public async Task <TimestampServiceWithUnavailableRevocation> CreateTimestampServiceWithUnavailableRevocationAsync()
{
var testServer = await _testServer.Value;
var rootCa = CertificateAuthority.Create(testServer.Url);
var rootCertificate = rootCa.Certificate.ToX509Certificate2();
var trust = new TrustedTestCert <X509Certificate2>(
rootCertificate,
certificate => certificate,
StoreName.Root,
StoreLocation.LocalMachine);
var timestampService = TimestampService.Create(rootCa);
var disposable = new DisposableList <IDisposable> {
rootCertificate, trust
};
Task WaitForResponseExpirationAsync()
{
return(rootCa.OcspResponder.WaitForResponseExpirationAsync(timestampService.Certificate));
}
return(new TimestampServiceWithUnavailableRevocation(
testServer,
timestampService,
WaitForResponseExpirationAsync,
disposable));
}
private static async Task <List <SignatureLog> > VerifyUnavailableRevocationInfo(
SignatureVerificationStatus expectedStatus,
LogLevel expectedLogLevel,
SignedPackageVerifierSettings setting)
{
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var nupkgStream = new MemoryStream(GetResource("UnavailableCrlPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
// Read a signature that is valid in every way except that the CRL information is unavailable.
var signature = await package.GetSignatureAsync(CancellationToken.None);
var rootCertificate = SignatureUtility.GetPrimarySignatureCertificates(signature).Last();
// Trust the root CA of the signing certificate.
using (var testCertificate = TrustedTestCert.Create(
rootCertificate,
StoreName.Root,
StoreLocation.LocalMachine,
maximumValidityPeriod: TimeSpan.MaxValue))
{
// Act
var result = await verificationProvider.GetTrustResultAsync(package, signature, setting, CancellationToken.None);
// Assert
Assert.Equal(expectedStatus, result.Trust);
return(result
.Issues
.Where(x => x.Level >= expectedLogLevel)
.OrderBy(x => x.Message)
.ToList());
}
}
}
public async Task DotnetSign_ResignPackageWithOverwrite_SuccessAsync()
{
// Arrange
using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf;
//Act
CommandRunnerResult firstResult = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation}",
ignoreExitCode: true);
CommandRunnerResult secondResult = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation} --overwrite",
ignoreExitCode: true);
// Assert
firstResult.Success.Should().BeTrue(because: firstResult.AllOutput);
firstResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
secondResult.Success.Should().BeTrue();
secondResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task DotnetSign_SignPackageWithPfxFileOfRelativePath_SuccessAsync()
{
// Arrange
using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf;
var pfxName = Guid.NewGuid().ToString() + ".pfx";
var pfxPath = Path.Combine(pathContext.PackageSource, pfxName);
var password = Guid.NewGuid().ToString();
var pfxBytes = trustedCert.Source.Cert.Export(X509ContentType.Pfx, password);
File.WriteAllBytes(pfxPath, pfxBytes);
//Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} --certificate-path .{Path.DirectorySeparatorChar}{pfxName} --certificate-password {password}",
ignoreExitCode: true);
// Assert
result.Success.Should().BeTrue(because: result.AllOutput);
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task DotnetSign_SignPackageWithOutputDirectory_SucceedsAsync()
{
// Arrange
using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
var outputDir = Path.Combine(pathContext.WorkingDirectory, "Output");
Directory.CreateDirectory(outputDir);
TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf;
//Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation} --output {outputDir}",
ignoreExitCode: true);
var signedPackagePath = Path.Combine(outputDir, "PackageA.1.0.0.nupkg");
// Assert
result.Success.Should().BeTrue(because: result.AllOutput);
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
File.Exists(signedPackagePath).Should().BeTrue();
}
}
public async Task DotnetSign_SignPackageWithUnknownRevocationCertChain_SucceedsAsync()
{
// Arrange
using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
TrustedTestCert <TestCertificate> revocationUnknownCert = _signFixture.RevocationUnknownTestCertificateWithChain;
//Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} --certificate-fingerprint {revocationUnknownCert.Source.Cert.Thumbprint} --certificate-store-name {revocationUnknownCert.StoreName} --certificate-store-location {revocationUnknownCert.StoreLocation}",
ignoreExitCode: true);
// Assert
result.Success.Should().BeTrue(because: result.AllOutput);
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
result.AllOutput.Should().Contain(_chainBuildFailureErrorCode);
result.AllOutput.Should().Contain(X509ChainStatusFlags.RevocationStatusUnknown.ToString());
}
}
public async Task DotnetSign_SignPackageWithTimestamping_SucceedsAsync()
{
// Arrange
using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
var timestampService = await _signFixture.GetDefaultTrustedTimestampServiceAsync();
TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf;
//Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation} --timestamper {timestampService.Url.OriginalString}",
ignoreExitCode: true);
// Assert
result.Success.Should().BeTrue(because: result.AllOutput);
result.AllOutput.Should().NotContain(_noTimestamperWarningCode);
}
}
public async Task DotnetSign_SignPackageWithPfxFileWithoutPasswordAndWithNonInteractive_FailsAsync()
{
// Arrange
using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf;
var pfxPath = Path.Combine(pathContext.WorkingDirectory, Guid.NewGuid().ToString());
var password = Guid.NewGuid().ToString();
var pfxBytes = trustedCert.Source.Cert.Export(X509ContentType.Pfx, password);
File.WriteAllBytes(pfxPath, pfxBytes);
//Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} --certificate-path {pfxPath}",
ignoreExitCode: true);
// Assert
result.Success.Should().BeFalse(because: result.AllOutput);
result.AllOutput.Should().Contain(string.Format(_invalidPasswordError, pfxPath));
}
}
public async Task DotnetTrust_AuthorAction_RelativePathConfileFile_Succeeds(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
string certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource);
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<packageSources>
<!--To inherit the global NuGet package sources remove the <clear/> line below -->
<clear />
<add key=""NuGetSource"" value=""{pathContext.PackageSource}"" />
</packageSources>
<config>
<add key=""signaturevalidationmode"" value=""accept"" />
</config>
<trustedSigners>
</trustedSigners>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile ..{Path.DirectorySeparatorChar}{nugetConfigFileName}");
// Assert
resultAdd.Success.Should().BeTrue();
resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "author", "nuget"));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<packageSources>
<!--To inherit the global NuGet package sources remove the < clear /> line below-->
<clear/>
<add key = ""NuGetSource"" value = ""{pathContext.PackageSource}""/>
</packageSources >
<config>
<add key = ""signaturevalidationmode"" value = ""accept""/>
</config>
< trustedSigners>
<author name = ""nuget"">
<certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/>
</author>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public PrimarySignatureTests(SigningTestFixture fixture)
{
_testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture));
_trustedTestCert = _testFixture.TrustedTestCertificate;
_trustProviders = _testFixture.TrustProviders;
_signingSpecifications = _testFixture.SigningSpecifications;
}
public VerifyCommandTests(SignCommandTestFixture fixture)
{
_testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture));
_trustedTestCert = _testFixture.TrustedTestCertificate;
_nugetExePath = _testFixture.NuGetExePath;
_timestamper = _testFixture.Timestamper;
}
private async Task <CertificateAuthority> CreateDefaultTrustedCertificateAuthorityAsync()
{
var testServer = await _testServer.Value;
var rootCa = CertificateAuthority.Create(testServer.Url);
var intermediateCa = rootCa.CreateIntermediateCertificateAuthority();
var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded());
StoreLocation storeLocation = CertificateStoreUtilities.GetTrustedCertificateStoreLocation();
_trustedTimestampRoot = TrustedTestCert.Create(
rootCertificate,
StoreName.Root,
storeLocation);
var ca = intermediateCa;
while (ca != null)
{
_responders.Add(testServer.RegisterResponder(ca));
_responders.Add(testServer.RegisterResponder(ca.OcspResponder));
ca = ca.Parent;
}
return(intermediateCa);
}
public MSSignCommandTests(MSSignCommandTestFixture fixture)
{
_testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture));
_trustedTestCertWithPrivateKey = _testFixture.TrustedTestCertificateWithPrivateKey;
_trustedTestCertWithoutPrivateKey = _testFixture.TrustedTestCertificateWithoutPrivateKey;
_nugetExePath = _testFixture.NuGetExePath;
}
public IntegrityVerificationProviderTests(SigningTestFixture fixture)
{
_testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture));
_trustedTestCert = _testFixture.TrustedTestCertificate;
_trustProviders = new List <ISignatureVerificationProvider>()
{
new IntegrityVerificationProvider()
};
}
public async Task AcceptsTrustedSigningCertificateWithUnavailableRevocation()
{
// Arrange
var testServer = await _fixture.GetTestServerAsync();
var rootCa = CertificateAuthority.Create(testServer.Url);
var intermediateCa = rootCa.CreateIntermediateCertificateAuthority();
var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded());
var signingCertificate = _fixture.CreateSigningCertificate(intermediateCa);
using (var trust = new TrustedTestCert <X509Certificate2>(
rootCertificate,
x => x,
StoreName.Root,
StoreLocation.LocalMachine))
{
byte[] packageBytes;
using (testServer.RegisterResponders(intermediateCa))
{
packageBytes = await _fixture.GenerateSignedPackageBytesAsync(
TestResources.SignedPackageLeaf1,
signingCertificate,
await _fixture.GetTimestampServiceUrlAsync(),
_output);
}
// Wait one second for the OCSP response cached by the operating system during signing to get stale.
// This can be mitigated by leaving the OCSP unavailable during signing once this work item is done:
// https://github.com/NuGet/Home/issues/6508
await Task.Delay(TimeSpan.FromSeconds(1));
TestUtility.RequireSignedPackage(_corePackageService, TestResources.SignedPackageLeafId, signingCertificate.ComputeSHA256Thumbprint());
_packageStream = new MemoryStream(packageBytes);
SignatureValidatorResult result;
using (testServer.RegisterResponders(intermediateCa, addOcsp: false))
{
// Act
result = await _target.ValidateAsync(
_packageKey,
_packageStream,
_message,
_token);
}
// Assert
VerifyPackageSigningStatus(result, ValidationStatus.Succeeded, PackageSigningStatus.Valid);
Assert.Empty(result.Issues);
var allMessages = string.Join(Environment.NewLine, _logger.Messages);
Assert.Contains("NU3018: The revocation function was unable to check revocation because the revocation server was offline.", allMessages);
Assert.Contains("NU3018: The revocation function was unable to check revocation for the certificate.", allMessages);
}
}
public CertificatesFixture()
{
_defaultCertificate = SigningTestUtility.GenerateCertificate("test", generator => { });
X509Certificate2 _defaultCertificateForTrust = SigningTestUtility.GenerateCertificate("test trusted", generator => { });
_trustedDefaultCertificate = TrustedTestCert.Create(
new X509Certificate2(_defaultCertificateForTrust),
StoreName.My,
StoreLocation.CurrentUser);
}
public async Task VerifySignaturesAsync_WithExpiredPrimarySignature_ValidCountersignature_AndPrimarySignatureExpiredAtCountersignTime_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExists,
revocationMode: RevocationMode.Online);
using (TestDirectory dir = TestDirectory.Create())
using (TrustedTestCert <TestCertificate> trustedCertificate = _testFixture.CreateTrustedTestCertificateThatWillExpireSoon())
using (var willExpireCert = new X509Certificate2(trustedCertificate.Source.Cert))
using (var repoTestCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
willExpireCert,
nupkg,
dir);
await SignatureTestUtility.WaitForCertificateExpirationAsync(willExpireCert);
string countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
repoTestCertificate,
signedPackagePath,
dir,
TestServiceIndexUrl,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(countersignedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
}
}
}
public async Task RejectsUntrustedTimestampingCertificate()
{
// Arrange
var testServer = await _fixture.GetTestServerAsync();
var untrustedRootCa = CertificateAuthority.Create(testServer.Url);
var untrustedRootCertficate = new X509Certificate2(untrustedRootCa.Certificate.GetEncoded());
var timestampService = TimestampService.Create(untrustedRootCa);
using (testServer.RegisterDefaultResponders(timestampService))
{
byte[] packageBytes;
using (var temporaryTrust = new TrustedTestCert <X509Certificate2>(
untrustedRootCertficate,
x => x,
StoreName.Root,
StoreLocation.LocalMachine))
{
packageBytes = await _fixture.GenerateSignedPackageBytesAsync(
TestResources.SignedPackageLeaf1,
await _fixture.GetSigningCertificateAsync(),
timestampService.Url,
_output);
}
TestUtility.RequireSignedPackage(_corePackageService,
TestResources.SignedPackageLeafId,
await _fixture.GetSigningCertificateThumbprintAsync());
_packageStream = new MemoryStream(packageBytes);
_message = new SignatureValidationMessage(
TestResources.SignedPackageLeafId,
TestResources.SignedPackageLeaf1Version,
new Uri($"https://unit.test/validation/{TestResources.SignedPackageLeaf1.ToLowerInvariant()}"),
Guid.NewGuid());
// Act
var result = await _target.ValidateAsync(
_packageKey,
_packageStream,
_message,
_token);
// Assert
VerifyPackageSigningStatus(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
var issue = Assert.Single(result.Issues);
var clientIssue = Assert.IsType <ClientSigningVerificationFailure>(issue);
Assert.Equal("NU3028", clientIssue.ClientCode);
Assert.Equal(
"A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.",
clientIssue.ClientMessage);
}
}
public async Task DotnetTrust_RepositoryAction_Succeeds(bool allowUntrustedRoot, string owners)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
var ownersArgs = string.Empty;
var expectedOwners = string.Empty;
if (owners != null)
{
ownersArgs = $"--owners {owners}";
expectedOwners = $"<owners>{owners}</owners>";
}
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust repository nuget {signedPackagePath} {allowUntrustedRootArg} {ownersArgs} --configfile {nugetConfigPath}");
// Assert
resultAdd.Success.Should().BeTrue();
resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "repository", "nuget"));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
< trustedSigners>
<repository name = ""nuget"" serviceIndex=""https://serviceindex.test/v3/index.json"">
< certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/>{expectedOwners}
</repository>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public async Task DotnetTrust_CertificateFingerPrintAction_WithExistingSigner_AppendSucceeds(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var config = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<author name=""MyCompanyCert"">
<certificate fingerprint=""abcdefg"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
</trustedSigners>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
var authorName = "MyCompanyCert";
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}");
// Assert
resultAdd.Success.Should().BeTrue();
resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, "Successfully updated the trusted signer '{0}'.", authorName));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
< trustedSigners>
<author name = ""{authorName}"">
< certificate fingerprint = ""abcdefg"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""false""/>
< certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/>
</author>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public AllowListVerificationProviderTests(SigningTestFixture fixture)
{
_testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture));
_trustedTestCert = _testFixture.TrustedTestCertificate;
_settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowUntrustedSelfIssuedCertificate: true,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true);
}
private async Task <CertificateAuthority> CreateDefaultTrustedRootCertificateAuthorityAsync()
{
var testServer = await GetTestServerAsync();
var rootCa = CertificateAuthority.Create(testServer.Url);
var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded());
_trustedRoot = new TrustedTestCert <X509Certificate2>(
rootCertificate,
certificate => certificate,
StoreName.Root,
StoreLocation.LocalMachine);
return(rootCa);
}
private void CreateSignedPackageWithExpiredCertificate()
{
_expiredSignedTestPackageV1Directory = TestDirectory.Create();
_trustedExpiredTestCert = SigningTestUtility.GenerateTrustedTestCertificateThatExpiresIn5Seconds();
_expiredSignedTestPackageV1 = Utils.CreatePackage(_expiredTestPackageName, _packageVersion);
_expiredSignedTestPackageV1.AuthorSignatureCertificate = _trustedExpiredTestCert.Source.Cert;
SimpleTestPackageUtility.CreatePackages(_expiredSignedTestPackageV1Directory, _expiredSignedTestPackageV1);
_expiredSignedTestPackageV1Path = Path.Combine(_expiredSignedTestPackageV1Directory, _expiredSignedTestPackageV1.PackageName);
// Wait for cert to expire
Thread.Sleep(5000);
Assert.True(IsCertificateExpired(_trustedExpiredTestCert.Source.Cert));
}
private async Task <CertificateAuthority> CreateDefaultTrustedRootCertificateAuthorityAsync()
{
var testServer = await GetTestServerAsync();
var rootCa = CertificateAuthority.Create(testServer.Url);
var rootCertificate = rootCa.Certificate.ToX509Certificate2();
_trustedRoot = new TrustedTestCert <X509Certificate2>(
rootCertificate,
certificate => certificate,
StoreName.Root,
StoreLocation.LocalMachine);
_responders.AddRange(testServer.RegisterResponders(rootCa));
return(rootCa);
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_CorrectOwners_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
TrustedTestCert <TestCertificate> cert = _testFixture.TrustedTestCertificateChain.Leaf;
using (var pathContext = new SimpleTestPathContext())
{
var package = new SimpleTestPackageContext();
string certFingerprint = SignatureTestUtility.GetFingerprint(cert.Source.Cert, HashAlgorithmName.SHA256);
var packageOwners = new List <string>()
{
"nuget",
"contoso"
};
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(cert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex), null, packageOwners);
string testDirectory = pathContext.WorkingDirectory;
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}"">
<certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
<owners>nuget;Contoso</owners>
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"-CertificateFingerprint {certFingerprint};def" : string.Empty;
//Act
CommandRunnerResult verifyResult = CommandRunner.Run(
_nugetExePath,
pathContext.PackageSource,
$"verify {signedPackagePath} -Signatures {fingerprint}",
waitForExit: true);
// Assert
// For certificate with trusted root setting allowUntrustedRoot value true/false doesn't matter.
// Owners is casesensitive, here owner "nuget" matches
verifyResult.Success.Should().BeTrue();
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_WrongOwners_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
TrustedTestCert <TestCertificate> cert = _signFixture.TrustedTestCertificateChain.Leaf;
using (var pathContext = new SimpleTestPathContext())
{
var package = new SimpleTestPackageContext();
string certFingerprint = SignatureTestUtility.GetFingerprint(cert.Source.Cert, HashAlgorithmName.SHA256);
var packageOwners = new List <string>()
{
"nuget",
"contoso"
};
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(cert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex), null, packageOwners);
string testDirectory = pathContext.WorkingDirectory;
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}"">
<certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
<owners>Nuget;Contoso</owners>
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certFingerprint} --certificate-fingerprint DEF" : string.Empty;
//Act
CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
testDirectory,
$"nuget verify {signedPackagePath} {fingerprint}",
ignoreExitCode: true);
// Assert
// Owners is casesensitive, owner info should be "nuget;contoso" not "Nuget;Contoso"
verifyResult.Success.Should().BeFalse();
verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
}
}
public async Task DotnetTrust_CertificateFingerPrintAction_TryAddSameFingerPrint_Fails(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
var authorName = "MyCompanyCert";
// Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}");
// Assert
result.Success.Should().BeTrue();
result.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "author", authorName));
// Try to add same certificate fingerprint should fail
result = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}", ignoreExitCode: true);
// Main assert
result.Success.Should().BeFalse();
result.AllOutput.Should().Contain("The certificate finger you're trying to add is already in the certificate fingerprint list");
result.AllOutput.Should().NotContain("--help");
}
}
public async Task DotnetTrust_RemoveAction_Succeeds()
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var repositoryName = "nuget";
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<repository name = ""{repositoryName}"" serviceIndex=""https://serviceindex.test/v3/index.json"">
<certificate fingerprint=""abcdef"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false""/>
</repository>
</trustedSigners>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
// Act
CommandRunnerResult resultSync = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust remove {repositoryName} --configfile {nugetConfigPath}");
// Assert
resultSync.Success.Should().BeTrue();
resultSync.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulRemoveTrustedSigner, repositoryName));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public async Task VerifySignaturesAsync_WithSignedTimestampedCountersignedAndCountersignatureTimestampedPackage_SucceedsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (TestDirectory dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
using (TrustedTestCert <TestCertificate> trusted = SigningTestUtility.GenerateTrustedTestCertificate())
using (var counterCertificate = new X509Certificate2(trusted.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
testCertificate,
nupkg,
dir,
timestampService.Url);
string repositorySignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
counterCertificate,
signedPackagePath,
dir,
TestServiceIndexUrl,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(repositorySignedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(
packageReader,
_verifyCommandSettings,
CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task DotnetTrust_AuthorAction_TryAddSameAuthor_Fails(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
string certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource);
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile {nugetConfigPath}");
// Assert
resultAdd.Success.Should().BeTrue();
// Try to add same author again.
resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile {nugetConfigPath}", ignoreExitCode: true);
// Main assert
resultAdd.Success.Should().BeFalse();
resultAdd.AllOutput.Should().Contain("error: A trusted signer 'nuget' already exists.");
resultAdd.AllOutput.Should().NotContain("--help");
}
}
