public async Task GetTimestamp_WithValidInput_ReturnsTimestampAsync()
{
var logger = new TestLogger();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var content = new SignatureContent(SigningSpecifications.V1, Common.HashAlgorithmName.SHA256, "Test data to be signed and timestamped");
using (var authorCert = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedCms = SigningTestUtility.GenerateSignedCms(authorCert, content.GetBytes());
var primarySignature = PrimarySignature.Load(signedCms.Encode());
var timestampHashAlgorithm = Common.HashAlgorithmName.SHA256;
var signatureValue = primarySignature.GetSignatureValue();
var messageHash = timestampHashAlgorithm.ComputeHash(signatureValue);
var request = new TimestampRequest(
signingSpecifications: SigningSpecifications.V1,
hashedMessage: messageHash,
hashAlgorithm: timestampHashAlgorithm,
target: SignaturePlacement.PrimarySignature
);
// Act
var timestampedCms = timestampProvider.GetTimestamp(request, logger, CancellationToken.None);
// Assert
timestampedCms.Should().NotBeNull();
timestampedCms.Detached.Should().BeFalse();
timestampedCms.ContentInfo.Should().NotBeNull();
timestampedCms.SignerInfos.Count.Should().Be(1);
}
}
private void VerifyTimestampData(
ISigningTestServer testServer,
TimestampService timestampService,
Action <Rfc3161TimestampProvider, TimestampRequest> verifyTimestampData)
{
using (testServer.RegisterResponder(timestampService))
{
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var timestampHashAlgorithm = Common.HashAlgorithmName.SHA256;
var content = new SignatureContent(SigningSpecifications.V1, Common.HashAlgorithmName.SHA256, "peach");
var signedCms = SigningTestUtility.GenerateSignedCms(certificate, content.GetBytes());
var signature = PrimarySignature.Load(signedCms.Encode());
var signatureValue = signature.GetSignatureValue();
var messageHash = timestampHashAlgorithm.ComputeHash(signatureValue);
var request = new TimestampRequest(
SigningSpecifications.V1,
messageHash,
timestampHashAlgorithm,
SignaturePlacement.PrimarySignature);
verifyTimestampData(timestampProvider, request);
}
}
}
public async Task GetTimestamp_WhenCancelled_ThrowsAsync()
{
var logger = new TestLogger();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var content = new SignatureContent(SigningSpecifications.V1, Common.HashAlgorithmName.SHA256, "Test data to be signed and timestamped");
using (var authorCert = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var timestampHashAlgorithm = Common.HashAlgorithmName.SHA256;
var signedCms = SigningTestUtility.GenerateSignedCms(authorCert, content.GetBytes());
var signature = PrimarySignature.Load(signedCms.Encode());
var signatureValue = signature.GetSignatureValue();
var messageHash = timestampHashAlgorithm.ComputeHash(signatureValue);
var request = new TimestampRequest(
signingSpecifications: SigningSpecifications.V1,
hashedMessage: messageHash,
hashAlgorithm: timestampHashAlgorithm,
target: SignaturePlacement.PrimarySignature
);
// Act
Action timestampAction = () => timestampProvider.GetTimestamp(request, logger, new CancellationToken(canceled: true));
// Assert
timestampAction.ShouldThrow <OperationCanceledException>()
.WithMessage(_operationCancelledExceptionMessage);
}
}
public void TrackStrippedRepositorySignatures(
string packageId,
string normalizedVersion,
Guid validationId,
PrimarySignature inputSignature,
PrimarySignature outputSignature)
{
var properties = new Dictionary <string, string>
{
{ PackageId, packageId },
{ NormalizedVersion, normalizedVersion },
{ ValidationId, validationId.ToString() },
{ InputSignatureType, inputSignature.Type.ToString() },
{ InputCounterSignatureCount, inputSignature.SignerInfo.CounterSignerInfos.Count.ToString() },
};
if (outputSignature != null)
{
properties.Add(OutputSignatureType, outputSignature.Type.ToString());
properties.Add(OutputCounterSignatureCount, outputSignature.SignerInfo.CounterSignerInfos.Count.ToString());
}
_telemetryClient.TrackMetric(
StrippedRepositorySignatures,
1,
properties);
}
public void Load_WhenDataNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => PrimarySignature.Load(data: null));
Assert.Equal("data", exception.ParamName);
}
public override async Task <PrimarySignature> GetPrimarySignatureAsync(CancellationToken token)
{
token.ThrowIfCancellationRequested();
if (ZipReadStream == null)
{
throw new SignatureException(Strings.SignedPackageUnableToAccessSignature);
}
PrimarySignature signature = null;
if (await IsSignedAsync(token))
{
using (var zip = new ZipArchive(ZipReadStream, ZipArchiveMode.Read, leaveOpen: true))
{
var signatureEntry = zip.GetEntry(SigningSpecifications.SignaturePath);
using (var signatureEntryStream = signatureEntry.Open())
{
#if IS_DESKTOP
signature = PrimarySignature.Load(signatureEntryStream);
#endif
}
}
}
return(signature);
}
public Context(int packageKey, PrimarySignature primarySignature, CancellationToken cancellationToken)
{
PackageKey = packageKey;
PrimarySignature = primarySignature ?? throw new ArgumentNullException(nameof(primarySignature));
CancellationToken = cancellationToken;
Disposables = new List <IDisposable>();
}
public async Task ExtractAsync(int packageKey, PrimarySignature primarySignature, CancellationToken cancellationToken)
{
using (var context = new Context(packageKey, primarySignature, cancellationToken))
{
if (primarySignature == null)
{
throw new ArgumentNullException(nameof(primarySignature));
}
// Extract the certificates found in the package signatures.
ExtractSignaturesAndCertificates(context);
// Prepare signature and certificate entities for the database but don't commit.
await PrepareSignaturesAndCertificatesRecordsAsync(context);
// Save the certificates to blob storage.
await SaveCertificatesToStoreAsync(context);
// Commit the database changes.
await _validationEntitiesContext.SaveChangesAsync();
// Update certificate information in the gallery.
await UpdateCertificateInformationAsync(context);
}
}
PrimarySignature CreateKeyVaultPrimarySignature(SignPackageRequest request, SignatureContent signatureContent, SignatureType signatureType)
{
// Get the chain
var getter = typeof(SignPackageRequest).GetProperty("Chain", BindingFlags.Instance | BindingFlags.NonPublic)
.GetGetMethod(true);
var certs = (IReadOnlyList <X509Certificate2>)getter.Invoke(request, null);
var attribs = SigningUtility.CreateSignedAttributes(request, certs);
// Convert .NET crypto attributes to Bouncy Castle
var attribTable = new AttributeTable(new Asn1EncodableVector(attribs.Cast <CryptographicAttributeObject>()
.Select(ToBcAttribute)
.ToArray()));
// SignerInfo generator setup
var signerInfoGeneratorBuilder = new SignerInfoGeneratorBuilder()
.WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(attribTable));
// Subject Key Identifier (SKI) is smaller and less prone to accidental matching than issuer and serial
// number. However, to ensure cross-platform verification, SKI should only be used if the certificate
// has the SKI extension attribute.
// Try to look for the value
var bcCer = DotNetUtilities.FromX509Certificate(request.Certificate);
var ext = bcCer.GetExtensionValue(new DerObjectIdentifier(Oids.SubjectKeyIdentifier));
SignerInfoGenerator signerInfoGenerator;
if (ext != null)
{
var ski = new SubjectKeyIdentifierStructure(ext);
signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), ski.GetKeyIdentifier());
}
else
{
signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), bcCer);
}
var generator = new CmsSignedDataGenerator();
generator.AddSignerInfoGenerator(signerInfoGenerator);
// Get the chain as bc certs
generator.AddCertificates(X509StoreFactory.Create("Certificate/Collection",
new X509CollectionStoreParameters(certs.Select(DotNetUtilities.FromX509Certificate).
ToList())));
var msg = new CmsProcessableByteArray(signatureContent.GetBytes());
var data = generator.Generate(msg, true);
var encoded = data.ContentInfo.GetDerEncoded();
return(PrimarySignature.Load(encoded));
}
public static PrimarySignature GenerateInvalidPrimarySignature(PrimarySignature signature)
{
var hash = Encoding.UTF8.GetBytes(signature.SignatureContent.HashValue);
var newHash = Encoding.UTF8.GetBytes(new string('0', hash.Length));
var bytes = signature.SignedCms.Encode();
var newBytes = FindAndReplaceSequence(bytes, hash, newHash);
return(PrimarySignature.Load(newBytes));
}
private string GetShaFromSamplePackage(string samplePackage)
{
using (var packageReader = new PackageArchiveReader(samplePackage))
{
PrimarySignature primarySignature = packageReader.GetPrimarySignatureAsync(CancellationToken.None).GetAwaiter().GetResult();
using (IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature))
{
return(certificateChain.First().GetCertHashString(HashAlgorithmName.SHA256));
}
}
}
public async Task GetTimestampCertificateChain_WithMismatchedEssCertIdCertificateHash_ReturnsChain(
SigningCertificateUsage signingCertificateUsage)
{
ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SigningCertificateUsage = signingCertificateUsage,
SigningCertificateV1Hash = new byte[SHA1HashLength]
};
TimestampService timestampService = TimestampService.Create(rootCa, options);
using (testServer.RegisterResponder(timestampService))
{
var nupkg = new SimpleTestPackageContext();
using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
using (var directory = TestDirectory.Create())
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
nupkg,
directory,
timestampService.Url);
using (FileStream stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);
using (IX509CertificateChain actualChain = SignatureUtility.GetTimestampCertificateChain(signature))
{
Assert.NotEmpty(actualChain);
IReadOnlyList <Org.BouncyCastle.X509.X509Certificate> expectedChain = GetExpectedCertificateChain(timestampService);
Assert.Equal(expectedChain.Count, actualChain.Count);
for (var i = 0; i < expectedChain.Count; ++i)
{
Org.BouncyCastle.X509.X509Certificate expectedCertificate = expectedChain[i];
X509Certificate2 actualCertificate = actualChain[i];
Assert.True(
expectedCertificate.GetEncoded().SequenceEqual(actualCertificate.RawData),
$"The certificate at index {i} in the chain is unexpected.");
}
}
}
}
}
}
private VerifyTest(
TestDirectory directory,
SignedPackageArchive package,
PrimarySignature primarySignature,
SignatureVerifySettings settings)
{
_directory = directory;
Package = package;
PrimarySignature = primarySignature;
Settings = settings;
}
public void GetPrimarySignatureTimestampCertificates_WithValidTimestamp_ReturnsCertificates()
{
var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));
var certificates = SignatureUtility.GetPrimarySignatureTimestampCertificates(signature);
Assert.Equal(3, certificates.Count);
Assert.Equal("ff162bef155cb3d5b5962bbe084b21fc4d740001", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("2aa752fe64c49abe82913c463529cf10ff2f04ee", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("3b1efd3a66ea28b16697394703a72ca340a05bd5", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
public void Load_WithGenericSignature_ReturnsSignatureWithUnknownType()
{
using (var test = new LoadTest(_fixture))
{
test.SignedCms.ComputeSignature(test.CmsSigner);
var signature = PrimarySignature.Load(test.SignedCms.Encode());
Assert.Equal(SignatureType.Unknown, signature.Type);
}
}
public void GetPrimarySignatureCertificates_WithAuthorSignature_ReturnsCertificates()
{
var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));
var certificates = SignatureUtility.GetPrimarySignatureCertificates(signature);
Assert.Equal(3, certificates.Count);
Assert.Equal("8219f5772ef562a3ea9b90da00ca7b9523a96fbf", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d8198d59087bbe6a6e7d69af62030145366be93e", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("6d73d582b73b5b3b18a27506acceedea75ab63c2", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
public void GetTimestampCertificateChain_WithAuthorSignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("5f970d4b17786b091a77eabdd0cf92ff8d1fdb43", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c5e93f93089bd49dc1d8e2b657093b9e29132dcf", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a0e355c9f370a3069823afa3ce22b14a91475e77", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetTimestampCertificateChain_WithoutTimestamp_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
primarySignature = RemoveTimestamp(primarySignature);
var exception = Assert.Throws <SignatureException>(
() => SignatureUtility.GetTimestampCertificateChain(primarySignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("The primary signature does not have a timestamp.", exception.Message);
}
private GetTrustResultAsyncTest(
TestDirectory directory,
SignedPackageArchive package,
PrimarySignature primarySignature,
SignedPackageVerifierSettings settings)
{
_directory = directory;
Package = package;
PrimarySignature = primarySignature;
Settings = settings;
Provider = new SignatureTrustAndValidityVerificationProvider();
}
public void GetCertificateChain_WithAuthorSignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("7d14ef1eaa95c41e3cb6c25bb177ce4f9bd7020c", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("0a08d814f1c1c4058bf709c4796a53a47df00e61", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a1b6d9c348850849be54e3e8ac2ae9938e59e4b3", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
private VerifyTest(
TestDirectory directory,
FileStream signedPackageReadStream,
SignedPackageArchive package,
PrimarySignature primarySignature,
SignatureVerifySettings settings)
{
_directory = directory;
_signedPackageReadStream = signedPackageReadStream;
Package = package;
PrimarySignature = primarySignature;
Settings = settings;
}
public void GetCertificateChain_WithUnrelatedRepositoryCountersignature_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
primarySignature = RemoveRepositoryCountersignature(primarySignature);
var exception = Assert.Throws <ArgumentException>(
() => SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature));
Assert.Equal("repositoryCountersignature", exception.ParamName);
Assert.StartsWith("The primary signature and repository countersignature are unrelated.", exception.Message);
}
public void GetTimestampCertificateChain_WithRepositoryCountersignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("96b479acf63394f3bcc9928c396264afd60909ed", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("fa4e4ca3d9a26b92a73bb875f964972983b55ccd", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("88b288ff6d3d826469a9ef7816166a7def221885", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetCertificateChain_WithRepositoryCountersignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("8d8cc5bdf9e5f86b971d7fb961fe24b999486483", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c8ae47bfd632870a15e3775784affd2bdc96cbf1", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d4e8185475a062de3518d1aa693f13c4283f81ff", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public Task <PackageVerificationResult> GetTrustResultAsync(
ISignedPackageReader package,
PrimarySignature signature,
SignedPackageVerifierSettings settings,
CancellationToken token)
{
var result = new SignedPackageVerificationResult(
SignatureVerificationStatus.Valid,
signature,
Enumerable.Empty <SignatureLog>());
return(Task.FromResult <PackageVerificationResult>(result));
}
public void GetRepositoryCountersignature_WithoutCountersignature_ReturnsNull()
{
using (var test = new Test(_fixture))
{
test.CreateValidAuthorPrimarySignature();
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
Assert.Null(countersignature);
}
}
public void Load_WitNoPrimarySignature_Throws()
{
using (var test = new LoadTest(_fixture))
{
test.SignedCms.ComputeSignature(test.CmsSigner);
test.SignedCms.RemoveSignature(index: 0);
var exception = Assert.Throws <SignatureException>(
() => PrimarySignature.Load(test.SignedCms.Encode()));
Assert.Equal(NuGetLogCode.NU3009, exception.Code);
Assert.Equal(NotExactlyOnePrimarySignature, exception.Message);
}
}
public async Task Load_WithReissuedSigningCertificate_ThrowsAsync()
{
var certificates = _testFixture.TrustedTestCertificateWithReissuedCertificate;
var packageContext = new SimpleTestPackageContext();
using (var directory = TestDirectory.Create())
using (var certificate1 = new X509Certificate2(certificates[0].Source.Cert))
using (var certificate2 = new X509Certificate2(certificates[1].Source.Cert))
{
var packageFilePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate1,
packageContext,
directory);
using (var packageReader = new PackageArchiveReader(packageFilePath))
{
var signature = (await packageReader.GetPrimarySignatureAsync(CancellationToken.None));
var certificateStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(
new[] { Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate2) }));
var emptyCertificateStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Certificate>()));
var crlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Crl>()));
var bytes = signature.SignedCms.Encode();
using (var readStream = new MemoryStream(bytes))
using (var writeStream = new MemoryStream())
{
CmsSignedDataParser.ReplaceCertificatesAndCrls(
readStream,
certificateStore,
crlStore,
emptyCertificateStore,
writeStream);
var exception = Assert.Throws <SignatureException>(
() => PrimarySignature.Load(writeStream.ToArray()));
Assert.Equal(NuGetLogCode.NU3011, exception.Code);
Assert.Equal("A certificate referenced by the signing-certificate-v2 attribute could not be found.", exception.Message);
}
}
}
}
private string GetShaFromSamplePackage(string samplePackage)
{
var packageReader = new PackageArchiveReader(samplePackage);
Directory.CreateDirectory(_tempDirectory.Value);
FilePath targetFilePath = _tempDirectory.WithFile(Path.GetRandomFileName());
packageReader.ExtractFile(".signature.p7s", targetFilePath.Value, _logger);
using var fs = new FileStream(targetFilePath.Value, FileMode.Open);
PrimarySignature primarySignature = PrimarySignature.Load(fs);
IX509CertificateChain certificateChain = SignatureUtility.GetCertificateChain(primarySignature);
var shaFromPackage = certificateChain[0].GetCertHashString(HashAlgorithmName.SHA256);
return(shaFromPackage);
}
private static PrimarySignature RemoveUnsignedAttribute(PrimarySignature signature, Func <AttributeTable, AttributeTable> remover)
{
var bytes = signature.GetBytes();
var signedData = new CmsSignedData(bytes);
var signerInfos = signedData.GetSignerInfos();
var signerInfo = GetFirstSignerInfo(signerInfos);
var updatedAttributes = remover(signerInfo.UnsignedAttributes);
var updatedSignerInfo = SignerInformation.ReplaceUnsignedAttributes(signerInfo, updatedAttributes);
var updatedSignerInfos = new SignerInformationStore(updatedSignerInfo);
var updatedSignedData = CmsSignedData.ReplaceSigners(signedData, updatedSignerInfos);
return(PrimarySignature.Load(updatedSignedData.GetEncoded()));
}
