/// <summary>
/// Registers <paramref name="timestampService"/> on <paramref name="testServer"/>, builds a
/// SHA-256 RFC 3161 timestamp request for a freshly generated primary signature over the
/// literal content "peach", and hands the provider and request to
/// <paramref name="verifyTimestampData"/> for assertions. The responder and the certificate
/// copy are released when the callback returns.
/// </summary>
/// <param name="testServer">Test server that answers timestamp requests for the duration of the call.</param>
/// <param name="timestampService">Service registered as the responder; its URL is given to the provider.</param>
/// <param name="verifyTimestampData">Callback receiving the provider and the request to verify.</param>
private void VerifyTimestampData(
    ISigningTestServer testServer,
    TimestampService timestampService,
    Action<Rfc3161TimestampProvider, TimestampRequest> verifyTimestampData)
{
    using (testServer.RegisterResponder(timestampService))
    {
        var provider = new Rfc3161TimestampProvider(timestampService.Url);

        using (var signingCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
        {
            // The same algorithm is used for the content hash and for the timestamp message imprint.
            var hashAlgorithm = Common.HashAlgorithmName.SHA256;
            var signatureContent = new SignatureContent(SigningSpecifications.V1, hashAlgorithm, "peach");
            var signedCms = SigningTestUtility.GenerateSignedCms(signingCertificate, signatureContent.GetBytes());
            var primarySignature = PrimarySignature.Load(signedCms.Encode());

            // The imprint sent to the TSA is the hash of the signature value, not of the content.
            var messageImprint = hashAlgorithm.ComputeHash(primarySignature.GetSignatureValue());
            var timestampRequest = new TimestampRequest(
                SigningSpecifications.V1,
                messageImprint,
                hashAlgorithm,
                SignaturePlacement.PrimarySignature);

            verifyTimestampData(provider, timestampRequest);
        }
    }
}
/// <summary>
/// Signs a package with a timestamp whose TSA signature carries neither the
/// signing-certificate nor the signing-certificate-v2 attribute, then asserts that the verify
/// command rejects it with the message naming the missing attribute and never reports success.
/// </summary>
public async Task GetTimestampCertificateChain_WithNoSigningCertificateUsage_Throws()
{
    // Arrange: a timestamp service that omits both ESSCertID attributes.
    ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
    CertificateAuthority rootCa = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
    var serviceOptions = new TimestampServiceOptions()
    {
        SigningCertificateUsage = SigningCertificateUsage.None
    };
    TimestampService timestampService = TimestampService.Create(rootCa, serviceOptions);

    using (testServer.RegisterResponder(timestampService))
    {
        var packageContext = new SimpleTestPackageContext();

        using (var authorCertificate = new X509Certificate2(_testFixture.TrustedTestCertificate.Source.Cert))
        using (TestDirectory workingDirectory = TestDirectory.Create())
        {
            string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                authorCertificate,
                packageContext,
                workingDirectory,
                timestampService.Url);

            // Act
            CommandRunnerResult verifyResult = RunVerifyCommand(signedPackagePath);

            // Assert: verification fails because the timestamp cannot be bound to a TSA certificate.
            verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
            verifyResult.AllOutput.Should().Contain("Either the signing-certificate or signing-certificate-v2 attribute must be present.");
            verifyResult.AllOutput.Should().NotContain(_successfullyVerified);
        }
    }
}
/// <summary>
/// Registers <paramref name="timestampService"/> on <paramref name="testServer"/>, builds a
/// timestamp request (V1 signing spec, SHA-256) whose signature is a freshly generated
/// signed CMS over the UTF-8 bytes of "peach", and hands the provider and request to
/// <paramref name="verifyTimestampData"/> for assertions.
/// </summary>
/// <param name="testServer">Test server that answers timestamp requests for the duration of the call.</param>
/// <param name="timestampService">Service registered as the responder; its URL is given to the provider.</param>
/// <param name="verifyTimestampData">Callback receiving the provider and the request to verify.</param>
private void VerifyTimestampData(
    ISigningTestServer testServer,
    TimestampService timestampService,
    Action<Rfc3161TimestampProvider, TimestampRequest> verifyTimestampData)
{
    using (testServer.RegisterResponder(timestampService))
    {
        var provider = new Rfc3161TimestampProvider(timestampService.Url);

        using (var signingCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
        {
            byte[] payload = Encoding.UTF8.GetBytes("peach");
            var signedCms = SigningTestUtility.GenerateSignedCms(signingCertificate, payload);

            var timestampRequest = new TimestampRequest()
            {
                SigningSpec = SigningSpecifications.V1,
                TimestampHashAlgorithm = Common.HashAlgorithmName.SHA256,
                Signature = signedCms.Encode()
            };

            verifyTimestampData(provider, timestampRequest);
        }
    }
}
/// <summary>
/// Registers the CA and/or OCSP responders for <paramref name="ca"/> and every ancestor
/// reached through <c>Parent</c>, in leaf-to-root order.
/// </summary>
/// <param name="testServer">Server on which the responders are registered.</param>
/// <param name="ca">Starting CA; its parents are walked until <c>Parent</c> is null.</param>
/// <param name="addCa">Register each CA's certificate responder.</param>
/// <param name="addOcsp">Register each CA's OCSP responder.</param>
/// <returns>All registrations, in registration order, for disposal by the caller.</returns>
public static DisposableList<IDisposable> RegisterResponders(
    this ISigningTestServer testServer,
    CertificateAuthority ca,
    bool addCa = true,
    bool addOcsp = true)
{
    var registrations = new DisposableList<IDisposable>();

    for (CertificateAuthority node = ca; node != null; node = node.Parent)
    {
        if (addCa)
        {
            registrations.Add(testServer.RegisterResponder(node));
        }

        if (addOcsp)
        {
            registrations.Add(testServer.RegisterResponder(node.OcspResponder));
        }
    }

    return registrations;
}
/// <summary>
/// Signs a package with a certificate valid for only a few seconds, timestamps it with a TSA
/// whose declared accuracy is ±30 seconds, waits for the certificate to expire, and asserts that
/// verification is disallowed with exactly one NU3037 error ("validity period has expired.")
/// and no warnings. A timestamp accuracy window wider than the certificate's lifetime cannot
/// prove the signature was made while the certificate was valid.
/// </summary>
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync()
{
    ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
    CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();

    // TSA accuracy of 30 s — larger than the 12 s validity window of the signing certificate below.
    var thirtySecondAccuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
    var serviceOptions = new TimestampServiceOptions() { Accuracy = thirtySecondAccuracy };
    TimestampService timestampService = TimestampService.Create(ca, serviceOptions);

    AsymmetricCipherKeyPair signingKeyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
    DateTimeOffset utcNow = DateTimeOffset.UtcNow;
    var issueOptions = new IssueCertificateOptions()
    {
        KeyPair = signingKeyPair,
        NotAfter = utcNow.AddSeconds(10),
        NotBefore = utcNow.AddSeconds(-2),
        SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
    };
    BcX509Certificate shortLivedCertificate = ca.IssueCertificate(issueOptions);

    using (testServer.RegisterResponder(timestampService))
    using (TestDirectory workingDirectory = TestDirectory.Create())
    using (X509Certificate2 signingCertificate = CertificateUtilities.GetCertificateWithPrivateKey(shortLivedCertificate, signingKeyPair))
    {
        var packageContext = new SimpleTestPackageContext();
        string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
            signingCertificate,
            packageContext,
            workingDirectory,
            timestampService.Url);

        // Verification must happen after NotAfter for the expiry path to be exercised.
        await SignatureTestUtility.WaitForCertificateExpirationAsync(signingCertificate);

        var verifier = new PackageSignatureVerifier(_trustProviders);

        using (var packageReader = new PackageArchiveReader(signedPackagePath))
        {
            VerifySignaturesResult verification = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
            PackageVerificationResult signatureResult = verification.Results.Single();

            Assert.False(verification.IsValid);
            Assert.Equal(SignatureVerificationStatus.Disallowed, signatureResult.Trust);

            var errorCount = signatureResult.Issues.Count(issue => issue.Level == LogLevel.Error);
            var warningCount = signatureResult.Issues.Count(issue => issue.Level == LogLevel.Warning);
            Assert.Equal(1, errorCount);
            Assert.Equal(0, warningCount);

            Assert.Contains(
                signatureResult.Issues,
                issue => issue.Code == NuGetLogCode.NU3037
                    && issue.Level == LogLevel.Error
                    && issue.Message.Contains("validity period has expired."));
        }
    }
}
/// <summary>
/// Signs a package with a TSA whose ESSCertID carries a zero-filled, correctly sized (SHA-1
/// length) certificate hash that matches no certificate, and asserts that
/// <see cref="SignatureUtility.GetTimestampCertificateChain"/> still returns the chain the
/// service was built from, certificate for certificate. Only the hash length, not its
/// value, gates chain extraction in this case.
/// </summary>
/// <param name="signingCertificateUsage">Which ESSCertID attribute variant the TSA emits.</param>
public async Task GetTimestampCertificateChain_WithMismatchedEssCertIdCertificateHash_ReturnsChain(
    SigningCertificateUsage signingCertificateUsage)
{
    ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
    CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();

    // Right length, wrong content: an all-zero SHA-1-sized hash.
    var serviceOptions = new TimestampServiceOptions()
    {
        SigningCertificateUsage = signingCertificateUsage,
        SigningCertificateV1Hash = new byte[SHA1HashLength]
    };
    TimestampService timestampService = TimestampService.Create(rootCa, serviceOptions);

    using (testServer.RegisterResponder(timestampService))
    {
        var packageContext = new SimpleTestPackageContext();

        using (var authorCertificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
        using (var workingDirectory = TestDirectory.Create())
        {
            var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                authorCertificate,
                packageContext,
                workingDirectory,
                timestampService.Url);

            using (FileStream packageStream = File.OpenRead(signedPackagePath))
            using (var packageReader = new PackageArchiveReader(packageStream))
            {
                PrimarySignature primarySignature = await packageReader.GetPrimarySignatureAsync(CancellationToken.None);

                using (IX509CertificateChain actualChain = SignatureUtility.GetTimestampCertificateChain(primarySignature))
                {
                    Assert.NotEmpty(actualChain);

                    IReadOnlyList<Org.BouncyCastle.X509.X509Certificate> expectedChain = GetExpectedCertificateChain(timestampService);

                    Assert.Equal(expectedChain.Count, actualChain.Count);

                    // Compare DER encodings position by position so a mismatch names the offending index.
                    for (var index = 0; index < expectedChain.Count; ++index)
                    {
                        byte[] expectedEncoded = expectedChain[index].GetEncoded();
                        byte[] actualEncoded = actualChain[index].RawData;

                        Assert.True(
                            expectedEncoded.SequenceEqual(actualEncoded),
                            $"The certificate at index {index} in the chain is unexpected.");
                    }
                }
            }
        }
    }
}
/// <summary>
/// Walks from <paramref name="ca"/> up through every <c>Parent</c> and registers the responders
/// selected by <paramref name="addCa"/> / <paramref name="addOcsp"/> for each CA via
/// <c>RegisterResponders</c>.
/// </summary>
/// <param name="testServer">Server on which the responders are registered.</param>
/// <param name="ca">Starting CA; the walk stops when <c>Parent</c> is null.</param>
/// <param name="addCa">Register each CA's certificate responder.</param>
/// <param name="addOcsp">Register each CA's OCSP responder.</param>
/// <returns>All registrations, leaf-to-root, for disposal by the caller.</returns>
public static DisposableList<IDisposable> RegisterRespondersForEntireChain(
    this ISigningTestServer testServer,
    CertificateAuthority ca,
    bool addCa = true,
    bool addOcsp = true)
{
    var registrations = new DisposableList<IDisposable>();

    for (CertificateAuthority node = ca; node != null; node = node.Parent)
    {
        registrations.AddRange(testServer.RegisterResponders(node, addCa, addOcsp));
    }

    return registrations;
}
/// <summary>
/// Registers both the certificate and the OCSP responder for the timestamp service's CA and
/// every ancestor CA, then registers the timestamp service itself last.
/// </summary>
/// <param name="testServer">Server on which the responders are registered.</param>
/// <param name="timestampService">Service whose <c>CertificateAuthority</c> chain and endpoint are registered.</param>
/// <returns>All registrations, CA chain first and the timestamp service last, for disposal by the caller.</returns>
public static DisposableList<IDisposable> RegisterDefaultResponders(
    this ISigningTestServer testServer,
    TimestampService timestampService)
{
    var registrations = new DisposableList<IDisposable>();

    for (CertificateAuthority node = timestampService.CertificateAuthority; node != null; node = node.Parent)
    {
        registrations.Add(testServer.RegisterResponder(node));
        registrations.Add(testServer.RegisterResponder(node.OcspResponder));
    }

    // The TSA endpoint is registered after its issuing chain is reachable.
    registrations.Add(testServer.RegisterResponder(timestampService));

    return registrations;
}
/// <summary>
/// Runs <c>dotnet nuget sign</c> against a TSA that signs its tokens with SHA-1 and asserts that
/// signing fails with the unsupported-digest-algorithm code and message, and that the package
/// file on disk is left byte-for-byte unchanged (no partially signed artifact is written).
/// </summary>
public async Task DotnetSign_SignPackageWithUnsuportedTimestampHashAlgorithm_FailsAsync()
{
    // Arrange
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        await SimpleTestPackageUtility.CreatePackagesAsync(
            pathContext.PackageSource,
            new SimpleTestPackageContext("PackageA", "1.0.0"));

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        byte[] bytesBeforeSigning = File.ReadAllBytes(packageFilePath);

        ISigningTestServer testServer = await _signFixture.GetSigningTestServerAsync();
        CertificateAuthority certificateAuthority = await _signFixture.GetDefaultTrustedCertificateAuthorityAsync();

        // SHA-1 is outside the set of digests the client accepts for timestamp signatures.
        var serviceOptions = new TimestampServiceOptions() { SignatureHashAlgorithm = new Oid(Oids.Sha1) };
        TimestampService timestampService = TimestampService.Create(certificateAuthority, serviceOptions);
        IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

        using (testServer.RegisterResponder(timestampService))
        {
            // Act
            string signArguments =
                $"nuget sign {packageFilePath} --certificate-fingerprint {storeCertificate.Certificate.Thumbprint} --timestamper {timestampService.Url}";
            CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
                pathContext.PackageSource,
                signArguments,
                ignoreExitCode: true);

            // Assert
            signResult.Success.Should().BeFalse(because: signResult.AllOutput);
            signResult.AllOutput.Should().Contain(_timestampUnsupportedDigestAlgorithmCode);
            Assert.Contains("The timestamp signature has an unsupported digest algorithm (SHA1). The following algorithms are supported: SHA256, SHA384, SHA512.", signResult.AllOutput);

            // A failed sign must not modify the input package.
            byte[] bytesAfterSigning = File.ReadAllBytes(packageFilePath);
            Assert.Equal(bytesAfterSigning, bytesBeforeSigning);
        }
    }
}
/// <summary>
/// Registers the selected responders for the timestamp service's whole CA chain (via
/// <c>RegisterRespondersForEntireChain</c>) and, when <paramref name="addTimestamper"/> is set,
/// the timestamp service endpoint itself.
/// </summary>
/// <param name="testServer">Server on which the responders are registered.</param>
/// <param name="timestampService">Service whose CA chain and endpoint are registered.</param>
/// <param name="addCa">Register each CA's certificate responder.</param>
/// <param name="addOcsp">Register each CA's OCSP responder.</param>
/// <param name="addTimestamper">Register the timestamp service endpoint after the chain.</param>
/// <returns>All registrations for disposal by the caller.</returns>
public static DisposableList<IDisposable> RegisterRespondersForTimestampServiceAndEntireChain(
    this ISigningTestServer testServer,
    TimestampService timestampService,
    bool addCa = true,
    bool addOcsp = true,
    bool addTimestamper = true)
{
    DisposableList<IDisposable> registrations = testServer.RegisterRespondersForEntireChain(
        timestampService.CertificateAuthority,
        addCa,
        addOcsp);

    if (!addTimestamper)
    {
        return registrations;
    }

    registrations.Add(testServer.RegisterResponder(timestampService));

    return registrations;
}
/// <summary>
/// Signs a package with a TSA whose ESSCertID certificate hash is one byte shorter than a
/// SHA-1 digest, and asserts that <see cref="SignatureUtility.GetTimestampCertificateChain"/>
/// throws a <see cref="SignatureException"/> reporting that the referenced certificate could
/// not be found, rather than returning a chain.
/// </summary>
/// <param name="signingCertificateUsage">Which ESSCertID attribute variant the TSA emits.</param>
public async Task GetTimestampCertificateChain_WithShortEssCertIdCertificateHash_Throws(
    SigningCertificateUsage signingCertificateUsage)
{
    ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
    CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();

    // A truncated hash can never match any certificate in the token.
    var serviceOptions = new TimestampServiceOptions()
    {
        SigningCertificateUsage = signingCertificateUsage,
        SigningCertificateV1Hash = new byte[SHA1HashLength - 1]
    };
    TimestampService timestampService = TimestampService.Create(rootCa, serviceOptions);

    using (testServer.RegisterResponder(timestampService))
    {
        var packageContext = new SimpleTestPackageContext();

        using (var authorCertificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
        using (var workingDirectory = TestDirectory.Create())
        {
            var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                authorCertificate,
                packageContext,
                workingDirectory,
                timestampService.Url);

            using (FileStream packageStream = File.OpenRead(signedPackagePath))
            using (var packageReader = new PackageArchiveReader(packageStream))
            {
                PrimarySignature primarySignature = await packageReader.GetPrimarySignatureAsync(CancellationToken.None);

                SignatureException thrown = Assert.Throws<SignatureException>(
                    () => SignatureUtility.GetTimestampCertificateChain(primarySignature));

                Assert.Equal(
                    "A certificate referenced by the signing-certificate attribute could not be found.",
                    thrown.Message);
            }
        }
    }
}
/// <summary>
/// Registers the certificate responder and/or the OCSP responder for a single CA. Parents are
/// not walked here.
/// </summary>
/// <param name="testServer">Server on which the responders are registered.</param>
/// <param name="ca">The CA whose responders are registered.</param>
/// <param name="addCa">Register the CA's certificate responder.</param>
/// <param name="addOcsp">Register the CA's OCSP responder.</param>
/// <returns>The registrations made (zero, one or two), for disposal by the caller.</returns>
public static DisposableList<IDisposable> RegisterResponders(
    this ISigningTestServer testServer,
    CertificateAuthority ca,
    bool addCa = true,
    bool addOcsp = true)
{
    var registrations = new DisposableList<IDisposable>();

    if (addCa)
    {
        IDisposable caRegistration = testServer.RegisterResponder(ca);
        registrations.Add(caRegistration);
    }

    if (addOcsp)
    {
        IDisposable ocspRegistration = testServer.RegisterResponder(ca.OcspResponder);
        registrations.Add(ocspRegistration);
    }

    return registrations;
}
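/// <summary>
/// Creates a root CA and an intermediate CA served from <paramref name="testServer"/>, trusts
/// the root in the LocalMachine Root store, and registers only the certificate responders for
/// the chain — no OCSP responders — so the chain has no reachable revocation source
/// (presumably the "offline revocation" scenario the name refers to).
/// </summary>
/// <param name="testServer">Server that hosts the CA responders; its URL is baked into the root CA.</param>
/// <param name="responders">
/// Disposal bag owned by the caller. Every responder registration made here is added to it, and
/// so is the machine trust-store entry for the test root, so that disposing the list both
/// unregisters the responders and removes the test root from the machine's trust.
/// </param>
/// <returns>The intermediate CA; its <c>Parent</c> is the trusted root.</returns>
private CertificateAuthority CreateOfflineRevocationCA(ISigningTestServer testServer, DisposableList<IDisposable> responders)
{
    var rootCa = CertificateAuthority.Create(testServer.Url);
    var intermediateCa = rootCa.CreateIntermediateCertificateAuthority();
    var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded());

    // Installing a test root into LocalMachine\Root widens what the whole machine trusts.
    // The original code dropped this handle, leaving the root installed after the test;
    // tying it to the caller's disposal bag removes it again when the responders are torn down.
    var trustedServerRoot = TrustedTestCert.Create(
        rootCertificate,
        StoreName.Root,
        StoreLocation.LocalMachine);
    responders.Add(trustedServerRoot);

    // Certificate responders only: deliberately no OcspResponder registration for any CA.
    for (CertificateAuthority node = intermediateCa; node != null; node = node.Parent)
    {
        responders.Add(testServer.RegisterResponder(node));
    }

    return intermediateCa;
}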
/// <summary>
/// Signs a package with a TSA whose ESSCertID carries a zero-filled, correctly sized (SHA-1
/// length) certificate hash, and asserts that the verify command still succeeds, reports the
/// success marker, and emits no "no timestamper" warning — i.e. the mismatched hash value alone
/// does not invalidate the timestamp.
/// </summary>
/// <param name="signingCertificateUsage">Which ESSCertID attribute variant the TSA emits.</param>
public async Task GetTimestampCertificateChain_WithMismatchedEssCertIdCertificateHash_ReturnsChain(
    SigningCertificateUsage signingCertificateUsage)
{
    // Arrange: right hash length, wrong (all-zero) hash content.
    ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
    CertificateAuthority rootCa = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
    var serviceOptions = new TimestampServiceOptions()
    {
        SigningCertificateUsage = signingCertificateUsage,
        SigningCertificateV1Hash = new byte[SHA1HashLength]
    };
    TimestampService timestampService = TimestampService.Create(rootCa, serviceOptions);

    using (testServer.RegisterResponder(timestampService))
    {
        var packageContext = new SimpleTestPackageContext();

        using (var authorCertificate = new X509Certificate2(_testFixture.TrustedTestCertificate.Source.Cert))
        using (TestDirectory workingDirectory = TestDirectory.Create())
        {
            string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                authorCertificate,
                packageContext,
                workingDirectory,
                timestampService.Url);

            // Act
            CommandRunnerResult verifyResult = RunVerifyCommand(signedPackagePath);

            // Assert
            verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
            verifyResult.AllOutput.Should().Contain(_successfullyVerified);

            int timestamperWarnings = Regex.Matches(verifyResult.AllOutput, _noTimestamperWarning).Count;
            timestamperWarnings.Should().Be(0);
        }
    }
}