public async Task GetTimestamp_WhenRevocationInformationUnavailable_Success() { var testServer = await _testFixture.GetSigningTestServerAsync(); var ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync(); var ca2 = ca.CreateIntermediateCertificateAuthority(); var timestampService = TimestampService.Create(ca2); // Only register the AIA responder. Do not register the OCSP responder. using (testServer.RegisterResponder(ca2)) { VerifyTimestampData( testServer, timestampService, (timestampProvider, request) => { var logger = new TestLogger(); var timestamp = timestampProvider.GetTimestamp(request, logger, CancellationToken.None); Assert.NotNull(timestamp); Assert.Equal(0, logger.Errors); Assert.Equal(2, logger.Warnings); AssertOfflineRevocation(logger.LogMessages, LogLevel.Warning); AssertRevocationStatusUnknown(logger.LogMessages, LogLevel.Warning); }); } }
public async Task VerifyAsync_WithRevokedCountersignatureCertificate_ReturnsSuspect() { var testServer = await _fixture.GetSigningTestServerAsync(); var certificateAuthority = await _fixture.GetDefaultTrustedCertificateAuthorityAsync(); var issueCertificateOptions = IssueCertificateOptions.CreateDefaultForEndCertificate(); var bcCertificate = certificateAuthority.IssueCertificate(issueCertificateOptions); var timestampService = await _fixture.GetDefaultTrustedTimestampServiceAsync(); using (var certificate = new X509Certificate2(bcCertificate.GetEncoded())) { certificate.PrivateKey = DotNetUtilities.ToRSA(issueCertificateOptions.KeyPair.Private as RsaPrivateCrtKeyParameters); using (var test = await Test.CreateAuthorSignedRepositoryCountersignedPackageAsync( _fixture.TrustedTestCertificate.Source.Cert, certificate, timestampService.Url, timestampService.Url)) using (var packageReader = new PackageArchiveReader(test.PackageFile.FullName)) { await certificateAuthority.OcspResponder.WaitForResponseExpirationAsync(bcCertificate); certificateAuthority.Revoke( bcCertificate, RevocationReason.KeyCompromise, DateTimeOffset.UtcNow.AddHours(-1)); var status = await _verifier.VerifyAsync(packageReader, CancellationToken.None); Assert.Equal(SignatureVerificationStatus.Suspect, status); } } }
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync() { ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync(); CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync(); var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null); var serviceOptions = new TimestampServiceOptions() { Accuracy = accuracy }; TimestampService timestampService = TimestampService.Create(ca, serviceOptions); AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048); DateTimeOffset now = DateTimeOffset.UtcNow; var issueOptions = new IssueCertificateOptions() { KeyPair = keyPair, NotAfter = now.AddSeconds(10), NotBefore = now.AddSeconds(-2), SubjectName = new X509Name("CN=NuGet Test Expired Certificate") }; BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions); using (testServer.RegisterResponder(timestampService)) using (TestDirectory directory = TestDirectory.Create()) using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair)) { var packageContext = new SimpleTestPackageContext(); string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync( certificate, packageContext, directory, timestampService.Url); await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate); var verifier = new PackageSignatureVerifier(_trustProviders); using (var packageReader = new PackageArchiveReader(signedPackagePath)) { VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None); PackageVerificationResult result = results.Results.Single(); Assert.False(results.IsValid); Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust); Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error)); Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning)); Assert.Contains(result.Issues, issue => issue.Code == NuGetLogCode.NU3037 && issue.Level == LogLevel.Error && issue.Message.Contains("validity period has expired.")); } } }
public async Task TimestampData_WhenTimestampSigningCertificateRevoked_Throws() { var testServer = await _testFixture.GetSigningTestServerAsync(); var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync(); var timestampService = TimestampService.Create(certificateAuthority); certificateAuthority.Revoke(timestampService.Certificate, CrlReason.KeyCompromise, DateTimeOffset.UtcNow); using (testServer.RegisterResponder(timestampService)) { var logger = new TestLogger(); var timestampProvider = new Rfc3161TimestampProvider(timestampService.Url); var data = "Test data to be signed and timestamped"; using (var authorCert = new X509Certificate2(_trustedTestCert.Source.Cert)) { var signedCms = SigningTestUtility.GenerateSignedCms(authorCert, Encoding.ASCII.GetBytes(data)); var signatureValue = signedCms.Encode(); var request = new TimestampRequest { SigningSpec = SigningSpecifications.V1, TimestampHashAlgorithm = Common.HashAlgorithmName.SHA256, SignatureValue = signatureValue }; var exception = Assert.Throws <TimestampException>( () => timestampProvider.TimestampData(request, logger, CancellationToken.None)); Assert.Equal( "The timestamp service's certificate chain could not be built: The certificate is revoked.", exception.Message); } } }