S.S.C.Cose: Add Async Stream-based signatures (#67786)

* Add SignAsync(stream) and VerifyAsync(Stream)

* Address src feedback

* * Add sync Stream APIs and tests
* Address feedback

* * Add newlines to long signatures
* Remove try-finally form ArrayPool rents on async context

Author: jozkee

src/libraries/System.Security.Cryptography.Cose/ref/System.Security.Cryptography.Cose.cs

@@ -68,14 +68,22 @@ internal CoseSign1Message() { }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public static byte[] Sign(byte[] content, System.Security.Cryptography.AsymmetricAlgorithm key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
+        public static byte[] Sign(System.IO.Stream detachedContent, System.Security.Cryptography.AsymmetricAlgorithm key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null) { throw null; }
+        [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public static byte[] Sign(System.ReadOnlySpan<byte> content, System.Security.Cryptography.AsymmetricAlgorithm key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
+        public static System.Threading.Tasks.Task<byte[]> SignAsync(System.IO.Stream detachedContent, System.Security.Cryptography.AsymmetricAlgorithm key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public static bool TrySign(System.ReadOnlySpan<byte> content, System.Span<byte> destination, System.Security.Cryptography.AsymmetricAlgorithm key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, out int bytesWritten, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public bool Verify(System.Security.Cryptography.AsymmetricAlgorithm key) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public bool Verify(System.Security.Cryptography.AsymmetricAlgorithm key, byte[] content) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
+        public bool Verify(System.Security.Cryptography.AsymmetricAlgorithm key, System.IO.Stream detachedContent) { throw null; }
+        [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public bool Verify(System.Security.Cryptography.AsymmetricAlgorithm key, System.ReadOnlySpan<byte> content) { throw null; }
+        [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
+        public System.Threading.Tasks.Task<bool> VerifyAsync(System.Security.Cryptography.AsymmetricAlgorithm key, System.IO.Stream detachedContent, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
     }
 }

src/libraries/System.Security.Cryptography.Cose/src/Resources/Strings.resx

@@ -156,6 +156,12 @@
   <data name="Sign1AlgDoesNotMatchWithTheOnesSupportedByTypeOfKey" xml:space="preserve">
     <value>COSE algorithm '{0}' doesn't match with the supported algorithms of '{1}'.</value>
   </data>
+  <data name="Sign1ArgumentStreamNotReadable" xml:space="preserve">
+    <value>Stream was not readable.</value>
+  </data>
+  <data name="Sign1ArgumentStreamNotSeekable" xml:space="preserve">
+    <value>Stream does not support seeking.</value>
+  </data>
   <data name="Sign1SignAlgMustBeProtected" xml:space="preserve">
     <value>If specified, Algorithm (alg) must be a protected header.</value>
   </data>

src/libraries/System.Security.Cryptography.Cose/src/System.Security.Cryptography.Cose.csproj

@@ -15,6 +15,7 @@
 
   <ItemGroup>
     <Compile Include="$(CommonPath)System\Memory\PointerMemoryManager.cs" Link="Common\System\Memory\PointerMemoryManager.cs" />
+    <Compile Include="$(LibrariesProjectRoot)System.Formats.Cbor\src\System\Formats\Cbor\CborInitialByte.cs" Link="System\Formats\Cbor\CborInitialByte.cs" />
     <Compile Include="System\Security\Cryptography\Cose\CoseHeaderLabel.cs" />
     <Compile Include="System\Security\Cryptography\Cose\CoseHeaderMap.cs" />
     <Compile Include="System\Security\Cryptography\Cose\CoseHelpers.cs" />
@@ -45,4 +46,9 @@
   <ItemGroup Condition="$([MSBuild]::IsTargetFrameworkCompatible('$(TargetFramework)', 'net7.0'))">
     <Reference Include="System.Security.Cryptography" />
   </ItemGroup>
+
+  <!-- For IncrementalHash -->
+  <ItemGroup Condition="'$(TargetFrameworkIdentifier)' == '.NETFramework'">
+    <PackageReference Include="System.Security.Cryptography.Algorithms" Version="$(SystemSecurityCryptographyAlgorithmsVersion)" />
+  </ItemGroup>
 </Project>

src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHelpers.cs

@@ -1,6 +1,10 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers.Binary;
+using System.Diagnostics;
+using System.Formats.Cbor;
+using System.Runtime.Versioning;
 using System.Text;
 
 namespace System.Security.Cryptography.Cose
@@ -33,6 +37,47 @@ internal static int GetIntegerEncodedSize(long value)
             }
         }
 
+        internal static void WriteByteStringLength(IncrementalHash hasher, ulong value)
+        {
+            const CborMajorType MajorType = CborMajorType.ByteString;
+            CborInitialByte initialByte;
+
+            if (value < (byte)CborAdditionalInfo.Additional8BitData)
+            {
+                initialByte = new CborInitialByte(MajorType, (CborAdditionalInfo)value);
+                hasher.AppendData(stackalloc byte[] { initialByte.InitialByte });
+            }
+            else if (value <= byte.MaxValue)
+            {
+                initialByte = new CborInitialByte(MajorType, CborAdditionalInfo.Additional8BitData);
+                hasher.AppendData(stackalloc byte[] { initialByte.InitialByte, (byte)value });
+            }
+            else if (value <= ushort.MaxValue)
+            {
+                initialByte = new CborInitialByte(MajorType, CborAdditionalInfo.Additional16BitData);
+                Span<byte> buffer = stackalloc byte[1 + sizeof(ushort)];
+                buffer[0] = initialByte.InitialByte;
+                BinaryPrimitives.WriteUInt16BigEndian(buffer.Slice(1), (ushort)value);
+                hasher.AppendData(buffer);
+            }
+            else if (value <= uint.MaxValue)
+            {
+                initialByte = new CborInitialByte(MajorType, CborAdditionalInfo.Additional32BitData);
+                Span<byte> buffer = stackalloc byte[1 + sizeof(uint)];
+                buffer[0] = initialByte.InitialByte;
+                BinaryPrimitives.WriteUInt32BigEndian(buffer.Slice(1), (uint)value);
+                hasher.AppendData(buffer);
+            }
+            else
+            {
+                initialByte = new CborInitialByte(MajorType, CborAdditionalInfo.Additional64BitData);
+                Span<byte> buffer = stackalloc byte[1 + sizeof(ulong)];
+                buffer[0] = initialByte.InitialByte;
+                BinaryPrimitives.WriteUInt64BigEndian(buffer.Slice(1), value);
+                hasher.AppendData(buffer);
+            }
+        }
+
         internal static int GetIntegerEncodedSize(ulong value)
         {
             if (value < 24)
@@ -56,5 +101,56 @@ internal static int GetIntegerEncodedSize(ulong value)
                 return 1 + sizeof(ulong);
             }
         }
+
+        [UnsupportedOSPlatform("browser")]
+        internal static int SignHashWithECDsa(ECDsa key, IncrementalHash hasher, Span<byte> destination)
+        {
+#if NETSTANDARD2_0 || NETFRAMEWORK
+            byte[] signature = key.SignHash(hasher.GetHashAndReset());
+            signature.CopyTo(destination);
+            return signature.Length;
+#else
+            Debug.Assert(hasher.HashLengthInBytes <= 512 / 8); // largest hash we can get (SHA512).
+            Span<byte> hash = stackalloc byte[hasher.HashLengthInBytes];
+            hasher.GetHashAndReset(hash);
+
+            if (!key.TrySignHash(hash, destination, out int bytesWritten))
+            {
+                Debug.Fail("TrySignData failed with a pre-calculated destination");
+                throw new CryptographicException();
+            }
+
+            return bytesWritten;
+#endif
+        }
+
+        [UnsupportedOSPlatform("browser")]
+        internal static int SignHashWithRSA(RSA key, IncrementalHash hasher, HashAlgorithmName hashAlgorithm, Span<byte> destination)
+        {
+#if NETSTANDARD2_0 || NETFRAMEWORK
+            byte[] signature = key.SignHash(hasher.GetHashAndReset(), hashAlgorithm, RSASignaturePadding.Pss);
+            signature.CopyTo(destination);
+            return signature.Length;
+#else
+            Debug.Assert(hasher.HashLengthInBytes <= 512 / 8); // largest hash we can get (SHA512).
+            Span<byte> hash = stackalloc byte[hasher.HashLengthInBytes];
+            hasher.GetHashAndReset(hash);
+
+            if (!key.TrySignHash(hash, destination, hashAlgorithm, RSASignaturePadding.Pss, out int bytesWritten))
+            {
+                Debug.Fail("TrySignData failed with a pre-calculated destination");
+                throw new CryptographicException();
+            }
+
+            return bytesWritten;
+#endif
+        }
+
+#if NETSTANDARD2_0 || NETFRAMEWORK
+        internal static void AppendData(this IncrementalHash hasher, ReadOnlySpan<byte> data)
+        {
+            hasher.AppendData(data.ToArray());
+        }
+#endif
     }
 }

src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseMessage.cs

@@ -4,8 +4,11 @@
 using System.Buffers;
 using System.Diagnostics;
 using System.Formats.Cbor;
+using System.IO;
 using System.Runtime.InteropServices;
 using System.Runtime.Versioning;
+using System.Threading;
+using System.Threading.Tasks;
 
 namespace System.Security.Cryptography.Cose
 {
@@ -181,19 +184,80 @@ private static byte[] DecodeSignature(CborReader reader)
             return reader.ReadByteString();
         }
 
-        internal static int CreateToBeSigned(string context, ReadOnlySpan<byte> encodedProtectedHeader, ReadOnlySpan<byte> content, Span<byte> destination)
+        internal static void AppendToBeSigned(Span<byte> buffer, IncrementalHash hasher, string context, ReadOnlySpan<byte> encodedProtectedHeader, ReadOnlySpan<byte> contentBytes, Stream? contentStream, HashAlgorithmName hashAlgorithm)
+        {
+            int bytesWritten = CreateToBeSigned(buffer, context, encodedProtectedHeader, ReadOnlySpan<byte>.Empty);
+            bytesWritten -= 1; // Trim the empty bstr content, it is just a placeholder.
+
+            hasher.AppendData(buffer.Slice(0, bytesWritten));
+
+            if (contentStream == null)
+            {
+                // content length
+                CoseHelpers.WriteByteStringLength(hasher, (ulong)contentBytes.Length);
+
+                //content
+                hasher.AppendData(contentBytes);
+            }
+            else
+            {
+                // content length
+                CoseHelpers.WriteByteStringLength(hasher, (ulong)(contentStream.Length - contentStream.Position));
+
+                //content
+                byte[] contentBuffer = ArrayPool<byte>.Shared.Rent(4096);
+                int bytesRead;
+
+                try
+                {
+                    while ((bytesRead = contentStream.Read(contentBuffer, 0, contentBuffer.Length)) > 0)
+                    {
+                        hasher.AppendData(contentBuffer, 0, bytesRead);
+                    }
+                }
+                finally
+                {
+                    ArrayPool<byte>.Shared.Return(contentBuffer, clearArray: true);
+                }
+            }
+        }
+
+        internal static async Task AppendToBeSignedAsync(byte[] buffer, IncrementalHash hasher, string context, ReadOnlyMemory<byte> encodedProtectedHeader, Stream content, HashAlgorithmName hashAlgorithm, CancellationToken cancellationToken)
+        {
+            int bytesWritten = CreateToBeSigned(buffer, context, encodedProtectedHeader.Span, ReadOnlySpan<byte>.Empty);
+            bytesWritten -= 1; // Trim the empty bstr content, it is just a placeholder.
+
+            hasher.AppendData(buffer, 0, bytesWritten);
+
+            //content length
+            CoseHelpers.WriteByteStringLength(hasher, (ulong)(content.Length - content.Position));
+
+            // content
+            byte[] contentBuffer = ArrayPool<byte>.Shared.Rent(4096);
+            int bytesRead;
+#if NETSTANDARD2_0 || NETFRAMEWORK
+            while ((bytesRead = await content.ReadAsync(contentBuffer, 0, contentBuffer.Length, cancellationToken).ConfigureAwait(false)) > 0)
+#else
+            while ((bytesRead = await content.ReadAsync(contentBuffer, cancellationToken).ConfigureAwait(false)) > 0)
+#endif
+            {
+                hasher.AppendData(contentBuffer, 0, bytesRead);
+            }
+
+            ArrayPool<byte>.Shared.Return(contentBuffer, clearArray: true);
+        }
+
+        internal static int CreateToBeSigned(Span<byte> destination, string context, ReadOnlySpan<byte> encodedProtectedHeader, ReadOnlySpan<byte> content)
         {
             var writer = new CborWriter();
             writer.WriteStartArray(4);
             writer.WriteTextString(context); // context
             writer.WriteByteString(encodedProtectedHeader); // body_protected
             writer.WriteByteString(Span<byte>.Empty); // external_aad
-            writer.WriteByteString(content); //payload or content
+            writer.WriteByteString(content); // content
             writer.WriteEndArray();
-            int bytesWritten = writer.Encode(destination);
 
-            Debug.Assert(bytesWritten == writer.BytesWritten && bytesWritten == ComputeToBeSignedEncodedSize(context, encodedProtectedHeader, content));
-            return bytesWritten;
+            return writer.Encode(destination);
         }
 
         internal static int ComputeToBeSignedEncodedSize(string context, ReadOnlySpan<byte> encodedProtectedHeader, ReadOnlySpan<byte> content)
@@ -225,5 +289,15 @@ internal enum KeyType
             ECDsa,
             RSA,
         }
+
+        internal static KeyType GetKeyType(AsymmetricAlgorithm key)
+        {
+            return key switch
+            {
+                ECDsa => KeyType.ECDsa,
+                RSA => KeyType.RSA,
+                _ => throw new CryptographicException(SR.Format(SR.Sign1UnsupportedKey, key.GetType()))
+            };
+        }
     }
 }