raise warning if insecure sha-1 certificate fingerprint is passed to mssign and reposign commands

[kartheekp-ms]

Bug

Fixes: https://github.com/NuGet/Client.Engineering/issues/2939

Description

Deprecate the usage of SHA-1 fingerprints in mssign and reposign commands especially for CertificateFingerprint option. Instead, allow mssign and reposign commands to accept SHA-2 (SHA-256, SHA-384 and SHA-512) family fingerprints for searching a local certificate store for the certificate.

Here is how the mssign and reposign commands after this PR has been merged:

• Validates the certificate fingerprint to ensure it is either SHA-1, SHA-256, SHA-384, or SHA-512 algorithm. Throws an error otherwise.
• Raises a warning if a SHA-1 certificate fingerprint is provided. This warning will be promoted to an error in the future.
• While searching for a certificate from the local store, if a SHA-1 hash is provided, finds the certificate using the existing API i.e. certCollection.Find(X509FindType.FindByThumbprint, CertificateFingerprint, validOnly: false);
• If a SHA-256, SHA-384, or SHA-512 certificate fingerprint is provided, loops through the certificates in the store to find the certificate with the matching hash.

I made similar changes to the dotnet sign command in #5895 and nuget.exe sign command in #5924.

PR Checklist

• Meaningful title, helpful description and a linked NuGet/Home issue
• Added tests
• Link to an issue or pull request to update docs if this PR changes settings, environment variables, new feature, etc. https://github.com/NuGet/Client.Engineering/issues/2876

[dotnet-policy-service]

This PR has been automatically marked as stale because it has no activity for 7 days. It will be closed if no further activity occurs within another 7 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch.

[dtivel]

I think these break an IDE style rule that static and const fields shouldn't be _-prefixed. Only instance fields should be _-prefixed.

_noTimestamperWarningCode -> NoTimestamperWarningCode
_invalidCertificateFingerprintCode -> InvalidCertificateFingerprintCode
_sha1Hash -> Sha1Hash

[kartheekp-ms]

I renamed _sha1Hash -> Sha1Hash.

_noTimestamperWarningCode and _invalidCertificateFingerprintCode are read-only strings. IDE analyzers warned of the lack of the prefix _ if I remove the prefix. Hence, I didn't rename the variables.

[dtivel]

An invalid fingerprint is still a good negative test case. Instead of replacing this value, I suggest converting this test from a Fact into a Theory and test both cases, like you did here.

[kartheekp-ms]

In this test case we are validating that if an invalid hexadecimal hash has been passed to the certificate fingerprint, then then the command will fail with Can't find specified certificate. exception.

Once this PR has been merged, the command will throw an exception with NU3034 error code if non-hexadecimal string is passed as fingerprint.

As per your suggestion, I changed the test to pass invalid SHA1 and SHA256 hexadecimal hashes to ensure the certificate lookup fails with the expected exception.

[dtivel]

When testing one validation --- in this case, timestamp algorithm --- amongst many, it's important to pass reasonably valid values for all other (non-tested) validations to isolate the validation under test.

Previously, we passed a GUID string for certificate fingerprint, but now we pass a SHA-1 fingerprint. This PR changes fingerprint validation, specifically for SHA-1 fingerprints, so it's doubly weird that we're passing a deprecated value for a property we're not even testing.

I recommend creating a fake SHA-256 fingerprint and using it wherever we're not testing certificate fingerprint validation.

[kartheekp-ms]

Thanks for the feedback. Updated tests