public async Task <TimestampServiceWithUnavailableRevocation> CreateTimestampServiceWithUnavailableRevocationAsync() { var testServer = await _testServer.Value; var rootCa = CertificateAuthority.Create(testServer.Url); var rootCertificate = rootCa.Certificate.ToX509Certificate2(); var trust = new TrustedTestCert <X509Certificate2>( rootCertificate, certificate => certificate, StoreName.Root, StoreLocation.LocalMachine); var timestampService = TimestampService.Create(rootCa); var disposable = new DisposableList <IDisposable> { rootCertificate, trust }; Task WaitForResponseExpirationAsync() { return(rootCa.OcspResponder.WaitForResponseExpirationAsync(timestampService.Certificate)); } return(new TimestampServiceWithUnavailableRevocation( testServer, timestampService, WaitForResponseExpirationAsync, disposable)); }
private static async Task <List <SignatureLog> > VerifyUnavailableRevocationInfo( SignatureVerificationStatus expectedStatus, LogLevel expectedLogLevel, SignedPackageVerifierSettings setting) { var verificationProvider = new SignatureTrustAndValidityVerificationProvider(); using (var nupkgStream = new MemoryStream(GetResource("UnavailableCrlPackage.nupkg"))) using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false)) { // Read a signature that is valid in every way except that the CRL information is unavailable. var signature = await package.GetSignatureAsync(CancellationToken.None); var rootCertificate = SignatureUtility.GetPrimarySignatureCertificates(signature).Last(); // Trust the root CA of the signing certificate. using (var testCertificate = TrustedTestCert.Create( rootCertificate, StoreName.Root, StoreLocation.LocalMachine, maximumValidityPeriod: TimeSpan.MaxValue)) { // Act var result = await verificationProvider.GetTrustResultAsync(package, signature, setting, CancellationToken.None); // Assert Assert.Equal(expectedStatus, result.Trust); return(result .Issues .Where(x => x.Level >= expectedLogLevel) .OrderBy(x => x.Message) .ToList()); } } }
public async Task DotnetSign_ResignPackageWithOverwrite_SuccessAsync() { // Arrange using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext()) { await SimpleTestPackageUtility.CreatePackagesAsync( pathContext.PackageSource, new SimpleTestPackageContext("PackageA", "1.0.0")); var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg"); TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf; //Act CommandRunnerResult firstResult = _msbuildFixture.RunDotnet( pathContext.PackageSource, $"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation}", ignoreExitCode: true); CommandRunnerResult secondResult = _msbuildFixture.RunDotnet( pathContext.PackageSource, $"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation} --overwrite", ignoreExitCode: true); // Assert firstResult.Success.Should().BeTrue(because: firstResult.AllOutput); firstResult.AllOutput.Should().Contain(_noTimestamperWarningCode); secondResult.Success.Should().BeTrue(); secondResult.AllOutput.Should().Contain(_noTimestamperWarningCode); } }
public async Task DotnetSign_SignPackageWithPfxFileOfRelativePath_SuccessAsync() { // Arrange using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext()) { await SimpleTestPackageUtility.CreatePackagesAsync( pathContext.PackageSource, new SimpleTestPackageContext("PackageA", "1.0.0")); var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg"); TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf; var pfxName = Guid.NewGuid().ToString() + ".pfx"; var pfxPath = Path.Combine(pathContext.PackageSource, pfxName); var password = Guid.NewGuid().ToString(); var pfxBytes = trustedCert.Source.Cert.Export(X509ContentType.Pfx, password); File.WriteAllBytes(pfxPath, pfxBytes); //Act CommandRunnerResult result = _msbuildFixture.RunDotnet( pathContext.PackageSource, $"nuget sign {packageFilePath} --certificate-path .{Path.DirectorySeparatorChar}{pfxName} --certificate-password {password}", ignoreExitCode: true); // Assert result.Success.Should().BeTrue(because: result.AllOutput); result.AllOutput.Should().Contain(_noTimestamperWarningCode); } }
public async Task DotnetSign_SignPackageWithOutputDirectory_SucceedsAsync() { // Arrange using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext()) { await SimpleTestPackageUtility.CreatePackagesAsync( pathContext.PackageSource, new SimpleTestPackageContext("PackageA", "1.0.0")); var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg"); var outputDir = Path.Combine(pathContext.WorkingDirectory, "Output"); Directory.CreateDirectory(outputDir); TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf; //Act CommandRunnerResult result = _msbuildFixture.RunDotnet( pathContext.PackageSource, $"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation} --output {outputDir}", ignoreExitCode: true); var signedPackagePath = Path.Combine(outputDir, "PackageA.1.0.0.nupkg"); // Assert result.Success.Should().BeTrue(because: result.AllOutput); result.AllOutput.Should().Contain(_noTimestamperWarningCode); File.Exists(signedPackagePath).Should().BeTrue(); } }
public async Task DotnetSign_SignPackageWithUnknownRevocationCertChain_SucceedsAsync() { // Arrange using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext()) { await SimpleTestPackageUtility.CreatePackagesAsync( pathContext.PackageSource, new SimpleTestPackageContext("PackageA", "1.0.0")); var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg"); TrustedTestCert <TestCertificate> revocationUnknownCert = _signFixture.RevocationUnknownTestCertificateWithChain; //Act CommandRunnerResult result = _msbuildFixture.RunDotnet( pathContext.PackageSource, $"nuget sign {packageFilePath} --certificate-fingerprint {revocationUnknownCert.Source.Cert.Thumbprint} --certificate-store-name {revocationUnknownCert.StoreName} --certificate-store-location {revocationUnknownCert.StoreLocation}", ignoreExitCode: true); // Assert result.Success.Should().BeTrue(because: result.AllOutput); result.AllOutput.Should().Contain(_noTimestamperWarningCode); result.AllOutput.Should().Contain(_chainBuildFailureErrorCode); result.AllOutput.Should().Contain(X509ChainStatusFlags.RevocationStatusUnknown.ToString()); } }
public async Task DotnetSign_SignPackageWithTimestamping_SucceedsAsync() { // Arrange using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext()) { await SimpleTestPackageUtility.CreatePackagesAsync( pathContext.PackageSource, new SimpleTestPackageContext("PackageA", "1.0.0")); var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg"); var timestampService = await _signFixture.GetDefaultTrustedTimestampServiceAsync(); TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf; //Act CommandRunnerResult result = _msbuildFixture.RunDotnet( pathContext.PackageSource, $"nuget sign {packageFilePath} --certificate-fingerprint {trustedCert.Source.Cert.Thumbprint} --certificate-store-name {trustedCert.StoreName} --certificate-store-location {trustedCert.StoreLocation} --timestamper {timestampService.Url.OriginalString}", ignoreExitCode: true); // Assert result.Success.Should().BeTrue(because: result.AllOutput); result.AllOutput.Should().NotContain(_noTimestamperWarningCode); } }
public async Task DotnetSign_SignPackageWithPfxFileWithoutPasswordAndWithNonInteractive_FailsAsync() { // Arrange using (var pathContext = _msbuildFixture.CreateSimpleTestPathContext()) { await SimpleTestPackageUtility.CreatePackagesAsync( pathContext.PackageSource, new SimpleTestPackageContext("PackageA", "1.0.0")); var packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg"); TrustedTestCert <TestCertificate> trustedCert = _signFixture.TrustedTestCertificateChain.Leaf; var pfxPath = Path.Combine(pathContext.WorkingDirectory, Guid.NewGuid().ToString()); var password = Guid.NewGuid().ToString(); var pfxBytes = trustedCert.Source.Cert.Export(X509ContentType.Pfx, password); File.WriteAllBytes(pfxPath, pfxBytes); //Act CommandRunnerResult result = _msbuildFixture.RunDotnet( pathContext.PackageSource, $"nuget sign {packageFilePath} --certificate-path {pfxPath}", ignoreExitCode: true); // Assert result.Success.Should().BeFalse(because: result.AllOutput); result.AllOutput.Should().Contain(string.Format(_invalidPasswordError, pfxPath)); } }
public async Task DotnetTrust_AuthorAction_RelativePathConfileFile_Succeeds(bool allowUntrustedRoot) { // Arrange var nugetConfigFileName = "NuGet.Config"; var package = new SimpleTestPackageContext(); using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext()) using (MemoryStream zipStream = await package.CreateAsStreamAsync()) using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate()) { string certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256); string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource); var config = $@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> <packageSources> <!--To inherit the global NuGet package sources remove the <clear/> line below --> <clear /> <add key=""NuGetSource"" value=""{pathContext.PackageSource}"" /> </packageSources> <config> <add key=""signaturevalidationmode"" value=""accept"" /> </config> <trustedSigners> </trustedSigners> </configuration>"; SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config); var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName); var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty; var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false"; // Act CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile ..{Path.DirectorySeparatorChar}{nugetConfigFileName}"); // Assert resultAdd.Success.Should().BeTrue(); resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "author", "nuget")); string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> <packageSources> <!--To inherit the global NuGet package sources remove the < clear /> line below--> <clear/> <add key = ""NuGetSource"" value = ""{pathContext.PackageSource}""/> </packageSources > <config> <add key = ""signaturevalidationmode"" value = ""accept""/> </config> < trustedSigners> <author name = ""nuget""> <certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/> </author> </trustedSigners> </configuration>"); SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult); } }
public PrimarySignatureTests(SigningTestFixture fixture) { _testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture)); _trustedTestCert = _testFixture.TrustedTestCertificate; _trustProviders = _testFixture.TrustProviders; _signingSpecifications = _testFixture.SigningSpecifications; }
public VerifyCommandTests(SignCommandTestFixture fixture) { _testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture)); _trustedTestCert = _testFixture.TrustedTestCertificate; _nugetExePath = _testFixture.NuGetExePath; _timestamper = _testFixture.Timestamper; }
private async Task <CertificateAuthority> CreateDefaultTrustedCertificateAuthorityAsync() { var testServer = await _testServer.Value; var rootCa = CertificateAuthority.Create(testServer.Url); var intermediateCa = rootCa.CreateIntermediateCertificateAuthority(); var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded()); StoreLocation storeLocation = CertificateStoreUtilities.GetTrustedCertificateStoreLocation(); _trustedTimestampRoot = TrustedTestCert.Create( rootCertificate, StoreName.Root, storeLocation); var ca = intermediateCa; while (ca != null) { _responders.Add(testServer.RegisterResponder(ca)); _responders.Add(testServer.RegisterResponder(ca.OcspResponder)); ca = ca.Parent; } return(intermediateCa); }
public MSSignCommandTests(MSSignCommandTestFixture fixture) { _testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture)); _trustedTestCertWithPrivateKey = _testFixture.TrustedTestCertificateWithPrivateKey; _trustedTestCertWithoutPrivateKey = _testFixture.TrustedTestCertificateWithoutPrivateKey; _nugetExePath = _testFixture.NuGetExePath; }
public IntegrityVerificationProviderTests(SigningTestFixture fixture) { _testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture)); _trustedTestCert = _testFixture.TrustedTestCertificate; _trustProviders = new List <ISignatureVerificationProvider>() { new IntegrityVerificationProvider() }; }
public async Task AcceptsTrustedSigningCertificateWithUnavailableRevocation() { // Arrange var testServer = await _fixture.GetTestServerAsync(); var rootCa = CertificateAuthority.Create(testServer.Url); var intermediateCa = rootCa.CreateIntermediateCertificateAuthority(); var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded()); var signingCertificate = _fixture.CreateSigningCertificate(intermediateCa); using (var trust = new TrustedTestCert <X509Certificate2>( rootCertificate, x => x, StoreName.Root, StoreLocation.LocalMachine)) { byte[] packageBytes; using (testServer.RegisterResponders(intermediateCa)) { packageBytes = await _fixture.GenerateSignedPackageBytesAsync( TestResources.SignedPackageLeaf1, signingCertificate, await _fixture.GetTimestampServiceUrlAsync(), _output); } // Wait one second for the OCSP response cached by the operating system during signing to get stale. // This can be mitigated by leaving the OCSP unavailable during signing once this work item is done: // https://github.com/NuGet/Home/issues/6508 await Task.Delay(TimeSpan.FromSeconds(1)); TestUtility.RequireSignedPackage(_corePackageService, TestResources.SignedPackageLeafId, signingCertificate.ComputeSHA256Thumbprint()); _packageStream = new MemoryStream(packageBytes); SignatureValidatorResult result; using (testServer.RegisterResponders(intermediateCa, addOcsp: false)) { // Act result = await _target.ValidateAsync( _packageKey, _packageStream, _message, _token); } // Assert VerifyPackageSigningStatus(result, ValidationStatus.Succeeded, PackageSigningStatus.Valid); Assert.Empty(result.Issues); var allMessages = string.Join(Environment.NewLine, _logger.Messages); Assert.Contains("NU3018: The revocation function was unable to check revocation because the revocation server was offline.", allMessages); Assert.Contains("NU3018: The revocation function was unable to check revocation for the certificate.", allMessages); } }
public CertificatesFixture() { _defaultCertificate = SigningTestUtility.GenerateCertificate("test", generator => { }); X509Certificate2 _defaultCertificateForTrust = SigningTestUtility.GenerateCertificate("test trusted", generator => { }); _trustedDefaultCertificate = TrustedTestCert.Create( new X509Certificate2(_defaultCertificateForTrust), StoreName.My, StoreLocation.CurrentUser); }
public async Task VerifySignaturesAsync_WithExpiredPrimarySignature_ValidCountersignature_AndPrimarySignatureExpiredAtCountersignTime_FailsAsync() { // Arrange var nupkg = new SimpleTestPackageContext(); TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync(); var settings = new SignedPackageVerifierSettings( allowUnsigned: false, allowIllegal: false, allowUntrusted: false, allowIgnoreTimestamp: true, allowMultipleTimestamps: true, allowNoTimestamp: true, allowUnknownRevocation: true, reportUnknownRevocation: true, verificationTarget: VerificationTarget.All, signaturePlacement: SignaturePlacement.Any, repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExists, revocationMode: RevocationMode.Online); using (TestDirectory dir = TestDirectory.Create()) using (TrustedTestCert <TestCertificate> trustedCertificate = _testFixture.CreateTrustedTestCertificateThatWillExpireSoon()) using (var willExpireCert = new X509Certificate2(trustedCertificate.Source.Cert)) using (var repoTestCertificate = new X509Certificate2(_trustedTestCert.Source.Cert)) { string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync( willExpireCert, nupkg, dir); await SignatureTestUtility.WaitForCertificateExpirationAsync(willExpireCert); string countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync( repoTestCertificate, signedPackagePath, dir, TestServiceIndexUrl, timestampService.Url); var verifier = new PackageSignatureVerifier(_trustProviders); using (var packageReader = new PackageArchiveReader(countersignedPackagePath)) { // Act VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None); IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any()); // Assert result.IsValid.Should().BeFalse(); resultsWithErrors.Count().Should().Be(1); } } }
public async Task RejectsUntrustedTimestampingCertificate() { // Arrange var testServer = await _fixture.GetTestServerAsync(); var untrustedRootCa = CertificateAuthority.Create(testServer.Url); var untrustedRootCertficate = new X509Certificate2(untrustedRootCa.Certificate.GetEncoded()); var timestampService = TimestampService.Create(untrustedRootCa); using (testServer.RegisterDefaultResponders(timestampService)) { byte[] packageBytes; using (var temporaryTrust = new TrustedTestCert <X509Certificate2>( untrustedRootCertficate, x => x, StoreName.Root, StoreLocation.LocalMachine)) { packageBytes = await _fixture.GenerateSignedPackageBytesAsync( TestResources.SignedPackageLeaf1, await _fixture.GetSigningCertificateAsync(), timestampService.Url, _output); } TestUtility.RequireSignedPackage(_corePackageService, TestResources.SignedPackageLeafId, await _fixture.GetSigningCertificateThumbprintAsync()); _packageStream = new MemoryStream(packageBytes); _message = new SignatureValidationMessage( TestResources.SignedPackageLeafId, TestResources.SignedPackageLeaf1Version, new Uri($"https://unit.test/validation/{TestResources.SignedPackageLeaf1.ToLowerInvariant()}"), Guid.NewGuid()); // Act var result = await _target.ValidateAsync( _packageKey, _packageStream, _message, _token); // Assert VerifyPackageSigningStatus(result, ValidationStatus.Failed, PackageSigningStatus.Invalid); var issue = Assert.Single(result.Issues); var clientIssue = Assert.IsType <ClientSigningVerificationFailure>(issue); Assert.Equal("NU3028", clientIssue.ClientCode); Assert.Equal( "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.", clientIssue.ClientMessage); } }
public async Task DotnetTrust_RepositoryAction_Succeeds(bool allowUntrustedRoot, string owners) { // Arrange var nugetConfigFileName = "NuGet.Config"; var package = new SimpleTestPackageContext(); using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext()) using (MemoryStream zipStream = await package.CreateAsStreamAsync()) using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate()) { var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256); var repoServiceIndex = "https://serviceindex.test/v3/index.json"; var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex)); var config = $@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> </configuration>"; SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config); var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName); var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty; var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false"; var ownersArgs = string.Empty; var expectedOwners = string.Empty; if (owners != null) { ownersArgs = $"--owners {owners}"; expectedOwners = $"<owners>{owners}</owners>"; } // Act CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust repository nuget {signedPackagePath} {allowUntrustedRootArg} {ownersArgs} --configfile {nugetConfigPath}"); // Assert resultAdd.Success.Should().BeTrue(); resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "repository", "nuget")); string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> < trustedSigners> <repository name = ""nuget"" serviceIndex=""https://serviceindex.test/v3/index.json""> < certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/>{expectedOwners} </repository> </trustedSigners> </configuration>"); SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult); } }
public async Task DotnetTrust_CertificateFingerPrintAction_WithExistingSigner_AppendSucceeds(bool allowUntrustedRoot) { // Arrange var nugetConfigFileName = "NuGet.Config"; var package = new SimpleTestPackageContext(); using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext()) using (MemoryStream zipStream = await package.CreateAsStreamAsync()) using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate()) { var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256); var repoServiceIndex = "https://serviceindex.test/v3/index.json"; var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex)); var config = @"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> <trustedSigners> <author name=""MyCompanyCert""> <certificate fingerprint=""abcdefg"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" /> </author> </trustedSigners> </configuration>"; SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config); var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName); var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty; var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false"; var authorName = "MyCompanyCert"; // Act CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}"); // Assert resultAdd.Success.Should().BeTrue(); resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, "Successfully updated the trusted signer '{0}'.", authorName)); string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> < trustedSigners> <author name = ""{authorName}""> < certificate fingerprint = ""abcdefg"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""false""/> < certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/> </author> </trustedSigners> </configuration>"); SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult); } }
public AllowListVerificationProviderTests(SigningTestFixture fixture) { _testFixture = fixture ?? throw new ArgumentNullException(nameof(fixture)); _trustedTestCert = _testFixture.TrustedTestCertificate; _settings = new SignedPackageVerifierSettings( allowUnsigned: false, allowIllegal: false, allowUntrusted: false, allowUntrustedSelfIssuedCertificate: true, allowIgnoreTimestamp: true, allowMultipleTimestamps: true, allowNoTimestamp: true, allowUnknownRevocation: true); }
private async Task <CertificateAuthority> CreateDefaultTrustedRootCertificateAuthorityAsync() { var testServer = await GetTestServerAsync(); var rootCa = CertificateAuthority.Create(testServer.Url); var rootCertificate = new X509Certificate2(rootCa.Certificate.GetEncoded()); _trustedRoot = new TrustedTestCert <X509Certificate2>( rootCertificate, certificate => certificate, StoreName.Root, StoreLocation.LocalMachine); return(rootCa); }
private void CreateSignedPackageWithExpiredCertificate() { _expiredSignedTestPackageV1Directory = TestDirectory.Create(); _trustedExpiredTestCert = SigningTestUtility.GenerateTrustedTestCertificateThatExpiresIn5Seconds(); _expiredSignedTestPackageV1 = Utils.CreatePackage(_expiredTestPackageName, _packageVersion); _expiredSignedTestPackageV1.AuthorSignatureCertificate = _trustedExpiredTestCert.Source.Cert; SimpleTestPackageUtility.CreatePackages(_expiredSignedTestPackageV1Directory, _expiredSignedTestPackageV1); _expiredSignedTestPackageV1Path = Path.Combine(_expiredSignedTestPackageV1Directory, _expiredSignedTestPackageV1.PackageName); // Wait for cert to expire Thread.Sleep(5000); Assert.True(IsCertificateExpired(_trustedExpiredTestCert.Source.Cert)); }
private async Task <CertificateAuthority> CreateDefaultTrustedRootCertificateAuthorityAsync() { var testServer = await GetTestServerAsync(); var rootCa = CertificateAuthority.Create(testServer.Url); var rootCertificate = rootCa.Certificate.ToX509Certificate2(); _trustedRoot = new TrustedTestCert <X509Certificate2>( rootCertificate, certificate => certificate, StoreName.Root, StoreLocation.LocalMachine); _responders.AddRange(testServer.RegisterResponders(rootCa)); return(rootCa); }
public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_CorrectOwners_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint) { // Arrange TrustedTestCert <TestCertificate> cert = _testFixture.TrustedTestCertificateChain.Leaf; using (var pathContext = new SimpleTestPathContext()) { var package = new SimpleTestPackageContext(); string certFingerprint = SignatureTestUtility.GetFingerprint(cert.Source.Cert, HashAlgorithmName.SHA256); var packageOwners = new List <string>() { "nuget", "contoso" }; string repoServiceIndex = "https://serviceindex.test/v3/index.json"; string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(cert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex), null, packageOwners); string testDirectory = pathContext.WorkingDirectory; string trustedSignersSectionContent = $@" <trustedSigners> <repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}""> <certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> <owners>nuget;Contoso</owners> </repository> </trustedSigners> "; SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration"); string fingerprint = verifyCertificateFingerprint ? $"-CertificateFingerprint {certFingerprint};def" : string.Empty; //Act CommandRunnerResult verifyResult = CommandRunner.Run( _nugetExePath, pathContext.PackageSource, $"verify {signedPackagePath} -Signatures {fingerprint}", waitForExit: true); // Assert // For certificate with trusted root setting allowUntrustedRoot value true/false doesn't matter. // Owners is casesensitive, here owner "nuget" matches verifyResult.Success.Should().BeTrue(); verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode); } }
public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_WrongOwners_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint) { // Arrange TrustedTestCert <TestCertificate> cert = _signFixture.TrustedTestCertificateChain.Leaf; using (var pathContext = new SimpleTestPathContext()) { var package = new SimpleTestPackageContext(); string certFingerprint = SignatureTestUtility.GetFingerprint(cert.Source.Cert, HashAlgorithmName.SHA256); var packageOwners = new List <string>() { "nuget", "contoso" }; string repoServiceIndex = "https://serviceindex.test/v3/index.json"; string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(cert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex), null, packageOwners); string testDirectory = pathContext.WorkingDirectory; // Arrange string trustedSignersSectionContent = $@" <trustedSigners> <repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}""> <certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> <owners>Nuget;Contoso</owners> </repository> </trustedSigners> "; SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration"); string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certFingerprint} --certificate-fingerprint DEF" : string.Empty; //Act CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet( testDirectory, $"nuget verify {signedPackagePath} {fingerprint}", ignoreExitCode: true); // Assert // Owners is casesensitive, owner info should be "nuget;contoso" not "Nuget;Contoso" verifyResult.Success.Should().BeFalse(); verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode); } }
public async Task DotnetTrust_CertificateFingerPrintAction_TryAddSameFingerPrint_Fails(bool allowUntrustedRoot) { // Arrange var nugetConfigFileName = "NuGet.Config"; var package = new SimpleTestPackageContext(); using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext()) using (MemoryStream zipStream = await package.CreateAsStreamAsync()) using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate()) { var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256); var repoServiceIndex = "https://serviceindex.test/v3/index.json"; var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex)); var config = $@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> </configuration>"; SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config); var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName); var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty; var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false"; var authorName = "MyCompanyCert"; // Act CommandRunnerResult result = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}"); // Assert result.Success.Should().BeTrue(); result.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "author", authorName)); // Try to add same certificate fingerprint should fail result = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}", ignoreExitCode: true); // Main assert result.Success.Should().BeFalse(); result.AllOutput.Should().Contain("The certificate finger you're trying to add is already in the certificate fingerprint list"); result.AllOutput.Should().NotContain("--help"); } }
public async Task DotnetTrust_RemoveAction_Succeeds() { // Arrange var nugetConfigFileName = "NuGet.Config"; var package = new SimpleTestPackageContext(); using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext()) using (MemoryStream zipStream = await package.CreateAsStreamAsync()) using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate()) { var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256); var repoServiceIndex = "https://serviceindex.test/v3/index.json"; var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex)); var repositoryName = "nuget"; var config = $@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> <trustedSigners> <repository name = ""{repositoryName}"" serviceIndex=""https://serviceindex.test/v3/index.json""> <certificate fingerprint=""abcdef"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false""/> </repository> </trustedSigners> </configuration>"; SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config); var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName); // Act CommandRunnerResult resultSync = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust remove {repositoryName} --configfile {nugetConfigPath}"); // Assert resultSync.Success.Should().BeTrue(); resultSync.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulRemoveTrustedSigner, repositoryName)); string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> </configuration>"); SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult); } }
public async Task VerifySignaturesAsync_WithSignedTimestampedCountersignedAndCountersignatureTimestampedPackage_SucceedsAsync() { // Arrange var nupkg = new SimpleTestPackageContext(); TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync(); using (TestDirectory dir = TestDirectory.Create()) using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert)) using (TrustedTestCert <TestCertificate> trusted = SigningTestUtility.GenerateTrustedTestCertificate()) using (var counterCertificate = new X509Certificate2(trusted.Source.Cert)) { string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync( testCertificate, nupkg, dir, timestampService.Url); string repositorySignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync( counterCertificate, signedPackagePath, dir, TestServiceIndexUrl, timestampService.Url); var verifier = new PackageSignatureVerifier(_trustProviders); using (var packageReader = new PackageArchiveReader(repositorySignedPackagePath)) { // Act VerifySignaturesResult result = await verifier.VerifySignaturesAsync( packageReader, _verifyCommandSettings, CancellationToken.None); IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any()); // Assert result.IsValid.Should().BeTrue(); resultsWithErrors.Count().Should().Be(0); } } }
public async Task DotnetTrust_AuthorAction_TryAddSameAuthor_Fails(bool allowUntrustedRoot) { // Arrange var nugetConfigFileName = "NuGet.Config"; var package = new SimpleTestPackageContext(); using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext()) using (MemoryStream zipStream = await package.CreateAsStreamAsync()) using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate()) { string certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256); string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource); var config = $@"<?xml version=""1.0"" encoding=""utf-8""?> <configuration> </configuration>"; SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config); var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName); var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty; var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false"; // Act CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile {nugetConfigPath}"); // Assert resultAdd.Success.Should().BeTrue(); // Try to add same author again. resultAdd = _msbuildFixture.RunDotnet( pathContext.SolutionRoot, $"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile {nugetConfigPath}", ignoreExitCode: true); // Main assert resultAdd.Success.Should().BeFalse(); resultAdd.AllOutput.Should().Contain("error: A trusted signer 'nuget' already exists."); resultAdd.AllOutput.Should().NotContain("--help"); } }