Updated AssemblyStrongNameRule to verify public key tokens

ajaybhargavb · ajaybhargavb · commit feda5f471c84 · 2016-03-17T10:32:12.000-07:00
diff --git a/src/NuGetPackageVerifier/CompositeRules/AdxVerificationCompositeRule.cs b/src/NuGetPackageVerifier/CompositeRules/AdxVerificationCompositeRule.cs
@@ -20,6 +20,7 @@ public class AdxVerificationCompositeRule : IPackageVerifierRule
             new AssemblyHasProductAttributeRule(),
             new AssemblyHasServicingAttributeRule(),
             new AssemblyHasVersionAttributesRule(),
+            new AssemblyStrongNameRule(),
             new SatellitePackageRule(),
             new StrictSemanticVersionValidationRule(),
         };
diff --git a/src/NuGetPackageVerifier/CompositeRules/DefaultCompositeRule.cs b/src/NuGetPackageVerifier/CompositeRules/DefaultCompositeRule.cs
@@ -21,6 +21,7 @@ public class DefaultCompositeRule : IPackageVerifierRule
             new AssemblyHasProductAttributeRule(),
             new AssemblyHasServicingAttributeRule(),
             new AssemblyHasVersionAttributesRule(),
+            new AssemblyStrongNameRule(),
             new SatellitePackageRule(),
             new StrictSemanticVersionValidationRule(),
         };
diff --git a/src/NuGetPackageVerifier/CompositeRules/NonAdxVerificationCompositeRule.cs b/src/NuGetPackageVerifier/CompositeRules/NonAdxVerificationCompositeRule.cs
@@ -12,7 +12,6 @@ public class NonAdxVerificationCompositeRule : IPackageVerifierRule
     {
         IPackageVerifierRule[] _rules = new IPackageVerifierRule[]
         {
-            new AssemblyStrongNameRule(),
             new AuthenticodeSigningRule(),
         };
 
diff --git a/src/NuGetPackageVerifier/PackageIssueFactory.cs b/src/NuGetPackageVerifier/PackageIssueFactory.cs
@@ -95,6 +95,11 @@ public static PackageVerifierIssue AssemblyNotStrongNameSigned(string assemblyPa
             return new PackageVerifierIssue("SIGN_STRONGNAME", assemblyPath, string.Format("The managed assembly '{0}' in this package is either not signed or is delay signed. HRESULT=0x{1:X}", assemblyPath, hResult), MyPackageIssueLevel.Error);
         }
 
+        public static PackageVerifierIssue AssemblyHasWrongPublicKeyToken(string assemblyPath, string expectedToken)
+        {
+            return new PackageVerifierIssue("WRONG_PUBLICKEYTOKEN", assemblyPath, string.Format("The managed assembly '{0}' in this package does not have the expected public key token ({1}).", assemblyPath, expectedToken), MyPackageIssueLevel.Error);
+        }
+
         public static PackageVerifierIssue NotSemanticVersion(SemanticVersion version)
         {
             return new PackageVerifierIssue("VERSION_NOTSEMANTIC",
diff --git a/src/NuGetPackageVerifier/Rules/AssemblyStrongNameRule.cs b/src/NuGetPackageVerifier/Rules/AssemblyStrongNameRule.cs
@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Reflection;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 using NuGet.Packaging;
@@ -13,6 +14,8 @@ namespace NuGetPackageVerifier.Rules
 {
     public class AssemblyStrongNameRule : IPackageVerifierRule
     {
+        private static string _publicKeyToken = "ADB9793829DDAE60";
+
         public IEnumerable<PackageVerifierIssue> Validate(
             FileInfo nupkgFile,
             IPackageMetadata package,
@@ -31,6 +34,7 @@ public IEnumerable<PackageVerifierIssue> Validate(
 
                         var isManagedCode = false;
                         var isStrongNameSigned = false;
+                        var hasCorrectPublicKeyToken = false;
                         var hresult = 0;
 
                         try
@@ -54,6 +58,13 @@ public IEnumerable<PackageVerifierIssue> Validate(
                                 {
                                     isStrongNameSigned = true;
                                 }
+
+                                var testAssembly = AssemblyName.GetAssemblyName(assemblyPath);
+                                var tokenHexString = BitConverter.ToString(testAssembly.GetPublicKeyToken()).Replace("-", "");
+                                if (_publicKeyToken.Equals(tokenHexString))
+                                {
+                                    hasCorrectPublicKeyToken = true;
+                                }
                             }
                         }
                         catch (Exception ex)
@@ -68,10 +79,16 @@ public IEnumerable<PackageVerifierIssue> Validate(
                                 File.Delete(assemblyPath);
                             }
                         }
+
                         if (isManagedCode && !isStrongNameSigned)
                         {
                             yield return PackageIssueFactory.AssemblyNotStrongNameSigned(currentFile, hresult);
                         }
+
+                        if (isManagedCode && !hasCorrectPublicKeyToken)
+                        {
+                            yield return PackageIssueFactory.AssemblyHasWrongPublicKeyToken(currentFile, _publicKeyToken);
+                        }
                     }
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@ public class NonAdxVerificationCompositeRule : IPackageVerifierRule`
`12`	`12`	`{`
`13`	`13`	`IPackageVerifierRule[] _rules = new IPackageVerifierRule[]`
`14`	`14`	`{`
`15`		`- new AssemblyStrongNameRule(),`
`16`	`15`	`new AuthenticodeSigningRule(),`
`17`	`16`	`};`
`18`	`17`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,11 @@ public static PackageVerifierIssue AssemblyNotStrongNameSigned(string assemblyPa`
`95`	`95`	`return new PackageVerifierIssue("SIGN_STRONGNAME", assemblyPath, string.Format("The managed assembly '{0}' in this package is either not signed or is delay signed. HRESULT=0x{1:X}", assemblyPath, hResult), MyPackageIssueLevel.Error);`
`96`	`96`	`}`
`97`	`97`
	`98`	`+ public static PackageVerifierIssue AssemblyHasWrongPublicKeyToken(string assemblyPath, string expectedToken)`
	`99`	`+ {`
	`100`	`+ return new PackageVerifierIssue("WRONG_PUBLICKEYTOKEN", assemblyPath, string.Format("The managed assembly '{0}' in this package does not have the expected public key token ({1}).", assemblyPath, expectedToken), MyPackageIssueLevel.Error);`
	`101`	`+ }`
	`102`	`+`
`98`	`103`	`public static PackageVerifierIssue NotSemanticVersion(SemanticVersion version)`
`99`	`104`	`{`
`100`	`105`	`return new PackageVerifierIssue("VERSION_NOTSEMANTIC",`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`using System;`
`5`	`5`	`using System.Collections.Generic;`
`6`	`6`	`using System.IO;`
	`7`	`+using System.Reflection;`
`7`	`8`	`using System.Runtime.CompilerServices;`
`8`	`9`	`using System.Runtime.InteropServices;`
`9`	`10`	`using NuGet.Packaging;`
`@@ -13,6 +14,8 @@ namespace NuGetPackageVerifier.Rules`
`13`	`14`	`{`
`14`	`15`	`public class AssemblyStrongNameRule : IPackageVerifierRule`
`15`	`16`	`{`
	`17`	`+ private static string _publicKeyToken = "ADB9793829DDAE60";`
	`18`	`+`
`16`	`19`	`public IEnumerable<PackageVerifierIssue> Validate(`
`17`	`20`	`FileInfo nupkgFile,`
`18`	`21`	`IPackageMetadata package,`
`@@ -31,6 +34,7 @@ public IEnumerable<PackageVerifierIssue> Validate(`
`31`	`34`
`32`	`35`	`var isManagedCode = false;`
`33`	`36`	`var isStrongNameSigned = false;`
	`37`	`+ var hasCorrectPublicKeyToken = false;`
`34`	`38`	`var hresult = 0;`
`35`	`39`
`36`	`40`	`try`
`@@ -54,6 +58,13 @@ public IEnumerable<PackageVerifierIssue> Validate(`
`54`	`58`	`{`
`55`	`59`	`isStrongNameSigned = true;`
`56`	`60`	`}`
	`61`	`+`
	`62`	`+ var testAssembly = AssemblyName.GetAssemblyName(assemblyPath);`
	`63`	`+ var tokenHexString = BitConverter.ToString(testAssembly.GetPublicKeyToken()).Replace("-", "");`
	`64`	`+ if (_publicKeyToken.Equals(tokenHexString))`
	`65`	`+ {`
	`66`	`+ hasCorrectPublicKeyToken = true;`
	`67`	`+ }`
`57`	`68`	`}`
`58`	`69`	`}`
`59`	`70`	`catch (Exception ex)`
`@@ -68,10 +79,16 @@ public IEnumerable<PackageVerifierIssue> Validate(`
`68`	`79`	`File.Delete(assemblyPath);`
`69`	`80`	`}`
`70`	`81`	`}`
	`82`	`+`
`71`	`83`	`if (isManagedCode && !isStrongNameSigned)`
`72`	`84`	`{`
`73`	`85`	`yield return PackageIssueFactory.AssemblyNotStrongNameSigned(currentFile, hresult);`
`74`	`86`	`}`
	`87`	`+`
	`88`	`+ if (isManagedCode && !hasCorrectPublicKeyToken)`
	`89`	`+ {`
	`90`	`+ yield return PackageIssueFactory.AssemblyHasWrongPublicKeyToken(currentFile, _publicKeyToken);`
	`91`	`+ }`
`75`	`92`	`}`
`76`	`93`	`}`
`77`	`94`	`}`