Beispiel #1
0
        public async Task GetCertificateChain_WithUnknownSignature_ReturnsCertificatesAsync()
        {
            using (var directory = TestDirectory.Create())
                using (var certificate = _fixture.GetDefaultCertificate())
                {
                    var packageContext      = new SimpleTestPackageContext();
                    var unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");

                    var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
                        directory,
                        unsignedPackageFile,
                        certificate);

                    using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
                    {
                        var signature = await packageReader.GetPrimarySignatureAsync(CancellationToken.None);

                        using (var certificates = SignatureUtility.GetCertificateChain(signature))
                        {
                            Assert.Equal(1, certificates.Count);
                            Assert.Equal(certificate.RawData, certificates[0].RawData);
                        }
                    }
                }
        }
Beispiel #2
0
        public void HasRepositoryCountersignature_WithNullPrimarySignature_Throws()
        {
            var exception = Assert.Throws <ArgumentNullException>(
                () => SignatureUtility.HasRepositoryCountersignature(primarySignature: null));

            Assert.Equal("primarySignature", exception.ParamName);
        }
        public void GetCertificateChain_WhenPrimarySignatureNull_Throws()
        {
            var exception = Assert.Throws <ArgumentNullException>(
                () => SignatureUtility.GetCertificateChain(primarySignature: null));

            Assert.Equal("primarySignature", exception.ParamName);
        }
Beispiel #4
0
        public void GetPrimarySignatureTimestampCertificates_WhenSignatureNull_Throws()
        {
            var exception = Assert.Throws <ArgumentNullException>(
                () => SignatureUtility.GetPrimarySignatureTimestampCertificates(signature: null));

            Assert.Equal("signature", exception.ParamName);
        }
        protected void ValidateSignatureFromHeaderWithContent(string secretKey, string headerName)
        {
            var result    = false;
            var signature = this.Request.Headers[headerName].FirstOrDefault() ?? string.Empty;

            if (this.Request.Body.CanRead &&
                this.Request.Body.CanSeek)
            {
                MemoryStream stream = new MemoryStream();
                this.Request.Body.Seek(0, SeekOrigin.Begin);
                this.Request.Body.CopyTo(stream);
                this.Request.Body.Seek(0, SeekOrigin.Begin);

                using (StreamReader reader = new StreamReader(stream))
                {
                    stream.Seek(0, SeekOrigin.Begin);
                    var content = reader.ReadToEnd();
                    result = SignatureUtility.ValidateSignature(signature, secretKey, content);
                }
            }

            if (result == false)
            {
                throw new UnauthorizedException();
            }
        }
        private static async Task <List <SignatureLog> > VerifyUnavailableRevocationInfo(
            SignatureVerificationStatus expectedStatus,
            LogLevel expectedLogLevel,
            SignedPackageVerifierSettings setting)
        {
            var verificationProvider = new SignatureTrustAndValidityVerificationProvider();

            using (var nupkgStream = new MemoryStream(GetResource("UnavailableCrlPackage.nupkg")))
                using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
                {
                    // Read a signature that is valid in every way except that the CRL information is unavailable.
                    var signature = await package.GetSignatureAsync(CancellationToken.None);

                    var rootCertificate = SignatureUtility.GetPrimarySignatureCertificates(signature).Last();

                    // Trust the root CA of the signing certificate.
                    using (var testCertificate = TrustedTestCert.Create(
                               rootCertificate,
                               StoreName.Root,
                               StoreLocation.LocalMachine,
                               maximumValidityPeriod: TimeSpan.MaxValue))
                    {
                        // Act
                        var result = await verificationProvider.GetTrustResultAsync(package, signature, setting, CancellationToken.None);

                        // Assert
                        Assert.Equal(expectedStatus, result.Trust);
                        return(result
                               .Issues
                               .Where(x => x.Level >= expectedLogLevel)
                               .OrderBy(x => x.Message)
                               .ToList());
                    }
                }
        }
        private static ExtractedCertificates ExtractCertificates(
            Context context,
            RepositoryCountersignature repositoryCountersignature)
        {
            IX509CertificateChain signatureCertificates;

            if (repositoryCountersignature == null)
            {
                signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature);
            }
            else
            {
                signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature, repositoryCountersignature);
            }

            context.Disposables.Add(signatureCertificates);

            if (signatureCertificates == null || !signatureCertificates.Any())
            {
                throw new InvalidOperationException("The provided signature must have at least one signing certificate.");
            }

            var hashedSignatureCertificates = signatureCertificates
                                              .Select(x => new HashedCertificate(x))
                                              .ToList();
            var signatureEndCertificate     = hashedSignatureCertificates.First();
            var signatureParentCertificates = hashedSignatureCertificates.Skip(1).ToList();

            IX509CertificateChain timestampCertificates;

            if (repositoryCountersignature == null)
            {
                timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature);
            }
            else
            {
                timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature, repositoryCountersignature);
            }

            context.Disposables.Add(timestampCertificates);

            if (timestampCertificates == null || !timestampCertificates.Any())
            {
                throw new InvalidOperationException("The provided signature must have at least one timestamp certificate.");
            }

            var hashedTimestampCertificates = timestampCertificates
                                              .Select(x => new HashedCertificate(x))
                                              .ToList();
            var timestampEndCertificate     = hashedTimestampCertificates.First();
            var timestampParentCertificates = hashedTimestampCertificates.Skip(1).ToList();

            return(new ExtractedCertificates(
                       signatureEndCertificate,
                       signatureParentCertificates,
                       timestampEndCertificate,
                       timestampParentCertificates));
        }
Beispiel #8
0
        public void GetPrimarySignatureCertificates_WithAuthorSignature_ReturnsCertificates()
        {
            var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));

            var certificates = SignatureUtility.GetPrimarySignatureCertificates(signature);

            Assert.Equal(3, certificates.Count);
            Assert.Equal("8219f5772ef562a3ea9b90da00ca7b9523a96fbf", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
            Assert.Equal("d8198d59087bbe6a6e7d69af62030145366be93e", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
            Assert.Equal("6d73d582b73b5b3b18a27506acceedea75ab63c2", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
        }
Beispiel #9
0
        public void GetPrimarySignatureTimestampCertificates_WithValidTimestamp_ReturnsCertificates()
        {
            var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));

            var certificates = SignatureUtility.GetPrimarySignatureTimestampCertificates(signature);

            Assert.Equal(3, certificates.Count);
            Assert.Equal("ff162bef155cb3d5b5962bbe084b21fc4d740001", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
            Assert.Equal("2aa752fe64c49abe82913c463529cf10ff2f04ee", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
            Assert.Equal("3b1efd3a66ea28b16697394703a72ca340a05bd5", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
        }
Beispiel #10
0
 private string GetShaFromSamplePackage(string samplePackage)
 {
     using (var packageReader = new PackageArchiveReader(samplePackage))
     {
         PrimarySignature primarySignature = packageReader.GetPrimarySignatureAsync(CancellationToken.None).GetAwaiter().GetResult();
         using (IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature))
         {
             return(certificateChain.First().GetCertHashString(HashAlgorithmName.SHA256));
         }
     }
 }
        public async Task GetTimestampCertificateChain_WithMismatchedEssCertIdCertificateHash_ReturnsChain(
            SigningCertificateUsage signingCertificateUsage)
        {
            ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();

            CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();

            var options = new TimestampServiceOptions()
            {
                SigningCertificateUsage  = signingCertificateUsage,
                SigningCertificateV1Hash = new byte[SHA1HashLength]
            };
            TimestampService timestampService = TimestampService.Create(rootCa, options);

            using (testServer.RegisterResponder(timestampService))
            {
                var nupkg = new SimpleTestPackageContext();

                using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
                    using (var directory = TestDirectory.Create())
                    {
                        var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                            certificate,
                            nupkg,
                            directory,
                            timestampService.Url);

                        using (FileStream stream = File.OpenRead(signedPackagePath))
                            using (var reader = new PackageArchiveReader(stream))
                            {
                                PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);

                                using (IX509CertificateChain actualChain = SignatureUtility.GetTimestampCertificateChain(signature))
                                {
                                    Assert.NotEmpty(actualChain);

                                    IReadOnlyList <Org.BouncyCastle.X509.X509Certificate> expectedChain = GetExpectedCertificateChain(timestampService);

                                    Assert.Equal(expectedChain.Count, actualChain.Count);

                                    for (var i = 0; i < expectedChain.Count; ++i)
                                    {
                                        Org.BouncyCastle.X509.X509Certificate expectedCertificate = expectedChain[i];
                                        X509Certificate2 actualCertificate = actualChain[i];

                                        Assert.True(
                                            expectedCertificate.GetEncoded().SequenceEqual(actualCertificate.RawData),
                                            $"The certificate at index {i} in the chain is unexpected.");
                                    }
                                }
                            }
                    }
            }
        }
        public static void CreateSignature_Should_Return_A_Signature()
        {
            // arrange
            var message    = "some content";
            var privateKey = "my-key";

            // act
            var sign = SignatureUtility.CreateSignature(privateKey, message);

            // assert
            Assert.Equal("ae00f9ad096b6d2ca828e972bcda212ed74b338ebc1332c56b2d96bb06fc845e", sign);
        }
Beispiel #13
0
        public void ValidateSignatureFromHeaderWithContent(string secretKey, string headerName)
        {
            var signature = this.Request.Headers[headerName].FirstOrDefault() ?? string.Empty;
            var content   = RequestStream.FromStream(this.Request.Body).AsString() ?? string.Empty;

            var result = SignatureUtility.ValidateSignature(signature, secretKey, content);

            if (result == false)
            {
                throw new UnauthorizedException();
            }
        }
        public void GetTimestampCertificateChain_WithAuthorSignatureTimestamp_ReturnsCertificates()
        {
            var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));

            using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature))
            {
                Assert.Equal(3, certificates.Count);
                Assert.Equal("5f970d4b17786b091a77eabdd0cf92ff8d1fdb43", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("c5e93f93089bd49dc1d8e2b657093b9e29132dcf", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("a0e355c9f370a3069823afa3ce22b14a91475e77", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
            }
        }
        public void GetTimestampCertificateChain_WithoutTimestamp_Throws()
        {
            var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));

            primarySignature = RemoveTimestamp(primarySignature);

            var exception = Assert.Throws <SignatureException>(
                () => SignatureUtility.GetTimestampCertificateChain(primarySignature));

            Assert.Equal(NuGetLogCode.NU3000, exception.Code);
            Assert.Equal("The primary signature does not have a timestamp.", exception.Message);
        }
        public void GetCertificateChain_WithAuthorSignature_ReturnsCertificates()
        {
            var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));

            using (var certificates = SignatureUtility.GetCertificateChain(primarySignature))
            {
                Assert.Equal(3, certificates.Count);
                Assert.Equal("7d14ef1eaa95c41e3cb6c25bb177ce4f9bd7020c", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("0a08d814f1c1c4058bf709c4796a53a47df00e61", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("a1b6d9c348850849be54e3e8ac2ae9938e59e4b3", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
            }
        }
        public static void ValidateSignature_Should_Return_Unsuccess_Validate()
        {
            // arrange
            var message    = "some content2";
            var privateKey = "my-key";
            var sign       = "ae00f9ad096b6d2ca828e972bcda212ed74b338ebc1332c56b2d96bb06fc845e";

            // act
            var result = SignatureUtility.ValidateSignature(sign, privateKey, message);

            // assert
            Assert.False(result);
        }
        public void GetTimestampCertificateChain_WithRepositoryCountersignatureTimestamp_ReturnsCertificates()
        {
            var primarySignature           = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
            var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);

            using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature, repositoryCountersignature))
            {
                Assert.Equal(3, certificates.Count);
                Assert.Equal("96b479acf63394f3bcc9928c396264afd60909ed", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("fa4e4ca3d9a26b92a73bb875f964972983b55ccd", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("88b288ff6d3d826469a9ef7816166a7def221885", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
            }
        }
        public void GetCertificateChain_WithRepositoryCountersignature_ReturnsCertificates()
        {
            var primarySignature           = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
            var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);

            using (var certificates = SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature))
            {
                Assert.Equal(3, certificates.Count);
                Assert.Equal("8d8cc5bdf9e5f86b971d7fb961fe24b999486483", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("c8ae47bfd632870a15e3775784affd2bdc96cbf1", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
                Assert.Equal("d4e8185475a062de3518d1aa693f13c4283f81ff", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
            }
        }
        public void GetCertificateChain_WithUnrelatedRepositoryCountersignature_Throws()
        {
            var primarySignature           = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
            var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);

            primarySignature = RemoveRepositoryCountersignature(primarySignature);

            var exception = Assert.Throws <ArgumentException>(
                () => SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature));

            Assert.Equal("repositoryCountersignature", exception.ParamName);
            Assert.StartsWith("The primary signature and repository countersignature are unrelated.", exception.Message);
        }
Beispiel #21
0
        private string GetShaFromSamplePackage(string samplePackage)
        {
            var packageReader = new PackageArchiveReader(samplePackage);

            Directory.CreateDirectory(_tempDirectory.Value);
            FilePath targetFilePath = _tempDirectory.WithFile(Path.GetRandomFileName());

            packageReader.ExtractFile(".signature.p7s", targetFilePath.Value, _logger);
            using var fs = new FileStream(targetFilePath.Value, FileMode.Open);
            PrimarySignature      primarySignature = PrimarySignature.Load(fs);
            IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature);
            var shaFromPackage = certificateChain[0].GetCertHashString(HashAlgorithmName.SHA256);

            return(shaFromPackage);
        }
        public static async Task <bool> IsRepositoryCountersignedAsync(Stream package)
        {
            using (var reader = new PackageArchiveReader(package, leaveStreamOpen: true))
            {
                var primarySignature = await reader.GetPrimarySignatureAsync(CancellationToken.None);

                if (primarySignature != null)
                {
#if IS_DESKTOP
                    return(SignatureUtility.HasRepositoryCountersignature(primarySignature));
#endif
                }

                return(false);
            }
        }
Beispiel #23
0
        public async Task HasRepositoryCountersignature_WithSignatureWithoutRepositoryCountersignature_ReturnsFalseAsync()
        {
            using (var certificate = _fixture.GetDefaultCertificate())
            {
                var packageContext        = new SimpleTestPackageContext();
                var unsignedPackageStream = packageContext.CreateAsStream();

                var signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(
                    certificate,
                    unsignedPackageStream);

                var hasRepoCountersignature = SignatureUtility.HasRepositoryCountersignature(signature);

                Assert.False(hasRepoCountersignature);
            }
        }
        public static void CreateSignatureFromObject_Should_Return_A_Signature_With_Ignored_Field()
        {
            // arrange
            var obj = new TestSign
            {
                SomeString = "test-x",
                SomeInt    = 1,
                SomeNull   = null,
                SomeBool   = true
            };
            var privateKey = "my-key";

            // act
            var sign = SignatureUtility.CreateSignatureFromObject(privateKey, obj, "SomeInt");

            // assert
            Assert.Equal("403ceaa302f5e6c47c72b8049c5700f331542c802e8a44bdc80896ff090afd79", sign);
        }
        public static void CreateSignatureFromObject_Should_Return_A_Signature()
        {
            // arrange
            var obj = new TestSign
            {
                SomeString = "test-x",
                SomeInt    = 1,
                SomeNull   = null,
                SomeBool   = true
            };
            var privateKey = "my-key";

            // act
            var sign = SignatureUtility.CreateSignatureFromObject(privateKey, obj);

            // assert
            Assert.Equal("24507965277b7d0a2e7db0b8d369eb3bf549c6d623523157125be92174363153", sign);
        }
        public static void ValidateSignatureFromObject_Should_Return_Unsuccess_Validate()
        {
            // arrange
            var obj = new TestSign
            {
                SomeString = "test-y",
                SomeInt    = 1,
                SomeNull   = null,
                SomeBool   = true
            };
            var privateKey = "my-key";
            var sign       = "24507965277b7d0a2e7db0b8d369eb3bf549c6d623523157125be92174363153";

            // act
            var result = SignatureUtility.ValidateSignatureFromObject(sign, privateKey, obj);

            // assert
            Assert.False(result);
        }
Beispiel #27
0
        public async Task HasRepositoryCountersignature_WithSignatureWithRepositoryCountersignature_ReturnsTrueAsync()
        {
            using (var certificate = _fixture.GetDefaultCertificate())
                using (var repositoryCertificate = _fixture.GetDefaultCertificate())
                {
                    var packageContext        = new SimpleTestPackageContext();
                    var unsignedPackageStream = packageContext.CreateAsStream();

                    var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync(
                        certificate,
                        unsignedPackageStream);

                    var reposignedSignature = await SignedArchiveTestUtility.RepositoryCountersignPrimarySignatureAsync(repositoryCertificate, signature);

                    var hasRepoCountersignature = SignatureUtility.HasRepositoryCountersignature(reposignedSignature);

                    Assert.True(hasRepoCountersignature);
                }
        }
        public static void ValidateSignatureFromObject_Should_Return_Unsuccess_Validate_With_Ignored_Field()
        {
            // arrange
            var obj = new TestSign
            {
                SomeString = "test-y",
                SomeInt    = 1,
                SomeNull   = null,
                SomeBool   = true
            };
            var privateKey = "my-key";
            var sign       = "403ceaa302f5e6c47c72b8049c5700f331542c802e8a44bdc80896ff090afd79";

            // act
            var result = SignatureUtility.ValidateSignatureFromObject(sign, privateKey, obj, "SomeInt");

            // assert
            Assert.False(result);
        }
        public async Task GetTimestampCertificateChain_WithShortEssCertIdCertificateHash_Throws(
            SigningCertificateUsage signingCertificateUsage)
        {
            ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();

            CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();

            var options = new TimestampServiceOptions()
            {
                SigningCertificateUsage  = signingCertificateUsage,
                SigningCertificateV1Hash = new byte[SHA1HashLength - 1]
            };
            TimestampService timestampService = TimestampService.Create(rootCa, options);

            using (testServer.RegisterResponder(timestampService))
            {
                var nupkg = new SimpleTestPackageContext();

                using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
                    using (var directory = TestDirectory.Create())
                    {
                        var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                            certificate,
                            nupkg,
                            directory,
                            timestampService.Url);

                        using (FileStream stream = File.OpenRead(signedPackagePath))
                            using (var reader = new PackageArchiveReader(stream))
                            {
                                PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);

                                var exception = Assert.Throws <SignatureException>(
                                    () => SignatureUtility.GetTimestampCertificateChain(signature));

                                Assert.Equal(
                                    "A certificate referenced by the signing-certificate attribute could not be found.",
                                    exception.Message);
                            }
                    }
            }
        }
        public static void ValidateSignatureFromObject_Should_Return_Success_Validate_With_Ignored_List_Null()
        {
            // arrange
            var obj = new TestSign
            {
                SomeString = "test-x",
                SomeInt    = 1,
                SomeNull   = null,
                SomeBool   = true
            };
            var           privateKey  = "my-key";
            var           sign        = "24507965277b7d0a2e7db0b8d369eb3bf549c6d623523157125be92174363153";
            List <string> ignoredList = null;

            // act
            var result = SignatureUtility.ValidateSignatureFromObject(sign, privateKey, obj, ignoredList);

            // assert
            Assert.True(result);
        }