From f83c35c7873c82d40b3cb9ba6acc5344043798e5 Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:21:13 -0700
Subject: [PATCH 01/11] Add password support for certificate files
---
CoseSignTool.tests/MainTests.cs | 36 ++++++++++++++++++---
CoseSignTool/SignCommand.cs | 56 +++++++++++++++++++++++----------
2 files changed, 72 insertions(+), 20 deletions(-)
diff --git a/CoseSignTool.tests/MainTests.cs b/CoseSignTool.tests/MainTests.cs
index ba18b022..a24d1518 100644
--- a/CoseSignTool.tests/MainTests.cs
+++ b/CoseSignTool.tests/MainTests.cs
@@ -2,6 +2,7 @@
// Licensed under the MIT License.
namespace CoseSignUnitTests;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
using CST = CoseSignTool.CoseSignTool;
@@ -25,6 +26,7 @@ public class MainTests
private static string PublicKeyIntermediateCertFile;
private static string PublicKeyRootCertFile;
private static string PrivateKeyCertFileChained;
+ private static string PrivateKeyCertFileChainedWithPassword;
private static string PayloadFile;
private static readonly byte[] Payload1Bytes = Encoding.ASCII.GetBytes("Payload1!");
@@ -46,6 +48,8 @@ public MainTests()
File.WriteAllBytes(PublicKeyIntermediateCertFile, Int1Priv.Export(X509ContentType.Cert));
PrivateKeyCertFileChained = Path.GetTempFileName() + ".pfx";
File.WriteAllBytes(PrivateKeyCertFileChained, Leaf1Priv.Export(X509ContentType.Pkcs12));
+ PrivateKeyCertFileChainedWithPassword = Path.GetTempFileName() + ".pfx";
+ File.WriteAllBytes(PrivateKeyCertFileChainedWithPassword, Leaf1Priv.Export(X509ContentType.Pkcs12, "password"));
}
[TestMethod]
@@ -55,21 +59,21 @@ public void FromMainValid()
// sign detached
string[] args1 = { "sign", @"/p", PayloadFile, @"/pfx", PrivateKeyCertFileChained };
- CST.Main(args1).Should().Be(0, "Detach sign failed.");
+ CST.Main(args1).Should().Be((int)ExitCode.Success, "Detach sign failed.");
// sign embedded
string[] args2 = { "sign", @"/pfx", PrivateKeyCertFileChained, @"/p", PayloadFile, @"/ep" };
- CST.Main(args2).Should().Be(0, "Embed sign failed.");
+ CST.Main(args2).Should().Be((int)ExitCode.Success, "Embed sign failed.");
// validate detached
string sigFile = PayloadFile + ".cose";
string[] args3 = { "validate", @"/rt", certPair, @"/sf", sigFile, @"/p", PayloadFile, "/rm", "NoCheck" };
- CST.Main(args3).Should().Be(0, "Detach validation failed.");
+ CST.Main(args3).Should().Be((int)ExitCode.Success, "Detach validation failed.");
// validate embedded
sigFile = PayloadFile + ".csm";
string[] args4 = { "validate", @"/rt", certPair, @"/sf", sigFile, "/rm", "NoCheck" };
- CST.Main(args4).Should().Be(0, "Embed validation failed.");
+ CST.Main(args4).Should().Be((int)ExitCode.Success, "Embed validation failed.");
// get content
string saveFile = PayloadFile + ".saved";
@@ -78,6 +82,30 @@ public void FromMainValid()
File.ReadAllText(PayloadFile).Should().Be(File.ReadAllText(saveFile), "Saved content did not match payload.");
}
+ [TestMethod]
+ public void SignWithPasswordProtectedCertSuccess()
+ {
+ // sign detached with password protected cert
+ string[] args1 = { "sign", @"/p", PayloadFile, @"/pfx", PrivateKeyCertFileChainedWithPassword, @"/pw", "password" };
+ CST.Main(args1).Should().Be((int)ExitCode.Success, "Detach sign with password protected cert failed.");
+ }
+
+ [TestMethod]
+ public void SignWithPasswordProtectedCertNoPassword()
+ {
+ // sign detached with password protected cert
+ string[] args1 = { "sign", @"/p", PayloadFile, @"/pfx", PrivateKeyCertFileChainedWithPassword };
+ CST.Main(args1).Should().Be((int)ExitCode.CertificateLoadFailure, "Detach sign did not fail in the expected way.");
+ }
+
+ [TestMethod]
+ public void SignWithPasswordProtectedCertWrongPassword()
+ {
+ // sign detached with password protected cert
+ string[] args1 = { "sign", @"/p", PayloadFile, @"/pfx", PrivateKeyCertFileChainedWithPassword, @"/pw", "NotThePassword" };
+ CST.Main(args1).Should().Be((int)ExitCode.CertificateLoadFailure, "Detach sign did not fail in the expected way.");
+ }
+
[TestMethod]
public void FromMainInvalid()
{
diff --git a/CoseSignTool/SignCommand.cs b/CoseSignTool/SignCommand.cs
index ad99e741..26ec5cd9 100644
--- a/CoseSignTool/SignCommand.cs
+++ b/CoseSignTool/SignCommand.cs
@@ -18,6 +18,16 @@ public sealed class SignCommand : CoseCommand
["-PipeOutput"] = "PipeOutput",
["-po"] = "PipeOutput",
["-PfxCertificate"] = "PfxCertificate",
+ ["-Password"] = "Password",
+ ["-pw"] = "Password",
+ ["-Thumbprint"] = "Thumbprint",
+ ["-th"] = "Thumbprint",
+ ["-StoreName"] = "StoreName",
+ ["-sn"] = "StoreName",
+ ["-StoreLocation"] = "StoreLocation",
+ ["-sl"] = "StoreLocation",
+ ["-ContentType"] = "ContentType",
+ ["-cty"] = "ContentType",
["-pfx"] = "PfxCertificate",
["-Thumbprint"] = "Thumbprint",
["-th"] = "Thumbprint",
@@ -51,10 +61,15 @@ public sealed class SignCommand : CoseCommand
public bool PipeOutput { get; set; }
///
- /// Optional. Gets or set the path to a .pfx file containing the private key certificate to sign with.
+ /// Optional. Gets or sets the path to a .pfx file containing the private key certificate to sign with.
///
public string? PfxCertificate { get; set; }
+ ///
+ /// Optional. Gets or sets the password for the .pfx file if it requires one.
+ ///
+ public string? Password { get; set; }
+
///
/// Optional. Gets or sets the SHA1 thumbprint of a certificate in the Certificate Store to sign the file with.
///
@@ -111,7 +126,7 @@ public override ExitCode Run()
{
cert = LoadCert();
}
- catch (Exception ex) when (ex is CoseSign1CertificateException or FileNotFoundException)
+ catch (Exception ex) when (ex is CoseSign1CertificateException or FileNotFoundException or CryptographicException)
{
ExitCode exitCode = ex is CoseSign1CertificateException ? ExitCode.StoreCertificateNotFound : ExitCode.CertificateLoadFailure;
return CoseSignTool.Fail(exitCode, ex);
@@ -166,6 +181,7 @@ protected internal override void ApplyOptions(CommandLineConfigurationProvider p
PipeOutput = GetOptionBool(provider, nameof (PipeOutput));
Thumbprint = GetOptionString(provider, nameof(Thumbprint));
PfxCertificate = GetOptionString(provider, nameof(PfxCertificate));
+ Password = GetOptionString(provider, nameof(Password));
ContentType = GetOptionString(provider, nameof(ContentType), CoseSign1MessageFactory.DEFAULT_CONTENT_TYPE);
StoreName = GetOptionString(provider, nameof(StoreName), DefaultStoreName);
string? sl = GetOptionString(provider, nameof(StoreLocation), DefaultStoreLocation);
@@ -179,15 +195,17 @@ protected internal override void ApplyOptions(CommandLineConfigurationProvider p
/// The certificate if found.
/// User passed in a thumbprint instead of a file path on a non-Windows OS.
/// No certificate filepath or thumbprint was given.
- /// The certificate was found but could not be loaded.
+ /// The certificate was found but could not be loaded
+ /// -- OR --
+ /// The certificate required a password and the user did not supply one, or the user-supplied password was wrong.
internal X509Certificate2 LoadCert()
{
X509Certificate2 cert;
if (PfxCertificate is not null)
{
- // Load the PFX certificate.
+ // Load the PFX certificate. This will throw a CryptographicException if the password is wrong or missing.
ThrowIfMissing(PfxCertificate, "Could not find the certificate file");
- cert = new X509Certificate2(PfxCertificate);
+ cert = new X509Certificate2(PfxCertificate, Password);
}
else
{
@@ -217,20 +235,26 @@ A detached signature resides in a separate file and validates against the origin
Default value is [payload file].cose for detached signatures or [payload file].csm for embedded.
Required if neither PayloadFile or PipeOutput are set.
- PipeOutput /po: Optional. If set, outputs the detached or embedded COSE signature to Standard Out instead of writing
- to file.
+ A signing certificate as either:
+
+ PfxCertificate / pfx: A path to a private key certificate file (.pfx) to sign with.
+
+ Password / pw: Optional. The password for the .pfx file if it has one.
- PfxCertificate / pfx: A path to a private key certificate file (.pfx) to sign with.
- --OR--
- Thumbprint / th: The SHA1 thumbprint of a certificate in the local certificate store to sign the file with.
- Use the optional StoreName and StoreLocation parameters to tell CoseSignTool where to find the matching
- certificate.
+ --OR--
- StoreName / sn: Optional. The name of the local certificate store to find the signing certificate in.
- Default value is 'My'.
+ Thumbprint / th: The SHA1 thumbprint of a certificate in the local certificate store to sign the file with.
+ Use the optional StoreName and StoreLocation parameters to tell CoseSignTool where to find the matching
+ certificate.
- StoreLocation / sl: Optional. The location of the local certificate store to find the signing certificate in.
- Default value is 'CurrentUser'.
+ StoreName / sn: Optional. The name of the local certificate store to find the signing certificate in.
+ Default value is 'My'.
+
+ StoreLocation / sl: Optional. The location of the local certificate store to find the signing certificate in.
+ Default value is 'CurrentUser'.
+
+ PipeOutput /po: Optional. If set, outputs the detached or embedded COSE signature to Standard Out instead of writing
+ to file.
EmbedPayload / ep: Optional. If true, encrypts and embeds a copy of the payload in the in COSE signature file.
Default behavior is 'detached signing', where the signature is in a separate file from the payload.
From 8e51c495d6cceb9e103c2b9bb0e197730a685462 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 11 Oct 2023 17:24:28 +0000
Subject: [PATCH 02/11] Update changelog for release
---
CHANGELOG.md | 38 +++++++++++---------------------------
1 file changed, 11 insertions(+), 27 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 35c0f6f4..0de59e9d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,44 +1,28 @@
# Changelog
-## [Unreleased](https://github.com/microsoft/CoseSignTool/tree/HEAD)
+## [v1.1.0](https://github.com/microsoft/CoseSignTool/tree/v1.1.0) (2023-10-10)
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.12...HEAD)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.10...v1.1.0)
-**Merged pull requests:**
-
-- implement detached signature factory, tests and helper extension methods. [\#47](https://github.com/microsoft/CoseSignTool/pull/47) ([JeromySt](https://github.com/JeromySt))
+## [v0.3.1-pre.10](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.10) (2023-10-10)
-## [v0.3.1-pre.12](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.12) (2023-10-02)
-
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.11...v0.3.1-pre.12)
-
-**Merged pull requests:**
-
-- Re-enable CodeQL [\#45](https://github.com/microsoft/CoseSignTool/pull/45) ([lemccomb](https://github.com/lemccomb))
-
-## [v0.3.1-pre.11](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.11) (2023-10-02)
-
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.10...v0.3.1-pre.11)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.9...v0.3.1-pre.10)
**Merged pull requests:**
+- Correct folder mapping, update Nuget packages, fix for ADO compatibility [\#51](https://github.com/microsoft/CoseSignTool/pull/51) ([lemccomb](https://github.com/lemccomb))
+- Port CoseHandler to .NET Standard 2.0 [\#48](https://github.com/microsoft/CoseSignTool/pull/48) ([lemccomb](https://github.com/lemccomb))
+- implement detached signature factory, tests and helper extension methods. [\#47](https://github.com/microsoft/CoseSignTool/pull/47) ([JeromySt](https://github.com/JeromySt))
- Port changes from ADO repo to GitHub repo [\#46](https://github.com/microsoft/CoseSignTool/pull/46) ([lemccomb](https://github.com/lemccomb))
+- Re-enable CodeQL [\#45](https://github.com/microsoft/CoseSignTool/pull/45) ([lemccomb](https://github.com/lemccomb))
-## [v0.3.1-pre.10](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.10) (2023-10-02)
-
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.2...v0.3.1-pre.10)
-
-**Merged pull requests:**
+## [v0.3.1-pre.9](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.9) (2023-09-28)
-- Port CoseHandler to .NET Standard 2.0 [\#48](https://github.com/microsoft/CoseSignTool/pull/48) ([lemccomb](https://github.com/lemccomb))
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.2...v0.3.1-pre.9)
## [v0.3.2](https://github.com/microsoft/CoseSignTool/tree/v0.3.2) (2023-09-28)
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.9...v0.3.2)
-
-## [v0.3.1-pre.9](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.9) (2023-09-28)
-
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.8...v0.3.1-pre.9)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.8...v0.3.2)
**Merged pull requests:**
From 728a8066d6c7608865e242964ddcd36573942e1b Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:55:15 -0700
Subject: [PATCH 03/11] update docs
---
README.md | 5 +----
docs/CONTRIBUTING.md | 19 ++++++++++---------
docs/CoseSignTool.md | 2 +-
3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 368ef342..f385f2e2 100644
--- a/README.md
+++ b/README.md
@@ -36,10 +36,9 @@ This is an alpha release, so there are some planned features that are not yet in
The planned work is currently tracked only in an internal Microsoft ADO instance but will be moved to Github Issues soon. In the meantime, here is some of the work currently planned.
#### New features
-* Add /Password option for signing with locked .pfx certificate files
* Investigate adding suport for RFC3161 timestamp counter signatures
* Enable specifying a mandatory cert chain root for validation
-* Implement digest signing
+* Simplify digest signing scenario
* Support batch operations in CoseSignTool to reduce file and cert store reads
* Publish single file version of CoseSignTool
@@ -50,8 +49,6 @@ The planned work is currently tracked only in an internal Microsoft ADO instance
* Expand code coverage in unit and integration tests
#### Other
-* Downgrade the CoseSign1 libraries from .NET Standard 2.1 to 2.0 (Compatibility)
-* Convert CoseHandler from .NET 7 to .NET Standard 2.0 to match other libs
* Move work item tracking to public Github repo
* Re-organize the CoseSignTool unit tests for better readability
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 040ee98e..4fc02f73 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -15,6 +15,16 @@ See [Stye.md](./STYLE.md) for details.
## Testing
All unit tests in the repo must pass in Windows, Linux, and MacOS environments to ensure compatitility.
+## Pull Request Process
+_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the Create_Changelog job completes. The work around is to close and re-open the pull request the pull request page ^(https://github.com/microsoft/CoseSignTool/pull/^[pull request number^]^)_
+1. Clone the [repo](https://github.com/microsoft/CoseSignTool).
+1. Create a user or feature branch off of main. Do not use the keyword "hotfix" or "develope" in your branch names as these will trigger incorrect release behavior.
+1. Submit pull requests into main from your branch.
+1. Ensure builds are still successful and tests, including any added or updated tests, pass locally prior to submitting the pull request. The pull request automation will re-run the unit tests in Windows, MacOS, and Linux environments.
+1. Update any documentation, user and contributor, that is impacted by your changes. See [CoseSignTool.md](./CoseSignTool.md) for the CoseSignTool project, [CoseHandler.md](./CoseHandler.md) for the CoseHandler project, and [Advanced.md](./Advanced.md) for the CoseSign1 projects.
+1. You may merge the pull request in once you have the sign-off of at least two Microsoft full-time employees, including at least one other developer.
+Do not modify CHANGELOG.md is it is generated by the pull request process.
+
## Releases
Releases are created automatically on completion of a pull request into main, and have the pre-release flag set. Official releases are created manually by the repo owners and do not use the pre-release flag.
In both cases, the built binaries and other assets for the release are made available in .zip files.
@@ -28,14 +38,5 @@ In both cases, the built binaries and other assets for the release are made avai
1. Make sure the _Set as a pre-release_ box is _not_ checked.
1. Click _Publish release_.
-## Pull Request Process
-1. Clone the [repo](https://github.com/microsoft/CoseSignTool).
-1. Create a user or feature branch off of main. Do not use the keyword "hotfix" or "develope" in your branch names as these will trigger incorrect release behavior.
-1. Submit pull requests into main from your branch.
-1. Ensure builds are still successful and tests, including any added or updated tests, pass locally prior to submitting the pull request. The pull request automation will re-run the unit tests in Windows, MacOS, and Linux environments.
-1. Update any documentation, user and contributor, that is impacted by your changes. See [CoseSignTool.md](./CoseSignTool.md) for the CoseSignTool project, [CoseHandler.md](./CoseHandler.md) for the CoseHandler project, and [Advanced.md](./Advanced.md) for the CoseSign1 projects.
-1. You may merge the pull request in once you have the sign-off of at least two Microsoft full-time employees, including at least one other developer.
-Do not modify CHANGELOG.md is it is generated by the pull request process.
-
## License Information
[MIT License](https://github.com/microsoft/CoseSignTool/blob/main/LICENSE)
\ No newline at end of file
diff --git a/docs/CoseSignTool.md b/docs/CoseSignTool.md
index d2358cba..b29678d1 100644
--- a/docs/CoseSignTool.md
+++ b/docs/CoseSignTool.md
@@ -11,7 +11,7 @@ The **Sign** command signs a file or stream.
You will need to specify:
* The payload content to sign. This may be a file specified with the **/Payload** option or you can pipe it in on the Standard Input channel when you call CoseSignTool. Piping in the content is generally considered more secure and performant option but large streams of > 2gb in length are not yet supported.
-* A certificate to sign with. You can either use the **/Thumbprint** option to pass the SHA1 thumbprint of an installed certificate or use the **/PfxCertificate** option to point to a .pfx certificate file. The certificate must include a private key. We have plans to add a /Password option for locked certificate files very soon, but for now only unlocked files are supported.
+* A certificate to sign with. You can either use the **/Thumbprint** option to pass the SHA1 thumbprint of an installed certificate or use the **/PfxCertificate** option to point to a .pfx certificate file and a **/Password** to open the certificate file with if it is locked. The certificate must include a private key.
You may also want to specify:
* Detached or embedded: By default, CoseSignTool creates a detached signature, which contains a hash of the original payoad. If you want it embedded, meaning that the signature file includes a copy of the payload, use the **/EmbedPayload option.** Note that embedded signatures are only supported for payload of less than 2gb.
From 2a93aeb6d5faebf2fa699c57a0b972d6d6c84539 Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:09:18 -0700
Subject: [PATCH 04/11] Fix markdown error
---
docs/CONTRIBUTING.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 4fc02f73..dc517134 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -16,7 +16,7 @@ See [Stye.md](./STYLE.md) for details.
All unit tests in the repo must pass in Windows, Linux, and MacOS environments to ensure compatitility.
## Pull Request Process
-_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the Create_Changelog job completes. The work around is to close and re-open the pull request the pull request page ^(https://github.com/microsoft/CoseSignTool/pull/^[pull request number^]^)_
+_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request the pull request page https://github.com/microsoft/CoseSignTool/pull/[pull request number]_
1. Clone the [repo](https://github.com/microsoft/CoseSignTool).
1. Create a user or feature branch off of main. Do not use the keyword "hotfix" or "develope" in your branch names as these will trigger incorrect release behavior.
1. Submit pull requests into main from your branch.
From 5b89a4f06a1e54301548afeb93001c77f52a29a0 Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:10:54 -0700
Subject: [PATCH 05/11] Put parens back in
---
docs/CONTRIBUTING.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index dc517134..e3d203b0 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -16,7 +16,7 @@ See [Stye.md](./STYLE.md) for details.
All unit tests in the repo must pass in Windows, Linux, and MacOS environments to ensure compatitility.
## Pull Request Process
-_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request the pull request page https://github.com/microsoft/CoseSignTool/pull/[pull request number]_
+_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request the pull request page (https://github.com/microsoft/CoseSignTool/pull/[pull-request-number])_
1. Clone the [repo](https://github.com/microsoft/CoseSignTool).
1. Create a user or feature branch off of main. Do not use the keyword "hotfix" or "develope" in your branch names as these will trigger incorrect release behavior.
1. Submit pull requests into main from your branch.
From ccec206bdceda0a29e4c85ef395036b7dbb11b51 Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:14:37 -0700
Subject: [PATCH 06/11] try nolink tag
---
docs/CONTRIBUTING.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index e3d203b0..72aca74f 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -16,7 +16,7 @@ See [Stye.md](./STYLE.md) for details.
All unit tests in the repo must pass in Windows, Linux, and MacOS environments to ensure compatitility.
## Pull Request Process
-_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request the pull request page (https://github.com/microsoft/CoseSignTool/pull/[pull-request-number])_
+_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request the pull request page (https://github.com/microsoft/CoseSignTool/pull/[pull-request-number])_
1. Clone the [repo](https://github.com/microsoft/CoseSignTool).
1. Create a user or feature branch off of main. Do not use the keyword "hotfix" or "develope" in your branch names as these will trigger incorrect release behavior.
1. Submit pull requests into main from your branch.
From 21dd96592a0f29aa07fa3db95bace36fba89378c Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:16:11 -0700
Subject: [PATCH 07/11] missing word
---
docs/CONTRIBUTING.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 72aca74f..c5787424 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -16,7 +16,7 @@ See [Stye.md](./STYLE.md) for details.
All unit tests in the repo must pass in Windows, Linux, and MacOS environments to ensure compatitility.
## Pull Request Process
-_Note:There is a bug in the pull request process which causesGithub to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request the pull request page (https://github.com/microsoft/CoseSignTool/pull/[pull-request-number])_
+_Note: There is a bug in the pull request process which causes Github to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request on the pull request page (https://github.com/microsoft/CoseSignTool/pull/[pull-request-number])_
1. Clone the [repo](https://github.com/microsoft/CoseSignTool).
1. Create a user or feature branch off of main. Do not use the keyword "hotfix" or "develope" in your branch names as these will trigger incorrect release behavior.
1. Submit pull requests into main from your branch.
From 214b5bb7669d554f93b42f547bb1e1bc68f4940f Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:31:35 -0700
Subject: [PATCH 08/11] Cleaned up PR steps in doc
---
docs/CONTRIBUTING.md | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index c5787424..d3805475 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -19,11 +19,14 @@ All unit tests in the repo must pass in Windows, Linux, and MacOS environments t
_Note: There is a bug in the pull request process which causes Github to lose track of running workflows when the CreateChangelog job completes. The work around is to close and re-open the pull request on the pull request page (https://github.com/microsoft/CoseSignTool/pull/[pull-request-number])_
1. Clone the [repo](https://github.com/microsoft/CoseSignTool).
1. Create a user or feature branch off of main. Do not use the keyword "hotfix" or "develope" in your branch names as these will trigger incorrect release behavior.
-1. Submit pull requests into main from your branch.
-1. Ensure builds are still successful and tests, including any added or updated tests, pass locally prior to submitting the pull request. The pull request automation will re-run the unit tests in Windows, MacOS, and Linux environments.
+1. Make your changes, including adding or updating unit tests to ensure your changes work as intended.
+1. Make sure the solution still builds and all unit tests still pass locally.
1. Update any documentation, user and contributor, that is impacted by your changes. See [CoseSignTool.md](./CoseSignTool.md) for the CoseSignTool project, [CoseHandler.md](./CoseHandler.md) for the CoseHandler project, and [Advanced.md](./Advanced.md) for the CoseSign1 projects.
+1. Push your changes to origin and create a pull request into main from your branch. The pull request automation will re-run the unit tests in Windows, MacOS, and Linux environments.
+1. Fix any build or test failures or CodeQL warnings caught by the pull request automation and push the fixes to your branch.
+1. Address any code review comments.
1. You may merge the pull request in once you have the sign-off of at least two Microsoft full-time employees, including at least one other developer.
-Do not modify CHANGELOG.md is it is generated by the pull request process.
+Do not modify CHANGELOG.md, as it is auto-generated.
## Releases
Releases are created automatically on completion of a pull request into main, and have the pre-release flag set. Official releases are created manually by the repo owners and do not use the pre-release flag.
From 710fe94fb0345cb39362815e1816e90ab65d7a45 Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:44:19 -0700
Subject: [PATCH 09/11] CodeQL fix
---
CoseHandler/CoseHandler.cs | 2 +-
CoseSignTool.tests/MainTests.cs | 18 ++++++------------
2 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/CoseHandler/CoseHandler.cs b/CoseHandler/CoseHandler.cs
index 1fa9bec8..a1647b10 100644
--- a/CoseHandler/CoseHandler.cs
+++ b/CoseHandler/CoseHandler.cs
@@ -33,7 +33,7 @@ public static class CoseHandler
// static instance of the factory for creating new CoseSign1Messages
private static readonly ICoseSign1MessageFactory Factory = new CoseSign1MessageFactory();
- #region Sign
+ #region Sign Overloads
///
/// Signs the payload content with the supplied certificate and returns a ReadOnlyMemory object containing the COSE signatureFile.
///
diff --git a/CoseSignTool.tests/MainTests.cs b/CoseSignTool.tests/MainTests.cs
index a24d1518..53d59cfb 100644
--- a/CoseSignTool.tests/MainTests.cs
+++ b/CoseSignTool.tests/MainTests.cs
@@ -22,13 +22,12 @@ public class MainTests
// File paths to export them to
private static readonly string PrivateKeyCertFileSelfSigned = Path.GetTempFileName() + "_SelfSigned.pfx";
private static readonly string PublicKeyCertFileSelfSigned = Path.GetTempFileName() + "_SelfSigned.cer";
- private static string PrivateKeyRootCertFile;
- private static string PublicKeyIntermediateCertFile;
- private static string PublicKeyRootCertFile;
- private static string PrivateKeyCertFileChained;
- private static string PrivateKeyCertFileChainedWithPassword;
+ private static readonly string PrivateKeyRootCertFile = Path.GetTempFileName() + ".pfx";
+ private static readonly string PublicKeyIntermediateCertFile = Path.GetTempFileName() + ".cer";
+ private static readonly string PublicKeyRootCertFile = Path.GetTempFileName() + ".cer";
+ private static readonly string PrivateKeyCertFileChained = Path.GetTempFileName() + ".pfx";
+ private static readonly string PrivateKeyCertFileChainedWithPassword = Path.GetTempFileName() + ".pfx";
private static string PayloadFile;
-
private static readonly byte[] Payload1Bytes = Encoding.ASCII.GetBytes("Payload1!");
public MainTests()
@@ -40,15 +39,10 @@ public MainTests()
// export generated certs to files
File.WriteAllBytes(PrivateKeyCertFileSelfSigned, SelfSignedCert.Export(X509ContentType.Pkcs12));
File.WriteAllBytes(PublicKeyCertFileSelfSigned, SelfSignedCert.Export(X509ContentType.Cert));
- PrivateKeyRootCertFile = Path.GetTempFileName() + ".pfx";
File.WriteAllBytes(PrivateKeyRootCertFile, Root1Priv.Export(X509ContentType.Pkcs12));
- PublicKeyRootCertFile = Path.GetTempFileName() + ".cer";
File.WriteAllBytes(PublicKeyRootCertFile, Root1Priv.Export(X509ContentType.Cert));
- PublicKeyIntermediateCertFile = Path.GetTempFileName() + ".cer";
- File.WriteAllBytes(PublicKeyIntermediateCertFile, Int1Priv.Export(X509ContentType.Cert));
- PrivateKeyCertFileChained = Path.GetTempFileName() + ".pfx";
+ File.WriteAllBytes(PublicKeyIntermediateCertFile, Int1Priv.Export(X509ContentType.Cert));
File.WriteAllBytes(PrivateKeyCertFileChained, Leaf1Priv.Export(X509ContentType.Pkcs12));
- PrivateKeyCertFileChainedWithPassword = Path.GetTempFileName() + ".pfx";
File.WriteAllBytes(PrivateKeyCertFileChainedWithPassword, Leaf1Priv.Export(X509ContentType.Pkcs12, "password"));
}
From beee8e6ba557e720fac9c333b2c701956aa0e6fa Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 12:03:42 -0700
Subject: [PATCH 10/11] o hard coded password in test
---
CoseSignTool.tests/MainTests.cs | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CoseSignTool.tests/MainTests.cs b/CoseSignTool.tests/MainTests.cs
index 53d59cfb..128d223b 100644
--- a/CoseSignTool.tests/MainTests.cs
+++ b/CoseSignTool.tests/MainTests.cs
@@ -2,6 +2,8 @@
// Licensed under the MIT License.
namespace CoseSignUnitTests;
+
+using System;
using Microsoft.VisualStudio.TestTools.UnitTesting;
using CST = CoseSignTool.CoseSignTool;
@@ -27,6 +29,9 @@ public class MainTests
private static readonly string PublicKeyRootCertFile = Path.GetTempFileName() + ".cer";
private static readonly string PrivateKeyCertFileChained = Path.GetTempFileName() + ".pfx";
private static readonly string PrivateKeyCertFileChainedWithPassword = Path.GetTempFileName() + ".pfx";
+ private static readonly string CertPassword = Guid.NewGuid().ToString();
+
+
private static string PayloadFile;
private static readonly byte[] Payload1Bytes = Encoding.ASCII.GetBytes("Payload1!");
@@ -80,7 +85,7 @@ public void FromMainValid()
public void SignWithPasswordProtectedCertSuccess()
{
// sign detached with password protected cert
- string[] args1 = { "sign", @"/p", PayloadFile, @"/pfx", PrivateKeyCertFileChainedWithPassword, @"/pw", "password" };
+ string[] args1 = { "sign", @"/p", PayloadFile, @"/pfx", PrivateKeyCertFileChainedWithPassword, @"/pw", CertPassword };
CST.Main(args1).Should().Be((int)ExitCode.Success, "Detach sign with password protected cert failed.");
}
From 5a24f792a7ca92175b04b9a979c85a62b94581aa Mon Sep 17 00:00:00 2001
From: lemccomb <117306942+lemccomb@users.noreply.github.com>
Date: Wed, 11 Oct 2023 12:27:49 -0700
Subject: [PATCH 11/11] fix test failure
---
CoseSignTool.tests/MainTests.cs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CoseSignTool.tests/MainTests.cs b/CoseSignTool.tests/MainTests.cs
index 128d223b..ea876196 100644
--- a/CoseSignTool.tests/MainTests.cs
+++ b/CoseSignTool.tests/MainTests.cs
@@ -48,7 +48,7 @@ public MainTests()
File.WriteAllBytes(PublicKeyRootCertFile, Root1Priv.Export(X509ContentType.Cert));
File.WriteAllBytes(PublicKeyIntermediateCertFile, Int1Priv.Export(X509ContentType.Cert));
File.WriteAllBytes(PrivateKeyCertFileChained, Leaf1Priv.Export(X509ContentType.Pkcs12));
- File.WriteAllBytes(PrivateKeyCertFileChainedWithPassword, Leaf1Priv.Export(X509ContentType.Pkcs12, "password"));
+ File.WriteAllBytes(PrivateKeyCertFileChainedWithPassword, Leaf1Priv.Export(X509ContentType.Pkcs12, CertPassword));
}
[TestMethod]