public void InvalidCertificateInvalidatesSignatures( EndCertificateUse use, X509ChainStatusFlags flags, SignatureDecision ingestionDecision, SignatureDecision gracePeriodDecision, SignatureDecision afterGracePeriodDecision) { // Arrange var certificate = new EndCertificate { Use = use }; var result = new CertificateVerificationResult( status: EndCertificateStatus.Invalid, statusFlags: flags); var signatureAtIngestion = new PackageSignature { Status = PackageSignatureStatus.Unknown }; var signatureAtGracePeriod = new PackageSignature { Status = PackageSignatureStatus.InGracePeriod }; var signatureAfterGracePeriod = new PackageSignature { Status = PackageSignatureStatus.Valid }; // Act & Assert var decider = _target.MakeDeciderForInvalidatedCertificate(certificate, result); Assert.Equal(ingestionDecision, decider(signatureAtIngestion)); Assert.Equal(gracePeriodDecision, decider(signatureAtGracePeriod)); Assert.Equal(afterGracePeriodDecision, decider(signatureAfterGracePeriod)); }
private static object[] InvalidCertificateInvalidatesSignaturesArguments( EndCertificateUse use, X509ChainStatusFlags flags, SignatureDecision ingestionDecision, SignatureDecision gracePeriodDecision, SignatureDecision afterGracePeriodDecision) { return(new object[] { use, flags, ingestionDecision, gracePeriodDecision, afterGracePeriodDecision, }); }
/// <summary> /// Handle the decision on how to update the signature. /// </summary> /// <param name="signature">The signature that should be updated.</param> /// <param name="decision">How the signature should be updated.</param> /// <param name="certificate">The certificate that signature depends on that changed the signature's state.</param> /// <param name="certificateVerificationResult">The certificate verification that changed the signature's state.</param> private void HandleSignatureDecision( PackageSignature signature, SignatureDecision decision, EndCertificate certificate, CertificateVerificationResult certificateVerificationResult) { switch (decision) { case SignatureDecision.Ignore: _logger.LogInformation( "Signature {SignatureKey} is not affected by certificate verification result: {CertificateVerificationResult}", signature.Key, certificateVerificationResult); break; case SignatureDecision.Warn: _logger.LogWarning( "Invalidating signature {SignatureKey} due to certificate verification result: {CertificateVerificationResult}", signature.Key, certificateVerificationResult); InvalidateSignature(signature, certificate); _telemetryService.TrackPackageSignatureMayBeInvalidatedEvent(signature); break; case SignatureDecision.Reject: _logger.LogWarning( "Rejecting signature {SignatureKey} due to certificate verification result: {CertificateVerificationResult}", signature.Key, certificateVerificationResult); InvalidateSignature(signature, certificate); _telemetryService.TrackPackageSignatureShouldBeInvalidatedEvent(signature); break; default: throw new InvalidOperationException( $"Unknown signature decision '{decision}' for certificate verification result: {certificateVerificationResult}"); } }
public void RevokedCodeSigningCertificateWithRevocationDateInvalidatesSignatures( TimeSpan signatureTimeDeltaToRevocationTime, SignatureDecision ingestionDecision, SignatureDecision gracePeriodDecision, SignatureDecision afterGracePeriodDecision) { // Arrange - only signatures that were created after the revocation date should // be rejected. var revocationTime = DateTime.UtcNow; var certificate = new EndCertificate { Use = EndCertificateUse.CodeSigning }; var timestamp = new TrustedTimestamp { Value = revocationTime + signatureTimeDeltaToRevocationTime, Status = TrustedTimestampStatus.Valid }; var result = new CertificateVerificationResult( status: EndCertificateStatus.Revoked, statusFlags: X509ChainStatusFlags.Revoked, revocationTime: revocationTime); var signatureAtIngestion = new PackageSignature { Status = PackageSignatureStatus.Unknown }; var signatureAtGracePeriod = new PackageSignature { Status = PackageSignatureStatus.InGracePeriod }; var signatureAfterGracePeriod = new PackageSignature { Status = PackageSignatureStatus.Valid }; signatureAtIngestion.TrustedTimestamps = new[] { timestamp }; signatureAtGracePeriod.TrustedTimestamps = new[] { timestamp }; signatureAfterGracePeriod.TrustedTimestamps = new[] { timestamp }; // Act & Assert var decider = _target.MakeDeciderForRevokedCertificate(certificate, result); Assert.Equal(ingestionDecision, decider(signatureAtIngestion)); Assert.Equal(gracePeriodDecision, decider(signatureAtGracePeriod)); Assert.Equal(afterGracePeriodDecision, decider(signatureAfterGracePeriod)); }