easy_code_sign 0.1.0

data/lib/easy_code_sign/verification/certificate_chain.rb

@@ -0,0 +1,298 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "net/http"
+require "uri"
+
+module EasyCodeSign
+  module Verification
+    # Validates certificate chains and checks revocation status
+    #
+    # @example
+    #   validator = CertificateChain.new(trust_store)
+    #   result = validator.validate(cert, intermediates)
+    #
+    class CertificateChain
+      attr_reader :trust_store
+
+      def initialize(trust_store, check_revocation: false, network_timeout: 10)
+        @trust_store = trust_store
+        @check_revocation = check_revocation
+        @network_timeout = network_timeout
+      end
+
+      # Validate a certificate chain
+      #
+      # @param certificate [OpenSSL::X509::Certificate] end-entity certificate
+      # @param intermediates [Array<OpenSSL::X509::Certificate>] intermediate certs
+      # @param at_time [Time, nil] verify at specific time (nil = now)
+      # @return [ChainValidationResult]
+      #
+      def validate(certificate, intermediates = [], at_time: nil)
+        result = ChainValidationResult.new
+        result.certificate = certificate
+
+        # Set verification time if specified
+        if at_time
+          trust_store.at_time(at_time)
+        end
+
+        # Build the chain
+        chain = build_chain(certificate, intermediates)
+        result.chain = chain
+
+        # Verify basic certificate validity
+        validate_certificate(certificate, result, at_time)
+
+        # Verify chain to trusted root
+        validate_chain_trust(certificate, chain, result)
+
+        # Check revocation if enabled
+        if @check_revocation && result.chain_valid
+          check_revocation_status(certificate, chain, result)
+        end
+
+        # Check code signing extended key usage
+        check_key_usage(certificate, result)
+
+        result.valid = result.certificate_valid && result.chain_valid &&
+                       result.trusted && result.not_revoked
+
+        result
+      end
+
+      private
+
+      def build_chain(leaf, intermediates)
+        chain = [leaf]
+        current = leaf
+        remaining = intermediates.dup
+
+        # Build chain by matching issuer -> subject
+        loop do
+          issuer = remaining.find { |c| c.subject.to_s == current.issuer.to_s }
+          break unless issuer
+
+          chain << issuer
+          remaining.delete(issuer)
+          current = issuer
+
+          # Stop if self-signed (root)
+          break if current.subject.to_s == current.issuer.to_s
+        end
+
+        chain
+      end
+
+      def validate_certificate(cert, result, at_time)
+        check_time = at_time || Time.now
+
+        # Check not before
+        if check_time < cert.not_before
+          result.add_error("Certificate not yet valid (starts #{cert.not_before})")
+          result.certificate_valid = false
+          return
+        end
+
+        # Check not after
+        if check_time > cert.not_after
+          result.add_error("Certificate expired (#{cert.not_after})")
+          result.expired = true
+          result.certificate_valid = false
+          return
+        end
+
+        result.certificate_valid = true
+        result.expires_at = cert.not_after
+
+        # Warn if expiring soon (30 days)
+        days_until_expiry = (cert.not_after - Time.now) / 86_400
+        if days_until_expiry < 30 && days_until_expiry > 0
+          result.add_warning("Certificate expires in #{days_until_expiry.to_i} days")
+        end
+      end
+
+      def validate_chain_trust(cert, chain, result)
+        # Remove leaf cert from chain for verification
+        intermediates = chain[1..] || []
+
+        verification = trust_store.verify(cert, intermediates)
+
+        if verification[:trusted]
+          result.chain_valid = true
+          result.trusted = true
+        else
+          result.chain_valid = false
+          result.trusted = false
+          result.add_error("Certificate chain validation failed: #{verification[:error]}")
+        end
+      end
+
+      def check_revocation_status(cert, chain, result)
+        result.revocation_checked = true
+
+        # Try OCSP first (faster, real-time)
+        ocsp_result = check_ocsp(cert, chain)
+        if ocsp_result
+          if ocsp_result[:revoked]
+            result.not_revoked = false
+            result.add_error("Certificate has been revoked (OCSP)")
+          else
+            result.not_revoked = true
+          end
+          return
+        end
+
+        # Fall back to CRL if OCSP unavailable
+        crl_result = check_crl(cert, chain)
+        if crl_result
+          if crl_result[:revoked]
+            result.not_revoked = false
+            result.add_error("Certificate has been revoked (CRL)")
+          else
+            result.not_revoked = true
+          end
+        else
+          result.add_warning("Could not check revocation status")
+        end
+      end
+
+      def check_ocsp(cert, chain)
+        # Find OCSP responder URL from certificate
+        ocsp_uri = extract_ocsp_uri(cert)
+        return nil unless ocsp_uri
+
+        issuer = chain[1] # Issuer is second in chain
+        return nil unless issuer
+
+        begin
+          # Build OCSP request
+          digest = OpenSSL::Digest.new("SHA256")
+          cert_id = OpenSSL::OCSP::CertificateId.new(cert, issuer, digest)
+          request = OpenSSL::OCSP::Request.new
+          request.add_certid(cert_id)
+          request.add_nonce
+
+          # Send request
+          uri = URI.parse(ocsp_uri)
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = (uri.scheme == "https")
+          http.open_timeout = @network_timeout
+          http.read_timeout = @network_timeout
+
+          http_request = Net::HTTP::Post.new(uri.path)
+          http_request["Content-Type"] = "application/ocsp-request"
+          http_request.body = request.to_der
+
+          response = http.request(http_request)
+          return nil unless response.is_a?(Net::HTTPSuccess)
+
+          ocsp_response = OpenSSL::OCSP::Response.new(response.body)
+          return nil unless ocsp_response.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+
+          basic = ocsp_response.basic
+          return nil unless basic
+
+          # Check certificate status
+          status, = basic.status.find { |s| s[0].cmp(cert_id) }
+          return nil unless status
+
+          { revoked: status[1] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED }
+        rescue StandardError
+          nil
+        end
+      end
+
+      def check_crl(cert, chain)
+        crl_uri = extract_crl_uri(cert)
+        return nil unless crl_uri
+
+        begin
+          uri = URI.parse(crl_uri)
+          response = Net::HTTP.get_response(uri)
+          return nil unless response.is_a?(Net::HTTPSuccess)
+
+          crl = OpenSSL::X509::CRL.new(response.body)
+
+          # Check if certificate is in CRL
+          revoked = crl.revoked.any? { |r| r.serial == cert.serial }
+          { revoked: revoked }
+        rescue StandardError
+          nil
+        end
+      end
+
+      def extract_ocsp_uri(cert)
+        aia = cert.extensions.find { |e| e.oid == "authorityInfoAccess" }
+        return nil unless aia
+
+        match = aia.value.match(/OCSP - URI:(\S+)/)
+        match ? match[1] : nil
+      end
+
+      def extract_crl_uri(cert)
+        cdp = cert.extensions.find { |e| e.oid == "crlDistributionPoints" }
+        return nil unless cdp
+
+        match = cdp.value.match(/URI:(\S+)/)
+        match ? match[1] : nil
+      end
+
+      def check_key_usage(cert, result)
+        # Check for code signing EKU
+        eku = cert.extensions.find { |e| e.oid == "extendedKeyUsage" }
+
+        if eku
+          unless eku.value.include?("Code Signing")
+            result.add_warning("Certificate does not have Code Signing extended key usage")
+          end
+        else
+          result.add_warning("Certificate has no extended key usage extension")
+        end
+      end
+    end
+
+    # Result of certificate chain validation
+    class ChainValidationResult
+      attr_accessor :valid, :certificate, :chain,
+                    :certificate_valid, :chain_valid, :trusted,
+                    :not_revoked, :revocation_checked, :expired,
+                    :expires_at, :errors, :warnings
+
+      def initialize
+        @valid = false
+        @certificate_valid = false
+        @chain_valid = false
+        @trusted = false
+        @not_revoked = true
+        @revocation_checked = false
+        @expired = false
+        @errors = []
+        @warnings = []
+      end
+
+      def add_error(msg)
+        @errors << msg
+      end
+
+      def add_warning(msg)
+        @warnings << msg
+      end
+
+      def to_h
+        {
+          valid: valid,
+          certificate_valid: certificate_valid,
+          chain_valid: chain_valid,
+          trusted: trusted,
+          not_revoked: not_revoked,
+          revocation_checked: revocation_checked,
+          expired: expired,
+          expires_at: expires_at&.iso8601,
+          errors: errors,
+          warnings: warnings
+        }
+      end
+    end
+  end
+end

data/lib/easy_code_sign/verification/result.rb

@@ -0,0 +1,222 @@
+# frozen_string_literal: true
+
+module EasyCodeSign
+  module Verification
+    # Comprehensive result of signature verification
+    #
+    # Provides detailed information about each aspect of verification:
+    # - Signature validity (cryptographic check)
+    # - Certificate chain validity
+    # - Trust status (chains to trusted root)
+    # - Timestamp validity (if present)
+    # - File integrity (content hasn't been modified)
+    #
+    # @example
+    #   result = EasyCodeSign.verify("signed.gem")
+    #   if result.valid?
+    #     puts "Signed by: #{result.signer_name}"
+    #     puts "Signed at: #{result.timestamp}" if result.timestamped?
+    #   else
+    #     puts "Verification failed:"
+    #     result.errors.each { |e| puts "  - #{e}" }
+    #   end
+    #
+    class Result
+      # Overall verification status
+      attr_accessor :valid
+
+      # Individual check results
+      attr_accessor :signature_valid,    # Cryptographic signature is valid
+                    :integrity_valid,    # File content matches signature
+                    :certificate_valid,  # Certificate is valid (not expired, etc.)
+                    :chain_valid,        # Certificate chain is complete
+                    :trusted,            # Chain leads to trusted root
+                    :timestamp_valid,    # Timestamp is valid (if present)
+                    :not_revoked         # Certificate not revoked (if checked)
+
+      # Signer information
+      attr_accessor :signer_certificate, # The signing certificate
+                    :certificate_chain,  # Full chain from signer to root
+                    :signer_name,        # CN from certificate
+                    :signer_organization # O from certificate
+
+      # Timestamp information
+      attr_accessor :timestamped,        # Whether timestamp is present
+                    :timestamp,          # Time from timestamp token
+                    :timestamp_authority # TSA name/URL
+
+      # Detailed messages
+      attr_accessor :errors,   # Array of error messages
+                    :warnings  # Array of warning messages
+
+      # File information
+      attr_accessor :file_path,
+                    :file_type,      # :gem, :zip, etc.
+                    :signature_algorithm
+
+      def initialize
+        @valid = false
+        @signature_valid = false
+        @integrity_valid = false
+        @certificate_valid = false
+        @chain_valid = false
+        @trusted = false
+        @timestamp_valid = false
+        @not_revoked = true  # Assume not revoked unless checked
+        @timestamped = false
+        @errors = []
+        @warnings = []
+      end
+
+      # Overall validity check
+      # @return [Boolean]
+      def valid?
+        valid
+      end
+
+      # Check if signature is cryptographically valid
+      # @return [Boolean]
+      def signature_valid?
+        signature_valid
+      end
+
+      # Check if file integrity is intact
+      # @return [Boolean]
+      def integrity_valid?
+        integrity_valid
+      end
+
+      # Check if certificate is valid
+      # @return [Boolean]
+      def certificate_valid?
+        certificate_valid
+      end
+
+      # Check if certificate chain is valid
+      # @return [Boolean]
+      def chain_valid?
+        chain_valid
+      end
+
+      # Check if signing certificate is trusted
+      # @return [Boolean]
+      def trusted?
+        trusted
+      end
+
+      # Check if timestamp is present
+      # @return [Boolean]
+      def timestamped?
+        timestamped
+      end
+
+      # Check if timestamp is valid
+      # @return [Boolean]
+      def timestamp_valid?
+        timestamp_valid
+      end
+
+      # Check if certificate revocation was verified
+      # @return [Boolean]
+      def revocation_checked?
+        @revocation_checked || false
+      end
+
+      attr_writer :revocation_checked
+
+      # Get certificate expiration date
+      # @return [Time, nil]
+      def certificate_expires_at
+        signer_certificate&.not_after
+      end
+
+      # Check if certificate is currently expired
+      # @return [Boolean]
+      def certificate_expired?
+        return false unless signer_certificate
+
+        signer_certificate.not_after < Time.now
+      end
+
+      # Check if certificate was valid at signing time (requires timestamp)
+      # @return [Boolean, nil] nil if no timestamp
+      def certificate_valid_at_signing?
+        return nil unless timestamped? && timestamp && signer_certificate
+
+        timestamp >= signer_certificate.not_before &&
+          timestamp <= signer_certificate.not_after
+      end
+
+      # Add an error message
+      # @param message [String]
+      def add_error(message)
+        errors << message
+      end
+
+      # Add a warning message
+      # @param message [String]
+      def add_warning(message)
+        warnings << message
+      end
+
+      # Convert to hash for serialization
+      # @return [Hash]
+      def to_h
+        {
+          valid: valid,
+          file_path: file_path,
+          file_type: file_type,
+          checks: {
+            signature_valid: signature_valid,
+            integrity_valid: integrity_valid,
+            certificate_valid: certificate_valid,
+            chain_valid: chain_valid,
+            trusted: trusted,
+            timestamp_valid: timestamp_valid,
+            not_revoked: not_revoked
+          },
+          signer: {
+            name: signer_name,
+            organization: signer_organization,
+            certificate_expires: certificate_expires_at&.iso8601
+          },
+          timestamp: timestamped ? {
+            time: timestamp&.iso8601,
+            authority: timestamp_authority,
+            valid: timestamp_valid
+          } : nil,
+          errors: errors,
+          warnings: warnings
+        }
+      end
+
+      # Human-readable summary
+      # @return [String]
+      def summary
+        status = valid? ? "VALID" : "INVALID"
+        lines = ["Signature: #{status}"]
+
+        if signer_name
+          lines << "Signer: #{signer_name}"
+          lines << "Organization: #{signer_organization}" if signer_organization
+        end
+
+        if timestamped?
+          lines << "Timestamp: #{timestamp&.iso8601} (#{timestamp_valid? ? 'valid' : 'invalid'})"
+        end
+
+        unless errors.empty?
+          lines << "Errors:"
+          errors.each { |e| lines << "  - #{e}" }
+        end
+
+        unless warnings.empty?
+          lines << "Warnings:"
+          warnings.each { |w| lines << "  - #{w}" }
+        end
+
+        lines.join("\n")
+      end
+    end
+  end
+end

data/lib/easy_code_sign/verification/signature_checker.rb

@@ -0,0 +1,196 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module EasyCodeSign
+  module Verification
+    # Performs cryptographic signature verification
+    #
+    # Handles PKCS#7 signature verification for both gem and ZIP files.
+    #
+    class SignatureChecker
+      # Verify a PKCS#7 signature
+      #
+      # @param pkcs7_der [String] DER-encoded PKCS#7 signature
+      # @param content [String] the signed content
+      # @param trust_store [TrustStore] trust store for verification
+      # @return [SignatureCheckResult]
+      #
+      def verify_pkcs7(pkcs7_der, content, trust_store)
+        result = SignatureCheckResult.new
+
+        begin
+          pkcs7 = OpenSSL::PKCS7.new(pkcs7_der)
+          result.signature_parsed = true
+
+          # Extract certificates
+          result.certificates = pkcs7.certificates || []
+          result.signer_certificate = result.certificates.first
+
+          # Verify the signature
+          # NOVERIFY flag skips certificate chain verification (we do that separately)
+          flags = OpenSSL::PKCS7::NOVERIFY
+
+          if pkcs7.verify(result.certificates, trust_store.store, content, flags)
+            result.signature_valid = true
+          else
+            result.signature_valid = false
+            result.add_error("PKCS#7 signature verification failed")
+          end
+
+          # Extract signature algorithm info
+          extract_signature_info(pkcs7, result)
+
+        rescue OpenSSL::PKCS7::PKCS7Error => e
+          result.signature_valid = false
+          result.add_error("PKCS#7 error: #{e.message}")
+        rescue StandardError => e
+          result.signature_valid = false
+          result.add_error("Signature verification error: #{e.message}")
+        end
+
+        result
+      end
+
+      # Verify a detached PKCS#7 signature (signature separate from content)
+      #
+      # @param pkcs7_der [String] DER-encoded PKCS#7 signature
+      # @param content [String] the original content that was signed
+      # @param trust_store [TrustStore] trust store for verification
+      # @return [SignatureCheckResult]
+      #
+      def verify_detached_pkcs7(pkcs7_der, content, trust_store)
+        result = SignatureCheckResult.new
+
+        begin
+          pkcs7 = OpenSSL::PKCS7.new(pkcs7_der)
+          result.signature_parsed = true
+
+          result.certificates = pkcs7.certificates || []
+          result.signer_certificate = result.certificates.first
+
+          # For detached signatures, we need to provide the content
+          flags = OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::DETACHED
+
+          store = trust_store.store
+
+          if pkcs7.verify(result.certificates, store, content, flags)
+            result.signature_valid = true
+          else
+            result.signature_valid = false
+            result.add_error("Detached PKCS#7 signature verification failed")
+          end
+
+          extract_signature_info(pkcs7, result)
+
+        rescue OpenSSL::PKCS7::PKCS7Error => e
+          result.signature_valid = false
+          result.add_error("PKCS#7 error: #{e.message}")
+        rescue StandardError => e
+          result.signature_valid = false
+          result.add_error("Signature verification error: #{e.message}")
+        end
+
+        result
+      end
+
+      # Verify a raw signature (not PKCS#7 wrapped)
+      #
+      # @param signature [String] raw signature bytes
+      # @param content [String] the signed content
+      # @param certificate [OpenSSL::X509::Certificate] signer's certificate
+      # @param algorithm [Symbol] signature algorithm used
+      # @return [SignatureCheckResult]
+      #
+      def verify_raw(signature, content, certificate, algorithm: :sha256)
+        result = SignatureCheckResult.new
+        result.signer_certificate = certificate
+        result.certificates = [certificate]
+
+        begin
+          public_key = certificate.public_key
+          digest = digest_for_algorithm(algorithm)
+
+          if public_key.verify(digest, signature, content)
+            result.signature_valid = true
+          else
+            result.signature_valid = false
+            result.add_error("Raw signature verification failed")
+          end
+
+          result.signature_algorithm = algorithm
+
+        rescue OpenSSL::PKey::PKeyError => e
+          result.signature_valid = false
+          result.add_error("Public key error: #{e.message}")
+        rescue StandardError => e
+          result.signature_valid = false
+          result.add_error("Signature verification error: #{e.message}")
+        end
+
+        result
+      end
+
+      private
+
+      def extract_signature_info(pkcs7, result)
+        # Try to extract algorithm info from signers
+        signers = pkcs7.signers rescue []
+        if signers.any?
+          signer = signers.first
+          result.signature_algorithm = signer.digest_algorithm.name rescue nil
+        end
+      end
+
+      def digest_for_algorithm(algorithm)
+        case algorithm
+        when :sha256, :sha256_rsa, :sha256_ecdsa
+          OpenSSL::Digest::SHA256.new
+        when :sha384, :sha384_rsa, :sha384_ecdsa
+          OpenSSL::Digest::SHA384.new
+        when :sha512, :sha512_rsa, :sha512_ecdsa
+          OpenSSL::Digest::SHA512.new
+        else
+          OpenSSL::Digest::SHA256.new
+        end
+      end
+    end
+
+    # Result of signature verification
+    class SignatureCheckResult
+      attr_accessor :signature_valid, :signature_parsed,
+                    :signer_certificate, :certificates,
+                    :signature_algorithm, :errors
+
+      def initialize
+        @signature_valid = false
+        @signature_parsed = false
+        @certificates = []
+        @errors = []
+      end
+
+      def valid?
+        signature_valid
+      end
+
+      def add_error(msg)
+        @errors << msg
+      end
+
+      def signer_name
+        signer_certificate&.subject&.to_s
+      end
+
+      def to_h
+        {
+          valid: signature_valid,
+          parsed: signature_parsed,
+          algorithm: signature_algorithm,
+          signer: signer_name,
+          certificate_count: certificates.size,
+          errors: errors
+        }
+      end
+    end
+  end
+end