public async Task GetTimestamp_WhenRevocationInformationUnavailable_Success()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var ca2 = ca.CreateIntermediateCertificateAuthority();
var timestampService = TimestampService.Create(ca2);
// Only register the AIA responder. Do not register the OCSP responder.
using (testServer.RegisterResponder(ca2))
{
VerifyTimestampData(
testServer,
timestampService,
(timestampProvider, request) =>
{
var logger = new TestLogger();
var timestamp = timestampProvider.GetTimestamp(request, logger, CancellationToken.None);
Assert.NotNull(timestamp);
Assert.Equal(0, logger.Errors);
Assert.Equal(2, logger.Warnings);
AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning);
AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning);
});
}
}
public async Task VerifyAsync_WithRevokedCountersignatureCertificate_ReturnsSuspect()
{
var testServer = await _fixture.GetSigningTestServerAsync();
var certificateAuthority = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var issueCertificateOptions = IssueCertificateOptions.CreateDefaultForEndCertificate();
var bcCertificate = certificateAuthority.IssueCertificate(issueCertificateOptions);
var timestampService = await _fixture.GetDefaultTrustedTimestampServiceAsync();
using (var certificate = new X509Certificate2(bcCertificate.GetEncoded()))
{
certificate.PrivateKey = DotNetUtilities.ToRSA(issueCertificateOptions.KeyPair.Private as RsaPrivateCrtKeyParameters);
using (var test = await Test.CreateAuthorSignedRepositoryCountersignedPackageAsync(
_fixture.TrustedTestCertificate.Source.Cert,
certificate,
timestampService.Url,
timestampService.Url))
using (var packageReader = new PackageArchiveReader(test.PackageFile.FullName))
{
await certificateAuthority.OcspResponder.WaitForResponseExpirationAsync(bcCertificate);
certificateAuthority.Revoke(
bcCertificate,
RevocationReason.KeyCompromise,
DateTimeOffset.UtcNow.AddHours(-1));
var status = await _verifier.VerifyAsync(packageReader, CancellationToken.None);
Assert.Equal(SignatureVerificationStatus.Suspect, status);
}
}
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_SuccessAsync()
{
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult trustProvider = result.Results.Single();
Assert.True(result.IsValid);
Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
}
}
}
public async Task TimestampData_WhenTimestampSigningCertificateRevoked_Throws()
{
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var timestampService = TimestampService.Create(certificateAuthority);
certificateAuthority.Revoke(timestampService.Certificate, CrlReason.KeyCompromise, DateTimeOffset.UtcNow);
using (testServer.RegisterResponder(timestampService))
{
var logger = new TestLogger();
var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url);
var data = "Test data to be signed and timestamped";
using (var authorCert = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedCms = SigningTestUtility.GenerateSignedCms(authorCert, Encoding.ASCII.GetBytes(data));
var signatureValue = signedCms.Encode();
var request = new TimestampRequest
{
SigningSpec = SigningSpecifications.V1,
TimestampHashAlgorithm = Common.HashAlgorithmName.SHA256,
SignatureValue = signatureValue
};
var exception = Assert.Throws <TimestampException>(
() => timestampProvider.TimestampData(request, logger, CancellationToken.None));
Assert.Equal(
"The timestamp service's certificate chain could not be built: The certificate is revoked.",
exception.Message);
}
}
}
