private static async Task <List <SignatureLog> > VerifyUnavailableRevocationInfo(
SignatureVerificationStatus expectedStatus,
LogLevel expectedLogLevel,
SignedPackageVerifierSettings setting)
{
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var nupkgStream = new MemoryStream(GetResource("UnavailableCrlPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
// Read a signature that is valid in every way except that the CRL information is unavailable.
var signature = await package.GetSignatureAsync(CancellationToken.None);
var rootCertificate = SignatureUtility.GetPrimarySignatureCertificates(signature).Last();
// Trust the root CA of the signing certificate.
using (var testCertificate = TrustedTestCert.Create(
rootCertificate,
StoreName.Root,
StoreLocation.LocalMachine,
maximumValidityPeriod: TimeSpan.MaxValue))
{
// Act
var result = await verificationProvider.GetTrustResultAsync(package, signature, setting, CancellationToken.None);
// Assert
Assert.Equal(expectedStatus, result.Trust);
return(result
.Issues
.Where(x => x.Level >= expectedLogLevel)
.OrderBy(x => x.Message)
.ToList());
}
}
}
public async Task GetTrustResultAsync_WithInvalidSignature_Throws()
{
var package = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var directory = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageFilePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
testCertificate,
package,
directory,
timestampService.Url);
using (var packageReader = new PackageArchiveReader(packageFilePath))
{
var signature = await packageReader.GetSignatureAsync(CancellationToken.None);
var invalidSignature = SignedArchiveTestUtility.GenerateInvalidSignature(signature);
var provider = new SignatureTrustAndValidityVerificationProvider();
var result = await provider.GetTrustResultAsync(
packageReader,
invalidSignature,
SignedPackageVerifierSettings.Default,
CancellationToken.None);
var issue = result.Issues.FirstOrDefault(log => log.Code == NuGetLogCode.NU3012);
Assert.NotNull(issue);
Assert.Equal("Primary signature validation failed.", issue.Message);
}
}
}
public async Task GetTrustResultAsync_WithNoSigningCertificate_Throws()
{
var package = new SimpleTestPackageContext();
using (var directory = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageFilePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(testCertificate, package, directory);
using (var packageReader = new PackageArchiveReader(packageFilePath))
{
var signature = (await packageReader.GetSignaturesAsync(CancellationToken.None)).Single();
var signatureWithNoCertificates = GenerateSignatureWithNoCertificates(signature);
var provider = new SignatureTrustAndValidityVerificationProvider();
var result = await provider.GetTrustResultAsync(
packageReader,
signatureWithNoCertificates,
SignedPackageVerifierSettings.Default,
CancellationToken.None);
var issue = result.Issues.FirstOrDefault(log => log.Code == NuGetLogCode.NU3010);
Assert.NotNull(issue);
Assert.Equal("The primary signature does not have a signing certificate.", issue.Message);
}
}
}
private GetTrustResultAsyncTest(
TestDirectory directory,
SignedPackageArchive package,
Signature signature,
SignedPackageVerifierSettings settings)
{
_directory = directory;
Package = package;
Signature = signature;
Settings = settings;
Provider = new SignatureTrustAndValidityVerificationProvider();
}
public async Task GetTrustResultAsync_SettingsRequireExactlyOneTimestamp_MultipleTimestamps_Fails()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var testLogger = new TestLogger();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var setting = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowUntrustedSelfIssuedCertificate: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: false,
allowNoTimestamp: false,
allowUnknownRevocation: false,
allowNoClientCertificateList: true,
allowNoRepositoryCertificateList: true);
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var package = new PackageArchiveReader(nupkg.CreateAsStream(), leaveStreamOpen: false))
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
using (var signatureRequest = new AuthorSignPackageRequest(testCertificate, HashAlgorithmName.SHA256))
{
var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync(package, signatureRequest);
var timestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, signature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger);
var reTimestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, timestampedSignature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger);
timestampedSignature.Timestamps.Count.Should().Be(1);
reTimestampedSignature.Timestamps.Count.Should().Be(2);
// Act
var result = await verificationProvider.GetTrustResultAsync(package, reTimestampedSignature, setting, CancellationToken.None);
var totalErrorIssues = result.GetErrorIssues();
// Assert
result.Trust.Should().Be(SignatureVerificationStatus.Illegal);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3000);
}
}
public SignatureTrustAndValidityVerificationProviderTests()
{
_provider = new SignatureTrustAndValidityVerificationProvider();
}
