private static PrimarySignature AddCertificates(SignedCms destination, SignedCms source)
{
using (var readStream = new MemoryStream(destination.Encode()))
using (var writeStream = new MemoryStream())
{
var certificates = GetBouncyCastleCertificates(destination)
.Concat(GetBouncyCastleCertificates(source))
.Distinct()
.ToList();
var certificateStore = X509StoreFactory.Create(
"Certificate/" + BouncyCastleCollection,
new X509CollectionStoreParameters(certificates));
var crlStore = new CmsSignedData(destination.Encode()).GetCrls(BouncyCastleCollection);
var attributeCertificateStore = new CmsSignedData(destination.Encode()).GetAttributeCertificates(BouncyCastleCollection);
CmsSignedDataParser.ReplaceCertificatesAndCrls(
readStream,
certificateStore,
crlStore,
attributeCertificateStore,
writeStream);
return(PrimarySignature.Load(writeStream.ToArray()));
}
}
public void TestCertStoreReplacement()
{
IList certList = new ArrayList();
MemoryStream bOut = new MemoryStream();
byte[] data = Encoding.ASCII.GetBytes(TestMessage);
certList.Add(OrigDsaCert);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
Stream sigOut = gen.Open(bOut);
sigOut.Write(data, 0, data.Length);
sigOut.Close();
CheckSigParseable(bOut.ToArray());
//
// create new certstore with the right certificates
//
certList = new ArrayList();
certList.Add(OrigCert);
certList.Add(SignCert);
x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
//
// replace certs
//
MemoryStream original = new MemoryStream(bOut.ToArray(), false);
MemoryStream newOut = new MemoryStream();
CmsSignedDataParser.ReplaceCertificatesAndCrls(original, x509Certs, null, null, newOut);
CmsSignedDataParser sp = new CmsSignedDataParser(new CmsTypedStream(new MemoryStream(data, false)), newOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
}
public async Task Load_WithReissuedSigningCertificate_ThrowsAsync()
{
var certificates = _testFixture.TrustedTestCertificateWithReissuedCertificate;
var packageContext = new SimpleTestPackageContext();
using (var directory = TestDirectory.Create())
using (var certificate1 = new X509Certificate2(certificates[0].Source.Cert))
using (var certificate2 = new X509Certificate2(certificates[1].Source.Cert))
{
var packageFilePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate1,
packageContext,
directory);
using (var packageReader = new PackageArchiveReader(packageFilePath))
{
var signature = (await packageReader.GetPrimarySignatureAsync(CancellationToken.None));
var certificateStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(
new[] { Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate2) }));
var emptyCertificateStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Certificate>()));
var crlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Crl>()));
var bytes = signature.SignedCms.Encode();
using (var readStream = new MemoryStream(bytes))
using (var writeStream = new MemoryStream())
{
CmsSignedDataParser.ReplaceCertificatesAndCrls(
readStream,
certificateStore,
crlStore,
emptyCertificateStore,
writeStream);
var exception = Assert.Throws <SignatureException>(
() => PrimarySignature.Load(writeStream.ToArray()));
Assert.Equal(NuGetLogCode.NU3011, exception.Code);
Assert.Equal("A certificate referenced by the signing-certificate-v2 attribute could not be found.", exception.Message);
}
}
}
}
public async Task Load_WithPrimarySignatureWithNoCertificates_ThrowsAsync()
{
var packageContext = new SimpleTestPackageContext();
using (var directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageFilePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory);
var signatureFileBytes = ReadSignatureFile(packageFilePath);
var signedCms = new SignedCms();
signedCms.Decode(signatureFileBytes);
var certificateStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Certificate>()));
var crlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Crl>()));
using (var readStream = new MemoryStream(signedCms.Encode()))
using (var writeStream = new MemoryStream())
{
CmsSignedDataParser.ReplaceCertificatesAndCrls(
readStream,
certificateStore,
crlStore,
certificateStore,
writeStream);
signedCms.Decode(writeStream.ToArray());
}
Assert.Empty(signedCms.Certificates);
var exception = Assert.Throws <SignatureException>(
() => PrimarySignature.Load(signedCms));
Assert.Equal(NuGetLogCode.NU3010, exception.Code);
Assert.Contains("The primary signature does not have a signing certificate.", exception.Message);
}
}
public void TestEncapsulatedCertStoreReplacement()
{
MemoryStream bOut = new MemoryStream();
IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigDsaCert);
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
Stream sigOut = gen.Open(bOut, true);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
//
// create new certstore with the right certificates
//
x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
//
// replace certs
//
MemoryStream original = new MemoryStream(bOut.ToArray(), false);
MemoryStream newOut = new MemoryStream();
CmsSignedDataParser.ReplaceCertificatesAndCrls(original, x509Certs, null, null, newOut);
CmsSignedDataParser sp = new CmsSignedDataParser(newOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
}
private static PrimarySignature GeneratePrimarySignatureWithNoCertificates(PrimarySignature signature)
{
var certificateStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Certificate>()));
var crlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Crl>()));
var bytes = signature.SignedCms.Encode();
using (var readStream = new MemoryStream(bytes))
using (var writeStream = new MemoryStream())
{
CmsSignedDataParser.ReplaceCertificatesAndCrls(
readStream,
certificateStore,
crlStore,
certificateStore,
writeStream);
return(PrimarySignature.Load(writeStream.ToArray()));
}
}
