Switch to dynamic cert gen for tests

HaoK · HaoK · commit efcd7f5315c1 · 2022-01-21T12:55:25.000-08:00
diff --git a/src/Security/Authentication/test/CertificateTests.cs b/src/Security/Authentication/test/CertificateTests.cs
@@ -3,7 +3,9 @@
 
 using System.Globalization;
 using System.Net;
+using System.Runtime.CompilerServices;
 using System.Security.Claims;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Xml.Linq;
 using Microsoft.AspNetCore.Builder;
@@ -929,39 +931,110 @@ private static async Task<IHost> CreateHost(
 
     private static class Certificates
     {
-        public static X509Certificate2 SelfSignedPrimaryRoot { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedPrimaryRootCertificate.cer"));
+        private static string ServerEku = "1.3.6.1.5.5.7.3.1";
+        private static string ClientEku = "1.3.6.1.5.5.7.3.2";
 
-        public static X509Certificate2 SignedSecondaryRoot { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("validSignedSecondaryRootCertificate.cer"));
+        static Certificates()
+        {
+            DateTimeOffset now = DateTimeOffset.UtcNow;
+
+            SelfSignedPrimaryRoot = MakeCert(
+                "CN=Valid Self Signed Client EKU,OU=dev,DC=idunno-dev,DC=org",
+                ClientEku,
+                now);
+
+            SignedSecondaryRoot = MakeCert(
+                "CN=Valid Signed Secondary Root EKU,OU=dev,DC=idunno-dev,DC=org",
+                ClientEku,
+                now);
+
+            SelfSignedValidWithServerEku = MakeCert(
+                "CN=Valid Self Signed Server EKU,OU=dev,DC=idunno-dev,DC=org",
+                ServerEku,
+                now);
+
+            SelfSignedValidWithClientEku = MakeCert(
+                "CN=Valid Self Signed Server EKU,OU=dev,DC=idunno-dev,DC=org",
+                ClientEku,
+                now);
+
+            SelfSignedValidWithNoEku = MakeCert(
+                "CN=Valid Self Signed No EKU,OU=dev,DC=idunno-dev,DC=org",
+                eku: null,
+                now);
+
+            SelfSignedExpired = MakeCert(
+                "CN=Expired Self Signed,OU=dev,DC=idunno-dev,DC=org",
+                eku: null,
+                now.AddYears(-1),
+                now.AddDays(-1));
+
+            SelfSignedNotYetValid = MakeCert(
+                "CN=Not Valid Yet Self Signed,OU=dev,DC=idunno-dev,DC=org",
+                eku: null,
+                now.AddYears(2),
+                now.AddYears(3));
+
+            SignedClient = MakeCert(
+                "CN=Valid Signed Client,OU=dev,DC=idunno-dev,DC=org",
+                ClientEku,
+                now);
 
-        public static X509Certificate2 SignedClient { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("validSignedClientCertificate.cer"));
+        }
 
-        public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedClientEkuCertificate.cer"));
+        private static readonly X509KeyUsageExtension s_digitalSignatureOnlyUsage =
+               new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true);
 
-        public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedNoEkuCertificate.cer"));
+        private static X509Certificate2 MakeCert(
+            string subjectName,
+            string eku,
+            DateTimeOffset now)
+        {
+            return MakeCert(subjectName, eku, now, now.AddYears(5));
+        }
 
-        public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("validSelfSignedServerEkuCertificate.cer"));
+        private static X509Certificate2 MakeCert(
+            string subjectName,
+            string eku,
+            DateTimeOffset notBefore,
+            DateTimeOffset notAfter)
+        {
+            using (RSA key = RSA.Create(2048))
+            {
+                CertificateRequest request = new CertificateRequest(
+                    subjectName,
+                    key,
+                    HashAlgorithmName.SHA256,
+                    RSASignaturePadding.Pkcs1);
 
-        public static X509Certificate2 SelfSignedNotYetValid { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateNotValidYet.cer"));
+                request.CertificateExtensions.Add(s_digitalSignatureOnlyUsage);
 
-        public static X509Certificate2 SelfSignedExpired { get; private set; } =
-            new X509Certificate2(GetFullyQualifiedFilePath("selfSignedNoEkuCertificateExpired.cer"));
+                if (eku != null)
+                {
+                    request.CertificateExtensions.Add(
+                        new X509EnhancedKeyUsageExtension(
+                            new OidCollection { new Oid(eku, null) }, false));
+                }
 
-        private static string GetFullyQualifiedFilePath(string filename)
-        {
-            var filePath = Path.Combine(AppContext.BaseDirectory, filename);
-            if (!File.Exists(filePath))
-            {
-                throw new FileNotFoundException(filePath);
+                return request.CreateSelfSigned(notBefore, notAfter);
             }
-            return filePath;
         }
+
+        public static X509Certificate2 SelfSignedPrimaryRoot { get; private set; }
+
+        public static X509Certificate2 SignedSecondaryRoot { get; private set; }
+
+        public static X509Certificate2 SignedClient { get; private set; }
+
+        public static X509Certificate2 SelfSignedValidWithClientEku { get; private set; }
+
+        public static X509Certificate2 SelfSignedValidWithNoEku { get; private set; }
+
+        public static X509Certificate2 SelfSignedValidWithServerEku { get; private set; }
+
+        public static X509Certificate2 SelfSignedNotYetValid { get; private set; }
+
+        public static X509Certificate2 SelfSignedExpired { get; private set; }
     }
 }
 
