Certificates: add validation issue for unknown certificate (#415)

Author: dtivel

src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj

@@ -107,7 +107,7 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="NuGet.Services.Validation.Issues">
-      <Version>2.25.0-master-29664</Version>
+      <Version>2.25.0-master-30191</Version>
     </PackageReference>
   </ItemGroup>
   <ItemGroup>

src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs

@@ -330,10 +330,10 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context
             }
 
             // Block packages with any unknown signing certificates.
-            var signingFingerprint = context.Signature
+            var signingCertificate = context.Signature
                 .SignerInfo
-                .Certificate
-                .ComputeSHA256Thumbprint();
+                .Certificate;
+            var signingFingerprint = signingCertificate.ComputeSHA256Thumbprint();
 
             var packageRegistration = _corePackageService.FindPackageRegistrationById(context.Message.PackageId);
 
@@ -348,7 +348,7 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context
 
                 return await RejectAsync(
                     context,
-                    ValidationIssue.PackageIsSigned);
+                    new UnauthorizedCertificateFailure(signingCertificate.Thumbprint.ToLowerInvariant()));
             }
 
             // Call the "verify" API, which does the main logic of signature validation.

tests/Validation.PackageSigning.ProcessSignature.Tests/SignatureValidatorFacts.cs

@@ -380,8 +380,10 @@ public async Task RejectsSignedPackagesWithUnknownCertificates()
 
                 // Assert
                 Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
-                var issue = Assert.Single(result.Issues);
-                Assert.Equal(ValidationIssueCode.PackageIsSigned, issue.IssueCode);
+                Assert.Single(result.Issues);
+                var issue = Assert.IsType<UnauthorizedCertificateFailure>(result.Issues[0]);
+                Assert.Equal(ValidationIssueCode.PackageIsSignedWithUnauthorizedCertificate, issue.IssueCode);
+                Assert.Equal(TestResources.Leaf2Sha1Thumbprint, issue.Sha1Thumbprint);
             }
 
             [Fact]
@@ -514,9 +516,10 @@ public async Task StripsAndRejectsPackagesWithRepositorySignatureWhenPackageIsAu
                     _cancellationToken);
 
                 Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
-                Assert.Equal(1, result.Issues.Count);
-                var issue = Assert.IsType<NoDataValidationIssue>(result.Issues[0]);
-                Assert.Equal(ValidationIssueCode.PackageIsSigned, issue.IssueCode);
+                Assert.Single(result.Issues);
+                var issue = Assert.IsType<UnauthorizedCertificateFailure>(result.Issues[0]);
+                Assert.Equal(ValidationIssueCode.PackageIsSignedWithUnauthorizedCertificate, issue.IssueCode);
+                Assert.Equal(TestResources.Leaf2Sha1Thumbprint, issue.Sha1Thumbprint);
             }
 
             [Fact]

tests/Validation.PackageSigning.ProcessSignature.Tests/Support/TestResources.cs

@@ -41,6 +41,11 @@ public static class TestResources
         /// </summary>
         public const string Leaf2Thumbprint = "a8cc70dbbd8bc61410231805b690cca7c5a8d07553c1c49b299a6aabaeb7ff9a";
 
+        /// <summary>
+        /// This is the SHA-1 thumbprint of the signing certificate in <see cref="SignedPackageLeaf2"/>.
+        /// </summary>
+        public const string Leaf2Sha1Thumbprint = "8e1b5dadf388dee204bcfd27b53f00b585fdca07";
+
         /// <summary>
         /// This is the SHA-256 thumbprint of the timestamp certificate in <see cref="SignedPackageLeaf1"/>.
         /// </summary>