Key Vault support for SignTool

dtivel · Aug 6, 2017 · ea0f837 · ea0f837
1 parent dd2f9ab
commit ea0f837
Show file tree

Hide file tree

Showing 35 changed files with 46,307 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -247,4 +247,6 @@ ModelManifest.xml
 /src/SignClient/Properties/launchSettings.json
 /src/SignService/appsettings.development.json
 
-/src/SignService/tools/SDK/
+/src/SignService/tools/SDK/
+!**/KeyVaultSignToolWrapper/x86/
+!**/KeyVaultSignToolWrapper/x64/
diff --git a/src/SignService/Controllers/SignController.cs b/src/SignService/Controllers/SignController.cs
@@ -11,6 +11,7 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using SignService.SigningTools;
+using Microsoft.Extensions.Options;
 
 namespace SignService.Controllers
 {
@@ -20,13 +21,15 @@ namespace SignService.Controllers
     public class SignController : Controller
     {
         readonly ISigningToolAggregate codeSignAggregate;
+        readonly IOptionsSnapshot<Settings> settings;
         readonly ILogger<SignController> logger;
 
 
 
-        public SignController(ISigningToolAggregate codeSignAggregate, ILogger<SignController> logger)
+        public SignController(ISigningToolAggregate codeSignAggregate, IOptionsSnapshot<Settings> settings, ILogger<SignController> logger)
         {
             this.codeSignAggregate = codeSignAggregate;
+            this.settings = settings;
             this.logger = logger;
         }
 
@@ -46,6 +49,16 @@ public async Task<IActionResult> SignFile(IFormFile source, IFormFile filelist,
                 return BadRequest();
             }
 
+            // If we're in Key Vault enabled mode, don't allow dual since SHA-1 isn't supported
+            if (settings.Value.CertificateInfo.UseKeyVault)
+            {
+                if (hashMode == HashMode.Sha1 || hashMode == HashMode.Dual)
+                {
+                    ModelState.AddModelError(nameof(hashMode), "Azure Key Vault does not support SHA-1. Use sha256");
+                    return BadRequest(ModelState);
+                }
+            }
+
             var dataDir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
             Directory.CreateDirectory(dataDir);
 

diff --git a/src/SignService/SignService.csproj b/src/SignService/SignService.csproj
@@ -20,10 +20,10 @@
     <SdkFile Include="$(WinSdkBinDir)mssign32.dll" />
     <SdkFile Include="$(WinSdkBinDir)opcservices.dll" />
     <SdkFile Include="$(WinSdkBinDir)signtool.exe" />
-    <!--<SdkFile Include="$(WinSdkBinDir)signtool.exe.manifest" />-->
+    <SdkFile Include="$(WinSdkBinDir)signtool.exe.manifest" />
     <SdkFile Include="$(WinSdkBinDir)wintrust.dll" />
     <SdkFile Include="$(WinSdkBinDir)wintrust.dll.ini" />
-    <SdkFile Include="$(NetSdkBinDir)mage.exe"/>
+    <SdkFile Include="$(NetSdkBinDir)mage.exe" />
 
     <None Update="wwwroot\**\*;Views;Areas\**\Views;tools\**\*">
       <CopyToPublishDirectory>PreserveNewest</CopyToPublishDirectory>

diff --git a/src/SignService/SigningTools/SigntoolCodeSignService.cs b/src/SignService/SigningTools/SigntoolCodeSignService.cs
@@ -28,10 +28,14 @@ class SigntoolCodeSignService : ICodeSignService
     {
         readonly string timeStampUrl;
         readonly string thumbprint;
+        private readonly Settings settings;
+        private readonly AadOptions aadOptions;
         readonly ILogger<SigntoolCodeSignService> logger;
         readonly IAppxFileFactory appxFileFactory;
 
         readonly string signtoolPath;
+        readonly string keyVaultSignToolPath;
+        readonly bool isKeyVault;
 
         // Four things at once as we're hitting the sign server
         readonly ParallelOptions options = new ParallelOptions
@@ -40,13 +44,17 @@ class SigntoolCodeSignService : ICodeSignService
         };
 
 
-        public SigntoolCodeSignService(IOptionsSnapshot<Settings> settings, ILogger<SigntoolCodeSignService> logger, IAppxFileFactory appxFileFactory)
+        public SigntoolCodeSignService(IOptionsSnapshot<Settings> settings, IOptionsSnapshot<AadOptions> aadOptions, ILogger<SigntoolCodeSignService> logger, IAppxFileFactory appxFileFactory, IHostingEnvironment hostingEnvironment)
         {
             timeStampUrl = settings.Value.CertificateInfo.TimestampUrl;
             thumbprint = settings.Value.CertificateInfo.Thumbprint;
+            this.settings = settings.Value;
+            this.aadOptions = aadOptions.Value;
             this.logger = logger;
             this.appxFileFactory = appxFileFactory;
             signtoolPath = Path.Combine(settings.Value.WinSdkBinDirectory, "signtool.exe");
+            keyVaultSignToolPath = Path.Combine(hostingEnvironment.ContentRootPath, "tools\\KeyVaultSignToolWrapper\\KeyVaultSignToolWrapper.exe");
+            isKeyVault = settings.Value.CertificateInfo.UseKeyVault;
         }
 
         public Task Submit(HashMode hashMode, string name, string description, string descriptionUrl, IList<string> files, string filter)
@@ -79,6 +87,8 @@ void SubmitInternal(HashMode hashMode, string name, string description, string d
             }
 
             var descArgs = string.Join(" ", descArgsList);
+            var certParam = isKeyVault ? string.Empty : $@" /sha1 {thumbprint}";
+
 
 
             Parallel.ForEach(files, options, (file, state) =>
@@ -94,9 +104,10 @@ void SubmitInternal(HashMode hashMode, string name, string description, string d
                 string args;
                 if (hashMode == HashMode.Dual)
                 {
-                    // Sign it with sha1
+                    if (isKeyVault)
+                        throw new NotSupportedException("Key Vault does not support SHA-1");
 
-                    args = $@"sign /t {timeStampUrl} {descArgs} /sha1 {thumbprint} ""{file}""";
+                    args = $@"sign /t {timeStampUrl} {descArgs} {certParam} ""{file}""";
 
                     if (!Sign(args))
                     {
@@ -107,7 +118,19 @@ void SubmitInternal(HashMode hashMode, string name, string description, string d
 
                 var appendParam = hashMode == HashMode.Dual ? "/as" : string.Empty;
 
-                args = $@"sign /tr {timeStampUrl} {appendParam} /fd sha256 /td sha256 {descArgs} /sha1 {thumbprint} ""{file}""";
+
+                args = $@"sign /tr {timeStampUrl} {appendParam} /fd sha256 /td sha256 {descArgs} {certParam} ";
+
+                if (!isKeyVault)
+                {
+                    // Not key vault, append the file parameter
+                    args += $@" ""{file}"" ";
+                }
+                else
+                {
+                    args = $@"sign ""{file}"" ""{signtoolPath}"" ""{args}"" -kvu {settings.CertificateInfo.KeyVaultUrl} -kvc {settings.CertificateInfo.KeyVaultCertificateName} -kvi {aadOptions.ClientId} -kvs {aadOptions.ClientSecret}";
+                }
+
                 // Append a sha256 signature
                 if (!Sign(args))
                 {
@@ -164,7 +187,7 @@ bool RunSignTool(string args)
             {
                 StartInfo =
                 {
-                    FileName = signtoolPath,
+                    FileName = isKeyVault ? keyVaultSignToolPath : signtoolPath,
                     UseShellExecute = false,
                     RedirectStandardError = false,
                     RedirectStandardOutput = false,

diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/KeyVaultSignToolWrapper.exe b/src/SignService/tools/KeyVaultSignToolWrapper/KeyVaultSignToolWrapper.exe
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Azure.KeyVault.WebKey.dll b/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Azure.KeyVault.WebKey.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Azure.KeyVault.dll b/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Azure.KeyVault.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Extensions.CommandLineUtils.dll b/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Extensions.CommandLineUtils.dll
diff --git a/...ools/KeyVaultSignToolWrapper/Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll b/...ools/KeyVaultSignToolWrapper/Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll
diff --git a/...Service/tools/KeyVaultSignToolWrapper/Microsoft.IdentityModel.Clients.ActiveDirectory.dll b/...Service/tools/KeyVaultSignToolWrapper/Microsoft.IdentityModel.Clients.ActiveDirectory.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Rest.ClientRuntime.Azure.dll b/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Rest.ClientRuntime.Azure.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Rest.ClientRuntime.dll b/src/SignService/tools/KeyVaultSignToolWrapper/Microsoft.Rest.ClientRuntime.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/Newtonsoft.Json.dll b/src/SignService/tools/KeyVaultSignToolWrapper/Newtonsoft.Json.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/x64/KeyVaultSigner.dll b/src/SignService/tools/KeyVaultSignToolWrapper/x64/KeyVaultSigner.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/x64/Microsoft.Azure.KeyVault.WebKey.dll b/src/SignService/tools/KeyVaultSignToolWrapper/x64/Microsoft.Azure.KeyVault.WebKey.dll
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/x64/Microsoft.Azure.KeyVault.WebKey.xml b/src/SignService/tools/KeyVaultSignToolWrapper/x64/Microsoft.Azure.KeyVault.WebKey.xml
diff --git a/src/SignService/tools/KeyVaultSignToolWrapper/x64/Microsoft.Azure.KeyVault.dll b/src/SignService/tools/KeyVaultSignToolWrapper/x64/Microsoft.Azure.KeyVault.dll