public async Task VerifySignaturesAsync_ValidCertificateAndTimestamp_SuccessAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (TestDirectory dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
testCertificate,
nupkg,
dir,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task RejectsSignedPackagesWithKnownCertificatesButFailedFullVerifyResult()
{
// Arrange
_packageStream = TestResources.GetResourceStream(TestResources.SignedPackageLeaf1);
TestUtility.RequireSignedPackage(
_corePackageService,
TestResources.SignedPackageLeafId,
TestResources.Leaf1Thumbprint);
_fullVerifyResult = new VerifySignaturesResult(valid: false);
_message = new SignatureValidationMessage(
TestResources.SignedPackageLeafId,
TestResources.SignedPackageLeaf1Version,
new Uri($"https://unit.test/{TestResources.SignedPackageLeaf1.ToLowerInvariant()}"),
Guid.NewGuid());
// Act
var result = await _target.ValidateAsync(
_packageKey,
_packageStream,
_message,
_cancellationToken);
// Assert
Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
Assert.Empty(result.Issues);
}
public async Task LoadSignatureDataAsync()
{
using (var reader = new PackageArchiveReader(_streamFactory(), false))
{
IsSigned = await reader.IsSignedAsync(CancellationToken.None);
if (IsSigned)
{
// Load signature and verification data
var sigs = await reader.GetSignaturesAsync(CancellationToken.None);
var reposigs = new List <SignatureInfo>();
RepositorySignatures = reposigs;
foreach (var sig in sigs)
{
// There will only be one
if (sig.Type == SignatureType.Author)
{
PublisherSignature = new SignatureInfo(sig);
}
if (sig.Type == SignatureType.Repository)
{
reposigs.Add(new SignatureInfo(sig));
}
}
// Check verification
var trustProviders = SignatureVerificationProviderFactory.GetSignatureVerificationProviders();
var verifier = new PackageSignatureVerifier(trustProviders, SignedPackageVerifierSettings.RequireSigned);
VerificationResult = await verifier.VerifySignaturesAsync(reader, CancellationToken.None);
}
}
}
public async Task RejectsSignedPackagesWithFailedMinimalVerifyResult()
{
// Arrange
_packageStream = TestResources.GetResourceStream(TestResources.SignedPackageLeaf1);
_mimimalVerifyResult = new VerifySignaturesResult(valid: false);
_message = new SignatureValidationMessage(
TestResources.SignedPackageLeafId,
TestResources.SignedPackageLeaf1Version,
new Uri($"https://unit.test/{TestResources.SignedPackageLeaf1.ToLowerInvariant()}"),
Guid.NewGuid());
// Act
var result = await _target.ValidateAsync(
_packageKey,
_packageStream,
_message,
_cancellationToken);
// Assert
Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
Assert.Empty(result.Issues);
_fullPackageSignatureVerifier.Verify(
x => x.VerifySignaturesAsync(It.IsAny <ISignedPackageReader>(), It.IsAny <CancellationToken>(), It.IsAny <Guid>()),
Times.Never);
}
public ValidateAsync(ITestOutputHelper output)
{
_packageStream = TestResources.GetResourceStream(TestResources.UnsignedPackage);
_packageKey = 42;
_message = new SignatureValidationMessage(
"NuGet.Versioning",
"4.3.0",
new Uri("https://example/nuget.versioning.4.3.0.nupkg"),
new Guid("b777135f-1aac-4ec2-a3eb-1f64fe1880d5"));
_cancellationToken = CancellationToken.None;
_packageSigningStateService = new Mock <IPackageSigningStateService>();
_formatValidator = new Mock <ISignatureFormatValidator>();
_minimalVerifyResult = new VerifySignaturesResult(valid: true, signed: true);
_formatValidator
.Setup(x => x.ValidateMinimalAsync(It.IsAny <ISignedPackageReader>(), It.IsAny <CancellationToken>()))
.ReturnsAsync(() => _minimalVerifyResult);
_fullVerifyResult = new VerifySignaturesResult(valid: true, signed: true);
_formatValidator
.Setup(x => x.ValidateAllSignaturesAsync(It.IsAny <ISignedPackageReader>(), It.IsAny <bool>(), It.IsAny <CancellationToken>()))
.ReturnsAsync(() => _fullVerifyResult);
_signaturePartsExtractor = new Mock <ISignaturePartsExtractor>();
_corePackageService = new Mock <ICorePackageService>();
var loggerFactory = new LoggerFactory().AddXunit(output);
_logger = loggerFactory.CreateLogger <SignatureValidator>();
_packageFileService = new Mock <IProcessorPackageFileService>();
_nupkgUri = new Uri("https://example-storage/TestProcessor/b777135f-1aac-4ec2-a3eb-1f64fe1880d5/nuget.versioning.4.3.0.nupkg");
_packageFileService
.Setup(x => x.GetReadAndDeleteUriAsync(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <Guid>()))
.ReturnsAsync(() => _nupkgUri);
_optionsSnapshot = new Mock <IOptionsSnapshot <ProcessSignatureConfiguration> >();
_configuration = new ProcessSignatureConfiguration
{
AllowedRepositorySigningCertificates = new List <string> {
"fake-thumbprint"
},
V3ServiceIndexUrl = "http://example/v3/index.json",
};
_optionsSnapshot.Setup(x => x.Value).Returns(() => _configuration);
_telemetryService = new Mock <ITelemetryService>();
_target = new SignatureValidator(
_packageSigningStateService.Object,
_formatValidator.Object,
_signaturePartsExtractor.Object,
_packageFileService.Object,
_corePackageService.Object,
_optionsSnapshot.Object,
_telemetryService.Object,
_logger);
}
public async Task RejectsPackagesWithFullVerificationErrors()
{
// Arrange
_packageStream = TestResources.GetResourceStream(TestResources.SignedPackageLeaf1);
TestUtility.RequireSignedPackage(
_corePackageService,
TestResources.SignedPackageLeafId,
TestResources.SignedPackageLeaf1Version,
TestResources.Leaf1Thumbprint);
_fullVerifyResult = new VerifySignaturesResult(
valid: false,
signed: true,
results: new[]
{
new InvalidSignaturePackageVerificationResult(
SignatureVerificationStatus.Suspect,
new[]
{
SignatureLog.Issue(
fatal: true,
code: NuGetLogCode.NU3008,
message: "The package integrity check failed."),
SignatureLog.Issue(
fatal: false,
code: NuGetLogCode.NU3016,
message: "The package hash uses an unsupported hash algorithm."),
SignatureLog.Issue(
fatal: true,
code: NuGetLogCode.NU3000,
message: "Some other thing happened."),
})
});
_message = new SignatureValidationMessage(
TestResources.SignedPackageLeafId,
TestResources.SignedPackageLeaf1Version,
new Uri($"https://unit.test/{TestResources.SignedPackageLeaf1.ToLowerInvariant()}"),
Guid.NewGuid());
// Act
var result = await _target.ValidateAsync(
_packageKey,
_packageStream,
_message,
_cancellationToken);
// Assert
Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
Assert.Equal(2, result.Issues.Count);
var issue1 = Assert.IsType <ClientSigningVerificationFailure>(result.Issues[0]);
Assert.Equal("NU3008", issue1.ClientCode);
Assert.Equal("The package integrity check failed.", issue1.ClientMessage);
var issue2 = Assert.IsType <ClientSigningVerificationFailure>(result.Issues[1]);
Assert.Equal("NU3000", issue2.ClientCode);
Assert.Equal("Some other thing happened.", issue2.ClientMessage);
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync()
{
ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
var serviceOptions = new TimestampServiceOptions()
{
Accuracy = accuracy
};
TimestampService timestampService = TimestampService.Create(ca, serviceOptions);
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (testServer.RegisterResponder(timestampService))
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult result = results.Results.Single();
Assert.False(results.IsValid);
Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));
Assert.Contains(result.Issues, issue =>
issue.Code == NuGetLogCode.NU3037 &&
issue.Level == LogLevel.Error &&
issue.Message.Contains("validity period has expired."));
}
}
}
private static async Task LogPackageSignatureVerificationAsync(
string source,
PackageIdentity package,
ILogger logger,
VerifySignaturesResult verifyResult)
{
await logger.LogAsync(
LogLevel.Verbose,
string.Format(CultureInfo.CurrentCulture, Strings.PackageSignatureVerificationLog, package, source, verifyResult.Valid));
}
public ValidationResultViewModel(VerifySignaturesResult verifySignaturesResult)
{
this.verifySignaturesResult = verifySignaturesResult ?? throw new ArgumentNullException(nameof(verifySignaturesResult));
Trust = verifySignaturesResult.Results.Select(r => r.Trust).Min();
ErrorIssues = verifySignaturesResult.Results.SelectMany(prv => prv.GetErrorIssues()).ToList();
WarningIssues = verifySignaturesResult.Results.SelectMany(prv => prv.GetWarningIssues()).ToList();
InformationIssues = verifySignaturesResult.Results.SelectMany(prv => prv.Issues).Where(sl => sl.Level == LogLevel.Information).Select(sl => sl.ToLogMessage()).ToList();
}
public async Task VerifySignaturesAsync_WithExpiredPrimarySignature_ValidCountersignature_AndPrimarySignatureExpiredAtCountersignTime_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExists,
revocationMode: RevocationMode.Online);
using (TestDirectory dir = TestDirectory.Create())
using (TrustedTestCert <TestCertificate> trustedCertificate = _testFixture.CreateTrustedTestCertificateThatWillExpireSoon())
using (var willExpireCert = new X509Certificate2(trustedCertificate.Source.Cert))
using (var repoTestCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
willExpireCert,
nupkg,
dir);
await SignatureTestUtility.WaitForCertificateExpirationAsync(willExpireCert);
string countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
repoTestCertificate,
signedPackagePath,
dir,
TestServiceIndexUrl,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(countersignedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
}
}
}
public async Task VerifySignaturesAsync_WithBasicSignedCms_SucceedsAsync()
{
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExistsAndIsNecessary,
revocationMode: RevocationMode.Online);
using (TestDirectory directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageContext = new SimpleTestPackageContext();
FileInfo unsignedPackageFile = await packageContext.CreateAsFileAsync(directory, "Package.nupkg");
FileInfo signedPackageFile = await SignedArchiveTestUtility.SignPackageFileWithBasicSignedCmsAsync(
directory,
unsignedPackageFile,
certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackageFile.FullName))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
Assert.Equal(1, result.Results.Count);
var signedPackageVerificationResult = (SignedPackageVerificationResult)result.Results[0];
SignerInfo signer = signedPackageVerificationResult.Signature.SignedCms.SignerInfos[0];
Assert.Equal(0, signer.SignedAttributes.Count);
Assert.Equal(0, signer.UnsignedAttributes.Count);
Assert.Equal(0, resultsWithErrors.Count());
Assert.Equal(0, totalErrorIssues.Count());
}
}
}
public ValidateAsync(ITestOutputHelper output)
{
_packageStream = TestResources.GetResourceStream(TestResources.UnsignedPackage);
_packageKey = 42;
_message = new SignatureValidationMessage(
"NuGet.Versioning",
"4.3.0",
new Uri("https://example/nuget.versioning.4.3.0.nupkg"),
new Guid("b777135f-1aac-4ec2-a3eb-1f64fe1880d5"));
_cancellationToken = CancellationToken.None;
_packageSigningStateService = new Mock <IPackageSigningStateService>();
_mimimalVerifyResult = new VerifySignaturesResult(true);
_mimimalPackageSignatureVerifier = new Mock <IPackageSignatureVerifier>();
_mimimalPackageSignatureVerifier
.Setup(x => x.VerifySignaturesAsync(It.IsAny <ISignedPackageReader>(), It.IsAny <CancellationToken>(), It.IsAny <Guid>()))
.ReturnsAsync(() => _mimimalVerifyResult);
_fullVerifyResult = new VerifySignaturesResult(true);
_fullPackageSignatureVerifier = new Mock <IPackageSignatureVerifier>();
_fullPackageSignatureVerifier
.Setup(x => x.VerifySignaturesAsync(It.IsAny <ISignedPackageReader>(), It.IsAny <CancellationToken>(), It.IsAny <Guid>()))
.ReturnsAsync(() => _fullVerifyResult);
_signaturePartsExtractor = new Mock <ISignaturePartsExtractor>();
_corePackageService = new Mock <ICorePackageService>();
var loggerFactory = new LoggerFactory().AddXunit(output);
_logger = loggerFactory.CreateLogger <SignatureValidator>();
_packageFileService = new Mock <IProcessorPackageFileService>();
_nupkgUri = new Uri("https://example-storage/TestProcessor/b777135f-1aac-4ec2-a3eb-1f64fe1880d5/nuget.versioning.4.3.0.nupkg");
_packageFileService
.Setup(x => x.GetReadAndDeleteUriAsync(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <Guid>()))
.ReturnsAsync(() => _nupkgUri);
_telemetryService = new Mock <ITelemetryService>();
_target = new SignatureValidator(
_packageSigningStateService.Object,
_mimimalPackageSignatureVerifier.Object,
_fullPackageSignatureVerifier.Object,
_signaturePartsExtractor.Object,
_packageFileService.Object,
_corePackageService.Object,
_telemetryService.Object,
_logger);
}
public async Task VerifySignatureAsync()
{
using (var reader = new PackageArchiveReader(_streamFactory(), false))
{
var signed = await reader.IsSignedAsync(CancellationToken.None);
if (signed)
{
// Check verification
var trustProviders = SignatureVerificationProviderFactory.GetSignatureVerificationProviders();
var verifier = new PackageSignatureVerifier(trustProviders, SignedPackageVerifierSettings.RequireSigned);
VerificationResult = await verifier.VerifySignaturesAsync(reader, CancellationToken.None);
}
}
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_SuccessAsync()
{
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult trustProvider = result.Results.Single();
Assert.True(result.IsValid);
Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
}
}
}
public async Task VerifySignaturesAsync_WithExpiredTimestamp_NotAllowIgnoreTimestamp_ShouldNotBeAnErrorAsync()
{
using (var nupkgStream = new MemoryStream(GetResource("UntrustedTimestampPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
var verifier = new PackageSignatureVerifier(_trustProviders);
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(
package,
_verifyCommandSettings,
CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
totalErrorIssues.Select(i => i.Message).Should().NotContain("A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.");
}
}
public async Task VerifySignaturesAsync_SettingsRequireTimestamp_NoTimestamp_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: false,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExistsAndIsNecessary,
revocationMode: RevocationMode.Online);
using (TestDirectory dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, dir);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3027);
}
}
}
public async Task VerifySignatureAsync()
{
using (var reader = new PackageArchiveReader(_streamFactory(), false))
{
var signed = await reader.IsSignedAsync(CancellationToken.None);
if (signed)
{
// Check verification
var trustProviders = new ISignatureVerificationProvider[]
{
new IntegrityVerificationProvider(),
new SignatureTrustAndValidityVerificationProvider()
};
var verifier = new PackageSignatureVerifier(trustProviders);
VerificationResult = await verifier.VerifySignaturesAsync(reader, SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy(), CancellationToken.None);
}
}
}
public async Task RejectsPackagesWithMimimalVerificationErrors()
{
// Arrange
_packageStream = TestResources.GetResourceStream(TestResources.SignedPackageLeaf1);
_minimalVerifyResult = new VerifySignaturesResult(
valid: false,
signed: true,
results: new[]
{
new InvalidSignaturePackageVerificationResult(
SignatureVerificationStatus.Suspect,
new[]
{
SignatureLog.Issue(
fatal: true,
code: NuGetLogCode.NU3000,
message: "The package signature is invalid."),
})
});
_message = new SignatureValidationMessage(
TestResources.SignedPackageLeafId,
TestResources.SignedPackageLeaf1Version,
new Uri($"https://unit.test/{TestResources.SignedPackageLeaf1.ToLowerInvariant()}"),
Guid.NewGuid());
// Act
var result = await _target.ValidateAsync(
_packageKey,
_packageStream,
_message,
_cancellationToken);
// Assert
Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
Assert.Single(result.Issues);
var issue = Assert.IsType <ClientSigningVerificationFailure>(result.Issues[0]);
Assert.Equal("NU3000", issue.ClientCode);
Assert.Equal("The package signature is invalid.", issue.ClientMessage);
}
public async Task VerifySignaturesAsync_WithSignedAndCountersignedPackage_SucceedsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
using (TestDirectory dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
using (TrustedTestCert <TestCertificate> trusted = SigningTestUtility.GenerateTrustedTestCertificate())
using (var counterCertificate = new X509Certificate2(trusted.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
testCertificate,
nupkg,
dir);
string repositorySignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
counterCertificate,
signedPackagePath,
dir,
TestServiceIndexUrl);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(repositorySignedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(
packageReader,
_verifyCommandSettings,
CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task VerifySignaturesAsync_WithTimestampChainingToUntrustedRoot_NotAllowIgnoreTimestamp_FailAsync()
{
using (var nupkgStream = new MemoryStream(GetResource("UntrustedTimestampPackage.nupkg")))
using (var package = new PackageArchiveReader(nupkgStream, leaveStreamOpen: false))
{
var verifier = new PackageSignatureVerifier(_trustProviders);
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(
package,
_verifyCommandSettings,
CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
IEnumerable <ILogMessage> totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(3);
SigningTestUtility.AssertUntrustedRoot(totalErrorIssues, NuGetLogCode.NU3028, LogLevel.Error);
}
}
private async Task <SignatureValidatorResult> GetVerifyResult(
Context context,
string verificationName,
VerifySignaturesResult verifyResult)
{
var errorIssues = verifyResult
.Results
.SelectMany(x => x.GetErrorIssues())
.ToList();
var warningsForLogs = verifyResult
.Results
.SelectMany(x => x.GetWarningIssues())
.Select(x => $"{x.Code}: {x.Message}")
.ToList();
var errorsForLogs = errorIssues
.Select(x => $"{x.Code}: {x.Message}")
.ToList();
if (!verifyResult.IsValid)
{
_logger.LogInformation(
"Signed package {PackageId} {PackageVersion} is blocked during {VerificationName} for validation " +
"{ValidationId}. Errors: {Errors} Warnings: {Warnings}",
context.Message.PackageId,
context.Message.PackageVersion,
verificationName,
context.Message.ValidationId,
errorsForLogs,
warningsForLogs);
// Treat the "signature format version" error specially. This is because the message provided by the
// client does not make sense in the server context.
IValidationIssue[] errorValidationIssues;
if (errorIssues.Any(x => x.Code == NuGetLogCode.NU3007))
{
errorValidationIssues = new[]
{
ValidationIssue.OnlySignatureFormatVersion1Supported,
};
}
else
{
errorValidationIssues = errorIssues
.Select(x => new ClientSigningVerificationFailure(x.Code.ToString(), x.Message))
.ToArray();
}
return(await RejectAsync(context, errorValidationIssues));
}
else
{
_logger.LogInformation(
"Signed package {PackageId} {PackageVersion} passed {VerificationName} for validation " +
"{ValidationId}. Errors: {Errors} Warnings: {Warnings}",
context.Message.PackageId,
context.Message.PackageVersion,
verificationName,
context.Message.ValidationId,
errorsForLogs,
warningsForLogs);
return(null);
}
}
