[Package Signing] Online Revocation Checking (#309)

Adds the groundwork to perform online revocation checking of certificates. This will be used by nuget.org's validation pipeline to ensure that packages are signed with certificates that are valid. This code will be run on Windows Server only on .NET Framework v4.6.1+.

Author: loic-sharma

LICENSE.txt

@@ -1,4 +1,6 @@
-Copyright (c) .NET Foundation. All rights reserved.
+Copyright (c) .NET Foundation and Contributors.
+
+All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 these files except in compliance with the License. You may obtain a copy of the

src/Validation.PackageSigning.ValidateCertificate/CertificateValidationMessageHandler.cs

@@ -96,6 +96,8 @@ public async Task<bool> HandleAsync(CertificateValidationMessage message)
             }
 
             // Download and verify the certificate.
+            // TODO: Download all parent certificates and pass them to verification "VerifyAsync",
+            // will be done as part of: https://github.com/nuget/engineering/issues/787
             var certificate = await _certificateStore.LoadAsync(validation.EndCertificate.Thumbprint, CancellationToken.None);
             var result = await _certificateValidationService.VerifyAsync(certificate);
 

src/Validation.PackageSigning.ValidateCertificate/CertificateVerificationException.cs

@@ -0,0 +1,19 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Validation.PackageSigning.ValidateCertificate
+{
+    public class CertificateVerificationException : Exception
+    {
+        /// <summary>
+        /// Exception thrown by unexpected failures to validate a certificate.
+        /// </summary>
+        /// <param name="message">The message describing the failure.</param>
+        public CertificateVerificationException(string message)
+            : base(message)
+        {
+        }
+    }
+}

src/Validation.PackageSigning.ValidateCertificate/ICertificateValidationService.cs

@@ -1,7 +1,6 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using NuGet.Jobs.Validation.PackageSigning.Messages;

src/Validation.PackageSigning.ValidateCertificate/ICertificateVerifier.cs

@@ -0,0 +1,39 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Validation.PackageSigning.ValidateCertificate
+{
+    /// <summary>
+    /// Verifies <see cref="X509Certificate2"/>.
+    /// </summary>
+    public interface ICertificateVerifier
+    {
+        /// <summary>
+        /// Determine the status of a <see cref="X509Certificate2"/>.
+        /// </summary>
+        /// <param name="certificate">The certificate to verify.</param>
+        /// <param name="extraCertificates">A collection of certificates that may be used to build the certificate chain.</param>
+        /// <returns>The result of the verification.</returns>
+        [Obsolete("This will be removed when integration tests are created")]
+        CertificateVerificationResult VerifyCertificate(X509Certificate2 certificate, X509Certificate2[] extraCertificates);
+
+        /// <summary>
+        /// Determine the status of a code signing <see cref="X509Certificate2"/>.
+        /// </summary>
+        /// <param name="certificate">The certificate to verify.</param>
+        /// <param name="extraCertificates">A collection of certificates that may be used to build the certificate chain.</param>
+        /// <returns>The result of the verification.</returns>
+        CertificateVerificationResult VerifyCodeSigningCertificate(X509Certificate2 certificate, X509Certificate2[] extraCertificates);
+
+        /// <summary>
+        /// Determine the status of a timestamping <see cref="X509Certificate2"/>.
+        /// </summary>
+        /// <param name="certificate">The certificate to verify.</param>
+        /// <param name="extraCertificates">A collection of certificates that may be used to build the certificate chain.</param>
+        /// <returns>The result of the verification.</returns>
+        CertificateVerificationResult VerifyTimestampingCertificate(X509Certificate2 certificate, X509Certificate2[] extraCertificates);
+    }
+}

src/Validation.PackageSigning.ValidateCertificate/Job.cs

@@ -3,7 +3,6 @@
 
 using System;
 using System.Collections.Generic;
-using System.Diagnostics;
 using System.Threading.Tasks;
 using Autofac;
 using Autofac.Extensions.DependencyInjection;

src/Validation.PackageSigning.ValidateCertificate/OnlineCertificateVerifier.cs

@@ -0,0 +1,265 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Win32.SafeHandles;
+using NuGet.Services.Validation;
+
+namespace Validation.PackageSigning.ValidateCertificate
+{
+    /// <summary>
+    /// Performs online revocation verification for a <see cref="X509Certificate2"/>.
+    /// </summary>
+    /// <remarks>
+    /// This depends on Windows' native CryptoApi and will only work on Windows. This
+    /// verifier ignores NotTimeValid certificate statuses.
+    /// </remarks>
+    public class OnlineCertificateVerifier : ICertificateVerifier
+    {
+        /// <summary>
+        /// RFC 5280 codeSigning attribute, https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+        /// </summary>
+        private const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";
+
+        /// <summary>
+        /// RFC 3280 "id-kp-timeStamping" https://tools.ietf.org/html/rfc3280.html#section-4.2.1.13
+        /// </summary>
+        private const string TimeStampingEku = "1.3.6.1.5.5.7.3.8";
+
+        /// <summary>
+        /// Chain status flags indicating that the revocation status could not be determined.
+        /// </summary>
+        private const X509ChainStatusFlags UnknownStatusFlags = X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
+
+        /// <summary>
+        /// Certificate trust errors indicating that the certificate was not verified online.
+        /// </summary>
+        private const CertTrustErrorStatus OfflineErrorStatusFlags = CertTrustErrorStatus.CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CertTrustErrorStatus.CERT_TRUST_IS_OFFLINE_REVOCATION;
+
+        public CertificateVerificationResult VerifyCertificate(X509Certificate2 certificate, X509Certificate2[] extraCertificates)
+        {
+            return VerifyCertificate(certificate, extraCertificates, applicationPolicy: null);
+        }
+
+        public CertificateVerificationResult VerifyCodeSigningCertificate(X509Certificate2 certificate, X509Certificate2[] extraCertificates)
+        {
+            return VerifyCertificate(certificate, extraCertificates, applicationPolicy: new Oid(CodeSigningEku));
+        }
+
+        public CertificateVerificationResult VerifyTimestampingCertificate(X509Certificate2 certificate, X509Certificate2[] extraCertificates)
+        {
+            return VerifyCertificate(certificate, extraCertificates, applicationPolicy: new Oid(TimeStampingEku));
+        }
+
+        private CertificateVerificationResult VerifyCertificate(X509Certificate2 certificate, X509Certificate2[] extraCertificates, Oid applicationPolicy)
+        {
+            X509Chain chain = null;
+
+            try
+            {
+                chain = new X509Chain();
+
+                // Allow the chain to use whatever additional extra certificates were provided.
+                chain.ChainPolicy.ExtraStore.AddRange(extraCertificates);
+
+                if (applicationPolicy != null)
+                {
+                    chain.ChainPolicy.ApplicationPolicy.Add(applicationPolicy);
+                }
+
+                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+
+                var resultBuilder = new CertificateVerificationResult.Builder();
+
+                if (chain.Build(certificate))
+                {
+                    resultBuilder.WithStatus(EndCertificateStatus.Good);
+                    resultBuilder.WithStatusFlags(X509ChainStatusFlags.NoError);
+                }
+                else
+                {
+                    resultBuilder.WithStatus(GetEndCertificateStatusFromInvalidChain(chain));
+                    resultBuilder.WithStatusFlags(FlattenChainStatusFlags(chain));
+                }
+
+                InspectChain(chain, certificate, resultBuilder);
+
+                return resultBuilder.Build();
+            }
+            finally
+            {
+                if (chain != null)
+                {
+                    foreach (var chainElement in chain.ChainElements)
+                    {
+                        chainElement.Certificate.Dispose();
+                    }
+
+                    chain.Dispose();
+                }
+            }
+        }
+
+        private EndCertificateStatus GetEndCertificateStatusFromInvalidChain(X509Chain chain)
+        {
+            // There are multiple reasons why an end certificate may not have a status of EndCertificateStatus.Good:
+            //
+            // * The end certificate may be revoked or invalid.
+            // * An issuing ancestor of the end certificate may be revoked or invalid.
+            // * Any combination of the above cases.
+            //
+            // If the ONLY issue is that the end certificate is revoked, then package signatures created after the revocation will be
+            // affected.  In any other case where any certificate has a revoked or invalid status, the end certificate status will be
+            // invalid.
+            //
+            // NOTE: This means that an end certificate that is revoked but has an ignored flag (like "NotTimeNested") will be
+            // determined to be invalid here.
+            if (OnlyEndCertificateRevokedInInvalidChain(chain))
+            {
+                return EndCertificateStatus.Revoked;
+            }
+
+            // If ANY status is anything other RevocationStatusUnknown, OfflineRevocation or NoError, the certificate is invalid and
+            // dependent signatures should be invalidated.
+            if (chain.ChainStatus.Any(s => (s.Status & ~UnknownStatusFlags) != X509ChainStatusFlags.NoError))
+            {
+                return EndCertificateStatus.Invalid;
+            }
+
+            // All status flags are RevocationStatusUnknown, OfflineRevocation, or NoError. The certificate's verification should be
+            // retried later.
+            return EndCertificateStatus.Unknown;
+        }
+
+        private bool OnlyEndCertificateRevokedInInvalidChain(X509Chain chain)
+        {
+            // Ensure that all of the chain statuses are the Revoked status flag.
+            if (chain.ChainStatus.Any(s => (s.Status & ~X509ChainStatusFlags.Revoked) != X509ChainStatusFlags.NoError))
+            {
+                return false;
+            }
+
+            // All chain statuses are Revoked status flags. Ensure that the end certificate has at least one of these Revoked statuses.
+            if (!chain.ChainElements[0].ChainElementStatus.Any())
+            {
+                return false;
+            }
+
+            // Ensure that all parent certificates have no errors.
+            var parentElements = chain.ChainElements
+                                      .Cast<X509ChainElement>()
+                                      .Skip(1);
+
+            return (parentElements.All(e => e.ChainElementStatus.All(s => s.Status == X509ChainStatusFlags.NoError)));
+        }
+
+        private X509ChainStatusFlags FlattenChainStatusFlags(X509Chain chain)
+        {
+            var result = X509ChainStatusFlags.NoError;
+
+            foreach (var chainStatus in chain.ChainStatus)
+            {
+                result |= chainStatus.Status;
+            }
+
+            return result;
+        }
+
+        private unsafe void InspectChain(X509Chain chain, X509Certificate2 certificate, CertificateVerificationResult.Builder resultBuilder)
+        {
+            var addedRef = false;
+            var chainHandle = chain.SafeHandle;
+
+            try
+            {
+                chainHandle.DangerousAddRef(ref addedRef);
+
+                CERT_REVOCATION_INFO* pRevocationInfo = GetEndCertificateRevocationInfoPointer(chainHandle, certificate);
+
+                if (CertificateWasVerifiedOnline(pRevocationInfo))
+                {
+                    resultBuilder.WithRevocationTime(GetRevocationTime(pRevocationInfo));
+                    resultBuilder.WithStatusUpdateTime(GetStatusUpdateTime(pRevocationInfo));
+                }
+            }
+            finally
+            {
+                if (addedRef)
+                {
+                    chainHandle.DangerousRelease();
+                }
+            }
+        }
+
+        private unsafe CERT_REVOCATION_INFO* GetEndCertificateRevocationInfoPointer(SafeX509ChainHandle chainHandle, X509Certificate2 certificate)
+        {
+            CERT_CHAIN_CONTEXT* pCertChainContext = (CERT_CHAIN_CONTEXT*)(chainHandle.DangerousGetHandle());
+
+            if (pCertChainContext == null)
+            {
+                throw new CertificateVerificationException($"Certificate's {certificate.Thumbprint} CERT_CHAIN_CONTEXT* should never be null on Windows");
+            }
+
+            if (pCertChainContext->cChain < 1)
+            {
+                throw new CertificateVerificationException($"Certificate's {certificate.Thumbprint} CERT_CHAIN_CONTEXT* should have at least one chain");
+            }
+
+            if (pCertChainContext->rgpChain[0]->cElement < 1)
+            {
+                throw new CertificateVerificationException($"Certificate's {certificate.Thumbprint} CERT_CHAIN_CONTEXT*'s first chain should have at least one element");
+            }
+
+            CERT_SIMPLE_CHAIN* pCertSimpleChain = pCertChainContext->rgpChain[0];
+            CERT_CHAIN_ELEMENT* pChainElement = pCertSimpleChain->rgpElement[0];
+
+            return pChainElement->pRevocationInfo;
+        }
+
+        private unsafe bool CertificateWasVerifiedOnline(CERT_REVOCATION_INFO* pRevocationInfo)
+        {
+            if (pRevocationInfo == null || pRevocationInfo->pCrlInfo == null)
+            {
+                return false;
+            }
+
+            return (pRevocationInfo->dwRevocationResult & OfflineErrorStatusFlags) == 0;
+        }
+
+        private unsafe DateTime? GetRevocationTime(CERT_REVOCATION_INFO* pRevocationInfo)
+        {
+            if (pRevocationInfo->dwRevocationResult == CertTrustErrorStatus.CERT_TRUST_NO_ERROR)
+            {
+                return null;
+            }
+
+            FILETIME revocationDate = pRevocationInfo->pCrlInfo->pCrlEntry->RevocationDate;
+
+            return revocationDate.ToDateTime().ToUniversalTime();
+        }
+
+        private unsafe DateTime? GetStatusUpdateTime(CERT_REVOCATION_INFO* pRevocationInfo)
+        {
+            CERT_REVOCATION_CRL_INFO* pCrlInfo = pRevocationInfo->pCrlInfo;
+
+            if (pCrlInfo->pDeltaCRLContext != null)
+            {
+                FILETIME statusUpdate = pCrlInfo->pDeltaCRLContext->pCrlInfo->ThisUpdate;
+
+                return statusUpdate.ToDateTime().ToUniversalTime();
+            }
+            else if (pCrlInfo->pBaseCRLContext != null)
+            {
+               FILETIME statusUpdate = pCrlInfo->pBaseCRLContext->pCrlInfo->ThisUpdate;
+
+               return statusUpdate.ToDateTime().ToUniversalTime();
+            }
+
+            return null;
+        }
+    }
+}