NuGet
diff --git a/‎Directory.Packages.props‎
Lines changed: 4 additions & 2 deletions b/‎Directory.Packages.props‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎NuGet.config‎
Lines changed: 4 additions & 1 deletion b/‎NuGet.config‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎tests/Validation.PackageSigning.Core.Tests/Support/CertificateIntegrationTestFixture.cs‎
Lines changed: 52 additions & 63 deletions b/‎tests/Validation.PackageSigning.Core.Tests/Support/CertificateIntegrationTestFixture.cs‎
Lines changed: 52 additions & 63 deletions
diff --git a/‎tests/Validation.PackageSigning.Core.Tests/Support/ExtensionMethods.cs‎
Lines changed: 1 addition & 8 deletions b/‎tests/Validation.PackageSigning.Core.Tests/Support/ExtensionMethods.cs‎
Lines changed: 1 addition & 8 deletions
diff --git a/‎tests/Validation.PackageSigning.Core.Tests/Support/X509AuthorityInformationAccessExtension.cs‎
Lines changed: 57 additions & 0 deletions b/‎tests/Validation.PackageSigning.Core.Tests/Support/X509AuthorityInformationAccessExtension.cs‎
Lines changed: 57 additions & 0 deletions
@@ -81,6 +81,7 @@
     <PackageVersion Include="Microsoft.Extensions.Primitives" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Identity.Client" Version="4.65.0" />
     <PackageVersion Include="Microsoft.Identity.Web" Version="3.6.2" />
+    <PackageVersion Include="Microsoft.Internal.NuGet.Testing.SignedPackages" Version="6.13.2-rc.1" />
     <PackageVersion Include="Microsoft.Net.Http" Version="2.2.29" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
     <PackageVersion Include="Microsoft.Owin.Host.SystemWeb" Version="4.2.2" />
@@ -136,16 +137,17 @@
     <PackageVersion Include="System.Data.SqlClient" Version="4.8.6" />
     <PackageVersion Include="System.Diagnostics.Debug" Version="4.3.0" />
     <PackageVersion Include="System.Drawing.Common" Version="9.0.0" />
-    <PackageVersion Include="System.Formats.Asn1" Version="8.0.1" />
+    <PackageVersion Include="System.Formats.Asn1" Version="8.0.2" />
     <PackageVersion Include="System.Linq.Expressions" Version="4.3.0" />
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <PackageVersion Include="System.Reflection.Metadata" Version="1.7.0-preview1-26717-04" />
     <PackageVersion Include="System.Runtime" Version="4.3.1" />
+    <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
+    <PackageVersion Include="System.Security.Cryptography.X509Certificates" Version="4.3.2" />
     <PackageVersion Include="System.Text.Encodings.Web" Version="8.0.0" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     <PackageVersion Include="System.Threading.Tasks.Extensions" Version="4.5.4" />
     <PackageVersion Include="System.ValueTuple" Version="4.5.0" />
-    <PackageVersion Include="Test.Utility" Version="6.4.2-rc.25" />
     <PackageVersion Include="UAParser" Version="3.1.44" />
     <PackageVersion Include="WebActivatorEx" Version="2.0.6" />
     <PackageVersion Include="WebGrease" Version="1.6.0" />
 
@@ -2,6 +2,7 @@
 <configuration>
   <packageSources>
     <clear />
+    <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" />
     <add key="NuGet.org" value="https://api.nuget.org/v3/index.json" />
     <add key="nuget-build" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/nuget-build/nuget/v3/index.json" />
   </packageSources>
@@ -10,6 +11,9 @@
   </disabledPackageSources>
   <packageSourceMapping>
     <clear />
+    <packageSource key="dotnet-tools">
+      <package pattern="Microsoft.Internal.NuGet.Testing.SignedPackages" />
+    </packageSource>
     <packageSource key="NuGet.org">
       <package pattern="Antlr" />
       <package pattern="AngleSharp.*" />
@@ -78,7 +82,6 @@
       <package pattern="NuGet.Services.*" />
       <package pattern="NuGet.StrongName.*" />
       <package pattern="Strathweb.CacheOutput.WebApi2.StrongName" />
-      <package pattern="Test.Utility" />
     </packageSource>
     <packageSource key="nuget-server-upstreams">
       <package pattern="Microsoft.Internal.*" />
 
@@ -2,18 +2,13 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
+using Microsoft.Internal.NuGet.Testing.SignedPackages;
 using NuGet.Common;
-using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Crypto.Parameters;
-using Org.BouncyCastle.Security;
-using Org.BouncyCastle.X509;
-using Org.BouncyCastle.X509.Extension;
-using Test.Utility.Signing;
 using TestUtil;
 using Xunit;
-using BCCertificate = Org.BouncyCastle.X509.X509Certificate;
 
 namespace Validation.PackageSigning.Core.Tests.Support
 {
@@ -38,7 +33,7 @@ public CertificateIntegrationTestFixture()
         {
             Assert.True(
                 UserHelper.IsAdministrator(),
-                $"This test must be executing with administrator privileges since it installs a trusted root. Add {UserHelper.EnableSkipVariableName} environment variable to skip this test.");      
+                $"This test must be executing with administrator privileges since it installs a trusted root. Add {UserHelper.EnableSkipVariableName} environment variable to skip this test.");
             _testServer = new AsyncLazy<SigningTestServer>(SigningTestServer.CreateAsync);
             _rootCertificateAuthority = new AsyncLazy<CertificateAuthority>(CreateDefaultTrustedRootCertificateAuthorityAsync);
             _certificateAuthority = new AsyncLazy<CertificateAuthority>(CreateDefaultTrustedCertificateAuthorityAsync);
@@ -88,7 +83,7 @@ private async Task<CertificateAuthority> CreateDefaultTrustedRootCertificateAuth
         {
             var testServer = await GetTestServerAsync();
             var rootCa = CertificateAuthority.Create(testServer.Url);
-            var rootCertificate = rootCa.Certificate.ToX509Certificate2();
+            var rootCertificate = new X509Certificate2(rootCa.Certificate);
 
             _trustedRoot = new TrustedTestCert<X509Certificate2>(
                 rootCertificate,
@@ -138,10 +133,10 @@ private async Task<X509Certificate2> CreateDefaultTrustedSigningCertificateAsync
 
         public X509Certificate2 CreateSigningCertificate(CertificateAuthority ca)
         {
-            void CustomizeAsSigningCertificate(X509V3CertificateGenerator generator)
+            void CustomizeAsSigningCertificate(CertificateRequest certificateRequest)
             {
-                generator.AddSigningEku();
-                generator.AddAuthorityInfoAccess(ca, addOcsp: true, addCAIssuers: true);
+                certificateRequest.AddSigningEku();
+                certificateRequest.AddAuthorityInfoAccess(ca, addOcsp: true, addCAIssuers: true);
             }
 
             return IssueCertificate(ca, "Signing", CustomizeAsSigningCertificate).certificate;
@@ -151,49 +146,39 @@ public async Task<X509Certificate2> CreateUntrustedRootSigningCertificateAsync()
         {
             var options = IssueCertificateOptions.CreateDefaultForRootCertificateAuthority();
 
-            options.CustomizeCertificate = (X509V3CertificateGenerator generator) =>
+            options.CustomizeCertificate = (CertificateRequest certificateRequest) =>
             {
-                generator.AddExtension(
-                    X509Extensions.SubjectKeyIdentifier,
-                    critical: false,
-                    extensionValue: new SubjectKeyIdentifierStructure(options.KeyPair.Public));
-                generator.AddExtension(
-                    X509Extensions.BasicConstraints,
-                    critical: true,
-                    extensionValue: new BasicConstraints(cA: true));
-                generator.AddExtension(
-                    X509Extensions.KeyUsage,
-                    critical: true,
-                    extensionValue: new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign | KeyUsage.CrlSign));
-                generator.AddSigningEku();
+                certificateRequest.CertificateExtensions.Add(
+                    new X509SubjectKeyIdentifierExtension(certificateRequest.PublicKey, critical: false));
+                certificateRequest.CertificateExtensions.Add(
+                    new X509BasicConstraintsExtension(certificateAuthority: true, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true));
+                certificateRequest.CertificateExtensions.Add(
+                    new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, critical: true));
+                certificateRequest.AddSigningEku();
             };
 
             var testServer = await GetTestServerAsync();
             var rootCa = CertificateAuthority.Create(testServer.Url, options);
 
-            var certificate = rootCa.Certificate.ToX509Certificate2();
-
-            certificate.PrivateKey = DotNetUtilities.ToRSA(options.KeyPair.Private as RsaPrivateCrtKeyParameters);
-
-            return certificate;
+            return rootCa.Certificate;
         }
 
         public async Task<RevokableCertificate> CreateRevokableSigningCertificateAsync()
         {
             var ca = await GetCertificateAuthorityAsync();
 
-            void CustomizeAsSigningCertificate(X509V3CertificateGenerator generator)
+            void CustomizeAsSigningCertificate(CertificateRequest certificateRequest)
             {
-                generator.AddSigningEku();
-                generator.AddAuthorityInfoAccess(ca, addOcsp: true, addCAIssuers: true);
+                certificateRequest.AddSigningEku();
+                certificateRequest.AddAuthorityInfoAccess(ca, addOcsp: true, addCAIssuers: true);
             }
 
             var issued = IssueCertificate(ca, "Revoked Signing", CustomizeAsSigningCertificate);
             var revocationDate = DateTimeOffset.UtcNow.Subtract(TimeSpan.FromHours(1));
 
             void Revoke()
             {
-                ca.Revoke(issued.publicCertificate, RevocationReason.Unspecified, revocationDate);
+                ca.Revoke(issued.publicCertificate, X509RevocationReason.Unspecified, revocationDate);
             }
 
             Task WaitForResponseExpirationAsync()
@@ -211,7 +196,7 @@ public async Task<UntrustedSigningCertificate> CreateUntrustedSigningCertificate
         {
             var testServer = await GetTestServerAsync();
             var untrustedRootCa = CertificateAuthority.Create(testServer.Url);
-            var untrustedRootCertificate = untrustedRootCa.Certificate.ToX509Certificate2();
+            var untrustedRootCertificate = new X509Certificate2(untrustedRootCa.Certificate);
             var responders = testServer.RegisterRespondersForEntireChain(untrustedRootCa);
 
             var certificate = CreateSigningCertificate(untrustedRootCa);
@@ -225,16 +210,16 @@ public async Task<X509Certificate2> CreateExpiringSigningCertificateAsync()
         {
             var ca = await GetCertificateAuthorityAsync();
 
-            void CustomizeExpiringSigningCertificate(X509V3CertificateGenerator generator)
+            void CustomizeExpiringSigningCertificate(CertificateRequest certificateRequest)
             {
-                generator.AddSigningEku();
-                generator.AddAuthorityInfoAccess(ca, addOcsp: true, addCAIssuers: true);
-
-                generator.SetNotBefore(DateTime.UtcNow.AddSeconds(-2));
-                generator.SetNotAfter(DateTime.UtcNow.AddSeconds(10));
+                certificateRequest.AddSigningEku();
+                certificateRequest.AddAuthorityInfoAccess(ca, addOcsp: true, addCAIssuers: true);
             }
 
-            var (@public, certificate) = IssueCertificate(ca, "Expired Signing", CustomizeExpiringSigningCertificate);
+            DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddSeconds(-2);
+            DateTimeOffset notAfter = DateTimeOffset.UtcNow.AddSeconds(10);
+
+            var (@public, certificate) = IssueCertificate(ca, "Expired Signing", CustomizeExpiringSigningCertificate, notBefore, notAfter);
 
             return certificate;
         }
@@ -255,7 +240,7 @@ public async Task<UntrustedTimestampService> CreateUntrustedTimestampServiceAsyn
         {
             var testServer = await GetTestServerAsync();
             var untrustedRootCa = CertificateAuthority.Create(testServer.Url);
-            var untrustedRootCertificate = untrustedRootCa.Certificate.ToX509Certificate2();
+            var untrustedRootCertificate = new X509Certificate2(untrustedRootCa.Certificate);
             var timestampService = TimestampService.Create(untrustedRootCa);
             var responders = testServer.RegisterDefaultResponders(timestampService);
 
@@ -276,7 +261,7 @@ public async Task<RevokableTimestampService> CreateRevokableTimestampServiceAsyn
 
             void Revoke()
             {
-                rootCa.Revoke(timestampService.Certificate, RevocationReason.Unspecified, revocationDate);
+                rootCa.Revoke(timestampService.Certificate, X509RevocationReason.Unspecified, revocationDate);
             }
 
             Task WaitForResponseExpirationAsync()
@@ -304,10 +289,10 @@ IDisposable AddOcspResponder()
                 return testServer.RegisterResponder(intermediateCa.OcspResponder);
             }
 
-            void CustomizeAsSigningCertificate(X509V3CertificateGenerator generator)
+            void CustomizeAsSigningCertificate(CertificateRequest certificateRequest)
             {
-                generator.AddSigningEku();
-                generator.AddAuthorityInfoAccess(intermediateCa, addOcsp: true, addCAIssuers: true);
+                certificateRequest.AddSigningEku();
+                certificateRequest.AddAuthorityInfoAccess(intermediateCa, addOcsp: true, addCAIssuers: true);
             }
 
             var issued = IssueCertificate(intermediateCa, "Signing Certificate With Unavailable Revocation", CustomizeAsSigningCertificate);
@@ -328,7 +313,7 @@ public async Task<TimestampServiceWithUnavailableRevocation> CreateTimestampServ
         {
             var testServer = await GetTestServerAsync();
             var rootCa = CertificateAuthority.Create(testServer.Url);
-            var rootCertificate = rootCa.Certificate.ToX509Certificate2();
+            var rootCertificate = new X509Certificate2(rootCa.Certificate);
 
             var trust = new TrustedTestCert<X509Certificate2>(
                 rootCertificate,
@@ -356,27 +341,31 @@ Task WaitForResponseExpirationAsync()
                 disposable);
         }
 
-        protected (BCCertificate publicCertificate, X509Certificate2 certificate) IssueCertificate(
+        protected (X509Certificate2 publicCertificate, X509Certificate2 certificate) IssueCertificate(
             CertificateAuthority ca,
             string name,
-            Action<X509V3CertificateGenerator> customizeCertificate)
+            Action<CertificateRequest> customizeCertificate,
+            DateTimeOffset? notBefore = null,
+            DateTimeOffset? notAfter = null)
         {
-            var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
-
-            var publicCertificate = ca.IssueCertificate(new IssueCertificateOptions
+            using (RSA keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048))
             {
-                CustomizeCertificate = customizeCertificate,
-                NotAfter = DateTime.UtcNow.AddMinutes(10),
-                NotBefore = DateTime.UtcNow.AddSeconds(-10),
-                KeyPair = keyPair,
+                notBefore ??= DateTimeOffset.UtcNow.AddSeconds(-10);
+                notAfter ??= DateTimeOffset.UtcNow.AddMinutes(10);
 
-                SubjectName = new X509Name($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test ${name} Certificate ({Guid.NewGuid()})")
-            });
+                X509Certificate2 certificate = ca.IssueCertificate(new IssueCertificateOptions
+                {
+                    CustomizeCertificate = customizeCertificate,
+                    NotAfter = notAfter.Value,
+                    NotBefore = notBefore.Value,
+                    KeyPair = keyPair,
+                    SubjectName = new X500DistinguishedName($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test ${name} Certificate ({Guid.NewGuid()})")
+                });
 
-            var certificate = publicCertificate.ToX509Certificate2();
-            certificate.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
+                X509Certificate2 publicCertificate = new(certificate.RawData);
 
-            return (publicCertificate, certificate);
+                return (publicCertificate, certificate);
+            }
         }
 
         private async Task<string> GetDefaultTrustedSigningCertificateThumbprintAsync()
 
@@ -2,19 +2,12 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Security.Cryptography.X509Certificates;
-using Test.Utility.Signing;
-using BCCertificate = Org.BouncyCastle.X509.X509Certificate;
+using Microsoft.Internal.NuGet.Testing.SignedPackages;
 
 namespace Validation.PackageSigning.Core.Tests.Support
 {
     public static class ExtensionMethods
     {
-        public static X509Certificate2 ToX509Certificate2(this BCCertificate certificate)
-        {
-            return new X509Certificate2(certificate.GetEncoded());
-        }
-
         public static DisposableList<IDisposable> RegisterResponders(
             this ISigningTestServer testServer,
             CertificateAuthority ca,
 
@@ -0,0 +1,57 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#nullable enable
+
+using System;
+using System.Formats.Asn1;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.Internal.NuGet.Testing.SignedPackages
+{
+    internal sealed class X509AuthorityInformationAccessExtension : X509Extension
+    {
+        private static readonly string AuthorityInfoAccess = "1.3.6.1.5.5.7.1.1";
+        private static readonly string Ocsp = "1.3.6.1.5.5.7.48.1";
+        private static readonly string CaIssuers = "1.3.6.1.5.5.7.48.2";
+
+        internal X509AuthorityInformationAccessExtension(Uri? ocspResponderUrl, Uri? caIssuersUrl)
+            : base(AuthorityInfoAccess, Encode(ocspResponderUrl, caIssuersUrl), critical: false)
+        {
+        }
+
+        private static byte[] Encode(Uri? ocspResponderUrl, Uri? caIssuersUrl)
+        {
+            AsnWriter writer = new(AsnEncodingRules.DER);
+
+            using (writer.PushSequence())
+            {
+                if (ocspResponderUrl is not null)
+                {
+                    using (writer.PushSequence())
+                    {
+                        writer.WriteObjectIdentifier(Ocsp);
+                        writer.WriteCharacterString(
+                            UniversalTagNumber.IA5String,
+                            ocspResponderUrl.OriginalString,
+                            new Asn1Tag(TagClass.ContextSpecific, tagValue: 6));
+                    }
+                }
+
+                if (caIssuersUrl is not null)
+                {
+                    using (writer.PushSequence())
+                    {
+                        writer.WriteObjectIdentifier(CaIssuers);
+                        writer.WriteCharacterString(
+                            UniversalTagNumber.IA5String,
+                            caIssuersUrl.OriginalString,
+                            new Asn1Tag(TagClass.ContextSpecific, tagValue: 6));
+                    }
+                }
+            }
+
+            return writer.Encode();
+        }
+    }
+}