public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var logger = new TestLogger();
using (var chain = CertificateChainUtility.GetCertificateChain(
certificate,
new X509Certificate2Collection(),
logger,
CertificateType.Signature))
{
Assert.Equal(1, chain.Count);
Assert.NotSame(certificate, chain[0]);
Assert.True(certificate.RawData.SequenceEqual(chain[0].RawData));
}
Assert.Equal(0, logger.Errors);
#if (IS_DESKTOP || NETCORE5_0)
Assert.Equal(1, logger.Warnings);
#else
Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings);
#endif
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
#if !NETCORE5_0
if (RuntimeEnvironmentHelper.IsLinux)
{
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
}
#endif
}
}
[PlatformFact(Platform.Windows, Platform.Linux)] // https://github.com/NuGet/Home/issues/8047
public void Verify_WhenChainBuildingFails_Throws()
{
using (var certificate = _fixture.GetExpiredCertificate())
using (var request = CreateRequest(certificate))
{
var logger = new TestLogger();
var exception = Assert.Throws <SignatureException>(
() => SigningUtility.Verify(request, logger));
Assert.Equal(NuGetLogCode.NU3018, exception.Code);
Assert.Equal("Certificate chain validation failed.", exception.Message);
Assert.Equal(1, logger.Errors);
if (RuntimeEnvironmentHelper.IsLinux)
{
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
}
else
{
Assert.Equal(1, logger.Warnings);
}
SigningTestUtility.AssertNotTimeValid(logger.LogMessages, LogLevel.Error);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
}
}
public void Verify_WithUntrustedSelfSignedCertificate_Succeeds()
{
using (var certificate = _fixture.GetDefaultCertificate())
using (var request = CreateRequest(certificate))
{
var logger = new TestLogger();
SigningUtility.Verify(request, logger);
Assert.Equal(0, logger.Errors);
#if (IS_DESKTOP || NETCORE5_0)
Assert.Equal(1, logger.Warnings);
#else
Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings);
#endif
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
#if !NETCORE5_0
if (RuntimeEnvironmentHelper.IsLinux)
{
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
}
#endif
}
}
public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var logger = new TestLogger();
using (var chain = CertificateChainUtility.GetCertificateChain(
certificate,
new X509Certificate2Collection(),
logger,
CertificateType.Signature))
{
Assert.Equal(1, chain.Count);
Assert.NotSame(certificate, chain[0]);
Assert.True(certificate.RawData.SequenceEqual(chain[0].RawData));
}
Assert.Equal(0, logger.Errors);
Assert.Equal(RuntimeEnvironmentHelper.IsWindows ? 1 : 2, logger.Warnings);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
if (!RuntimeEnvironmentHelper.IsWindows)
{
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
}
}
}
public void GetCertificateChain_WithUntrustedRoot_Throws()
{
using (var chainHolder = new X509ChainHolder())
using (var rootCertificate = SigningTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SigningTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SigningTestUtility.GetCertificate("leaf.crt"))
{
var chain = chainHolder.Chain;
var extraStore = new X509Certificate2Collection()
{
rootCertificate, intermediateCertificate
};
var logger = new TestLogger();
var exception = Assert.Throws <SignatureException>(
() => CertificateChainUtility.GetCertificateChain(
leafCertificate,
extraStore,
logger,
CertificateType.Signature));
Assert.Equal(NuGetLogCode.NU3018, exception.Code);
Assert.Equal("Certificate chain validation failed.", exception.Message);
Assert.Equal(1, logger.Errors);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Error);
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
if (RuntimeEnvironmentHelper.IsWindows)
{
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
}
else if (RuntimeEnvironmentHelper.IsLinux)
{
#if NETCORE5_0
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
#else
Assert.Equal(1, logger.Warnings);
#endif
}
else
{
Assert.Equal(1, logger.Warnings);
}
}
}
public async Task SignAsync_WhenPackageEntryCountWouldRequireZip64_FailsAsync()
{
const ushort desiredFileCount = 0xFFFF - 1;
var package = new SimpleTestPackageContext();
var requiredFileCount = desiredFileCount - package.Files.Count;
for (var i = 0; i < requiredFileCount - 1 /*nuspec*/; ++i)
{
package.AddFile(i.ToString());
}
using (var packageStream = await package.CreateAsStreamAsync())
{
using (var zipArchive = new ZipArchive(packageStream, ZipArchiveMode.Read, leaveOpen: true))
{
// Sanity check before testing.
Assert.Equal(desiredFileCount, zipArchive.Entries.Count());
}
packageStream.Position = 0;
using (var test = SignTest.Create(
_fixture.GetDefaultCertificate(),
HashAlgorithmName.SHA256,
packageStream.ToArray(),
new X509SignatureProvider(timestampProvider: null)))
{
var exception = await Assert.ThrowsAsync <SignatureException>(
() => SigningUtility.SignAsync(test.Options, test.Request, CancellationToken.None));
Assert.Equal(NuGetLogCode.NU3039, exception.Code);
Assert.Equal("The package cannot be signed as it would require the Zip64 format.", exception.Message);
Assert.Equal(0, test.Options.OutputPackageStream.Length);
Assert.Equal(0, test.Logger.Errors);
Assert.Equal(1, test.Logger.Warnings);
Assert.Equal(1, test.Logger.Messages.Count());
SigningTestUtility.AssertUntrustedRoot(test.Logger.LogMessages, LogLevel.Warning);
}
}
}
[PlatformFact(Platform.Windows, Platform.Linux)] // https://github.com/NuGet/Home/issues/8047
public void Verify_WithUntrustedSelfSignedCertificate_Succeeds()
{
using (var certificate = _fixture.GetDefaultCertificate())
using (var request = CreateRequest(certificate))
{
var logger = new TestLogger();
SigningUtility.Verify(request, logger);
Assert.Equal(0, logger.Errors);
Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
if (RuntimeEnvironmentHelper.IsLinux)
{
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
}
}
}
public async Task SignAsync_WithUntrustedSelfSignedCertificate_SucceedsAsync()
{
var package = new SimpleTestPackageContext();
using (var packageStream = await package.CreateAsStreamAsync())
using (var test = SignTest.Create(
_fixture.GetDefaultCertificate(),
HashAlgorithmName.SHA256,
packageStream.ToArray(),
new X509SignatureProvider(timestampProvider: null)))
{
await SigningUtility.SignAsync(test.Options, test.Request, CancellationToken.None);
Assert.True(await SignedArchiveTestUtility.IsSignedAsync(test.Options.OutputPackageStream));
Assert.Equal(0, test.Logger.Errors);
Assert.Equal(1, test.Logger.Warnings);
Assert.Equal(1, test.Logger.Messages.Count());
SigningTestUtility.AssertUntrustedRoot(test.Logger.LogMessages, LogLevel.Warning);
}
}
public async Task VerifySignaturesAsync_WithTimestampChainingToUntrustedRoot_NotAllowIgnoreTimestamp_FailAsync()
{
using (var nupkgStream = new MemoryStream(GetResource("UntrustedTimestampPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
var verifier = new PackageSignatureVerifier(_trustProviders);
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(
package,
_verifyCommandSettings,
CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(3);
SigningTestUtility.AssertUntrustedRoot(totalErrorIssues, NuGetLogCode.NU3028, LogLevel.Error);
}
}
public async Task SignAsync_WhenChainBuildingFails_ThrowsAsync()
{
var package = new SimpleTestPackageContext();
using (var packageStream = await package.CreateAsStreamAsync())
using (var test = SignTest.Create(
_fixture.GetExpiredCertificate(),
HashAlgorithmName.SHA256,
packageStream.ToArray(),
new X509SignatureProvider(timestampProvider: null)))
{
var exception = await Assert.ThrowsAsync <SignatureException>(
() => SigningUtility.SignAsync(test.Options, test.Request, CancellationToken.None));
Assert.Equal(NuGetLogCode.NU3018, exception.Code);
Assert.Equal("Certificate chain validation failed.", exception.Message);
Assert.Equal(1, test.Logger.Errors);
Assert.Equal(1, test.Logger.Warnings);
SigningTestUtility.AssertNotTimeValid(test.Logger.LogMessages, LogLevel.Error);
SigningTestUtility.AssertUntrustedRoot(test.Logger.LogMessages, LogLevel.Warning);
}
}
public async Task Verify_WithUntrustedSelfSignedCertificateAndNotAllowUntrusted_FailsAsync()
{
var settings = new SignatureVerifySettings(
allowIllegal: false,
allowUntrusted: false,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
reportUntrustedRoot: true,
revocationMode: RevocationMode.Online);
using (var test = await VerifyTest.CreateAsync(settings, _untrustedTestCertificate.Cert))
{
var result = test.PrimarySignature.Verify(
timestamp: null,
settings: settings,
fingerprintAlgorithm: HashAlgorithmName.SHA256,
certificateExtraStore: test.PrimarySignature.SignedCms.Certificates);
Assert.Equal(SignatureVerificationStatus.Disallowed, result.Status);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
SigningTestUtility.AssertUntrustedRoot(result.Issues, LogLevel.Error);
}
}
