public void GetCertificateChain_WhenPrimarySignatureNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => SignatureUtility.GetCertificateChain(primarySignature: null));
Assert.Equal("primarySignature", exception.ParamName);
}
public async Task GetCertificateChain_WithUnknownSignature_ReturnsCertificatesAsync()
{
using (var directory = TestDirectory.Create())
using (var certificate = _fixture.GetDefaultCertificate())
{
var packageContext = new SimpleTestPackageContext();
var unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
var signature = await packageReader.GetPrimarySignatureAsync(CancellationToken.None);
using (var certificates = SignatureUtility.GetCertificateChain(signature))
{
Assert.Equal(1, certificates.Count);
Assert.Equal(certificate.RawData, certificates[0].RawData);
}
}
}
}
private static ExtractedCertificates ExtractCertificates(
Context context,
RepositoryCountersignature repositoryCountersignature)
{
IX509CertificateChain signatureCertificates;
if (repositoryCountersignature == null)
{
signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature);
}
else
{
signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature, repositoryCountersignature);
}
context.Disposables.Add(signatureCertificates);
if (signatureCertificates == null || !signatureCertificates.Any())
{
throw new InvalidOperationException("The provided signature must have at least one signing certificate.");
}
var hashedSignatureCertificates = signatureCertificates
.Select(x => new HashedCertificate(x))
.ToList();
var signatureEndCertificate = hashedSignatureCertificates.First();
var signatureParentCertificates = hashedSignatureCertificates.Skip(1).ToList();
IX509CertificateChain timestampCertificates;
if (repositoryCountersignature == null)
{
timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature);
}
else
{
timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature, repositoryCountersignature);
}
context.Disposables.Add(timestampCertificates);
if (timestampCertificates == null || !timestampCertificates.Any())
{
throw new InvalidOperationException("The provided signature must have at least one timestamp certificate.");
}
var hashedTimestampCertificates = timestampCertificates
.Select(x => new HashedCertificate(x))
.ToList();
var timestampEndCertificate = hashedTimestampCertificates.First();
var timestampParentCertificates = hashedTimestampCertificates.Skip(1).ToList();
return(new ExtractedCertificates(
signatureEndCertificate,
signatureParentCertificates,
timestampEndCertificate,
timestampParentCertificates));
}
private string GetShaFromSamplePackage(string samplePackage)
{
using (var packageReader = new PackageArchiveReader(samplePackage))
{
PrimarySignature primarySignature = packageReader.GetPrimarySignatureAsync(CancellationToken.None).GetAwaiter().GetResult();
using (IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature))
{
return(certificateChain.First().GetCertHashString(HashAlgorithmName.SHA256));
}
}
}
public void GetCertificateChain_WithAuthorSignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("7d14ef1eaa95c41e3cb6c25bb177ce4f9bd7020c", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("0a08d814f1c1c4058bf709c4796a53a47df00e61", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a1b6d9c348850849be54e3e8ac2ae9938e59e4b3", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetCertificateChain_WithUnrelatedRepositoryCountersignature_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
primarySignature = RemoveRepositoryCountersignature(primarySignature);
var exception = Assert.Throws <ArgumentException>(
() => SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature));
Assert.Equal("repositoryCountersignature", exception.ParamName);
Assert.StartsWith("The primary signature and repository countersignature are unrelated.", exception.Message);
}
public void GetCertificateChain_WithRepositoryCountersignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("8d8cc5bdf9e5f86b971d7fb961fe24b999486483", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c8ae47bfd632870a15e3775784affd2bdc96cbf1", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d4e8185475a062de3518d1aa693f13c4283f81ff", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
private string GetShaFromSamplePackage(string samplePackage)
{
var packageReader = new PackageArchiveReader(samplePackage);
Directory.CreateDirectory(_tempDirectory.Value);
FilePath targetFilePath = _tempDirectory.WithFile(Path.GetRandomFileName());
packageReader.ExtractFile(".signature.p7s", targetFilePath.Value, _logger);
using var fs = new FileStream(targetFilePath.Value, FileMode.Open);
PrimarySignature primarySignature = PrimarySignature.Load(fs);
IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature);
var shaFromPackage = certificateChain[0].GetCertHashString(HashAlgorithmName.SHA256);
return(shaFromPackage);
}
private static async Task <List <SignatureLog> > VerifyUnavailableRevocationInfo(
SignatureVerificationStatus expectedStatus,
LogLevel expectedLogLevel,
SignedPackageVerifierSettings setting)
{
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var nupkgStream = new MemoryStream(GetResource("UnavailableCrlPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
// Read a signature that is valid in every way except that the CRL information is unavailable.
var signature = await package.GetPrimarySignatureAsync(CancellationToken.None);
using (var certificateChain = SignatureUtility.GetCertificateChain(signature))
{
var rootCertificate = certificateChain.Last();
// Trust the root CA of the signing certificate.
using (var testCertificate = TrustedTestCert.Create(
new X509Certificate2(rootCertificate),
StoreName.Root,
StoreLocation.LocalMachine,
maximumValidityPeriod: TimeSpan.MaxValue))
{
// Act
var result = await verificationProvider.GetTrustResultAsync(package, signature, setting, CancellationToken.None);
// Assert
Assert.Equal(expectedStatus, result.Trust);
return(result
.Issues
.Where(x => x.Level >= expectedLogLevel)
.OrderBy(x => x.Message)
.ToList());
}
}
}
}
