public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync()
{
ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
var serviceOptions = new TimestampServiceOptions()
{
Accuracy = accuracy
};
TimestampService timestampService = TimestampService.Create(ca, serviceOptions);
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (testServer.RegisterResponder(timestampService))
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult result = results.Results.Single();
Assert.False(results.IsValid);
Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));
Assert.Contains(result.Issues, issue =>
issue.Code == NuGetLogCode.NU3037 &&
issue.Level == LogLevel.Error &&
issue.Message.Contains("validity period has expired."));
}
}
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_Success()
{
var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
var bcCertificate = ca.IssueCertificate(issueOptions);
using (var certificate = new X509Certificate2(bcCertificate.GetEncoded()))
using (var directory = TestDirectory.Create())
{
certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
var notAfter = certificate.NotAfter.ToUniversalTime();
var packageContext = new SimpleTestPackageContext();
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
var waitDuration = (notAfter - DateTimeOffset.UtcNow).Add(TimeSpan.FromSeconds(1));
// Wait for the certificate to expire. Trust of the signature will require a valid timestamp.
await Task.Delay(waitDuration);
Assert.True(DateTime.UtcNow > notAfter);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
var result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
var trustProvider = result.Results.Single();
Assert.True(result.Valid);
Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
}
}
}
private async Task <X509Certificate2> CreateDefaultRepositorySigningCertificateAsync()
{
var ca = await CreateDefaultTrustedCertificateAuthorityAsync();
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotBefore = DateTimeOffset.UtcNow.AddSeconds(-2),
NotAfter = DateTimeOffset.UtcNow.AddHours(1),
SubjectName = new X509Name("CN=NuGet Cross Verify Test Repository Signning Certificate")
};
var bcCertificate = ca.IssueCertificate(issueOptions);
return(CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair));
}
public async Task <X509Certificate2> GetWeakSignatureParentSigningCertificateAsync()
{
var testServer = await GetTestServerAsync();
var rootCa = await GetRootCertificateAuthority();
var issueOptions = IssueCertificateOptions.CreateDefaultForIntermediateCertificateAuthority();
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 512);
issueOptions.KeyPair = keyPair;
var intermediateCa = rootCa.CreateIntermediateCertificateAuthority(issueOptions);
var responders = GetResponders();
responders.AddRange(testServer.RegisterResponders(intermediateCa));
return(CreateSigningCertificate(intermediateCa));
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_SuccessAsync()
{
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult trustProvider = result.Results.Single();
Assert.True(result.IsValid);
Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
}
}
}
public CertificatesFixture()
{
DefaultKeyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
_defaultCertificate = SigningTestUtility.GenerateCertificate("test", DefaultKeyPair);
_rsaSsaPssCertificate = SigningTestUtility.GenerateCertificate("test", generator => { }, "SHA256WITHRSAANDMGF1");
_lifetimeSigningCertificate = SigningTestUtility.GenerateCertificate(
"test",
generator =>
{
generator.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
critical: true,
extensionValue: new DerSequence(new DerObjectIdentifier(Oids.LifetimeSigningEku)));
});
_expiredCertificate = SigningTestUtility.GenerateCertificate(
"test",
SigningTestUtility.CertificateModificationGeneratorExpiredCert);
_notYetValidCertificate = SigningTestUtility.GenerateCertificate(
"test",
SigningTestUtility.CertificateModificationGeneratorNotYetValidCert);
_nonSelfSignedCertificate = SigningTestUtility.GenerateCertificate(
"test non-self-signed certificate", // Must be different than the issuing certificate's subject name.
generator => { },
chainCertificateRequest: new ChainCertificateRequest()
{
Issuer = _defaultCertificate
});
_selfIssuedCertificate = SigningTestUtility.GenerateSelfIssuedCertificate(isCa: false);
_rootCertificate = SigningTestUtility.GenerateSelfIssuedCertificate(isCa: true);
const string name1 = "NuGet Cyclic Test Certificate 1";
const string name2 = "NuGet Cyclic Test Certificate 2";
var keyPair1 = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var keyPair2 = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
_cyclicChain = new DisposableList <X509Certificate2>()
{
SigningTestUtility.GenerateCertificate(name1, name2, keyPair1.Private, keyPair2),
SigningTestUtility.GenerateCertificate(name2, name1, keyPair2.Private, keyPair1)
};
}
protected (BCCertificate publicCertificate, X509Certificate2 certificate) IssueCertificate(
CertificateAuthority ca,
string name,
Action <X509V3CertificateGenerator> customizeCertificate)
{
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var publicCertificate = ca.IssueCertificate(new IssueCertificateOptions
{
CustomizeCertificate = customizeCertificate,
NotAfter = DateTime.UtcNow.AddMinutes(10),
NotBefore = DateTime.UtcNow.AddSeconds(-10),
KeyPair = keyPair,
SubjectName = new X509Name($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test ${name} Certificate ({Guid.NewGuid()})")
});
var certificate = publicCertificate.ToX509Certificate2();
certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
return(publicCertificate, certificate);
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_Fails()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
var serviceOptions = new TimestampServiceOptions()
{
Accuracy = accuracy
};
var timestampService = TimestampService.Create(ca, serviceOptions);
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
var bcCertificate = ca.IssueCertificate(issueOptions);
using (testServer.RegisterResponder(timestampService))
using (var certificate = new X509Certificate2(bcCertificate.GetEncoded()))
using (var directory = TestDirectory.Create())
{
certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
var packageContext = new SimpleTestPackageContext();
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
var waitDuration = (issueOptions.NotAfter - DateTimeOffset.UtcNow).Add(TimeSpan.FromSeconds(1));
// Wait for the certificate to expire. Trust of the signature will require a valid timestamp.
if (waitDuration > TimeSpan.Zero)
{
await Task.Delay(waitDuration);
}
Assert.True(DateTime.UtcNow > issueOptions.NotAfter);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
var results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
var result = results.Results.Single();
Assert.False(results.Valid);
Assert.Equal(SignatureVerificationStatus.Illegal, result.Trust);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));
Assert.Contains(result.Issues, issue =>
issue.Code == NuGetLogCode.NU3011 &&
issue.Level == LogLevel.Error &&
issue.Message.Contains("validity period has expired."));
}
}
}