public async Task GetCertificateChain_WithUnknownSignature_ReturnsCertificatesAsync()
{
using (var directory = TestDirectory.Create())
using (var certificate = _fixture.GetDefaultCertificate())
{
var packageContext = new SimpleTestPackageContext();
var unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
var signature = await packageReader.GetPrimarySignatureAsync(CancellationToken.None);
using (var certificates = SignatureUtility.GetCertificateChain(signature))
{
Assert.Equal(1, certificates.Count);
Assert.Equal(certificate.RawData, certificates[0].RawData);
}
}
}
}
public async Task MSSignCommand_ResignPackageWithOverwriteSuccessAsync()
{
var package = new SimpleTestPackageContext();
// Arrange
using (var test = new MSSignCommandTestContext(_trustedTestCertWithPrivateKey.TrustedCert))
{
var unsignedPackageFile = await package.CreateAsFileAsync(test.Directory, Guid.NewGuid().ToString());
var command = $"mssign {unsignedPackageFile} -CertificateFile {test.CertificatePath} -CSPName \"{test.CertificateCSPName}\" -KeyContainer \"{test.CertificateKeyContainer}\" -CertificateFingerprint {test.Cert.Thumbprint}";
var commandWithOverwrite = $"mssign {unsignedPackageFile} -CertificateFile {test.CertificatePath} -CSPName \"{test.CertificateCSPName}\" -KeyContainer \"{test.CertificateKeyContainer}\" -CertificateFingerprint {test.Cert.Thumbprint} -Overwrite";
var result = CommandRunner.Run(
_nugetExePath,
test.Directory,
command,
waitForExit: true);
result.Success.Should().BeTrue();
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
result = CommandRunner.Run(
_nugetExePath,
test.Directory,
commandWithOverwrite,
waitForExit: true);
result.Success.Should().BeTrue();
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task MSSignCommand_ResignPackageWithoutOverwriteFailsAsync()
{
var package = new SimpleTestPackageContext();
// Arrange
using (var test = new MSSignCommandTestContext(_trustedTestCertWithPrivateKey.TrustedCert))
{
var unsignedPackageFile = await package.CreateAsFileAsync(test.Directory, Guid.NewGuid().ToString());
var command = $"mssign {unsignedPackageFile} -CertificateFile {test.CertificatePath} -CSPName \"{test.CertificateCSPName}\" -KeyContainer \"{test.CertificateKeyContainer}\" -CertificateFingerprint {test.Cert.Thumbprint}";
var result = CommandRunner.Run(
_nugetExePath,
test.Directory,
command,
waitForExit: true);
result.Success.Should().BeTrue();
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
result = CommandRunner.Run(
_nugetExePath,
test.Directory,
command,
waitForExit: true);
result.Success.Should().BeFalse();
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
result.Errors.Should().Contain("NU3001: The package already contains a signature. Please remove the existing signature before adding a new signature.");
}
}
public async Task ReposignCommand_Countersign_AuthorSignedPackage_WithTimestampAsync()
{
var package = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
// Arrange
using (var test = new MSSignCommandTestContext(_trustedTestCertWithPrivateKey.TrustedCert))
{
var unsignedPackageFile = await package.CreateAsFileAsync(test.Directory, Guid.NewGuid().ToString());
var authorSignCommand = $"mssign {unsignedPackageFile} -Timestamper {timestampService.Url} -CertificateFile {test.CertificatePath} -CSPName \"{test.CertificateCSPName}\" -KeyContainer \"{test.CertificateKeyContainer}\" -CertificateFingerprint {test.Cert.Thumbprint}";
var repoSignCommand = $"reposign {unsignedPackageFile} -Timestamper {timestampService.Url} -CertificateFile {test.CertificatePath} -CSPName \"{test.CertificateCSPName}\" -KeyContainer \"{test.CertificateKeyContainer}\" -CertificateFingerprint {test.Cert.Thumbprint} -V3ServiceIndexUrl https://v3serviceIndex.test/api/index.json";
var result = CommandRunner.Run(
_nugetExePath,
test.Directory,
authorSignCommand,
waitForExit: true);
result.Success.Should().BeTrue();
result.AllOutput.Should().NotContain(_noTimestamperWarningCode);
result = CommandRunner.Run(
_nugetExePath,
test.Directory,
repoSignCommand,
waitForExit: true);
result.Success.Should().BeTrue();
result.AllOutput.Should().NotContain(_noTimestamperWarningCode);
}
}
public async Task ReposignCommand_Countersign_RepositorySignedPackage_FailAsync()
{
var package = new SimpleTestPackageContext();
// Arrange
using (var test = new MSSignCommandTestContext(_trustedTestCertWithPrivateKey.TrustedCert))
{
var unsignedPackageFile = await package.CreateAsFileAsync(test.Directory, Guid.NewGuid().ToString());
var command = $"reposign {unsignedPackageFile} -CertificateFile {test.CertificatePath} -CSPName \"{test.CertificateCSPName}\" -KeyContainer \"{test.CertificateKeyContainer}\" -CertificateFingerprint {test.Cert.Thumbprint} -V3ServiceIndexUrl https://v3serviceIndex.test/api/index.json";
var result = CommandRunner.Run(
_nugetExePath,
test.Directory,
command,
waitForExit: true);
result.Success.Should().BeTrue();
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
result = CommandRunner.Run(
_nugetExePath,
test.Directory,
command,
waitForExit: true);
result.Success.Should().BeFalse();
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
result.Errors.Should().Contain("NU3033: A repository primary signature must not have a repository countersignature.");
}
}
internal static async Task <Test> CreateAsync(X509Certificate2 certificate)
{
var dir = TestDirectory.Create();
var packageContext = new SimpleTestPackageContext();
var packageFileName = Guid.NewGuid().ToString();
var package = await packageContext.CreateAsFileAsync(dir, packageFileName);
return(new Test(certificate, dir, package));
}
public async Task VerifySignaturesAsync_WithBasicSignedCms_SucceedsAsync()
{
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExistsAndIsNecessary,
revocationMode: RevocationMode.Online);
using (TestDirectory directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageContext = new SimpleTestPackageContext();
FileInfo unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
FileInfo signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
Assert.Equal(1, result.Results.Count);
var signedPackageVerificationResult = (SignedPackageVerificationResult)result.Results[0];
SignerInfo signer = signedPackageVerificationResult.Signature.SignedCms.SignerInfos[0];
Assert.Equal(0, signer.SignedAttributes.Count);
Assert.Equal(0, signer.UnsignedAttributes.Count);
Assert.Equal(0, resultsWithErrors.Count());
Assert.Equal(0, totalErrorIssues.Count());
}
}
}
public async Task VerifySignaturesAsync_WithBasicSignedCms_SucceedsAsync()
{
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: false,
allowNoClientCertificateList: true,
allowNoRepositoryCertificateList: true,
alwaysVerifyCountersignature: false);
using (var directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageContext = new SimpleTestPackageContext();
var unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
var result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
Assert.Equal(1, result.Results.Count);
var signedPackageVerificationResult = (SignedPackageVerificationResult)result.Results[0];
var signer = signedPackageVerificationResult.Signature.SignedCms.SignerInfos[0];
Assert.Equal(0, signer.SignedAttributes.Count);
Assert.Equal(0, signer.UnsignedAttributes.Count);
Assert.Equal(0, resultsWithErrors.Count());
Assert.Equal(0, totalErrorIssues.Count());
}
}
}
internal static async Task <VerifyTest> CreateAsync(SignatureVerifySettings settings, X509Certificate2 certificate)
{
using (var certificateClone = new X509Certificate2(certificate))
{
var directory = TestDirectory.Create();
var packageContext = new SimpleTestPackageContext();
var unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "package.nupkg");
var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificateClone);
var package = new SignedPackageArchive(signedPackageFile.OpenRead(), new MemoryStream());
var primarySignature = await package.GetPrimarySignatureAsync(CancellationToken.None);
return(new VerifyTest(directory, package, primarySignature, settings));
}
}
public async Task SignCommand_SignPackageWithUntrustedSelfIssuedCertificateInCertificateStoreAsync()
{
using (var directory = TestDirectory.Create())
{
var packageContext = new SimpleTestPackageContext();
var packageFile = await packageContext.CreateAsFileAsync(directory, fileName : Guid.NewGuid().ToString());
using (var certificate = _testFixture.UntrustedSelfIssuedCertificateInCertificateStore)
{
var result = CommandRunner.Run(
_nugetExePath,
directory,
$"sign {packageFile.FullName} -CertificateFingerprint {certificate.Thumbprint}",
waitForExit: true);
Assert.True(result.Success);
Assert.Contains(_noTimestamperWarningCode, result.AllOutput);
}
}
}
public async Task SignCommand_SignPackageWithUnsuportedTimestampHashAlgorithm_ShouldNotModifyPackageAsync()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SignatureHashAlgorithm = new Oid(Oids.Sha1)
};
var timestampService = TimestampService.Create(certificateAuthority, options);
using (testServer.RegisterResponder(timestampService))
using (var directory = TestDirectory.Create())
{
var packageContext = new SimpleTestPackageContext();
var packageFile = await packageContext.CreateAsFileAsync(directory, fileName : Guid.NewGuid().ToString());
var originalFile = File.ReadAllBytes(packageFile.FullName);
using (var certificate = _testFixture.UntrustedSelfIssuedCertificateInCertificateStore)
{
var result = CommandRunner.Run(
_nugetExePath,
directory,
$"sign {packageFile.FullName} -CertificateFingerprint {certificate.Thumbprint} -Timestamper {timestampService.Url}",
waitForExit: true);
Assert.False(result.Success);
Assert.Contains(_timestampUnsupportedHashAlgorithmCode, result.AllOutput);
Assert.Contains("The timestamp response has an unsupported digest algorithm (SHA1). The following algorithms are supported: SHA256, SHA384, SHA512.", result.AllOutput);
var resultingFile = File.ReadAllBytes(packageFile.FullName);
Assert.Equal(resultingFile, originalFile);
}
}
}