoder. Error: \(status)")
+            }
+
+            CMSEncoderAddSigners(cmsEncoder, identity as! SecIdentity)
+            CMSEncoderSetHasDetachedContent(cmsEncoder, true) // Detached signature
+            CMSEncoderSetSignerAlgorithm(cmsEncoder, kCMSEncoderDigestAlgorithmSHA256)
+            CMSEncoderAddSignedAttributes(cmsEncoder, CMSSignedAttributes.attrSigningTime)
+            CMSEncoderSetCertificateChainMode(cmsEncoder, .signerOnly)
+
+            var contentArray = Array(content)
+            CMSEncoderUpdateContent(cmsEncoder, &contentArray, content.count)
+
+            var signature: CFData?
+            status = CMSEncoderCopyEncodedContent(cmsEncoder, &signature)
+            guard status == errSecSuccess, let signature = signature else {
+                throw SigningError.signingFailed("Signing failed. Error: \(status)")
+            }
+
+            return signature as Data
+        } else {
+            fatalError("TO BE IMPLEMENTED")
+        }
+        #else
+        fatalError("TO BE IMPLEMENTED")
+        #endif
+    }
+
+    func status(
+        of signature: Data,
+        for content: Data,
+        observabilityScope: ObservabilityScope
+    ) async throws -> SignatureStatus {
+        #if os(macOS)
+        var cmsDecoder: CMSDecoder?
+        var status = CMSDecoderCreate(&cmsDecoder)
+        guard status == errSecSuccess, let cmsDecoder = cmsDecoder else {
+            throw SigningError.decodeInitializationFailed("Unable to create CMSDecoder. Error: \(status)")
+        }
+
+        CMSDecoderSetDetachedContent(cmsDecoder, content as CFData)
+
+        status = CMSDecoderUpdateMessage(cmsDecoder, [UInt8](signature), signature.count)
+        guard status == errSecSuccess else {
+            return .invalid("Unable to update CMSDecoder with signature. Error: \(status)")
+        }
+        status = CMSDecoderFinalizeMessage(cmsDecoder)
+        guard status == errSecSuccess else {
+            return .invalid("Failed to set up CMSDecoder. Error: \(status)")
+        }
+
+        var signerStatus = CMSSignerStatus.needsDetachedContent
+        var certificateVerifyResult: OSStatus = errSecSuccess
+        var trust: SecTrust?
+
+        // TODO: build policy based on user config
+        let basicPolicy = SecPolicyCreateBasicX509()
+        let revocationPolicy = SecPolicyCreateRevocation(kSecRevocationOCSPMethod)
+        CMSDecoderCopySignerStatus(
+            cmsDecoder,
+            0,
+            [basicPolicy, revocationPolicy] as CFArray,
+            true,
+            &signerStatus,
+            &trust,
+            &certificateVerifyResult
+        )
+
+        guard certificateVerifyResult == errSecSuccess else {
+            return .certificateInvalid("Certificate verify result: \(certificateVerifyResult)")
+        }
+        guard signerStatus == .valid else {
+            return .invalid("Signer status: \(signerStatus)")
+        }
+
+        guard let trust = trust else {
+            return .certificateNotTrusted
+        }
+
+        // TODO: user configured trusted roots
+        SecTrustSetNetworkFetchAllowed(trust, true)
+        //        SecTrustSetAnchorCertificates(trust, trustedCAs as CFArray)
+        //        SecTrustSetAnchorCertificatesOnly(trust, true)
+
+        guard SecTrustEvaluateWithError(trust, nil) else {
+            return .certificateNotTrusted
+        }
+
+        var revocationStatus: Certificate.RevocationStatus?
+        if let trustResult = SecTrustCopyResult(trust) as? [String: Any],
+           let trustRevocationChecked = trustResult[kSecTrustRevocationChecked as String] as? Bool
+        {
+            revocationStatus = trustRevocationChecked ? .valid : .revoked
+        }
+        observabilityScope.emit(debug: "Certificate revocation status: \(String(describing: revocationStatus))")
+
+        return .valid
+        #else
+        fatalError("TO BE IMPLEMENTED")
+        #endif
+    }
+
+    func signingEntity(of signature: Data) throws -> SigningEntity {
+        #if os(macOS)
+        var cmsDecoder: CMSDecoder?
+        var status = CMSDecoderCreate(&cmsDecoder)
+        guard status == errSecSuccess, let cmsDecoder = cmsDecoder else {
+            throw SigningError.decodeInitializationFailed("Unable to create CMSDecoder. Error: \(status)")
+        }
+
+        status = CMSDecoderUpdateMessage(cmsDecoder, [UInt8](signature), signature.count)
+        guard status == errSecSuccess else {
+            throw SigningError
+                .decodeInitializationFailed("Unable to update CMSDecoder with signature. Error: \(status)")
+        }
+        status = CMSDecoderFinalizeMessage(cmsDecoder)
+        guard status == errSecSuccess else {
+            throw SigningError.decodeInitializationFailed("Failed to set up CMSDecoder. Error: \(status)")
+        }
+
+        var certificate: SecCertificate?
+        status = CMSDecoderCopySignerCert(cmsDecoder, 0, &certificate)
+        guard status == errSecSuccess, let certificate = certificate else {
+            throw SigningError.signatureInvalid("Unable to extract signing certificate. Error: \(status)")
+        }
+
+        return SigningEntity(certificate: certificate)
+        #else
+        // TODO: decode `data` by `format`, then construct `signedBy` from signing cert
+        fatalError("TO BE IMPLEMENTED")
+        #endif
+    }
+
+    private func validate(identity: SigningIdentity) throws {
+        switch self.format {
+        case .cms_1_0_0:
+            // TODO: key must be EC
+            ()
+        }
+    }
+}
@@ -0,0 +1,88 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Swift open source project
+//
+// Copyright (c) 2023 Apple Inc. and the Swift project authors
+// Licensed under Apache License v2.0 with Runtime Library Exception
+//
+// See http://swift.org/LICENSE.txt for license information
+// See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
+//
+//===----------------------------------------------------------------------===//
+
+import struct Foundation.Data
+
+#if os(macOS)
+import Security
+#endif
+
+// MARK: - SigningEntity is the entity that generated the signature
+
+public struct SigningEntity {
+    public let type: SigningEntityType?
+    public let name: String?
+    public let organizationalUnit: String?
+    public let organization: String?
+
+    public var isRecognized: Bool {
+        self.type != nil
+    }
+
+    public init(of signature: Data, signatureFormat: SignatureFormat) throws {
+        let provider = signatureFormat.provider
+        self = try provider.signingEntity(of: signature)
+    }
+
+    #if os(macOS)
+    init(certificate: SecCertificate) {
+        self.type = certificate.signingEntityType
+        self.name = certificate.commonName
+
+        guard let dict = SecCertificateCopyValues(certificate, nil, nil) as? [CFString: Any],
+              let subjectDict = dict[kSecOIDX509V1SubjectName] as? [CFString: Any],
+              let propValueList = subjectDict[kSecPropertyKeyValue] as? [[String: Any]]
+        else {
+            self.organizationalUnit = nil
+            self.organization = nil
+            return
+        }
+
+        let props = propValueList.reduce(into: [String: String]()) { result, item in
+            if let label = item["label"] as? String, let value = item["value"] as? String {
+                result[label] = value
+            }
+        }
+
+        self.organizationalUnit = props[kSecOIDOrganizationalUnitName as String]
+        self.organization = props[kSecOIDOrganizationName as String]
+    }
+    #endif
+
+    init(certificate: Certificate) {
+        // TODO: extract id, name, organization, etc. from cert
+        fatalError("TO BE IMPLEMENTED")
+    }
+}
+
+// MARK: - SigningEntity types that SwiftPM recognizes
+
+public enum SigningEntityType {
+    case adp // Apple Developer Program
+
+    static let oid_adpSwiftPackageMarker = "1.2.840.113635.100.6.1.35"
+}
+
+#if os(macOS)
+extension SecCertificate {
+    var signingEntityType: SigningEntityType? {
+        guard let dict = SecCertificateCopyValues(
+            self,
+            [SigningEntityType.oid_adpSwiftPackageMarker as CFString] as CFArray,
+            nil
+        ) as? [CFString: Any] else {
+            return nil
+        }
+        return dict.isEmpty ? nil : .adp
+    }
+}
+#endif