/// <summary> /// Gets certificates in the certificate chain for a timestamp on the repository countersignature. /// </summary> /// <param name="primarySignature">The primary signature.</param> /// <param name="repositoryCountersignature">The repository countersignature.</param> /// <returns>A non-empty, read-only list of X.509 certificates ordered from signing certificate to root.</returns> /// <exception cref="ArgumentNullException">Thrown if <paramref name="primarySignature" /> is <c>null</c>.</exception> /// <exception cref="ArgumentNullException">Thrown if <paramref name="repositoryCountersignature" /> is <c>null</c>.</exception> /// <exception cref="SignatureException">Thrown if <paramref name="repositoryCountersignature" /> does not have a valid /// timestamp.</exception> /// <remarks> /// WARNING: This method does not perform revocation, trust, or certificate validity checking. /// </remarks> public static IX509CertificateChain GetTimestampCertificateChain( PrimarySignature primarySignature, RepositoryCountersignature repositoryCountersignature) { if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } if (repositoryCountersignature == null) { throw new ArgumentNullException(nameof(repositoryCountersignature)); } if (!repositoryCountersignature.IsRelated(primarySignature)) { throw new ArgumentException(Strings.UnrelatedSignatures, nameof(repositoryCountersignature)); } var timestamp = repositoryCountersignature.Timestamps.FirstOrDefault(); if (timestamp == null) { throw new SignatureException(NuGetLogCode.NU3000, Strings.RepositoryCountersignatureHasNoTimestamp); } return(GetTimestampCertificates( timestamp.SignedCms, SigningSpecifications.V1, primarySignature.FriendlyName, includeChain: true)); }
public Task <PackageVerificationResult> GetTrustResultAsync( ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings, CancellationToken token) { token.ThrowIfCancellationRequested(); if (package == null) { throw new ArgumentNullException(nameof(package)); } if (signature == null) { throw new ArgumentNullException(nameof(signature)); } if (settings == null) { throw new ArgumentNullException(nameof(settings)); } var result = Verify(signature, settings); return(Task.FromResult(result)); }
private static async Task <bool> RemoveRepositoryCountersignaturesAsync( Stream input, Stream output, SignedCms signedCms, CancellationToken cancellationToken) { if (TryRemoveRepositoryCountersignatures(signedCms, out var updatedSignedCms)) { var primarySignature = PrimarySignature.Load(updatedSignedCms.Encode()); using (var unsignedPackage = new MemoryStream()) { using (var package = new SignedPackageArchive(input, unsignedPackage)) { await package.RemoveSignatureAsync(cancellationToken); } using (var package = new SignedPackageArchive(unsignedPackage, output)) using (var signatureStream = new MemoryStream(primarySignature.GetBytes())) { await package.AddSignatureAsync(signatureStream, cancellationToken); } } return(true); } return(false); }
/// <summary> /// Gets certificates in the certificate chain for the repository countersignature. /// </summary> /// <param name="primarySignature">The primary signature.</param> /// <param name="repositoryCountersignature">The repository countersignature.</param> /// <returns>A non-empty, read-only list of X.509 certificates ordered from signing certificate to root.</returns> /// <exception cref="ArgumentNullException">Thrown if <paramref name="primarySignature" /> is <c>null</c>.</exception> /// <exception cref="ArgumentNullException">Thrown if <paramref name="repositoryCountersignature" /> is <c>null</c>.</exception> /// <exception cref="ArgumentException">Thrown if <paramref name="repositoryCountersignature" /> is /// unrelated to <paramref name="primarySignature" />.</exception> /// <remarks> /// WARNING: This method does not perform revocation, trust, or certificate validity checking. /// </remarks> public static IX509CertificateChain GetCertificateChain( PrimarySignature primarySignature, RepositoryCountersignature repositoryCountersignature) { if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } if (repositoryCountersignature == null) { throw new ArgumentNullException(nameof(repositoryCountersignature)); } if (!repositoryCountersignature.IsRelated(primarySignature)) { throw new ArgumentException(Strings.UnrelatedSignatures, nameof(repositoryCountersignature)); } return(GetRepositoryCountersignatureCertificates( primarySignature.SignedCms, repositoryCountersignature.SignerInfo, SigningSpecifications.V1, includeChain: true)); }
public static bool HasRepositoryCountersignature(PrimarySignature primarySignature) { if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } if (primarySignature is RepositoryPrimarySignature) { return(false); } var counterSignatures = primarySignature.SignerInfo.CounterSignerInfos; foreach (var counterSignature in counterSignatures) { var countersignatureType = AttributeUtility.GetSignatureType(counterSignature.SignedAttributes); if (countersignatureType == SignatureType.Repository) { return(true); } } return(false); }
internal bool IsRelated(PrimarySignature primarySignature) { if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } return(ReferenceEquals(_primarySignature, primarySignature)); }
private RepositoryCountersignature( PrimarySignature primarySignature, SignerInfo counterSignerInfo, Uri v3ServiceIndexUrl, IReadOnlyList <string> packageOwners) : base(counterSignerInfo, SignatureType.Repository) { _primarySignature = primarySignature; V3ServiceIndexUrl = v3ServiceIndexUrl; PackageOwners = packageOwners; }
private PackageVerificationResult VerifySignatureAndCountersignature( PrimarySignature signature, SignedPackageVerifierSettings settings) { var issues = new List <SignatureLog>(); var certificateExtraStore = signature.SignedCms.Certificates; var primarySignatureHasCountersignature = SignatureUtility.HasRepositoryCountersignature(signature); var status = SignatureVerificationStatus.Illegal; // Only accept untrusted root if the signature has a countersignature that we can validate against var verifySettings = new SignatureVerifySettings( treatIssuesAsErrors: !settings.AllowIllegal, allowUntrustedRoot: primarySignatureHasCountersignature, allowUnknownRevocation: settings.AllowUnknownRevocation, logOnSignatureExpired: !primarySignatureHasCountersignature); var primarySummary = VerifyValidityAndTrust(signature, settings, verifySettings, certificateExtraStore, issues); if (primarySummary != null) { status = primarySummary.Status; if (primarySignatureHasCountersignature) { if (settings.AlwaysVerifyCountersignature || ShouldFallbackToRepositoryCountersignature(primarySummary)) { var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(signature); verifySettings = new SignatureVerifySettings( treatIssuesAsErrors: !settings.AllowIllegal, allowUntrustedRoot: false, allowUnknownRevocation: settings.AllowUnknownRevocation, logOnSignatureExpired: true); var counterSummary = VerifyValidityAndTrust(countersignature, settings, verifySettings, certificateExtraStore, issues); status = counterSummary.Status; if (!Rfc3161TimestampVerificationUtility.ValidateSignerCertificateAgainstTimestamp(signature.SignerInfo.Certificate, counterSummary.Timestamp)) { issues.Add(SignatureLog.Issue(!settings.AllowIllegal, NuGetLogCode.NU3011, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_SignatureNotTimeValid, signature.FriendlyName))); status = SignatureVerificationStatus.Illegal; } } else if (primarySummary.Flags.HasFlag(SignatureVerificationStatusFlags.CertificateExpired)) { // We are not adding this log if the primary signature has a countersignature to check the expiration against the countersignature's timestamp. // If the countersignature shouldn't be check and the primary signature was expired, add this log. issues.Add(SignatureLog.Issue(!settings.AllowIllegal, NuGetLogCode.NU3011, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_SignatureNotTimeValid, signature.FriendlyName))); } } } return(new SignedPackageVerificationResult(status, signature, issues)); }
/// <summary> /// Gets certificates in the certificate chain for the primary signature. /// </summary> /// <param name="primarySignature">The primary signature.</param> /// <returns>A non-empty, read-only list of X.509 certificates ordered from signing certificate to root.</returns> /// <exception cref="ArgumentNullException">Thrown if <paramref name="primarySignature" /> is <c>null</c>.</exception> /// <remarks> /// WARNING: This method does not perform revocation, trust, or certificate validity checking. /// </remarks> public static IX509CertificateChain GetCertificateChain(PrimarySignature primarySignature) { if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } return(GetPrimarySignatureCertificates( primarySignature.SignedCms, primarySignature.SignerInfo, SigningSpecifications.V1, includeChain: true)); }
private static string GetCertificateFingerprint( PrimarySignature signature, HashAlgorithmName fingerprintAlgorithm, IDictionary <HashAlgorithmName, string> CertificateFingerprintLookUp) { if (!CertificateFingerprintLookUp.TryGetValue(fingerprintAlgorithm, out var fingerprintString)) { var primarySignatureCertificateFingerprint = CertificateUtility.GetHash(signature.SignerInfo.Certificate, fingerprintAlgorithm); fingerprintString = BitConverter.ToString(primarySignatureCertificateFingerprint).Replace("-", ""); CertificateFingerprintLookUp[fingerprintAlgorithm] = fingerprintString; } return(fingerprintString); }
private bool IsSignatureAllowed( PrimarySignature signature, IReadOnlyList <VerificationAllowListEntry> allowList) { var primarySignatureCertificateFingerprintLookUp = new Dictionary <HashAlgorithmName, string>(); var countersignatureCertificateFingerprintLookUp = new Dictionary <HashAlgorithmName, string>(); var repositoryCountersignature = new Lazy <RepositoryCountersignature>(() => RepositoryCountersignature.GetRepositoryCountersignature(signature)); foreach (var allowedEntry in allowList) { // Verify the certificate hash allow list objects var certificateHashEntry = allowedEntry as CertificateHashAllowListEntry; if (certificateHashEntry != null) { if (certificateHashEntry.Placement.HasFlag(SignaturePlacement.PrimarySignature)) { // Get information needed for allow list verification var primarySignatureCertificateFingerprint = GetCertificateFingerprint( signature, certificateHashEntry.FingerprintAlgorithm, primarySignatureCertificateFingerprintLookUp); if (IsSignatureTargeted(certificateHashEntry.Target, signature) && StringComparer.OrdinalIgnoreCase.Equals(certificateHashEntry.Fingerprint, primarySignatureCertificateFingerprint)) { return(true); } } if (certificateHashEntry.Placement.HasFlag(SignaturePlacement.Countersignature)) { if (repositoryCountersignature.Value != null) { // Get information needed for allow list verification var countersignatureCertificateFingerprint = GetCertificateFingerprint( repositoryCountersignature.Value, certificateHashEntry.FingerprintAlgorithm, countersignatureCertificateFingerprintLookUp); if (IsSignatureTargeted(certificateHashEntry.Target, repositoryCountersignature.Value) && StringComparer.OrdinalIgnoreCase.Equals(certificateHashEntry.Fingerprint, countersignatureCertificateFingerprint)) { return(true); } } } } } return(false); }
private static PrimarySignature CreateRepositoryCountersignature(CmsSigner cmsSigner, PrimarySignature primarySignature, CngKey privateKey) { using (var primarySignatureNativeCms = NativeCms.Decode(primarySignature.GetBytes())) { primarySignatureNativeCms.AddCountersignature(cmsSigner, privateKey); var bytes = primarySignatureNativeCms.Encode(); var updatedCms = new SignedCms(); updatedCms.Decode(bytes); return(PrimarySignature.Load(updatedCms)); } }
/// <summary> /// Timestamps data present in the TimestampRequest. /// </summary> public async Task <PrimarySignature> TimestampSignatureAsync(PrimarySignature primarySignature, TimestampRequest request, ILogger logger, CancellationToken token) { SignedCms timestampCms = await GetTimestampAsync(request, logger, token); using (ICms signatureCms = CmsFactory.Create(primarySignature.GetBytes())) { if (request.Target == SignaturePlacement.Countersignature) { signatureCms.AddTimestampToRepositoryCountersignature(timestampCms); } else { signatureCms.AddTimestamp(timestampCms); } return(PrimarySignature.Load(signatureCms.Encode())); } }
/// <summary> /// Timestamps data present in the TimestampRequest. /// </summary> public Task <PrimarySignature> TimestampSignatureAsync(PrimarySignature primarySignature, TimestampRequest request, ILogger logger, CancellationToken token) { var timestampCms = GetTimestamp(request, logger, token); using (var signatureNativeCms = NativeCms.Decode(primarySignature.GetBytes())) { if (request.Target == SignaturePlacement.Countersignature) { signatureNativeCms.AddTimestampToRepositoryCountersignature(timestampCms); } else { signatureNativeCms.AddTimestamp(timestampCms); } return(Task.FromResult(PrimarySignature.Load(signatureNativeCms.Encode()))); } }
/// <summary> /// Gets certificates in the certificate chain for a timestamp on the primary signature. /// </summary> /// <param name="signature">The primary signature.</param> /// <returns>A non-empty, read-only list of X.509 certificates ordered from signing certificate to root.</returns> /// <exception cref="ArgumentNullException">Thrown if <paramref name="signature" /> is <c>null</c>.</exception> /// <remarks> /// WARNING: This method does not perform revocation, trust, or certificate validity checking. /// </remarks> public static IReadOnlyList <X509Certificate2> GetPrimarySignatureTimestampCertificates( PrimarySignature signature) { if (signature == null) { throw new ArgumentNullException(nameof(signature)); } var timestamp = signature.Timestamps.FirstOrDefault(); if (timestamp == null) { throw new SignatureException(NuGetLogCode.NU3029, Strings.PrimarySignatureHasNoTimestamp); } return(GetTimestampCertificates( timestamp.SignedCms, SigningSpecifications.V1, includeChain: true)); }
/// <summary> /// Gets certificates in the certificate chain for a timestamp on the primary signature. /// </summary> /// <param name="primarySignature">The primary signature.</param> /// <returns>A non-empty, read-only list of X.509 certificates ordered from signing certificate to root.</returns> /// <exception cref="ArgumentNullException">Thrown if <paramref name="primarySignature" /> is <c>null</c>.</exception> /// <exception cref="SignatureException">Thrown if <paramref name="primarySignature" /> does not have a valid /// timestamp.</exception> /// <remarks> /// WARNING: This method does not perform revocation, trust, or certificate validity checking. /// </remarks> public static IX509CertificateChain GetTimestampCertificateChain( PrimarySignature primarySignature) { if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } var timestamp = primarySignature.Timestamps.FirstOrDefault(); if (timestamp == null) { throw new SignatureException(NuGetLogCode.NU3000, Strings.PrimarySignatureHasNoTimestamp); } return(GetTimestampCertificates( timestamp.SignedCms, SigningSpecifications.V1, primarySignature.FriendlyName, includeChain: true)); }
private static PrimarySignature CreatePrimarySignature(CmsSigner cmsSigner, SignPackageRequest request, byte[] signingData) { var contentInfo = new ContentInfo(signingData); var cms = new SignedCms(contentInfo); try { cms.ComputeSignature(cmsSigner); } catch (CryptographicException ex) when(ex.HResult == INVALID_PROVIDER_TYPE_HRESULT) { var exceptionBuilder = new StringBuilder(); exceptionBuilder.AppendLine(Strings.SignFailureCertificateInvalidProviderType); exceptionBuilder.AppendLine(CertificateUtility.X509Certificate2ToString(request.Certificate, Common.HashAlgorithmName.SHA256)); throw new SignatureException(NuGetLogCode.NU3001, exceptionBuilder.ToString()); } return(PrimarySignature.Load(cms)); }
public static RepositoryCountersignature GetRepositoryCountersignature(PrimarySignature primarySignature) { if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } if (primarySignature.Type == SignatureType.Repository) { throw new SignatureException(NuGetLogCode.NU3033, Strings.Error_RepositorySignatureShouldNotHaveARepositoryCountersignature); } var countersignatures = primarySignature.SignerInfo.CounterSignerInfos; RepositoryCountersignature repositoryCountersignature = null; // Only look for repository countersignatures. foreach (var countersignature in countersignatures) { var countersignatureType = AttributeUtility.GetSignatureType(countersignature.SignedAttributes); if (countersignatureType == SignatureType.Repository) { if (repositoryCountersignature != null) { throw new SignatureException(NuGetLogCode.NU3032, Strings.Error_NotOneRepositoryCounterSignature); } var v3ServiceIndexUrl = AttributeUtility.GetNuGetV3ServiceIndexUrl(countersignature.SignedAttributes); var packageOwners = AttributeUtility.GetNuGetPackageOwners(countersignature.SignedAttributes); repositoryCountersignature = new RepositoryCountersignature( primarySignature, countersignature, v3ServiceIndexUrl, packageOwners); } } return(repositoryCountersignature); }
private bool IsSignatureAllowed(PrimarySignature signature) { // Get information needed for allow list verification var primarySignatureCertificateFingerprint = CertificateUtility.GetHash(signature.SignerInfo.Certificate, _fingerprintAlgorithm); var primarySignatureCertificateFingerprintString = BitConverter.ToString(primarySignatureCertificateFingerprint).Replace("-", ""); foreach (var allowedEntry in _allowList) { // Verify the certificate hash allow list objects var certificateHashEntry = allowedEntry as CertificateHashAllowListEntry; if (certificateHashEntry != null) { if (certificateHashEntry.VerificationTarget.HasFlag(VerificationTarget.Primary) && StringComparer.OrdinalIgnoreCase.Equals(certificateHashEntry.CertificateFingerprint, primarySignatureCertificateFingerprintString)) { return(true); } } } return(false); }
private static PrimarySignature CreateRepositoryCountersignature(CmsSigner cmsSigner, SignPackageRequest request, PrimarySignature primarySignature) { var cms = new SignedCms(); cms.Decode(primarySignature.GetBytes()); try { cms.SignerInfos[0].ComputeCounterSignature(cmsSigner); } catch (CryptographicException ex) when(ex.HResult == INVALID_PROVIDER_TYPE_HRESULT) { var exceptionBuilder = new StringBuilder(); exceptionBuilder.AppendLine(Strings.SignFailureCertificateInvalidProviderType); exceptionBuilder.AppendLine(CertificateUtility.X509Certificate2ToString(request.Certificate, Common.HashAlgorithmName.SHA256)); throw new SignatureException(NuGetLogCode.NU3001, exceptionBuilder.ToString()); } return(PrimarySignature.Load(cms)); }
public SignedPackageVerificationResult(SignatureVerificationStatus trust, PrimarySignature signature, IEnumerable <SignatureLog> issues) : base(trust, issues) { Signature = signature ?? throw new ArgumentNullException(nameof(signature)); }
private PackageVerificationResult VerifyAllowList(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings) { var treatIssuesAsErrors = !settings.AllowUntrusted; var status = SignatureVerificationStatus.Valid; var issues = new List <SignatureLog>(); if (_allowList == null || _allowList.Count == 0) { if (_requireNonEmptyAllowList) { status = SignatureVerificationStatus.Disallowed; issues.Add(SignatureLog.Error(code: NuGetLogCode.NU3034, message: _emptyListErrorMessage)); } } else if (!IsSignatureAllowed(signature, _allowList)) { if (!settings.AllowUntrusted) { status = SignatureVerificationStatus.Disallowed; } issues.Add(SignatureLog.Issue(fatal: treatIssuesAsErrors, code: NuGetLogCode.NU3034, message: _noMatchErrorMessage)); } return(new SignedPackageVerificationResult(status, signature, issues)); }
public Task <PackageVerificationResult> GetTrustResultAsync(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings, CancellationToken token) { return(Task.FromResult(VerifyAllowList(package, signature, settings))); }
private PackageVerificationResult Verify( PrimarySignature signature, SignedPackageVerifierSettings settings) { var certificateExtraStore = signature.SignedCms.Certificates; var repositoryCountersignatureExists = SignatureUtility.HasRepositoryCountersignature(signature); var isRepositoryCountersignatureVerificationRequested = settings.VerificationTarget.HasFlag(VerificationTarget.Repository) && settings.SignaturePlacement.HasFlag(SignaturePlacement.Countersignature); var allowDeferralToRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested && repositoryCountersignatureExists; var status = SignatureVerificationStatus.Unknown; var issues = Enumerable.Empty <SignatureLog>(); var isUntrustedRootAllowed = IsUntrustedRootAllowed(signature); var verifySettings = new SignatureVerifySettings( allowIllegal: settings.AllowIllegal, allowUntrusted: settings.AllowUntrusted || isUntrustedRootAllowed, allowUnknownRevocation: settings.AllowUnknownRevocation, reportUnknownRevocation: settings.ReportUnknownRevocation, reportUntrustedRoot: !isUntrustedRootAllowed, revocationMode: settings.RevocationMode); SignatureVerificationSummary primarySummary = null; if (settings.SignaturePlacement.HasFlag(SignaturePlacement.PrimarySignature) && VerificationUtility.IsVerificationTarget(signature.Type, settings.VerificationTarget)) { primarySummary = VerifyValidityAndTrust(signature, settings, verifySettings, certificateExtraStore); issues = issues.Concat(primarySummary.Issues); status = primarySummary.Status; } Debug.Assert(isRepositoryCountersignatureVerificationRequested != (settings.RepositoryCountersignatureVerificationBehavior == SignatureVerificationBehavior.Never)); bool shouldVerifyRepositoryCountersignature; switch (settings.RepositoryCountersignatureVerificationBehavior) { case SignatureVerificationBehavior.IfExists: shouldVerifyRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested && repositoryCountersignatureExists; break; case SignatureVerificationBehavior.IfExistsAndIsNecessary: // The repository countersignature should be evaluated if settings allow it, if a repository countersignature exists // and if either settings only allow a repository countersignature to be evaluated or the primary signature has some // validation/trust issues that may benefit from a repository countersignature fallback. shouldVerifyRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested && repositoryCountersignatureExists && (primarySummary == null || (primarySummary != null && (HasUntrustedRoot(primarySummary) || IsSignatureExpired(primarySummary)))); break; case SignatureVerificationBehavior.Always: shouldVerifyRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested; break; case SignatureVerificationBehavior.Never: shouldVerifyRepositoryCountersignature = false; break; default: throw new NotImplementedException(); } if (shouldVerifyRepositoryCountersignature) { var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(signature); if (countersignature == null) { if (settings.RepositoryCountersignatureVerificationBehavior == SignatureVerificationBehavior.Always) { issues = issues.Concat(new[] { SignatureLog.Error(NuGetLogCode.NU3038, Strings.NoRepositoryCountersignature) }); status = SignatureVerificationStatus.Disallowed; } } else { isUntrustedRootAllowed = IsUntrustedRootAllowed(countersignature); verifySettings = new SignatureVerifySettings( allowIllegal: settings.AllowIllegal, allowUntrusted: settings.AllowUntrusted || isUntrustedRootAllowed, allowUnknownRevocation: settings.AllowUnknownRevocation, reportUnknownRevocation: settings.ReportUnknownRevocation, reportUntrustedRoot: !isUntrustedRootAllowed, revocationMode: settings.RevocationMode); var countersignatureSummary = VerifyValidityAndTrust(countersignature, settings, verifySettings, certificateExtraStore); if (primarySummary == null) { status = countersignatureSummary.Status; } else { if (countersignatureSummary.Status == SignatureVerificationStatus.Valid) { if (IsSignatureExpired(primarySummary) && HasUntrustedRoot(primarySummary)) { // Exclude the issue of the primary signature being untrusted since the repository countersignature fulfills the role of a trust anchor. issues = issues.Where(log => log.Code != NuGetLogCode.NU3018); if (countersignatureSummary.Timestamp != null && Rfc3161TimestampVerificationUtility.ValidateSignerCertificateAgainstTimestamp(signature.SignerInfo.Certificate, countersignatureSummary.Timestamp)) { // Exclude the issue of the primary signature being expired since the repository countersignature fulfills the role of a trusted timestamp. issues = issues.Where(log => log.Code != NuGetLogCode.NU3037); status = SignatureVerificationStatus.Valid; } } else if (IsSignatureExpired(primarySummary) && countersignatureSummary.Timestamp != null && Rfc3161TimestampVerificationUtility.ValidateSignerCertificateAgainstTimestamp(signature.SignerInfo.Certificate, countersignatureSummary.Timestamp)) { // Exclude the issue of the primary signature being expired since the repository countersignature fulfills the role of a trusted timestamp. issues = issues.Where(log => log.Code != NuGetLogCode.NU3037); status = SignatureVerificationStatus.Valid; } else if (HasUntrustedRoot(primarySummary)) { // Exclude the issue of the primary signature being untrusted since the repository countersignature fulfills the role of a trust anchor. issues = issues.Where(log => log.Code != NuGetLogCode.NU3018); status = SignatureVerificationStatus.Valid; } } // Both the primary signature and the repository countersignature were evaluated. // The overall status should be the more severe status of the two. status = (SignatureVerificationStatus)Math.Min((int)status, (int)countersignatureSummary.Status); } issues = issues.Concat(countersignatureSummary.Issues); } } return(new SignedPackageVerificationResult(status, signature, issues)); }
private PackageVerificationResult Verify( PrimarySignature signature, SignedPackageVerifierSettings settings) { throw new NotSupportedException(); }
public Task <PackageVerificationResult> GetTrustResultAsync(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings, CancellationToken token) { token.ThrowIfCancellationRequested(); var result = VerifyValidityAndTrust(signature, settings); return(Task.FromResult(result)); }
/// <summary> /// Timestamp a signature. /// </summary> public Task <PrimarySignature> TimestampSignatureAsync(PrimarySignature primarySignature, TimestampRequest timestampRequest, ILogger logger, CancellationToken token) { throw new NotImplementedException(); }
private PackageVerificationResult VerifyAllowList(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings) { throw new NotSupportedException(); }
/// <summary> /// Countersign the primary signature with a X509Certificate2. /// </summary> public Task <PrimarySignature> CreateRepositoryCountersignatureAsync(RepositorySignPackageRequest request, PrimarySignature primarySignature, ILogger logger, CancellationToken token) { if (request == null) { throw new ArgumentNullException(nameof(request)); } if (primarySignature == null) { throw new ArgumentNullException(nameof(primarySignature)); } if (logger == null) { throw new ArgumentNullException(nameof(logger)); } token.ThrowIfCancellationRequested(); var signature = CreateRepositoryCountersignature(request, primarySignature, logger); if (_timestampProvider == null) { return(Task.FromResult(signature)); } else { return(TimestampRepositoryCountersignatureAsync(request, logger, signature, token)); } }
private Task <PrimarySignature> TimestampRepositoryCountersignatureAsync(SignPackageRequest request, ILogger logger, PrimarySignature signature, CancellationToken token) { throw new NotSupportedException(); }