Add kid header to protected headers

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [v1.3.0-pre2](https://github.com/microsoft/CoseSignTool/tree/v1.3.0-pre2) (2024-11-20)
+
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.3.0-pre1...v1.3.0-pre2)
+
+**Merged pull requests:**
+
+- set shell in publish step [\#121](https://github.com/microsoft/CoseSignTool/pull/121) ([lemccomb](https://github.com/lemccomb))
+
 ## [v1.3.0-pre1](https://github.com/microsoft/CoseSignTool/tree/v1.3.0-pre1) (2024-11-20)
 
 [Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.0.0-Test1...v1.3.0-pre1)
@@ -14,7 +22,7 @@
 
 ## [v1.2.8-pre7](https://github.com/microsoft/CoseSignTool/tree/v1.2.8-pre7) (2024-10-30)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.8-pre6...v1.2.8-pre7)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.3.0...v1.2.8-pre7)
 
 **Closed issues:**
 
@@ -24,13 +32,13 @@
 
 - Adds CLI install instructions [\#116](https://github.com/microsoft/CoseSignTool/pull/116) ([ivarprudnikov](https://github.com/ivarprudnikov))
 
-## [v1.2.8-pre6](https://github.com/microsoft/CoseSignTool/tree/v1.2.8-pre6) (2024-10-30)
+## [v1.3.0](https://github.com/microsoft/CoseSignTool/tree/v1.3.0) (2024-10-30)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.3.0...v1.2.8-pre6)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.8-pre6...v1.3.0)
 
-## [v1.3.0](https://github.com/microsoft/CoseSignTool/tree/v1.3.0) (2024-10-30)
+## [v1.2.8-pre6](https://github.com/microsoft/CoseSignTool/tree/v1.2.8-pre6) (2024-10-30)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.8-pre5...v1.3.0)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.8-pre5...v1.2.8-pre6)
 
 **Merged pull requests:**
 
@@ -216,7 +224,7 @@
 
 ## [v1.2.1-pre2](https://github.com/microsoft/CoseSignTool/tree/v1.2.1-pre2) (2024-03-15)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.2...v1.2.1-pre2)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.1-pre1...v1.2.1-pre2)
 
 **Closed issues:**
 
@@ -226,13 +234,13 @@
 
 - more granular error codes [\#86](https://github.com/microsoft/CoseSignTool/pull/86) ([lemccomb](https://github.com/lemccomb))
 
-## [v1.2.2](https://github.com/microsoft/CoseSignTool/tree/v1.2.2) (2024-03-12)
+## [v1.2.1-pre1](https://github.com/microsoft/CoseSignTool/tree/v1.2.1-pre1) (2024-03-12)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.1-pre1...v1.2.2)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.2...v1.2.1-pre1)
 
-## [v1.2.1-pre1](https://github.com/microsoft/CoseSignTool/tree/v1.2.1-pre1) (2024-03-12)
+## [v1.2.2](https://github.com/microsoft/CoseSignTool/tree/v1.2.2) (2024-03-12)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.1...v1.2.1-pre1)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.1...v1.2.2)
 
 **Merged pull requests:**
 
@@ -252,15 +260,15 @@
 
 ## [v1.2.exeTest](https://github.com/microsoft/CoseSignTool/tree/v1.2.exeTest) (2024-03-06)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.1.8-pre1...v1.2.exeTest)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.0...v1.2.exeTest)
 
-## [v1.1.8-pre1](https://github.com/microsoft/CoseSignTool/tree/v1.1.8-pre1) (2024-03-04)
+## [v1.2.0](https://github.com/microsoft/CoseSignTool/tree/v1.2.0) (2024-03-04)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.2.0...v1.1.8-pre1)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.1.8-pre1...v1.2.0)
 
-## [v1.2.0](https://github.com/microsoft/CoseSignTool/tree/v1.2.0) (2024-03-04)
+## [v1.1.8-pre1](https://github.com/microsoft/CoseSignTool/tree/v1.1.8-pre1) (2024-03-04)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.1.8...v1.2.0)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v1.1.8...v1.1.8-pre1)
 
 **Merged pull requests:**
 
@@ -449,7 +457,7 @@
 
 ## [v1.1.0](https://github.com/microsoft/CoseSignTool/tree/v1.1.0) (2023-10-10)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.9...v1.1.0)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.2...v1.1.0)
 
 **Merged pull requests:**
 
@@ -459,13 +467,13 @@
 - Port changes from ADO repo to GitHub repo [\#46](https://github.com/microsoft/CoseSignTool/pull/46) ([lemccomb](https://github.com/lemccomb))
 - Re-enable CodeQL [\#45](https://github.com/microsoft/CoseSignTool/pull/45) ([lemccomb](https://github.com/lemccomb))
 
-## [v0.3.1-pre.9](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.9) (2023-09-28)
+## [v0.3.2](https://github.com/microsoft/CoseSignTool/tree/v0.3.2) (2023-09-28)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.2...v0.3.1-pre.9)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.9...v0.3.2)
 
-## [v0.3.2](https://github.com/microsoft/CoseSignTool/tree/v0.3.2) (2023-09-28)
+## [v0.3.1-pre.9](https://github.com/microsoft/CoseSignTool/tree/v0.3.1-pre.9) (2023-09-28)
 
-[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.8...v0.3.2)
+[Full Changelog](https://github.com/microsoft/CoseSignTool/compare/v0.3.1-pre.8...v0.3.1-pre.9)
 
 **Merged pull requests:**
 

CoseSign1.Certificates.Tests/CertificateCoseSigningKeyProviderTests.cs

@@ -129,7 +129,7 @@ public void TestGetProtectedHeadersSuccess()
         testObj.Protected().Verify("GetSigningCertificate", Times.AtLeastOnce());
         testObj.Protected().Verify("GetCertificateChain", Times.Once(), X509ChainSortOrder.LeafFirst);
         response.Should().NotBeNull();
-        response.Count.Should().Be(2);
+        response.Count.Should().Be(3);
     }
 
     /// <summary>

CoseSign1.Certificates/CertificateCoseSigningKeyProvider.cs

@@ -100,6 +100,9 @@ signingCertificate is null
         CoseHeaderValue value = CoseHeaderValue.FromEncodedValue(encodedBytes);
         protectedHeaders.Add(CertificateCoseHeaderLabels.X5T, value);
 
+        // Add key identifier
+        protectedHeaders.Add(CoseHeaderLabel.KeyIdentifier, GetKeyIdentifier(signingCertificate));
+
         //X509ChainSortOrder is based on x5Chain elements order suggested here <see cref="https://datatracker.ietf.org/doc/rfc9360/"/>.
         IEnumerable<X509Certificate2> chain = GetCertificateChain(X509ChainSortOrder.LeafFirst);
         X509Certificate2? firstCert = chain.FirstOrDefault();
@@ -143,5 +146,22 @@ public void AddRoots(List<X509Certificate2> roots, bool append = false)
 
         roots.ForEach(c => store.Add(c));
     }
+
+    /// <summary>
+    /// Calculate the fingerprint of a certificate.
+    /// Reference: https://stackoverflow.com/questions/34586588/how-can-i-get-an-sha-256-certificate-thumbprint
+    /// </summary>
+    /// <param name="cert">The certificate.</param>
+    /// <returns>The SHA256 fingerprint.</returns>
+    private static CoseHeaderValue GetKeyIdentifier(X509Certificate2 cert)
+    {
+        Byte[] hashBytes;
+        using (var hasher = SHA256.Create())
+        {
+            hashBytes = hasher.ComputeHash(cert.RawData);
+        }
+
+        return CoseHeaderValue.FromBytes(hashBytes);
+    }
 }
 

CoseSign1.Tests/CoseSign1IntegrationTestsWithBuilder.cs

@@ -38,10 +38,10 @@ public void TestBuildSuccess()
         response.Should().BeOfType<CoseSign1Message>();
         response.ProtectedHeaders.Should().NotBeNull();
 
-        // There should be 4 ProtectedHeaders.
-        // First one is the algo header provided by Cosesigner. The second and third are from the Default ProtectedHeaders provided by CertificateCoseSignerKeyProvider
+        // There should be 5 ProtectedHeaders.
+        // First one is the algo header provided by Cosesigner. The second, third and fourth are from the Default ProtectedHeaders provided by CertificateCoseSignerKeyProvider
         // The last is the Content Type header provided by the user.
-        response.ProtectedHeaders.Should().HaveCount(c => c == 4);
+        response.ProtectedHeaders.Should().HaveCount(c => c == 5);
 
         response.UnprotectedHeaders.Should().BeEmpty();
     }
@@ -79,8 +79,8 @@ public void TestBuildSuccessWithCustomHeaderExtender()
         response.Should().BeOfType<CoseSign1Message>();
         response.ProtectedHeaders.Should().NotBeNull();
 
-        // The count of protected headers should be 5.
-        response.ProtectedHeaders.Should().HaveCount(c => c == 5);
+        // The count of protected headers should be 6.
+        response.ProtectedHeaders.Should().HaveCount(c => c == 6);
         response.ProtectedHeaders.First().Key.Should().Be(CoseHeaderLabel.Algorithm); // this is the algo header added by the CoseSigner
 
         // Count of Unprotected headers should be 1.

CoseSign1.Tests/CoseSign1IntegrationTestsWithFactory.cs

@@ -40,7 +40,7 @@ public void TestCreateCoseSign1MessageBytesSuccess()
         var responseAsCoseSign1Message = Factory.CreateCoseSign1Message(testPayload, testSigningKeyProvider);
         responseAsCoseSign1Message.Equals(CoseMessage.DecodeSign1(responseAsBytes.ToArray()));
 
-        responseAsCoseSign1Message.ProtectedHeaders.Should().HaveCount(c => c == 4);
+        responseAsCoseSign1Message.ProtectedHeaders.Should().HaveCount(c => c == 5);
 
         responseAsCoseSign1Message.UnprotectedHeaders.Should().BeEmpty();
     }
@@ -79,8 +79,8 @@ public void TestWithCustomHeaderExtender()
 
         responseAsCoseSign1Message.ProtectedHeaders.Should().NotBeNull();
 
-        //checking if the count of protected headers are 4.
-        responseAsCoseSign1Message.ProtectedHeaders.Should().HaveCount(c => c == 5);
+        //checking if the count of protected headers are 6.
+        responseAsCoseSign1Message.ProtectedHeaders.Should().HaveCount(c => c == 6);
 
         responseAsCoseSign1Message.ProtectedHeaders.First().Key.Should().Be(CoseHeaderLabel.Algorithm); // this is the algo header added by the CoseSigner