public void GetRepositoryCountersignature_WithNonRepositoryCountersignature_ReturnsNull()
{
using (var test = new Test(_fixture))
{
test.CreateValidAuthorPrimarySignature();
// Generate valid countersignature
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateNuGetV3ServiceIndexUrl(new Uri("https://api.nuget.org/v3/index.json")));
test.CounterCmsSigner.SignedAttributes.Add(
new Pkcs9SigningTime());
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateSigningCertificateV2(test.Certificate, HashAlgorithmName.SHA256));
// Create counter signature
test.PrimarySignedCms.SignerInfos[0].ComputeCounterSignature(test.CounterCmsSigner);
// Load primary signature
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
Assert.Null(countersignature);
}
}
public async Task LoadSignatureDataAsync()
{
using (var reader = new PackageArchiveReader(_streamFactory(), false))
{
IsSigned = await reader.IsSignedAsync(CancellationToken.None);
if (IsSigned)
{
try
{
var sig = await reader.GetPrimarySignatureAsync(CancellationToken.None);
// Author signatures must be the primary, but they can contain
// a repository counter signature
if (sig.Type == SignatureType.Author)
{
PublisherSignature = new SignatureInfo(sig);
var counter = RepositoryCountersignature.GetRepositoryCountersignature(sig);
if (counter != null)
{
RepositorySignature = new RepositorySignatureInfo(counter);
}
}
else if (sig.Type == SignatureType.Repository)
{
RepositorySignature = new RepositorySignatureInfo(sig);
}
}
catch (SignatureException)
{
}
}
}
}
public void GetRepositoryCountersignature_WithRepositoryPrimarySignature_Throws()
{
using (var test = new Test(_fixture))
{
test.CreateValidRepositoryPrimarySignature();
// Generate valid countersignature
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateCommitmentTypeIndication(SignatureType.Repository));
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateNuGetV3ServiceIndexUrl(new Uri("https://api.nuget.org/v3/index.json")));
test.CounterCmsSigner.SignedAttributes.Add(
new Pkcs9SigningTime());
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateSigningCertificateV2(test.Certificate, HashAlgorithmName.SHA256));
// Create counter signature
test.PrimarySignedCms.SignerInfos[0].ComputeCounterSignature(test.CounterCmsSigner);
// Load primary signature
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var exception = Assert.Throws <SignatureException>(
() => RepositoryCountersignature.GetRepositoryCountersignature(primarySignature));
Assert.Equal(NuGetLogCode.NU3033, exception.Code);
Assert.Equal("A repository primary signature must not have a repository countersignature.", exception.Message);
}
}
public void GetRepositoryCountersignature_WithValidRepositoryCountersignature_ReturnsRepositoryCountersignature()
{
using (var test = new Test(_fixture))
{
test.CreateValidAuthorPrimarySignature();
// Generate valid countersignature
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateCommitmentTypeIndication(SignatureType.Repository));
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateNuGetV3ServiceIndexUrl(new Uri("https://api.nuget.org/v3/index.json")));
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateNuGetPackageOwners(new List <string> {
"microsoft", "nuget"
}));
test.CounterCmsSigner.SignedAttributes.Add(
new Pkcs9SigningTime());
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateSigningCertificateV2(test.Certificate, HashAlgorithmName.SHA256));
// Create counter signature
test.PrimarySignedCms.SignerInfos[0].ComputeCounterSignature(test.CounterCmsSigner);
// Load primary signature
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
Assert.Equal(SignatureType.Repository, countersignature.Type);
}
}
public void GetRepositoryCountersignature_WithRepositoryCountersignatureWithoutV3ServiceIndexUrl_Throws()
{
using (var test = new Test(_fixture))
{
test.CreateValidAuthorPrimarySignature();
// Generate countersignature
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateCommitmentTypeIndication(SignatureType.Repository));
test.CounterCmsSigner.SignedAttributes.Add(
new Pkcs9SigningTime());
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateSigningCertificateV2(test.Certificate, HashAlgorithmName.SHA256));
// Create counter signature
test.PrimarySignedCms.SignerInfos[0].ComputeCounterSignature(test.CounterCmsSigner);
// Load primary signature
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var exception = Assert.Throws <SignatureException>(
() => RepositoryCountersignature.GetRepositoryCountersignature(primarySignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("Exactly one nuget-v3-service-index-url attribute is required.", exception.Message);
}
}
public void GetRepositoryCountersignature_WhenPrimarySignatureNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => RepositoryCountersignature.GetRepositoryCountersignature(primarySignature: null));
Assert.Equal("primarySignature", exception.ParamName);
}
private static void ExtractSignaturesAndCertificates(Context context)
{
if (context.PrimarySignature.Timestamps.Count != 1)
{
throw new InvalidOperationException("There should be exactly one timestamp on the primary signature.");
}
var primarySignatureCertificates = ExtractPrimarySignatureCertificates(context);
if (context.PrimarySignature.Type == SignatureType.Author)
{
context.Author = new SignatureAndCertificates(context.PrimarySignature, primarySignatureCertificates);
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(context.PrimarySignature);
if (repositoryCountersignature != null)
{
if (repositoryCountersignature.Timestamps.Count != 1)
{
throw new InvalidOperationException("There should be exactly one timestamp on the repository countersignature.");
}
var countersignatureCertificates = ExtractRepositoryCountersignatureCertificates(context, repositoryCountersignature);
context.Repository = new SignatureAndCertificates(repositoryCountersignature, countersignatureCertificates);
}
}
else if (context.PrimarySignature.Type == SignatureType.Repository)
{
context.Repository = new SignatureAndCertificates(context.PrimarySignature, primarySignatureCertificates);
}
else
{
throw new InvalidOperationException("The primary signature must be an author or repository signature.");
}
}
private static ExtractedCertificates ExtractCertificates(
Context context,
RepositoryCountersignature repositoryCountersignature)
{
IX509CertificateChain signatureCertificates;
if (repositoryCountersignature == null)
{
signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature);
}
else
{
signatureCertificates = SignatureUtility.GetCertificateChain(context.PrimarySignature, repositoryCountersignature);
}
context.Disposables.Add(signatureCertificates);
if (signatureCertificates == null || !signatureCertificates.Any())
{
throw new InvalidOperationException("The provided signature must have at least one signing certificate.");
}
var hashedSignatureCertificates = signatureCertificates
.Select(x => new HashedCertificate(x))
.ToList();
var signatureEndCertificate = hashedSignatureCertificates.First();
var signatureParentCertificates = hashedSignatureCertificates.Skip(1).ToList();
IX509CertificateChain timestampCertificates;
if (repositoryCountersignature == null)
{
timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature);
}
else
{
timestampCertificates = SignatureUtility.GetTimestampCertificateChain(context.PrimarySignature, repositoryCountersignature);
}
context.Disposables.Add(timestampCertificates);
if (timestampCertificates == null || !timestampCertificates.Any())
{
throw new InvalidOperationException("The provided signature must have at least one timestamp certificate.");
}
var hashedTimestampCertificates = timestampCertificates
.Select(x => new HashedCertificate(x))
.ToList();
var timestampEndCertificate = hashedTimestampCertificates.First();
var timestampParentCertificates = hashedTimestampCertificates.Skip(1).ToList();
return(new ExtractedCertificates(
signatureEndCertificate,
signatureParentCertificates,
timestampEndCertificate,
timestampParentCertificates));
}
public async Task GetRepositoryCountersignature_WithNoCountersignatures_ReturnsNull()
{
using (var test = await Test.CreateWithoutRepositoryCountersignatureAsync(_fixture.TrustedTestCertificate.Source.Cert))
{
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(test.PrimarySignature);
Assert.Null(repositoryCountersignature);
}
}
public async Task GetSignatureValue_WithSha256_ReturnsValue()
{
using (var test = await Test.CreateAsync(new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert)))
{
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(test.PrimarySignature);
var actualValue = repositoryCountersignature.GetSignatureValue();
var expectedValue = GetRepositoryCountersignatureSignatureValue(test.PrimarySignature.SignedCms);
Assert.Equal(expectedValue, actualValue);
}
}
public void GetCertificateChain_WithRepositoryCountersignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("8d8cc5bdf9e5f86b971d7fb961fe24b999486483", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c8ae47bfd632870a15e3775784affd2bdc96cbf1", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d4e8185475a062de3518d1aa693f13c4283f81ff", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetRepositoryCountersignature_WithoutCountersignature_ReturnsNull()
{
using (var test = new Test(_fixture))
{
test.CreateValidAuthorPrimarySignature();
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
Assert.Null(countersignature);
}
}
public void GetTimestampCertificateChain_WithRepositoryCountersignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("96b479acf63394f3bcc9928c396264afd60909ed", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("fa4e4ca3d9a26b92a73bb875f964972983b55ccd", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("88b288ff6d3d826469a9ef7816166a7def221885", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetCertificateChain_WithUnrelatedRepositoryCountersignature_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
primarySignature = RemoveRepositoryCountersignature(primarySignature);
var exception = Assert.Throws <ArgumentException>(
() => SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature));
Assert.Equal("repositoryCountersignature", exception.ParamName);
Assert.StartsWith("The primary signature and repository countersignature are unrelated.", exception.Message);
}
private async Task <bool> HasAllValidRepositorySignaturesAsync(Context context)
{
if (context.Signature.Type == SignatureType.Repository)
{
if (!await IsValidRepositorySignatureAsync(context, (RepositoryPrimarySignature)context.Signature))
{
_logger.LogInformation(
"Signed package {PackageId} {PackageVersion} for validation {ValidationId} has repository " +
"primary signature that is invalid.",
context.Message.PackageId,
context.Message.PackageVersion,
context.Message.ValidationId);
return(false);
}
}
try
{
var repositoryCounterSignature = RepositoryCountersignature.GetRepositoryCountersignature(context.Signature);
if (repositoryCounterSignature != null &&
!await IsValidRepositorySignatureAsync(context, repositoryCounterSignature))
{
_logger.LogInformation(
"Signed package {PackageId} {PackageVersion} for validation {ValidationId} has repository " +
"countersignature that is invalid.",
context.Message.PackageId,
context.Message.PackageVersion,
context.Message.ValidationId);
return(false);
}
}
catch (SignatureException ex)
{
// This handles the case when there are multiple repository signatures.
_logger.LogInformation(
0,
ex,
"Signed package {PackageId} {PackageVersion} for validation {ValidationId} has repository " +
"countersignature that is invalid due to an exception.",
context.Message.PackageId,
context.Message.PackageVersion,
context.Message.ValidationId);
return(false);
}
return(true);
}
public void GetTimestampCertificateChain_WithRepositoryCountersignatureWithoutTimestamp_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
primarySignature = RemoveRepositoryCountersignatureTimestamp(primarySignature);
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
var exception = Assert.Throws <SignatureException>(
() => SignatureUtility.GetTimestampCertificateChain(primarySignature, repositoryCountersignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("The repository countersignature does not have a timestamp.", exception.Message);
}
private Task <PrimarySignature> TimestampRepositoryCountersignatureAsync(SignPackageRequest request, ILogger logger, PrimarySignature primarySignature, CancellationToken token)
{
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
var signatureValue = repositoryCountersignature.GetSignatureValue();
var messageHash = request.TimestampHashAlgorithm.ComputeHash(signatureValue);
var timestampRequest = new TimestampRequest(
signingSpecifications: SigningSpecifications.V1,
hashedMessage: messageHash,
hashAlgorithm: request.TimestampHashAlgorithm,
target: SignaturePlacement.Countersignature
);
return(timestampProvider.TimestampSignatureAsync(primarySignature, timestampRequest, logger, token));
}
public async Task TimestampSignatureAsync_TimestampingCountersignature_Succeeds()
{
var logger = new TestLogger();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var signatureContent = new SignatureContent(SigningSpecifications.V1, Common.HashAlgorithmName.SHA256, "Test data to be signed and timestamped");
using (var authorCert = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var timestampHashAlgorithm = Common.HashAlgorithmName.SHA256;
var signedCms = SigningTestUtility.GenerateRepositoryCountersignedSignedCms(authorCert, signatureContent.GetBytes());
var signature = PrimarySignature.Load(signedCms.Encode());
var signatureValue = signature.GetSignatureValue();
var messageHash = timestampHashAlgorithm.ComputeHash(signatureValue);
var request = new TimestampRequest(
SigningSpecifications.V1,
messageHash,
timestampHashAlgorithm,
SignaturePlacement.Countersignature);
// Act
var primarySignature = await timestampProvider.TimestampSignatureAsync(signature, request, logger, CancellationToken.None);
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
// Assert
repositoryCountersignature.Should().NotBeNull();
repositoryCountersignature.SignerInfo.Should().NotBeNull();
repositoryCountersignature.SignerInfo.UnsignedAttributes.Count.Should().BeGreaterOrEqualTo(1);
var hasTimestampUnsignedAttribute = false;
var timestampCms = new SignedCms();
foreach (var attr in repositoryCountersignature.SignerInfo.UnsignedAttributes)
{
if (string.Compare(attr.Oid.Value, Oids.SignatureTimeStampTokenAttribute, CultureInfo.CurrentCulture, CompareOptions.Ordinal) == 0)
{
hasTimestampUnsignedAttribute = true;
timestampCms.Decode(attr.Values[0].RawData);
}
}
hasTimestampUnsignedAttribute.Should().BeTrue();
timestampCms.CheckSignature(verifySignatureOnly: true);
}
}
public async Task GetRepositoryCountersignature_WithRepositoryCountersignature_ReturnsInstance()
{
using (var test = await Test.CreateAsync(new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert)))
{
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(test.PrimarySignature);
Assert.NotNull(repositoryCountersignature);
Assert.Equal(test.Request.Certificate, repositoryCountersignature.SignerInfo.Certificate);
Assert.Equal(
test.Request.SignatureHashAlgorithm.ConvertToOidString(),
repositoryCountersignature.SignerInfo.DigestAlgorithm.Value);
Assert.Equal(test.Request.V3ServiceIndexUrl, repositoryCountersignature.V3ServiceIndexUrl);
Assert.Equal(test.Request.PackageOwners, repositoryCountersignature.PackageOwners);
}
}
protected async override Task RunInternalAsync(ValidationContext context)
{
// Get the package's signature, if any.
var signature = await GetPrimarySignatureOrNullAsync(context);
if (signature == null)
{
throw new MissingRepositorySignatureException(
$"Package {context.Package.Id} {context.Package.Version} is unsigned",
MissingRepositorySignatureReason.Unsigned);
}
// The repository signature can be the primary signature or the author signature's countersignature.
IRepositorySignature repositorySignature = null;
switch (signature.Type)
{
case SignatureType.Repository:
repositorySignature = (RepositoryPrimarySignature)signature;
break;
case SignatureType.Author:
repositorySignature = RepositoryCountersignature.GetRepositoryCountersignature(signature);
if (repositorySignature == null)
{
throw new MissingRepositorySignatureException(
$"Package {context.Package.Id} {context.Package.Version} is author signed but not repository signed",
MissingRepositorySignatureReason.AuthorSignedNoRepositoryCountersignature);
}
break;
default:
case SignatureType.Unknown:
throw new MissingRepositorySignatureException(
$"Package {context.Package.Id} {context.Package.Version} has an unknown signature type '{signature.Type}'",
MissingRepositorySignatureReason.UnknownSignature);
}
Logger.LogInformation(
"Package {PackageId} {PackageVersion} has a repository signature with service index {ServiceIndex} and owners {Owners}",
context.Package.Id,
context.Package.Version,
repositorySignature.V3ServiceIndexUrl,
repositorySignature.PackageOwners);
}
public void GetRepositoryCountersignature_WithRepositoryCountersignatureWithInvalidPackageOwners_Throws()
{
using (var test = new Test(_fixture))
{
test.CreateValidAuthorPrimarySignature();
// Generate countersignature
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateCommitmentTypeIndication(SignatureType.Repository));
var invalidPackageOwnersBytes = DerEncoder.ConstructSequence(
(new List <string> {
"", " "
}).Select(packageOwner => DerEncoder.SegmentedEncodeUtf8String(packageOwner.ToCharArray())));
var invalidPackageOwners = new System.Security.Cryptography.CryptographicAttributeObject(
new System.Security.Cryptography.Oid(Oids.NuGetPackageOwners),
new System.Security.Cryptography.AsnEncodedDataCollection(new System.Security.Cryptography.AsnEncodedData(Oids.NuGetPackageOwners, invalidPackageOwnersBytes)));
test.CounterCmsSigner.SignedAttributes.Add(
invalidPackageOwners);
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateNuGetV3ServiceIndexUrl(new Uri("https://api.nuget.org/v3/index.json")));
test.CounterCmsSigner.SignedAttributes.Add(
new Pkcs9SigningTime());
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateSigningCertificateV2(test.Certificate, HashAlgorithmName.SHA256));
// Create counter signature
test.PrimarySignedCms.SignerInfos[0].ComputeCounterSignature(test.CounterCmsSigner);
// Load primary signature
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var exception = Assert.Throws <SignatureException>(
() => RepositoryCountersignature.GetRepositoryCountersignature(primarySignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("The nuget-package-owners attribute is invalid.", exception.Message);
}
}
public static Task <PrimarySignature> TimestampSignature(ITimestampProvider timestampProvider, PrimarySignature primarySignature, HashAlgorithmName hashAlgorithm, SignaturePlacement target, ILogger logger)
{
Signature signatureToTimestamp = primarySignature;
if (target == SignaturePlacement.Countersignature)
{
signatureToTimestamp = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
}
var signatureValue = signatureToTimestamp.GetSignatureValue();
var messageHash = hashAlgorithm.ComputeHash(signatureValue);
var timestampRequest = new TimestampRequest(
SigningSpecifications.V1,
messageHash,
hashAlgorithm,
target);
return(timestampProvider.TimestampSignatureAsync(primarySignature, timestampRequest, logger, CancellationToken.None));
}
public void GetRepositoryCountersignature_WithRepositoryCountersignatureWithInvalidV3ServiceIndexUrl_Throws()
{
using (var test = new Test(_fixture))
{
test.CreateValidAuthorPrimarySignature();
// Generate countersignature
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateCommitmentTypeIndication(SignatureType.Repository));
var invalidV3ServiceIndexBytes = DerEncoder.SegmentedEncodeIA5String("notAValidUri".ToCharArray())
.SelectMany(x => x)
.ToArray();
var invalidV3ServiceIndex = new System.Security.Cryptography.CryptographicAttributeObject(
new System.Security.Cryptography.Oid(Oids.NuGetV3ServiceIndexUrl),
new System.Security.Cryptography.AsnEncodedDataCollection(new System.Security.Cryptography.AsnEncodedData(Oids.NuGetV3ServiceIndexUrl, invalidV3ServiceIndexBytes)));
test.CounterCmsSigner.SignedAttributes.Add(
invalidV3ServiceIndex);
test.CounterCmsSigner.SignedAttributes.Add(
new Pkcs9SigningTime());
test.CounterCmsSigner.SignedAttributes.Add(
AttributeUtility.CreateSigningCertificateV2(test.Certificate, HashAlgorithmName.SHA256));
// Create counter signature
test.PrimarySignedCms.SignerInfos[0].ComputeCounterSignature(test.CounterCmsSigner);
// Load primary signature
var primarySignature = PrimarySignature.Load(test.PrimarySignedCms.Encode());
// Validate countersignature
var exception = Assert.Throws <SignatureException>(
() => RepositoryCountersignature.GetRepositoryCountersignature(primarySignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("The nuget-v3-service-index-url attribute is invalid.", exception.Message);
}
}
/// <summary>
/// Adds a trusted signer item to the settings based a signed package.
/// </summary>
/// <param name="name">Name of the trusted signer.</param>
/// <param name="package">Package to read signature from.</param>
/// <param name="trustTarget">Signature to trust from package.</param>
/// <param name="allowUntrustedRoot">Specifies if allowUntrustedRoot should be set to true.</param>
/// <param name="owners">Trusted owners that should be set when trusting a repository.</param>
/// <param name="token">Cancellation token for async request</param>
public async Task AddTrustedSignerAsync(string name, ISignedPackageReader package, VerificationTarget trustTarget, bool allowUntrustedRoot, IEnumerable <string> owners, CancellationToken token)
{
if (package == null)
{
throw new ArgumentNullException(nameof(package));
}
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException(Strings.ArgumentCannotBeNullOrEmpty, nameof(name));
}
if (!Enum.IsDefined(typeof(VerificationTarget), trustTarget) || (trustTarget != VerificationTarget.Repository && trustTarget != VerificationTarget.Author))
{
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Strings.Error_UnsupportedTrustTarget, trustTarget.ToString()));
}
if (trustTarget == VerificationTarget.Author && owners != null && owners.Any())
{
throw new ArgumentException(Strings.Error_TrustedAuthorNoOwners);
}
token.ThrowIfCancellationRequested();
string v3ServiceIndex = null;
IRepositorySignature repositorySignature = null;
var trustingRepository = trustTarget.HasFlag(VerificationTarget.Repository);
var primarySignature = await package.GetPrimarySignatureAsync(token);
if (primarySignature == null)
{
throw new InvalidOperationException(Strings.Error_PackageNotSigned);
}
if (trustingRepository)
{
if (primarySignature.Type == SignatureType.Repository)
{
repositorySignature = primarySignature as RepositoryPrimarySignature;
}
else
{
var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
repositorySignature = countersignature ?? throw new InvalidOperationException(Strings.Error_RepoTrustExpectedRepoSignature);
}
v3ServiceIndex = repositorySignature.V3ServiceIndexUrl.AbsoluteUri;
}
ValidateNoExistingSigner(name, v3ServiceIndex, trustingRepository);
if (trustingRepository)
{
var certificateItem = GetCertificateItemForSignature(repositorySignature, allowUntrustedRoot);
_trustedSignersProvider.AddOrUpdateTrustedSigner(new RepositoryItem(name, v3ServiceIndex, CreateOwnersList(owners), certificateItem));
await _logger.LogAsync(LogLevel.Information, string.Format(CultureInfo.CurrentCulture, Strings.SuccessfullyAddedTrustedRepository, name));
}
else
{
if (primarySignature.Type != SignatureType.Author)
{
throw new InvalidOperationException(Strings.Error_AuthorTrustExpectedAuthorSignature);
}
var certificateItem = GetCertificateItemForSignature(primarySignature, allowUntrustedRoot);
_trustedSignersProvider.AddOrUpdateTrustedSigner(new AuthorItem(name, certificateItem));
await _logger.LogAsync(LogLevel.Information, string.Format(CultureInfo.CurrentCulture, Strings.SuccessfullyAddedTrustedAuthor, name));
}
}
private static ExtractedCertificates ExtractRepositoryCountersignatureCertificates(
Context context,
RepositoryCountersignature repositoryCountersignature)
{
return(ExtractCertificates(context, repositoryCountersignature));
}
