public async Task VerifySignaturesAsync_ValidCertificateAndTimestamp_Success()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
testCertificate,
nupkg,
dir,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders, SignedPackageVerifierSettings.VerifyCommandDefaultPolicy);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task VerifySignaturesAsync_ValidCertificateAndTimestampWithDifferentHashAlgorithms_Success()
{
var packageContext = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var request = new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA512, HashAlgorithmName.SHA256);
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url,
request);
var verifier = new PackageSignatureVerifier(_trustProviders, SignedPackageVerifierSettings.VerifyCommandDefaultPolicy);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task GetTrustResultAsync_WithInvalidSignature_Throws()
{
var package = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var directory = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageFilePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
testCertificate,
package,
directory,
timestampService.Url);
using (var packageReader = new PackageArchiveReader(packageFilePath))
{
var signature = await packageReader.GetSignatureAsync(CancellationToken.None);
var invalidSignature = SignedArchiveTestUtility.GenerateInvalidSignature(signature);
var provider = new SignatureTrustAndValidityVerificationProvider();
var result = await provider.GetTrustResultAsync(
packageReader,
invalidSignature,
SignedPackageVerifierSettings.Default,
CancellationToken.None);
var issue = result.Issues.FirstOrDefault(log => log.Code == NuGetLogCode.NU3012);
Assert.NotNull(issue);
Assert.Equal("Primary signature validation failed.", issue.Message);
}
}
}
public async Task Signature_HasTimestamp()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var dir = TestDirectory.Create())
{
// Act
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
_trustedTestCert.Source.Cert,
nupkg,
dir,
timestampService.Url);
// Assert
using (var stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
var signature = await reader.GetSignatureAsync(CancellationToken.None);
signature.Should().NotBeNull();
signature.Timestamps.Should().NotBeEmpty();
}
}
}
public async Task GetTrustResultAsync_WithNoSigningCertificate_Throws()
{
var package = new SimpleTestPackageContext();
using (var directory = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var packageFilePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(testCertificate, package, directory);
using (var packageReader = new PackageArchiveReader(packageFilePath))
{
var signature = (await packageReader.GetSignaturesAsync(CancellationToken.None)).Single();
var signatureWithNoCertificates = GenerateSignatureWithNoCertificates(signature);
var provider = new SignatureTrustAndValidityVerificationProvider();
var result = await provider.GetTrustResultAsync(
packageReader,
signatureWithNoCertificates,
SignedPackageVerifierSettings.Default,
CancellationToken.None);
var issue = result.Issues.FirstOrDefault(log => log.Code == NuGetLogCode.NU3010);
Assert.NotNull(issue);
Assert.Equal("The primary signature does not have a signing certificate.", issue.Message);
}
}
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_Success()
{
var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
var bcCertificate = ca.IssueCertificate(issueOptions);
using (var certificate = new X509Certificate2(bcCertificate.GetEncoded()))
using (var directory = TestDirectory.Create())
{
certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
var packageContext = new SimpleTestPackageContext();
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
var notAfter = certificate.NotAfter.ToUniversalTime();
var waitDuration = (notAfter - DateTimeOffset.UtcNow).Add(TimeSpan.FromSeconds(1));
// Wait for the certificate to expire. Trust of the signature will require a valid timestamp.
await Task.Delay(waitDuration);
Assert.True(DateTime.UtcNow > notAfter);
var verifier = new PackageSignatureVerifier(_trustProviders, SignedPackageVerifierSettings.VerifyCommandDefaultPolicy);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var trustProvider = result.Results.Single();
Assert.True(result.Valid);
Assert.Equal(SignatureVerificationStatus.Trusted, trustProvider.Trust);
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
}
}
}
public async Task Signature_HasTimestamp()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var testLogger = new TestLogger();
using (var dir = TestDirectory.Create())
{
// Act
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(_trustedTestCert.Source.Cert, nupkg, dir);
// Assert
using (var stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
var signatures = await reader.GetSignaturesAsync(CancellationToken.None);
signatures.Count.Should().Be(1);
var signature = signatures[0];
signature.Timestamps.Should().NotBeEmpty();
}
}
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_Fails()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
var serviceOptions = new TimestampServiceOptions()
{
Accuracy = accuracy
};
var timestampService = TimestampService.Create(ca, serviceOptions);
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
var bcCertificate = ca.IssueCertificate(issueOptions);
using (testServer.RegisterResponder(timestampService))
using (var certificate = new X509Certificate2(bcCertificate.GetEncoded()))
using (var directory = TestDirectory.Create())
{
certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
var packageContext = new SimpleTestPackageContext();
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
var waitDuration = (issueOptions.NotAfter - DateTimeOffset.UtcNow).Add(TimeSpan.FromSeconds(1));
// Wait for the certificate to expire. Trust of the signature will require a valid timestamp.
if (waitDuration > TimeSpan.Zero)
{
await Task.Delay(waitDuration);
}
Assert.True(DateTime.UtcNow > issueOptions.NotAfter);
var verifier = new PackageSignatureVerifier(_trustProviders, SignedPackageVerifierSettings.VerifyCommandDefaultPolicy);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
var results = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var result = results.Results.Single();
Assert.False(results.Valid);
Assert.Equal(SignatureVerificationStatus.Untrusted, result.Trust);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));
Assert.Contains(result.Issues, issue =>
issue.Code == NuGetLogCode.NU3011 &&
issue.Level == LogLevel.Error &&
issue.Message == "The primary signature validity period has expired.");
}
}
}
