Add validate certificate job with some straw man implementations (#233)

Progress on NuGet/Engineering#787

Author: joelverhagen

NuGet.Jobs.sln

@@ -103,6 +103,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.E
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.ExtractAndValidateSignature.Tests", "tests\Validation.PackageSigning.ExtractAndValidateSignature.Tests\Validation.PackageSigning.ExtractAndValidateSignature.Tests.csproj", "{26435822-8938-48C9-96FD-0DCCF8F7CE00}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.ValidateCertificate", "src\Validation.PackageSigning.ValidateCertificate\Validation.PackageSigning.ValidateCertificate.csproj", "{A245E448-8AE0-452B-9338-8C0E0B637D72}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.ValidateCertificate.Tests", "tests\Validation.PackageSigning.ValidateCertificate.Tests\Validation.PackageSigning.ValidateCertificate.Tests.csproj", "{5ACE7756-F8D0-4D90-9957-872DE4A1381E}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.Helpers", "tests\Validation.PackageSigning.Helpers\Validation.PackageSigning.Helpers.csproj", "{2C5BE067-ADFD-49E3-BA9F-13A74436E5DB}"
+EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.Core.Tests", "tests\Validation.PackageSigning.Core.Tests\Validation.PackageSigning.Core.Tests.csproj", "{B4B7564A-965B-447B-927F-6749E2C08880}"
 EndProject
 Global
@@ -261,6 +267,18 @@ Global
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A245E448-8AE0-452B-9338-8C0E0B637D72}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A245E448-8AE0-452B-9338-8C0E0B637D72}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A245E448-8AE0-452B-9338-8C0E0B637D72}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A245E448-8AE0-452B-9338-8C0E0B637D72}.Release|Any CPU.Build.0 = Release|Any CPU
+		{5ACE7756-F8D0-4D90-9957-872DE4A1381E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{5ACE7756-F8D0-4D90-9957-872DE4A1381E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{5ACE7756-F8D0-4D90-9957-872DE4A1381E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{5ACE7756-F8D0-4D90-9957-872DE4A1381E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{2C5BE067-ADFD-49E3-BA9F-13A74436E5DB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{2C5BE067-ADFD-49E3-BA9F-13A74436E5DB}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{2C5BE067-ADFD-49E3-BA9F-13A74436E5DB}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{2C5BE067-ADFD-49E3-BA9F-13A74436E5DB}.Release|Any CPU.Build.0 = Release|Any CPU
 		{B4B7564A-965B-447B-927F-6749E2C08880}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{B4B7564A-965B-447B-927F-6749E2C08880}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{B4B7564A-965B-447B-927F-6749E2C08880}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -306,6 +324,9 @@ Global
 		{91C060DA-736F-4DA9-A57F-CB3AC0E6CB10} = {678D7B14-F8BC-4193-99AF-2EE8AA390A02}
 		{DD043977-6BCD-475A-BEE2-8C34309EC622} = {678D7B14-F8BC-4193-99AF-2EE8AA390A02}
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00} = {6A776396-02B1-475D-A104-26940ADB04AB}
+		{A245E448-8AE0-452B-9338-8C0E0B637D72} = {678D7B14-F8BC-4193-99AF-2EE8AA390A02}
+		{5ACE7756-F8D0-4D90-9957-872DE4A1381E} = {6A776396-02B1-475D-A104-26940ADB04AB}
+		{2C5BE067-ADFD-49E3-BA9F-13A74436E5DB} = {6A776396-02B1-475D-A104-26940ADB04AB}
 		{B4B7564A-965B-447B-927F-6749E2C08880} = {6A776396-02B1-475D-A104-26940ADB04AB}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution

build.ps1

@@ -103,8 +103,8 @@ Invoke-BuildStep 'Set version metadata in AssemblyInfo.cs' { `
             "$PSScriptRoot\src\NuGetCDNRedirect\Properties\AssemblyInfo.g.cs",
             "$PSScriptRoot\src\NuGet.Services.Validation.Orchestrator\Properties\AssemblyInfo.g.cs",
             "$PSScriptRoot\src\Stats.CollectAzureChinaCDNLogs\Properties\AssemblyInfo.g.cs",
-            "$PSScriptRoot\src\Validation.PackageSigning.ExtractAndValidateSignature\Properties\AssemblyInfo.g.cs"
-
+            "$PSScriptRoot\src\Validation.PackageSigning.ExtractAndValidateSignature\Properties\AssemblyInfo.g.cs",
+            "$PSScriptRoot\src\Validation.PackageSigning.ValidateCertificate\Properties\AssemblyInfo.g.cs"
 
         $versionMetadata | ForEach-Object {
             Set-VersionInfo -Path $_ -Version $SimpleVersion -Branch $Branch -Commit $CommitSHA
@@ -152,7 +152,8 @@ Invoke-BuildStep 'Creating artifacts' {
             "src/NuGetCDNRedirect/NuGetCDNRedirect.csproj", `
             "src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj", `
             "src/Stats.CollectAzureChinaCDNLogs/Stats.CollectAzureChinaCDNLogs.csproj", `
-            "src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj"
+            "src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj", `
+            "src/Validation.PackageSigning.ValidateCertificate/Validation.PackageSigning.ValidateCertificate.csproj"
 
         Foreach ($Project in $Projects) {
             New-Package (Join-Path $PSScriptRoot "$Project") -Configuration $Configuration -BuildNumber $BuildNumber -Version $SemanticVersion -Branch $Branch -MSBuildVersion "$msBuildVersion"
@@ -174,4 +175,4 @@ if ($BuildErrors) {
     Error-Log "Builds completed with $($BuildErrors.Count) error(s):`r`n$($ErrorLines -join "`r`n")" -Fatal
 }
 
-Write-Host ("`r`n" * 3)
+Write-Host ("`r`n" * 3)

src/Validation.PackageSigning.ValidateCertificate/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6"/>
+    </startup>
+</configuration>

src/Validation.PackageSigning.ValidateCertificate/CertificateValidationMessageHandler.cs

@@ -0,0 +1,159 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using NuGet.Jobs.Validation.PackageSigning.Messages;
+using NuGet.Jobs.Validation.PackageSigning.Storage;
+using NuGet.Services.ServiceBus;
+using NuGet.Services.Validation;
+
+namespace Validation.PackageSigning.ValidateCertificate
+{
+    /// <summary>
+    /// The handler for <see cref="CertificateValidationMessage"/>. Upon receiving a message,
+    /// this will validate a <see cref="X509Certificate2"/> and perform online revocation checks.
+    /// </summary>
+    public sealed class CertificateValidationMessageHandler : IMessageHandler<CertificateValidationMessage>
+    {
+        private readonly ICertificateStore _certificateStore;
+        private readonly ICertificateValidationService _certificateValidationService;
+        private readonly ILogger<CertificateValidationMessageHandler> _logger;
+
+        private readonly int _maximumValidationFailures;
+
+        public CertificateValidationMessageHandler(
+            ICertificateStore certificateStore,
+            ICertificateValidationService certificateValidationService,
+            ILogger<CertificateValidationMessageHandler> logger,
+            int maximumValidationFailures = CertificateValidationService.DefaultMaximumValidationFailures)
+        {
+            _certificateStore = certificateStore ?? throw new ArgumentNullException(nameof(certificateStore));
+            _certificateValidationService = certificateValidationService ?? throw new ArgumentNullException(nameof(certificateValidationService));
+            _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+
+            _maximumValidationFailures = maximumValidationFailures;
+        }
+
+        /// <summary>
+        /// Perform the certificate validation request, including online revocation checks.
+        /// </summary>
+        /// <param name="message">The message requesting the certificate validation.</param>
+        /// <returns>Whether the validation completed. If false, the validation should be retried later.</returns>
+        public async Task<bool> HandleAsync(CertificateValidationMessage message)
+        {
+            var validation = await _certificateValidationService.FindCertificateValidationAsync(message);
+
+            if (validation == null)
+            {
+                _logger.LogInformation(
+                    "Could not find a certificate validation entity, failing (certificate: {CertificateKey} validation: {ValidationId})",
+                    message.CertificateKey,
+                    message.ValidationId);
+
+                return false;
+            }
+
+            if (validation.Status != null)
+            {
+                // A certificate validation should be queued with a Status of null, and once the certificate validation
+                // completes, the Status should be updated to a non-null value. Hence, the Status here SHOULD be null.
+                // A non-null Status may indicate message duplication.
+                _logger.LogWarning(
+                    "Invalid certificate validation entity's status, dropping message (certificate: {CertificateThumbprint} validation: {ValidationId})",
+                    validation.EndCertificate.Thumbprint,
+                    validation.ValidationId);
+
+                return true;
+            }
+
+            if (validation.EndCertificate.Status == EndCertificateStatus.Revoked)
+            {
+                if (message.RevalidateRevokedCertificate)
+                {
+                    _logger.LogWarning(
+                        "Revalidating certificate that is known to be revoked " +
+                        "(certificate: {CertificateThumbprint} validation: {ValidationId})",
+                        validation.EndCertificate.Thumbprint,
+                        validation.ValidationId);
+                }
+                else
+                {
+                    // Do NOT revalidate a certificate that is known to be revoked unless explicitly told to!
+                    // Certificate Authorities are not required to keep a certificate's revocation information
+                    // forever, therefore, revoked certificates should only be revalidated in special cases.
+                    _logger.LogError(
+                        "Certificate known to be revoked MUST be validated with the " +
+                        $"{nameof(CertificateValidationMessage.RevalidateRevokedCertificate)} flag enabled " +
+                        "(certificate: {CertificateThumbprint} validation: {ValidationId})",
+                        validation.EndCertificate.Thumbprint,
+                        validation.ValidationId);
+
+                    return true;
+                }
+            }
+
+            // Download and verify the certificate.
+            var certificate = await _certificateStore.LoadAsync(validation.EndCertificate.Thumbprint, CancellationToken.None);
+            var result = await _certificateValidationService.VerifyAsync(certificate);
+
+            // Save the result. This may alert if packages are invalidated.
+            if (!await _certificateValidationService.TrySaveResultAsync(validation, result))
+            {
+                _logger.LogWarning(
+                    "Failed to save certificate validation result " +
+                    "(certificate: {CertificateThumbprint} validation: {ValidationId}), " +
+                    "failing validation",
+                    validation.EndCertificate.Thumbprint,
+                    validation.ValidationId);
+
+                return false;
+            }
+
+            return HasValidationCompleted(validation, result);
+        }
+
+        private bool HasValidationCompleted(EndCertificateValidation validation, CertificateVerificationResult result)
+        {
+            // The validation is complete if the certificate was determined to be "Good", "Invalid", or "Revoked".
+            if (result.Status == EndCertificateStatus.Good
+                || result.Status == EndCertificateStatus.Invalid
+                || result.Status == EndCertificateStatus.Revoked)
+            {
+                return true;
+            }
+            else if (result.Status == EndCertificateStatus.Unknown)
+            {
+                // Certificates whose status failed to be determined will have an "Unknown"
+                // status. These certificates should be retried until "_maximumValidationFailures"
+                // is reached.
+                if (validation.EndCertificate.ValidationFailures >= _maximumValidationFailures)
+                {
+                    _logger.LogWarning(
+                        "Certificate {CertificateThumbprint} has reached maximum of {MaximumValidationFailures} failed validation attempts",
+                        validation.EndCertificate.Thumbprint,
+                        _maximumValidationFailures);
+
+                    return true;
+                }
+                else
+                {
+                    _logger.LogWarning(
+                        "Could not validate certificate {CertificateThumbprint}, {RetriesLeft} retries left",
+                        validation.EndCertificate.Thumbprint,
+                        _maximumValidationFailures - validation.EndCertificate.ValidationFailures);
+
+                    return false;
+                }
+            }
+
+            _logger.LogError(
+                $"Unknown {nameof(EndCertificateStatus)} value: {{CertificateStatus}}, throwing to retry",
+                result.Status);
+
+            throw new InvalidOperationException($"Unknown {nameof(EndCertificateStatus)} value: {result.Status}");
+        }
+    }
+}