easy_code_sign 0.1.0

data/lib/easy_code_sign/signer.rb

@@ -0,0 +1,254 @@
+# frozen_string_literal: true
+
+module EasyCodeSign
+  # Orchestrates the signing process for different file types
+  #
+  # @example Sign a gem file
+  #   signer = EasyCodeSign::Signer.new
+  #   result = signer.sign("my_gem-1.0.0.gem", pin: "1234")
+  #
+  # @example Sign with timestamp
+  #   signer = EasyCodeSign::Signer.new
+  #   result = signer.sign("archive.zip", pin: "1234", timestamp: true)
+  #
+  class Signer
+    attr_reader :provider, :configuration
+
+    def initialize(provider: nil, configuration: nil)
+      @configuration = configuration || EasyCodeSign.configuration
+      @provider = provider || EasyCodeSign.provider
+    end
+
+    # Sign a file
+    #
+    # @param file_path [String] path to file to sign
+    # @param pin [String, nil] PIN for hardware token (uses callback if nil)
+    # @param output_path [String, nil] output path (defaults to overwriting input)
+    # @param timestamp [Boolean] whether to add RFC 3161 timestamp
+    # @param algorithm [Symbol] signature algorithm (:sha256_rsa, etc.)
+    # @return [SigningResult] result containing signed file path and metadata
+    #
+    def sign(file_path, pin: nil, output_path: nil, timestamp: nil, algorithm: :sha256_rsa, **extra_options)
+      timestamp = configuration.require_timestamp if timestamp.nil?
+
+      signable = create_signable(file_path, output_path: output_path, algorithm: algorithm, **extra_options)
+      signable.prepare_for_signing
+
+      provider.with_session(pin: pin) do |session|
+        certificate_chain = session.certificate_chain
+        timestamp_token = nil
+
+        # PDF files use deferred signing (callback-based)
+        if signable.is_a?(Signable::PdfFile)
+          # Create signing callback for PDF
+          signing_callback = lambda do |data_to_sign|
+            sig = session.sign(data_to_sign, algorithm: algorithm)
+            # Request timestamp on the signature if needed
+            if timestamp
+              timestamp_token = request_timestamp(sig)
+            end
+            sig
+          end
+
+          signed_path = signable.apply_signature(
+            signing_callback,
+            certificate_chain,
+            timestamp_token: -> { timestamp_token }  # Lazy accessor since it's set in callback
+          )
+        else
+          # Standard flow for gem/zip files
+          content = signable.content_to_sign
+          signature = session.sign(content, algorithm: algorithm)
+
+          if timestamp
+            timestamp_token = request_timestamp(signature)
+          end
+
+          signed_path = signable.apply_signature(signature, certificate_chain, timestamp_token: timestamp_token)
+        end
+
+        SigningResult.new(
+          file_path: signed_path,
+          certificate: certificate_chain.first,
+          algorithm: algorithm,
+          timestamp_token: timestamp_token,
+          signed_at: Time.now
+        )
+      end
+    end
+
+    # Phase 1 of deferred PDF signing: prepare a PDF with a placeholder signature
+    # and return a DeferredSigningRequest containing the digest to be signed externally.
+    #
+    # Requires a hardware token session (PIN) to retrieve the signing certificate.
+    #
+    # @param file_path [String] path to the PDF
+    # @param pin [String, nil] PIN for hardware token
+    # @param digest_algorithm [String] hash algorithm ("sha256", "sha384", "sha512")
+    # @param timestamp [Boolean] whether to reserve space for a timestamp
+    # @return [DeferredSigningRequest]
+    def prepare_pdf(file_path, pin: nil, digest_algorithm: "sha256", timestamp: false, **extra_options)
+      signable = Signable::PdfFile.new(file_path, **extra_options)
+      timestamp_size = timestamp ? 4096 : 0
+
+      provider.with_session(pin: pin) do |session|
+        certificate_chain = session.certificate_chain
+
+        signable.prepare_deferred(
+          certificate_chain.first,
+          certificate_chain,
+          digest_algorithm: digest_algorithm,
+          timestamp_size: timestamp_size
+        )
+      end
+    end
+
+    # Phase 2 of deferred PDF signing: embed an externally-produced signature
+    # into the prepared PDF. No hardware token needed.
+    #
+    # @param deferred_request [DeferredSigningRequest] from Phase 1
+    # @param raw_signature [String] raw signature bytes from the external signer
+    # @return [SigningResult]
+    def finalize_pdf(deferred_request, raw_signature, timestamp: nil, timestamp_token: nil)
+      timestamp = configuration.require_timestamp if timestamp.nil?
+
+      if timestamp && timestamp_token.nil?
+        timestamp_token = request_timestamp(raw_signature)
+      end
+
+      signable = Signable::PdfFile.new(deferred_request.prepared_pdf_path)
+
+      signed_path = signable.finalize_deferred(deferred_request, raw_signature, timestamp_token: timestamp_token)
+
+      SigningResult.new(
+        file_path: signed_path,
+        certificate: deferred_request.certificate,
+        algorithm: :"#{deferred_request.digest_algorithm}_rsa",
+        timestamp_token: timestamp_token,
+        signed_at: deferred_request.signing_time
+      )
+    end
+
+    # Sign multiple files
+    #
+    # @param file_paths [Array<String>] paths to files to sign
+    # @param pin [String, nil] PIN for hardware token
+    # @param options [Hash] signing options passed to #sign
+    # @return [Array<SigningResult>] results for each file
+    #
+    def sign_batch(file_paths, pin: nil, **options)
+      results = []
+
+      provider.with_session(pin: pin) do |session|
+        file_paths.each do |path|
+          # Re-use the open session for batch signing
+          result = sign_with_session(session, path, **options)
+          results << result
+        end
+      end
+
+      results
+    end
+
+    private
+
+    def create_signable(file_path, **options)
+      extension = File.extname(file_path).downcase
+
+      case extension
+      when ".gem"
+        Signable::GemFile.new(file_path, **options)
+      when ".zip", ".jar", ".apk", ".war", ".ear"
+        Signable::ZipFile.new(file_path, **options)
+      when ".pdf"
+        Signable::PdfFile.new(file_path, **options)
+      else
+        raise InvalidFileError, "Unsupported file type: #{extension}. " \
+                                "Supported: .gem, .zip, .jar, .apk, .war, .ear, .pdf"
+      end
+    end
+
+    def sign_with_session(session, file_path, output_path: nil, timestamp: nil, algorithm: :sha256_rsa)
+      timestamp = configuration.require_timestamp if timestamp.nil?
+
+      signable = create_signable(file_path, output_path: output_path, algorithm: algorithm)
+      signable.prepare_for_signing
+
+      content = signable.content_to_sign
+      signature = session.sign(content, algorithm: algorithm)
+      certificate_chain = session.certificate_chain
+
+      timestamp_token = timestamp ? request_timestamp(signature) : nil
+
+      signed_path = signable.apply_signature(signature, certificate_chain, timestamp_token: timestamp_token)
+
+      SigningResult.new(
+        file_path: signed_path,
+        certificate: certificate_chain.first,
+        algorithm: algorithm,
+        timestamp_token: timestamp_token,
+        signed_at: Time.now
+      )
+    end
+
+    def request_timestamp(signature)
+      return nil unless configuration.timestamp_authority
+
+      client = Timestamp::Client.new(
+        configuration.timestamp_authority,
+        timeout: configuration.network_timeout
+      )
+
+      client.timestamp(
+        signature,
+        algorithm: configuration.timestamp_hash_algorithm
+      )
+    end
+  end
+
+  # Result of a signing operation
+  class SigningResult
+    attr_reader :file_path, :certificate, :algorithm, :timestamp_token, :signed_at
+
+    def initialize(file_path:, certificate:, algorithm:, timestamp_token:, signed_at:)
+      @file_path = file_path
+      @certificate = certificate
+      @algorithm = algorithm
+      @timestamp_token = timestamp_token
+      @signed_at = signed_at
+    end
+
+    def timestamped?
+      !timestamp_token.nil?
+    end
+
+    # Get the timestamp time
+    # @return [Time, nil]
+    def timestamp
+      timestamp_token&.timestamp
+    end
+
+    def signer_name
+      certificate.subject.to_s
+    end
+
+    # Get TSA info if timestamped
+    # @return [Hash, nil]
+    def timestamp_info
+      return nil unless timestamp_token
+
+      timestamp_token.to_h
+    end
+
+    def to_h
+      {
+        file_path: file_path,
+        signer: signer_name,
+        algorithm: algorithm,
+        timestamped: timestamped?,
+        timestamp: timestamp_info,
+        signed_at: signed_at
+      }
+    end
+  end
+end

data/lib/easy_code_sign/timestamp/client.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "uri"
+
+module EasyCodeSign
+  module Timestamp
+    # RFC 3161 Timestamp Authority Client
+    #
+    # Communicates with a TSA to obtain timestamp tokens for signatures.
+    #
+    # @example
+    #   client = Timestamp::Client.new("http://timestamp.digicert.com")
+    #   token = client.timestamp(signature_bytes, algorithm: :sha256)
+    #
+    class Client
+      CONTENT_TYPE = "application/timestamp-query"
+      ACCEPT_TYPE = "application/timestamp-reply"
+
+      attr_reader :url, :timeout, :username, :password
+
+      # Common TSA URLs for reference
+      KNOWN_TSAS = {
+        digicert: "http://timestamp.digicert.com",
+        globalsign: "http://timestamp.globalsign.com/tsa/r6advanced1",
+        sectigo: "http://timestamp.sectigo.com",
+        comodo: "http://timestamp.comodoca.com",
+        entrust: "http://timestamp.entrust.net/TSS/RFC3161sha2TS",
+        ssl_com: "http://ts.ssl.com"
+      }.freeze
+
+      # Create a new TSA client
+      #
+      # @param url [String] TSA URL
+      # @param timeout [Integer] HTTP timeout in seconds
+      # @param username [String, nil] HTTP Basic auth username
+      # @param password [String, nil] HTTP Basic auth password
+      #
+      def initialize(url, timeout: 30, username: nil, password: nil)
+        @url = url
+        @timeout = timeout
+        @username = username
+        @password = password
+      end
+
+      # Request a timestamp for data
+      #
+      # @param data [String] data to timestamp (typically a signature)
+      # @param algorithm [Symbol] hash algorithm (:sha256, :sha384, :sha512)
+      # @param cert_req [Boolean] request TSA certificate in response
+      # @return [TimestampToken] the timestamp token
+      # @raise [TimestampAuthorityError] if TSA request fails
+      # @raise [InvalidTimestampError] if response is invalid
+      #
+      def timestamp(data, algorithm: :sha256, cert_req: true)
+        request = Request.new(data, algorithm: algorithm, cert_req: cert_req)
+        response = send_request(request)
+
+        validate_response!(response, request)
+
+        TimestampToken.new(
+          token_der: response.token_der,
+          timestamp: response.timestamp,
+          serial_number: response.serial_number,
+          policy_oid: response.policy_oid,
+          tsa_url: url
+        )
+      end
+
+      # Check if the TSA is reachable
+      # @return [Boolean]
+      def available?
+        uri = URI.parse(url)
+        http = build_http(uri)
+        http.open_timeout = 5
+        http.read_timeout = 5
+
+        response = http.head(uri.path.empty? ? "/" : uri.path)
+        response.is_a?(Net::HTTPSuccess) || response.is_a?(Net::HTTPMethodNotAllowed)
+      rescue StandardError
+        false
+      end
+
+      private
+
+      def send_request(request)
+        uri = URI.parse(url)
+        http = build_http(uri)
+
+        http_request = Net::HTTP::Post.new(uri.path.empty? ? "/" : uri.path)
+        http_request["Content-Type"] = CONTENT_TYPE
+        http_request["Accept"] = ACCEPT_TYPE
+        http_request.body = request.to_der
+
+        if username && password
+          http_request.basic_auth(username, password)
+        end
+
+        response = http.request(http_request)
+
+        unless response.is_a?(Net::HTTPSuccess)
+          raise TimestampAuthorityError.new(
+            "TSA returned HTTP #{response.code}: #{response.message}",
+            http_status: response.code.to_i
+          )
+        end
+
+        Response.parse(response.body)
+      rescue Timeout::Error, Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e
+        raise TimestampAuthorityError, "Failed to connect to TSA: #{e.message}"
+      rescue SocketError => e
+        raise TimestampAuthorityError, "DNS resolution failed for TSA: #{e.message}"
+      end
+
+      def build_http(uri)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = (uri.scheme == "https")
+        http.open_timeout = timeout
+        http.read_timeout = timeout
+
+        if http.use_ssl?
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+
+        http
+      end
+
+      def validate_response!(response, request)
+        unless response.success?
+          raise TimestampAuthorityError, response.error_message
+        end
+
+        unless response.nonce_matches?(request.nonce)
+          raise InvalidTimestampError, "Nonce mismatch: response nonce does not match request"
+        end
+
+        # Verify message imprint matches
+        if response.message_imprint_hash != request.message_imprint_hash
+          raise InvalidTimestampError, "Message imprint mismatch: TSA timestamped different data"
+        end
+      end
+    end
+
+    # Represents a timestamp token obtained from a TSA
+    class TimestampToken
+      attr_reader :token_der, :timestamp, :serial_number, :policy_oid, :tsa_url
+
+      def initialize(token_der:, timestamp:, serial_number:, policy_oid:, tsa_url:)
+        @token_der = token_der
+        @timestamp = timestamp
+        @serial_number = serial_number
+        @policy_oid = policy_oid
+        @tsa_url = tsa_url
+      end
+
+      # Get the timestamp as ISO 8601 string
+      # @return [String]
+      def timestamp_iso8601
+        timestamp&.iso8601
+      end
+
+      # Get the PKCS#7 structure
+      # @return [OpenSSL::PKCS7]
+      def pkcs7
+        @pkcs7 ||= OpenSSL::PKCS7.new(token_der)
+      end
+
+      # Get the TSA signing certificate (if included in response)
+      # @return [OpenSSL::X509::Certificate, nil]
+      def tsa_certificate
+        pkcs7.certificates&.first
+      end
+
+      def to_h
+        {
+          timestamp: timestamp_iso8601,
+          serial_number: serial_number,
+          policy_oid: policy_oid,
+          tsa_url: tsa_url
+        }
+      end
+    end
+  end
+end

data/lib/easy_code_sign/timestamp/request.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "securerandom"
+
+module EasyCodeSign
+  module Timestamp
+    # RFC 3161 Timestamp Request builder
+    #
+    # Creates a TimeStampReq ASN.1 structure for submission to a TSA.
+    #
+    # @example
+    #   request = Timestamp::Request.new(signature_data, algorithm: :sha256)
+    #   der_bytes = request.to_der
+    #
+    class Request
+      # OIDs for hash algorithms
+      HASH_ALGORITHM_OIDS = {
+        sha256: "2.16.840.1.101.3.4.2.1",
+        sha384: "2.16.840.1.101.3.4.2.2",
+        sha512: "2.16.840.1.101.3.4.2.3",
+        sha1: "1.3.14.3.2.26" # Legacy, not recommended
+      }.freeze
+
+      attr_reader :data, :algorithm, :nonce, :cert_req, :policy_oid
+
+      # Create a new timestamp request
+      #
+      # @param data [String] the data to timestamp (typically a signature)
+      # @param algorithm [Symbol] hash algorithm (:sha256, :sha384, :sha512)
+      # @param cert_req [Boolean] request signing certificate in response
+      # @param policy_oid [String, nil] optional TSA policy OID
+      #
+      def initialize(data, algorithm: :sha256, cert_req: true, policy_oid: nil)
+        @data = data
+        @algorithm = algorithm
+        @cert_req = cert_req
+        @policy_oid = policy_oid
+        @nonce = generate_nonce
+      end
+
+      # Get the message digest of the data
+      # @return [String] hash bytes
+      def message_imprint_hash
+        digest_class.digest(data)
+      end
+
+      # Encode the request as DER
+      # @return [String] DER-encoded TimeStampReq
+      def to_der
+        # TimeStampReq ::= SEQUENCE {
+        #   version          INTEGER { v1(1) },
+        #   messageImprint   MessageImprint,
+        #   reqPolicy        TSAPolicyId OPTIONAL,
+        #   nonce            INTEGER OPTIONAL,
+        #   certReq          BOOLEAN DEFAULT FALSE,
+        #   extensions       [0] IMPLICIT Extensions OPTIONAL
+        # }
+
+        seq = OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Integer.new(1), # version
+          message_imprint_asn1,
+          # reqPolicy omitted if nil
+          policy_oid ? OpenSSL::ASN1::ObjectId.new(policy_oid) : nil,
+          OpenSSL::ASN1::Integer.new(nonce),
+          OpenSSL::ASN1::Boolean.new(cert_req)
+        ].compact)
+
+        seq.to_der
+      end
+
+      # Get the hash algorithm OID
+      # @return [String]
+      def algorithm_oid
+        HASH_ALGORITHM_OIDS[algorithm] or
+          raise ArgumentError, "Unsupported algorithm: #{algorithm}"
+      end
+
+      private
+
+      def message_imprint_asn1
+        # MessageImprint ::= SEQUENCE {
+        #   hashAlgorithm    AlgorithmIdentifier,
+        #   hashedMessage    OCTET STRING
+        # }
+
+        algo_id = OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::ObjectId.new(algorithm_oid),
+          OpenSSL::ASN1::Null.new(nil)
+        ])
+
+        OpenSSL::ASN1::Sequence.new([
+          algo_id,
+          OpenSSL::ASN1::OctetString.new(message_imprint_hash)
+        ])
+      end
+
+      def digest_class
+        case algorithm
+        when :sha256 then OpenSSL::Digest::SHA256
+        when :sha384 then OpenSSL::Digest::SHA384
+        when :sha512 then OpenSSL::Digest::SHA512
+        when :sha1 then OpenSSL::Digest::SHA1
+        else raise ArgumentError, "Unsupported algorithm: #{algorithm}"
+        end
+      end
+
+      def generate_nonce
+        # Generate a random 64-bit nonce
+        SecureRandom.random_number(2**64)
+      end
+    end
+  end
+end