private async Task <string> CreateSignedPackageAsync(TestDirectory dir, SigningTestType signature, X509Certificate2 authorcert, X509Certificate2 repocert) { var nupkg = new SimpleTestPackageContext(); var signedPackagePath = ""; if (signature == SigningTestType.Author || signature == SigningTestType.RepositoryCountersigned) { signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(authorcert, nupkg, dir); } if (signature == SigningTestType.RepositoryPrimary) { signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(repocert, nupkg, dir, new Uri(@"https://api.v3serviceIndex.test/json"), packageOwners : new List <string>() { "owner1", "owner2", "owner3" }); } if (signature == SigningTestType.RepositoryCountersigned) { signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(repocert, signedPackagePath, dir, new Uri(@"https://api.v3serviceIndex.test/json"), packageOwners : new List <string>() { "owner1", "owner2", "owner3" }); } return(signedPackagePath); }
public async Task ClientPolicies_WithSignerNotInTrustedSignersListAsync(SigningTestType signature, string validationMode, bool expectedResult, int expectedErrors, int expectedWarnings) { // Arrange using (var dir = TestDirectory.Create()) using (var authorCertificate = new X509Certificate2(_trustedAuthorTestCert.Source.Cert)) using (var repoCertificate = new X509Certificate2(_trustedRepoTestCert.Source.Cert)) { var authorCertificateFingerprintString = SignatureTestUtility.GetFingerprint(authorCertificate, HashAlgorithmName.SHA256); var repoCertificateFingerprintString = SignatureTestUtility.GetFingerprint(repoCertificate, HashAlgorithmName.SHA256); var signedPackagePath = await CreateSignedPackageAsync(dir, signature, authorCertificate, repoCertificate); var config = $@" <configuration> <config> <add key=""signatureValidationMode"" value=""{validationMode}"" /> </config> <trustedSigners> <author name=""randomAuthor""> <certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" /> </author> </trustedSigners> </configuration>"; var nugetConfigPath = "NuGet.Config"; SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, dir, config); // Act and Assert var settings = new Settings(dir); var verifierSettings = SignedPackageVerifierSettings.GetClientPolicy(settings, NullLogger.Instance); var trustProviders = new[] { new AllowListVerificationProvider() }; var verifier = new PackageSignatureVerifier(trustProviders); using (var packageReader = new PackageArchiveReader(signedPackagePath)) { // Act var result = await verifier.VerifySignaturesAsync(packageReader, verifierSettings, CancellationToken.None); var resultsWithWarnings = result.Results.Where(r => r.GetWarningIssues().Any()); var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any()); var totalWarningIssues = resultsWithWarnings.SelectMany(r => r.GetWarningIssues()); var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues()); // Assert result.Valid.Should().Be(expectedResult); totalWarningIssues.Count().Should().Be(expectedWarnings); totalErrorIssues.Count().Should().Be(expectedErrors); } } }
public async Task ClientPolicies_WithSignerInTrustedSignersListAsync(SigningTestType signature, SignaturePlacement trustedSigner, string validationMode) { // Arrange using (var dir = TestDirectory.Create()) using (var authorCertificate = new X509Certificate2(_trustedAuthorTestCert.Source.Cert)) using (var repoCertificate = new X509Certificate2(_trustedRepoTestCert.Source.Cert)) { var authorCertificateFingerprintString = SignatureTestUtility.GetFingerprint(authorCertificate, HashAlgorithmName.SHA256); var repoCertificateFingerprintString = SignatureTestUtility.GetFingerprint(repoCertificate, HashAlgorithmName.SHA256); var signedPackagePath = await CreateSignedPackageAsync(dir, signature, authorCertificate, repoCertificate); var trustedSignerString = ""; if (signature == SigningTestType.Author || (signature == SigningTestType.RepositoryCountersigned && trustedSigner == SignaturePlacement.PrimarySignature)) { trustedSignerString = $@"<author name=""author1""><certificate fingerprint=""{authorCertificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" /></author>"; } else { trustedSignerString = $@"<repository name=""repo1"" serviceIndex=""https://api.v3serviceIndex.test/json""><certificate fingerprint=""{repoCertificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" /></repository>"; } var config = $@" <configuration> <config> <add key=""signatureValidationMode"" value=""{validationMode}"" /> </config> <trustedSigners> {trustedSignerString} </trustedSigners> </configuration>"; var nugetConfigPath = "NuGet.Config"; SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, dir, config); // Act and Assert var settings = new Settings(dir); var verifierSettings = SignedPackageVerifierSettings.GetClientPolicy(settings, NullLogger.Instance); var trustProviders = new[] { new AllowListVerificationProvider() }; var verifier = new PackageSignatureVerifier(trustProviders); using (var packageReader = new PackageArchiveReader(signedPackagePath)) { // Act var result = await verifier.VerifySignaturesAsync(packageReader, verifierSettings, CancellationToken.None); var resultsWithWarnings = result.Results.Where(r => r.GetWarningIssues().Any()); var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any()); var totalWarningIssues = resultsWithWarnings.SelectMany(r => r.GetWarningIssues()); var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues()); // Assert result.Valid.Should().BeTrue(); totalWarningIssues.Count().Should().Be(0); totalErrorIssues.Count().Should().Be(0); } } }