Windows CNG virtualization-based security (#102495)

* Windows CNG virtualization-based security

* Add missing change in Microsoft.Bcl.Cryptography.Tests

src/libraries/Common/tests/System/Net/Configuration.Certificates.Dynamic.cs

@@ -6,7 +6,6 @@
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Cryptography.X509Certificates.Tests.Common;
-using Test.Cryptography;
 
 namespace System.Net.Test.Common
 {

src/libraries/Common/tests/System/Net/Configuration.Certificates.cs

@@ -7,7 +7,6 @@
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
-using Test.Cryptography;
 using Xunit;
 
 namespace System.Net.Test.Common

src/libraries/Common/tests/System/Security/Cryptography/CngKeyWrapper.cs

@@ -0,0 +1,75 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+#nullable enable
+
+using Xunit;
+using System;
+using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
+
+namespace Test.Cryptography
+{
+    internal sealed class CngKeyWrapper : IDisposable
+    {
+        private CngKeyWrapper(
+            CngAlgorithm algorithm,
+            CngKeyCreationParameters cngCreationParameters,
+            string? keySuffix = null,
+            [CallerMemberName] string? testName = null)
+        {
+            Key = CngKey.Create(algorithm, $"{testName}{algorithm.Algorithm}{keySuffix}", cngCreationParameters);
+        }
+
+        public static CngKeyWrapper CreateMicrosoftPlatformCryptoProvider(
+            CngAlgorithm algorithm,
+            string? keySuffix = null,
+            [CallerMemberName] string? testName = null,
+            CngKeyCreationOptions creationOption = CngKeyCreationOptions.None,
+            params CngProperty[] additionalParameters)
+        {
+            const string MicrosoftPlatformCryptoProvider = "Microsoft Platform Crypto Provider";
+
+#if NETFRAMEWORK
+            CngProvider cngProvider = new(MicrosoftPlatformCryptoProvider);
+#else
+            Assert.Equal(MicrosoftPlatformCryptoProvider, CngProvider.MicrosoftPlatformCryptoProvider.Provider);
+            CngProvider cngProvider = CngProvider.MicrosoftPlatformCryptoProvider;
+#endif
+            CngKeyCreationParameters cngCreationParameters = new()
+            {
+                Provider = cngProvider,
+                KeyCreationOptions = creationOption | CngKeyCreationOptions.OverwriteExistingKey,
+            };
+
+            foreach (CngProperty parameter in additionalParameters)
+            {
+                cngCreationParameters.Parameters.Add(parameter);
+            }
+
+            return new CngKeyWrapper(algorithm, cngCreationParameters, keySuffix, testName);
+        }
+
+        public static CngKeyWrapper CreateMicrosoftSoftwareKeyStorageProvider(
+            CngAlgorithm algorithm,
+            CngKeyCreationOptions creationOption,
+            string? keySuffix = null,
+            [CallerMemberName] string? testName = null)
+        {
+            CngKeyCreationParameters cngCreationParameters = new()
+            {
+                Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider,
+                KeyCreationOptions = creationOption | CngKeyCreationOptions.OverwriteExistingKey,
+            };
+
+            return new CngKeyWrapper(algorithm, cngCreationParameters, keySuffix, testName);
+        }
+
+        public CngKey Key { get; }
+
+        public void Dispose()
+        {
+            Key.Delete();
+        }
+    }
+}

src/libraries/Common/tests/System/Security/Cryptography/PlatformSupport.cs

@@ -37,30 +37,47 @@ static bool DetermineAlgorithmFunctional(CngAlgorithm algorithm)
                     return false;
                 }
 #endif
-
-                CngKey key = null;
-
                 try
                 {
-                    key = CngKey.Create(
+                    using CngKeyWrapper key = CngKeyWrapper.CreateMicrosoftPlatformCryptoProvider(
                             algorithm,
-                            $"{nameof(PlatformCryptoProviderFunctional)}{algorithm.Algorithm}Key",
-                        new CngKeyCreationParameters
-                        {
-                            Provider = new CngProvider("Microsoft Platform Crypto Provider"),
-                            KeyCreationOptions = CngKeyCreationOptions.OverwriteExistingKey,
-                        });
+                            keySuffix: $"{algorithm.Algorithm}Key");
 
                     return true;
                 }
                 catch (CryptographicException)
                 {
                     return false;
                 }
-                finally
-                {
-                    key?.Delete();
-                }
+            }
+        }
+
+        private static bool CheckIfVbsAvailable()
+        {
+#if !NETFRAMEWORK
+            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                return false;
+            }
+#endif
+
+            try
+            {
+                const CngKeyCreationOptions RequireVbs = (CngKeyCreationOptions)0x00020000;
+#if !NETFRAMEWORK
+                Assert.Equal(CngKeyCreationOptions.RequireVbs, RequireVbs);
+#endif
+
+                using CngKeyWrapper key = CngKeyWrapper.CreateMicrosoftSoftwareKeyStorageProvider(
+                        CngAlgorithm.ECDsaP256,
+                        RequireVbs,
+                        keySuffix: $"{CngAlgorithm.ECDsaP256.Algorithm}Key");
+
+                return true;
+            }
+            catch (CryptographicException)
+            {
+                return false;
             }
         }
 
@@ -83,5 +100,8 @@ static bool DetermineAlgorithmFunctional(CngAlgorithm algorithm)
         internal static bool PlatformCryptoProviderFunctionalP256 => PlatformCryptoProviderFunctional(CngAlgorithm.ECDsaP256);
         internal static bool PlatformCryptoProviderFunctionalP384 => PlatformCryptoProviderFunctional(CngAlgorithm.ECDsaP384);
         internal static bool PlatformCryptoProviderFunctionalRsa => PlatformCryptoProviderFunctional(CngAlgorithm.Rsa);
+
+        private static bool? s_isVbsAvailable;
+        internal static bool IsVbsAvailable => s_isVbsAvailable ??= CheckIfVbsAvailable();
     }
 }

src/libraries/Microsoft.Bcl.Cryptography/tests/Microsoft.Bcl.Cryptography.Tests.csproj

@@ -12,6 +12,8 @@
              Link="CommonTest\System\Security\Cryptography\ByteUtils.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
              Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
+    <Compile Include="$(CommonTestPath)System\Security\Cryptography\CngKeyWrapper.cs"
+             Link="TestCommon\System\Security\Cryptography\CngKeyWrapper.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\SP800108HmacCounterKdfTests.ArgValidation.cs"
              Link="CommonTest\System\Security\Cryptography\SP800108HmacCounterKdfTests.ArgValidation.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\SP800108HmacCounterKdfTests.Functional.cs"

src/libraries/System.Net.Http.Json/tests/FunctionalTests/System.Net.Http.Json.Functional.Tests.csproj

@@ -27,7 +27,6 @@
     <Compile Include="$(CommonTestPath)System\Net\Http\GenericLoopbackServer.cs" Link="Common\System\Net\Http\GenericLoopbackServer.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\LoopbackServer.cs" Link="Common\System\Net\Http\LoopbackServer.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\TestHelper.cs" Link="Common\System\Net\Http\TestHelper.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs" Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\Tasks\TaskTimeoutExtensions.cs" Link="Common\System\Threading\Tasks\TaskTimeoutExtensions.cs" />
   </ItemGroup>
 

src/libraries/System.Net.Http.WinHttpHandler/tests/FunctionalTests/System.Net.Http.WinHttpHandler.Functional.Tests.csproj

@@ -133,8 +133,6 @@
              Link="Common\System\Net\Http\SyncBlockingContent.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\ThrowingContent.cs"
              Link="Common\System\Net\Http\ThrowingContent.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
-             Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\Tasks\TaskTimeoutExtensions.cs"
              Link="Common\System\Threading\Tasks\TaskTimeoutExtensions.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\TrackingSynchronizationContext.cs"

src/libraries/System.Net.Http/tests/FunctionalTests/System.Net.Http.Functional.Tests.csproj

@@ -69,8 +69,6 @@
              Link="Common\System\IO\DelegatingStream.cs" />
     <Compile Include="$(CommonTestPath)System\Net\RemoteServerQuery.cs"
              Link="Common\System\Net\RemoteServerQuery.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
-             Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Configuration.Certificates.cs"
              Link="Common\System\Net\Configuration.Certificates.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Configuration.Certificates.Dynamic.cs"

src/libraries/System.Net.Quic/tests/FunctionalTests/System.Net.Quic.Functional.Tests.csproj

@@ -27,7 +27,6 @@
     <Compile Include="$(CommonTestPath)System\Net\Configuration.Security.cs" Link="Common\System\Net\Configuration.Security.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Configuration.Sockets.cs" Link="Common\System\Net\Configuration.Sockets.cs" />
     <Compile Include="$(CommonTestPath)System\Net\RemoteExecutorExtensions.cs" Link="Common\System\Net\RemoteExecutorExtensions.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs" Link="TestCommon\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\X509Certificates\CertificateAuthority.cs" Link="CommonTest\System\Security\Cryptography\X509Certificates\CertificateAuthority.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\X509Certificates\RevocationResponder.cs" Link="CommonTest\System\Security\Cryptography\X509Certificates\RevocationResponder.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\Tasks\TaskTimeoutExtensions.cs" Link="TestCommon\System\Threading\Tasks\TaskTimeoutExtensions.cs" />

src/libraries/System.Net.Requests/tests/System.Net.Requests.Tests.csproj

@@ -38,8 +38,6 @@
              Link="Common\System\Net\Http\GenericLoopbackServer.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\TestHelper.cs"
              Link="Common\System\Net\Http\TestHelper.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
-             Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\Tasks\TaskTimeoutExtensions.cs"
              Link="Common\System\Threading\Tasks\TaskTimeoutExtensions.cs" />
   </ItemGroup>

src/libraries/System.Net.Security/tests/FunctionalTests/System.Net.Security.Tests.csproj

@@ -91,8 +91,6 @@
              Link="Common\System\Net\EventSourceTestLogging.cs" />
     <Compile Include="$(CommonTestPath)System\Net\RemoteExecutorExtensions.cs"
              Link="Common\System\Net\RemoteExecutorExtensions.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
-             Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\X509Certificates\CertificateAuthority.cs"
              Link="CommonTest\System\Security\Cryptography\X509Certificates\CertificateAuthority.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\X509Certificates\RevocationResponder.cs"

src/libraries/System.Net.WebClient/tests/System.Net.WebClient.Tests.csproj

@@ -25,8 +25,6 @@
              Link="Common\System\Net\Http\GenericLoopbackServer.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\TestHelper.cs"
              Link="Common\System\Net\Http\TestHelper.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
-             Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\Tasks\TaskTimeoutExtensions.cs"
              Link="Common\System\Threading\Tasks\TaskTimeoutExtensions.cs" />
   </ItemGroup>

src/libraries/System.Net.WebSockets.Client/tests/System.Net.WebSockets.Client.Tests.csproj

@@ -47,7 +47,6 @@
     <Compile Include="$(CommonTestPath)System\Net\Http\HuffmanEncoder.cs" Link="Common\System\Net\Http\HuffmanEncoder.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\HPackEncoder.cs" Link="Common\System\Net\Http\HPackEncoder.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\GenericLoopbackServer.cs" Link="Common\System\Net\Http\GenericLoopbackServer.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs" Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\Tasks\TaskTimeoutExtensions.cs" Link="Common\System\Threading\Tasks\TaskTimeoutExtensions.cs" />
     <Compile Include="AbortTest.cs" />
     <Compile Include="AbortTest.Loopback.cs" />

src/libraries/System.Net.WebSockets.Client/tests/wasm/System.Net.WebSockets.Client.Wasm.Tests.csproj

@@ -40,8 +40,6 @@
              Link="Common\System\Net\Http\LoopbackServer.cs" />
     <Compile Include="$(CommonTestPath)System\Net\Http\GenericLoopbackServer.cs"
              Link="Common\System\Net\Http\GenericLoopbackServer.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
-             Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Threading\Tasks\TaskTimeoutExtensions.cs"
              Link="Common\System\Threading\Tasks\TaskTimeoutExtensions.cs" />
     <Compile Include="..\ClientWebSocketTestBase.cs" />

src/libraries/System.Security.Cryptography.Cng/tests/ECDiffieHellmanCngTests.cs

@@ -193,8 +193,8 @@ public static void HashAlgorithm_SupportsOtherECDHImplementations()
         [OuterLoop("Hardware backed key generation takes several seconds.")]
         public static void PlatformCryptoProvider_DeriveKeyMaterial()
         {
-            using (CngPlatformProviderKey platformKey1 = new CngPlatformProviderKey(CngAlgorithm.ECDiffieHellmanP256, "key1"))
-            using (CngPlatformProviderKey platformKey2 = new CngPlatformProviderKey(CngAlgorithm.ECDiffieHellmanP256, "key2"))
+            using (CngKeyWrapper platformKey1 = CngKeyWrapper.CreateMicrosoftPlatformCryptoProvider(CngAlgorithm.ECDiffieHellmanP256, "key1"))
+            using (CngKeyWrapper platformKey2 = CngKeyWrapper.CreateMicrosoftPlatformCryptoProvider(CngAlgorithm.ECDiffieHellmanP256, "key2"))
             using (ECDiffieHellmanCng ecdhCng1 = new ECDiffieHellmanCng(platformKey1.Key))
             using (ECDiffieHellmanCng ecdhCng2 = new ECDiffieHellmanCng(platformKey2.Key))
             {

src/libraries/System.Security.Cryptography.Cng/tests/PropertyTests.cs

@@ -17,7 +17,7 @@ public static void CreatePersisted_PlatformEccKeyHasKeySize_P256(string algorith
         {
             CngAlgorithm cngAlgorithm = new CngAlgorithm(algorithm);
 
-            using (CngPlatformProviderKey platformKey = new CngPlatformProviderKey(cngAlgorithm))
+            using (CngKeyWrapper platformKey = CngKeyWrapper.CreateMicrosoftPlatformCryptoProvider(cngAlgorithm))
             {
                 Assert.Equal(256, platformKey.Key.KeySize);
             }
@@ -31,7 +31,7 @@ public static void CreatePersisted_PlatformEccKeyHasKeySize_P384(string algorith
         {
             CngAlgorithm cngAlgorithm = new CngAlgorithm(algorithm);
 
-            using (CngPlatformProviderKey platformKey = new CngPlatformProviderKey(cngAlgorithm))
+            using (CngKeyWrapper platformKey = CngKeyWrapper.CreateMicrosoftPlatformCryptoProvider(cngAlgorithm))
             {
                 Assert.Equal(384, platformKey.Key.KeySize);
             }
@@ -44,7 +44,7 @@ public static void CreatePersisted_PlatformEccKeyHasKeySize_P384(string algorith
         public static void CreatePersisted_PlatformRsaKeyHasKeySize(int keySize)
         {
             CngProperty keyLengthProperty = new CngProperty("Length", BitConverter.GetBytes(keySize), CngPropertyOptions.None);
-            CngPlatformProviderKey platformKey = new CngPlatformProviderKey(
+            CngKeyWrapper platformKey = CngKeyWrapper.CreateMicrosoftPlatformCryptoProvider(
                 CngAlgorithm.Rsa,
                 keySuffix: keySize.ToString(),
                 additionalParameters: keyLengthProperty);

src/libraries/System.Security.Cryptography.Cng/tests/System.Security.Cryptography.Cng.Tests.csproj

@@ -39,8 +39,8 @@
              Link="CommonTest\System\Security\Cryptography\AlgorithmImplementations\ECDiffieHellman\ECDiffieHellmanFactory.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\ByteUtils.cs"
              Link="CommonTest\System\Security\Cryptography\ByteUtils.cs" />
-    <Compile Include="$(CommonTestPath)System\Security\Cryptography\CngPlatformProviderKey.cs"
-             Link="CommonTest\System\Security\Cryptography\CngPlatformProviderKey.cs" />
+    <Compile Include="$(CommonTestPath)System\Security\Cryptography\CngKeyWrapper.cs"
+             Link="CommonTest\System\Security\Cryptography\CngKeyWrapper.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\CryptoUtils.cs"
              Link="CommonTest\System\Security\Cryptography\CryptoUtils.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"

src/libraries/System.Security.Cryptography.Csp/tests/System.Security.Cryptography.Csp.Tests.csproj

@@ -22,6 +22,8 @@
              Link="CommonTest\System\Security\Cryptography\CryptoUtils.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
              Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
+    <Compile Include="$(CommonTestPath)System\Security\Cryptography\CngKeyWrapper.cs"
+             Link="TestCommon\System\Security\Cryptography\CngKeyWrapper.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\AlgorithmImplementations\RSA\EncryptDecrypt.cs"
              Link="CommonTest\System\Security\Cryptography\AlgorithmImplementations\RSA\EncryptDecrypt.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\AlgorithmImplementations\RSA\ImportExport.cs"

src/libraries/System.Security.Cryptography.OpenSsl/tests/System.Security.Cryptography.OpenSsl.Tests.csproj

@@ -14,6 +14,8 @@
              Link="CommonTest\System\Security\Cryptography\ByteUtils.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
              Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
+    <Compile Include="$(CommonTestPath)System\Security\Cryptography\CngKeyWrapper.cs"
+             Link="TestCommon\System\Security\Cryptography\CngKeyWrapper.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\SignatureSupport.cs"
              Link="CommonTest\System\Security\Cryptography\SignatureSupport.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\AlgorithmImplementations\RC2\RC2Factory.cs"

src/libraries/System.Security.Cryptography.Pkcs/tests/System.Security.Cryptography.Pkcs.Tests.csproj

@@ -9,6 +9,8 @@
              Link="CommonTest\System\Security\Cryptography\ByteUtils.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
              Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
+    <Compile Include="$(CommonTestPath)System\Security\Cryptography\CngKeyWrapper.cs"
+             Link="TestCommon\System\Security\Cryptography\CngKeyWrapper.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\SignatureSupport.cs"
              Link="CommonTest\System\Security\Cryptography\SignatureSupport.cs" />
     <Compile Include="Certificates.cs" />