public void NonPaddedLibraryShouldPass()
        {
            // Negative control for the padding check: the fixture name indicates a library
            // with no extra data after its signature, so the rule must pass and log nothing.
            const string inputPath = "../../inputs/wintrustnonpadded.dl_";
            var paddingRule = new WinCertificatePaddingRule();
            var sink = new MemorySignatureLogger();

            var outcome = paddingRule.Validate(inputPath, sink, Configuration);

            // A pass must also be silent; any logged message would be a false positive.
            Assert.Equal(RuleResult.Pass, outcome);
            Assert.Empty(sink.Messages);
        }
        public void ShouldPassWhenUrlAndDescriptionPresent()
        {
            // Positive case for the publisher-information rule: the fixture name suggests a
            // signature that carries both a URL and a description (verify against the input file).
            var graph = GetGraphForFile("../../inputs/pubinfovalid.ex_");
            var publisherRule = new PublisherInformationPresentRule();
            var sink = new MemorySignatureLogger();

            var outcome = publisherRule.Validate(graph, sink, Configuration);

            // Passing must not produce any diagnostics.
            Assert.Equal(RuleResult.Pass, outcome);
            Assert.Empty(sink.Messages);
        }
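        public void ShouldFailWhenNoPublisherDescription()
        {
            // The fixture name suggests a signature that has a publisher URL but no
            // description (verify against the input file).
            var signature = GetGraphForFile("../../inputs/pubinfohasurl.ex_");
            var rule      = new PublisherInformationPresentRule();
            var logger    = new MemorySignatureLogger();

            var result = rule.Validate(signature, logger, Configuration);

            Assert.Equal(RuleResult.Fail, result);

            // Assert.Collection takes Action<T> inspectors. A bare s.EndsWith(...) lambda has its
            // bool result discarded, so only the element count was being verified. Asserting
            // inside the inspector makes the message text part of the test, so the failure is
            // attributed to the missing description and not to some other single message.
            Assert.Collection(
                logger.Messages,
                s => Assert.EndsWith("Signature does not have an accompanying description.", s));
        }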
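        public void ShouldFailWhenUrlIsBogus()
        {
            // The fixture name suggests a signature whose publisher URL is present but
            // malformed (verify against the input file).
            var signature = GetGraphForFile("../../inputs/pubinfohasbogusurl.ex_");
            var rule      = new PublisherInformationPresentRule();
            var logger    = new MemorySignatureLogger();

            var result = rule.Validate(signature, logger, Configuration);

            Assert.Equal(RuleResult.Fail, result);

            // Assert.Collection inspectors are Action<T>; returning the bool from s.EndsWith(...)
            // asserts nothing. Use Assert.EndsWith so the test really pins the "not a valid URI"
            // diagnostic and cannot pass on an unrelated single message.
            Assert.Collection(
                logger.Messages,
                s => Assert.EndsWith("Signature's accompanying URL is not a valid URI.", s));
        }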
        public void ShouldPassIfTimestampedAlgorithmIsValid()
        {
            // Positive case for the timestamp rule: the fixture name suggests a signature with
            // an acceptable timestamp (verify against the input file).
            var graph = GetGraphForFile("../../inputs/timestampedvalid.ex_");
            var timestampRule = new TimestampedRule();
            var sink = new MemorySignatureLogger();

            var outcome = timestampRule.Validate(graph, sink, Configuration);

            // A valid timestamp must pass without emitting diagnostics.
            Assert.Equal(RuleResult.Pass, outcome);
            Assert.Empty(sink.Messages);
        }
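        public void ShouldFailIfTimestampUsesWeakSignatureAlgorithm()
        {
            // The fixture name suggests a timestamp that uses a weaker hash than the SHA256
            // named in the expected diagnostic (verify against the input file).
            var signatures = GetGraphForFile("../../inputs/timestampedweaksig.ex_");
            var rule       = new TimestampedRule();

            var logger = new MemorySignatureLogger();
            var result = rule.Validate(signatures, logger, Configuration);

            Assert.Equal(RuleResult.Fail, result);

            // The inspector passed to Assert.Collection is an Action<T>, so the bool returned by
            // s.EndsWith(...) was ignored and only "exactly one message" was enforced. Asserting
            // the suffix here distinguishes a weak-algorithm failure from a missing timestamp,
            // which also yields Fail with a single message.
            Assert.Collection(
                logger.Messages,
                s => Assert.EndsWith("Signature is not timestamped with the expected hash algorithm SHA256.", s));
        }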
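        public void ShouldFailIfNoTimestamp(string file)
        {
            // `file` is supplied by the caller, presumably a theory data source that is not
            // visible in this excerpt. Each input is expected to have no timestamp at all.
            var signatures = GetGraphForFile(file);
            var rule       = new TimestampedRule();

            var logger = new MemorySignatureLogger();
            var result = rule.Validate(signatures, logger, Configuration);

            Assert.Equal(RuleResult.Fail, result);

            // Assert.Collection inspectors return void; a bare s.EndsWith(...) never fails the
            // test. Assert.EndsWith verifies that the single message is the "not timestamped"
            // diagnostic and not the weak-algorithm one.
            Assert.Collection(
                logger.Messages,
                s => Assert.EndsWith("Signature is not timestamped.", s));
        }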
        public void PaddedLibraryShouldFail()
        {
            // The fixture name indicates a library with extra bytes after the PKCS#7 structure.
            // The expected diagnostic reports those bytes Base64-encoded; for this input they
            // are the ASCII text "fail".
            const string inputPath = "../../inputs/wintrustpadded.dl_";
            var trailingBytesBase64 = Convert.ToBase64String(System.Text.Encoding.ASCII.GetBytes("fail"));
            var paddingRule = new WinCertificatePaddingRule();
            var sink = new MemorySignatureLogger();

            var outcome = paddingRule.Validate(inputPath, sink, Configuration);

            // Non-zero trailing data must fail the rule and must be surfaced to the operator.
            Assert.Equal(RuleResult.Fail, outcome);
            Assert.Contains($"Non-zero data found after PKCS#7 structure: {trailingBytesBase64}.", sink.Messages);
        }
        public void ShouldPassOnSha1Algorithm()
        {
            // A single fake signature whose digest algorithm is SHA1 is the accepted shape
            // for Sha1PrimarySignatureRule.
            var sha1Signature = new FakeSignature { DigestAlgorithm = new Oid(KnownOids.SHA1) };
            var primaryRule = new Sha1PrimarySignatureRule();
            var sink = new MemorySignatureLogger();
            var signatureSet = new List<ICmsSignature> { sha1Signature };

            var outcome = primaryRule.Validate(signatureSet, sink, Configuration);

            // Passing must be silent.
            Assert.Equal(RuleResult.Pass, outcome);
            Assert.Empty(sink.Messages);
        }
        public void ShouldFailOnNonSha1Algorithms(string oid)
        {
            // `oid` is supplied by the caller, presumably a theory data source that is not
            // visible in this excerpt. Each value is expected to be a digest OID other than SHA1.
            var digestOid = new Oid(oid);
            var fake = new FakeSignature { DigestAlgorithm = digestOid };
            var primaryRule = new Sha1PrimarySignatureRule();
            var sink = new MemorySignatureLogger();
            var signatureSet = new List<ICmsSignature> { fake };

            var outcome = primaryRule.Validate(signatureSet, sink, Configuration);

            // The diagnostic names the offending signature and the algorithm actually found.
            // The hex identifier is presumably FakeSignature's fixed value; confirm against
            // that type.
            Assert.Equal(RuleResult.Fail, outcome);
            Assert.Contains($"Signature 000102030405060708090a: Expected {nameof(KnownOids.SHA1)} digest algorithm but is {digestOid.FriendlyName}.", sink.Messages);
        }
        public void ShouldFailOnMultiplePrimarySignatures()
        {
            // Two signatures are passed in the same list, one SHA1 and one SHA256. The rule is
            // expected to reject the list because it holds more than one primary signature.
            var sha1Signature = new FakeSignature { DigestAlgorithm = new Oid(KnownOids.SHA1) };
            var sha256Signature = new FakeSignature { DigestAlgorithm = new Oid(KnownOids.SHA256) };
            var singleRule = new SinglePrimarySignatureRule();
            var sink = new MemorySignatureLogger();
            var signatureSet = new List<ICmsSignature> { sha1Signature, sha256Signature };

            var outcome = singleRule.Validate(signatureSet, sink, Configuration);

            Assert.Equal(RuleResult.Fail, outcome);
            Assert.Contains("Multiple primary signatures exist.", sink.Messages);
        }