private PackageVerificationResult VerifyAllowList(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings) { var treatIssuesAsErrors = !settings.AllowUntrusted; var status = SignatureVerificationStatus.Valid; var issues = new List <SignatureLog>(); if (_allowList == null || _allowList.Count == 0) { if (_requireNonEmptyAllowList) { status = SignatureVerificationStatus.Disallowed; issues.Add(SignatureLog.Error(code: NuGetLogCode.NU3034, message: _emptyListErrorMessage)); } } else if (!IsSignatureAllowed(signature, _allowList)) { if (!settings.AllowUntrusted) { status = SignatureVerificationStatus.Disallowed; } issues.Add(SignatureLog.Issue(fatal: treatIssuesAsErrors, code: NuGetLogCode.NU3034, message: _noMatchErrorMessage)); } return(new SignedPackageVerificationResult(status, signature, issues)); }
private async Task <PackageVerificationResult> VerifyPackageIntegrityAsync(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings) { var status = SignatureVerificationStatus.Illegal; var issues = new List <SignatureLog>(); var validHashOids = SigningSpecifications.V1.AllowedHashAlgorithmOids; var signatureHashOid = signature.SignatureContent.HashAlgorithm.ConvertToOidString(); if (validHashOids.Contains(signatureHashOid, StringComparer.InvariantCultureIgnoreCase)) { issues.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.SignatureHashAlgorithm, signature.SignatureContent.HashAlgorithm))); try { await package.ValidateIntegrityAsync(signature.SignatureContent, CancellationToken.None); status = SignatureVerificationStatus.Valid; } catch (Exception e) { status = SignatureVerificationStatus.Suspect; issues.Add(SignatureLog.Error(NuGetLogCode.NU3008, Strings.SignaturePackageIntegrityFailure)); issues.Add(SignatureLog.DebugLog(e.ToString())); } } else { issues.Add(SignatureLog.Issue(!settings.AllowIllegal, NuGetLogCode.NU3016, Strings.SignatureFailureInvalidHashAlgorithmOid)); issues.Add(SignatureLog.DebugLog(string.Format(CultureInfo.CurrentCulture, Strings.SignatureDebug_HashOidFound, signatureHashOid))); } return(new SignedPackageVerificationResult(status, signature, issues)); }
/// <summary> /// Verify an allow list with a given request /// </summary> /// <param name="request">Information about the allow list verification to perform</param> /// <remarks>This method should never return a status unknown. Min is used to take the most severe status in <see cref="GetValidity"/> /// therefore, if unknown is returned the verification process will return an unknown status for the whole operation</remarks> private Task <SignedPackageVerificationResult> VerifyAllowList(CertificateListVerificationRequest request, bool allowUntrusted) { var status = SignatureVerificationStatus.Valid; var issues = new List <SignatureLog>(); if (request.CertificateList == null || request.CertificateList.Count == 0) { if (request.RequireCertificateList) { status = SignatureVerificationStatus.Disallowed; issues.Add(SignatureLog.Error(code: NuGetLogCode.NU3034, message: request.NoListErrorMessage)); } } else if (!IsSignatureAllowed(request.Signature, request.CertificateList)) { if (!allowUntrusted) { status = SignatureVerificationStatus.Disallowed; } issues.Add(SignatureLog.Issue(fatal: request.TreatIssuesAsErrors, code: NuGetLogCode.NU3034, message: request.NoMatchErrorMessage)); } return(Task.FromResult(new SignedPackageVerificationResult(status, request.Signature, issues))); }
/// <summary> /// Get a valid timestamp from the unsigned attributes if present /// </summary> /// <param name="settings">Specify what is allowed in the validation for timestamp</param> /// <param name="fingerprintAlgorithm">fingerprint algorithm for displaying timestamp's certificate information</param> /// <param name="issues">List of log messages.</param> /// <param name="verificationFlags">Flags that specify the status of the verification</param> /// <param name="validTimestamp">TTimestamp found in the signature that passes validation with the given <see cref="settings"/></param> /// <remarks>If <see cref="SignedPackageVerifierSettings.AllowNoTimestamp" /> is set to true this method return true with a <see cref="validTimestamp" /> set to null.</remarks> /// <returns>true if a valid timestamp was found</returns> internal bool TryGetValidTimestamp( SignedPackageVerifierSettings settings, HashAlgorithmName fingerprintAlgorithm, List <SignatureLog> issues, out SignatureVerificationStatusFlags verificationFlags, out Timestamp validTimestamp) { if (issues == null) { throw new ArgumentNullException(nameof(issues)); } if (settings == null) { throw new ArgumentNullException(nameof(settings)); } verificationFlags = SignatureVerificationStatusFlags.NoErrors; validTimestamp = null; var timestamps = Timestamps; if (timestamps.Count == 0) { issues.Add(SignatureLog.Issue(!settings.AllowNoTimestamp, NuGetLogCode.NU3027, Strings.ErrorNoTimestamp)); if (!settings.AllowNoTimestamp) { verificationFlags |= SignatureVerificationStatusFlags.NoValidTimestamp; return(false); } } if (timestamps.Count > 1 && !settings.AllowMultipleTimestamps) { issues.Add(SignatureLog.Error(NuGetLogCode.NU3000, Strings.ErrorMultipleTimestamps)); verificationFlags |= SignatureVerificationStatusFlags.MultipleTimestamps; return(false); } var timestamp = timestamps.FirstOrDefault(); if (timestamp != null) { verificationFlags |= timestamp.Verify(this, settings, fingerprintAlgorithm, issues); if (verificationFlags != SignatureVerificationStatusFlags.NoErrors && verificationFlags != SignatureVerificationStatusFlags.UnknownRevocation) { return(false); } validTimestamp = timestamp; } return(true); }
/// <summary> /// Verify if the signature object meets the specification trust and validity requirements. /// </summary> /// <param name="timestamp">Timestamp for this signature, if signature is not timestamped it can be null.</param> /// <param name="allowUntrusted">Setting that tells if a signature that does not meet any soft failure requirements can still be allowed. Used to know if warnings or errors should be logged for an issue.</param> /// <param name="allowUnknownRevocation">Setting that tells if unkown revocation is valid when building the chain.</param> /// <param name="allowUntrustedSelfSignedCertificate">Setting that tells if an untrusted self-signed certificate should be allowed as the signing certificate.</param> /// <param name="fingerprintAlgorithm">Algorithm used to calculate and display the certificate's fingerprint.</param> /// <param name="certificateExtraStore">Collection of certificates to help the chain building engine as an extra store.</param> /// <param name="issues">List of log messages.</param> /// <remarks>This is only public for ease of testing</remarks> /// <returns>Status of trust for signature.</returns> public virtual SignatureVerificationSummary Verify( Timestamp timestamp, SignatureVerifySettings settings, HashAlgorithmName fingerprintAlgorithm, X509Certificate2Collection certificateExtraStore) { settings = settings ?? SignatureVerifySettings.Default; var flags = SignatureVerificationStatusFlags.NoErrors; var issues = new List <SignatureLog>(); SignatureVerificationStatus status; var certificate = SignerInfo.Certificate; if (certificate == null) { issues.Add(SignatureLog.Issue(!settings.AllowIllegal, NuGetLogCode.NU3010, string.Format(CultureInfo.CurrentCulture, Strings.Verify_ErrorNoCertificate, FriendlyName))); flags |= SignatureVerificationStatusFlags.NoCertificate; status = settings.AllowIllegal? SignatureVerificationStatus.Valid: SignatureVerificationStatus.Disallowed; return(new SignatureVerificationSummary(Type, status, flags, issues)); } issues.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.VerificationCertDisplay, FriendlyName, $"{Environment.NewLine}{CertificateUtility.X509Certificate2ToString(certificate, fingerprintAlgorithm)}"))); try { SignerInfo.CheckSignature(verifySignatureOnly: true); } catch (Exception e) { issues.Add(SignatureLog.Issue(!settings.AllowIllegal, NuGetLogCode.NU3012, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_SignatureVerificationFailed, FriendlyName))); issues.Add(SignatureLog.DebugLog(e.ToString())); flags |= SignatureVerificationStatusFlags.SignatureCheckFailed; status = settings.AllowIllegal ? SignatureVerificationStatus.Valid : SignatureVerificationStatus.Disallowed; return(new SignatureVerificationSummary(Type, status, flags, issues)); } DateTimeOffset?expirationTime = null; var certificateFlags = VerificationUtility.ValidateSigningCertificate(certificate, !settings.AllowIllegal, FriendlyName, issues); if (certificateFlags != SignatureVerificationStatusFlags.NoErrors) { flags |= certificateFlags; } else { timestamp = timestamp ?? new Timestamp(); using (var chainHolder = new X509ChainHolder()) { var chain = chainHolder.Chain; // This flag should only be set for verification scenarios, not signing. chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid; CertificateChainUtility.SetCertBuildChainPolicy(chain.ChainPolicy, certificateExtraStore, timestamp.UpperLimit.LocalDateTime, CertificateType.Signature); if (settings.RevocationMode == RevocationMode.Offline) { chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; } else { chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; } var chainBuildingSucceeded = CertificateChainUtility.BuildCertificateChain(chain, certificate, out var chainStatuses); var x509ChainString = CertificateUtility.X509ChainToString(chain, fingerprintAlgorithm); if (!string.IsNullOrWhiteSpace(x509ChainString)) { issues.Add(SignatureLog.DetailedLog(x509ChainString)); } var chainBuildingHasIssues = false; if (!chainBuildingSucceeded) { var statusFlags = CertificateChainUtility.DefaultObservedStatusFlags; IEnumerable <string> messages; if (CertificateChainUtility.TryGetStatusMessage(chainStatuses, statusFlags, out messages)) { foreach (var message in messages) { issues.Add(SignatureLog.Issue(!settings.AllowIllegal, NuGetLogCode.NU3012, string.Format(CultureInfo.CurrentCulture, Strings.VerifyChainBuildingIssue, FriendlyName, message))); } chainBuildingHasIssues = true; flags |= SignatureVerificationStatusFlags.ChainBuildingFailure; } // For all the special cases, chain status list only has unique elements for each chain status flag present // therefore if we are checking for one specific chain status we can use the first of the returned list // if we are combining checks for more than one, then we have to use the whole list. if (CertificateChainUtility.TryGetStatusMessage(chainStatuses, X509ChainStatusFlags.Revoked, out messages)) { issues.Add(SignatureLog.Error(NuGetLogCode.NU3012, string.Format(CultureInfo.CurrentCulture, Strings.VerifyChainBuildingIssue, FriendlyName, messages.First()))); flags |= SignatureVerificationStatusFlags.CertificateRevoked; return(new SignatureVerificationSummary(Type, SignatureVerificationStatus.Suspect, flags, timestamp, issues)); } if (CertificateChainUtility.TryGetStatusMessage(chainStatuses, X509ChainStatusFlags.UntrustedRoot, out messages)) { if (settings.ReportUntrustedRoot) { issues.Add(SignatureLog.Issue(!settings.AllowUntrusted, NuGetLogCode.NU3018, string.Format(CultureInfo.CurrentCulture, Strings.VerifyChainBuildingIssue, FriendlyName, messages.First()))); } if (!settings.AllowUntrusted) { chainBuildingHasIssues = true; flags |= SignatureVerificationStatusFlags.UntrustedRoot; } } var offlineRevocationErrors = CertificateChainUtility.TryGetStatusMessage(chainStatuses, X509ChainStatusFlags.OfflineRevocation, out var _); var unknownRevocationErrors = CertificateChainUtility.TryGetStatusMessage(chainStatuses, X509ChainStatusFlags.RevocationStatusUnknown, out var unknownRevocationStatusMessages); if (offlineRevocationErrors || unknownRevocationErrors) { if (settings.ReportUnknownRevocation) { string unknownRevocationMessage = null; if (unknownRevocationErrors) { unknownRevocationMessage = string.Format(CultureInfo.CurrentCulture, Strings.VerifyChainBuildingIssue, FriendlyName, unknownRevocationStatusMessages.First()); } if (settings.RevocationMode == RevocationMode.Offline) { if (offlineRevocationErrors) { issues.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.VerifyChainBuildingIssue, FriendlyName, Strings.VerifyCertTrustOfflineWhileRevocationModeOffline))); } if (unknownRevocationMessage != null) { issues.Add(SignatureLog.InformationLog(unknownRevocationMessage)); } } else { if (offlineRevocationErrors) { issues.Add(SignatureLog.Issue(!settings.AllowUnknownRevocation, NuGetLogCode.NU3018, string.Format(CultureInfo.CurrentCulture, Strings.VerifyChainBuildingIssue, FriendlyName, Strings.VerifyCertTrustOfflineWhileRevocationModeOnline))); } if (unknownRevocationMessage != null) { issues.Add(SignatureLog.Issue(!settings.AllowUnknownRevocation, NuGetLogCode.NU3018, unknownRevocationMessage)); } } } if (!settings.AllowUnknownRevocation) { chainBuildingHasIssues = true; flags |= SignatureVerificationStatusFlags.UnknownRevocation; } } // Debug log any errors issues.Add(SignatureLog.DebugLog( string.Format( CultureInfo.CurrentCulture, Strings.VerifyError_InvalidCertificateChain, FriendlyName, string.Join(", ", chainStatuses.Select(x => x.Status.ToString()))))); } var isSignatureTimeValid = Rfc3161TimestampVerificationUtility.ValidateSignerCertificateAgainstTimestamp(certificate, timestamp); if (isSignatureTimeValid && !chainBuildingHasIssues) { return(new SignatureVerificationSummary(Type, SignatureVerificationStatus.Valid, flags, timestamp, issues)); } else if (!isSignatureTimeValid) { issues.Add( SignatureLog.Issue( !settings.AllowUntrusted, NuGetLogCode.NU3037, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_SignatureNotTimeValid, FriendlyName))); if (!settings.AllowUntrusted) { flags |= SignatureVerificationStatusFlags.CertificateExpired; } expirationTime = DateTime.SpecifyKind(certificate.NotAfter, DateTimeKind.Local); } } } status = VerificationUtility.GetSignatureVerificationStatus(flags); return(new SignatureVerificationSummary(Type, status, flags, timestamp, expirationTime, issues)); }
private PackageVerificationResult Verify( PrimarySignature signature, SignedPackageVerifierSettings settings) { var certificateExtraStore = signature.SignedCms.Certificates; var repositoryCountersignatureExists = SignatureUtility.HasRepositoryCountersignature(signature); var isRepositoryCountersignatureVerificationRequested = settings.VerificationTarget.HasFlag(VerificationTarget.Repository) && settings.SignaturePlacement.HasFlag(SignaturePlacement.Countersignature); var allowDeferralToRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested && repositoryCountersignatureExists; var status = SignatureVerificationStatus.Unknown; var issues = Enumerable.Empty <SignatureLog>(); var isUntrustedRootAllowed = IsUntrustedRootAllowed(signature); var verifySettings = new SignatureVerifySettings( allowIllegal: settings.AllowIllegal, allowUntrusted: settings.AllowUntrusted || isUntrustedRootAllowed, allowUnknownRevocation: settings.AllowUnknownRevocation, reportUnknownRevocation: settings.ReportUnknownRevocation, reportUntrustedRoot: !isUntrustedRootAllowed, revocationMode: settings.RevocationMode); SignatureVerificationSummary primarySummary = null; if (settings.SignaturePlacement.HasFlag(SignaturePlacement.PrimarySignature) && VerificationUtility.IsVerificationTarget(signature.Type, settings.VerificationTarget)) { primarySummary = VerifyValidityAndTrust(signature, settings, verifySettings, certificateExtraStore); issues = issues.Concat(primarySummary.Issues); status = primarySummary.Status; } Debug.Assert(isRepositoryCountersignatureVerificationRequested != (settings.RepositoryCountersignatureVerificationBehavior == SignatureVerificationBehavior.Never)); bool shouldVerifyRepositoryCountersignature; switch (settings.RepositoryCountersignatureVerificationBehavior) { case SignatureVerificationBehavior.IfExists: shouldVerifyRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested && repositoryCountersignatureExists; break; case SignatureVerificationBehavior.IfExistsAndIsNecessary: // The repository countersignature should be evaluated if settings allow it, if a repository countersignature exists // and if either settings only allow a repository countersignature to be evaluated or the primary signature has some // validation/trust issues that may benefit from a repository countersignature fallback. shouldVerifyRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested && repositoryCountersignatureExists && (primarySummary == null || (primarySummary != null && (HasUntrustedRoot(primarySummary) || IsSignatureExpired(primarySummary)))); break; case SignatureVerificationBehavior.Always: shouldVerifyRepositoryCountersignature = isRepositoryCountersignatureVerificationRequested; break; case SignatureVerificationBehavior.Never: shouldVerifyRepositoryCountersignature = false; break; default: throw new NotImplementedException(); } if (shouldVerifyRepositoryCountersignature) { var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(signature); if (countersignature == null) { if (settings.RepositoryCountersignatureVerificationBehavior == SignatureVerificationBehavior.Always) { issues = issues.Concat(new[] { SignatureLog.Error(NuGetLogCode.NU3038, Strings.NoRepositoryCountersignature) }); status = SignatureVerificationStatus.Disallowed; } } else { isUntrustedRootAllowed = IsUntrustedRootAllowed(countersignature); verifySettings = new SignatureVerifySettings( allowIllegal: settings.AllowIllegal, allowUntrusted: settings.AllowUntrusted || isUntrustedRootAllowed, allowUnknownRevocation: settings.AllowUnknownRevocation, reportUnknownRevocation: settings.ReportUnknownRevocation, reportUntrustedRoot: !isUntrustedRootAllowed, revocationMode: settings.RevocationMode); var countersignatureSummary = VerifyValidityAndTrust(countersignature, settings, verifySettings, certificateExtraStore); if (primarySummary == null) { status = countersignatureSummary.Status; } else { if (countersignatureSummary.Status == SignatureVerificationStatus.Valid) { if (IsSignatureExpired(primarySummary) && HasUntrustedRoot(primarySummary)) { // Exclude the issue of the primary signature being untrusted since the repository countersignature fulfills the role of a trust anchor. issues = issues.Where(log => log.Code != NuGetLogCode.NU3018); if (countersignatureSummary.Timestamp != null && Rfc3161TimestampVerificationUtility.ValidateSignerCertificateAgainstTimestamp(signature.SignerInfo.Certificate, countersignatureSummary.Timestamp)) { // Exclude the issue of the primary signature being expired since the repository countersignature fulfills the role of a trusted timestamp. issues = issues.Where(log => log.Code != NuGetLogCode.NU3037); status = SignatureVerificationStatus.Valid; } } else if (IsSignatureExpired(primarySummary) && countersignatureSummary.Timestamp != null && Rfc3161TimestampVerificationUtility.ValidateSignerCertificateAgainstTimestamp(signature.SignerInfo.Certificate, countersignatureSummary.Timestamp)) { // Exclude the issue of the primary signature being expired since the repository countersignature fulfills the role of a trusted timestamp. issues = issues.Where(log => log.Code != NuGetLogCode.NU3037); status = SignatureVerificationStatus.Valid; } else if (HasUntrustedRoot(primarySummary)) { // Exclude the issue of the primary signature being untrusted since the repository countersignature fulfills the role of a trust anchor. issues = issues.Where(log => log.Code != NuGetLogCode.NU3018); status = SignatureVerificationStatus.Valid; } } // Both the primary signature and the repository countersignature were evaluated. // The overall status should be the more severe status of the two. status = (SignatureVerificationStatus)Math.Min((int)status, (int)countersignatureSummary.Status); } issues = issues.Concat(countersignatureSummary.Issues); } } return(new SignedPackageVerificationResult(status, signature, issues)); }
/// <summary> /// Verify if the timestamp object meets the specification requirements. /// </summary> /// <param name="signature">Signature which this timestamp is for.</param> /// <param name="allowIgnoreTimestamp">Setting that tells if a timestamp can be ignored if it doesn't meet the requirements. Used to know if warnings or errors should be logged for an issue.</param> /// <param name="allowUnknownRevocation">Setting that tells if unkown revocation is valid when building the chain.</param> /// <param name="issues">List of log messages.</param> /// <returns>true if the timestamp meets the requierements, false otherwise.</returns> internal SignatureVerificationStatusFlags Verify( Signature signature, SignedPackageVerifierSettings settings, HashAlgorithmName fingerprintAlgorithm, List <SignatureLog> issues) { settings = settings ?? SignedPackageVerifierSettings.GetDefault(); var flags = SignatureVerificationStatusFlags.NoErrors; if (signature == null) { throw new ArgumentNullException(nameof(signature)); } if (issues == null) { throw new ArgumentNullException(nameof(issues)); } var treatIssueAsError = !settings.AllowIgnoreTimestamp; var timestamperCertificate = SignerInfo.Certificate; if (timestamperCertificate == null) { flags |= SignatureVerificationStatusFlags.NoCertificate; issues.Add(SignatureLog.Issue(treatIssueAsError, NuGetLogCode.NU3020, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampNoCertificate, signature.FriendlyName))); return(flags); } flags |= VerificationUtility.ValidateTimestamp(this, signature, treatIssueAsError, issues, SigningSpecifications.V1); if (flags == SignatureVerificationStatusFlags.NoErrors) { issues.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.TimestampValue, GeneralizedTime.LocalDateTime.ToString()) + Environment.NewLine)); issues.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.VerificationTimestamperCertDisplay, signature.FriendlyName, $"{Environment.NewLine}{CertificateUtility.X509Certificate2ToString(timestamperCertificate, fingerprintAlgorithm)}"))); var certificateExtraStore = SignedCms.Certificates; using (var chainHolder = new X509ChainHolder()) { var chain = chainHolder.Chain; // This flag should only be set for verification scenarios, not signing. chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid; CertificateChainUtility.SetCertBuildChainPolicy(chain.ChainPolicy, certificateExtraStore, DateTime.Now, CertificateType.Timestamp); if (settings.RevocationMode == RevocationMode.Offline) { chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; } else { chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; } var chainBuildSucceed = CertificateChainUtility.BuildCertificateChain(chain, timestamperCertificate, out var chainStatusList); var x509ChainString = CertificateUtility.X509ChainToString(chain, fingerprintAlgorithm); if (!string.IsNullOrWhiteSpace(x509ChainString)) { issues.Add(SignatureLog.DetailedLog(x509ChainString)); } if (chainBuildSucceed) { return(flags); } var chainBuildingHasIssues = false; IEnumerable <string> messages; var timestampInvalidCertificateFlags = CertificateChainUtility.DefaultObservedStatusFlags; if (CertificateChainUtility.TryGetStatusMessage(chainStatusList, timestampInvalidCertificateFlags, out messages)) { foreach (var message in messages) { issues.Add(SignatureLog.Issue(treatIssueAsError, NuGetLogCode.NU3028, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampVerifyChainBuildingIssue, signature.FriendlyName, message))); } flags |= SignatureVerificationStatusFlags.ChainBuildingFailure; chainBuildingHasIssues = true; } // For all the special cases, chain status list only has unique elements for each chain status flag present // therefore if we are checking for one specific chain status we can use the first of the returned list // if we are combining checks for more than one, then we have to use the whole list. if (CertificateChainUtility.TryGetStatusMessage(chainStatusList, X509ChainStatusFlags.UntrustedRoot, out messages)) { issues.Add(SignatureLog.Error(NuGetLogCode.NU3028, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampVerifyChainBuildingIssue, signature.FriendlyName, messages.First()))); flags |= SignatureVerificationStatusFlags.UntrustedRoot; chainBuildingHasIssues = true; } if (CertificateChainUtility.TryGetStatusMessage(chainStatusList, X509ChainStatusFlags.Revoked, out messages)) { issues.Add(SignatureLog.Error(NuGetLogCode.NU3028, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampVerifyChainBuildingIssue, signature.FriendlyName, messages.First()))); flags |= SignatureVerificationStatusFlags.CertificateRevoked; return(flags); } var offlineRevocationErrors = CertificateChainUtility.TryGetStatusMessage(chainStatusList, X509ChainStatusFlags.OfflineRevocation, out var _); var unknownRevocationErrors = CertificateChainUtility.TryGetStatusMessage(chainStatusList, X509ChainStatusFlags.RevocationStatusUnknown, out var unknownRevocationStatusMessages); if (offlineRevocationErrors || unknownRevocationErrors) { if (treatIssueAsError) { string unknownRevocationMessage = null; if (unknownRevocationErrors) { unknownRevocationMessage = string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampVerifyChainBuildingIssue, signature.FriendlyName, unknownRevocationStatusMessages.First()); } if (settings.RevocationMode == RevocationMode.Offline) { if (offlineRevocationErrors) { issues.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampVerifyChainBuildingIssue, signature.FriendlyName, Strings.VerifyCertTrustOfflineWhileRevocationModeOffline))); } if (unknownRevocationMessage != null) { issues.Add(SignatureLog.InformationLog(unknownRevocationMessage)); } } else { if (offlineRevocationErrors) { issues.Add(SignatureLog.Issue(!settings.AllowUnknownRevocation, NuGetLogCode.NU3018, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampVerifyChainBuildingIssue, signature.FriendlyName, Strings.VerifyCertTrustOfflineWhileRevocationModeOnline))); } if (unknownRevocationMessage != null) { issues.Add(SignatureLog.Issue(!settings.AllowUnknownRevocation, NuGetLogCode.NU3018, unknownRevocationMessage)); } } } if (!chainBuildingHasIssues && (settings.AllowIgnoreTimestamp || settings.AllowUnknownRevocation)) { return(flags); } flags |= SignatureVerificationStatusFlags.UnknownRevocation; chainBuildingHasIssues = true; } // Debug log any errors issues.Add( SignatureLog.DebugLog( string.Format( CultureInfo.CurrentCulture, $"{signature.FriendlyName}'s timestamp", Strings.VerifyError_InvalidCertificateChain, string.Join(", ", chainStatusList.Select(x => x.Status.ToString()))))); } } return(flags); }
/// <summary> /// Verify if the signature object meets the specification trust and validity requirements. /// </summary> /// <param name="timestamp">Timestamp for this signature, if signature is not timestamped it can be null.</param> /// <param name="allowUntrusted">Setting that tells if a signature that does not meet any soft failure requirements can still be allowed. Used to know if warnings or errors should be logged for an issue.</param> /// <param name="allowUnknownRevocation">Setting that tells if unkown revocation is valid when building the chain.</param> /// <param name="allowUntrustedSelfSignedCertificate">Setting that tells if an untrusted self-signed certificate should be allowed as the signing certificate.</param> /// <param name="fingerprintAlgorithm">Algorithm used to calculate and display the certificate's fingerprint.</param> /// <param name="certificateExtraStore">Collection of certificates to help the chain building engine as an extra store.</param> /// <param name="issues">List of log messages.</param> /// <returns>Status of trust for signature.</returns> internal virtual SignatureVerificationStatus Verify( Timestamp timestamp, SignedPackageVerifierSettings settings, HashAlgorithmName fingerprintAlgorithm, X509Certificate2Collection certificateExtraStore, List <SignatureLog> issues) { if (issues == null) { throw new ArgumentNullException(nameof(issues)); } settings = settings ?? SignedPackageVerifierSettings.Default; var treatIssueAsError = !settings.AllowUntrusted; var certificate = SignerInfo.Certificate; if (certificate == null) { issues.Add(SignatureLog.Issue(treatIssueAsError, NuGetLogCode.NU3010, Strings.ErrorNoCertificate)); return(SignatureVerificationStatus.Invalid); } issues.Add(SignatureLog.InformationLog(string.Format(CultureInfo.CurrentCulture, Strings.VerificationAuthorCertDisplay, $"{Environment.NewLine}{CertificateUtility.X509Certificate2ToString(certificate, fingerprintAlgorithm)}"))); try { SignerInfo.CheckSignature(verifySignatureOnly: true); } catch (Exception e) { issues.Add(SignatureLog.Issue(treatIssueAsError, NuGetLogCode.NU3012, Strings.ErrorSignatureVerificationFailed)); issues.Add(SignatureLog.DebugLog(e.ToString())); return(SignatureVerificationStatus.Invalid); } if (VerificationUtility.IsSigningCertificateValid(certificate, treatIssueAsError, issues)) { timestamp = timestamp ?? new Timestamp(); if (Rfc3161TimestampVerificationUtility.ValidateSignerCertificateAgainstTimestamp(certificate, timestamp)) { using (var chainHolder = new X509ChainHolder()) { var chain = chainHolder.Chain; // These flags should only be set for verification scenarios not signing chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid | X509VerificationFlags.IgnoreCtlNotTimeValid; CertificateChainUtility.SetCertBuildChainPolicy(chain.ChainPolicy, certificateExtraStore, timestamp.UpperLimit.LocalDateTime, CertificateType.Signature); var chainBuildingSucceed = CertificateChainUtility.BuildCertificateChain(chain, certificate, out var chainStatuses); issues.Add(SignatureLog.DetailedLog(CertificateUtility.X509ChainToString(chain, fingerprintAlgorithm))); if (chainBuildingSucceed) { return(SignatureVerificationStatus.Trusted); } var chainBuildingHasIssues = false; var statusFlags = CertificateChainUtility.DefaultObservedStatusFlags; var isSelfSignedCertificate = CertificateUtility.IsSelfIssued(certificate); if (isSelfSignedCertificate) { statusFlags &= ~X509ChainStatusFlags.UntrustedRoot; } IEnumerable <string> messages; if (CertificateChainUtility.TryGetStatusMessage(chainStatuses, statusFlags, out messages)) { foreach (var message in messages) { issues.Add(SignatureLog.Issue(treatIssueAsError, NuGetLogCode.NU3012, message)); } chainBuildingHasIssues = true; } // For all the special cases, chain status list only has unique elements for each chain status flag present // therefore if we are checking for one specific chain status we can use the first of the returned list // if we are combining checks for more than one, then we have to use the whole list. IEnumerable <X509ChainStatus> chainStatus = null; if (CertificateChainUtility.ChainStatusListIncludesStatus(chainStatuses, X509ChainStatusFlags.Revoked, out chainStatus)) { var status = chainStatus.First(); issues.Add(SignatureLog.Error(NuGetLogCode.NU3012, status.StatusInformation)); return(SignatureVerificationStatus.Invalid); } if (isSelfSignedCertificate && CertificateChainUtility.TryGetStatusMessage(chainStatuses, X509ChainStatusFlags.UntrustedRoot, out messages)) { issues.Add(SignatureLog.Issue(!settings.AllowUntrustedSelfIssuedCertificate, NuGetLogCode.NU3018, messages.First())); if (!chainBuildingHasIssues && settings.AllowUntrustedSelfIssuedCertificate) { return(SignatureVerificationStatus.Trusted); } } const X509ChainStatusFlags RevocationStatusFlags = X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation; if (CertificateChainUtility.TryGetStatusMessage(chainStatuses, RevocationStatusFlags, out messages)) { if (treatIssueAsError) { foreach (var message in messages) { issues.Add(SignatureLog.Issue(!settings.AllowUnknownRevocation, NuGetLogCode.NU3018, message)); } } if (!chainBuildingHasIssues && settings.AllowUnknownRevocation) { return(SignatureVerificationStatus.Trusted); } chainBuildingHasIssues = true; } // Debug log any errors issues.Add(SignatureLog.DebugLog( string.Format( CultureInfo.CurrentCulture, Strings.ErrorInvalidCertificateChain, string.Join(", ", chainStatuses.Select(x => x.Status.ToString()))))); } } else { issues.Add(SignatureLog.Issue(treatIssueAsError, NuGetLogCode.NU3011, Strings.SignatureNotTimeValid)); } } return(SignatureVerificationStatus.Untrusted); }