private static async Task <MemoryStream> CreateSignedPackageAsync(
X509Certificate2 certificate,
Stream unsignedPackage = null)
{
if (unsignedPackage == null)
{
var packageContext = new SimpleTestPackageContext();
unsignedPackage = packageContext.CreateAsStream();
}
var signatureProvider = new X509SignatureProvider(timestampProvider: null);
var overwrite = true;
using (var request = new AuthorSignPackageRequest(certificate, HashAlgorithmName.SHA256))
using (var outputPackageStream = new MemoryStream())
using (var options = new SigningOptions(
new Lazy <Stream>(() => unsignedPackage),
new Lazy <Stream>(() => outputPackageStream),
overwrite,
signatureProvider,
NullLogger.Instance))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
var isSigned = await SignedArchiveTestUtility.IsSignedAsync(options.OutputPackageStream);
Assert.True(isSigned);
return(new MemoryStream(outputPackageStream.ToArray()));
}
}
public async Task SignAsync_WhenRepositoryCountersigningRepositorySignedPackage_ThrowsAsync()
{
using (var test = await Test.CreateAsync(_testFixture.TrustedTestCertificate.Source.Cert))
{
await SigningUtility.SignAsync(test.Options, test.RepositoryRequest, CancellationToken.None);
using (var package = new PackageArchiveReader(test.Options.OutputPackageStream))
{
var primarySignature = await package.GetPrimarySignatureAsync(CancellationToken.None);
Assert.IsType <RepositoryPrimarySignature>(primarySignature);
}
using (var countersignatureOptions = SigningOptions.CreateFromFilePaths(
test.OutputFile.FullName,
test.GetNewTempFilePath(),
overwrite: false,
signatureProvider: new X509SignatureProvider(timestampProvider: null),
logger: NullLogger.Instance))
{
var exception = await Assert.ThrowsAsync <SignatureException>(
() => SigningUtility.SignAsync(countersignatureOptions, test.RepositoryRequest, CancellationToken.None));
Assert.Equal(NuGetLogCode.NU3033, exception.Code);
Assert.Contains("A repository primary signature must not have a repository countersignature", exception.Message);
}
}
}
public async Task SignAsync_WhenRepositoryCountersigningPrimarySignature_SucceedsAsync()
{
using (var test = await Test.CreateAsync(_testFixture.TrustedTestCertificate.Source.Cert))
{
await SigningUtility.SignAsync(test.Options, test.AuthorRequest, CancellationToken.None);
using (var package = new PackageArchiveReader(test.Options.OutputPackageStream))
{
var primarySignature = await package.GetPrimarySignatureAsync(CancellationToken.None);
Assert.IsType <AuthorPrimarySignature>(primarySignature);
}
using (var countersignatureOptions = SigningOptions.CreateFromFilePaths(
test.OutputFile.FullName,
test.GetNewTempFilePath(),
overwrite: false,
signatureProvider: new X509SignatureProvider(timestampProvider: null),
logger: NullLogger.Instance))
{
await SigningUtility.SignAsync(countersignatureOptions, test.RepositoryRequest, CancellationToken.None);
var isRepositoryCountersigned = await SignedArchiveTestUtility.IsRepositoryCountersignedAsync(countersignatureOptions.OutputPackageStream);
Assert.True(isRepositoryCountersigned);
}
}
}
public TransactionSignature Sign(Key key, SigningOptions signingOptions)
{
if (this.IsFinalized())
{
return(null);
}
signingOptions ??= new SigningOptions();
CheckCompatibleSigHash(signingOptions.SigHash);
if (PartialSigs.ContainsKey(key.PubKey))
{
var signature = PartialSigs[key.PubKey];
if (signingOptions.SigHash != signature.SigHash)
{
throw new InvalidOperationException("A signature with a different sighash is already in the partial sigs");
}
return(signature);
}
AssertSanity();
var coin = GetSignableCoin();
if (coin == null)
{
return(null);
}
var builder = Parent.CreateTransactionBuilder();
builder.AddCoins(coin);
builder.AddKeys(key);
if (builder.TrySignInput(Transaction, Index, signingOptions, out var signature2))
{
this.PartialSigs.TryAdd(key.PubKey, signature2);
}
return(signature2);
}
public void CreateFromFilePaths_WithValidInput_InitializesProperties()
{
using (var directory = TestDirectory.Create())
{
var inputPackageFilePath = Path.Combine(directory, "a");
var outputPackageFilePath = Path.Combine(directory, "b");
var overwrite = false;
var signatureProvider = Mock.Of <ISignatureProvider>();
var logger = Mock.Of <ILogger>();
File.WriteAllBytes(inputPackageFilePath, Array.Empty <byte>());
using (var options = SigningOptions.CreateFromFilePaths(
inputPackageFilePath,
outputPackageFilePath,
overwrite,
signatureProvider,
logger))
{
Assert.NotNull(options.InputPackageStream);
Assert.NotNull(options.OutputPackageStream);
Assert.Equal(overwrite, options.Overwrite);
Assert.Same(signatureProvider, options.SignatureProvider);
Assert.Same(logger, options.Logger);
}
}
}
public async Task <bool> SignAsync(string packagePath, string outputPath, string timestampUrl, Uri v3ServiceIndex, IReadOnlyList <string> packageOwners,
SignatureType signatureType, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm,
bool overwrite, X509Certificate2 publicCertificate, System.Security.Cryptography.RSA rsa, CancellationToken cancellationToken = default)
{
var packagesToSign = LocalFolderUtility.ResolvePackageFromPath(packagePath);
var signatureProvider = new KeyVaultSignatureProvider(rsa, new Rfc3161TimestampProvider(new Uri(timestampUrl)));
SignPackageRequest request = null;
if (signatureType == SignatureType.Author)
{
request = new AuthorSignPackageRequest(publicCertificate, signatureHashAlgorithm, timestampHashAlgorithm);
}
else if (signatureType == SignatureType.Repository)
{
request = new RepositorySignPackageRequest(publicCertificate, signatureHashAlgorithm, timestampHashAlgorithm, v3ServiceIndex, packageOwners);
}
else
{
throw new ArgumentOutOfRangeException(nameof(signatureType));
}
string originalPackageCopyPath = null;
foreach (var package in packagesToSign)
{
cancellationToken.ThrowIfCancellationRequested();
logger.LogInformation($"{nameof(SignAsync)} [{package}]: Begin Signing {Path.GetFileName(package)}");
try
{
originalPackageCopyPath = CopyPackage(package);
using var options = SigningOptions.CreateFromFilePaths(originalPackageCopyPath, outputPath, overwrite, signatureProvider, new NuGetLogger(logger, package));
await SigningUtility.SignAsync(options, request, cancellationToken);
}
catch (Exception e)
{
logger.LogError(e, e.Message);
return(false);
}
finally
{
try
{
FileUtility.Delete(originalPackageCopyPath);
}
catch
{
}
logger.LogInformation($"{nameof(SignAsync)} [{package}]: End Signing {Path.GetFileName(package)}");
}
}
return(true);
}
private SignTest(SignPackageRequest request,
TestDirectory directory,
SigningOptions options,
TestLogger logger)
{
Request = request;
Options = options;
Logger = logger;
_directory = directory;
}
public TransactionSignature Sign(uint256 hash, SigningOptions signingOptions)
{
if (hash == null)
{
throw new ArgumentNullException(nameof(hash));
}
AssertNotDisposed();
signingOptions ??= new SigningOptions();
return(new TransactionSignature(Sign(hash, signingOptions.EnforceLowR), signingOptions.SigHash));
}
public void CreateFromFilePaths_WhenLoggerIsNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => SigningOptions.CreateFromFilePaths(
inputPackageFilePath: Path.Combine(Path.GetTempPath(), "a"),
outputPackageFilePath: Path.Combine(Path.GetTempPath(), "b"),
overwrite: true,
signatureProvider: Mock.Of <ISignatureProvider>(),
logger: null));
Assert.Equal("logger", exception.ParamName);
}
public void CreateFromFilePaths_WhenInputPackageFilePathAndOutputPackageFilePathAreEquivalent_Throws()
{
var exception = Assert.Throws <ArgumentException>(
() => SigningOptions.CreateFromFilePaths(
inputPackageFilePath: Path.Combine(Path.GetTempPath(), "file"),
outputPackageFilePath: Path.Combine(Path.GetTempPath(), "FILE"),
overwrite: true,
signatureProvider: Mock.Of <ISignatureProvider>(),
logger: Mock.Of <ILogger>()));
Assert.Equal("inputPackageFilePath and outputPackageFilePath should be different. Package signing cannot be done in place.", exception.Message);
}
public void CreateFromFilePaths_WhenOutputPackageFilePathIsNullOrEmpty_Throws(string outputPackageFilePath)
{
var exception = Assert.Throws <ArgumentException>(
() => SigningOptions.CreateFromFilePaths(
inputPackageFilePath: "a",
outputPackageFilePath: outputPackageFilePath,
overwrite: true,
signatureProvider: Mock.Of <ISignatureProvider>(),
logger: Mock.Of <ILogger>()));
Assert.Equal("outputPackageFilePath", exception.ParamName);
}
public static async Task CreateSignedPackageAsync(
SignPackageRequest request,
Stream packageReadStream,
Stream packageWriteStream)
{
using (var signedPackage = new SignedPackageArchive(packageReadStream, packageWriteStream))
using (var options = new SigningOptions(
new Lazy <Stream>(() => packageReadStream),
new Lazy <Stream>(() => packageWriteStream),
overwrite: false,
signatureProvider: new X509SignatureProvider(timestampProvider: null),
logger: NullLogger.Instance))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
}
}
public void Constructor_WithValidInput_InitializesProperties()
{
var inputPackageStream = new Lazy <Stream>(() => Stream.Null);
var outputPackageStream = new Lazy <Stream>(() => Stream.Null);
var overwrite = true;
var signatureProvider = Mock.Of <ISignatureProvider>();
var logger = Mock.Of <ILogger>();
using (var options = new SigningOptions(inputPackageStream, outputPackageStream, overwrite, signatureProvider, logger))
{
Assert.Same(inputPackageStream.Value, options.InputPackageStream);
Assert.Same(outputPackageStream.Value, options.OutputPackageStream);
Assert.Equal(overwrite, options.Overwrite);
Assert.Same(signatureProvider, options.SignatureProvider);
Assert.Same(logger, options.Logger);
}
}
public void Dispose_DisposesStreams()
{
var inputPackageStream = new Lazy <Stream>(() => new MemoryStream());
var outputPackageStream = new Lazy <Stream>(() => new MemoryStream());
var overwrite = true;
var signatureProvider = Mock.Of <ISignatureProvider>();
var logger = Mock.Of <ILogger>();
using (var options = new SigningOptions(inputPackageStream, outputPackageStream, overwrite, signatureProvider, logger))
{
Assert.True(inputPackageStream.Value.CanWrite);
Assert.True(outputPackageStream.Value.CanWrite);
}
Assert.False(inputPackageStream.Value.CanWrite);
Assert.False(outputPackageStream.Value.CanWrite);
}
private Test(X509Certificate2 certificate, TestDirectory dir, FileInfo package)
{
_authorCertificate = new X509Certificate2(certificate);
_repositoryCertificate = new X509Certificate2(certificate);
_directory = dir;
var outputPath = GetNewTempFilePath();
OutputFile = new FileInfo(outputPath);
var signatureProvider = new X509SignatureProvider(timestampProvider: null);
AuthorRequest = new AuthorSignPackageRequest(_authorCertificate, HashAlgorithmName.SHA256);
RepositoryRequest = new RepositorySignPackageRequest(_repositoryCertificate, HashAlgorithmName.SHA256, HashAlgorithmName.SHA256, new Uri("https://test/api/index.json"), packageOwners: null);
var overwrite = true;
Options = SigningOptions.CreateFromFilePaths(package.FullName, outputPath, overwrite, signatureProvider, NullLogger.Instance);
}
public async Task SignAsync_WhenRepositoryCountersigningRepositoryCountersignedPackage_ThrowsAsync()
{
using (var test = await Test.CreateAsync(_testFixture.TrustedTestCertificate.Source.Cert))
{
await SigningUtility.SignAsync(test.Options, test.AuthorRequest, CancellationToken.None);
using (var package = new PackageArchiveReader(test.Options.OutputPackageStream))
{
var isSigned = await SignedArchiveTestUtility.IsSignedAsync(test.Options.OutputPackageStream);
Assert.True(isSigned);
}
var countersignedPackageOutputPath = test.GetNewTempFilePath();
using (var countersignatureOptions = SigningOptions.CreateFromFilePaths(
test.OutputFile.FullName,
countersignedPackageOutputPath,
overwrite: false,
signatureProvider: new X509SignatureProvider(timestampProvider: null),
logger: NullLogger.Instance))
{
await SigningUtility.SignAsync(countersignatureOptions, test.RepositoryRequest, CancellationToken.None);
var isRepositoryCountersigned = await SignedArchiveTestUtility.IsRepositoryCountersignedAsync(countersignatureOptions.OutputPackageStream);
Assert.True(isRepositoryCountersigned);
}
using (var countersignatureOptions = SigningOptions.CreateFromFilePaths(
countersignedPackageOutputPath,
test.GetNewTempFilePath(),
overwrite: false,
signatureProvider: new X509SignatureProvider(timestampProvider: null),
logger: NullLogger.Instance))
{
var exception = await Assert.ThrowsAsync <SignatureException>(
() => SigningUtility.SignAsync(countersignatureOptions, test.RepositoryRequest, CancellationToken.None));
Assert.Equal(NuGetLogCode.NU3032, exception.Code);
Assert.Contains("The package already contains a repository countersignature", exception.Message);
}
}
}
/// <summary>
/// Sign and timestamp a package for test purposes.
/// This method timestamps a package and should only be used with tests marked with [CIOnlyFact]
/// </summary>
private static async Task SignAndTimeStampPackageAsync(
TestLogger testLogger,
string inputPackagePath,
string outputPackagePath,
Uri timestampService,
AuthorSignPackageRequest request)
{
var testSignatureProvider = new X509SignatureProvider(new Rfc3161TimestampProvider(timestampService));
var overwrite = false;
using (var options = SigningOptions.CreateFromFilePaths(
inputPackagePath,
outputPackagePath,
overwrite,
testSignatureProvider,
testLogger))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
}
}
/// <summary>
/// Sign a package for test purposes.
/// This does not timestamp a signature and can be used outside corp network.
/// </summary>
private static async Task SignPackageAsync(TestLogger testLogger, X509Certificate2 certificate, string inputPackagePath, string outputPackagePath)
{
#if IS_DESKTOP
var testSignatureProvider = new X509SignatureProvider(timestampProvider: null);
using (var cert = new X509Certificate2(certificate))
using (var request = new AuthorSignPackageRequest(cert, HashAlgorithmName.SHA256))
{
const bool overwrite = false;
using (var options = SigningOptions.CreateFromFilePaths(
inputPackagePath,
outputPackagePath,
overwrite,
testSignatureProvider,
testLogger))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
}
}
#endif
}
public async Task <bool> SignAsync(string packagePath, string outputPath, string timestampUrl, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, bool overwrite, X509Certificate2 publicCertificate, System.Security.Cryptography.RSA rsa)
{
var fileName = Path.GetFileName(packagePath);
logger.LogInformation($"{nameof(SignAsync)} [{fileName}]: Begin Signing {packagePath}");
var signatureProvider = new KeyVaultSignatureProvider(rsa, new Rfc3161TimestampProvider(new Uri(timestampUrl)));
var request = new AuthorSignPackageRequest(publicCertificate, signatureHashAlgorithm, timestampHashAlgorithm);
string originalPackageCopyPath = null;
try
{
originalPackageCopyPath = CopyPackage(packagePath);
using (var options = SigningOptions.CreateFromFilePaths(originalPackageCopyPath, outputPath, overwrite, signatureProvider, new NuGetLogger(logger, fileName)))
{
await SigningUtility.SignAsync(options, request, CancellationToken.None);
}
}
catch (Exception e)
{
logger.LogError(e, e.Message);
return(false);
}
finally
{
try
{
FileUtility.Delete(originalPackageCopyPath);
}
catch
{
}
logger.LogInformation($"{nameof(SignAsync)} [{fileName}]: End Signing {packagePath}");
}
return(true);
}
internal static SignTest Create(
X509Certificate2 certificate,
HashAlgorithmName hashAlgorithm,
byte[] package = null,
ISignatureProvider signatureProvider = null)
{
var directory = TestDirectory.Create();
var signedPackageFile = new FileInfo(Path.Combine(directory, Guid.NewGuid().ToString()));
var outputPackageFile = new FileInfo(Path.Combine(directory, Guid.NewGuid().ToString()));
if (package == null)
{
File.WriteAllBytes(signedPackageFile.FullName, Array.Empty <byte>());
}
else
{
using (var fileStream = signedPackageFile.Create())
{
fileStream.Write(package, 0, package.Length);
}
}
signatureProvider = signatureProvider ?? Mock.Of <ISignatureProvider>();
var logger = new TestLogger();
var request = new AuthorSignPackageRequest(certificate, hashAlgorithm);
var overwrite = false;
var options = SigningOptions.CreateFromFilePaths(
signedPackageFile.FullName,
outputPackageFile.FullName,
overwrite,
signatureProvider,
logger);
return(new SignTest(
request,
directory,
options,
logger));
}
internal Test(X509Certificate2 certificate)
{
_directory = TestDirectory.Create();
_authorCertificate = new X509Certificate2(certificate);
_repositoryCertificate = new X509Certificate2(certificate);
var outputPath = GetNewTempFilePath();
OutputFile = new FileInfo(outputPath);
var packageContext = new SimpleTestPackageContext();
var packageFileName = Guid.NewGuid().ToString();
var package = packageContext.CreateAsFile(_directory, packageFileName);
var signatureProvider = new X509SignatureProvider(timestampProvider: null);
AuthorRequest = new AuthorSignPackageRequest(_authorCertificate, HashAlgorithmName.SHA256);
RepositoryRequest = new RepositorySignPackageRequest(_repositoryCertificate, HashAlgorithmName.SHA256, HashAlgorithmName.SHA256, new Uri("https://test/api/index.json"), packageOwners: null);
var overwrite = true;
Options = SigningOptions.CreateFromFilePaths(package.FullName, outputPath, overwrite, signatureProvider, NullLogger.Instance);
}
public void TrySign(IHDScriptPubKey accountHDScriptPubKey, IHDKey accountKey, RootedKeyPath accountKeyPath, SigningOptions signingOptions)
{
if (accountKey == null)
{
throw new ArgumentNullException(nameof(accountKey));
}
if (accountHDScriptPubKey == null)
{
throw new ArgumentNullException(nameof(accountHDScriptPubKey));
}
if (IsFinalized())
{
return;
}
var cache = accountKey.AsHDKeyCache();
accountHDScriptPubKey = accountHDScriptPubKey.AsHDKeyCache();
foreach (var hdk in this.HDKeysFor(accountHDScriptPubKey, cache, accountKeyPath))
{
if (((HDKeyCache)cache.Derive(hdk.AddressKeyPath)).Inner is ISecret k)
{
Sign(k.PrivateKey, signingOptions);
}
else
{
throw new ArgumentException(paramName: nameof(accountKey), message: "This should be a private key");
}
}
}
private static void ConfigureTokenValidationParameters(TokenValidationParameters validationParameters, JwtBearerTokenOptions tokenOptions, SigningOptions signingOptions)
{
validationParameters.IssuerSigningKey = signingOptions.SecurityKey;
validationParameters.ValidAudience = tokenOptions.Audience;
validationParameters.ValidIssuer = tokenOptions.Issuer;
validationParameters.ValidateIssuerSigningKey = true;
validationParameters.ValidateLifetime = true;
validationParameters.ClockSkew = TimeSpan.Zero;
}
/// <summary> Constructor. </summary>
/// <param name="options"> The settings service. </param>
/// <param name="dataService"> The data service. </param>
public SigningCredentialStore(SigningOptions options, IIdentityServerDataService dataService)
{
_signingOptions = options;
_dataService = dataService;
}
public async Task <int> ExecuteCommandAsync(
IEnumerable <string> packagesToSign,
SignPackageRequest signPackageRequest,
string timestamper,
ILogger logger,
string outputDirectory,
bool overwrite,
CancellationToken token)
{
var success = true;
try
{
SigningUtility.Verify(signPackageRequest, logger);
}
catch (Exception e)
{
success = false;
ExceptionUtilities.LogException(e, logger);
}
if (success)
{
var signatureProvider = GetSignatureProvider(timestamper);
foreach (var packagePath in packagesToSign)
{
// Set the output of the signing operation to a temp file because signing cannot be done in place.
var tempPackageFile = new FileInfo(Path.GetTempFileName());
try
{
string outputPath;
if (string.IsNullOrEmpty(outputDirectory))
{
outputPath = packagePath;
}
else
{
outputPath = Path.Combine(outputDirectory, Path.GetFileName(packagePath));
}
using (var options = SigningOptions.CreateFromFilePaths(
packagePath,
tempPackageFile.FullName,
overwrite,
signatureProvider,
logger))
{
await SigningUtility.SignAsync(options, signPackageRequest, token);
}
if (tempPackageFile.Length > 0)
{
FileUtility.Replace(tempPackageFile.FullName, outputPath);
}
else
{
throw new SignatureException(Strings.Error_UnableToSignPackage);
}
}
catch (Exception e)
{
success = false;
ExceptionUtilities.LogException(e, logger);
}
finally
{
FileUtility.Delete(tempPackageFile.FullName);
}
}
}
if (success)
{
logger.LogInformation(Strings.SignCommandSuccess);
}
return(success ? 0 : 1);
}
public IdServerOptions()
{
Signing = new SigningOptions();
}
public JwtBearerGenerator(IOptions <JwtBearerTokenOptions> jwtBearerTokenOptions, IOptions <SigningOptions> signingOptions)
{
_jwtBearerTokenOptions = jwtBearerTokenOptions.Value;
_signingOptions = signingOptions.Value;
}
