public void GetCertificateChain_WhenCertChainNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => CertificateChainUtility.GetCertificateChain(x509Chain: null));
Assert.Equal("x509Chain", exception.ParamName);
}
public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var logger = new TestLogger();
using (var chain = CertificateChainUtility.GetCertificateChain(
certificate,
new X509Certificate2Collection(),
logger,
CertificateType.Signature))
{
Assert.Equal(1, chain.Count);
Assert.NotSame(certificate, chain[0]);
Assert.True(certificate.RawData.SequenceEqual(chain[0].RawData));
}
Assert.Equal(0, logger.Errors);
Assert.Equal(RuntimeEnvironmentHelper.IsWindows ? 1 : 2, logger.Warnings);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
if (!RuntimeEnvironmentHelper.IsWindows)
{
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
}
}
}
public async Task GetTimestampAsync_AssertCompleteChain_SuccessAsync()
{
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var nupkg = new SimpleTestPackageContext();
using (var authorCert = new X509Certificate2(_trustedTestCert.Source.Cert))
using (var packageStream = await nupkg.CreateAsStreamAsync())
{
// Act
AuthorPrimarySignature signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(authorCert, packageStream, timestampProvider);
var authorSignedCms = signature.SignedCms;
var timestamp = signature.Timestamps.First();
var timestampCms = timestamp.SignedCms;
IX509CertificateChain certificateChain;
var chainBuildSuccess = true;
// rebuild the chain to get the list of certificates
using (var chainHolder = new X509ChainHolder())
{
var chain = chainHolder.Chain;
var policy = chain.ChainPolicy;
policy.ApplicationPolicy.Add(new Oid(Oids.TimeStampingEku));
policy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
policy.RevocationMode = X509RevocationMode.Online;
var timestampSignerCertificate = timestampCms.SignerInfos[0].Certificate;
chainBuildSuccess = chain.Build(timestampSignerCertificate);
certificateChain = CertificateChainUtility.GetCertificateChain(chain);
}
using (certificateChain)
{
// Assert
authorSignedCms.Should().NotBeNull();
authorSignedCms.Detached.Should().BeFalse();
authorSignedCms.ContentInfo.Should().NotBeNull();
authorSignedCms.SignerInfos.Count.Should().Be(1);
authorSignedCms.SignerInfos[0].UnsignedAttributes.Count.Should().Be(1);
authorSignedCms.SignerInfos[0].UnsignedAttributes[0].Oid.Value.Should().Be(Oids.SignatureTimeStampTokenAttribute);
timestampCms.Should().NotBeNull();
timestampCms.Detached.Should().BeFalse();
timestampCms.ContentInfo.Should().NotBeNull();
chainBuildSuccess.Should().BeTrue();
certificateChain.Count.Should().Be(timestampCms.Certificates.Count);
foreach (var cert in certificateChain)
{
timestampCms.Certificates.Contains(cert).Should().BeTrue();
}
}
}
}
public void Sertifikat_exception_on_invalid_certificate()
{
Assert.Throws <SertifikatException>(
() => SenderCertificateValidator.ValidateAndThrowIfInvalid(
GetAvsenderTestCertificate(),
CertificateChainUtility.ProduksjonsSertifikater())
);
}
public void DebugMesages()
{
var i = 0;
foreach (var certificate in CertificateChainUtility.FunksjoneltTestmiljøSertifikater())
{
Trace.WriteLine($"{i++}: Issuer `{certificate.Issuer}`, thumbprint `{certificate.Thumbprint}`");
}
}
public void GetCertificateChainForSigning_WhenLoggerNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => CertificateChainUtility.GetCertificateChainForSigning(
new X509Certificate2(),
new X509Certificate2Collection(),
logger: null));
Assert.Equal("logger", exception.ParamName);
}
public void GetCertificateChainForSigning_WhenExtraStoreNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => CertificateChainUtility.GetCertificateChainForSigning(
new X509Certificate2(),
extraStore: null,
logger: NullLogger.Instance));
Assert.Equal("extraStore", exception.ParamName);
}
public void BuildWithPolicy_WhenChainIsNull_Throws()
{
using (X509Certificate2 certificate = _fixture.GetDefaultCertificate())
{
ArgumentNullException exception = Assert.Throws <ArgumentNullException>(
() => CertificateChainUtility.BuildWithPolicy(chain: null, certificate));
Assert.Equal("chain", exception.ParamName);
}
}
public void BuildWithPolicy_WhenCertificateIsNull_Throws()
{
using (var chain = new X509Chain())
{
ArgumentNullException exception = Assert.Throws <ArgumentNullException>(
() => CertificateChainUtility.BuildWithPolicy(chain, certificate: null));
Assert.Equal("certificate", exception.ParamName);
}
}
public void Returns_ok_if_valid_certificate_and_chain()
{
//Arrange
var funksjoneltTestmiljøSertifikater = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
//Act
var result = CertificateValidator.ValidateCertificateAndChain(CertificateResource.UnitTests.GetPostenCertificate(), "984661185", funksjoneltTestmiljøSertifikater);
//Assert
Assert.Equal(CertificateValidationType.Valid, result.Type);
}
public void Returns_fail_if_invalid_certificate_chain()
{
//Arrange
var funksjoneltTestmiljøSertifikater = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
//Act
var result = CertificateValidator.ValidateCertificateAndChain(CertificateResource.UnitTests.GetValidSelfSignedTestCertificate(), "988015814", funksjoneltTestmiljøSertifikater);
//Assert
Assert.Equal(CertificateValidationType.InvalidChain, result.Type);
}
public void GetCertificateChain_WhenCertificateNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => CertificateChainUtility.GetCertificateChain(
certificate: null,
extraStore: new X509Certificate2Collection(),
logger: NullLogger.Instance,
certificateType: CertificateType.Signature));
Assert.Equal("certificate", exception.ParamName);
}
public void GetCertificateChain_WhenCertificateTypeUndefined_Throws()
{
var exception = Assert.Throws <ArgumentException>(
() => CertificateChainUtility.GetCertificateChain(
new X509Certificate2(),
new X509Certificate2Collection(),
NullLogger.Instance,
(CertificateType)int.MaxValue));
Assert.Equal("certificateType", exception.ParamName);
}
public void Returns_fail_if_self_signed_certificate()
{
//Arrange
var funksjoneltTestmiljøSertifikater = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
//Act
var result = CertificateValidator.ValidateCertificateAndChainInternal(CertificateResource.UnitTests.GetValidSelfSignedTestCertificate(), "988015814", funksjoneltTestmiljøSertifikater);
//Assert
Assert.Equal(CertificateValidationType.InvalidChain, result.Type);
Assert.Contains("is invalid because the chain length is 1", result.Message);
}
public void Returns_fail_if_certificate_error()
{
//Arrange
var funksjoneltTestmiljøSertifikater = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
//Act
var result = CertificateValidator.ValidateCertificateAndChainInternal(CertificateResource.UnitTests.GetExpiredSelfSignedTestCertificate(), "988015814", funksjoneltTestmiljøSertifikater);
//Assert
Assert.Equal(CertificateValidationType.InvalidCertificate, result.Type);
Assert.Contains("expired on", result.Message);
}
public void Returnerer_initialisert_produksjonsmiljø_norsk_helsenett()
{
//Arrange
var url = "https://meldingsformidler.nhn.digipost.no:4444/api/";
var miljø = Miljø.ProduksjonsmiljøNorskHelsenett;
var sertifikater = CertificateChainUtility.ProduksjonsSertifikater();
//Act
//Assert
Assert.Equal(url, miljø.Url.ToString());
Assert.Equal(sertifikater, miljø.GodkjenteKjedeSertifikater);
}
public void Valid_with_correct_root_and_intermediate()
{
//Arrange
var productionCertificate = CertificateResource.UnitTests.GetProduksjonsMottakerSertifikatOppslagstjenesten();
var certificateChainValidator = new CertificateChainValidator(CertificateChainUtility.ProduksjonsSertifikater());
//Act
var result = certificateChainValidator.Validate(productionCertificate);
//Assert
Assert.Equal(CertificateValidationType.Valid, result.Type);
Assert.Contains("et gyldig sertifikat", result.Message);
}
public void Fails_with_self_signed_certificate()
{
//Arrange
var selfSignedCertificate = CertificateResource.UnitTests.GetEnhetstesterSelvsignertSertifikat();
var certificateChainValidator = new CertificateChainValidator(CertificateChainUtility.ProduksjonsSertifikater());
//Act
var result = certificateChainValidator.Validate(selfSignedCertificate);
//Assert
Assert.Equal(CertificateValidationType.InvalidChain, result.Type);
Assert.Contains("sertifikatet er selvsignert", result.Message);
}
public void Fails_with_wrong_root_and_intermediate()
{
//Arrange
var productionCertificate = CertificateResource.UnitTests.GetProduksjonsMottakerSertifikatOppslagstjenesten();
//Act
var certificateChainValidator = new CertificateChainValidator(CertificateChainUtility.FunksjoneltTestmiljøSertifikater());
var result = certificateChainValidator.Validate(productionCertificate);
//Assert
Assert.Equal(CertificateValidationType.InvalidChain, result.Type);
Assert.Contains("blir hentet fra Certificate Store på Windows", result.Message);
}
public void Gets_initialize_localhost_environment()
{
//Arrange
var url = new Uri("https://localhost:8443");
var certificates = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
//Act
var environment = Environment.Localhost;
//Assert
Assert.Equal(url, environment.Url);
Assert.Equal(certificates, environment.AllowedChainCertificates);
}
public void Gets_initialized_production_environment()
{
//Arrange
var url = new Uri("https://api.signering.posten.no");
var certificates = CertificateChainUtility.ProduksjonsSertifikater();
//Act
var environment = Environment.Production;
//Assert
Assert.Equal(url, environment.Url);
Assert.Equal(certificates, environment.AllowedChainCertificates);
}
public void Gets_initialized_difi_test_environment()
{
//Arrange
var url = new Uri("https://api.difitest.signering.posten.no");
var certificates = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
//Act
var environment = Environment.DifiTest;
//Assert
Assert.Equal(url, environment.Url);
Assert.Equal(certificates, environment.AllowedChainCertificates);
}
public void ReturnererFireSertifikaterMedThumbprint()
{
//Arrange
var sertifikater = CertificateChainUtility.ProduksjonsSertifikater();
//Act
//Assert
foreach (var sertifikat in sertifikater)
{
Assert.NotNull(sertifikat.Thumbprint);
}
}
public void Returnerer_initialisert_funksjonelt_testmiljø_norsk_helsenett()
{
//Arrange
var url = "https://qaoffentlig.meldingsformidler.nhn.digipost.no:4445/api/";
var miljø = Miljø.FunksjoneltTestmiljøNorskHelsenett;
var sertifikater = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
//Act
//Assert
Assert.Equal(url, miljø.Url.AbsoluteUri);
Assert.Equal(sertifikater, miljø.GodkjenteKjedeSertifikater);
}
public void Returns_four_certificates_with_thumbprint()
{
//Arrange
var certificates = CertificateChainUtility.ProduksjonsSertifikater();
//Act
//Assert
Assert.Equal(4, certificates.Count);
foreach (var certificate in certificates)
{
Assert.NotNull(certificate.Thumbprint);
}
}
public void Returns_initialized_production_environment()
{
//Arrange
var environment = Miljø.Produksjonsmiljø;
const string url = "https://kontaktinfo-ws.difi.no/kontaktinfo-external/ws-v5";
var requestCertificates = CertificateChainUtility.ProduksjonsSertifikater();
var responseCertificates = CertificateChainUtility.ProduksjonsSertifikater();
//Act
//Assert
Assert.Equal(url, environment.Url.ToString());
Assert.Equal(requestCertificates, environment.GodkjenteKjedeSertifikaterForRequest);
Assert.Equal(responseCertificates, environment.GodkjenteKjedeSertifikaterForRespons);
}
public void Returns_initialized_functional_test_environment_ver1()
{
//Arrange
var environment = Miljø.FunksjoneltTestmiljøVerifikasjon1;
const string url = "https://kontaktinfo-ws-ver1.difi.no/kontaktinfo-external/ws-v5";
var requestCertificates = CertificateChainUtility.FunksjoneltTestmiljøSertifikater();
var responseCertificates = CertificateChainUtility.ProduksjonsSertifikater();
//Act
//Assert
Assert.Equal(url, environment.Url.AbsoluteUri);
Assert.Equal(requestCertificates, environment.GodkjenteKjedeSertifikaterForRequest);
Assert.Equal(responseCertificates, environment.GodkjenteKjedeSertifikaterForRespons);
}
public void GetCertificateChain_WithUntrustedRoot_Throws()
{
using (var chainHolder = new X509ChainHolder())
using (var rootCertificate = SigningTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SigningTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SigningTestUtility.GetCertificate("leaf.crt"))
{
var chain = chainHolder.Chain;
var extraStore = new X509Certificate2Collection()
{
rootCertificate, intermediateCertificate
};
var logger = new TestLogger();
var exception = Assert.Throws <SignatureException>(
() => CertificateChainUtility.GetCertificateChain(
leafCertificate,
extraStore,
logger,
CertificateType.Signature));
Assert.Equal(NuGetLogCode.NU3018, exception.Code);
Assert.Equal("Certificate chain validation failed.", exception.Message);
Assert.Equal(1, logger.Errors);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Error);
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
if (RuntimeEnvironmentHelper.IsWindows)
{
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
}
else if (RuntimeEnvironmentHelper.IsLinux)
{
#if NETCORE5_0
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
#else
Assert.Equal(1, logger.Warnings);
#endif
}
else
{
Assert.Equal(1, logger.Warnings);
}
}
}
private static bool IsValid(X509Certificate2 certificate, X509Certificate2Collection extraStore)
{
try
{
using (var chain = CertificateChainUtility.GetCertificateChain(
certificate,
extraStore,
NullLogger.Instance,
CertificateType.Signature))
{
return(chain != null && chain.Count > 0);
}
}
catch (SignatureException)
{
return(false);
}
}
public void GetCertificateListFromChain_ReturnsCertificatesInOrder()
{
using (var chainHolder = new X509ChainHolder())
using (var rootCertificate = SignTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SignTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SignTestUtility.GetCertificate("leaf.crt"))
{
var chain = chainHolder.Chain;
chain.ChainPolicy.ExtraStore.Add(rootCertificate);
chain.ChainPolicy.ExtraStore.Add(intermediateCertificate);
chain.Build(leafCertificate);
var certificateChain = CertificateChainUtility.GetCertificateListFromChain(chain);
Assert.Equal(3, certificateChain.Count);
Assert.Equal(leafCertificate.Thumbprint, certificateChain[0].Thumbprint);
Assert.Equal(intermediateCertificate.Thumbprint, certificateChain[1].Thumbprint);
Assert.Equal(rootCertificate.Thumbprint, certificateChain[2].Thumbprint);
}
}
