/// <summary>
/// Runs the signing-certificate policy checks and records every failure in <paramref name="issues"/>.
/// </summary>
/// <param name="certificate">The signing certificate to evaluate. Not null-checked in this method.</param>
/// <param name="treatIssuesAsErrors">Forwarded unchanged to <c>SignatureLog.Issue</c>; it does not influence the return value.</param>
/// <param name="issues">Receives one entry per failed check. Not null-checked in this method.</param>
/// <returns><c>true</c> only when all four checks pass; otherwise <c>false</c>.</returns>
/// <remarks>
/// All four checks are always evaluated, so a certificate with several problems yields several entries.
/// The result is <c>false</c> on any failure even when <paramref name="treatIssuesAsErrors"/> is <c>false</c>,
/// so callers should gate on the return value rather than on how the entries were logged.
/// No chain building or revocation check is performed in this method.
/// </remarks>
internal static bool IsSigningCertificateValid(X509Certificate2 certificate, bool treatIssuesAsErrors, List<SignatureLog> issues)
{
    // Each check is followed immediately by its log entry so the entries in `issues`
    // appear in the same order as the checks.

    // NU3013: the certificate's signature algorithm is not accepted by CertificateUtility.
    var algorithmSupported = CertificateUtility.IsSignatureAlgorithmSupported(certificate);
    if (!algorithmSupported)
    {
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3013, Strings.SigningCertificateHasUnsupportedSignatureAlgorithm));
    }

    // NU3014: the public key fails CertificateUtility's validity (key length) requirement.
    var publicKeyValid = CertificateUtility.IsCertificatePublicKeyValid(certificate);
    if (!publicKeyValid)
    {
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3014, Strings.SigningCertificateFailsPublicKeyLengthRequirement));
    }

    // NU3015: a lifetime-signing EKU normally ties a signature's validity to the certificate's
    // own lifetime, which a timestamp cannot extend; presumably that is why it is rejected here.
    var hasLifetimeSigningEku = CertificateUtility.HasExtendedKeyUsage(certificate, Oids.LifetimeSigningEku);
    if (hasLifetimeSigningEku)
    {
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3015, Strings.ErrorCertificateHasLifetimeSigningEKU));
    }

    // NU3017: the certificate's validity period has not started yet.
    var notYetValid = CertificateUtility.IsCertificateValidityPeriodInTheFuture(certificate);
    if (notYetValid)
    {
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3017, Strings.SignatureNotYetValid));
    }

    return algorithmSupported && publicKeyValid && !hasLifetimeSigningEku && !notYetValid;
}
/// <summary>
/// Checks that the certificate in a signing request is acceptable for signing, then asks the
/// request to build its signing certificate chain.
/// </summary>
/// <param name="request">The signing request whose <c>Certificate</c> is checked.</param>
/// <param name="logger">Logger handed to <c>BuildSigningCertificateChainOnce</c>.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="request"/> or <paramref name="logger"/> is <c>null</c>.
/// </exception>
/// <exception cref="SignatureException">
/// The certificate fails one of the checks (NU3013, NU3014, NU3015 or NU3017). Only the first
/// failing check is reported.
/// </exception>
/// <remarks>
/// This method fails closed: the chain is built only after every certificate check has passed.
/// <c>request.Certificate</c> itself is not null-checked here. What chain policy is enforced
/// is decided inside <c>BuildSigningCertificateChainOnce</c> and is not visible from this method.
/// </remarks>
public static void Verify(SignPackageRequest request, ILogger logger)
{
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    if (logger == null)
    {
        throw new ArgumentNullException(nameof(logger));
    }

    NuGetLogCode failureCode;
    string failureMessage;

    // The checks run in a fixed order and stop at the first failure.
    if (!CertificateUtility.IsSignatureAlgorithmSupported(request.Certificate))
    {
        failureCode = NuGetLogCode.NU3013;
        failureMessage = Strings.SigningCertificateHasUnsupportedSignatureAlgorithm;
    }
    else if (!CertificateUtility.IsCertificatePublicKeyValid(request.Certificate))
    {
        failureCode = NuGetLogCode.NU3014;
        failureMessage = Strings.SigningCertificateFailsPublicKeyLengthRequirement;
    }
    else if (CertificateUtility.HasExtendedKeyUsage(request.Certificate, Oids.LifetimeSigningEku))
    {
        failureCode = NuGetLogCode.NU3015;
        failureMessage = Strings.ErrorCertificateHasLifetimeSigningEKU;
    }
    else if (CertificateUtility.IsCertificateValidityPeriodInTheFuture(request.Certificate))
    {
        failureCode = NuGetLogCode.NU3017;
        failureMessage = Strings.SignatureNotYetValid;
    }
    else
    {
        // Every certificate check passed; only now is the chain built.
        request.BuildSigningCertificateChainOnce(logger);
        return;
    }

    throw new SignatureException(failureCode, failureMessage);
}
/// <summary>
/// Evaluates a signing certificate during verification and reports each failed check both as a
/// log entry in <paramref name="issues"/> and as a bit in the returned status flags.
/// </summary>
/// <param name="certificate">The signing certificate to evaluate.</param>
/// <param name="treatIssuesAsErrors">Forwarded unchanged to <c>SignatureLog.Issue</c>; it does not influence the returned flags.</param>
/// <param name="signatureFriendlyName">Inserted into each message via <c>string.Format</c>. Not null-checked.</param>
/// <param name="issues">Receives one entry per failed check.</param>
/// <returns>
/// <c>SignatureVerificationStatusFlags.NoErrors</c> when every check passes; otherwise the
/// combination of the flags for all failed checks.
/// </returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="certificate"/> or <paramref name="issues"/> is <c>null</c>.
/// </exception>
/// <remarks>
/// All four checks are always evaluated. A failure sets its flag even when
/// <paramref name="treatIssuesAsErrors"/> is <c>false</c>, so callers should decide trust from the
/// returned flags rather than from how the entries were logged. No chain building or revocation
/// check is performed in this method.
/// </remarks>
internal static SignatureVerificationStatusFlags ValidateSigningCertificate(X509Certificate2 certificate, bool treatIssuesAsErrors, string signatureFriendlyName, List<SignatureLog> issues)
{
    if (certificate == null)
    {
        throw new ArgumentNullException(nameof(certificate));
    }

    if (issues == null)
    {
        throw new ArgumentNullException(nameof(issues));
    }

    var status = SignatureVerificationStatusFlags.NoErrors;

    // NU3013: unsupported signature algorithm on the certificate.
    if (!CertificateUtility.IsSignatureAlgorithmSupported(certificate))
    {
        var message = string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_CertificateHasUnsupportedSignatureAlgorithm, signatureFriendlyName);
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3013, message));
        status = status | SignatureVerificationStatusFlags.SignatureAlgorithmUnsupported;
    }

    // NU3014: public key fails CertificateUtility's validity (key length) requirement.
    if (!CertificateUtility.IsCertificatePublicKeyValid(certificate))
    {
        var message = string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_CertificateFailsPublicKeyLengthRequirement, signatureFriendlyName);
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3014, message));
        status = status | SignatureVerificationStatusFlags.CertificatePublicKeyInvalid;
    }

    // NU3015: certificate carries the lifetime-signing EKU.
    if (CertificateUtility.HasExtendedKeyUsage(certificate, Oids.LifetimeSigningEku))
    {
        var message = string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_CertificateHasLifetimeSigningEKU, signatureFriendlyName);
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3015, message));
        status = status | SignatureVerificationStatusFlags.HasLifetimeSigningEku;
    }

    // NU3017: the certificate's validity period has not started yet.
    if (CertificateUtility.IsCertificateValidityPeriodInTheFuture(certificate))
    {
        var message = string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_CertificateNotYetValid, signatureFriendlyName);
        issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3017, message));
        status = status | SignatureVerificationStatusFlags.CertificateValidityInTheFuture;
    }

    return status;
}