public async Task SignCommand_SignPackageWithUnsuportedTimestampHashAlgorithm_ShouldNotModifyPackageAsync()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SignatureHashAlgorithm = new Oid(Oids.Sha1)
};
var timestampService = TimestampService.Create(certificateAuthority, options);
using (testServer.RegisterResponder(timestampService))
using (var directory = TestDirectory.Create())
{
var packageContext = new SimpleTestPackageContext();
var packageFile = packageContext.CreateAsFile(directory, fileName: Guid.NewGuid().ToString());
var originalFile = File.ReadAllBytes(packageFile.FullName);
using (var certificate = _testFixture.UntrustedSelfIssuedCertificateInCertificateStore)
{
var result = CommandRunner.Run(
_nugetExePath,
directory,
$"sign {packageFile.FullName} -CertificateFingerprint {certificate.Thumbprint} -Timestamper {timestampService.Url}",
waitForExit: true);
Assert.False(result.Success);
Assert.Contains("The timestamp certificate has an unsupported signature algorithm.", result.AllOutput);
var resultingFile = File.ReadAllBytes(packageFile.FullName);
Assert.Equal(resultingFile, originalFile);
}
}
}
public async Task VerifySignaturesAsync_ValidCertificateAndTimestamp_SuccessAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (TestDirectory dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
testCertificate,
nupkg,
dir,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
private void VerifyTimestampData(
ISigningTestServer testServer,
TimestampService timestampService,
Action <Rfc3161TimestampProvider, TimestampRequest> verifyTimestampData)
{
using (testServer.RegisterResponder(timestampService))
{
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var timestampHashAlgorithm = Common.HashAlgorithmName.SHA256;
var content = new SignatureContent(SigningSpecifications.V1, Common.HashAlgorithmName.SHA256, "peach");
var signedCms = SigningTestUtility.GenerateSignedCms(certificate, content.GetBytes());
var signature = PrimarySignature.Load(signedCms.Encode());
var signatureValue = signature.GetSignatureValue();
var messageHash = timestampHashAlgorithm.ComputeHash(signatureValue);
var request = new TimestampRequest(
SigningSpecifications.V1,
messageHash,
timestampHashAlgorithm,
SignaturePlacement.PrimarySignature);
verifyTimestampData(timestampProvider, request);
}
}
}
public async Task DotnetSign_SignPackageWithTimestamping_SucceedsAsync()
{
// Arrange
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
TimestampService timestampService = await _signFixture.GetDefaultTrustedTimestampServiceAsync();
IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;
// Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
GetDefaultArgs(packageFilePath, storeCertificate) +
$" --timestamper {timestampService.Url.OriginalString}",
ignoreExitCode: true);
// Assert
result.Success.Should().BeTrue(because: result.AllOutput);
result.AllOutput.Should().NotContain(_noTimestamperWarningCode);
}
}
public async Task VerifyAsync_WithRevokedTimestampCertificate_ReturnsSuspect()
{
var testServer = await _fixture.GetSigningTestServerAsync();
var certificateAuthority = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var timestampService = await _fixture.GetDefaultTrustedTimestampServiceAsync();
var revokedTimestampService = TimestampService.Create(certificateAuthority);
using (testServer.RegisterResponder(revokedTimestampService))
using (var test = await Test.CreateAuthorSignedRepositoryCountersignedPackageAsync(
_fixture.TrustedTestCertificate.Source.Cert,
_fixture.TrustedRepositoryCertificate.Source.Cert,
timestampService.Url,
revokedTimestampService.Url))
using (var packageReader = new PackageArchiveReader(test.PackageFile.FullName))
{
await certificateAuthority.OcspResponder.WaitForResponseExpirationAsync(revokedTimestampService.Certificate);
certificateAuthority.Revoke(
revokedTimestampService.Certificate,
RevocationReason.KeyCompromise,
DateTimeOffset.UtcNow.AddHours(-1));
var status = await _verifier.VerifyAsync(packageReader, CancellationToken.None);
Assert.Equal(SignatureVerificationStatus.Suspect, status);
}
}
public async Task <RevokableTimestampService> CreateRevokableTimestampServiceAsync()
{
var testServer = await _testServer.Value;
var rootCa = await _rootCertificateAuthority.Value;
var timestampService = TimestampService.Create(rootCa);
var responders = testServer.RegisterDefaultResponders(timestampService);
var revocationDate = DateTimeOffset.UtcNow.Subtract(TimeSpan.FromHours(1));
void Revoke()
{
rootCa.Revoke(timestampService.Certificate, RevocationReason.Unspecified, revocationDate);
}
Task WaitForResponseExpirationAsync()
{
return(rootCa.OcspResponder.WaitForResponseExpirationAsync(timestampService.Certificate));
}
return(new RevokableTimestampService(
timestampService.Url,
Revoke,
WaitForResponseExpirationAsync,
responders));
}
public async Task GetTimestampAsync_TimestampGeneralizedTimeOutsideCertificateValidityPeriod_FailAsync()
{
// Arrange
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
IssuedCertificateNotBefore = DateTimeOffset.UtcNow.AddHours(-1),
IssuedCertificateNotAfter = DateTimeOffset.UtcNow.AddHours(1),
GeneralizedTime = DateTimeOffset.UtcNow.AddHours(3)
};
var timestampService = TimestampService.Create(certificateAuthority, options);
VerifyTimestampData(
testServer,
timestampService,
async(timestampProvider, request) =>
{
var exception = await Assert.ThrowsAsync <TimestampException>(
() => timestampProvider.GetTimestampAsync(request, NullLogger.Instance, CancellationToken.None));
Assert.Equal(NuGetLogCode.NU3036, exception.Code);
Assert.Contains(
"The timestamp's generalized time is outside the timestamping certificate's validity period.",
exception.Message);
});
}
public async Task GetTimestamp_WithFailureReponse_Throws()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
ReturnFailure = true
};
var timestampService = TimestampService.Create(certificateAuthority, options);
VerifyTimestampData(
testServer,
timestampService,
(timestampProvider, request) =>
{
var exception = Assert.Throws <CryptographicException>(
() => timestampProvider.GetTimestamp(request, NullLogger.Instance, CancellationToken.None));
Assert.StartsWith(
"The timestamp signature and/or certificate could not be verified or is malformed.",
exception.Message);
});
}
public async Task <TimestampServiceWithUnavailableRevocation> CreateTimestampServiceWithUnavailableRevocationAsync()
{
var testServer = await _testServer.Value;
var rootCa = CertificateAuthority.Create(testServer.Url);
var rootCertificate = rootCa.Certificate.ToX509Certificate2();
var trust = new TrustedTestCert <X509Certificate2>(
rootCertificate,
certificate => certificate,
StoreName.Root,
StoreLocation.LocalMachine);
var timestampService = TimestampService.Create(rootCa);
var disposable = new DisposableList <IDisposable> {
rootCertificate, trust
};
Task WaitForResponseExpirationAsync()
{
return(rootCa.OcspResponder.WaitForResponseExpirationAsync(timestampService.Certificate));
}
return(new TimestampServiceWithUnavailableRevocation(
testServer,
timestampService,
WaitForResponseExpirationAsync,
disposable));
}
public async Task GetTimestampAsync_WhenCertificateSignatureAlgorithmIsSha1_ThrowsAsync()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var timestampServiceOptions = new TimestampServiceOptions()
{
SignatureHashAlgorithm = new Oid(Oids.Sha1)
};
var issueCertificateOptions = IssueCertificateOptions.CreateDefaultForTimestampService();
issueCertificateOptions.SignatureAlgorithmName = "SHA1WITHRSA";
var timestampService = TimestampService.Create(certificateAuthority, timestampServiceOptions, issueCertificateOptions);
VerifyTimestampData(
testServer,
timestampService,
async(timestampProvider, request) =>
{
var exception = await Assert.ThrowsAsync <TimestampException>(
() => timestampProvider.GetTimestampAsync(request, NullLogger.Instance, CancellationToken.None));
Assert.Equal(
"The timestamp certificate has an unsupported signature algorithm (SHA1RSA). The following algorithms are supported: SHA256RSA, SHA384RSA, SHA512RSA.",
exception.Message);
});
}
public async Task Verify_AuthorSignedTimestampedPackage_SuccessAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
X509Certificate2 defaultAuthorCertificate = await _testFixture.GetDefaultAuthorSigningCertificateAsync();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (TestDirectory dir = TestDirectory.Create())
using (var authorCertificate = new X509Certificate2(defaultAuthorCertificate))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
authorCertificate,
nupkg,
dir,
timestampService.Url);
// Act
CommandRunnerResult result = RunVerifyCommand(signedPackagePath);
// Assert
result.Success.Should().BeTrue(because: result.AllOutput);
result.AllOutput.Should().Contain(_successfullyVerified);
Regex.Matches(result.AllOutput, _noTimestamperWarning).Count.Should().Be(0);
}
}
public async Task GetTimestampCertificateChain_WithNoSigningCertificateUsage_Throws()
{
ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
CertificateAuthority rootCa = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SigningCertificateUsage = SigningCertificateUsage.None
};
TimestampService timestampService = TimestampService.Create(rootCa, options);
using (testServer.RegisterResponder(timestampService))
{
var nupkg = new SimpleTestPackageContext();
using (var certificate = new X509Certificate2(_testFixture.TrustedTestCertificate.Source.Cert))
using (TestDirectory directory = TestDirectory.Create())
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
nupkg,
directory,
timestampService.Url);
// Act
CommandRunnerResult result = RunVerifyCommand(signedPackagePath);
// Assert
result.Success.Should().BeFalse(because: result.AllOutput);
result.AllOutput.Should().Contain("Either the signing-certificate or signing-certificate-v2 attribute must be present.");
result.AllOutput.Should().NotContain(_successfullyVerified);
}
}
}
public async Task GetTimestamp_WhenSignatureHashAlgorithmIsSha1_Throws()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SignatureHashAlgorithm = new Oid(Oids.Sha1)
};
var timestampService = TimestampService.Create(certificateAuthority, options);
VerifyTimestampData(
testServer,
timestampService,
(timestampProvider, request) =>
{
var exception = Assert.Throws <TimestampException>(
() => timestampProvider.GetTimestamp(request, NullLogger.Instance, CancellationToken.None));
Assert.Equal(
"The timestamp certificate has an unsupported signature algorithm.",
exception.Message);
});
}
private void VerifyTimestampData(
ISigningTestServer testServer,
TimestampService timestampService,
Action <Rfc3161TimestampProvider, TimestampRequest> verifyTimestampData)
{
using (testServer.RegisterResponder(timestampService))
{
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var content = Encoding.UTF8.GetBytes("peach");
var signedCms = SigningTestUtility.GenerateSignedCms(certificate, content);
var request = new TimestampRequest()
{
SigningSpec = SigningSpecifications.V1,
TimestampHashAlgorithm = Common.HashAlgorithmName.SHA256,
Signature = signedCms.Encode()
};
verifyTimestampData(timestampProvider, request);
}
}
}
public async Task GetTimestamp_WhenRevocationInformationUnavailable_Success()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var ca2 = ca.CreateIntermediateCertificateAuthority();
var timestampService = TimestampService.Create(ca2);
// Only register the AIA responder. Do not register the OCSP responder.
using (testServer.RegisterResponder(ca2))
{
VerifyTimestampData(
testServer,
timestampService,
(timestampProvider, request) =>
{
var logger = new TestLogger();
var timestamp = timestampProvider.GetTimestamp(request, logger, CancellationToken.None);
Assert.NotNull(timestamp);
Assert.Equal(0, logger.Errors);
Assert.Equal(2, logger.Warnings);
AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
});
}
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync()
{
ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
var serviceOptions = new TimestampServiceOptions()
{
Accuracy = accuracy
};
TimestampService timestampService = TimestampService.Create(ca, serviceOptions);
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (testServer.RegisterResponder(timestampService))
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult result = results.Results.Single();
Assert.False(results.IsValid);
Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));
Assert.Contains(result.Issues, issue =>
issue.Code == NuGetLogCode.NU3037 &&
issue.Level == LogLevel.Error &&
issue.Message.Contains("validity period has expired."));
}
}
}
private async Task <TimestampService> CreateDefaultTrustedTimestampServiceAsync()
{
var testServer = await _testServer.Value;
var ca = await _defaultTrustedCertificateAuthority.Value;
var timestampService = TimestampService.Create(ca);
_responders.Add(testServer.RegisterResponder(timestampService));
return(timestampService);
}
public void OnBeginSaveTransaction(Session session)
{
try {
TimestampService service = new TimestampService();
cachedTimeStamp = service.GetTime();
}
catch {
throw new Exception("Cannot access the TimeStampWebService. Make sure it's running.");
}
}
public async Task RejectsUntrustedTimestampingCertificate()
{
// Arrange
var testServer = await _fixture.GetTestServerAsync();
var untrustedRootCa = CertificateAuthority.Create(testServer.Url);
var untrustedRootCertficate = new X509Certificate2(untrustedRootCa.Certificate.GetEncoded());
var timestampService = TimestampService.Create(untrustedRootCa);
using (testServer.RegisterDefaultResponders(timestampService))
{
byte[] packageBytes;
using (var temporaryTrust = new TrustedTestCert <X509Certificate2>(
untrustedRootCertficate,
x => x,
StoreName.Root,
StoreLocation.LocalMachine))
{
packageBytes = await _fixture.GenerateSignedPackageBytesAsync(
TestResources.SignedPackageLeaf1,
await _fixture.GetSigningCertificateAsync(),
timestampService.Url,
_output);
}
TestUtility.RequireSignedPackage(_corePackageService,
TestResources.SignedPackageLeafId,
await _fixture.GetSigningCertificateThumbprintAsync());
_packageStream = new MemoryStream(packageBytes);
_message = new SignatureValidationMessage(
TestResources.SignedPackageLeafId,
TestResources.SignedPackageLeaf1Version,
new Uri($"https://unit.test/validation/{TestResources.SignedPackageLeaf1.ToLowerInvariant()}"),
Guid.NewGuid());
// Act
var result = await _target.ValidateAsync(
_packageKey,
_packageStream,
_message,
_token);
// Assert
VerifyPackageSigningStatus(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
var issue = Assert.Single(result.Issues);
var clientIssue = Assert.IsType <ClientSigningVerificationFailure>(issue);
Assert.Equal("NU3028", clientIssue.ClientCode);
Assert.Equal(
"A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.",
clientIssue.ClientMessage);
}
}
public async Task <CustomTimestampService> CreateCustomTimestampServiceAsync(TimestampServiceOptions options)
{
var testServer = await _testServer.Value;
var rootCa = await _rootCertificateAuthority.Value;
var timestampService = TimestampService.Create(rootCa, options);
var responders = testServer.RegisterDefaultResponders(timestampService);
return(new CustomTimestampService(
timestampService.Url,
responders));
}
public async Task VerifySignaturesAsync_WithExpiredPrimarySignature_ValidCountersignature_AndPrimarySignatureExpiredAtCountersignTime_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExists,
revocationMode: RevocationMode.Online);
using (TestDirectory dir = TestDirectory.Create())
using (TrustedTestCert <TestCertificate> trustedCertificate = _testFixture.CreateTrustedTestCertificateThatWillExpireSoon())
using (var willExpireCert = new X509Certificate2(trustedCertificate.Source.Cert))
using (var repoTestCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
willExpireCert,
nupkg,
dir);
await SignatureTestUtility.WaitForCertificateExpirationAsync(willExpireCert);
string countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
repoTestCertificate,
signedPackagePath,
dir,
TestServiceIndexUrl,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(countersignedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
}
}
}
public async Task Timestamp_Verify_WithOfflineRevocation_ReturnsCorrectFlagsAndLogsAsync()
{
var nupkg = new SimpleTestPackageContext();
using (var testServer = await SigningTestServer.CreateAsync())
using (var responders = new DisposableList <IDisposable>())
using (var packageStream = await nupkg.CreateAsStreamAsync())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var ca = CreateOfflineRevocationCA(testServer, responders);
var timestampService = TimestampService.Create(ca);
responders.Add(testServer.RegisterResponder(timestampService));
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(testCertificate, packageStream, timestampProvider);
var timestamp = signature.Timestamps.First();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowUntrusted: false,
allowIllegal: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: false,
allowNoTimestamp: false,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Always,
revocationMode: RevocationMode.Online);
var logs = new List <SignatureLog>();
var result = timestamp.Verify(signature, settings, HashAlgorithmName.SHA256, logs);
result.HasFlag(SignatureVerificationStatusFlags.UnknownRevocation).Should().BeTrue();
var errors = logs.Where(l => l.Level == LogLevel.Error);
errors.Count().Should().Be(RuntimeEnvironmentHelper.IsWindows ? 2 : 1);
if (RuntimeEnvironmentHelper.IsWindows)
{
errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("The revocation function was unable to check revocation because the revocation server could not be reached."));
errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("The revocation function was unable to check revocation for the certificate."));
}
else
{
errors.Should().Contain(w => w.Code == NuGetLogCode.NU3028 && w.Message.Contains("unable to get certificate CRL"));
}
}
}
public async Task GetTimestampCertificateChain_WithMismatchedEssCertIdCertificateHash_ReturnsChain(
SigningCertificateUsage signingCertificateUsage)
{
ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SigningCertificateUsage = signingCertificateUsage,
SigningCertificateV1Hash = new byte[SHA1HashLength]
};
TimestampService timestampService = TimestampService.Create(rootCa, options);
using (testServer.RegisterResponder(timestampService))
{
var nupkg = new SimpleTestPackageContext();
using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
using (var directory = TestDirectory.Create())
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
nupkg,
directory,
timestampService.Url);
using (FileStream stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);
using (IX509CertificateChain actualChain = SignatureUtility.GetTimestampCertificateChain(signature))
{
Assert.NotEmpty(actualChain);
IReadOnlyList <Org.BouncyCastle.X509.X509Certificate> expectedChain = GetExpectedCertificateChain(timestampService);
Assert.Equal(expectedChain.Count, actualChain.Count);
for (var i = 0; i < expectedChain.Count; ++i)
{
Org.BouncyCastle.X509.X509Certificate expectedCertificate = expectedChain[i];
X509Certificate2 actualCertificate = actualChain[i];
Assert.True(
expectedCertificate.GetEncoded().SequenceEqual(actualCertificate.RawData),
$"The certificate at index {i} in the chain is unexpected.");
}
}
}
}
}
}
public TimestampServiceWithUnavailableRevocation(
SigningTestServer testServer,
TimestampService timestampService,
Func <Task> waitforResponseExpirationFunc,
IDisposable disposable)
{
_testServer = testServer ?? throw new ArgumentNullException(nameof(testServer));
_timestampService = timestampService ?? throw new ArgumentNullException(nameof(timestampService));
_waitforResponseExpirationFunc = waitforResponseExpirationFunc ?? throw new ArgumentNullException(nameof(waitforResponseExpirationFunc));
_disposable = disposable;
}
public async Task <UntrustedTimestampService> CreateUntrustedTimestampServiceAsync()
{
var testServer = await _testServer.Value;
var untrustedRootCa = CertificateAuthority.Create(testServer.Url);
var untrustedRootCertificate = untrustedRootCa.Certificate.ToX509Certificate2();
var timestampService = TimestampService.Create(untrustedRootCa);
var responders = testServer.RegisterDefaultResponders(timestampService);
return(new UntrustedTimestampService(
untrustedRootCertificate,
timestampService.Url,
responders));
}
/// <summary>
/// Releases the unmanaged resources used by the <see cref="TimestampTest"/> object and optionally releases the managed resources.
/// </summary>
/// <param name="disposing">true to release both managed and unmanaged resources; false to release only unmanaged resources.</param>
protected override void Dispose(bool disposing)
{
if (!m_disposed)
{
try
{
if (disposing)
{
// Dispose timestamp service.
if (m_timestampService != null)
{
m_timestampService.ServiceProcessException -= m_timestampService_ServiceProcessException;
m_timestampService.Dispose();
}
m_timestampService = null;
// Dispose purge timer.
if (m_purgeTimer != null)
{
m_purgeTimer.Elapsed -= m_purgeTimer_Elapsed;
m_purgeTimer.Dispose();
}
m_purgeTimer = null;
// Dispose warning timer.
if (m_warningTimer != null)
{
m_warningTimer.Elapsed -= m_warningTimer_Elapsed;
m_warningTimer.Dispose();
}
m_warningTimer = null;
// Dispose discarding adapter.
if (m_discardingAdapter != null)
{
m_discardingAdapter.DiscardingMeasurements -= m_discardingAdapter_DiscardingMeasurements;
m_discardingAdapter.Disposed -= m_discardingAdapter_Disposed;
}
m_discardingAdapter = null;
}
}
finally
{
m_disposed = true; // Prevent duplicate dispose.
base.Dispose(disposing); // Call base class Dispose().
}
}
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_SuccessAsync()
{
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult trustProvider = result.Results.Single();
Assert.True(result.IsValid);
Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
}
}
}
public static DisposableList <IDisposable> RegisterRespondersForTimestampServiceAndEntireChain(
this ISigningTestServer testServer,
TimestampService timestampService,
bool addCa = true,
bool addOcsp = true,
bool addTimestamper = true)
{
var responders = testServer.RegisterRespondersForEntireChain(
timestampService.CertificateAuthority,
addCa,
addOcsp);
if (addTimestamper)
{
responders.Add(testServer.RegisterResponder(timestampService));
}
return(responders);
}
public async Task DotnetSign_SignPackageWithUnsuportedTimestampHashAlgorithm_FailsAsync()
{
// Arrange
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
await SimpleTestPackageUtility.CreatePackagesAsync(
pathContext.PackageSource,
new SimpleTestPackageContext("PackageA", "1.0.0"));
string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
byte[] originalFile = File.ReadAllBytes(packageFilePath);
ISigningTestServer testServer = await _signFixture.GetSigningTestServerAsync();
CertificateAuthority certificateAuthority = await _signFixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SignatureHashAlgorithm = new Oid(Oids.Sha1)
};
TimestampService timestampService = TimestampService.Create(certificateAuthority, options);
IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;
using (testServer.RegisterResponder(timestampService))
{
// Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.PackageSource,
$"nuget sign {packageFilePath} " +
$"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint} " +
$"--timestamper {timestampService.Url}",
ignoreExitCode: true);
// Assert
result.Success.Should().BeFalse(because: result.AllOutput);
result.AllOutput.Should().Contain(_timestampUnsupportedDigestAlgorithmCode);
Assert.Contains("The timestamp signature has an unsupported digest algorithm (SHA1). The following algorithms are supported: SHA256, SHA384, SHA512.", result.AllOutput);
byte[] resultingFile = File.ReadAllBytes(packageFilePath);
Assert.Equal(resultingFile, originalFile);
}
}
}
public async Task GetTimestampCertificateChain_WithShortEssCertIdCertificateHash_Throws(
SigningCertificateUsage signingCertificateUsage)
{
ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SigningCertificateUsage = signingCertificateUsage,
SigningCertificateV1Hash = new byte[SHA1HashLength - 1]
};
TimestampService timestampService = TimestampService.Create(rootCa, options);
using (testServer.RegisterResponder(timestampService))
{
var nupkg = new SimpleTestPackageContext();
using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
using (var directory = TestDirectory.Create())
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
nupkg,
directory,
timestampService.Url);
using (FileStream stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);
var exception = Assert.Throws <SignatureException>(
() => SignatureUtility.GetTimestampCertificateChain(signature));
Assert.Equal(
"A certificate referenced by the signing-certificate attribute could not be found.",
exception.Message);
}
}
}
}
