[release/6.0] Switch to dynamic cert gen for tests

- Cherry-picked from #39685

Author: HaoK

src/Middleware/HttpOverrides/test/CertificateForwardingTest.cs

@@ -230,34 +230,5 @@ public async Task VerifyArrHeaderEncodedCertFailsOnBadEncoding()
                 c.Request.Headers["X-Client-Cert"] = "OOPS" + Convert.ToBase64String(Certificates.SelfSignedValidWithNoEku.RawData);
             });
         }
-
-        private static class Certificates
-        {
-            public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedClientEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedNoEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedServerEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedNotYetValid { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateNotValidYet.cer"));
-
-            public static X509Certificate2 SelfSignedExpired { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateExpired.cer"));
-
-            private static string GetFullyQualifiedFilePath(string filename)
-            {
-                var filePath = Path.Combine(AppContext.BaseDirectory, filename);
-                if (!File.Exists(filePath))
-                {
-                    throw new FileNotFoundException(filePath);
-                }
-                return filePath;
-            }
-        }
-
     }
 }

src/Middleware/HttpOverrides/test/Microsoft.AspNetCore.HttpOverrides.Tests.csproj

@@ -5,6 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <Compile Include="$(SharedSourceRoot)test\Certificates\Certificates.cs" />
     <Reference Include="Microsoft.AspNetCore.HttpOverrides" />
     <Reference Include="Microsoft.AspNetCore.TestHost" />
     <Content Include="$(SharedSourceRoot)test\Certificates\*.cer" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />

src/Security/Authentication/test/CertificateTests.cs

@@ -159,7 +159,8 @@ public async Task VerifyValidSelfSignedWithServerFailsPurposeValidationIsOffButS
             Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
         }
 
-        [Fact]
+        [ConditionalFact]
+        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/32813", Queues = "All.Ubuntu")]
         public async Task VerifyExpiredSelfSignedFails()
         {
             using var host = await CreateHost(
@@ -194,7 +195,7 @@ public async Task VerifyExpiredSelfSignedPassesIfDateRangeValidationIsDisabled()
         }
 
         [ConditionalFact]
-        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/32813")]
+        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/32813", Queues = "All.Ubuntu")]
         public async Task VerifyNotYetValidSelfSignedFails()
         {
             using var host = await CreateHost(
@@ -932,43 +933,5 @@ private static async Task<IHost> CreateHost(
                 return Task.CompletedTask;
             }
         };
-
-        private static class Certificates
-        {
-            public static X509Certificate2 SelfSignedPrimaryRoot { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedPrimaryRootCertificate.cer"));
-
-            public static X509Certificate2 SignedSecondaryRoot { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSignedSecondaryRootCertificate.cer"));
-
-            public static X509Certificate2 SignedClient { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSignedClientCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedClientEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedNoEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedServerEkuCertificate.cer"));
-
-            public static X509Certificate2 SelfSignedNotYetValid { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateNotValidYet.cer"));
-
-            public static X509Certificate2 SelfSignedExpired { get; private set; } =
-                new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateExpired.cer"));
-
-            private static string GetFullyQualifiedFilePath(string filename)
-            {
-                var filePath = Path.Combine(AppContext.BaseDirectory, filename);
-                if (!File.Exists(filePath))
-                {
-                    throw new FileNotFoundException(filePath);
-                }
-                return filePath;
-            }
-        }
     }
 }
-

src/Security/Authentication/test/Microsoft.AspNetCore.Authentication.Test.csproj

@@ -13,6 +13,8 @@
   </ItemGroup>
 
   <ItemGroup>
+    <Compile Include="$(SharedSourceRoot)test\Certificates\Certificates.cs" />
+
     <Content Include="WsFederation\federationmetadata.xml">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>

src/Shared/test/Certificates/Certificates.cs

@@ -0,0 +1,113 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+public static class Certificates
+{
+    private static string ServerEku = "1.3.6.1.5.5.7.3.1";
+    private static string ClientEku = "1.3.6.1.5.5.7.3.2";
+
+    static Certificates()
+    {
+        DateTimeOffset now = DateTimeOffset.UtcNow;
+
+        SelfSignedPrimaryRoot = MakeCert(
+            "CN=Valid Self Signed Client EKU,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+        SignedSecondaryRoot = MakeCert(
+            "CN=Valid Signed Secondary Root EKU,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+        SelfSignedValidWithServerEku = MakeCert(
+            "CN=Valid Self Signed Server EKU,OU=dev,DC=idunno-dev,DC=org",
+            ServerEku,
+            now);
+
+        SelfSignedValidWithClientEku = MakeCert(
+            "CN=Valid Self Signed Server EKU,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+        SelfSignedValidWithNoEku = MakeCert(
+            "CN=Valid Self Signed No EKU,OU=dev,DC=idunno-dev,DC=org",
+            eku: null,
+            now);
+
+        SelfSignedExpired = MakeCert(
+            "CN=Expired Self Signed,OU=dev,DC=idunno-dev,DC=org",
+            eku: null,
+            now.AddYears(-2),
+            now.AddYears(-1));
+
+        SelfSignedNotYetValid = MakeCert(
+            "CN=Not Valid Yet Self Signed,OU=dev,DC=idunno-dev,DC=org",
+            eku: null,
+            now.AddYears(2),
+            now.AddYears(3));
+
+        SignedClient = MakeCert(
+            "CN=Valid Signed Client,OU=dev,DC=idunno-dev,DC=org",
+            ClientEku,
+            now);
+
+    }
+
+    private static readonly X509KeyUsageExtension s_digitalSignatureOnlyUsage =
+            new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true);
+
+    private static X509Certificate2 MakeCert(
+        string subjectName,
+        string eku,
+        DateTimeOffset now)
+    {
+        return MakeCert(subjectName, eku, now, now.AddYears(5));
+    }
+
+    private static X509Certificate2 MakeCert(
+        string subjectName,
+        string eku,
+        DateTimeOffset notBefore,
+        DateTimeOffset notAfter)
+    {
+        using (var key = RSA.Create(2048))
+        {
+            CertificateRequest request = new CertificateRequest(
+                subjectName,
+                key,
+                HashAlgorithmName.SHA256,
+                RSASignaturePadding.Pkcs1);
+
+            request.CertificateExtensions.Add(s_digitalSignatureOnlyUsage);
+
+            if (eku != null)
+            {
+                request.CertificateExtensions.Add(
+                    new X509EnhancedKeyUsageExtension(
+                        new OidCollection { new Oid(eku, null) }, false));
+            }
+
+            return request.CreateSelfSigned(notBefore, notAfter);
+        }
+    }
+
+    public static X509Certificate2 SelfSignedPrimaryRoot { get; private set; }
+
+    public static X509Certificate2 SignedSecondaryRoot { get; private set; }
+
+    public static X509Certificate2 SignedClient { get; private set; }
+
+    public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; }
+
+    public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; }
+
+    public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; }
+
+    public static X509Certificate2 SelfSignedNotYetValid { get; private set; }
+
+    public static X509Certificate2 SelfSignedExpired { get; private set; }
+}

src/Shared/test/Certificates/selfSignedNoEkuCertificateExpired.cer

@@ -57,6 +57,11 @@ private bool ShouldSkip()
                 return true;
             }
 
+            if (Queues.Contains("All.Ubuntu") && targetQueue.StartsWith("ubuntu", StringComparison.OrdinalIgnoreCase))
+            {
+                return true;
+            }
+
             return Queues.ToLowerInvariant().Split(';').Contains(targetQueue);
         }