/// <summary>
/// Builds a two-tier test PKI (root + intermediate) backed by the shared test server,
/// installs the root certificate into the trusted Root store, and registers a CA
/// responder and an OCSP responder for every authority in the chain.
/// </summary>
/// <returns>The intermediate authority, i.e. the issuer callers should obtain leaf certificates from.</returns>
private async Task<CertificateAuthority> CreateDefaultTrustedCertificateAuthorityAsync()
{
    var server = await _testServer.Value;

    CertificateAuthority root = CertificateAuthority.Create(server.Url);
    CertificateAuthority intermediate = root.CreateIntermediateCertificateAuthority();

    // The root goes into StoreName.Root at the location the utility picks for this platform.
    // Installing a trust anchor is a machine/user-wide side effect; TrustedTestCert is assumed
    // to remove it when _trustedTimestampRoot is disposed — confirm before calling this twice.
    _trustedTimestampRoot = TrustedTestCert.Create(
        new X509Certificate2(root.Certificate.GetEncoded()),
        StoreName.Root,
        CertificateStoreUtilities.GetTrustedCertificateStoreLocation());

    // Walk from the intermediate up to the root via Parent, exposing each authority
    // and its OCSP responder on the test server; the handles are kept for later disposal.
    for (CertificateAuthority authority = intermediate; authority != null; authority = authority.Parent)
    {
        _responders.Add(server.RegisterResponder(authority));
        _responders.Add(server.RegisterResponder(authority.OcspResponder));
    }

    return intermediate;
}
/// <summary>
/// Selecting a signing certificate by subject name "Root" in the trusted Root store matches
/// several certificates. The command must fail with NU3001 and point the caller at
/// '-CertificateFingerprint' instead of silently choosing one of them.
/// </summary>
public async Task ExecuteCommandAsync_WithAmbiguousMatch_ThrowsAsync()
{
    const string expectedMessage = "Multiple certificates were found that meet all the given criteria. Use the '-CertificateFingerprint' option with the hash of the desired certificate.";

    using (var context = await Test.CreateAsync(_fixture.GetDefaultCertificate()))
    {
        context.Args.CertificateSubjectName = "Root";
        // The X509 store is opened in ReadOnly mode on this code path, hence the store
        // location is requested with readOnly: true (which resolves to LocalMachine).
        context.Args.CertificateStoreLocation =
            CertificateStoreUtilities.GetTrustedCertificateStoreLocation(readOnly: true);
        context.Args.CertificateStoreName = StoreName.Root;

        SignCommandException exception = await Assert.ThrowsAsync<SignCommandException>(
            () => context.Runner.ExecuteCommandAsync(context.Args));

        Assert.Equal(NuGetLogCode.NU3001, exception.AsLogMessage().Code);
        Assert.Equal(expectedMessage, exception.Message);
    }
}
/// <summary>
/// Companion to the ambiguous-match test: when subject name "Root" matches several
/// certificates in the trusted Root store, the NU3001 error must be logged exactly once
/// (no duplicate error output for the same failure).
/// </summary>
public async Task ExecuteCommandAsync_WithAmbiguousMatch_RaisesErrorsOnceAsync()
{
    const string expectedMessage = "Multiple certificates were found that meet all the given criteria. Use the '-CertificateFingerprint' option with the hash of the desired certificate.";

    using (TestContext context = await TestContext.CreateAsync(_fixture.GetDefaultCertificate()))
    {
        context.Args.CertificateSubjectName = "Root";
        // The X509 store is opened in ReadOnly mode on this code path, hence the store
        // location is requested with readOnly: true (which resolves to LocalMachine).
        context.Args.CertificateStoreLocation =
            CertificateStoreUtilities.GetTrustedCertificateStoreLocation(readOnly: true);
        context.Args.CertificateStoreName = StoreName.Root;

        await context.Runner.ExecuteCommandAsync(context.Args);

        // Exactly one error-level NU3001 entry with the expected text.
        // string.Equals(string) is an ordinal comparison, which is what we want for a fixed message.
        Assert.Single(
            context.Logger.LogMessages,
            message => message.Level == LogLevel.Error
                && message.Code == NuGetLogCode.NU3001
                && message.Message.Equals(expectedMessage));
    }
}
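/// <summary>
/// Verifies a timestamp whose revocation information cannot be fetched. The test server
/// serves the CA endpoints but no OCSP responder, while the verifier runs with
/// <see cref="RevocationMode.Online"/> and <c>allowUnknownRevocation: false</c>.
/// Expected outcome: the <see cref="SignatureVerificationStatusFlags.UnknownRevocation"/>
/// flag is set and NU3028 errors are logged (one on macOS, two elsewhere).
/// </summary>
public async Task Timestamp_Verify_WithOfflineRevocation_ReturnsCorrectFlagsAndLogsAsync()
{
    var nupkg = new SimpleTestPackageContext();

    using (var testServer = await SigningTestServer.CreateAsync())
    using (var responders = new DisposableList<IDisposable>())
    using (var packageStream = await nupkg.CreateAsStreamAsync())
    using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
    {
        CertificateAuthority rootCa = CertificateAuthority.Create(testServer.Url);
        CertificateAuthority intermediateCa = rootCa.CreateIntermediateCertificateAuthority();

        // Only the CA endpoints are registered — deliberately no OcspResponder — which appears
        // to be what makes revocation "offline" for this scenario.
        responders.Add(testServer.RegisterResponder(intermediateCa));
        responders.Add(testServer.RegisterResponder(rootCa));

        StoreLocation storeLocation = CertificateStoreUtilities.GetTrustedCertificateStoreLocation();

        // Install the test root as a trust anchor so the chain itself is trusted and the only
        // failure is the revocation lookup. Presumably removed again when trustedServerRoot is disposed.
        using (var trustedServerRoot = TrustedTestCert.Create(
            new X509Certificate2(rootCa.Certificate.GetEncoded()),
            StoreName.Root,
            storeLocation))
        {
            var timestampService = TimestampService.Create(intermediateCa);
            responders.Add(testServer.RegisterResponder(timestampService));

            var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
            AuthorPrimarySignature signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(
                testCertificate,
                packageStream,
                timestampProvider);
            var timestamp = signature.Timestamps.First();

            // Strictest policy: nothing is tolerated, unknown revocation must be reported, and the
            // revocation check is performed online so the missing OCSP endpoint surfaces as an error.
            var settings = new SignedPackageVerifierSettings(
                allowUnsigned: false,
                allowUntrusted: false,
                allowIllegal: false,
                allowIgnoreTimestamp: false,
                allowMultipleTimestamps: false,
                allowNoTimestamp: false,
                allowUnknownRevocation: false,
                reportUnknownRevocation: true,
                verificationTarget: VerificationTarget.All,
                signaturePlacement: SignaturePlacement.Any,
                repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Always,
                revocationMode: RevocationMode.Online);

            var logs = new List<SignatureLog>();
            var result = timestamp.Verify(signature, settings, HashAlgorithmName.SHA256, logs);

            result.HasFlag(SignatureVerificationStatusFlags.UnknownRevocation).Should().BeTrue();

            // Materialize the error subset once: the deferred query was previously re-enumerated
            // by Count() and again by each assertion helper below.
            List<SignatureLog> errors = logs.Where(l => l.Level == LogLevel.Error).ToList();

            if (RuntimeEnvironmentHelper.IsMacOSX)
            {
                // macOS reports a single NU3028 for this condition.
                errors.Count.Should().Be(1);
            }
            else
            {
                errors.Count.Should().Be(2);
                SigningTestUtility.AssertOfflineRevocationOnlineMode(errors, LogLevel.Error, NuGetLogCode.NU3028);
            }

            SigningTestUtility.AssertRevocationStatusUnknown(errors, LogLevel.Error, NuGetLogCode.NU3028);
        }
    }
}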