Example #1
0
        public async Task Timestamp_Verify_WithOfflineRevocation_ReturnsCorrectFlagsAndLogsAsync()
        {
            var nupkg = new SimpleTestPackageContext();

            using (var testServer = await SigningTestServer.CreateAsync())
                using (var responders = new DisposableList <IDisposable>())
                    using (var packageStream = await nupkg.CreateAsStreamAsync())
                        using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
                        {
                            var ca = CreateOfflineRevocationCA(testServer, responders);
                            var timestampService = TimestampService.Create(ca);

                            responders.Add(testServer.RegisterResponder(timestampService));

                            var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);

                            var signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(testCertificate, packageStream, timestampProvider);

                            var timestamp = signature.Timestamps.First();

                            var settings = new SignedPackageVerifierSettings(
                                allowUnsigned: false,
                                allowUntrusted: false,
                                allowIllegal: false,
                                allowIgnoreTimestamp: false,
                                allowMultipleTimestamps: false,
                                allowNoTimestamp: false,
                                allowUnknownRevocation: false,
                                reportUnknownRevocation: true,
                                verificationTarget: VerificationTarget.All,
                                signaturePlacement: SignaturePlacement.Any,
                                repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Always,
                                revocationMode: RevocationMode.Online);

                            var logs = new List <SignatureLog>();

                            var result = timestamp.Verify(signature, settings, HashAlgorithmName.SHA256, logs);

                            result.HasFlag(SignatureVerificationStatusFlags.UnknownRevocation).Should().BeTrue();

                            var errors = logs.Where(l => l.Level == LogLevel.Error);
                            errors.Count().Should().Be(RuntimeEnvironmentHelper.IsWindows ? 2 : 1);

                            if (RuntimeEnvironmentHelper.IsWindows)
                            {
                                errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("The revocation function was unable to check revocation because the revocation server could not be reached."));
                                errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("The revocation function was unable to check revocation for the certificate."));
                            }
                            else
                            {
                                errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("unable to get certificate CRL"));
                            }
                        }
        }
Example #2
0
        public async Task Timestamp_Verify_WithOfflineRevocation_ReturnsCorrectFlagsAndLogsAsync()
        {
            var nupkg = new SimpleTestPackageContext();

            using (var testServer = await SigningTestServer.CreateAsync())
                using (var responders = new DisposableList <IDisposable>())
                    using (var packageStream = await nupkg.CreateAsStreamAsync())
                        using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
                        {
                            CertificateAuthority rootCa         = CertificateAuthority.Create(testServer.Url);
                            CertificateAuthority intermediateCa = rootCa.CreateIntermediateCertificateAuthority();

                            responders.Add(testServer.RegisterResponder(intermediateCa));
                            responders.Add(testServer.RegisterResponder(rootCa));

                            StoreLocation storeLocation = CertificateStoreUtilities.GetTrustedCertificateStoreLocation();

                            using (var trustedServerRoot = TrustedTestCert.Create(
                                       new X509Certificate2(rootCa.Certificate.GetEncoded()),
                                       StoreName.Root,
                                       storeLocation))
                            {
                                var timestampService = TimestampService.Create(intermediateCa);

                                responders.Add(testServer.RegisterResponder(timestampService));

                                var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);

                                AuthorPrimarySignature signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(testCertificate, packageStream, timestampProvider);

                                var timestamp = signature.Timestamps.First();

                                var settings = new SignedPackageVerifierSettings(
                                    allowUnsigned: false,
                                    allowUntrusted: false,
                                    allowIllegal: false,
                                    allowIgnoreTimestamp: false,
                                    allowMultipleTimestamps: false,
                                    allowNoTimestamp: false,
                                    allowUnknownRevocation: false,
                                    reportUnknownRevocation: true,
                                    verificationTarget: VerificationTarget.All,
                                    signaturePlacement: SignaturePlacement.Any,
                                    repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Always,
                                    revocationMode: RevocationMode.Online);

                                var logs = new List <SignatureLog>();

                                var result = timestamp.Verify(signature, settings, HashAlgorithmName.SHA256, logs);

                                result.HasFlag(SignatureVerificationStatusFlags.UnknownRevocation).Should().BeTrue();

                                var errors = logs.Where(l => l.Level == LogLevel.Error);

                                if (RuntimeEnvironmentHelper.IsMacOSX)
                                {
                                    errors.Count().Should().Be(1);
                                }
                                else
                                {
                                    errors.Count().Should().Be(2);
                                    SigningTestUtility.AssertOfflineRevocationOnlineMode(errors, LogLevel.Error, NuGetLogCode.NU3028);
                                }
                                SigningTestUtility.AssertRevocationStatusUnknown(errors, LogLevel.Error, NuGetLogCode.NU3028);
                            }
                        }
        }