public void Read_WithValidInput_ReturnsSigningCertificateV2(HashAlgorithmName hashAlgorithmName)
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var expectedSigningCertificateV2 = SigningCertificateV2.Create(certificate, hashAlgorithmName);
var bytes = expectedSigningCertificateV2.Encode();
var actualSigningCertificateV2 = SigningCertificateV2.Read(bytes);
Assert.Equal(
expectedSigningCertificateV2.Certificates.Count,
actualSigningCertificateV2.Certificates.Count);
for (var i = 0; i < expectedSigningCertificateV2.Certificates.Count; ++i)
{
var expectedEssCertIdV2 = expectedSigningCertificateV2.Certificates[i];
var actualEssCertIdV2 = actualSigningCertificateV2.Certificates[i];
Assert.Equal(
expectedEssCertIdV2.HashAlgorithm.Algorithm.Value,
actualEssCertIdV2.HashAlgorithm.Algorithm.Value);
SignTestUtility.VerifyByteArrays(
expectedEssCertIdV2.CertificateHash,
actualEssCertIdV2.CertificateHash);
Assert.Equal(
expectedEssCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name,
actualEssCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name);
SignTestUtility.VerifyByteArrays(expectedEssCertIdV2.IssuerSerial.SerialNumber,
actualEssCertIdV2.IssuerSerial.SerialNumber);
}
}
}
public void Read_WithMultipleEssCertIds_ReturnsSigningCertificate()
{
var bcEssCertId1 = CreateBcEssCertId("1");
var bcEssCertId2 = CreateBcEssCertId("2");
var bcEssCertId3 = CreateBcEssCertId("3");
var bcSigningCertificate = new BcSigningCertificate(
new DerSequence(new DerSequence(bcEssCertId1, bcEssCertId2, bcEssCertId3)));
var bytes = bcSigningCertificate.GetDerEncoded();
var signingCertificate = SigningCertificate.Read(bytes);
Assert.Equal(3, signingCertificate.Certificates.Count);
Assert.Null(signingCertificate.Policies);
SignTestUtility.VerifyByteArrays(
bcEssCertId1.GetCertHash(),
signingCertificate.Certificates[0].CertificateHash);
Assert.Null(signingCertificate.Certificates[0].IssuerSerial);
SignTestUtility.VerifyByteArrays(
bcEssCertId2.GetCertHash(),
signingCertificate.Certificates[1].CertificateHash);
Assert.Null(signingCertificate.Certificates[1].IssuerSerial);
SignTestUtility.VerifyByteArrays(
bcEssCertId3.GetCertHash(),
signingCertificate.Certificates[2].CertificateHash);
Assert.Null(signingCertificate.Certificates[2].IssuerSerial);
}
public void Read_WithMultipleEssCertIds_ReturnsSigningCertificateV2(HashAlgorithmName hashAlgorithmName)
{
var bcEssCertIdV2_1 = CreateBcEssCertIdV2(hashAlgorithmName, "1");
var bcEssCertIdV2_2 = CreateBcEssCertIdV2(hashAlgorithmName, "2");
var bcEssCertIdV2_3 = CreateBcEssCertIdV2(hashAlgorithmName, "3");
var bcSigningCertificateV2 = new BcSigningCertificateV2(
new[] { bcEssCertIdV2_1, bcEssCertIdV2_2, bcEssCertIdV2_3 });
var bytes = bcSigningCertificateV2.GetDerEncoded();
var signingCertificate = SigningCertificateV2.Read(bytes);
Assert.Equal(3, signingCertificate.Certificates.Count);
Assert.Null(signingCertificate.Policies);
SignTestUtility.VerifyByteArrays(
bcEssCertIdV2_1.GetCertHash(),
signingCertificate.Certificates[0].CertificateHash);
Assert.Null(signingCertificate.Certificates[0].IssuerSerial);
SignTestUtility.VerifyByteArrays(
bcEssCertIdV2_2.GetCertHash(),
signingCertificate.Certificates[1].CertificateHash);
Assert.Null(signingCertificate.Certificates[1].IssuerSerial);
SignTestUtility.VerifyByteArrays(
bcEssCertIdV2_3.GetCertHash(),
signingCertificate.Certificates[2].CertificateHash);
Assert.Null(signingCertificate.Certificates[2].IssuerSerial);
}
public void IsSelfIssued_WithPartialChain_ReturnsFalse()
{
using (var certificate = SignTestUtility.GetCertificate("leaf.crt"))
{
Assert.False(CertificateUtility.IsSelfIssued(certificate));
}
}
public void CreateSigningCertificateV2_WithValidInput_ReturnsAttribute(Common.HashAlgorithmName hashAlgorithmName)
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var attribute = AttributeUtility.CreateSigningCertificateV2(certificate, hashAlgorithmName);
Assert.Equal(Oids.SigningCertificateV2, attribute.Oid.Value);
Assert.Equal(1, attribute.Values.Count);
var signingCertificateV2 = SigningCertificateV2.Read(attribute.Values[0].RawData);
Assert.Equal(1, signingCertificateV2.Certificates.Count);
var essCertIdV2 = signingCertificateV2.Certificates[0];
var expectedHash = SignTestUtility.GetHash(certificate, hashAlgorithmName);
SignTestUtility.VerifyByteArrays(expectedHash, essCertIdV2.CertificateHash);
Assert.Equal(
hashAlgorithmName,
CryptoHashUtility.OidToHashAlgorithmName(essCertIdV2.HashAlgorithm.Algorithm.Value));
Assert.Equal(certificate.IssuerName.Name, essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name);
var serialNumber = certificate.GetSerialNumber();
// Convert from little endian to big endian.
Array.Reverse(serialNumber);
SignTestUtility.VerifyByteArrays(
serialNumber,
essCertIdV2.IssuerSerial.SerialNumber);
}
}
public void GetCertificateChainForSigning_WithUntrustedRoot_Throws()
{
using (var chainHolder = new X509ChainHolder())
using (var rootCertificate = SignTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SignTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SignTestUtility.GetCertificate("leaf.crt"))
{
var chain = chainHolder.Chain;
var extraStore = new X509Certificate2Collection()
{
rootCertificate, intermediateCertificate
};
var logger = new TestLogger();
var exception = Assert.Throws <SignatureException>(
() => CertificateChainUtility.GetCertificateChainForSigning(
leafCertificate,
extraStore,
logger));
Assert.Equal(NuGetLogCode.NU3018, exception.Code);
Assert.Equal("Certificate chain validation failed.", exception.Message);
Assert.Equal(1, logger.Errors);
Assert.Equal(RuntimeEnvironmentHelper.IsWindows ? 2 : 1, logger.Warnings);
AssertUntrustedRoot(logger.LogMessages, LogLevel.Error);
AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
if (RuntimeEnvironmentHelper.IsWindows)
{
AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
}
}
}
public void Create_WithCertificate_InitializesFields()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var issuerSerial = IssuerSerial.Create(certificate);
Assert.Equal(1, issuerSerial.GeneralNames.Count);
Assert.Equal(certificate.IssuerName.Name, issuerSerial.GeneralNames[0].DirectoryName.Name);
SignTestUtility.VerifySerialNumber(certificate, issuerSerial);
}
}
public void GetPrimarySignatureTimestampCertificates_WithValidTimestamp_ReturnsCertificates()
{
var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));
var certificates = SignatureUtility.GetPrimarySignatureTimestampCertificates(signature);
Assert.Equal(3, certificates.Count);
Assert.Equal("ff162bef155cb3d5b5962bbe084b21fc4d740001", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("2aa752fe64c49abe82913c463529cf10ff2f04ee", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("3b1efd3a66ea28b16697394703a72ca340a05bd5", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
public void GetPrimarySignatureCertificates_WithAuthorSignature_ReturnsCertificates()
{
var signature = PrimarySignature.Load(SignTestUtility.GetResourceBytes("SignatureWithTimestamp.p7s"));
var certificates = SignatureUtility.GetPrimarySignatureCertificates(signature);
Assert.Equal(3, certificates.Count);
Assert.Equal("8219f5772ef562a3ea9b90da00ca7b9523a96fbf", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d8198d59087bbe6a6e7d69af62030145366be93e", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("6d73d582b73b5b3b18a27506acceedea75ab63c2", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
public void GetCertificateChain_WithAuthorSignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("7d14ef1eaa95c41e3cb6c25bb177ce4f9bd7020c", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("0a08d814f1c1c4058bf709c4796a53a47df00e61", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a1b6d9c348850849be54e3e8ac2ae9938e59e4b3", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetTimestampCertificateChain_WithAuthorSignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("5f970d4b17786b091a77eabdd0cf92ff8d1fdb43", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c5e93f93089bd49dc1d8e2b657093b9e29132dcf", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a0e355c9f370a3069823afa3ce22b14a91475e77", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetTimestampCertificateChain_WithoutTimestamp_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
primarySignature = RemoveTimestamp(primarySignature);
var exception = Assert.Throws <SignatureException>(
() => SignatureUtility.GetTimestampCertificateChain(primarySignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("The primary signature does not have a timestamp.", exception.Message);
}
public void Create_WithLargePositiveSerialNumber_ReturnsIssuerSerial()
{
using (var certificate = SigningTestUtility.GenerateCertificate("test", generator =>
{
generator.SetSerialNumber(BigInteger.ValueOf(long.MaxValue));
}))
{
var issuerSerial = IssuerSerial.Create(certificate);
SignTestUtility.VerifySerialNumber(certificate, issuerSerial);
}
}
public void Create_WithSmallSerialNumber_ReturnsIssuerSerial()
{
using (var certificate = SigningTestUtility.GenerateCertificate("test", generator =>
{
generator.SetSerialNumber(BigInteger.One);
}))
{
var issuerSerial = IssuerSerial.Create(certificate);
SignTestUtility.VerifySerialNumber(certificate, issuerSerial);
}
}
public void Read_WithOnlyCertificateHash_ReturnsEssCertIdV2()
{
var hash = CryptoHashUtility.ComputeHash(HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes("peach"));
var bcEssCertId = new BcEssCertIdV2(hash);
var bytes = bcEssCertId.GetDerEncoded();
var essCertIdV2 = EssCertIdV2.Read(bytes);
Assert.Equal(Oids.Sha256, essCertIdV2.HashAlgorithm.Algorithm.Value);
SignTestUtility.VerifyByteArrays(hash, essCertIdV2.CertificateHash);
Assert.Null(essCertIdV2.IssuerSerial);
}
public void GetTimestampCertificateChain_WithRepositoryCountersignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("96b479acf63394f3bcc9928c396264afd60909ed", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("fa4e4ca3d9a26b92a73bb875f964972983b55ccd", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("88b288ff6d3d826469a9ef7816166a7def221885", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetCertificateChain_WithUnrelatedRepositoryCountersignature_Throws()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
primarySignature = RemoveRepositoryCountersignature(primarySignature);
var exception = Assert.Throws <ArgumentException>(
() => SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature));
Assert.Equal("repositoryCountersignature", exception.ParamName);
Assert.StartsWith("The primary signature and repository countersignature are unrelated.", exception.Message);
}
public void GetCertificateChain_WithRepositoryCountersignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SignTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("8d8cc5bdf9e5f86b971d7fb961fe24b999486483", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c8ae47bfd632870a15e3775784affd2bdc96cbf1", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d4e8185475a062de3518d1aa693f13c4283f81ff", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
private static void VerifyAttributes(
CryptographicAttributeObjectCollection attributes,
SignPackageRequest request)
{
var pkcs9SigningTimeAttributeFound = false;
var commitmentTypeIndicationAttributeFound = false;
var signingCertificateV2AttributeFound = false;
foreach (var attribute in attributes)
{
Assert.Equal(1, attribute.Values.Count);
switch (attribute.Oid.Value)
{
case "1.2.840.113549.1.9.5": // PKCS #9 signing time
Assert.IsType <Pkcs9SigningTime>(attribute.Values[0]);
pkcs9SigningTimeAttributeFound = true;
break;
case Oids.CommitmentTypeIndication:
var qualifier = CommitmentTypeQualifier.Read(attribute.Values[0].RawData);
var expectedCommitmentType = AttributeUtility.GetSignatureTypeOid(request.SignatureType);
Assert.Equal(expectedCommitmentType, qualifier.CommitmentTypeIdentifier.Value);
commitmentTypeIndicationAttributeFound = true;
break;
case Oids.SigningCertificateV2:
var signingCertificateV2 = SigningCertificateV2.Read(attribute.Values[0].RawData);
Assert.Equal(1, signingCertificateV2.Certificates.Count);
var essCertIdV2 = signingCertificateV2.Certificates[0];
Assert.Equal(SignTestUtility.GetHash(request.Certificate, request.SignatureHashAlgorithm), essCertIdV2.CertificateHash);
Assert.Equal(request.SignatureHashAlgorithm.ConvertToOidString(), essCertIdV2.HashAlgorithm.Algorithm.Value);
Assert.Equal(request.Certificate.IssuerName.Name, essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name);
SignTestUtility.VerifySerialNumber(request.Certificate, essCertIdV2.IssuerSerial);
Assert.Null(signingCertificateV2.Policies);
signingCertificateV2AttributeFound = true;
break;
}
}
Assert.True(pkcs9SigningTimeAttributeFound);
Assert.True(commitmentTypeIndicationAttributeFound);
Assert.True(signingCertificateV2AttributeFound);
}
public void CreateSignedAttributes_SignPackageRequest_WithValidInput_ReturnsAttributes()
{
using (var rootCertificate = SignTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SignTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SignTestUtility.GetCertificate("leaf.crt"))
using (var request = CreateRequest(leafCertificate))
{
var certList = new[] { leafCertificate, intermediateCertificate, rootCertificate };
var attributes = SigningUtility.CreateSignedAttributes(request, certList);
Assert.Equal(3, attributes.Count);
VerifyAttributes(attributes, request);
}
}
public void Create_WithSha512_ReturnsEssCertIdV2()
{
var hashAlgorithmName = HashAlgorithmName.SHA512;
using (var certificate = _fixture.GetDefaultCertificate())
{
var essCertIdV2 = EssCertIdV2.Create(certificate, hashAlgorithmName);
Assert.Equal(SignTestUtility.GetHash(certificate, hashAlgorithmName), essCertIdV2.CertificateHash);
Assert.Equal(Oids.Sha512, essCertIdV2.HashAlgorithm.Algorithm.Value);
Assert.Equal(1, essCertIdV2.IssuerSerial.GeneralNames.Count);
Assert.Equal(certificate.IssuerName.Name, essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name);
SignTestUtility.VerifySerialNumber(certificate, essCertIdV2.IssuerSerial);
}
}
public void Create_WithValidInput_ReturnsSigningCertificateV2(HashAlgorithmName hashAlgorithmName)
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var signingCertificateV2 = SigningCertificateV2.Create(certificate, hashAlgorithmName);
Assert.Equal(1, signingCertificateV2.Certificates.Count);
var essCertIdV2 = signingCertificateV2.Certificates[0];
Assert.Equal(hashAlgorithmName, CryptoHashUtility.OidToHashAlgorithmName(essCertIdV2.HashAlgorithm.Algorithm.Value));
Assert.Equal(SignTestUtility.GetHash(certificate, hashAlgorithmName), essCertIdV2.CertificateHash);
Assert.Equal(1, essCertIdV2.IssuerSerial.GeneralNames.Count);
Assert.Equal(certificate.IssuerName.Name, essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name);
SignTestUtility.VerifySerialNumber(certificate, essCertIdV2.IssuerSerial);
Assert.Null(signingCertificateV2.Policies);
}
}
public void Read_WithDefaultAlgorithmIdentifier_ReturnsEssCertIdV2()
{
var directoryName = new X509Name("CN=test");
var generalNames = new GeneralNames(
new BcGeneralName(BcGeneralName.DirectoryName, directoryName));
var bcIssuerSerial = new BcIssuerSerial(generalNames, new DerInteger(BigInteger.One));
var hash = CryptoHashUtility.ComputeHash(HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes("peach"));
var bcEssCertId = new BcEssCertIdV2(hash, bcIssuerSerial);
var bytes = bcEssCertId.GetDerEncoded();
var essCertIdV2 = EssCertIdV2.Read(bytes);
Assert.Equal(Oids.Sha256, essCertIdV2.HashAlgorithm.Algorithm.Value);
Assert.Equal(1, essCertIdV2.IssuerSerial.GeneralNames.Count);
Assert.Equal(directoryName.ToString(), essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name);
SignTestUtility.VerifyByteArrays(hash, essCertIdV2.CertificateHash);
SignTestUtility.VerifyByteArrays(bcIssuerSerial.Serial.Value.ToByteArray(), essCertIdV2.IssuerSerial.SerialNumber);
}
public void Read_WithValidInput_ReturnsEssCertId()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var bcCertificate = DotNetUtilities.FromX509Certificate(certificate);
var bcGeneralNames = new GeneralNames(
new BcGeneralName(BcGeneralName.DirectoryName, bcCertificate.IssuerDN));
var bcIssuerSerial = new BcIssuerSerial(bcGeneralNames, new DerInteger(bcCertificate.SerialNumber));
var hash = SignTestUtility.GetHash(certificate, Common.HashAlgorithmName.SHA256);
var bcEssCertId = new BcEssCertId(hash, bcIssuerSerial);
var bytes = bcEssCertId.GetDerEncoded();
var essCertId = EssCertId.Read(bytes);
Assert.Equal(1, essCertId.IssuerSerial.GeneralNames.Count);
Assert.Equal(certificate.IssuerName.Name, essCertId.IssuerSerial.GeneralNames[0].DirectoryName.Name);
SignTestUtility.VerifyByteArrays(hash, essCertId.CertificateHash);
SignTestUtility.VerifyByteArrays(bcIssuerSerial.Serial.Value.ToByteArray(), essCertId.IssuerSerial.SerialNumber);
}
}
public void GetCertificateListFromChain_ReturnsCertificatesInOrder()
{
using (var chainHolder = new X509ChainHolder())
using (var rootCertificate = SignTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SignTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SignTestUtility.GetCertificate("leaf.crt"))
{
var chain = chainHolder.Chain;
chain.ChainPolicy.ExtraStore.Add(rootCertificate);
chain.ChainPolicy.ExtraStore.Add(intermediateCertificate);
chain.Build(leafCertificate);
var certificateChain = CertificateChainUtility.GetCertificateListFromChain(chain);
Assert.Equal(3, certificateChain.Count);
Assert.Equal(leafCertificate.Thumbprint, certificateChain[0].Thumbprint);
Assert.Equal(intermediateCertificate.Thumbprint, certificateChain[1].Thumbprint);
Assert.Equal(rootCertificate.Thumbprint, certificateChain[2].Thumbprint);
}
}
