public async Task GetCertificateChain_WithUnknownSignature_ReturnsCertificatesAsync()
{
using (var directory = TestDirectory.Create())
using (var certificate = _fixture.GetDefaultCertificate())
{
var packageContext = new SimpleTestPackageContext();
var unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
var signature = await packageReader.GetPrimarySignatureAsync(CancellationToken.None);
using (var certificates = SignatureUtility.GetCertificateChain(signature))
{
Assert.Equal(1, certificates.Count);
Assert.Equal(certificate.RawData, certificates[0].RawData);
}
}
}
}
public void HasRepositoryCountersignature_WithNullPrimarySignature_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => SignatureUtility.HasRepositoryCountersignature(primarySignature: null));
Assert.Equal("primarySignature", exception.ParamName);
}
public void GetCertificateChain_WhenPrimarySignatureNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => SignatureUtility.GetCertificateChain(primarySignature: null));
Assert.Equal("primarySignature", exception.ParamName);
}
public void GetPrimarySignatureTimestampCertificates_WhenSignatureNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => SignatureUtility.GetPrimarySignatureTimestampCertificates(signature: null));
Assert.Equal("signature", exception.ParamName);
}
protected void ValidateSignatureFromHeaderWithContent(string secretKey, string headerName)
{
var result = false;
var signature = this.Request.Headers[headerName].FirstOrDefault() ?? string.Empty;
if (this.Request.Body.CanRead &&
this.Request.Body.CanSeek)
{
MemoryStream stream = new MemoryStream();
this.Request.Body.Seek(0, SeekOrigin.Begin);
this.Request.Body.CopyTo(stream);
this.Request.Body.Seek(0, SeekOrigin.Begin);
using (StreamReader reader = new StreamReader(stream))
{
stream.Seek(0, SeekOrigin.Begin);
var content = reader.ReadToEnd();
result = SignatureUtility.ValidateSignature(signature, secretKey, content);
}
}
if (result == false)
{
throw new UnauthorizedException();
}
}
private static async Task <List <SignatureLog> > VerifyUnavailableRevocationInfo(
SignatureVerificationStatus expectedStatus,
LogLevel expectedLogLevel,
SignedPackageVerifierSettings setting)
{
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var nupkgStream = new MemoryStream(GetResource("UnavailableCrlPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
// Read a signature that is valid in every way except that the CRL information is unavailable.
var signature = await package.GetSignatureAsync(CancellationToken.None);
var rootCertificate = SignatureUtility.GetPrimarySignatureCertificates(signature).Last();
// Trust the root CA of the signing certificate.
using (var testCertificate = TrustedTestCert.Create(
rootCertificate,
StoreName.Root,
StoreLocation.LocalMachine,
maximumValidityPeriod: TimeSpan.MaxValue))
{
// Act
var result = await verificationProvider.GetTrustResultAsync(package, signature, setting, CancellationToken.None);
// Assert
Assert.Equal(expectedStatus, result.Trust);
return(result
.Issues
.Where(x => x.Level >= expectedLogLevel)
.OrderBy(x => x.Message)
.ToList());
}
}
}
private static ExtractedCertificates ExtractCertificates(
Context context,
RepositoryCountersignature repositoryCountersignature)
{
IX509CertificateChain signatureCertificates;
if (repositoryCountersignature == null)
{
signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature);
}
else
{
signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature, repositoryCountersignature);
}
context.Disposables.Add(signatureCertificates);
if (signatureCertificates == null || !signatureCertificates.Any())
{
throw new InvalidOperationException("The provided signature must have at least one signing certificate.");
}
var hashedSignatureCertificates = signatureCertificates
.Select(x => new HashedCertificate(x))
.ToList();
var signatureEndCertificate = hashedSignatureCertificates.First();
var signatureParentCertificates = hashedSignatureCertificates.Skip(1).ToList();
IX509CertificateChain timestampCertificates;
if (repositoryCountersignature == null)
{
timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature);
}
else
{
timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature, repositoryCountersignature);
}
context.Disposables.Add(timestampCertificates);
if (timestampCertificates == null || !timestampCertificates.Any())
{
throw new InvalidOperationException("The provided signature must have at least one timestamp certificate.");
}
var hashedTimestampCertificates = timestampCertificates
.Select(x => new HashedCertificate(x))
.ToList();
var timestampEndCertificate = hashedTimestampCertificates.First();
var timestampParentCertificates = hashedTimestampCertificates.Skip(1).ToList();
return(new ExtractedCertificates(
signatureEndCertificate,
signatureParentCertificates,
timestampEndCertificate,
timestampParentCertificates));
}
public void GetPrimarySignatureCertificates_WithAuthorSignature_ReturnsCertificates()
{
var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));
var certificates = SignatureUtility.GetPrimarySignatureCertificates(signature);
Assert.Equal(3, certificates.Count);
Assert.Equal("8219f5772ef562a3ea9b90da00ca7b9523a96fbf", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d8198d59087bbe6a6e7d69af62030145366be93e", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("6d73d582b73b5b3b18a27506acceedea75ab63c2", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
public void GetPrimarySignatureTimestampCertificates_WithValidTimestamp_ReturnsCertificates()
{
var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));
var certificates = SignatureUtility.GetPrimarySignatureTimestampCertificates(signature);
Assert.Equal(3, certificates.Count);
Assert.Equal("ff162bef155cb3d5b5962bbe084b21fc4d740001", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("2aa752fe64c49abe82913c463529cf10ff2f04ee", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("3b1efd3a66ea28b16697394703a72ca340a05bd5", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
private string GetShaFromSamplePackage(string samplePackage)
{
using (var packageReader = new PackageArchiveReader(samplePackage))
{
PrimarySignature primarySignature = packageReader.GetPrimarySignatureAsync(CancellationToken.None).GetAwaiter().GetResult();
using (IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature))
{
return(certificateChain.First().GetCertHashString(HashAlgorithmName.SHA256));
}
}
}
public async Task GetTimestampCertificateChain_WithMismatchedEssCertIdCertificateHash_ReturnsChain(
SigningCertificateUsage signingCertificateUsage)
{
ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SigningCertificateUsage = signingCertificateUsage,
SigningCertificateV1Hash = new byte[SHA1HashLength]
};
TimestampService timestampService = TimestampService.Create(rootCa, options);
using (testServer.RegisterResponder(timestampService))
{
var nupkg = new SimpleTestPackageContext();
using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
using (var directory = TestDirectory.Create())
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
nupkg,
directory,
timestampService.Url);
using (FileStream stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);
using (IX509CertificateChain actualChain = SignatureUtility.GetTimestampCertificateChain(signature))
{
Assert.NotEmpty(actualChain);
IReadOnlyList <Org.BouncyCastle.X509.X509Certificate> expectedChain = GetExpectedCertificateChain(timestampService);
Assert.Equal(expectedChain.Count, actualChain.Count);
for (var i = 0; i < expectedChain.Count; ++i)
{
Org.BouncyCastle.X509.X509Certificate expectedCertificate = expectedChain[i];
X509Certificate2 actualCertificate = actualChain[i];
Assert.True(
expectedCertificate.GetEncoded().SequenceEqual(actualCertificate.RawData),
$"The certificate at index {i} in the chain is unexpected.");
}
}
}
}
}
}
public static void CreateSignature_Should_Return_A_Signature()
{
// arrange
var message = "some content";
var privateKey = "my-key";
// act
var sign = SignatureUtility.CreateSignature(privateKey, message);
// assert
Assert.Equal("ae00f9ad096b6d2ca828e972bcda212ed74b338ebc1332c56b2d96bb06fc845e", sign);
}
public void ValidateSignatureFromHeaderWithContent(string secretKey, string headerName)
{
var signature = this.Request.Headers[headerName].FirstOrDefault() ?? string.Empty;
var content = RequestStream.FromStream(this.Request.Body).AsString() ?? string.Empty;
var result = SignatureUtility.ValidateSignature(signature, secretKey, content);
if (result == false)
{
throw new UnauthorizedException();
}
}
public void GetTimestampCertificateChain_WithAuthorSignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("5f970d4b17786b091a77eabdd0cf92ff8d1fdb43", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c5e93f93089bd49dc1d8e2b657093b9e29132dcf", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a0e355c9f370a3069823afa3ce22b14a91475e77", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetTimestampCertificateChain_WithoutTimestamp_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
primarySignature = RemoveTimestamp(primarySignature);
var exception = Assert.Throws <SignatureException>(
() => SignatureUtility.GetTimestampCertificateChain(primarySignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("The primary signature does not have a timestamp.", exception.Message);
}
public void GetCertificateChain_WithAuthorSignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("7d14ef1eaa95c41e3cb6c25bb177ce4f9bd7020c", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("0a08d814f1c1c4058bf709c4796a53a47df00e61", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a1b6d9c348850849be54e3e8ac2ae9938e59e4b3", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public static void ValidateSignature_Should_Return_Unsuccess_Validate()
{
// arrange
var message = "some content2";
var privateKey = "my-key";
var sign = "ae00f9ad096b6d2ca828e972bcda212ed74b338ebc1332c56b2d96bb06fc845e";
// act
var result = SignatureUtility.ValidateSignature(sign, privateKey, message);
// assert
Assert.False(result);
}
public void GetTimestampCertificateChain_WithRepositoryCountersignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("96b479acf63394f3bcc9928c396264afd60909ed", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("fa4e4ca3d9a26b92a73bb875f964972983b55ccd", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("88b288ff6d3d826469a9ef7816166a7def221885", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetCertificateChain_WithRepositoryCountersignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("8d8cc5bdf9e5f86b971d7fb961fe24b999486483", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c8ae47bfd632870a15e3775784affd2bdc96cbf1", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d4e8185475a062de3518d1aa693f13c4283f81ff", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetCertificateChain_WithUnrelatedRepositoryCountersignature_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
primarySignature = RemoveRepositoryCountersignature(primarySignature);
var exception = Assert.Throws <ArgumentException>(
() => SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature));
Assert.Equal("repositoryCountersignature", exception.ParamName);
Assert.StartsWith("The primary signature and repository countersignature are unrelated.", exception.Message);
}
private string GetShaFromSamplePackage(string samplePackage)
{
var packageReader = new PackageArchiveReader(samplePackage);
Directory.CreateDirectory(_tempDirectory.Value);
FilePath targetFilePath = _tempDirectory.WithFile(Path.GetRandomFileName());
packageReader.ExtractFile(".signature.p7s", targetFilePath.Value, _logger);
using var fs = new FileStream(targetFilePath.Value, FileMode.Open);
PrimarySignature primarySignature = PrimarySignature.Load(fs);
IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature);
var shaFromPackage = certificateChain[0].GetCertHashString(HashAlgorithmName.SHA256);
return(shaFromPackage);
}
public static async Task <bool> IsRepositoryCountersignedAsync(Stream package)
{
using (var reader = new PackageArchiveReader(package, leaveStreamOpen: true))
{
var primarySignature = await reader.GetPrimarySignatureAsync(CancellationToken.None);
if (primarySignature != null)
{
#if IS_DESKTOP
return(SignatureUtility.HasRepositoryCountersignature(primarySignature));
#endif
}
return(false);
}
}
public async Task HasRepositoryCountersignature_WithSignatureWithoutRepositoryCountersignature_ReturnsFalseAsync()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var packageContext = new SimpleTestPackageContext();
var unsignedPackageStream = packageContext.CreateAsStream();
var signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(
certificate,
unsignedPackageStream);
var hasRepoCountersignature = SignatureUtility.HasRepositoryCountersignature(signature);
Assert.False(hasRepoCountersignature);
}
}
public static void CreateSignatureFromObject_Should_Return_A_Signature_With_Ignored_Field()
{
// arrange
var obj = new TestSign
{
SomeString = "test-x",
SomeInt = 1,
SomeNull = null,
SomeBool = true
};
var privateKey = "my-key";
// act
var sign = SignatureUtility.CreateSignatureFromObject(privateKey, obj, "SomeInt");
// assert
Assert.Equal("403ceaa302f5e6c47c72b8049c5700f331542c802e8a44bdc80896ff090afd79", sign);
}
public static void CreateSignatureFromObject_Should_Return_A_Signature()
{
// arrange
var obj = new TestSign
{
SomeString = "test-x",
SomeInt = 1,
SomeNull = null,
SomeBool = true
};
var privateKey = "my-key";
// act
var sign = SignatureUtility.CreateSignatureFromObject(privateKey, obj);
// assert
Assert.Equal("24507965277b7d0a2e7db0b8d369eb3bf549c6d623523157125be92174363153", sign);
}
public static void ValidateSignatureFromObject_Should_Return_Unsuccess_Validate()
{
// arrange
var obj = new TestSign
{
SomeString = "test-y",
SomeInt = 1,
SomeNull = null,
SomeBool = true
};
var privateKey = "my-key";
var sign = "24507965277b7d0a2e7db0b8d369eb3bf549c6d623523157125be92174363153";
// act
var result = SignatureUtility.ValidateSignatureFromObject(sign, privateKey, obj);
// assert
Assert.False(result);
}
public async Task HasRepositoryCountersignature_WithSignatureWithRepositoryCountersignature_ReturnsTrueAsync()
{
using (var certificate = _fixture.GetDefaultCertificate())
using (var repositoryCertificate = _fixture.GetDefaultCertificate())
{
var packageContext = new SimpleTestPackageContext();
var unsignedPackageStream = packageContext.CreateAsStream();
var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync(
certificate,
unsignedPackageStream);
var reposignedSignature = await SignedArchiveTestUtility.RepositoryCountersignPrimarySignatureAsync(repositoryCertificate, signature);
var hasRepoCountersignature = SignatureUtility.HasRepositoryCountersignature(reposignedSignature);
Assert.True(hasRepoCountersignature);
}
}
public static void ValidateSignatureFromObject_Should_Return_Unsuccess_Validate_With_Ignored_Field()
{
// arrange
var obj = new TestSign
{
SomeString = "test-y",
SomeInt = 1,
SomeNull = null,
SomeBool = true
};
var privateKey = "my-key";
var sign = "403ceaa302f5e6c47c72b8049c5700f331542c802e8a44bdc80896ff090afd79";
// act
var result = SignatureUtility.ValidateSignatureFromObject(sign, privateKey, obj, "SomeInt");
// assert
Assert.False(result);
}
public async Task GetTimestampCertificateChain_WithShortEssCertIdCertificateHash_Throws(
SigningCertificateUsage signingCertificateUsage)
{
ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SigningCertificateUsage = signingCertificateUsage,
SigningCertificateV1Hash = new byte[SHA1HashLength - 1]
};
TimestampService timestampService = TimestampService.Create(rootCa, options);
using (testServer.RegisterResponder(timestampService))
{
var nupkg = new SimpleTestPackageContext();
using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
using (var directory = TestDirectory.Create())
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
nupkg,
directory,
timestampService.Url);
using (FileStream stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);
var exception = Assert.Throws <SignatureException>(
() => SignatureUtility.GetTimestampCertificateChain(signature));
Assert.Equal(
"A certificate referenced by the signing-certificate attribute could not be found.",
exception.Message);
}
}
}
}
public static void ValidateSignatureFromObject_Should_Return_Success_Validate_With_Ignored_List_Null()
{
// arrange
var obj = new TestSign
{
SomeString = "test-x",
SomeInt = 1,
SomeNull = null,
SomeBool = true
};
var privateKey = "my-key";
var sign = "24507965277b7d0a2e7db0b8d369eb3bf549c6d623523157125be92174363153";
List <string> ignoredList = null;
// act
var result = SignatureUtility.ValidateSignatureFromObject(sign, privateKey, obj, ignoredList);
// assert
Assert.True(result);
}
