public void GetSignedPackageVerifierSettings_RepoSignatureInfoCertificateListWithMultipleEntriesCorrectlyPassedToSetting() { // Arrange var target = VerificationTarget.Repository; var placement = SignaturePlacement.PrimarySignature | SignaturePlacement.Countersignature; var allSigned = true; var firstCertFingerprints = new Dictionary <string, string>() { { HashAlgorithmName.SHA256.ConvertToOidString(), $"{HashAlgorithmName.SHA256.ToString()}_first" }, { HashAlgorithmName.SHA384.ConvertToOidString(), $"{HashAlgorithmName.SHA384.ToString()}_first" }, { HashAlgorithmName.SHA512.ConvertToOidString(), $"{HashAlgorithmName.SHA512.ToString()}_first" } }; var secondCertFingerprints = new Dictionary <string, string>() { { HashAlgorithmName.SHA256.ConvertToOidString(), $"{HashAlgorithmName.SHA256.ToString()}_second" }, }; var repoCertificateInfo = new List <IRepositoryCertificateInfo>() { new TestRepositoryCertificateInfo() { ContentUrl = @"https://unit.test/1", Fingerprints = new Fingerprints(firstCertFingerprints), Issuer = "CN=Issuer1", Subject = "CN=Subject1", NotBefore = DateTimeOffset.UtcNow, NotAfter = DateTimeOffset.UtcNow }, new TestRepositoryCertificateInfo() { ContentUrl = @"https://unit.test/2", Fingerprints = new Fingerprints(secondCertFingerprints), Issuer = "CN=Issuer2", Subject = "CN=Subject2", NotBefore = DateTimeOffset.UtcNow, NotAfter = DateTimeOffset.UtcNow } }; var expectedAllowList = new List <CertificateHashAllowListEntry>() { new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA256.ToString()}_first", HashAlgorithmName.SHA256), new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA384.ToString()}_first", HashAlgorithmName.SHA384), new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA512.ToString()}_first", HashAlgorithmName.SHA512), new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA256.ToString()}_second", HashAlgorithmName.SHA256) }; var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repoCertificateInfo); // Act var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings); // Assert settings.AllowUnsigned.Should().BeFalse(); settings.AllowNoClientCertificateList.Should().BeTrue(); settings.AllowNoRepositoryCertificateList.Should().BeFalse(); settings.RepositoryCertificateList.Should().NotBeNull(); settings.RepositoryCertificateList.ShouldBeEquivalentTo(expectedAllowList); }
private static async Task VerifyPackageSignatureAsync( string source, Guid parentId, PackageIdentity package, PackageExtractionContext packageExtractionContext, ISignedPackageReader signedPackageReader, CancellationToken token) { if (packageExtractionContext.SignedPackageVerifier != null) { var repositorySignatureInfo = GetRepositorySignatureInfo(source); var verifierSettings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings( repositorySignatureInfo, packageExtractionContext.SignedPackageVerifierSettings); var verifyResult = await packageExtractionContext.SignedPackageVerifier.VerifySignaturesAsync( signedPackageReader, verifierSettings, token, parentId); if (!verifyResult.Valid) { throw new SignatureException(verifyResult.Results, package); } } }
public void GetSignedPackageVerifierSettings_NullRepoSignatureInfoReturnsFallbackSettings() { // Arrange & Act var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo: null, fallbackSettings: _defaultSettings); // Assert settings.Should().Be(_defaultSettings); }
public void GetSignedPackageVerifierSettings_NullFallbackSettingsThrows() { // Arrange & Act Action action = () => RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo: null, fallbackSettings: null); // Assert action.ShouldThrow <ArgumentNullException>(); }
public void GetSignedPackageVerifierSettings_RepoSignatureInfoFalseAllSignedDoesNotSetAllowUnsigned() { // Arrange var repoSignatureInfo = new RepositorySignatureInfo(allRepositorySigned: false, repositoryCertificateInfos: null); // Act var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings); // Assert settings.ShouldBeEquivalentTo(_defaultSettings); }
private static async Task VerifyPackageSignatureAsync( string source, Guid parentId, PackageIdentity package, PackageExtractionContext packageExtractionContext, ISignedPackageReader signedPackageReader, CancellationToken token) { if (packageExtractionContext.SignedPackageVerifier != null) { var repositorySignatureInfo = GetRepositorySignatureInfo(source); var verifierSettings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings( repositorySignatureInfo, packageExtractionContext.SignedPackageVerifierSettings); var verifyResult = await packageExtractionContext.SignedPackageVerifier.VerifySignaturesAsync( signedPackageReader, verifierSettings, token, parentId); if (verifyResult.Signed) { await LogPackageSignatureVerificationAsync(source, package, packageExtractionContext.Logger, verifyResult); // Update errors and warnings with package id and source verifyResult.Results .SelectMany(r => r.Issues) .ForEach(e => AddPackageIdentityToSignatureLog(source, package, e)); if (verifyResult.Valid) { // log any warnings var warnings = verifyResult.Results.SelectMany(r => r.GetWarningIssues()); foreach (var warning in warnings) { await packageExtractionContext.Logger.LogAsync(warning); } } else { throw new SignatureException(verifyResult.Results, package); } } } }
public void GetSignedPackageVerifierSettings_RepoSignatureInfoCertificateListWithOneEntryCorrectlyPassedToSetting() { // Arrange var target = VerificationTarget.Repository; var allSigned = true; var certFingerprints = new Dictionary <string, string>() { { HashAlgorithmName.SHA256.ConvertToOidString(), HashAlgorithmName.SHA256.ToString() }, { HashAlgorithmName.SHA384.ConvertToOidString(), HashAlgorithmName.SHA384.ToString() }, { HashAlgorithmName.SHA512.ConvertToOidString(), HashAlgorithmName.SHA512.ToString() }, { "1.3.14.3.2.26", "SHA1" }, }; var testCertInfo = new TestRepositoryCertificateInfo() { ContentUrl = @"https://unit.test", Fingerprints = new Fingerprints(certFingerprints), Issuer = "CN=Issuer", Subject = "CN=Subject", NotBefore = DateTimeOffset.UtcNow, NotAfter = DateTimeOffset.UtcNow }; var repoCertificateInfo = new List <IRepositoryCertificateInfo>() { testCertInfo }; var expectedAllowList = new List <CertificateHashAllowListEntry>() { new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA256.ToString(), HashAlgorithmName.SHA256), new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA384.ToString(), HashAlgorithmName.SHA384), new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA512.ToString(), HashAlgorithmName.SHA512) }; var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repoCertificateInfo); // Act var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings); // Assert settings.AllowUnsigned.Should().BeFalse(); settings.AllowNoClientCertificateList.Should().BeTrue(); settings.AllowNoRepositoryCertificateList.Should().BeFalse(); settings.RepositoryCertificateList.Should().NotBeNull(); settings.RepositoryCertificateList.ShouldBeEquivalentTo(expectedAllowList); }
public void GetSignedPackageVerifierSettings_RepoSignatureInfoTrueAllSignedClearsAllowUnsignedIfSet() { // Arrange var allSigned = true; var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repositoryCertificateInfos: null); // Act var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings); // Assert settings.AllowUnsigned.Should().BeFalse(); settings.AllowIllegal.Should().BeTrue(); settings.AllowUntrusted.Should().BeTrue(); settings.AllowUntrustedSelfIssuedCertificate.Should().BeTrue(); settings.AllowIgnoreTimestamp.Should().BeTrue(); settings.AllowNoTimestamp.Should().BeTrue(); settings.AllowMultipleTimestamps.Should().BeTrue(); settings.AllowUnknownRevocation.Should().BeTrue(); }
public void GetSignedPackageVerifierSettings_RepoSignatureInfoAllSignedTrue_ClearsAllowUnsignedIfSet() { // Arrange var allSigned = true; var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repositoryCertificateInfos: null); // Act var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings); // Assert settings.AllowUnsigned.Should().BeFalse(); settings.AllowIllegal.Should().BeTrue(); settings.AllowUntrusted.Should().BeFalse(); settings.AllowIgnoreTimestamp.Should().BeTrue(); settings.AllowNoTimestamp.Should().BeTrue(); settings.AllowMultipleTimestamps.Should().BeTrue(); settings.AllowUnknownRevocation.Should().BeTrue(); settings.ReportUnknownRevocation.Should().BeFalse(); settings.VerificationTarget.Should().Be(VerificationTarget.All); settings.SignaturePlacement.Should().Be(SignaturePlacement.Any); settings.RepositoryCountersignatureVerificationBehavior.Should().Be(SignatureVerificationBehavior.IfExistsAndIsNecessary); }
public void GetSignedPackageVerifierSettings_ClientAllowListInfoPassedToSetting() { // Arrange var target = VerificationTarget.Repository; var allSigned = true; var certFingerprints = new Dictionary <string, string>() { { HashAlgorithmName.SHA256.ConvertToOidString(), HashAlgorithmName.SHA256.ToString() }, { HashAlgorithmName.SHA384.ConvertToOidString(), HashAlgorithmName.SHA384.ToString() }, { HashAlgorithmName.SHA512.ConvertToOidString(), HashAlgorithmName.SHA512.ToString() }, { "1.3.14.3.2.26", "SHA1" }, }; var testCertInfo = new TestRepositoryCertificateInfo() { ContentUrl = @"https://unit.test", Fingerprints = new Fingerprints(certFingerprints), Issuer = "CN=Issuer", Subject = "CN=Subject", NotBefore = DateTimeOffset.UtcNow, NotAfter = DateTimeOffset.UtcNow }; var repoCertificateInfo = new List <IRepositoryCertificateInfo>() { testCertInfo }; var expectedClientAllowList = new List <CertificateHashAllowListEntry>() { new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA256.ToString(), HashAlgorithmName.SHA256) }; var expectedRepoAllowList = new List <CertificateHashAllowListEntry>() { new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA256.ToString(), HashAlgorithmName.SHA256), new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA384.ToString(), HashAlgorithmName.SHA384), new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA512.ToString(), HashAlgorithmName.SHA512) }; var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repoCertificateInfo); var fallbackSettings = new SignedPackageVerifierSettings( allowUnsigned: true, allowIllegal: true, allowUntrusted: true, allowUntrustedSelfIssuedCertificate: true, allowIgnoreTimestamp: true, allowMultipleTimestamps: true, allowNoTimestamp: true, allowUnknownRevocation: true, allowNoRepositoryCertificateList: true, allowNoClientCertificateList: false, repoAllowListEntries: null, clientAllowListEntries: expectedClientAllowList); // Act var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, fallbackSettings); // Assert settings.AllowUnsigned.Should().BeFalse(); settings.AllowNoClientCertificateList.Should().BeFalse(); settings.AllowNoRepositoryCertificateList.Should().BeFalse(); settings.ClientCertificateList.Should().NotBeNull(); settings.ClientCertificateList.ShouldBeEquivalentTo(expectedClientAllowList); settings.RepositoryCertificateList.Should().NotBeNull(); settings.RepositoryCertificateList.ShouldBeEquivalentTo(expectedRepoAllowList); }