public async Task VerifySignaturesAsync_ValidCertificateAndTimestampWithDifferentHashAlgorithms_Success()
{
var packageContext = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var request = new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA512, HashAlgorithmName.SHA256);
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url,
request);
var verifier = new PackageSignatureVerifier(_trustProviders, SignedPackageVerifierSettings.VerifyCommandDefaultPolicy);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
/// <summary>
/// Generates a signed copy of a package and returns the path to that package
/// This method timestamps a package and should only be used with tests marked with [CIOnlyFact]
/// </summary>
/// <param name="certificate">Certificate to be used while signing the package</param>
/// <param name="nupkg">Package to be signed</param>
/// <param name="dir">Directory for placing the signed package</param>
/// <param name="timestampService">RFC 3161 timestamp service URL.</param>
/// <param name="request">An author signing request.</param>
/// <returns>Path to the signed copy of the package</returns>
public static async Task <string> CreateSignedAndTimeStampedPackageAsync(
X509Certificate2 certificate,
SimpleTestPackageContext nupkg,
string dir,
Uri timestampService,
AuthorSignPackageRequest request = null)
{
var testLogger = new TestLogger();
using (var zipReadStream = nupkg.CreateAsStream())
using (var zipWriteStream = nupkg.CreateAsStream())
{
var signedPackagePath = Path.Combine(dir, Guid.NewGuid().ToString());
using (var signPackage = new SignedPackageArchive(zipReadStream, zipWriteStream))
{
request = request ?? new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA256);
// Sign the package
await SignAndTimeStampPackageAsync(testLogger, certificate, signPackage, timestampService, request);
}
zipWriteStream.Seek(offset: 0, loc: SeekOrigin.Begin);
using (Stream fileStream = File.OpenWrite(signedPackagePath))
{
zipWriteStream.CopyTo(fileStream);
}
return(signedPackagePath);
}
}
private static async Task <MemoryStream> CreateSignedPackageAsync(
X509Certificate2 certificate,
Stream unsignedPackage = null)
{
if (unsignedPackage == null)
{
var packageContext = new SimpleTestPackageContext();
unsignedPackage = packageContext.CreateAsStream();
}
var signatureProvider = new X509SignatureProvider(timestampProvider: null);
var overwrite = true;
using (var request = new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA256))
using (var outputPackageStream = new MemoryStream())
using (var options = new SigningOptions(
new Lazy <Stream>(() => unsignedPackage),
new Lazy <Stream>(() => outputPackageStream),
overwrite,
signatureProvider,
NullLogger.Instance))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
var isSigned = await SignedArchiveTestUtility.IsSignedAsync(options.OutputPackageStream);
Assert.True(isSigned);
return(new MemoryStream(outputPackageStream.ToArray()));
}
}
public AuthorSignPackageRequest GetAuthorSignRequest()
{
ValidatePackagePath();
WarnIfNoTimestamper(Console);
ValidateCertificateInputs();
EnsureOutputDirectory();
var signingSpec = SigningSpecifications.V1;
var signatureHashAlgorithm = ValidateAndParseHashAlgorithm(HashAlgorithm, nameof(HashAlgorithm), signingSpec);
var timestampHashAlgorithm = ValidateAndParseHashAlgorithm(TimestampHashAlgorithm, nameof(TimestampHashAlgorithm), signingSpec);
var certCollection = GetCertificateCollection();
var certificate = GetCertificate(certCollection);
var privateKey = GetPrivateKey(certificate);
var request = new AuthorSignPackageRequest(
certificate,
signatureHashAlgorithm,
timestampHashAlgorithm)
{
PrivateKey = privateKey
};
request.AdditionalCertificates.AddRange(certCollection);
return(request);
}
internal static SignTest Create(
X509Certificate2 certificate,
HashAlgorithmName hashAlgorithm,
byte[] package = null,
ISignatureProvider signatureProvider = null)
{
ISignedPackage signedPackage;
MemoryStream readStream = null;
MemoryStream writeStream = null;
if (package == null)
{
signedPackage = Mock.Of <ISignedPackage>();
}
else
{
readStream = new MemoryStream(package);
writeStream = new MemoryStream();
signedPackage = new SignedPackageArchive(readStream, writeStream);
}
signatureProvider = signatureProvider ?? Mock.Of <ISignatureProvider>();
var signer = new Signer(signedPackage, signatureProvider);
var request = new AuthorSignPackageRequest(certificate, hashAlgorithm);
return(new SignTest(
signer,
signedPackage,
signatureProvider,
request,
readStream,
writeStream));
}
/// <summary>
/// Generates a signed copy of a package and returns the path to that package
/// This method timestamps a package and should only be used with tests marked with [CIOnlyFact]
/// </summary>
/// <param name="certificate">Certificate to be used while signing the package</param>
/// <param name="nupkg">Package to be signed</param>
/// <param name="dir">Directory for placing the signed package</param>
/// <param name="timestampService">RFC 3161 timestamp service URL.</param>
/// <param name="request">An author signing request.</param>
/// <returns>Path to the signed copy of the package</returns>
public static async Task <string> CreateSignedAndTimeStampedPackageAsync(
X509Certificate2 certificate,
SimpleTestPackageContext nupkg,
string dir,
Uri timestampService,
AuthorSignPackageRequest request = null)
{
var testLogger = new TestLogger();
var signedPackagePath = Path.Combine(dir, Guid.NewGuid().ToString());
var tempPath = Path.GetTempFileName();
using (var packageStream = nupkg.CreateAsStream())
using (var fileStream = File.OpenWrite(tempPath))
{
packageStream.CopyTo(fileStream);
}
#if IS_DESKTOP
using (var cert = new X509Certificate2(certificate))
using (request = request ?? new AuthorSignPackageRequest(cert, HashAlgorithmName.SHA256))
{
await SignAndTimeStampPackageAsync(testLogger, tempPath, signedPackagePath, timestampService, request);
}
#endif
FileUtility.Delete(tempPath);
return(signedPackagePath);
}
/// <summary>
/// Generates an author signed copy of a package and returns the path to that package
/// This method can timestamp a package and should only be used with tests marked with [CIOnlyFact]
/// </summary>
/// <param name="certificate">Certificate to be used while signing the package</param>
/// <param name="nupkg">Package to be signed</param>
/// <param name="dir">Directory for placing the signed package</param>
/// <param name="timestampService">RFC 3161 timestamp service URL.</param>
/// <param name="signatureHashAlgorithm">Hash algorithm to be used in the signature. Defaults to SHA256</param>
/// <param name="timestampHashAlgorithm">Hash algorithm to be used in the timestamp. Defaults to SHA256</param>
/// <returns>Path to the signed copy of the package</returns>
public static async Task <string> AuthorSignPackageAsync(
X509Certificate2 certificate,
SimpleTestPackageContext nupkg,
string dir,
Uri timestampService = null,
HashAlgorithmName signatureHashAlgorithm = HashAlgorithmName.SHA256,
HashAlgorithmName timestampHashAlgorithm = HashAlgorithmName.SHA256)
{
var testLogger = new TestLogger();
var signedPackagePath = Path.Combine(dir, $"{nupkg.Id}.{nupkg.Version}.nupkg");
var tempPath = Path.GetTempFileName();
using (var packageStream = await nupkg.CreateAsStreamAsync())
using (var fileStream = File.OpenWrite(tempPath))
{
packageStream.CopyTo(fileStream);
}
using (var originalPackage = File.OpenRead(tempPath))
using (var signedPackage = File.Open(signedPackagePath, FileMode.OpenOrCreate, FileAccess.ReadWrite))
using (var request = new AuthorSignPackageRequest(
new X509Certificate2(certificate),
signatureHashAlgorithm,
timestampHashAlgorithm))
{
await CreateSignedPackageAsync(request, originalPackage, signedPackage, timestampService);
}
FileUtility.Delete(tempPath);
return(signedPackagePath);
}
private async Task <int> SignPackageAsync(
string packagePath,
string outputPath,
ILogger logger,
bool Overwrite,
ISignatureProvider signatureProvider,
AuthorSignPackageRequest request,
CancellationToken token)
{
// For overwrite we need to first remove the signature and then sign the unsigned package
if (Overwrite)
{
var originalPackageCopyPath = CopyPackage(packagePath);
await RemoveSignatureAsync(logger, signatureProvider, packagePath, originalPackageCopyPath, token);
await AddSignatureAndUpdatePackageAsync(logger, signatureProvider, request, originalPackageCopyPath, outputPath, token);
FileUtility.Delete(originalPackageCopyPath);
}
else
{
await AddSignatureAndUpdatePackageAsync(logger, signatureProvider, request, packagePath, outputPath, token);
}
return(0);
}
/// <summary>
/// Sign a package for test purposes.
/// This does not timestamp a signature and can be used outside corp network.
/// </summary>
private static async Task SignPackageAsync(TestLogger testLogger, X509Certificate2 certificate, SignedPackageArchive signPackage)
{
var testSignatureProvider = new X509SignatureProvider(timestampProvider: null);
var signer = new Signer(signPackage, testSignatureProvider);
var request = new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA256);
await signer.SignAsync(request, testLogger, CancellationToken.None);
}
public void Verify_WithValidInput_DoesNotThrow()
{
using (var certificate = new X509Certificate2(_testFixture.TrustedTestCertificate.Source.PublicCert.RawData))
using (var request = new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA256, HashAlgorithmName.SHA256))
{
SigningUtility.Verify(request, NullLogger.Instance);
}
}
public async Task <bool> SignAsync(string packagePath, string outputPath, string timestampUrl, Uri v3ServiceIndex, IReadOnlyList <string> packageOwners,
SignatureType signatureType, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm,
bool overwrite, X509Certificate2 publicCertificate, System.Security.Cryptography.RSA rsa, CancellationToken cancellationToken = default)
{
var packagesToSign = LocalFolderUtility.ResolvePackageFromPath(packagePath);
var signatureProvider = new KeyVaultSignatureProvider(rsa, new Rfc3161TimestampProvider(new Uri(timestampUrl)));
SignPackageRequest request = null;
if (signatureType == SignatureType.Author)
{
request = new AuthorSignPackageRequest(publicCertificate, signatureHashAlgorithm, timestampHashAlgorithm);
}
else if (signatureType == SignatureType.Repository)
{
request = new RepositorySignPackageRequest(publicCertificate, signatureHashAlgorithm, timestampHashAlgorithm, v3ServiceIndex, packageOwners);
}
else
{
throw new ArgumentOutOfRangeException(nameof(signatureType));
}
string originalPackageCopyPath = null;
foreach (var package in packagesToSign)
{
cancellationToken.ThrowIfCancellationRequested();
logger.LogInformation($"{nameof(SignAsync)} [{package}]: Begin Signing {Path.GetFileName(package)}");
try
{
originalPackageCopyPath = CopyPackage(package);
using var options = SigningOptions.CreateFromFilePaths(originalPackageCopyPath, outputPath, overwrite, signatureProvider, new NuGetLogger(logger, package));
await SigningUtility.SignAsync(options, request, cancellationToken);
}
catch (Exception e)
{
logger.LogError(e, e.Message);
return(false);
}
finally
{
try
{
FileUtility.Delete(originalPackageCopyPath);
}
catch
{
}
logger.LogInformation($"{nameof(SignAsync)} [{package}]: End Signing {Path.GetFileName(package)}");
}
}
return(true);
}
public async Task <int> ExecuteCommandAsync(SignArgs signArgs)
{
// resolve path into multiple packages if needed.
IEnumerable <string> packagesToSign = signArgs.PackagePaths.SelectMany(packagePath =>
{
IEnumerable <string> packages = LocalFolderUtility.ResolvePackageFromPath(packagePath);
LocalFolderUtility.EnsurePackageFileExists(packagePath, packages);
return(packages);
});
var success = true;
X509Certificate2 cert = null;
try
{
cert = await GetCertificateAsync(signArgs);
}
catch (Exception e)
{
success = false;
ExceptionUtilities.LogException(e, signArgs.Logger);
}
if (success)
{
signArgs.Logger.LogInformation(Environment.NewLine);
signArgs.Logger.LogInformation(Strings.SignCommandDisplayCertificate);
signArgs.Logger.LogInformation(CertificateUtility.X509Certificate2ToString(cert, HashAlgorithmName.SHA256));
if (!string.IsNullOrEmpty(signArgs.Timestamper))
{
signArgs.Logger.LogInformation(Strings.SignCommandDisplayTimestamper);
signArgs.Logger.LogInformation(signArgs.Timestamper);
}
if (!string.IsNullOrEmpty(signArgs.OutputDirectory))
{
signArgs.Logger.LogInformation(Strings.SignCommandOutputPath);
signArgs.Logger.LogInformation(signArgs.OutputDirectory);
}
using (var signRequest = new AuthorSignPackageRequest(cert, signArgs.SignatureHashAlgorithm, signArgs.TimestampHashAlgorithm))
{
return(await ExecuteCommandAsync(
packagesToSign,
signRequest,
signArgs.Timestamper,
signArgs.Logger,
signArgs.OutputDirectory,
signArgs.Overwrite,
signArgs.Token));
}
}
return(success ? 0 : 1);
}
public async Task <int> ExecuteCommandAsync(
IEnumerable <string> packagesToSign,
AuthorSignPackageRequest signPackageRequest,
string timestamper,
ILogger logger,
string outputDirectory,
bool overwrite,
CancellationToken token)
{
var success = true;
try
{
SigningUtility.Verify(signPackageRequest, logger);
}
catch (Exception e)
{
success = false;
ExceptionUtilities.LogException(e, logger);
}
if (success)
{
var signatureProvider = GetSignatureProvider(timestamper);
foreach (var packagePath in packagesToSign)
{
try
{
string outputPath;
if (string.IsNullOrEmpty(outputDirectory))
{
outputPath = packagePath;
}
else
{
outputPath = Path.Combine(outputDirectory, Path.GetFileName(packagePath));
}
await SignPackageAsync(packagePath, outputPath, logger, overwrite, signatureProvider, signPackageRequest, token);
}
catch (Exception e)
{
success = false;
ExceptionUtilities.LogException(e, logger);
}
}
}
if (success)
{
logger.LogInformation(Strings.SignCommandSuccess);
}
return(success ? 0 : 1);
}
public void CreateCmsSigner_WhenLoggerNull_Throws()
{
using (var request = new AuthorSignPackageRequest(new X509Certificate2(), Common.HashAlgorithmName.SHA256))
{
var exception = Assert.Throws <ArgumentNullException>(
() => SigningUtility.CreateCmsSigner(request, logger: null));
Assert.Equal("logger", exception.ParamName);
}
}
public void Constructor_CertificateHashAlgorithm_WithValidInput_InitializesProperties()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var request = new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA512);
Assert.Equal(SignatureType.Author, request.SignatureType);
Assert.Same(certificate, request.Certificate);
Assert.Equal(HashAlgorithmName.SHA512, request.SignatureHashAlgorithm);
Assert.Equal(HashAlgorithmName.SHA512, request.TimestampHashAlgorithm);
}
}
/// <summary>
/// Sign and timestamp a package for test purposes.
/// This method timestamps a package and should only be used with tests marked with [CIOnlyFact]
/// </summary>
private static async Task SignAndTimeStampPackageAsync(
TestLogger testLogger,
X509Certificate2 certificate,
SignedPackageArchive signPackage,
Uri timestampService,
AuthorSignPackageRequest request)
{
var testSignatureProvider = new X509SignatureProvider(new Rfc3161TimestampProvider(timestampService));
var signer = new Signer(signPackage, testSignatureProvider);
await signer.SignAsync(request, testLogger, CancellationToken.None);
}
/// <summary>
/// Generates a Signature for a package.
/// </summary>
/// <param name="testCert">Certificate to be used while generating the signature.</param>
/// <param name="packageStream">Package stream for which the signature has to be generated.</param>
/// <param name="timestampProvider">An optional timestamp provider.</param>
/// <returns>Signature for the package.</returns>
public static async Task <PrimarySignature> CreateAuthorSignatureForPackageAsync(
X509Certificate2 testCert,
Stream packageStream,
ITimestampProvider timestampProvider = null)
{
var hashAlgorithm = HashAlgorithmName.SHA256;
using (var request = new AuthorSignPackageRequest(testCert, hashAlgorithm))
using (var package = new PackageArchiveReader(packageStream, leaveStreamOpen: true))
{
return(await CreatePrimarySignatureForPackageAsync(package, request, timestampProvider));
}
}
public void CreateCmsSigner_WithAuthorSignPackageRequest_ReturnsInstance()
{
using (var certificate = _fixture.GetDefaultCertificate())
using (var request = new AuthorSignPackageRequest(certificate, Common.HashAlgorithmName.SHA256))
{
var signer = SigningUtility.CreateCmsSigner(request, NullLogger.Instance);
Assert.Equal(request.Certificate, signer.Certificate);
Assert.Equal(request.SignatureHashAlgorithm.ConvertToOidString(), signer.DigestAlgorithm.Value);
VerifyAttributes(signer.SignedAttributes, request);
}
}
internal Test(X509Certificate2 certificate)
{
_directory = TestDirectory.Create();
_certificate = new X509Certificate2(certificate);
var packageContext = new SimpleTestPackageContext();
ReadStream = packageContext.CreateAsStream();
WriteStream = packageContext.CreateAsStream();
Package = new SignedPackageArchive(ReadStream, WriteStream);
Request = new AuthorSignPackageRequest(_certificate, HashAlgorithmName.SHA256);
var signatureProvider = new X509SignatureProvider(timestampProvider: null);
Signer = new Signer(Package, signatureProvider);
}
public async Task GetTrustResultAsync_SettingsRequireExactlyOneTimestamp_MultipleTimestamps_Fails()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var testLogger = new TestLogger();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var setting = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowUntrustedSelfIssuedCertificate: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: false,
allowNoTimestamp: false,
allowUnknownRevocation: false,
allowNoClientCertificateList: true,
allowNoRepositoryCertificateList: true);
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var verificationProvider = new SignatureTrustAndValidityVerificationProvider();
using (var package = new PackageArchiveReader(nupkg.CreateAsStream(), leaveStreamOpen: false))
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
using (var signatureRequest = new AuthorSignPackageRequest(testCertificate, HashAlgorithmName.SHA256))
{
var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync(package, signatureRequest);
var timestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, signature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger);
var reTimestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, timestampedSignature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger);
timestampedSignature.Timestamps.Count.Should().Be(1);
reTimestampedSignature.Timestamps.Count.Should().Be(2);
// Act
var result = await verificationProvider.GetTrustResultAsync(package, reTimestampedSignature, setting, CancellationToken.None);
var totalErrorIssues = result.GetErrorIssues();
// Assert
result.Trust.Should().Be(SignatureVerificationStatus.Illegal);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3000);
}
}
internal async Task AuthorSignAsync()
{
using (var request = new AuthorSignPackageRequest(
new X509Certificate2(Certificate),
HashAlgorithmName.SHA256,
HashAlgorithmName.SHA256))
using (var originalPackage = new MemoryStream(Zip.ToByteArray(), writable: false))
using (var signedPackage = new MemoryStream())
{
await SignedArchiveTestUtility.CreateSignedPackageAsync(request, originalPackage, signedPackage);
SignedPackage = new MemoryStream(signedPackage.ToArray(), writable: false);
}
var isSigned = await SignedArchiveTestUtility.IsSignedAsync(SignedPackage);
Assert.True(isSigned);
}
/// <summary>
/// Generates a SignedCMS object for some content.
/// </summary>
/// <param name="content"></param>
/// <param name="cert">Certificate for cms signer</param>
/// <returns>SignedCms object</returns>
public static SignedCms GenerateRepositoryCountersignedSignedCms(X509Certificate2 cert, byte[] content)
{
var contentInfo = new ContentInfo(content);
var hashAlgorithm = NuGet.Common.HashAlgorithmName.SHA256;
using (var primarySignatureRequest = new AuthorSignPackageRequest(new X509Certificate2(cert), hashAlgorithm))
using (var countersignatureRequest = new RepositorySignPackageRequest(new X509Certificate2(cert), hashAlgorithm, hashAlgorithm, new Uri("https://api.nuget.org/v3/index.json"), null))
{
var cmsSigner = SigningUtility.CreateCmsSigner(primarySignatureRequest, NullLogger.Instance);
var cms = new SignedCms(contentInfo);
cms.ComputeSignature(cmsSigner);
var counterCmsSigner = SigningUtility.CreateCmsSigner(countersignatureRequest, NullLogger.Instance);
cms.SignerInfos[0].ComputeCounterSignature(counterCmsSigner);
return(cms);
}
}
private Test(X509Certificate2 certificate, TestDirectory dir, FileInfo package)
{
_authorCertificate = new X509Certificate2(certificate);
_repositoryCertificate = new X509Certificate2(certificate);
_directory = dir;
var outputPath = GetNewTempFilePath();
OutputFile = new FileInfo(outputPath);
var signatureProvider = new X509SignatureProvider(timestampProvider: null);
AuthorRequest = new AuthorSignPackageRequest(_authorCertificate, HashAlgorithmName.SHA256);
RepositoryRequest = new RepositorySignPackageRequest(_repositoryCertificate, HashAlgorithmName.SHA256, HashAlgorithmName.SHA256, new Uri("https://test/api/index.json"), packageOwners: null);
var overwrite = true;
Options = SigningOptions.CreateFromFilePaths(package.FullName, outputPath, overwrite, signatureProvider, NullLogger.Instance);
}
/// <summary>
/// Sign and timestamp a package for test purposes.
/// This method timestamps a package and should only be used with tests marked with [CIOnlyFact]
/// </summary>
private static async Task SignAndTimeStampPackageAsync(
TestLogger testLogger,
string inputPackagePath,
string outputPackagePath,
Uri timestampService,
AuthorSignPackageRequest request)
{
var testSignatureProvider = new X509SignatureProvider(new Rfc3161TimestampProvider(timestampService));
var overwrite = false;
using (var options = SigningOptions.CreateFromFilePaths(
inputPackagePath,
outputPackagePath,
overwrite,
testSignatureProvider,
testLogger))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
}
}
/// <summary>
/// Sign a package for test purposes.
/// This does not timestamp a signature and can be used outside corp network.
/// </summary>
private static async Task SignPackageAsync(TestLogger testLogger, X509Certificate2 certificate, string inputPackagePath, string outputPackagePath)
{
#if IS_DESKTOP
var testSignatureProvider = new X509SignatureProvider(timestampProvider: null);
using (var cert = new X509Certificate2(certificate))
using (var request = new AuthorSignPackageRequest(cert, HashAlgorithmName.SHA256))
{
const bool overwrite = false;
using (var options = SigningOptions.CreateFromFilePaths(
inputPackagePath,
outputPackagePath,
overwrite,
testSignatureProvider,
testLogger))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
}
}
#endif
}
/// <summary>
/// Generates a Signature for a package.
/// </summary>
/// <param name="testCert">Certificate to be used while generating the signature.</param>
/// <param name="packageStream">Package stream for which the signature has to be generated.</param>
/// <param name="timestampProvider">An optional timestamp provider.</param>
/// <returns>Signature for the package.</returns>
public static async Task <Signature> CreateSignatureForPackageAsync(
X509Certificate2 testCert,
Stream packageStream,
ITimestampProvider timestampProvider = null)
{
var testLogger = new TestLogger();
var hashAlgorithm = HashAlgorithmName.SHA256;
using (var request = new AuthorSignPackageRequest(testCert, hashAlgorithm))
using (var package = new PackageArchiveReader(packageStream, leaveStreamOpen: true))
{
var zipArchiveHash = await package.GetArchiveHashAsync(request.SignatureHashAlgorithm, CancellationToken.None);
var base64ZipArchiveHash = Convert.ToBase64String(zipArchiveHash);
var signatureContent = new SignatureContent(SigningSpecifications.V1, hashAlgorithm, base64ZipArchiveHash);
var testSignatureProvider = new X509SignatureProvider(timestampProvider);
return(await testSignatureProvider.CreateSignatureAsync(request, signatureContent, testLogger, CancellationToken.None));
}
}
private static async Task AddSignatureAndUpdatePackageAsync(
ILogger logger,
ISignatureProvider signatureProvider,
AuthorSignPackageRequest request,
string packagePath,
string outputPath,
CancellationToken token)
{
var originalPackageCopyPath = CopyPackage(packagePath);
using (var packageReadStream = File.OpenRead(packagePath))
using (var packageWriteStream = File.Open(originalPackageCopyPath, FileMode.Open))
using (var package = new SignedPackageArchive(packageReadStream, packageWriteStream))
{
var signer = new Signer(package, signatureProvider);
await signer.SignAsync(request, logger, token);
}
OverwritePackage(originalPackageCopyPath, outputPath);
FileUtility.Delete(originalPackageCopyPath);
}
public async Task <bool> SignAsync(string packagePath, string outputPath, string timestampUrl, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, bool overwrite, X509Certificate2 publicCertificate, System.Security.Cryptography.RSA rsa)
{
var fileName = Path.GetFileName(packagePath);
logger.LogInformation($"{nameof(SignAsync)} [{fileName}]: Begin Signing {packagePath}");
var signatureProvider = new KeyVaultSignatureProvider(rsa, new Rfc3161TimestampProvider(new Uri(timestampUrl)));
var request = new AuthorSignPackageRequest(publicCertificate, signatureHashAlgorithm, timestampHashAlgorithm);
string originalPackageCopyPath = null;
try
{
originalPackageCopyPath = CopyPackage(packagePath);
using (var options = SigningOptions.CreateFromFilePaths(originalPackageCopyPath, outputPath, overwrite, signatureProvider, new NuGetLogger(logger, fileName)))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
}
}
catch (Exception e)
{
logger.LogError(e, e.Message);
return(false);
}
finally
{
try
{
FileUtility.Delete(originalPackageCopyPath);
}
catch
{
}
logger.LogInformation($"{nameof(SignAsync)} [{fileName}]: End Signing {packagePath}");
}
return(true);
}
internal Test(X509Certificate2 certificate)
{
_directory = TestDirectory.Create();
_authorCertificate = new X509Certificate2(certificate);
_repositoryCertificate = new X509Certificate2(certificate);
var outputPath = GetNewTempFilePath();
OutputFile = new FileInfo(outputPath);
var packageContext = new SimpleTestPackageContext();
var packageFileName = Guid.NewGuid().ToString();
var package = packageContext.CreateAsFile(_directory, packageFileName);
var signatureProvider = new X509SignatureProvider(timestampProvider: null);
AuthorRequest = new AuthorSignPackageRequest(_authorCertificate, HashAlgorithmName.SHA256);
RepositoryRequest = new RepositorySignPackageRequest(_repositoryCertificate, HashAlgorithmName.SHA256, HashAlgorithmName.SHA256, new Uri("https://test/api/index.json"), packageOwners: null);
var overwrite = true;
Options = SigningOptions.CreateFromFilePaths(package.FullName, outputPath, overwrite, signatureProvider, NullLogger.Instance);
}
internal static SignTest Create(
X509Certificate2 certificate,
HashAlgorithmName hashAlgorithm,
byte[] package = null,
ISignatureProvider signatureProvider = null)
{
var directory = TestDirectory.Create();
var signedPackageFile = new FileInfo(Path.Combine(directory, Guid.NewGuid().ToString()));
var outputPackageFile = new FileInfo(Path.Combine(directory, Guid.NewGuid().ToString()));
if (package == null)
{
File.WriteAllBytes(signedPackageFile.FullName, Array.Empty <byte>());
}
else
{
using (var fileStream = signedPackageFile.Create())
{
fileStream.Write(package, 0, package.Length);
}
}
signatureProvider = signatureProvider ?? Mock.Of <ISignatureProvider>();
var logger = new TestLogger();
var request = new AuthorSignPackageRequest(certificate, hashAlgorithm);
var overwrite = false;
var options = SigningOptions.CreateFromFilePaths(
signedPackageFile.FullName,
outputPackageFile.FullName,
overwrite,
signatureProvider,
logger);
return(new SignTest(
request,
directory,
options,
logger));
}
