public void CannotCreateNonRevokedResultWithRevocationDate(EndCertificateStatus status, X509ChainStatusFlags flags)
{
var exception = Assert.Throws <ArgumentException>(
() => CreateResult()
.WithStatus(status)
.WithStatusFlags(flags)
.WithRevocationTime(new DateTime(2000, 1, 2))
.Build());
Assert.StartsWith($"End certificate revoked at 1/2/2000 12:00:00 AM but status is {status}", exception.Message);
}
private static object[] ValidateSigningCertificateArguments(
Func <CertificateIntegrationTestFixture, Task <X509Certificate2> > createCertificateFunc,
DateTime signatureTime,
EndCertificateStatus expectedCertificateStatus,
PackageSignatureStatus expectedStatusForSignatureAtIngestion,
PackageSignatureStatus expectedStatusForSignatureInGracePeriod,
PackageSignatureStatus expectedStatusForSignatureAfterGracePeriod)
{
return(new object[]
{
createCertificateFunc,
signatureTime,
expectedCertificateStatus,
expectedStatusForSignatureAtIngestion,
expectedStatusForSignatureInGracePeriod,
expectedStatusForSignatureAfterGracePeriod,
});
}
public async Task ValidateSigningCertificate(
Func <CertificateIntegrationTestFixture, Task <X509Certificate2> > createCertificateFunc,
DateTime signatureTime,
EndCertificateStatus expectedCertificateStatus,
PackageSignatureStatus expectedStatusForSignatureAtIngestion,
PackageSignatureStatus expectedStatusForSignatureInGracePeriod,
PackageSignatureStatus expectedStatusForSignatureAfterGracePeriod)
{
// Arrange
var certificate = await createCertificateFunc(_fixture);
var endCertificateKey = 123;
var validationId = Guid.NewGuid();
var packageSigningState1 = new PackageSigningState {
SigningStatus = PackageSigningStatus.Valid
};
var packageSigningState2 = new PackageSigningState {
SigningStatus = PackageSigningStatus.Valid
};
var packageSigningState3 = new PackageSigningState {
SigningStatus = PackageSigningStatus.Valid
};
var signatureAtIngestion = new PackageSignature
{
Status = PackageSignatureStatus.Unknown,
Type = PackageSignatureType.Author,
};
var signatureInGracePeriod = new PackageSignature
{
Status = PackageSignatureStatus.InGracePeriod,
Type = PackageSignatureType.Author,
};
var signatureAfterGracePeriod = new PackageSignature
{
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};
var trustedTimestamp1 = new TrustedTimestamp {
Status = TrustedTimestampStatus.Valid, Value = signatureTime
};
var trustedTimestamp2 = new TrustedTimestamp {
Status = TrustedTimestampStatus.Valid, Value = signatureTime
};
var trustedTimestamp3 = new TrustedTimestamp {
Status = TrustedTimestampStatus.Valid, Value = signatureTime
};
var endCertificate = new EndCertificate
{
Key = endCertificateKey,
Status = EndCertificateStatus.Unknown,
Use = EndCertificateUse.CodeSigning,
CertificateChainLinks = new CertificateChainLink[0],
};
var validation = new EndCertificateValidation
{
EndCertificateKey = endCertificateKey,
ValidationId = validationId,
Status = null,
EndCertificate = endCertificate
};
signatureAtIngestion.PackageSigningState = packageSigningState1;
signatureAtIngestion.EndCertificate = endCertificate;
signatureAtIngestion.TrustedTimestamps = new[] { trustedTimestamp1 };
signatureInGracePeriod.PackageSigningState = packageSigningState2;
signatureInGracePeriod.EndCertificate = endCertificate;
signatureInGracePeriod.TrustedTimestamps = new[] { trustedTimestamp2 };
signatureAfterGracePeriod.PackageSigningState = packageSigningState3;
signatureAfterGracePeriod.EndCertificate = endCertificate;
signatureAfterGracePeriod.TrustedTimestamps = new[] { trustedTimestamp3 };
_context.Mock(
packageSignatures: new[] { signatureAtIngestion, signatureInGracePeriod, signatureAfterGracePeriod },
endCertificates: new[] { endCertificate },
certificateValidations: new EndCertificateValidation[] { validation });
_certificateStore.Setup(s => s.LoadAsync(It.IsAny <string>(), It.IsAny <CancellationToken>()))
.Returns(Task.FromResult(certificate));
// Act
await _target.HandleAsync(new CertificateValidationMessage(certificateKey : endCertificateKey, validationId : validationId));
// Assert
Assert.Equal(expectedCertificateStatus, validation.Status);
Assert.Equal(expectedCertificateStatus, endCertificate.Status);
Assert.Equal(expectedStatusForSignatureAtIngestion, signatureAtIngestion.Status);
Assert.Equal(expectedStatusForSignatureInGracePeriod, signatureInGracePeriod.Status);
Assert.Equal(expectedStatusForSignatureAfterGracePeriod, signatureAfterGracePeriod.Status);
_context.Verify(c => c.SaveChangesAsync(), Times.Once);
}
/// <summary>
/// Create a new verification result.
/// </summary>
/// <param name="status">The determined status of the verified certificate.</param>
/// <param name="statusFlags">The flags explaining the certificate's status.</param>
/// <param name="statusUpdateTime">The time the revocation info was published.</param>
/// <param name="revocationTime">The date the certificate was revoked, if applicable.</param>
public CertificateVerificationResult(
EndCertificateStatus status,
X509ChainStatusFlags statusFlags,
DateTime?statusUpdateTime = null,
DateTime?revocationTime = null)
{
if (revocationTime.HasValue &&
status != EndCertificateStatus.Revoked &&
status != EndCertificateStatus.Invalid)
{
throw new ArgumentException(
$"End certificate revoked at {revocationTime} but status is {status}",
nameof(status));
}
switch (status)
{
case EndCertificateStatus.Good:
if (statusFlags != X509ChainStatusFlags.NoError)
{
throw new ArgumentException(
$"Invalid flags '{statusFlags}' for status '{status}'",
nameof(statusFlags));
}
break;
case EndCertificateStatus.Invalid:
if (statusFlags == X509ChainStatusFlags.NoError)
{
throw new ArgumentException(
$"Invalid flags '{statusFlags}' for status '{status}'",
nameof(statusFlags));
}
break;
case EndCertificateStatus.Revoked:
if ((statusFlags & X509ChainStatusFlags.Revoked) == 0)
{
throw new ArgumentException(
$"Invalid flags '{statusFlags}' for status '{status}'",
nameof(statusFlags));
}
break;
case EndCertificateStatus.Unknown:
if ((statusFlags & (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation)) == 0)
{
throw new ArgumentException(
$"Invalid flags '{statusFlags}' for status '{status}'",
nameof(statusFlags));
}
break;
default:
throw new ArgumentException($"Unknown status '{status}'", nameof(status));
}
Status = status;
StatusFlags = statusFlags;
StatusUpdateTime = statusUpdateTime;
RevocationTime = revocationTime;
}
public Builder WithStatus(EndCertificateStatus value)
{
_status = value;
return(this);
}
