public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain() { using (var certificate = _fixture.GetDefaultCertificate()) { var logger = new TestLogger(); using (var chain = CertificateChainUtility.GetCertificateChain( certificate, new X509Certificate2Collection(), logger, CertificateType.Signature)) { Assert.Equal(1, chain.Count); Assert.NotSame(certificate, chain[0]); Assert.True(certificate.RawData.SequenceEqual(chain[0].RawData)); } Assert.Equal(0, logger.Errors); #if (IS_DESKTOP || NETCORE5_0) Assert.Equal(1, logger.Warnings); #else Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings); #endif SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning); #if !NETCORE5_0 if (RuntimeEnvironmentHelper.IsLinux) { SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning); } #endif } }
[PlatformFact(Platform.Windows, Platform.Linux)] // https://github.com/NuGet/Home/issues/8047 public void Verify_WhenChainBuildingFails_Throws() { using (var certificate = _fixture.GetExpiredCertificate()) using (var request = CreateRequest(certificate)) { var logger = new TestLogger(); var exception = Assert.Throws <SignatureException>( () => SigningUtility.Verify(request, logger)); Assert.Equal(NuGetLogCode.NU3018, exception.Code); Assert.Equal("Certificate chain validation failed.", exception.Message); Assert.Equal(1, logger.Errors); if (RuntimeEnvironmentHelper.IsLinux) { Assert.Equal(2, logger.Warnings); SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning); } else { Assert.Equal(1, logger.Warnings); } SigningTestUtility.AssertNotTimeValid(logger.LogMessages, LogLevel.Error); SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning); } }
public void Verify_WithUntrustedSelfSignedCertificate_Succeeds() { using (var certificate = _fixture.GetDefaultCertificate()) using (var request = CreateRequest(certificate)) { var logger = new TestLogger(); SigningUtility.Verify(request, logger); Assert.Equal(0, logger.Errors); #if (IS_DESKTOP || NETCORE5_0) Assert.Equal(1, logger.Warnings); #else Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings); #endif SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning); #if !NETCORE5_0 if (RuntimeEnvironmentHelper.IsLinux) { SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning); } #endif } }
public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain() { using (var certificate = _fixture.GetDefaultCertificate()) { var logger = new TestLogger(); using (var chain = CertificateChainUtility.GetCertificateChain( certificate, new X509Certificate2Collection(), logger, CertificateType.Signature)) { Assert.Equal(1, chain.Count); Assert.NotSame(certificate, chain[0]); Assert.True(certificate.RawData.SequenceEqual(chain[0].RawData)); } Assert.Equal(0, logger.Errors); Assert.Equal(RuntimeEnvironmentHelper.IsWindows ? 1 : 2, logger.Warnings); SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning); if (!RuntimeEnvironmentHelper.IsWindows) { SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning); } } }
public void GetCertificateChain_WithUntrustedRoot_Throws() { using (var chainHolder = new X509ChainHolder()) using (var rootCertificate = SigningTestUtility.GetCertificate("root.crt")) using (var intermediateCertificate = SigningTestUtility.GetCertificate("intermediate.crt")) using (var leafCertificate = SigningTestUtility.GetCertificate("leaf.crt")) { var chain = chainHolder.Chain; var extraStore = new X509Certificate2Collection() { rootCertificate, intermediateCertificate }; var logger = new TestLogger(); var exception = Assert.Throws <SignatureException>( () => CertificateChainUtility.GetCertificateChain( leafCertificate, extraStore, logger, CertificateType.Signature)); Assert.Equal(NuGetLogCode.NU3018, exception.Code); Assert.Equal("Certificate chain validation failed.", exception.Message); Assert.Equal(1, logger.Errors); SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Error); SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning); if (RuntimeEnvironmentHelper.IsWindows) { Assert.Equal(2, logger.Warnings); SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning); } else if (RuntimeEnvironmentHelper.IsLinux) { #if NETCORE5_0 Assert.Equal(2, logger.Warnings); SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning); #else Assert.Equal(1, logger.Warnings); #endif } else { Assert.Equal(1, logger.Warnings); } } }
public async Task SignAsync_WhenPackageEntryCountWouldRequireZip64_FailsAsync() { const ushort desiredFileCount = 0xFFFF - 1; var package = new SimpleTestPackageContext(); var requiredFileCount = desiredFileCount - package.Files.Count; for (var i = 0; i < requiredFileCount - 1 /*nuspec*/; ++i) { package.AddFile(i.ToString()); } using (var packageStream = await package.CreateAsStreamAsync()) { using (var zipArchive = new ZipArchive(packageStream, ZipArchiveMode.Read, leaveOpen: true)) { // Sanity check before testing. Assert.Equal(desiredFileCount, zipArchive.Entries.Count()); } packageStream.Position = 0; using (var test = SignTest.Create( _fixture.GetDefaultCertificate(), HashAlgorithmName.SHA256, packageStream.ToArray(), new X509SignatureProvider(timestampProvider: null))) { var exception = await Assert.ThrowsAsync <SignatureException>( () => SigningUtility.SignAsync(test.Options, test.Request, CancellationToken.None)); Assert.Equal(NuGetLogCode.NU3039, exception.Code); Assert.Equal("The package cannot be signed as it would require the Zip64 format.", exception.Message); Assert.Equal(0, test.Options.OutputPackageStream.Length); Assert.Equal(0, test.Logger.Errors); Assert.Equal(1, test.Logger.Warnings); Assert.Equal(1, test.Logger.Messages.Count()); SigningTestUtility.AssertUntrustedRoot(test.Logger.LogMessages, LogLevel.Warning); } } }
[PlatformFact(Platform.Windows, Platform.Linux)] // https://github.com/NuGet/Home/issues/8047 public void Verify_WithUntrustedSelfSignedCertificate_Succeeds() { using (var certificate = _fixture.GetDefaultCertificate()) using (var request = CreateRequest(certificate)) { var logger = new TestLogger(); SigningUtility.Verify(request, logger); Assert.Equal(0, logger.Errors); Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings); SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning); if (RuntimeEnvironmentHelper.IsLinux) { SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning); } } }
public async Task SignAsync_WithUntrustedSelfSignedCertificate_SucceedsAsync() { var package = new SimpleTestPackageContext(); using (var packageStream = await package.CreateAsStreamAsync()) using (var test = SignTest.Create( _fixture.GetDefaultCertificate(), HashAlgorithmName.SHA256, packageStream.ToArray(), new X509SignatureProvider(timestampProvider: null))) { await SigningUtility.SignAsync(test.Options, test.Request, CancellationToken.None); Assert.True(await SignedArchiveTestUtility.IsSignedAsync(test.Options.OutputPackageStream)); Assert.Equal(0, test.Logger.Errors); Assert.Equal(1, test.Logger.Warnings); Assert.Equal(1, test.Logger.Messages.Count()); SigningTestUtility.AssertUntrustedRoot(test.Logger.LogMessages, LogLevel.Warning); } }
public async Task VerifySignaturesAsync_WithTimestampChainingToUntrustedRoot_NotAllowIgnoreTimestamp_FailAsync() { using (var nupkgStream = new MemoryStream(GetResource("UntrustedTimestampPackage.nupkg"))) using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false)) { var verifier = new PackageSignatureVerifier(_trustProviders); // Act VerifySignaturesResult result = await verifier.VerifySignaturesAsync( package, _verifyCommandSettings, CancellationToken.None); IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any()); IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues()); // Assert result.IsValid.Should().BeFalse(); resultsWithErrors.Count().Should().Be(1); totalErrorIssues.Count().Should().Be(3); SigningTestUtility.AssertUntrustedRoot(totalErrorIssues, NuGetLogCode.NU3028, LogLevel.Error); } }
public async Task SignAsync_WhenChainBuildingFails_ThrowsAsync() { var package = new SimpleTestPackageContext(); using (var packageStream = await package.CreateAsStreamAsync()) using (var test = SignTest.Create( _fixture.GetExpiredCertificate(), HashAlgorithmName.SHA256, packageStream.ToArray(), new X509SignatureProvider(timestampProvider: null))) { var exception = await Assert.ThrowsAsync <SignatureException>( () => SigningUtility.SignAsync(test.Options, test.Request, CancellationToken.None)); Assert.Equal(NuGetLogCode.NU3018, exception.Code); Assert.Equal("Certificate chain validation failed.", exception.Message); Assert.Equal(1, test.Logger.Errors); Assert.Equal(1, test.Logger.Warnings); SigningTestUtility.AssertNotTimeValid(test.Logger.LogMessages, LogLevel.Error); SigningTestUtility.AssertUntrustedRoot(test.Logger.LogMessages, LogLevel.Warning); } }
public async Task Verify_WithUntrustedSelfSignedCertificateAndNotAllowUntrusted_FailsAsync() { var settings = new SignatureVerifySettings( allowIllegal: false, allowUntrusted: false, allowUnknownRevocation: false, reportUnknownRevocation: true, reportUntrustedRoot: true, revocationMode: RevocationMode.Online); using (var test = await VerifyTest.CreateAsync(settings, _untrustedTestCertificate.Cert)) { var result = test.PrimarySignature.Verify( timestamp: null, settings: settings, fingerprintAlgorithm: HashAlgorithmName.SHA256, certificateExtraStore: test.PrimarySignature.SignedCms.Certificates); Assert.Equal(SignatureVerificationStatus.Disallowed, result.Status); Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error)); SigningTestUtility.AssertUntrustedRoot(result.Issues, LogLevel.Error); } }