[PlatformFact(Platform.Windows, Platform.Linux)] // https://github.com/NuGet/Home/issues/8047
public void Verify_WhenChainBuildingFails_Throws()
{
using (var certificate = _fixture.GetExpiredCertificate())
using (var request = CreateRequest(certificate))
{
var logger = new TestLogger();
var exception = Assert.Throws <SignatureException>(
() => SigningUtility.Verify(request, logger));
Assert.Equal(NuGetLogCode.NU3018, exception.Code);
Assert.Equal("Certificate chain validation failed.", exception.Message);
Assert.Equal(1, logger.Errors);
if (RuntimeEnvironmentHelper.IsLinux)
{
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
}
else
{
Assert.Equal(1, logger.Warnings);
}
SigningTestUtility.AssertNotTimeValid(logger.LogMessages, LogLevel.Error);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
}
}
public void Verify_WithUntrustedSelfSignedCertificate_Succeeds()
{
using (var certificate = _fixture.GetDefaultCertificate())
using (var request = CreateRequest(certificate))
{
var logger = new TestLogger();
SigningUtility.Verify(request, logger);
Assert.Equal(0, logger.Errors);
#if (IS_DESKTOP || NETCORE5_0)
Assert.Equal(1, logger.Warnings);
#else
Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings);
#endif
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
#if !NETCORE5_0
if (RuntimeEnvironmentHelper.IsLinux)
{
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
}
#endif
}
}
public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var logger = new TestLogger();
using (var chain = CertificateChainUtility.GetCertificateChain(
certificate,
new X509Certificate2Collection(),
logger,
CertificateType.Signature))
{
Assert.Equal(1, chain.Count);
Assert.NotSame(certificate, chain[0]);
Assert.True(certificate.RawData.SequenceEqual(chain[0].RawData));
}
Assert.Equal(0, logger.Errors);
#if (IS_DESKTOP || NETCORE5_0)
Assert.Equal(1, logger.Warnings);
#else
Assert.Equal(RuntimeEnvironmentHelper.IsLinux ? 2 : 1, logger.Warnings);
#endif
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
#if !NETCORE5_0
if (RuntimeEnvironmentHelper.IsLinux)
{
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
}
#endif
}
}
public void GetCertificateChain_WithUntrustedRoot_Throws()
{
using (var chainHolder = new X509ChainHolder())
using (var rootCertificate = SigningTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SigningTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SigningTestUtility.GetCertificate("leaf.crt"))
{
var chain = chainHolder.Chain;
var extraStore = new X509Certificate2Collection()
{
rootCertificate, intermediateCertificate
};
var logger = new TestLogger();
var exception = Assert.Throws <SignatureException>(
() => CertificateChainUtility.GetCertificateChain(
leafCertificate,
extraStore,
logger,
CertificateType.Signature));
Assert.Equal(NuGetLogCode.NU3018, exception.Code);
Assert.Equal("Certificate chain validation failed.", exception.Message);
Assert.Equal(1, logger.Errors);
SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Error);
SigningTestUtility.AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
if (RuntimeEnvironmentHelper.IsWindows)
{
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
}
else if (RuntimeEnvironmentHelper.IsLinux)
{
#if NETCORE5_0
Assert.Equal(2, logger.Warnings);
SigningTestUtility.AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
#else
Assert.Equal(1, logger.Warnings);
#endif
}
else
{
Assert.Equal(1, logger.Warnings);
}
}
}
public async Task Timestamp_Verify_WithOfflineRevocation_ReturnsCorrectFlagsAndLogsAsync()
{
var nupkg = new SimpleTestPackageContext();
using (var testServer = await SigningTestServer.CreateAsync())
using (var responders = new DisposableList <IDisposable>())
using (var packageStream = await nupkg.CreateAsStreamAsync())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
CertificateAuthority rootCa = CertificateAuthority.Create(testServer.Url);
CertificateAuthority intermediateCa = rootCa.CreateIntermediateCertificateAuthority();
responders.Add(testServer.RegisterResponder(intermediateCa));
responders.Add(testServer.RegisterResponder(rootCa));
StoreLocation storeLocation = CertificateStoreUtilities.GetTrustedCertificateStoreLocation();
using (var trustedServerRoot = TrustedTestCert.Create(
new X509Certificate2(rootCa.Certificate.GetEncoded()),
StoreName.Root,
storeLocation))
{
var timestampService = TimestampService.Create(intermediateCa);
responders.Add(testServer.RegisterResponder(timestampService));
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
AuthorPrimarySignature signature = await SignedArchiveTestUtility.CreateAuthorSignatureForPackageAsync(testCertificate, packageStream, timestampProvider);
var timestamp = signature.Timestamps.First();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowUntrusted: false,
allowIllegal: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: false,
allowNoTimestamp: false,
allowUnknownRevocation: false,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Always,
revocationMode: RevocationMode.Online);
var logs = new List <SignatureLog>();
var result = timestamp.Verify(signature, settings, HashAlgorithmName.SHA256, logs);
result.HasFlag(SignatureVerificationStatusFlags.UnknownRevocation).Should().BeTrue();
var errors = logs.Where(l => l.Level == LogLevel.Error);
if (RuntimeEnvironmentHelper.IsMacOSX)
{
errors.Count().Should().Be(1);
}
else
{
errors.Count().Should().Be(2);
SigningTestUtility.AssertOfflineRevocationOnlineMode(errors, LogLevel.Error, NuGetLogCode.NU3028);
}
SigningTestUtility.AssertRevocationStatusUnknown(errors, LogLevel.Error, NuGetLogCode.NU3028);
}
}
}