public void InvalidCertificateInvalidatesSignatures(
EndCertificateUse use,
X509ChainStatusFlags flags,
SignatureDecision ingestionDecision,
SignatureDecision gracePeriodDecision,
SignatureDecision afterGracePeriodDecision)
{
// Arrange
var certificate = new EndCertificate {
Use = use
};
var result = new CertificateVerificationResult(
status: EndCertificateStatus.Invalid,
statusFlags: flags);
var signatureAtIngestion = new PackageSignature {
Status = PackageSignatureStatus.Unknown
};
var signatureAtGracePeriod = new PackageSignature {
Status = PackageSignatureStatus.InGracePeriod
};
var signatureAfterGracePeriod = new PackageSignature {
Status = PackageSignatureStatus.Valid
};
// Act & Assert
var decider = _target.MakeDeciderForInvalidatedCertificate(certificate, result);
Assert.Equal(ingestionDecision, decider(signatureAtIngestion));
Assert.Equal(gracePeriodDecision, decider(signatureAtGracePeriod));
Assert.Equal(afterGracePeriodDecision, decider(signatureAfterGracePeriod));
}
private static object[] InvalidCertificateInvalidatesSignaturesArguments(
EndCertificateUse use,
X509ChainStatusFlags flags,
SignatureDecision ingestionDecision,
SignatureDecision gracePeriodDecision,
SignatureDecision afterGracePeriodDecision)
{
return(new object[]
{
use,
flags,
ingestionDecision,
gracePeriodDecision,
afterGracePeriodDecision,
});
}
/// <summary>
/// Handle the decision on how to update the signature.
/// </summary>
/// <param name="signature">The signature that should be updated.</param>
/// <param name="decision">How the signature should be updated.</param>
/// <param name="certificate">The certificate that signature depends on that changed the signature's state.</param>
/// <param name="certificateVerificationResult">The certificate verification that changed the signature's state.</param>
private void HandleSignatureDecision(
PackageSignature signature,
SignatureDecision decision,
EndCertificate certificate,
CertificateVerificationResult certificateVerificationResult)
{
switch (decision)
{
case SignatureDecision.Ignore:
_logger.LogInformation(
"Signature {SignatureKey} is not affected by certificate verification result: {CertificateVerificationResult}",
signature.Key,
certificateVerificationResult);
break;
case SignatureDecision.Warn:
_logger.LogWarning(
"Invalidating signature {SignatureKey} due to certificate verification result: {CertificateVerificationResult}",
signature.Key,
certificateVerificationResult);
InvalidateSignature(signature, certificate);
_telemetryService.TrackPackageSignatureMayBeInvalidatedEvent(signature);
break;
case SignatureDecision.Reject:
_logger.LogWarning(
"Rejecting signature {SignatureKey} due to certificate verification result: {CertificateVerificationResult}",
signature.Key,
certificateVerificationResult);
InvalidateSignature(signature, certificate);
_telemetryService.TrackPackageSignatureShouldBeInvalidatedEvent(signature);
break;
default:
throw new InvalidOperationException(
$"Unknown signature decision '{decision}' for certificate verification result: {certificateVerificationResult}");
}
}
public void RevokedCodeSigningCertificateWithRevocationDateInvalidatesSignatures(
TimeSpan signatureTimeDeltaToRevocationTime,
SignatureDecision ingestionDecision,
SignatureDecision gracePeriodDecision,
SignatureDecision afterGracePeriodDecision)
{
// Arrange - only signatures that were created after the revocation date should
// be rejected.
var revocationTime = DateTime.UtcNow;
var certificate = new EndCertificate {
Use = EndCertificateUse.CodeSigning
};
var timestamp = new TrustedTimestamp {
Value = revocationTime + signatureTimeDeltaToRevocationTime, Status = TrustedTimestampStatus.Valid
};
var result = new CertificateVerificationResult(
status: EndCertificateStatus.Revoked,
statusFlags: X509ChainStatusFlags.Revoked,
revocationTime: revocationTime);
var signatureAtIngestion = new PackageSignature {
Status = PackageSignatureStatus.Unknown
};
var signatureAtGracePeriod = new PackageSignature {
Status = PackageSignatureStatus.InGracePeriod
};
var signatureAfterGracePeriod = new PackageSignature {
Status = PackageSignatureStatus.Valid
};
signatureAtIngestion.TrustedTimestamps = new[] { timestamp };
signatureAtGracePeriod.TrustedTimestamps = new[] { timestamp };
signatureAfterGracePeriod.TrustedTimestamps = new[] { timestamp };
// Act & Assert
var decider = _target.MakeDeciderForRevokedCertificate(certificate, result);
Assert.Equal(ingestionDecision, decider(signatureAtIngestion));
Assert.Equal(gracePeriodDecision, decider(signatureAtGracePeriod));
Assert.Equal(afterGracePeriodDecision, decider(signatureAfterGracePeriod));
}
