public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync()
            {
                ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();

                CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();

                var accuracy       = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
                var serviceOptions = new TimestampServiceOptions()
                {
                    Accuracy = accuracy
                };
                TimestampService        timestampService = TimestampService.Create(ca, serviceOptions);
                AsymmetricCipherKeyPair keyPair          = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
                DateTimeOffset          now = DateTimeOffset.UtcNow;
                var issueOptions            = new IssueCertificateOptions()
                {
                    KeyPair     = keyPair,
                    NotAfter    = now.AddSeconds(10),
                    NotBefore   = now.AddSeconds(-2),
                    SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
                };
                BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);

                using (testServer.RegisterResponder(timestampService))
                    using (TestDirectory directory = TestDirectory.Create())
                        using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
                        {
                            var    packageContext    = new SimpleTestPackageContext();
                            string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                                certificate,
                                packageContext,
                                directory,
                                timestampService.Url);

                            await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);

                            var verifier = new PackageSignatureVerifier(_trustProviders);

                            using (var packageReader = new PackageArchiveReader(signedPackagePath))
                            {
                                VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);

                                PackageVerificationResult result = results.Results.Single();

                                Assert.False(results.IsValid);
                                Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust);
                                Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
                                Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));

                                Assert.Contains(result.Issues, issue =>
                                                issue.Code == NuGetLogCode.NU3037 &&
                                                issue.Level == LogLevel.Error &&
                                                issue.Message.Contains("validity period has expired."));
                            }
                        }
            }
Esempio n. 2
0
        public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_Success()
        {
            var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();

            var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();

            var keyPair      = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
            var now          = DateTimeOffset.UtcNow;
            var issueOptions = new IssueCertificateOptions()
            {
                KeyPair     = keyPair,
                NotAfter    = now.AddSeconds(10),
                NotBefore   = now.AddSeconds(-2),
                SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
            };
            var bcCertificate = ca.IssueCertificate(issueOptions);

            using (var certificate = new X509Certificate2(bcCertificate.GetEncoded()))
                using (var directory = TestDirectory.Create())
                {
                    certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
                    var notAfter = certificate.NotAfter.ToUniversalTime();

                    var packageContext    = new SimpleTestPackageContext();
                    var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                        certificate,
                        packageContext,
                        directory,
                        timestampService.Url);

                    var waitDuration = (notAfter - DateTimeOffset.UtcNow).Add(TimeSpan.FromSeconds(1));

                    // Wait for the certificate to expire.  Trust of the signature will require a valid timestamp.
                    await Task.Delay(waitDuration);

                    Assert.True(DateTime.UtcNow > notAfter);

                    var verifier = new PackageSignatureVerifier(_trustProviders);

                    using (var packageReader = new PackageArchiveReader(signedPackagePath))
                    {
                        var result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);

                        var trustProvider = result.Results.Single();

                        Assert.True(result.Valid);
                        Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
                        Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
                        Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
                    }
                }
        }
Esempio n. 3
0
        private async Task <X509Certificate2> CreateDefaultRepositorySigningCertificateAsync()
        {
            var ca = await CreateDefaultTrustedCertificateAuthorityAsync();

            var keyPair      = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
            var issueOptions = new IssueCertificateOptions()
            {
                KeyPair     = keyPair,
                NotBefore   = DateTimeOffset.UtcNow.AddSeconds(-2),
                NotAfter    = DateTimeOffset.UtcNow.AddHours(1),
                SubjectName = new X509Name("CN=NuGet Cross Verify Test Repository Signning Certificate")
            };
            var bcCertificate = ca.IssueCertificate(issueOptions);

            return(CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair));
        }
Esempio n. 4
0
        public async Task <X509Certificate2> GetWeakSignatureParentSigningCertificateAsync()
        {
            var testServer = await GetTestServerAsync();

            var rootCa = await GetRootCertificateAuthority();

            var issueOptions = IssueCertificateOptions.CreateDefaultForIntermediateCertificateAuthority();
            var keyPair      = SigningTestUtility.GenerateKeyPair(publicKeyLength: 512);

            issueOptions.KeyPair = keyPair;

            var intermediateCa = rootCa.CreateIntermediateCertificateAuthority(issueOptions);
            var responders     = GetResponders();

            responders.AddRange(testServer.RegisterResponders(intermediateCa));

            return(CreateSigningCertificate(intermediateCa));
        }
            public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_SuccessAsync()
            {
                CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();

                TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();

                AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
                DateTimeOffset          now     = DateTimeOffset.UtcNow;
                var issueOptions = new IssueCertificateOptions()
                {
                    KeyPair     = keyPair,
                    NotAfter    = now.AddSeconds(10),
                    NotBefore   = now.AddSeconds(-2),
                    SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
                };
                BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);

                using (TestDirectory directory = TestDirectory.Create())
                    using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
                    {
                        var    packageContext    = new SimpleTestPackageContext();
                        string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                            certificate,
                            packageContext,
                            directory,
                            timestampService.Url);

                        await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);

                        var verifier = new PackageSignatureVerifier(_trustProviders);

                        using (var packageReader = new PackageArchiveReader(signedPackagePath))
                        {
                            VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);

                            PackageVerificationResult trustProvider = result.Results.Single();

                            Assert.True(result.IsValid);
                            Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
                            Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
                            Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
                        }
                    }
            }
        public CertificatesFixture()
        {
            DefaultKeyPair              = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
            _defaultCertificate         = SigningTestUtility.GenerateCertificate("test", DefaultKeyPair);
            _rsaSsaPssCertificate       = SigningTestUtility.GenerateCertificate("test", generator => { }, "SHA256WITHRSAANDMGF1");
            _lifetimeSigningCertificate = SigningTestUtility.GenerateCertificate(
                "test",
                generator =>
            {
                generator.AddExtension(
                    X509Extensions.ExtendedKeyUsage.Id,
                    critical: true,
                    extensionValue: new DerSequence(new DerObjectIdentifier(Oids.LifetimeSigningEku)));
            });
            _expiredCertificate = SigningTestUtility.GenerateCertificate(
                "test",
                SigningTestUtility.CertificateModificationGeneratorExpiredCert);
            _notYetValidCertificate = SigningTestUtility.GenerateCertificate(
                "test",
                SigningTestUtility.CertificateModificationGeneratorNotYetValidCert);
            _nonSelfSignedCertificate = SigningTestUtility.GenerateCertificate(
                "test non-self-signed certificate", // Must be different than the issuing certificate's subject name.
                generator => { },
                chainCertificateRequest: new ChainCertificateRequest()
            {
                Issuer = _defaultCertificate
            });
            _selfIssuedCertificate = SigningTestUtility.GenerateSelfIssuedCertificate(isCa: false);
            _rootCertificate       = SigningTestUtility.GenerateSelfIssuedCertificate(isCa: true);

            const string name1 = "NuGet Cyclic Test Certificate 1";
            const string name2 = "NuGet Cyclic Test Certificate 2";

            var keyPair1 = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
            var keyPair2 = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);

            _cyclicChain = new DisposableList <X509Certificate2>()
            {
                SigningTestUtility.GenerateCertificate(name1, name2, keyPair1.Private, keyPair2),
                SigningTestUtility.GenerateCertificate(name2, name1, keyPair2.Private, keyPair1)
            };
        }
Esempio n. 7
0
        protected (BCCertificate publicCertificate, X509Certificate2 certificate) IssueCertificate(
            CertificateAuthority ca,
            string name,
            Action <X509V3CertificateGenerator> customizeCertificate)
        {
            var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);

            var publicCertificate = ca.IssueCertificate(new IssueCertificateOptions
            {
                CustomizeCertificate = customizeCertificate,
                NotAfter             = DateTime.UtcNow.AddMinutes(10),
                NotBefore            = DateTime.UtcNow.AddSeconds(-10),
                KeyPair = keyPair,

                SubjectName = new X509Name($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test ${name} Certificate ({Guid.NewGuid()})")
            });

            var certificate = publicCertificate.ToX509Certificate2();

            certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);

            return(publicCertificate, certificate);
        }
Esempio n. 8
0
        public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_Fails()
        {
            var testServer = await _testFixture.GetSigningTestServerAsync();

            var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();

            var accuracy       = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
            var serviceOptions = new TimestampServiceOptions()
            {
                Accuracy = accuracy
            };
            var timestampService = TimestampService.Create(ca, serviceOptions);
            var keyPair          = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
            var now          = DateTimeOffset.UtcNow;
            var issueOptions = new IssueCertificateOptions()
            {
                KeyPair     = keyPair,
                NotAfter    = now.AddSeconds(10),
                NotBefore   = now.AddSeconds(-2),
                SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
            };
            var bcCertificate = ca.IssueCertificate(issueOptions);

            using (testServer.RegisterResponder(timestampService))
                using (var certificate = new X509Certificate2(bcCertificate.GetEncoded()))
                    using (var directory = TestDirectory.Create())
                    {
                        certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);

                        var packageContext    = new SimpleTestPackageContext();
                        var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                            certificate,
                            packageContext,
                            directory,
                            timestampService.Url);

                        var waitDuration = (issueOptions.NotAfter - DateTimeOffset.UtcNow).Add(TimeSpan.FromSeconds(1));

                        // Wait for the certificate to expire.  Trust of the signature will require a valid timestamp.
                        if (waitDuration > TimeSpan.Zero)
                        {
                            await Task.Delay(waitDuration);
                        }

                        Assert.True(DateTime.UtcNow > issueOptions.NotAfter);

                        var verifier = new PackageSignatureVerifier(_trustProviders);

                        using (var packageReader = new PackageArchiveReader(signedPackagePath))
                        {
                            var results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);

                            var result = results.Results.Single();

                            Assert.False(results.Valid);
                            Assert.Equal(SignatureVerificationStatus.Illegal, result.Trust);
                            Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
                            Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));

                            Assert.Contains(result.Issues, issue =>
                                            issue.Code == NuGetLogCode.NU3011 &&
                                            issue.Level == LogLevel.Error &&
                                            issue.Message.Contains("validity period has expired."));
                        }
                    }
        }