public async Task TimestampData_AssertCompleteChain_Success() { var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync(); var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url); var nupkg = new SimpleTestPackageContext(); using (var authorCert = new X509Certificate2(_trustedTestCert.Source.Cert)) using (var packageStream = nupkg.CreateAsStream()) { // Act var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync(authorCert, packageStream, timestampProvider); var authorSignedCms = signature.SignedCms; var timestamp = signature.Timestamps.First(); var timestampCms = timestamp.SignedCms; IReadOnlyList <X509Certificate2> chainCertificates = new List <X509Certificate2>(); var chainBuildSuccess = true; // rebuild the chain to get the list of certificates using (var chainHolder = new X509ChainHolder()) { var chain = chainHolder.Chain; var policy = chain.ChainPolicy; policy.ApplicationPolicy.Add(new Oid(Oids.TimeStampingEku)); policy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid | X509VerificationFlags.IgnoreCtlNotTimeValid; policy.RevocationFlag = X509RevocationFlag.ExcludeRoot; policy.RevocationMode = X509RevocationMode.Online; var timestampSignerCertificate = timestampCms.SignerInfos[0].Certificate; chainBuildSuccess = chain.Build(timestampSignerCertificate); chainCertificates = CertificateChainUtility.GetCertificateListFromChain(chain); } // Assert authorSignedCms.Should().NotBeNull(); authorSignedCms.Detached.Should().BeFalse(); authorSignedCms.ContentInfo.Should().NotBeNull(); authorSignedCms.SignerInfos.Count.Should().Be(1); authorSignedCms.SignerInfos[0].UnsignedAttributes.Count.Should().Be(1); authorSignedCms.SignerInfos[0].UnsignedAttributes[0].Oid.Value.Should().Be(Oids.SignatureTimeStampTokenAttribute); timestampCms.Should().NotBeNull(); timestampCms.Detached.Should().BeFalse(); timestampCms.ContentInfo.Should().NotBeNull(); chainBuildSuccess.Should().BeTrue(); chainCertificates.Count.Should().Be(timestampCms.Certificates.Count); foreach (var cert in chainCertificates) { timestampCms.Certificates.Contains(cert).Should().BeTrue(); } } }
public async Task HasRepositoryCountersignature_WithSignatureWithoutRepositoryCountersignature_ReturnsFalseAsync() { using (var certificate = _fixture.GetDefaultCertificate()) { var packageContext = new SimpleTestPackageContext(); var unsignedPackageStream = packageContext.CreateAsStream(); var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync( certificate, unsignedPackageStream); var hasRepoCountersignature = SignatureUtility.HasRepositoryCountersignature(signature); Assert.False(hasRepoCountersignature); } }
public async Task GetTrustResultAsync_SettingsRequireExactlyOneTimestamp_MultipleTimestamps_Fails() { // Arrange var nupkg = new SimpleTestPackageContext(); var testLogger = new TestLogger(); var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync(); var setting = new SignedPackageVerifierSettings( allowUnsigned: false, allowIllegal: false, allowUntrusted: false, allowUntrustedSelfIssuedCertificate: false, allowIgnoreTimestamp: false, allowMultipleTimestamps: false, allowNoTimestamp: false, allowUnknownRevocation: false, allowNoClientCertificateList: true, allowNoRepositoryCertificateList: true); var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url); var verificationProvider = new SignatureTrustAndValidityVerificationProvider(); using (var package = new PackageArchiveReader(nupkg.CreateAsStream(), leaveStreamOpen: false)) using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert)) using (var signatureRequest = new AuthorSignPackageRequest(testCertificate, HashAlgorithmName.SHA256)) { var signature = await SignedArchiveTestUtility.CreatePrimarySignatureForPackageAsync(package, signatureRequest); var timestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, signature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger); var reTimestampedSignature = await SignedArchiveTestUtility.TimestampSignature(timestampProvider, timestampedSignature, signatureRequest.TimestampHashAlgorithm, SignaturePlacement.PrimarySignature, testLogger); timestampedSignature.Timestamps.Count.Should().Be(1); reTimestampedSignature.Timestamps.Count.Should().Be(2); // Act var result = await verificationProvider.GetTrustResultAsync(package, reTimestampedSignature, setting, CancellationToken.None); var totalErrorIssues = result.GetErrorIssues(); // Assert result.Trust.Should().Be(SignatureVerificationStatus.Illegal); totalErrorIssues.Count().Should().Be(1); totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3000); } }