public async Task GetTrustResultAsync_WithUnavailableRevocationInformationInAcceptMode_DoesNotWarnAsync()
{
// Arrange
var setting = SignedPackageVerifierSettings.GetAcceptModeDefaultPolicy();
// Act & Assert
var matchingIssues = await VerifyUnavailableRevocationInfoAsync(
SignatureVerificationStatus.Valid,
LogLevel.Warning,
setting);
Assert.Empty(matchingIssues);
}
public Task <PackageVerificationResult> GetTrustResultAsync(
ISignedPackageReader package,
PrimarySignature signature,
SignedPackageVerifierSettings settings,
CancellationToken token)
{
var result = new SignedPackageVerificationResult(
SignatureVerificationStatus.Valid,
signature,
Enumerable.Empty <SignatureLog>());
return(Task.FromResult <PackageVerificationResult>(result));
}
public async Task GetTrustResultAsync_VerifyWithoutCertificateInAllowListWithAllowUntrusted_Warn()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, dir);
var allowListHashes = new[] { "abc" };
var allowList = allowListHashes.Select(hash => new CertificateHashAllowListEntry(VerificationTarget.Primary, hash)).ToList();
var trustProviders = new[]
{
new AllowListVerificationProvider(allowList)
};
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: true,
allowUntrustedSelfIssuedCertificate: true,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true);
var verifier = new PackageSignatureVerifier(trustProviders, settings);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var resultsWithWarnings = result.Results.Where(r => r.GetWarningIssues().Any());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
var totalWarningIssues = resultsWithWarnings.SelectMany(r => r.GetWarningIssues());
// Assert
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
resultsWithWarnings.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(0);
totalWarningIssues.Count().Should().Be(1);
totalWarningIssues.First().Code.Should().Be(NuGetLogCode.NU3003);
totalWarningIssues.First().Message.Should().Contain(_noCertInAllowList);
}
}
}
public async Task VerifySignaturesAsync_WithExpiredPrimarySignature_ValidCountersignature_AndPrimarySignatureExpiredAtCountersignTime_Fails()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
alwaysVerifyCountersignature: true,
allowNoClientCertificateList: true,
allowNoRepositoryCertificateList: true);
using (var dir = TestDirectory.Create())
using (var willExpireCert = new X509Certificate2(_testFixture.TrustedTestCertificateWillExpireIn5Seconds.Source.Cert))
using (var repoTestCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
DateTimeOffset certExpiration = DateTime.SpecifyKind(willExpireCert.NotAfter, DateTimeKind.Local);
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
willExpireCert,
nupkg,
dir);
// Wait for cert to expire
while (certExpiration > DateTimeOffset.Now)
{
Thread.Sleep(100);
}
var countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(repoTestCertificate, signedPackagePath, dir, new Uri("https://v3serviceIndex.test/api/index.json"), timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(countersignedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.Valid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
}
}
}
private static SignedPackageVerifierSettings GetSettingsPolicy(string policyString)
{
if (StringComparer.Ordinal.Equals(policyString, "command"))
{
return(SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy());
}
if (StringComparer.Ordinal.Equals(policyString, "vs"))
{
return(SignedPackageVerifierSettings.GetAcceptModeDefaultPolicy());
}
return(SignedPackageVerifierSettings.GetDefault());
}
private static SignedPackageVerifierSettings GetSettingsPolicy(string policyString)
{
if (StringComparer.Ordinal.Equals(policyString, "command"))
{
return(SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy(TestEnvironmentVariableReader.EmptyInstance));
}
if (StringComparer.Ordinal.Equals(policyString, "vs"))
{
return(SignedPackageVerifierSettings.GetAcceptModeDefaultPolicy(TestEnvironmentVariableReader.EmptyInstance));
}
return(SignedPackageVerifierSettings.GetDefault(TestEnvironmentVariableReader.EmptyInstance));
}
public static bool AreVerifierSettingsEqual(SignedPackageVerifierSettings first, SignedPackageVerifierSettings second)
{
return(first.AllowIgnoreTimestamp == second.AllowIgnoreTimestamp &&
first.AllowIllegal == second.AllowIllegal &&
first.AllowMultipleTimestamps == second.AllowMultipleTimestamps &&
first.AllowNoTimestamp == second.AllowNoTimestamp &&
first.AllowUnknownRevocation == second.AllowUnknownRevocation &&
first.ReportUnknownRevocation == second.ReportUnknownRevocation &&
first.AllowUnsigned == second.AllowUnsigned &&
first.AllowUntrusted == second.AllowUntrusted &&
first.VerificationTarget == second.VerificationTarget &&
first.SignaturePlacement == second.SignaturePlacement &&
first.RepositoryCountersignatureVerificationBehavior == second.RepositoryCountersignatureVerificationBehavior);
}
public AllowListVerificationProviderTests(SigningTestFixture fixture)
{
_testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture));
_trustedTestCert = _testFixture.TrustedTestCertificate;
_settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowUntrustedSelfIssuedCertificate: true,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true);
}
public async Task VerifySignaturesAsync_WithExpiredAndUntrustedPrimarySignature_ValidCountersignature_AndPrimarySignatureValidAtCountersignTime_SucceedsAsync()
{
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExistsAndIsNecessary,
revocationMode: RevocationMode.Online);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (TestDirectory testDirectory = TestDirectory.Create())
using (X509Certificate2 untrustedCertificate = _testFixture.CreateUntrustedTestCertificateThatWillExpireSoon().Cert)
using (var repositoryCertificate = new X509Certificate2(_testFixture.TrustedRepositoryCertificate.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
untrustedCertificate,
nupkg,
testDirectory);
string countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
repositoryCertificate,
signedPackagePath,
testDirectory,
TestServiceIndexUrl,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(untrustedCertificate);
using (var packageReader = new PackageArchiveReader(countersignedPackagePath))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
result.IsValid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task <int> ExecuteCommandAsync(VerifyArgs verifyArgs)
{
if (verifyArgs.Verifications.Count == 0)
{
verifyArgs.Logger.LogError(string.Format(CultureInfo.CurrentCulture, Strings.VerifyCommand_VerificationTypeNotSupported));
return(FailureCode);
}
var errorCount = 0;
if (ShouldExecuteVerification(verifyArgs, Verification.Signatures))
{
var packagesToVerify = LocalFolderUtility.ResolvePackageFromPath(verifyArgs.PackagePath);
LocalFolderUtility.EnsurePackageFileExists(verifyArgs.PackagePath, packagesToVerify);
var allowListEntries = verifyArgs.CertificateFingerprint.Select(fingerprint =>
new CertificateHashAllowListEntry(
VerificationTarget.Author | VerificationTarget.Repository,
SignaturePlacement.PrimarySignature,
fingerprint,
_defaultFingerprintAlgorithm)).ToList();
var verifierSettings = SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy();
var verificationProviders = SignatureVerificationProviderFactory.GetDefaultSignatureVerificationProviders();
verificationProviders.Add(
new AllowListVerificationProvider(
allowListEntries,
requireNonEmptyAllowList: false,
noMatchErrorMessage: Strings.Error_NoMatchingCertificate));
var verifier = new PackageSignatureVerifier(verificationProviders);
foreach (var package in packagesToVerify)
{
try
{
errorCount += await VerifySignatureForPackageAsync(package, verifyArgs.Logger, verifier, verifierSettings);
}
catch (InvalidDataException e)
{
verifyArgs.Logger.LogError(string.Format(CultureInfo.CurrentCulture, Strings.VerifyCommand_PackageIsNotValid, package));
ExceptionUtilities.LogException(e, verifyArgs.Logger);
}
}
}
return(errorCount == 0 ? SuccessCode : FailureCode);
}
public async Task VerifySignaturesAsync_WithBasicSignedCms_SucceedsAsync()
{
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExistsAndIsNecessary,
revocationMode: RevocationMode.Online);
using (TestDirectory directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageContext = new SimpleTestPackageContext();
FileInfo unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
FileInfo signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
Assert.Equal(1, result.Results.Count);
var signedPackageVerificationResult = (SignedPackageVerificationResult)result.Results[0];
SignerInfo signer = signedPackageVerificationResult.Signature.SignedCms.SignerInfos[0];
Assert.Equal(0, signer.SignedAttributes.Count);
Assert.Equal(0, signer.UnsignedAttributes.Count);
Assert.Equal(0, resultsWithErrors.Count());
Assert.Equal(0, totalErrorIssues.Count());
}
}
}
public VSAPIProjectContext(bool skipAssemblyReferences, bool bindingRedirectsDisabled)
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
new LoggerAdapter(this),
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
SourceControlManagerProvider = ServiceLocator.GetInstanceSafe <ISourceControlManagerProvider>();
SkipAssemblyReferences = skipAssemblyReferences;
BindingRedirectsDisabled = bindingRedirectsDisabled;
}
public static bool AreVerifierSettingsEqual(SignedPackageVerifierSettings first, SignedPackageVerifierSettings second)
{
return(first.AllowIgnoreTimestamp == second.AllowIgnoreTimestamp &&
first.AllowIllegal == second.AllowIllegal &&
first.AllowMultipleTimestamps == second.AllowMultipleTimestamps &&
first.AllowNoTimestamp == second.AllowNoTimestamp &&
first.AllowUnknownRevocation == second.AllowUnknownRevocation &&
first.AllowUnsigned == second.AllowUnsigned &&
first.AllowUntrusted == second.AllowUntrusted &&
first.AllowNoRepositoryCertificateList == second.AllowNoRepositoryCertificateList &&
first.AllowNoClientCertificateList == second.AllowNoClientCertificateList &&
first.AlwaysVerifyCountersignature == second.AlwaysVerifyCountersignature &&
AreCertificateHashAllowListEqual(first.ClientCertificateList, second.ClientCertificateList) &&
AreCertificateHashAllowListEqual(first.RepositoryCertificateList, second.RepositoryCertificateList));
}
public async Task ClientPolicies_WithNoTrustedSignersListAsync(SigningTestType signature, string validationMode, bool expectedResult, int expectedErrors)
{
// Arrange
using (var dir = TestDirectory.Create())
using (var authorCertificate = new X509Certificate2(_trustedAuthorTestCert.Source.Cert))
using (var repoCertificate = new X509Certificate2(_trustedRepoTestCert.Source.Cert))
{
var authorCertificateFingerprintString = SignatureTestUtility.GetFingerprint(authorCertificate, HashAlgorithmName.SHA256);
var repoCertificateFingerprintString = SignatureTestUtility.GetFingerprint(repoCertificate, HashAlgorithmName.SHA256);
var signedPackagePath = await CreateSignedPackageAsync(dir, signature, authorCertificate, repoCertificate);
var config = $@"
<configuration>
<config>
<add key=""signatureValidationMode"" value=""{validationMode}"" />
</config>
</configuration>";
var nugetConfigPath = "NuGet.Config";
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, dir, config);
// Act and Assert
var settings = new Settings(dir);
var verifierSettings = SignedPackageVerifierSettings.GetClientPolicy(settings, NullLogger.Instance);
var trustProviders = new[]
{
new AllowListVerificationProvider()
};
var verifier = new PackageSignatureVerifier(trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, verifierSettings, CancellationToken.None);
var resultsWithWarnings = result.Results.Where(r => r.GetWarningIssues().Any());
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalWarningIssues = resultsWithWarnings.SelectMany(r => r.GetWarningIssues());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.Valid.Should().Be(expectedResult);
totalWarningIssues.Count().Should().Be(0);
totalErrorIssues.Count().Should().Be(expectedErrors);
}
}
}
private bool IsSigned(string path)
{
IEnumerable <ISignatureVerificationProvider> providers = SignatureVerificationProviderFactory.GetSignatureVerificationProviders();
var packageSignatureVerifier = new PackageSignatureVerifier(providers);
var verifierSettings = SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy(clientAllowListEntries: AllowListEntries);
IEnumerable <ISignatureVerificationProvider> verificationProviders = SignatureVerificationProviderFactory.GetSignatureVerificationProviders();
var verifier = new PackageSignatureVerifier(verificationProviders);
using (var pr = new PackageArchiveReader(path))
{
Task <VerifySignaturesResult> verifySignatureResult = packageSignatureVerifier.VerifySignaturesAsync(pr, verifierSettings, CancellationToken.None);
return(verifySignatureResult.Result.Valid);
}
}
public override bool CanVerifySignedPackages(SignedPackageVerifierSettings verifierSettings)
{
#if IS_SIGNING_SUPPORTED
// Mono support has been deprioritized, so verification on Mono is not enabled, tracking issue: https://github.com/NuGet/Home/issues/9027
if (RuntimeEnvironmentHelper.IsMono)
{
return(false);
}
else
{
return(true);
}
#else
return(false);
#endif
}
public async Task GetTrustResultAsync_WithUnavailableRevocationInformationInRequireMode_Warns()
{
// Arrange
var setting = SignedPackageVerifierSettings.GetRequireModeDefaultPolicy();
// Act & Assert
var matchingIssues = await VerifyUnavailableRevocationInfo(
SignatureVerificationStatus.Valid,
LogLevel.Warning,
setting);
Assert.Equal(2, matchingIssues.Count);
AssertOfflineRevocation(matchingIssues, LogLevel.Warning);
AssertRevocationStatusUnknown(matchingIssues, LogLevel.Warning);
}
public void InstallPackagesFromVSExtensionRepository(string extensionId, bool isPreUnzipped, bool skipAssemblyReferences, bool ignoreDependencies, Project project, IDictionary <string, string> packageVersions)
{
if (string.IsNullOrEmpty(extensionId))
{
throw new ArgumentException(CommonResources.Argument_Cannot_Be_Null_Or_Empty, nameof(extensionId));
}
if (project == null)
{
throw new ArgumentNullException(nameof(project));
}
if (!packageVersions.Any())
{
throw new ArgumentException(CommonResources.Argument_Cannot_Be_Null_Or_Empty, nameof(packageVersions));
}
RunJTFWithCorrectContext(project, () =>
{
var repoProvider = new PreinstalledRepositoryProvider(ErrorHandler, _sourceRepositoryProvider);
repoProvider.AddFromExtension(_sourceRepositoryProvider, extensionId);
var toInstall = GetIdentitiesFromDict(packageVersions);
// Skip assembly references and disable binding redirections should be done together
var disableBindingRedirects = skipAssemblyReferences;
var projectContext = new VSAPIProjectContext(skipAssemblyReferences, disableBindingRedirects);
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var logger = new LoggerAdapter(projectContext);
projectContext.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(_settings, logger));
return(InstallInternalAsync(
project,
toInstall,
repoProvider,
projectContext,
includePrerelease: false,
ignoreDependencies: ignoreDependencies,
token: CancellationToken.None));
});
}
public async Task VerifySignaturesAsync_WithBasicSignedCms_SucceedsAsync()
{
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: false,
allowNoClientCertificateList: true,
allowNoRepositoryCertificateList: true,
alwaysVerifyCountersignature: false);
using (var directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageContext = new SimpleTestPackageContext();
var unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
var result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
Assert.Equal(1, result.Results.Count);
var signedPackageVerificationResult = (SignedPackageVerificationResult)result.Results[0];
var signer = signedPackageVerificationResult.Signature.SignedCms.SignerInfos[0];
Assert.Equal(0, signer.SignedAttributes.Count);
Assert.Equal(0, signer.UnsignedAttributes.Count);
Assert.Equal(0, resultsWithErrors.Count());
Assert.Equal(0, totalErrorIssues.Count());
}
}
}
public async Task GetTrustResultAsync_SettingsRequireExactlyOneTimestamp_MultipleTimestamps_Fails()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var testLogger = new TestLogger();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var setting = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowUntrustedSelfIssuedCertificate: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: false,
allowNoTimestamp: false,
allowUnknownRevocation: false,
allowNoClientCertificateList: true,
allowNoRepositoryCertificateList: true);
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var package = new PackageArchiveReader(nupkg.CreateAsStream(), leaveStreamOpen: false))
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
using (var signatureRequest = new AuthorSignPackageRequest(testCertificate, HashAlgorithmName.SHA256))
{
var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync(package, signatureRequest);
var timestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, signature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger);
var reTimestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, timestampedSignature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger);
timestampedSignature.Timestamps.Count.Should().Be(1);
reTimestampedSignature.Timestamps.Count.Should().Be(2);
// Act
var result = await verificationProvider.GetTrustResultAsync(package, reTimestampedSignature, setting, CancellationToken.None);
var totalErrorIssues = result.GetErrorIssues();
// Assert
result.Trust.Should().Be(SignatureVerificationStatus.Illegal);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3000);
}
}
public void ConstructorWithLists_InitializesProperties(
bool boolValue,
VerificationTarget verificationTarget,
SignaturePlacement signaturePlacement,
SignatureVerificationBehavior signatureVerificationBehavior,
RevocationMode revocationMode)
{
// Arrange
var repoList = new List <CertificateHashAllowListEntry>();
var clientList = new List <CertificateHashAllowListEntry>();
// Act
var settings = new SignedPackageVerifierSettings(
allowUnsigned: boolValue,
allowIllegal: boolValue,
allowUntrusted: boolValue,
allowIgnoreTimestamp: boolValue,
allowMultipleTimestamps: boolValue,
allowNoTimestamp: boolValue,
allowUnknownRevocation: boolValue,
reportUnknownRevocation: boolValue,
allowNoRepositoryCertificateList: boolValue,
allowNoClientCertificateList: boolValue,
verificationTarget: verificationTarget,
signaturePlacement: signaturePlacement,
repositoryCountersignatureVerificationBehavior: signatureVerificationBehavior,
revocationMode: revocationMode,
repoAllowListEntries: repoList,
clientAllowListEntries: clientList);
// Assert
settings.AllowUnsigned.Should().Be(boolValue);
settings.AllowIllegal.Should().Be(boolValue);
settings.AllowUntrusted.Should().Be(boolValue);
settings.AllowIgnoreTimestamp.Should().Be(boolValue);
settings.AllowMultipleTimestamps.Should().Be(boolValue);
settings.AllowNoTimestamp.Should().Be(boolValue);
settings.AllowUnknownRevocation.Should().Be(boolValue);
settings.AllowNoRepositoryCertificateList.Should().Be(boolValue);
settings.AllowNoClientCertificateList.Should().Be(boolValue);
settings.RepositoryCountersignatureVerificationBehavior.Should().Be(signatureVerificationBehavior);
settings.RevocationMode.Should().Be(revocationMode);
settings.RepositoryCertificateList.Should().BeSameAs(repoList);
settings.ClientCertificateList.Should().BeSameAs(clientList);
}
internal static async Task <GetTrustResultAsyncTest> CreateAsync(SignedPackageVerifierSettings settings, X509Certificate2 certificate)
{
using (var certificateClone = new X509Certificate2(certificate))
{
var directory = TestDirectory.Create();
var packageContext = new SimpleTestPackageContext();
var unsignedPackageFile = packageContext.CreateAsFile(directory, "package.nupkg");
var signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificateClone);
var package = new SignedPackageArchive(signedPackageFile.OpenRead(), new MemoryStream());
var signature = await package.GetSignatureAsync(CancellationToken.None);
return(new GetTrustResultAsyncTest(directory, package, signature, settings));
}
}
public async Task VerifySignaturesAsync_SettingsRequireCheckCountersiganture_WithValidPrimarySignatureAndValidCountersignature_Succeeds()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
alwaysVerifyCountersignature: true,
allowNoClientCertificateList: true,
allowNoRepositoryCertificateList: true);
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
using (var repoTestCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
testCertificate,
nupkg,
dir,
timestampService.Url);
var countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(repoTestCertificate, signedPackagePath, dir, new Uri("https://v3serviceIndex.test/api/index.json"), timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(countersignedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public NuGetUIFactory(
ICommonOperations commonOperations,
INuGetUILogger logger,
ISourceControlManagerProvider sourceControlManagerProvider)
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
ProjectContext = new NuGetUIProjectContext(
commonOperations,
logger,
sourceControlManagerProvider);
ProjectContext.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
new LoggerAdapter(ProjectContext),
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
}
private async Task PushPackageToFileSystem(Uri sourceUri,
string pathToPackage,
ILogger log,
CancellationToken token)
{
var root = sourceUri.LocalPath;
PackageIdentity packageIdentity = null;
using (var reader = new PackageArchiveReader(pathToPackage))
{
packageIdentity = reader.GetIdentity();
}
if (IsV2LocalRepository(root))
{
var pathResolver = new PackagePathResolver(root, useSideBySidePaths: true);
var packageFileName = pathResolver.GetPackageFileName(packageIdentity);
var fullPath = Path.Combine(root, packageFileName);
File.Copy(pathToPackage, fullPath, overwrite: true);
}
else
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var packageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv3,
PackageExtractionBehavior.XmlDocFileSaveMode,
log,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(Settings, log));
var context = new OfflineFeedAddContext(pathToPackage,
root,
log,
throwIfSourcePackageIsInvalid: true,
throwIfPackageExistsAndInvalid: false,
throwIfPackageExists: false,
extractionContext: packageExtractionContext);
await OfflineFeedUtility.AddPackageToSource(context, token);
}
}
/// <summary>
/// Asynchronously copies satellite files.
/// </summary>
/// <param name="packageIdentity">A package identity.</param>
/// <param name="nuGetProjectContext">A NuGet project context.</param>
/// <param name="token">A cancellation token.</param>
/// <returns>A task that represents the asynchronous operation.
/// The task result (<see cref="Task{TResult}.Result" />) returns a <see cref="bool" />
/// indication successfulness of the operation.</returns>
/// <exception cref="ArgumentNullException">Thrown if <paramref name="packageIdentity" />
/// is <c>null</c>.</exception>
/// <exception cref="ArgumentNullException">Thrown if <paramref name="nuGetProjectContext" />
/// is <c>null</c>.</exception>
/// <exception cref="OperationCanceledException">Thrown if <paramref name="token" />
/// is cancelled.</exception>
public async Task <bool> CopySatelliteFilesAsync(
PackageIdentity packageIdentity,
INuGetProjectContext nuGetProjectContext,
CancellationToken token)
{
if (packageIdentity == null)
{
throw new ArgumentNullException(nameof(packageIdentity));
}
if (nuGetProjectContext == null)
{
throw new ArgumentNullException(nameof(nuGetProjectContext));
}
token.ThrowIfCancellationRequested();
var packageExtractionContext = nuGetProjectContext.PackageExtractionContext;
if (packageExtractionContext == null)
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
packageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
new LoggerAdapter(nuGetProjectContext),
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
}
var copiedSatelliteFiles = await PackageExtractor.CopySatelliteFilesAsync(
packageIdentity,
PackagePathResolver,
GetPackageSaveMode(nuGetProjectContext),
packageExtractionContext,
token);
FileSystemUtility.PendAddFiles(copiedSatelliteFiles, Root, nuGetProjectContext);
return(copiedSatelliteFiles.Any());
}
public TestRestoreRequest(
PackageSpec project,
IEnumerable <SourceRepository> sources,
string packagesDirectory,
IEnumerable <string> fallbackPackageFolders,
ILogger log) : this(
project,
sources,
packagesDirectory,
fallbackPackageFolders,
new TestSourceCacheContext(),
new PackageExtractionContext(
PackageSaveMode.Defaultv3,
PackageExtractionBehavior.XmlDocFileSaveMode,
log,
new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders()),
SignedPackageVerifierSettings.GetDefault()),
log)
{
}
public async Task GetTrustResultAsync_WithUnavailableRevocationInformationAndAllowUntrusted_Warns()
{
// Arrange
var setting = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowUntrusted: true,
allowUntrustedSelfSignedCertificate: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: false,
allowNoTimestamp: false,
allowUnknownRevocation: true);
// Act & Assert
var matchingIssues = await VerifyUnavailableRevocationInfo(
SignatureVerificationStatus.Trusted,
LogLevel.Warning,
setting);
Assert.Empty(matchingIssues);
}
/// <summary>
/// This constructor is just used for testing.
/// </summary>
public VsPathContextProvider(
ISettings settings,
IVsSolutionManager solutionManager,
NuGet.Common.ILogger logger,
Func <BuildIntegratedNuGetProject, Task <LockFile> > getLockFileOrNullAsync)
{
if (settings == null)
{
throw new ArgumentNullException(nameof(settings));
}
if (solutionManager == null)
{
throw new ArgumentNullException(nameof(solutionManager));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
_settings = new Lazy <ISettings>(() => settings);
_solutionManager = new Lazy <IVsSolutionManager>(() => solutionManager);
_logger = new Lazy <NuGet.Common.ILogger>(() => logger);
_getLockFileOrNullAsync = getLockFileOrNullAsync ?? BuildIntegratedProjectUtility.GetLockFileOrNull;
_projectContext = new Lazy <INuGetProjectContext>(() => {
var projectContext = new VSAPIProjectContext();
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var adapterLogger = new LoggerAdapter(projectContext);
projectContext.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
adapterLogger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(settings, adapterLogger));
return(projectContext);
});
}
public async Task VerifySignaturesAsync_SettingsRequireTimestamp_NoTimestamp_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: false,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExistsAndIsNecessary,
revocationMode: RevocationMode.Online);
using (TestDirectory dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, dir);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3027);
}
}
}
