add some signature debugging commands

coder · Dec 13, 2024 · 449f77c · 449f77c
1 parent 59376d2
commit 449f77c
Showing 1 changed file with 59 additions and 5 deletions.
diff --git a/cli/signature.go b/cli/signature.go
@@ -3,12 +3,17 @@ package cli
 import (
 	"crypto/x509"
 	"fmt"
+	"io"
 	"os"
+	"strings"
 
 	cms "github.com/github/smimesign/ietf-cms"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
+	"cdr.dev/slog"
+	"github.com/coder/code-marketplace/storage/easyzip"
+
 	"github.com/coder/code-marketplace/extensionsign"
 	"github.com/coder/code-marketplace/extensionsign/verify"
 )
@@ -20,15 +25,22 @@ func signature() *cobra.Command {
 		Hidden:  true, // Debugging tools
 		Aliases: []string{"sig", "sigs", "signatures"},
 	}
+
 	cmd.AddCommand(compareSignatureSigZips(), verifyCmd(), decodeSigCmd())
 	return cmd
 }
 
 func decodeSigCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:  "decode",
-		Args: cobra.ExactArgs(1),
+
+		Use:   "decode",
+		Short: "Decode a signature archive.",
+		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			logger := cmdLogger(cmd)
+			ctx := cmd.Context()
+			logger.Info(ctx, fmt.Sprintf("Decoding %q", args[0]))
+
 			data, err := os.ReadFile(args[0])
 			if err != nil {
 				return xerrors.Errorf("read %q: %w", args[0], err)
@@ -39,6 +51,15 @@ func decodeSigCmd() *cobra.Command {
 				return xerrors.Errorf("extract p7s: %w", err)
 			}
 
+			detachedDataR, err := easyzip.GetZipFileReader(data, ".signature.manifest")
+			if err != nil {
+				return xerrors.Errorf("get manifest: %w", err)
+			}
+			detachedData, err := io.ReadAll(detachedDataR)
+			if err != nil {
+				return xerrors.Errorf("read manifest: %w", err)
+			}
+
 			sd, err := cms.ParseSignedData(signed)
 			if err != nil {
 				return xerrors.Errorf("new signed data: %w", err)
@@ -57,18 +78,51 @@ func decodeSigCmd() *cobra.Command {
 			}
 			fmt.Println("Data:", len(sdData))
 
-			vcerts, err := sd.Verify(x509.VerifyOptions{})
+			var verifyErr error
+			var vcerts [][][]*x509.Certificate
+
+			sys, err := x509.SystemCertPool()
 			if err != nil {
-				return xerrors.Errorf("verify: %w", err)
+				return xerrors.Errorf("system cert pool: %w", err)
+			}
+			opts := x509.VerifyOptions{
+				Intermediates: sys,
+				Roots:         sys,
+			}
+
+			if sd.IsDetached() {
+				vcerts, verifyErr = sd.VerifyDetached(detachedData, opts)
+			} else {
+				vcerts, verifyErr = sd.Verify(opts)
+			}
+			if verifyErr != nil {
+				logger.Fatal(ctx, "verify", slog.Error(verifyErr))
 			}
-			var _ = vcerts
+
+			certChain := dimensions(vcerts)
+			fmt.Println("Verified!")
+			fmt.Println(certChain)
 
 			return nil
 		},
 	}
 	return cmd
 }
 
+func dimensions(chain [][][]*x509.Certificate) string {
+	var str strings.Builder
+	for _, top := range chain {
+		str.WriteString(fmt.Sprintf("Chain, len=%d\n", len(top)))
+		for _, second := range top {
+			str.WriteString(fmt.Sprintf("  Certs len=%d\n", len(second)))
+			for _, cert := range second {
+				str.WriteString(fmt.Sprintf("    Cert: %s\n", cert.Subject))
+			}
+		}
+	}
+	return str.String()
+}
+
 func verifyCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use: "verify",