コード例 #1
0
        [PlatformFact(Platform.Windows, Platform.Linux)] // https://github.com/NuGet/Home/issues/8047
        public void Verify_WhenChainBuildingFails_Throws()
        {
            using (var certificate = _fixture.GetExpiredCertificate())
                using (var request = CreateRequest(certificate))
                {
                    var logger = new TestLogger();

                    var exception = Assert.Throws <SignatureException>(
                        () => SigningUtility.Verify(request, logger));

                    Assert.Equal(NuGetLogCode.NU3018, exception.Code);
                    Assert.Equal("Certificate chain validation failed.", exception.Message);

                    Assert.Equal(1, logger.Errors);

                    if (RuntimeEnvironmentHelper.IsLinux)
                    {
                        Assert.Equal(2, logger.Warnings);
                        SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
                    }
                    else
                    {
                        Assert.Equal(1, logger.Warnings);
                    }

                    SigningTestUtility.AssertNotTimeValid(logger.LogMessages, LogLevel.Error);
                    SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
                }
        }
コード例 #2
0
        public void Verify_WithUntrustedSelfSignedCertificate_Succeeds()
        {
            using (var certificate = _fixture.GetDefaultCertificate())
                using (var request = CreateRequest(certificate))
                {
                    var logger = new TestLogger();

                    SigningUtility.Verify(request, logger);

                    Assert.Equal(0, logger.Errors);
#if (IS_DESKTOP || NETCORE5_0)
                    Assert.Equal(1, logger.Warnings);
#else
                    Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings);
#endif

                    SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);


#if !NETCORE5_0
                    if (RuntimeEnvironmentHelper.IsLinux)
                    {
                        SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
                    }
#endif
                }
        }
コード例 #3
0
        public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain()
        {
            using (var certificate = _fixture.GetDefaultCertificate())
            {
                var logger = new TestLogger();

                using (var chain = CertificateChainUtility.GetCertificateChain(
                           certificate,
                           new X509Certificate2Collection(),
                           logger,
                           CertificateType.Signature))
                {
                    Assert.Equal(1, chain.Count);
                    Assert.NotSame(certificate, chain[0]);
                    Assert.True(certificate.RawData.SequenceEqual(chain[0].RawData));
                }

                Assert.Equal(0, logger.Errors);
#if (IS_DESKTOP || NETCORE5_0)
                Assert.Equal(1, logger.Warnings);
#else
                Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings);
#endif
                SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);

#if !NETCORE5_0
                if (RuntimeEnvironmentHelper.IsLinux)
                {
                    SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
                }
#endif
            }
        }
コード例 #4
0
        public void GetCertificateChain_WithUntrustedRoot_Throws()
        {
            using (var chainHolder = new X509ChainHolder())
                using (var rootCertificate = SigningTestUtility.GetCertificate("root.crt"))
                    using (var intermediateCertificate = SigningTestUtility.GetCertificate("intermediate.crt"))
                        using (var leafCertificate = SigningTestUtility.GetCertificate("leaf.crt"))
                        {
                            var chain      = chainHolder.Chain;
                            var extraStore = new X509Certificate2Collection()
                            {
                                rootCertificate, intermediateCertificate
                            };
                            var logger = new TestLogger();

                            var exception = Assert.Throws <SignatureException>(
                                () => CertificateChainUtility.GetCertificateChain(
                                    leafCertificate,
                                    extraStore,
                                    logger,
                                    CertificateType.Signature));

                            Assert.Equal(NuGetLogCode.NU3018, exception.Code);
                            Assert.Equal("Certificate chain validation failed.", exception.Message);

                            Assert.Equal(1, logger.Errors);
                            SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Error);

                            SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
                            if (RuntimeEnvironmentHelper.IsWindows)
                            {
                                Assert.Equal(2, logger.Warnings);
                                SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
                            }
                            else if (RuntimeEnvironmentHelper.IsLinux)
                            {
#if NETCORE5_0
                                Assert.Equal(2, logger.Warnings);
                                SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
#else
                                Assert.Equal(1, logger.Warnings);
#endif
                            }
                            else
                            {
                                Assert.Equal(1, logger.Warnings);
                            }
                        }
        }
コード例 #5
0
        public async Task Timestamp_Verify_WithOfflineRevocation_ReturnsCorrectFlagsAndLogsAsync()
        {
            var nupkg = new SimpleTestPackageContext();

            using (var testServer = await SigningTestServer.CreateAsync())
                using (var responders = new DisposableList <IDisposable>())
                    using (var packageStream = await nupkg.CreateAsStreamAsync())
                        using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
                        {
                            CertificateAuthority rootCa         = CertificateAuthority.Create(testServer.Url);
                            CertificateAuthority intermediateCa = rootCa.CreateIntermediateCertificateAuthority();

                            responders.Add(testServer.RegisterResponder(intermediateCa));
                            responders.Add(testServer.RegisterResponder(rootCa));

                            StoreLocation storeLocation = CertificateStoreUtilities.GetTrustedCertificateStoreLocation();

                            using (var trustedServerRoot = TrustedTestCert.Create(
                                       new X509Certificate2(rootCa.Certificate.GetEncoded()),
                                       StoreName.Root,
                                       storeLocation))
                            {
                                var timestampService = TimestampService.Create(intermediateCa);

                                responders.Add(testServer.RegisterResponder(timestampService));

                                var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);

                                AuthorPrimarySignature signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(testCertificate, packageStream, timestampProvider);

                                var timestamp = signature.Timestamps.First();

                                var settings = new SignedPackageVerifierSettings(
                                    allowUnsigned: false,
                                    allowUntrusted: false,
                                    allowIllegal: false,
                                    allowIgnoreTimestamp: false,
                                    allowMultipleTimestamps: false,
                                    allowNoTimestamp: false,
                                    allowUnknownRevocation: false,
                                    reportUnknownRevocation: true,
                                    verificationTarget: VerificationTarget.All,
                                    signaturePlacement: SignaturePlacement.Any,
                                    repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Always,
                                    revocationMode: RevocationMode.Online);

                                var logs = new List <SignatureLog>();

                                var result = timestamp.Verify(signature, settings, HashAlgorithmName.SHA256, logs);

                                result.HasFlag(SignatureVerificationStatusFlags.UnknownRevocation).Should().BeTrue();

                                var errors = logs.Where(l => l.Level == LogLevel.Error);

                                if (RuntimeEnvironmentHelper.IsMacOSX)
                                {
                                    errors.Count().Should().Be(1);
                                }
                                else
                                {
                                    errors.Count().Should().Be(2);
                                    SigningTestUtility.AssertOfflineRevocationOnlineMode(errors, LogLevel.Error, NuGetLogCode.NU3028);
                                }
                                SigningTestUtility.AssertRevocationStatusUnknown(errors, LogLevel.Error, NuGetLogCode.NU3028);
                            }
                        }
        }