MS Store cert pinning updates (#5732)

## Change
New certificate pinning guidelines/PKI allow us to pin only a trusted
intermediate. This means less churn due to renewals with the Store.

Adds functionality to the pinning validation to allow partial chain
definitions. This is leveraged to allow chains containing two new
intermediate certificates

The existing chains are left as is since they continue to be the current
in-operation values.

## Validation
Adds new tests covering partial chain definitions, etc.
Adds a new test to warn about the remaining lifetime of pinning
certificates.

Author: JohnMcPMS

.github/actions/spelling/expect.txt

@@ -18,6 +18,7 @@ AMap
 Amd
 amrutha
 ansistring
+anyissuer
 Aot
 APARTMENTTHREADED
 apfn
@@ -106,6 +107,7 @@ countryregion
 Cov
 CPIL
 createmanifestmetadata
+crt
 cswinrt
 ctc
 CTL
@@ -167,6 +169,7 @@ FECAFEB
 fedorapeople
 fileinuse
 filemode
+Filetime
 Filtercriteria
 Finalizers
 fintimes
@@ -452,6 +455,7 @@ removefile
 reparse
 repeatedkey
 REQS
+requirenonleaf
 restsource
 RGBQUAD
 rgp
@@ -538,6 +542,7 @@ thiscouldbeapc
 threehundred
 timespan
 Tlg
+TLSCAs
 tombstoned
 transitioning
 trimstart

src/AppInstallerCLITests/Certificates.cpp

@@ -18,7 +18,7 @@ TEST_CASE("Certificates_NoPinningSucceeds", "[certificates]")
     PinningDetails actual;
     actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
-    REQUIRE(expected.Validate(actual.GetCertificate()));
+    REQUIRE(CertificatePinningValidationResult::Accepted == expected.Validate(actual.GetCertificate(), CertificateChainPosition::Leaf));
 }
 
 TEST_CASE("Certificates_PublicKeyMismatch", "[certificates]")
@@ -29,7 +29,7 @@ TEST_CASE("Certificates_PublicKeyMismatch", "[certificates]")
     PinningDetails actual;
     actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
-    REQUIRE(!expected.Validate(actual.GetCertificate()));
+    REQUIRE(CertificatePinningValidationResult::Rejected == expected.Validate(actual.GetCertificate(), CertificateChainPosition::Leaf));
 }
 
 TEST_CASE("Certificates_PublicKeyMatch", "[certificates]")
@@ -40,7 +40,7 @@ TEST_CASE("Certificates_PublicKeyMatch", "[certificates]")
     PinningDetails actual;
     actual.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE);
 
-    REQUIRE(expected.Validate(actual.GetCertificate()));
+    REQUIRE(CertificatePinningValidationResult::Accepted == expected.Validate(actual.GetCertificate(), CertificateChainPosition::Root));
 }
 
 TEST_CASE("Certificates_SubjectMismatch", "[certificates]")
@@ -51,7 +51,7 @@ TEST_CASE("Certificates_SubjectMismatch", "[certificates]")
     PinningDetails actual;
     actual.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE);
 
-    REQUIRE(!expected.Validate(actual.GetCertificate()));
+    REQUIRE(CertificatePinningValidationResult::Rejected == expected.Validate(actual.GetCertificate(), CertificateChainPosition::Intermediate));
 }
 
 TEST_CASE("Certificates_SubjectMatch", "[certificates]")
@@ -62,7 +62,7 @@ TEST_CASE("Certificates_SubjectMatch", "[certificates]")
     PinningDetails actual;
     actual.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE);
 
-    REQUIRE(expected.Validate(actual.GetCertificate()));
+    REQUIRE(CertificatePinningValidationResult::Accepted == expected.Validate(actual.GetCertificate(), CertificateChainPosition::Intermediate));
 }
 
 TEST_CASE("Certificates_IssuerMismatch", "[certificates]")
@@ -73,7 +73,7 @@ TEST_CASE("Certificates_IssuerMismatch", "[certificates]")
     PinningDetails actual;
     actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
-    REQUIRE(!expected.Validate(actual.GetCertificate()));
+    REQUIRE(CertificatePinningValidationResult::Rejected == expected.Validate(actual.GetCertificate(), CertificateChainPosition::Leaf));
 }
 
 TEST_CASE("Certificates_IssuerMatch", "[certificates]")
@@ -84,7 +84,7 @@ TEST_CASE("Certificates_IssuerMatch", "[certificates]")
     PinningDetails actual;
     actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
-    REQUIRE(expected.Validate(actual.GetCertificate()));
+    REQUIRE(CertificatePinningValidationResult::Accepted == expected.Validate(actual.GetCertificate(), CertificateChainPosition::Leaf));
 }
 
 TEST_CASE("Certificates_ChainLengthDiffers", "[certificates]")
@@ -104,6 +104,122 @@ TEST_CASE("Certificates_ChainLengthDiffers", "[certificates]")
     REQUIRE(!config.Validate(details.GetCertificate()));
 }
 
+TEST_CASE("Certificates_ChainLengthDiffers_Partial", "[certificates]")
+{
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
+    chainElement = chainElement.Next();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chain.PartialChain();
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(config.Validate(details.GetCertificate()));
+}
+
+TEST_CASE("CertificateChain_AnyIssuer_Intermediate", "[certificates]")
+{
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer | PinningVerificationType::RequireNonLeaf);
+    chain.PartialChain();
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(config.Validate(details.GetCertificate()));
+}
+
+TEST_CASE("CertificateChain_AnyIssuer_IntermediateDiffers", "[certificates]")
+{
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_1, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer | PinningVerificationType::RequireNonLeaf);
+    chain.PartialChain();
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(!config.Validate(details.GetCertificate()));
+}
+
+TEST_CASE("CertificateChain_AnyIssuer_IntermediateAndLeaf", "[certificates]")
+{
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer | PinningVerificationType::RequireNonLeaf);
+    chainElement = chainElement.Next();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chain.PartialChain();
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(config.Validate(details.GetCertificate()));
+}
+
+TEST_CASE("CertificateChain_AnyIssuer_Leaf", "[certificates]")
+{
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer);
+    chain.PartialChain();
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(config.Validate(details.GetCertificate()));
+}
+
+TEST_CASE("CertificateChain_AnyIssuer_LeafDiffers", "[certificates]")
+{
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_1, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer);
+    chain.PartialChain();
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(!config.Validate(details.GetCertificate()));
+}
+
+TEST_CASE("CertificateChain_AnyIssuer_SameLeaf_RequireNonLeaf", "[certificates]")
+{
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer | PinningVerificationType::RequireNonLeaf);
+    chain.PartialChain();
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(!config.Validate(details.GetCertificate()));
+}
+
 TEST_CASE("Certificates_EmptyChainRejects", "[certificates]")
 {
     PinningChain chain;
@@ -183,3 +299,47 @@ TEST_CASE("Certificates_MultipleChains_Success", "[certificates]")
 
     REQUIRE(config.Validate(details.GetCertificate()));
 }
+
+TEST_CASE("CertificateChain_Position", "[certificates]")
+{
+    CertificateChainPosition positions[3]{ CertificateChainPosition::Unknown, CertificateChainPosition::Unknown, CertificateChainPosition::Unknown };
+
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetCustomValidationFunction([&](const PinningDetails&, PCCERT_CONTEXT, CertificateChainPosition position) { positions[0] = position; return true; });
+    chainElement = chainElement.Next();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetCustomValidationFunction([&](const PinningDetails&, PCCERT_CONTEXT, CertificateChainPosition position) { positions[1] = position; return true; });
+    chainElement = chainElement.Next();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetCustomValidationFunction([&](const PinningDetails&, PCCERT_CONTEXT, CertificateChainPosition position) { positions[2] = position; return true; });
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(config.Validate(details.GetCertificate()));
+
+    REQUIRE(CertificateChainPosition::Root == positions[0]);
+    REQUIRE(CertificateChainPosition::Intermediate == positions[1]);
+    REQUIRE(CertificateChainPosition::Leaf == positions[2]);
+}
+
+TEST_CASE("CertificateChain_Position_SelfSigned", "[certificates]")
+{
+    CertificateChainPosition positions[1]{ CertificateChainPosition::Unknown };
+
+    PinningChain chain;
+    auto chainElement = chain.Root();
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetCustomValidationFunction([&](const PinningDetails&, PCCERT_CONTEXT, CertificateChainPosition position) { positions[0] = position; return true; });
+
+    PinningConfiguration config;
+    config.AddChain(chain);
+
+    PinningDetails details;
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE);
+
+    REQUIRE(config.Validate(details.GetCertificate()));
+
+    REQUIRE((CertificateChainPosition::Root | CertificateChainPosition::Leaf) == positions[0]);
+}

src/AppInstallerCLITests/Sources.cpp

@@ -1339,3 +1339,24 @@ TEST_CASE("RepoSources_BuiltInDesktopFrameworkSourceAlwaysCreatable", "[sources]
     Source source(WellKnownSource::DesktopFrameworks);
     REQUIRE(source);
 }
+
+TEST_CASE("RepoSources_MicrosoftStore_CertificatePinningLifetimeCheck", "[sources]")
+{
+    TestHook_ClearSourceFactoryOverrides();
+
+    GroupPolicyTestOverride policies;
+    policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::Disabled);
+    Source source(WellKnownSource::MicrosoftStore);
+    REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+
+    // The configuration's remaining lifetime is the *maximum* of the remaining lifetimes of the individual chains.
+    // A chain's remaining lifetime is the *minimum* of the remaining lifetimes of the individual certificates.
+    // A certificate's remaining lifetime is a value between 0.0 and 1.0 that is the ratio of remaining valid time to total valid time.
+
+    // The goal of this test is to warn when the pinning configuration may be in danger of expiration; either via certificate validity or
+    // more likely by renewals causing the pinning to reject the new, correct certificates. It operates in percentage lifetime to normalize
+    // the values across the chain.
+    INFO("If this test has failed, the pinning certificates may be nearing expiration and should be investigated.");
+    double lifetimePercentage = source.GetDetails().CertificatePinningConfiguration.GetRemainingLifetimePercentage();
+    REQUIRE(lifetimePercentage > 0.25);
+}

src/AppInstallerRepositoryCore/SourceList.cpp

@@ -343,9 +343,22 @@ namespace AppInstaller::Repository
                 chainElement2 = chainElement2.Next();
                 chainElement2->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
 
+                // See https://aka.ms/AzureTLSCAs (internal) for the source of these CAs
+                PinningChain chain3;
+                chain3.PartialChain().Root()->
+                    LoadCertificate(IDX_CERTIFICATE_MS_TLS_ECC_ROOT_G2, CERTIFICATE_RESOURCE_TYPE).
+                    SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer | PinningVerificationType::RequireNonLeaf);
+
+                PinningChain chain4;
+                chain4.PartialChain().Root()->
+                    LoadCertificate(IDX_CERTIFICATE_MS_TLS_RSA_ROOT_G2, CERTIFICATE_RESOURCE_TYPE).
+                    SetPinning(PinningVerificationType::PublicKey | PinningVerificationType::AnyIssuer | PinningVerificationType::RequireNonLeaf);
+
                 details.CertificatePinningConfiguration = PinningConfiguration("Microsoft Store Source");
                 details.CertificatePinningConfiguration.AddChain(std::move(chain));
                 details.CertificatePinningConfiguration.AddChain(std::move(chain2));
+                details.CertificatePinningConfiguration.AddChain(std::move(chain3));
+                details.CertificatePinningConfiguration.AddChain(std::move(chain4));
             }
 
             return details;