Merge pull request #327 from NuGet/dev

[ReleasePrep][2018.02.05]RI of dev into master

Author: loic-sharma

src/NuGet.Jobs.Common/JobRunner.cs

@@ -8,6 +8,7 @@
 using System.Linq;
 using System.Net;
 using System.Threading.Tasks;
+using Microsoft.ApplicationInsights.Extensibility;
 using Microsoft.Extensions.Logging;
 using NuGet.Services.Logging;
 
@@ -98,6 +99,9 @@ public static async Task Run(JobBase job, string[] commandLineArgs)
             {
                 _logger.LogError("Job runner threw an exception: {Exception}", ex);
             }
+
+            Trace.Close();
+            TelemetryConfiguration.Active.TelemetryChannel.Flush();
         }
 
         private static ILoggerFactory ConfigureLogging(JobBase job)

src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj

@@ -106,7 +106,7 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Packaging">
-      <Version>4.7.0-preview1-4870</Version>
+      <Version>4.7.0-preview1-4886</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
       <Version>2.12.0</Version>

src/Validation.PackageSigning.ValidateCertificate/App.config

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
     <startup> 
-        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6"/>
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1"/>
     </startup>
 </configuration>

src/Validation.PackageSigning.ValidateCertificate/CertificateValidationService.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Security.Cryptography.X509Certificates;
 using NuGet.Services.Validation;
 
 namespace Validation.PackageSigning.ValidateCertificate
@@ -13,39 +14,166 @@ namespace Validation.PackageSigning.ValidateCertificate
     public class CertificateVerificationResult
     {
         /// <summary>
-        /// Create a new non-revoked certificate verification result.
+        /// Create a new verification result.
         /// </summary>
-        /// <param name="status">The status of the <see cref="X509Certificate2"/></param>
-        /// <param name="revocationTime">The time of </param>
-        public CertificateVerificationResult(EndCertificateStatus status)
+        /// <param name="status">The determined status of the verified certificate.</param>
+        /// <param name="statusFlags">The flags explaining the certificate's status.</param>
+        /// <param name="statusUpdateTime">The time the revocation info was published.</param>
+        /// <param name="revocationTime">The date the certificate was revoked, if applicable.</param>
+        public CertificateVerificationResult(
+            EndCertificateStatus status,
+            X509ChainStatusFlags statusFlags,
+            DateTime? statusUpdateTime = null,
+            DateTime? revocationTime = null)
         {
-            if (status == EndCertificateStatus.Revoked)
+            if (status != EndCertificateStatus.Revoked && revocationTime.HasValue)
             {
-                throw new ArgumentException("Provide a revocation date for a revoked certificate result.", nameof(status));
+                throw new ArgumentException(
+                    $"End certificate revoked at {revocationTime} but status isn't {nameof(EndCertificateStatus.Revoked)}",
+                    nameof(status));
+            }
+
+            switch (status)
+            {
+                case EndCertificateStatus.Good:
+                    if (statusFlags != X509ChainStatusFlags.NoError)
+                    {
+                        throw new ArgumentException(
+                            $"Invalid flags '{statusFlags}' for status '{status}'",
+                            nameof(statusFlags));
+                    }
+
+                    break;
+
+                case EndCertificateStatus.Invalid:
+                    if (statusFlags == X509ChainStatusFlags.NoError)
+                    {
+                        throw new ArgumentException(
+                            $"Invalid flags '{statusFlags}' for status '{status}'",
+                            nameof(statusFlags));
+                    }
+
+                    break;
+
+                case EndCertificateStatus.Revoked:
+                    if ((statusFlags & X509ChainStatusFlags.Revoked) == 0)
+                    {
+                        throw new ArgumentException(
+                            $"Invalid flags '{statusFlags}' for status '{status}'",
+                            nameof(statusFlags));
+                    }
+                    break;
+
+                case EndCertificateStatus.Unknown:
+                    if ((statusFlags & (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation)) == 0)
+                    {
+                        throw new ArgumentException(
+                            $"Invalid flags '{statusFlags}' for status '{status}'",
+                            nameof(statusFlags));
+                    }
+
+                    break;
+
+                default:
+                    throw new ArgumentException($"Unknown status '{status}'", nameof(status));
             }
 
             Status = status;
+            StatusFlags = statusFlags;
+            StatusUpdateTime = statusUpdateTime;
+            RevocationTime = revocationTime;
         }
 
         /// <summary>
-        /// Create a new revoked certificate verification result.
+        /// The status of the end <see cref="X509Certificate2"/>.
         /// </summary>
-        /// <param name="revocationTime">The start of the certificate's invalidity period.</param>
-        public CertificateVerificationResult(DateTime revocationTime)
-        {
-            Status = EndCertificateStatus.Revoked;
-            RevocationTime = revocationTime;
-        }
+        public EndCertificateStatus Status { get; }
 
         /// <summary>
-        /// The status of the <see cref="X509Certificate2"/>.
+        /// The flattened flags for the <see cref="X509Certificate2"/>'s entire chain.
         /// </summary>
-        public EndCertificateStatus Status { get; }
+        public X509ChainStatusFlags StatusFlags { get; }
+
+        /// <summary>
+        /// The time that the end <see cref="X509Certificate2"/>'s status was last updated, according to the
+        /// Certificate Authority. This value may be <c>null</c> if the <see cref="Status"/> is
+        /// <see cref="EndCertificateStatus.Unknown"/> or if the status could not be determined.
+        /// </summary>
+        public DateTime? StatusUpdateTime { get; }
 
         /// <summary>
-        /// The time at which the <see cref="X509Certificate2"/> was revoked. Null unless
-        /// <see cref="Status"/> is <see cref="CertificateStatus.Revoked"/>.
+        /// The time at which the end <see cref="X509Certificate2"/> was revoked. If <see cref="Status"/>
+        /// is not <see cref="CertificateStatus.Revoked"/>, this will have a value of <c>null</c>.
         /// </summary>
         public DateTime? RevocationTime { get; }
+
+        /// <summary>
+        /// Convert a verification to a human readable string.
+        /// </summary>
+        /// <returns>A human readable string that summarizes the verification result.</returns>
+        public override string ToString()
+        {
+            switch (Status)
+            {
+                case EndCertificateStatus.Good:
+                    return $"Good (StatusUpdateTime = {StatusUpdateTime})";
+
+                case EndCertificateStatus.Invalid:
+                    return $"Invalid (Flags = {StatusFlags}, StatusUpdateTime = {StatusUpdateTime})";
+
+                case EndCertificateStatus.Revoked:
+                    return $"Revoked (Flags = {StatusFlags}, RevocationTime = {RevocationTime}, StatusUpdateTime = {StatusUpdateTime})";
+
+                case EndCertificateStatus.Unknown:
+                    return $"Unknown (Flags = {StatusFlags}, StatusUpdateTime = {StatusUpdateTime})";
+
+                default:
+                    throw new InvalidOperationException($"Unknown status {Status}");
+            }
+        }
+
+        /// <summary>
+        /// Helper used to create valid <see cref="CertificateVerificationResult"/>s.
+        /// </summary>
+        public class Builder
+        {
+            private EndCertificateStatus _status;
+            private X509ChainStatusFlags _statusFlags;
+            private DateTime? _statusUpdateTime;
+            private DateTime? _revocationTime;
+
+            public Builder WithStatus(EndCertificateStatus value)
+            {
+                _status = value;
+                return this;
+            }
+
+            public Builder WithStatusFlags(X509ChainStatusFlags value)
+            {
+                _statusFlags = value;
+                return this;
+            }
+
+            public Builder WithStatusUpdateTime(DateTime? value)
+            {
+                _statusUpdateTime = value;
+                return this;
+            }
+
+            public Builder WithRevocationTime(DateTime? value)
+            {
+                _revocationTime = value;
+                return this;
+            }
+
+            public CertificateVerificationResult Build()
+            {
+                return new CertificateVerificationResult(
+                    _status,
+                    _statusFlags,
+                    _statusUpdateTime,
+                    _revocationTime);
+            }
+        }
     }
 }

src/Validation.PackageSigning.ValidateCertificate/CertificateVerificationResult.cs

@@ -7,8 +7,19 @@ namespace Validation.PackageSigning.ValidateCertificate
 {
     public interface ITelemetryService
     {
+        /// <summary>
+        /// The event that tracks when a signature may be invalid and should be manually inspected.
+        /// Unlike <see cref="TrackPackageSignatureShouldBeInvalidatedEvent(PackageSignature)"/>, this
+        /// package MAY be found to still be valid!
+        /// </summary>
+        /// <param name="signature">The signature that should be invalidated.</param>
+        /// <returns>A task that returns when the event has been recorded.</returns>
+        void TrackPackageSignatureMayBeInvalidatedEvent(PackageSignature signature);
+
         /// <summary>
         /// The event that tracks when a signature should be manually invalidated.
+        /// Unlike <see cref="TrackPackageSignatureMayBeInvalidatedEvent(PackageSignature)"/>, this
+        /// package SHOULD be invalidated.
         /// </summary>
         /// <param name="signature">The signature that should be invalidated.</param>
         /// <returns>A task that returns when the event has been recorded.</returns>

src/Validation.PackageSigning.ValidateCertificate/ITelemetryService.cs

@@ -0,0 +1,149 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using System.Security.Cryptography.X509Certificates;
+using NuGet.Services.Validation;
+
+namespace Validation.PackageSigning.ValidateCertificate
+{
+    /// <summary>
+    /// Deciders are created from a given <see cref="CertificateVerificationResult"/> to decide
+    /// how each of the certificate's dependent <see cref="PackageSignature"/>s should be affected.
+    /// </summary>
+    /// <param name="signature">A signature that depends on the <see cref="EndCertificate"/> that was verified.</param>
+    /// <returns>How the signature should be handled.</returns>
+    public delegate SignatureDecision SignatureDecider(PackageSignature signature);
+
+    /// <summary>
+    /// Creates functions that decide how <see cref="PackageSignature"/>s should be affected by
+    /// <see cref="EndCertificate.Status"/> changes.
+    /// </summary>
+    public class SignatureDeciderFactory
+    {
+        /// <summary>
+        /// Create a function to decide how signatures should be affected by a revoked certificate.
+        /// </summary>
+        /// <param name="certificate">The certificate that was revoked.</param>
+        /// <param name="result">The verification result that describes when the certificate was revoked.</param>
+        /// <returns>The function that describes how dependent signatures should be affected by the certificate status change.</returns>
+        public SignatureDecider MakeDeciderForRevokedCertificate(EndCertificate certificate, CertificateVerificationResult result)
+        {
+            switch (certificate.Use)
+            {
+                case EndCertificateUse.Timestamping:
+                    return RejectSignaturesAtIngestionOtherwiseWarnDecider;
+
+                case EndCertificateUse.CodeSigning:
+                    return MakeDeciderForRevokedCodeSigningCertificate(result.RevocationTime);
+
+                default:
+                    throw new InvalidOperationException($"Revoked certificate has unknown use: {certificate.Use}");
+            }
+        }
+
+        /// <summary>
+        /// Create a function to decide how signatures should be affected by an invalidated certificate.
+        /// </summary>
+        /// <param name="certificate">The certificate that was invalidated.</param>
+        /// <param name="result">The verification result that describes why the certificate was invalidated.</param>
+        /// <returns>The function that describes how dependent signatures should be affected by the certificate status change.</returns>
+        public SignatureDecider MakeDeciderForInvalidatedCertificate(EndCertificate certificate, CertificateVerificationResult result)
+        {
+            if (result.Status != EndCertificateStatus.Invalid)
+            {
+                throw new ArgumentException($"Result must have a status of {nameof(EndCertificateStatus.Invalid)}", nameof(result));
+            }
+
+            if (result.StatusFlags == X509ChainStatusFlags.NoError ||
+                (result.StatusFlags & (X509ChainStatusFlags.OfflineRevocation | X509ChainStatusFlags.RevocationStatusUnknown)) != 0)
+            {
+                throw new ArgumentException($"Invalid flags on invalid verification result: {result.StatusFlags}!", nameof(result));
+            }
+
+            // If a certificate used for the primary signature is revoked, all dependent signatures should be invalidated.
+            // Note that in this case the revoked certificate is a parent of the end certificate - NOT the end certificate.
+            if (certificate.Use == EndCertificateUse.CodeSigning && (result.StatusFlags & X509ChainStatusFlags.Revoked) != 0)
+            {
+                return RejectAllSignaturesDecider;
+            }
+
+            // NotTimeValid and HasWeakSignature fail packages only at ingestion.
+            else if (ResultHasOnlyFlags(result, X509ChainStatusFlags.NotTimeValid | X509ChainStatusFlags.HasWeakSignature))
+            {
+                return RejectSignaturesAtIngestionDecider;
+            }
+
+            // NotTimeNested does not affect signatures and should be ignored.
+            else if (ResultHasOnlyFlags(result, X509ChainStatusFlags.NotTimeNested))
+            {
+                return NoActionDecider;
+            }
+
+            // In all other cases, reject signatures at ingestion and warn on all other signatures.
+            else
+            {
+                return RejectSignaturesAtIngestionOtherwiseWarnDecider;
+            }
+        }
+
+        private SignatureDecider MakeDeciderForRevokedCodeSigningCertificate(DateTime? revocationTime)
+        {
+            // If the time the certificate was revoked is unknown, assume the worst and reject all dependent signatures.
+            if (!revocationTime.HasValue)
+            {
+                return RejectAllSignaturesDecider;
+            }
+
+            return (PackageSignature signature) =>
+            {
+                // The revoked code signing certificate invalidates signatures with no valid timestamps.
+                // TODO: This should skip trusted timestamps with invalid/revoked certs. This requires:
+                //          * Getting trusted timestamps' certificates and their statuses.
+                if (!signature.TrustedTimestamps.Any())
+                {
+                    return SignatureDecision.Reject;
+                }
+
+                // The revoked code signing certificate invalidates signatures with at least one trusted
+                // timestamp before the revocation date.
+                if (signature.TrustedTimestamps.Any(t => revocationTime.Value <= t.Value))
+                {
+                    return SignatureDecision.Reject;
+                }
+
+                // This signature lives to see another day.
+                return SignatureDecision.Ignore;
+            };
+        }
+
+        private SignatureDecision NoActionDecider(PackageSignature signature) => SignatureDecision.Ignore;
+
+        private SignatureDecision RejectAllSignaturesDecider(PackageSignature signature) => SignatureDecision.Reject;
+
+        private SignatureDecision RejectSignaturesAtIngestionDecider(PackageSignature signature)
+        {
+            return (signature.Status == PackageSignatureStatus.Unknown)
+                        ? SignatureDecision.Reject
+                        : SignatureDecision.Ignore;
+        }
+
+        private SignatureDecision RejectSignaturesAtIngestionOtherwiseWarnDecider(PackageSignature signature)
+        {
+            return (signature.Status == PackageSignatureStatus.Unknown)
+                    ? SignatureDecision.Reject
+                    : SignatureDecision.Warn;
+        }
+
+        private bool ResultHasOnlyFlags(CertificateVerificationResult result, X509ChainStatusFlags flags)
+        {
+            if (result.StatusFlags == X509ChainStatusFlags.NoError)
+            {
+                return flags == X509ChainStatusFlags.NoError;
+            }
+
+            return (result.StatusFlags & flags) == result.StatusFlags;
+        }
+    }
+}