[release/6.0] Switch to dynamic cert gen for tests (#55811)

* [release/6.0] Switch to dynamic cert gen for tests

- Cherry-picked from #39685

* Remove non-existing project from AspNetCore.sln

* Log ClientCertificateAuthenticationTests

---------

Co-authored-by: Hao Kung <[email protected]>

Author: halter73

AspNetCore.sln

@@ -9750,22 +9750,6 @@ Global
 		{09FFBC53-3EFF-45C4-9822-5D66089CD6AD}.Release|x64.Build.0 = Release|Any CPU
 		{09FFBC53-3EFF-45C4-9822-5D66089CD6AD}.Release|x86.ActiveCfg = Release|Any CPU
 		{09FFBC53-3EFF-45C4-9822-5D66089CD6AD}.Release|x86.Build.0 = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|arm64.ActiveCfg = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|arm64.Build.0 = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|x64.Build.0 = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Debug|x86.Build.0 = Debug|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|Any CPU.Build.0 = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|arm64.ActiveCfg = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|arm64.Build.0 = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|x64.ActiveCfg = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|x64.Build.0 = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|x86.ActiveCfg = Release|Any CPU
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765}.Release|x86.Build.0 = Release|Any CPU
 		{3044DFA5-DE4F-44D8-8DD8-EDF547BE513E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{3044DFA5-DE4F-44D8-8DD8-EDF547BE513E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{3044DFA5-DE4F-44D8-8DD8-EDF547BE513E}.Debug|arm64.ActiveCfg = Debug|Any CPU
@@ -11171,7 +11155,6 @@ Global
 		{17F28812-983E-4415-A55D-842DD7EC6887} = {627BE8B3-59E6-4F1D-8C9C-76B804D41724}
 		{A07D3B13-388B-444F-9E37-DDC0787C4690} = {17F28812-983E-4415-A55D-842DD7EC6887}
 		{09FFBC53-3EFF-45C4-9822-5D66089CD6AD} = {17F28812-983E-4415-A55D-842DD7EC6887}
-		{A1D02CE6-1077-410A-81CB-D4BD500FD765} = {0508E463-0269-40C9-B5C2-3B600FB2A28B}
 		{3044DFA5-DE4F-44D8-8DD8-EDF547BE513E} = {C445B129-0A4D-41F5-8347-6534B6B12303}
 		{4BD6F0DB-BE9C-4C54-B52A-D20B88855ED5} = {C445B129-0A4D-41F5-8347-6534B6B12303}
 		{6CCCF618-2E70-4870-B39F-32C016FE08F0} = {088C37A5-30D2-40FB-B031-D163CFBED006}

src/Middleware/HttpOverrides/test/CertificateForwardingTest.cs

@@ -230,34 +230,5 @@ public async Task VerifyArrHeaderEncodedCertFailsOnBadEncoding()
                 c.Request.Headers["X-Client-Cert"] = "OOPS" + Convert.ToBase64String(Certificates.SelfSignedValidWithNoEku.RawData);
             });
         }
-
-        private static class Certificates
-        {
-            public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedClientEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedNoEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedServerEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedNotYetValid { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateNotValidYet.cer"));
-
-            public static X509Certificate2 SelfSignedExpired { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateExpired.cer"));
-
-            private static string GetFullyQualifiedFilePath(string filename)
-            {
-                var filePath = Path.Combine(AppContext.BaseDirectory, filename);
-                if (!File.Exists(filePath))
-                {
-                    throw new FileNotFoundException(filePath);
-                }
-                return filePath;
-            }
-        }
-
     }
 }

src/Middleware/HttpOverrides/test/Microsoft.AspNetCore.HttpOverrides.Tests.csproj

@@ -5,6 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <Compile Include="$(SharedSourceRoot)test\Certificates\Certificates.cs" />
     <Reference Include="Microsoft.AspNetCore.HttpOverrides" />
     <Reference Include="Microsoft.AspNetCore.TestHost" />
     <Content Include="$(SharedSourceRoot)test\Certificates\*.cer" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />

src/Security/Authentication/test/CertificateTests.cs

@@ -24,7 +24,7 @@
 
 namespace Microsoft.AspNetCore.Authentication.Certificate.Test
 {
-    public class ClientCertificateAuthenticationTests
+    public class ClientCertificateAuthenticationTests : LoggedTest
     {
 
         [Fact]
@@ -159,7 +159,8 @@ public async Task VerifyValidSelfSignedWithServerFailsPurposeValidationIsOffButS
             Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
         }
 
-        [Fact]
+        [ConditionalFact]
+        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/32813", Queues = "All.Ubuntu")]
         public async Task VerifyExpiredSelfSignedFails()
         {
             using var host = await CreateHost(
@@ -194,7 +195,7 @@ public async Task VerifyExpiredSelfSignedPassesIfDateRangeValidationIsDisabled()
         }
 
         [ConditionalFact]
-        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/32813")]
+        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/32813", Queues = "All.Ubuntu")]
         public async Task VerifyNotYetValidSelfSignedFails()
         {
             using var host = await CreateHost(
@@ -787,7 +788,7 @@ public async Task VerifyValidationResultNeverCachedAfter30Min(bool cache)
             Assert.Equal(laterExpected, count.First().Value);
         }
 
-        private static async Task<IHost> CreateHost(
+        private async Task<IHost> CreateHost(
             CertificateAuthenticationOptions configureOptions,
             X509Certificate2 clientCertificate = null,
             Func<HttpContext, bool> handler = null,
@@ -846,6 +847,8 @@ private static async Task<IHost> CreateHost(
                         })
                     .ConfigureServices(services =>
                     {
+                        AddTestLogging(services);
+
                         AuthenticationBuilder authBuilder;
                         if (configureOptions != null)
                         {
@@ -932,43 +935,5 @@ private static async Task<IHost> CreateHost(
                 return Task.CompletedTask;
             }
         };
-
-        private static class Certificates
-        {
-            public static X509Certificate2 SelfSignedPrimaryRoot { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedPrimaryRootCertificate.cer"));
-
-            public static X509Certificate2 SignedSecondaryRoot { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSignedSecondaryRootCertificate.cer"));
-
-            public static X509Certificate2 SignedClient { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSignedClientCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedClientEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedNoEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedServerEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedNotYetValid { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateNotValidYet.cer"));
-
-            public static X509Certificate2 SelfSignedExpired { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateExpired.cer"));
-
-            private static string GetFullyQualifiedFilePath(string filename)
-            {
-                var filePath = Path.Combine(AppContext.BaseDirectory, filename);
-                if (!File.Exists(filePath))
-                {
-                    throw new FileNotFoundException(filePath);
-                }
-                return filePath;
-            }
-        }
     }
 }
-

src/Security/Authentication/test/Microsoft.AspNetCore.Authentication.Test.csproj

@@ -13,6 +13,8 @@
   </ItemGroup>
 
   <ItemGroup>
+    <Compile Include="$(SharedSourceRoot)test\Certificates\Certificates.cs" />
+
     <Content Include="WsFederation\federationmetadata.xml">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>

src/Shared/test/Certificates/Certificates.cs

@@ -0,0 +1,113 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+public static class Certificates
+{
+    private static string ServerEku = "1.3.6.1.5.5.7.3.1";
+    private static string ClientEku = "1.3.6.1.5.5.7.3.2";
+
+    static Certificates()
+    {
+        DateTimeOffset now = DateTimeOffset.UtcNow;
+
+        SelfSignedPrimaryRoot = MakeCert(
+            "CN=Valid Self Signed Client EKU,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+        SignedSecondaryRoot = MakeCert(
+            "CN=Valid Signed Secondary Root EKU,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+        SelfSignedValidWithServerEku = MakeCert(
+            "CN=Valid Self Signed Server EKU,OU=dev,DC=idunno-dev,DC=org",
+            ServerEku,
+            now);
+
+        SelfSignedValidWithClientEku = MakeCert(
+            "CN=Valid Self Signed Server EKU,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+        SelfSignedValidWithNoEku = MakeCert(
+            "CN=Valid Self Signed No EKU,OU=dev,DC=idunno-dev,DC=org",
+            eku: null,
+            now);
+
+        SelfSignedExpired = MakeCert(
+            "CN=Expired Self Signed,OU=dev,DC=idunno-dev,DC=org",
+            eku: null,
+            now.AddYears(-2),
+            now.AddYears(-1));
+
+        SelfSignedNotYetValid = MakeCert(
+            "CN=Not Valid Yet Self Signed,OU=dev,DC=idunno-dev,DC=org",
+            eku: null,
+            now.AddYears(2),
+            now.AddYears(3));
+
+        SignedClient = MakeCert(
+            "CN=Valid Signed Client,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+    }
+
+    private static readonly X509KeyUsageExtension s_digitalSignatureOnlyUsage =
+            new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true);
+
+    private static X509Certificate2 MakeCert(
+        string subjectName,
+        string eku,
+        DateTimeOffset now)
+    {
+        return MakeCert(subjectName, eku, now, now.AddYears(5));
+    }
+
+    private static X509Certificate2 MakeCert(
+        string subjectName,
+        string eku,
+        DateTimeOffset notBefore,
+        DateTimeOffset notAfter)
+    {
+        using (var key = RSA.Create(2048))
+        {
+            CertificateRequest request = new CertificateRequest(
+                subjectName,
+                key,
+                HashAlgorithmName.SHA256,
+                RSASignaturePadding.Pkcs1);
+
+            request.CertificateExtensions.Add(s_digitalSignatureOnlyUsage);
+
+            if (eku != null)
+            {
+                request.CertificateExtensions.Add(
+                    new X509EnhancedKeyUsageExtension(
+                        new OidCollection { new Oid(eku, null) }, false));
+            }
+
+            return request.CreateSelfSigned(notBefore, notAfter);
+        }
+    }
+
+    public static X509Certificate2 SelfSignedPrimaryRoot { get; private set; }
+
+    public static X509Certificate2 SignedSecondaryRoot { get; private set; }
+
+    public static X509Certificate2 SignedClient { get; private set; }
+
+    public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; }
+
+    public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; }
+
+    public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; }
+
+    public static X509Certificate2 SelfSignedNotYetValid { get; private set; }
+
+    public static X509Certificate2 SelfSignedExpired { get; private set; }
+}

src/Shared/test/Certificates/selfSignedNoEkuCertificateExpired.cer

@@ -57,6 +57,11 @@ private bool ShouldSkip()
                 return true;
             }
 
+            if (Queues.Contains("All.Ubuntu") && targetQueue.StartsWith("ubuntu", StringComparison.OrdinalIgnoreCase))
+            {
+                return true;
+            }
+
             return Queues.ToLowerInvariant().Split(';').Contains(targetQueue);
         }