Added tests for timestamping rule.

Author: vcsjones

AuthenticodeLint/Rules/TimestampedRule.cs

@@ -1,5 +1,4 @@
 using System;
-using System.Security.Cryptography.Pkcs;
 
 namespace AuthenticodeLint.Rules
 {
@@ -9,7 +8,7 @@ public class TimestampedRule : IAuthenticodeSignatureRule
 
         public string RuleName { get; } = "Timestamped Rule";
 
-        public string ShortDescription { get; } = "Signatures should have a time stamped counter signer.";
+        public string ShortDescription { get; } = "Signatures should have a timestamp counter signer.";
 
         public unsafe RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
         {
@@ -48,7 +47,7 @@ public unsafe RuleResult Validate(Graph<Signature> graph, SignatureLogger verbos
                 }
                 if (!isSigned)
                 {
-                    verboseWriter.LogSignatureMessage(signatureInfo, $"Signature is not timestamped.");
+                    verboseWriter.LogSignatureMessage(signatureInfo, "Signature is not timestamped.");
                     pass = false;
                 }
                 else if (!strongSign)

AuthenticodeLint/SignatureExtractor.cs

@@ -58,7 +58,7 @@ private unsafe Graph<Signature> GetSignatures(CryptMsgSafeHandle messageHandle)
         }
 
 
-        public static Graph<Signature> RecursiveSigner(IList<byte[]> cmsData)
+        private static Graph<Signature> RecursiveSigner(IList<byte[]> cmsData)
         {
             var graphItems = new List<GraphItem<Signature>>();
             foreach (var data in cmsData)

AuthenticodeLintTests/AuthenticodeLintTests.csproj

@@ -38,11 +38,10 @@
   <ItemGroup>
     <Compile Include="CommandLineParsingTests.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Rules\TimestampedRuleTests.cs" />
     <Compile Include="Rules\WinCertificatePaddingRuleTests.cs" />
   </ItemGroup>
   <ItemGroup>
-    <None Include="inputs\wintrustnonpadded.ex_" />
-    <None Include="inputs\wintrustpadded.ex_" />
     <None Include="project.json" />
   </ItemGroup>
   <ItemGroup>

AuthenticodeLintTests/Rules/TimestampedRuleTests.cs

@@ -0,0 +1,58 @@
+using AuthenticodeLint;
+using AuthenticodeLint.Rules;
+using System.Collections.Generic;
+using Xunit;
+
+namespace AuthenticodeLintTests.Rules
+{
+    public class TimestampedRuleTests
+    {
+        private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None);
+
+        private static Graph<Signature> GetGraphForFile(string file)
+        {
+            var extractor = new SignatureExtractor();
+            return extractor.Extract(file);
+        }
+
+        [
+            Theory,
+            InlineData("../../inputs/notimestamp.ex_"),
+            InlineData("../../inputs/notimestamp.dl_")
+        ]
+        public void ShouldFailIfNoTimestamp(string file)
+        {
+            var signatures = GetGraphForFile(file);
+            var rule = new TimestampedRule();
+
+            var logger = new MemorySignatureLogger();
+            var result = rule.Validate(signatures, logger, Configuration);
+            Assert.Equal(RuleResult.Fail, result);
+            Assert.Collection(logger.Messages, s => s.EndsWith("Signature is not timestamped."));
+        }
+
+        [Fact]
+        public void ShouldFailIfTimestampUsesWeakSignatureAlgorithm()
+        {
+            var signatures = GetGraphForFile("../../inputs/timestampedweaksig.ex_");
+            var rule = new TimestampedRule();
+
+            var logger = new MemorySignatureLogger();
+            var result = rule.Validate(signatures, logger, Configuration);
+            Assert.Equal(RuleResult.Fail, result);
+            Assert.Collection(logger.Messages, s => s.EndsWith("Signature is not timestamped with the expected hash algorithm SHA256."));
+        }
+
+        [Fact]
+        public void ShouldPassIfTimestampedAlgorithmIsValid()
+        {
+            var signatures = GetGraphForFile("../../inputs/timestampedvalid.ex_");
+            var rule = new TimestampedRule();
+
+            var logger = new MemorySignatureLogger();
+            var result = rule.Validate(signatures, logger, Configuration);
+            Assert.Equal(RuleResult.Pass, result);
+            Assert.Empty(logger.Messages);
+        }
+    }
+}

AuthenticodeLintTests/Rules/WinCertificatePaddingRuleTests.cs

@@ -65,7 +65,6 @@ public void NonBinaryShouldThrow()
             //Rules shouldn't handle non-signed, non-binary content since that validation happens further up.
             var file = "../../inputs/nonbinary.txt";
             var rule = new WinCertificatePaddingRule();
-            var logger = new MemorySignatureLogger();
 
             Assert.Throws<InvalidOperationException>(() => rule.Validate(file, SignatureLogger.Null, Configuration));
         }