private static async Task <List <SignatureLog> > VerifyUnavailableRevocationInfo(
SignatureVerificationStatus expectedStatus,
LogLevel expectedLogLevel,
SignedPackageVerifierSettings setting)
{
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var nupkgStream = new MemoryStream(GetResource("UnavailableCrlPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
// Read a signature that is valid in every way except that the CRL information is unavailable.
var signature = await package.GetSignatureAsync(CancellationToken.None);
var rootCertificate = SignatureUtility.GetPrimarySignatureCertificates(signature).Last();
// Trust the root CA of the signing certificate.
using (var testCertificate = TrustedTestCert.Create(
rootCertificate,
StoreName.Root,
StoreLocation.LocalMachine,
maximumValidityPeriod: TimeSpan.MaxValue))
{
// Act
var result = await verificationProvider.GetTrustResultAsync(package, signature, setting, CancellationToken.None);
// Assert
Assert.Equal(expectedStatus, result.Trust);
return(result
.Issues
.Where(x => x.Level >= expectedLogLevel)
.OrderBy(x => x.Message)
.ToList());
}
}
}
private async Task <CertificateAuthority> CreateDefaultTrustedCertificateAuthorityAsync()
{
var testServer = await _testServer.Value;
var rootCa = CertificateAuthority.Create(testServer.Url);
var intermediateCa = rootCa.CreateIntermediateCertificateAuthority();
var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded());
StoreLocation storeLocation = CertificateStoreUtilities.GetTrustedCertificateStoreLocation();
_trustedTimestampRoot = TrustedTestCert.Create(
rootCertificate,
StoreName.Root,
storeLocation);
var ca = intermediateCa;
while (ca != null)
{
_responders.Add(testServer.RegisterResponder(ca));
_responders.Add(testServer.RegisterResponder(ca.OcspResponder));
ca = ca.Parent;
}
return(intermediateCa);
}
public CertificatesFixture()
{
_defaultCertificate = SigningTestUtility.GenerateCertificate("test", generator => { });
X509Certificate2 _defaultCertificateForTrust = SigningTestUtility.GenerateCertificate("test trusted", generator => { });
_trustedDefaultCertificate = TrustedTestCert.Create(
new X509Certificate2(_defaultCertificateForTrust),
StoreName.My,
StoreLocation.CurrentUser);
}
private CertificateAuthority CreateOfflineRevocationCA(ISigningTestServer testServer, DisposableList <IDisposable> responders)
{
var rootCa = CertificateAuthority.Create(testServer.Url);
var intermediateCa = rootCa.CreateIntermediateCertificateAuthority();
var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded());
var trustedServerRoot = TrustedTestCert.Create(
rootCertificate,
StoreName.Root,
StoreLocation.LocalMachine);
var ca = intermediateCa;
while (ca != null)
{
responders.Add(testServer.RegisterResponder(ca));
ca = ca.Parent;
}
return(intermediateCa);
}
public async Task Timestamp_Verify_WithOfflineRevocation_ReturnsCorrectFlagsAndLogsAsync()
{
var nupkg = new SimpleTestPackageContext();
using (var testServer = await SigningTestServer.CreateAsync())
using (var responders = new DisposableList <IDisposable>())
using (var packageStream = await nupkg.CreateAsStreamAsync())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
CertificateAuthority rootCa = CertificateAuthority.Create(testServer.Url);
CertificateAuthority intermediateCa = rootCa.CreateIntermediateCertificateAuthority();
responders.Add(testServer.RegisterResponder(intermediateCa));
responders.Add(testServer.RegisterResponder(rootCa));
using (var trustedServerRoot = TrustedTestCert.Create(
new X509Certificate2(rootCa.Certificate.GetEncoded()),
StoreName.Root,
StoreLocation.LocalMachine))
{
var timestampService = TimestampService.Create(intermediateCa);
responders.Add(testServer.RegisterResponder(timestampService));
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
AuthorPrimarySignature signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(testCertificate, packageStream, timestampProvider);
var timestamp = signature.Timestamps.First();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowUntrusted: false,
allowIllegal: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: false,
allowNoTimestamp: false,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Always,
revocationMode: RevocationMode.Online);
var logs = new List <SignatureLog>();
var result = timestamp.Verify(signature, settings, HashAlgorithmName.SHA256, logs);
result.HasFlag(SignatureVerificationStatusFlags.UnknownRevocation).Should().BeTrue();
var errors = logs.Where(l => l.Level == LogLevel.Error);
errors.Count().Should().Be(RuntimeEnvironmentHelper.IsWindows ? 2 : 1);
if (RuntimeEnvironmentHelper.IsWindows)
{
errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("The revocation function was unable to check revocation because the revocation server could not be reached."));
errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("The revocation function was unable to check revocation for the certificate."));
}
else
{
errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("unable to get certificate CRL"));
}
}
}
}