easy_code_sign 0.1.0

data/lib/easy_code_sign/signable/base.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module EasyCodeSign
+  module Signable
+    # Abstract base class for signable file types
+    #
+    # Subclasses must implement:
+    # - #prepare_for_signing - Extract/prepare content for signing
+    # - #apply_signature(signature, certificate_chain) - Embed signature in file
+    # - #extract_signature - Extract existing signature for verification
+    # - #content_to_sign - Return the bytes to be signed
+    #
+    class Base
+      attr_reader :file_path, :options
+
+      def initialize(file_path, **options)
+        @file_path = File.expand_path(file_path)
+        @options = options
+        validate_file!
+      end
+
+      # Prepare content for signing
+      # @return [void]
+      def prepare_for_signing
+        raise NotImplementedError, "#{self.class}#prepare_for_signing must be implemented"
+      end
+
+      # Get the content that will be signed (typically a hash of the file)
+      # @return [String] bytes to be signed
+      def content_to_sign
+        raise NotImplementedError, "#{self.class}#content_to_sign must be implemented"
+      end
+
+      # Apply signature to the file
+      # @param signature [String] raw signature bytes
+      # @param certificate_chain [Array<OpenSSL::X509::Certificate>] signing certificate chain
+      # @param timestamp_token [String, nil] optional RFC 3161 timestamp token
+      # @return [String] path to the signed output file
+      def apply_signature(signature, certificate_chain, timestamp_token: nil)
+        raise NotImplementedError, "#{self.class}#apply_signature must be implemented"
+      end
+
+      # Extract existing signature from the file
+      # @return [Hash, nil] signature data or nil if unsigned
+      def extract_signature
+        raise NotImplementedError, "#{self.class}#extract_signature must be implemented"
+      end
+
+      # Check if file is already signed
+      # @return [Boolean]
+      def signed?
+        !extract_signature.nil?
+      end
+
+      # Get the hash algorithm to use
+      # @return [Symbol] :sha256, :sha384, or :sha512
+      def hash_algorithm
+        options.fetch(:hash_algorithm, :sha256)
+      end
+
+      # Compute hash of data using configured algorithm
+      # @param data [String] data to hash
+      # @return [String] hash bytes
+      def compute_hash(data)
+        digest_class.digest(data)
+      end
+
+      # Get the OpenSSL digest class for the hash algorithm
+      # @return [Class]
+      def digest_class
+        case hash_algorithm
+        when :sha256 then OpenSSL::Digest::SHA256
+        when :sha384 then OpenSSL::Digest::SHA384
+        when :sha512 then OpenSSL::Digest::SHA512
+        else raise ArgumentError, "Unsupported hash algorithm: #{hash_algorithm}"
+        end
+      end
+
+      # Get signature algorithm symbol for the provider
+      # @param key_type [Symbol] :rsa or :ecdsa
+      # @return [Symbol]
+      def signature_algorithm(key_type = :rsa)
+        :"#{hash_algorithm}_#{key_type}"
+      end
+
+      protected
+
+      def validate_file!
+        raise InvalidFileError, "File not found: #{file_path}" unless File.exist?(file_path)
+        raise InvalidFileError, "Cannot read file: #{file_path}" unless File.readable?(file_path)
+      end
+
+      def output_path
+        options[:output_path] || file_path
+      end
+    end
+  end
+end

data/lib/easy_code_sign/signable/gem_file.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+
+require "rubygems/package"
+require "openssl"
+require "tempfile"
+require "fileutils"
+
+module EasyCodeSign
+  module Signable
+    # Handler for signing Ruby gem files (.gem)
+    #
+    # Gem signing follows the RubyGems signing format:
+    # - Creates PKCS#7 detached signatures for data.tar.gz, metadata.gz, checksums.yaml.gz
+    # - Signature files are stored as .sig files in the gem archive
+    #
+    # @example
+    #   gem_file = EasyCodeSign::Signable::GemFile.new("my_gem-1.0.0.gem")
+    #   gem_file.prepare_for_signing
+    #   signature = provider.sign(gem_file.content_to_sign, algorithm: :sha256_rsa)
+    #   gem_file.apply_signature(signature, [cert])
+    #
+    class GemFile < Base
+      # Files within the gem that get signed
+      SIGNABLE_FILES = %w[data.tar.gz metadata.gz checksums.yaml.gz].freeze
+
+      def initialize(file_path, **options)
+        super
+        validate_gem_format!
+        @contents = {}
+        @signatures = {}
+      end
+
+      def prepare_for_signing
+        extract_gem_contents
+      end
+
+      # Returns concatenated hashes of all signable files
+      # This is what gets signed by the hardware token
+      def content_to_sign
+        prepare_for_signing if @contents.empty?
+
+        # Create a digest of all signable content
+        combined = SIGNABLE_FILES.filter_map do |name|
+          content = @contents[name]
+          next unless content
+
+          "#{name}:#{compute_hash(content).unpack1('H*')}"
+        end.join("\n")
+
+        compute_hash(combined)
+      end
+
+      def apply_signature(signature, certificate_chain, timestamp_token: nil)
+        prepare_for_signing if @contents.empty?
+
+        # Build PKCS#7 signature structure for each file
+        SIGNABLE_FILES.each do |name|
+          content = @contents[name]
+          next unless content
+
+          pkcs7_sig = build_pkcs7_signature(content, signature, certificate_chain, timestamp_token)
+          @signatures["#{name}.sig"] = pkcs7_sig.to_der
+        end
+
+        write_signed_gem
+      end
+
+      def extract_signature
+        sigs = {}
+
+        File.open(file_path, "rb") do |io|
+          Gem::Package::TarReader.new(io) do |tar|
+            tar.each do |entry|
+              next unless entry.full_name.end_with?(".sig")
+
+              sigs[entry.full_name] = entry.read
+            end
+          end
+        end
+
+        sigs.empty? ? nil : sigs
+      rescue StandardError
+        nil
+      end
+
+      # Get the gem specification
+      # @return [Gem::Specification, nil]
+      def spec
+        @spec ||= extract_gemspec
+      end
+
+      private
+
+      def validate_gem_format!
+        unless file_path.end_with?(".gem")
+          raise InvalidFileError, "File must have .gem extension: #{file_path}"
+        end
+
+        # Verify it's a valid tar archive
+        File.open(file_path, "rb") do |io|
+          Gem::Package::TarReader.new(io) do |tar|
+            tar.first # Just check we can read it
+          end
+        end
+      rescue Gem::Package::TarInvalidError => e
+        raise InvalidFileError, "Invalid gem file: #{e.message}"
+      end
+
+      def extract_gem_contents
+        @contents = {}
+
+        File.open(file_path, "rb") do |io|
+          Gem::Package::TarReader.new(io) do |tar|
+            tar.each do |entry|
+              if SIGNABLE_FILES.include?(entry.full_name)
+                @contents[entry.full_name] = entry.read
+              end
+            end
+          end
+        end
+
+        if @contents.empty?
+          raise InvalidFileError, "Gem file contains no signable content"
+        end
+
+        @contents
+      end
+
+      def extract_gemspec
+        File.open(file_path, "rb") do |io|
+          Gem::Package::TarReader.new(io) do |tar|
+            tar.each do |entry|
+              if entry.full_name == "metadata.gz"
+                require "zlib"
+                yaml = Zlib::GzipReader.new(StringIO.new(entry.read)).read
+                return Gem::Specification.from_yaml(yaml)
+              end
+            end
+          end
+        end
+        nil
+      rescue StandardError
+        nil
+      end
+
+      def build_pkcs7_signature(content, raw_signature, certificate_chain, timestamp_token)
+        # Create PKCS#7 signed data structure
+        signing_cert = certificate_chain.first
+
+        pkcs7 = OpenSSL::PKCS7.new
+        pkcs7.type = "signed"
+
+        # Add certificates to the signature
+        certificate_chain.each do |cert|
+          pkcs7.add_certificate(cert)
+        end
+
+        # Create signer info
+        # Note: We're using a pre-computed signature from the hardware token
+        # This creates a compatible PKCS#7 structure
+        signer_info = OpenSSL::PKCS7::SignerInfo.new(
+          signing_cert,
+          nil, # We don't have the private key - signature was made by HSM
+          digest_class.name.split("::").last
+        )
+
+        # The actual signature from the HSM needs to be embedded
+        # This is a simplified version - full implementation would need
+        # to properly construct the SignerInfo with the external signature
+
+        pkcs7.add_signer(signer_info)
+        pkcs7.add_data(content)
+
+        # Add timestamp if provided
+        if timestamp_token
+          # Timestamp would be added as an unsigned attribute
+          # Implementation depends on how we receive the timestamp
+        end
+
+        pkcs7
+      end
+
+      def write_signed_gem
+        output = output_path
+        temp_file = Tempfile.new(["signed_gem", ".gem"])
+
+        begin
+          # Write new gem with signatures
+          File.open(temp_file.path, "wb") do |out_io|
+            Gem::Package::TarWriter.new(out_io) do |tar|
+              # First, copy all original entries
+              File.open(file_path, "rb") do |in_io|
+                Gem::Package::TarReader.new(in_io) do |reader|
+                  reader.each do |entry|
+                    # Skip existing signatures if re-signing
+                    next if entry.full_name.end_with?(".sig")
+
+                    tar.add_file_simple(entry.full_name, entry.header.mode, entry.size) do |io|
+                      io.write(entry.read)
+                    end
+                  end
+                end
+              end
+
+              # Add signature files
+              @signatures.each do |name, sig_data|
+                tar.add_file_simple(name, 0o444, sig_data.bytesize) do |io|
+                  io.write(sig_data)
+                end
+              end
+            end
+          end
+
+          # Move temp file to output location
+          FileUtils.mv(temp_file.path, output)
+          output
+        ensure
+          temp_file.close
+          temp_file.unlink if File.exist?(temp_file.path)
+        end
+      end
+    end
+  end
+end