feat: EV validation

Author: deansheather

Installer/Program.cs

@@ -250,7 +250,9 @@ private static int BuildMsiPackage(MsiOptions opts)
         programFiles64Folder.AddDir(installDir);
         project.AddDir(programFiles64Folder);
 
-        // Add registry values that are consumed by the manager.
+        // Add registry values that are consumed by the manager. Note that these
+        // should not be changed. See Vpn.Service/Program.cs and
+        // Vpn.Service/ManagerConfig.cs for more details.
         project.AddRegValues(
             new RegValue(RegistryHive, RegistryKey, "Manager:ServiceRpcPipeName", "Coder.Desktop.Vpn"),
             new RegValue(RegistryHive, RegistryKey, "Manager:TunnelBinaryPath",

Tests.Vpn.Service/DownloaderTest.cs

@@ -1,4 +1,6 @@
+using System.Reflection;
 using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using Coder.Desktop.Vpn.Service;
 using Microsoft.Extensions.Logging.Abstractions;
@@ -59,17 +61,30 @@ public void DifferentCertTrusted(CancellationToken ct)
             Does.Contain("File is not signed with an embedded Authenticode signature: Kind=Catalog"));
     }
 
-    [Test(Description = "Test a binary signed by a different certificate")]
+    [Test(Description = "Test a binary signed by a non-EV certificate")]
     [CancelAfter(30_000)]
-    public void DifferentCertUntrusted(CancellationToken ct)
+    public void NonEvCert(CancellationToken ct)
     {
         // dotnet.exe is signed by .NET. During tests we can be pretty sure
         // this is installed.
         var ex = Assert.ThrowsAsync<Exception>(() =>
             AuthenticodeDownloadValidator.Coder.ValidateAsync(@"C:\Program Files\dotnet\dotnet.exe", ct));
         Assert.That(ex.Message,
             Does.Contain(
-                "File is signed by an unexpected certificate: ExpectedName='Coder Technologies Inc.', ActualName='.NET"));
+                "File is not signed with an Extended Validation Code Signing certificate"));
+    }
+
+    [Test(Description = "Test a binary signed by an EV certificate with a different name")]
+    [CancelAfter(30_000)]
+    public void EvDifferentCertName(CancellationToken ct)
+    {
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata",
+            "hello-versioned-signed.exe");
+        var ex = Assert.ThrowsAsync<Exception>(() =>
+            new AuthenticodeDownloadValidator("Acme Corporation").ValidateAsync(testBinaryPath, ct));
+        Assert.That(ex.Message,
+            Does.Contain(
+                "File is signed by an unexpected certificate: ExpectedName='Acme Corporation', ActualName='Coder Technologies Inc.'"));
     }
 
     [Test(Description = "Test a binary signed by Coder's certificate")]
@@ -80,6 +95,37 @@ public async Task CoderSigned(CancellationToken ct)
             "hello-versioned-signed.exe");
         await AuthenticodeDownloadValidator.Coder.ValidateAsync(testBinaryPath, ct);
     }
+
+    [Test(Description = "Test if the EV check works")]
+    public void IsEvCert()
+    {
+        // To avoid potential API misuse the function is private.
+        var method = typeof(AuthenticodeDownloadValidator).GetMethod("IsExtendedValidationCertificate",
+            BindingFlags.NonPublic | BindingFlags.Static);
+        Assert.That(method, Is.Not.Null, "Could not find IsExtendedValidationCertificate method");
+
+        // Call it with various certificates.
+        var certs = new List<(string, bool)>
+        {
+            // EV:
+            (Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "coder-ev.crt"), true),
+            (Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "google-llc-ev.crt"), true),
+            (Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "self-signed-ev.crt"), true),
+            // Not EV:
+            (Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "mozilla-corporation.crt"), false),
+            (Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "self-signed.crt"), false),
+        };
+
+        foreach (var (certPath, isEv) in certs)
+        {
+            var x509Cert = new X509Certificate2(certPath);
+            var result = (bool?)method!.Invoke(null, [x509Cert]);
+            Assert.That(result, Is.Not.Null,
+                $"IsExtendedValidationCertificate returned null for {Path.GetFileName(certPath)}");
+            Assert.That(result, Is.EqualTo(isEv),
+                $"IsExtendedValidationCertificate returned wrong result for {Path.GetFileName(certPath)}");
+        }
+    }
 }
 
 [TestFixture]

Tests.Vpn.Service/Tests.Vpn.Service.csproj

@@ -13,8 +13,6 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <None Remove="testdata\hello.go" />
-        <None Remove="testdata\winres.json" />
         <None Update="testdata\hello.exe">
             <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
         </None>
@@ -27,6 +25,21 @@
         <None Update="testdata\hello-versioned-signed.exe">
             <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
         </None>
+        <None Update="testdata\coder-ev.crt">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="testdata\google-llc-ev.crt">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="testdata\mozilla-corporation.crt">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="testdata\self-signed.crt">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="testdata\self-signed-ev.crt">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
     </ItemGroup>
 
     <ItemGroup>

Tests.Vpn.Service/testdata/README.md

@@ -0,0 +1,29 @@
+# Tests.Vpn.Service testdata
+
+### Executables
+
+`Build-Assets.ps1` creates `hello.exe` and derivatives. You need `go`,
+`go-winres` and Windows 10 SDK 10.0.19041.0 installed to run this.
+
+You must sign `hello-versioned-signed.exe` yourself with the Coder EV cert after
+the script completes.
+
+These files are checked into the repo so they shouldn't need to be built again.
+
+### Certificates
+
+- `coder-ev.crt` is the Extended Validation Code Signing certificate used by
+  Coder, extracted from a signed release binary on 2025-03-07
+- `google-llc-ev.crt` is the Extended Validation Code Signing certificate used
+  by Google Chrome, extracted from an official binary on 2025-03-07
+- `mozilla-corporation.crt` is a regular Code Signing certificate used by
+  Mozilla Firefox, extracted from an official binary on 2025-03-07
+- `self-signed-ev.crt` was generated with `gen-certs.sh` using Linux OpenSSL
+- `self-signed.crt` was generated with `gen-certs.sh` using Linux OpenSSL
+
+You can extract a certificate from an executable with the following PowerShell
+one-liner:
+
+```powershell
+Get-AuthenticodeSignature binary.exe | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath output.crt
+```

Tests.Vpn.Service/testdata/coder-ev.crt

@@ -0,0 +1,49 @@
+#!/bin/bash
+set -euo pipefail
+
+# Generate a regular code signing certificate without the EV policy OID.
+openssl req \
+  -x509 \
+  -newkey rsa:2048 \
+  -keyout /dev/null \
+  -out self-signed.crt \
+  -days 3650 \
+  -nodes \
+  -subj "/CN=Coder Self Signed" \
+  -addext "keyUsage=digitalSignature" \
+  -addext "extendedKeyUsage=codeSigning"
+
+# Generate an EV code signing certificate by adding the EV policy OID. We add
+# a different OID before the EV OID to ensure the validator can handle multiple
+# policies.
+config="
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = Coder Self Signed EV
+
+[v3_req]
+keyUsage = digitalSignature
+extendedKeyUsage = codeSigning
+certificatePolicies = @pol1,@pol2
+
+[pol1]
+policyIdentifier = 2.23.140.1.4.1
+CPS.1="https://coder.com"
+
+[pol2]
+policyIdentifier = 2.23.140.1.3
+CPS.1="https://coder.com"
+"
+
+openssl req \
+  -x509 \
+  -newkey rsa:2048 \
+  -keyout /dev/null \
+  -out self-signed-ev.crt \
+  -days 3650 \
+  -nodes \
+  -config <(echo "$config")

Tests.Vpn.Service/testdata/gen-certs.sh

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcTCCAlmgAwIBAgIUEzhP7oxDynN4aXNmRqGZzPUCkxUwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUQ29kZXIgU2VsZiBTaWduZWQgRVYwHhcNMjUwMzA3MDQ0
+NzQ2WhcNMzUwMzA1MDQ0NzQ2WjAfMR0wGwYDVQQDDBRDb2RlciBTZWxmIFNpZ25l
+ZCBFVjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzzLlfpFYwEfQb6
+eizMaUr9/Op2ELLBRjabDT17uXBTPFHVtHewIaZfYPv7aY3B3rQTzHfE0y9YYO0+
+1Zhd2WpNKYO3iQM9OOcd69XYuDeRh09m6vOwcK7gSkSr55D/dUe4+vnjQBG9O6Na
+fby/kcJuDVNnR9rTPJpXqfnlgjrO2WNbBn3K0xJcNjVpMqFm2Iw9eYCRTVIUp559
++iUGnwM+NT0cGAMB8242Jyz6xgEaRnSmddmxLDkfWWfivamSpWaaopR2T5+6txFW
+C1vBeZ4Au+9FEne64NVefVDjdeIDU7pgwYxykPDf+Sc704L8Da5X0gEoa82pHOfw
+1DNP94kCAwEAAaOBpDCBoTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH
+AwMwXgYDVR0gBFcwVTApBgZngQwBBAEwHzAdBggrBgEFBQcCARYRaHR0cHM6Ly9j
+b2Rlci5jb20wKAYFZ4EMAQMwHzAdBggrBgEFBQcCARYRaHR0cHM6Ly9jb2Rlci5j
+b20wHQYDVR0OBBYEFL9MxyFpCw/CmWioihuEP6x8XW0zMA0GCSqGSIb3DQEBCwUA
+A4IBAQC19lsc4EEOD4H3VNtQpLaBPLmNU4dD4bpWpoqv2YIYFl0T2cSkZZ1ZmSKR
+PV+1D3w7HsdmOf+1wXQv8w4POy3Z/7m6pcy/Efw9ImYs5zwRr5AniFJxjRBkUYB2
+i2m3650v5OAab4qay0FWCY4/8MX866fiLrO0oyjFI6tU/Py8kWV7IgOa9RxJpNou
+oITfLXLZRgXULiaXaQRA4TdD5zI9Qe/wwvj6wJH3u8qpRq+m+vo0cxfQ47tisL11
+nMM59fUZrypxdOTRK0QiGz5rJlLmZXZO27RNT3ewpJsq4qjQ3CtJ946vdjDc8+kY
+ChQ9e6sS5mLBP4JXtuyG+P1Fdp5t
+-----END CERTIFICATE-----

Tests.Vpn.Service/testdata/google-llc-ev.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiOgAwIBAgIUJAIgmuCtIc9yUfpTo3h0Srn3C88wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRQ29kZXIgU2VsZiBTaWduZWQwHhcNMjUwMzA3MDQ0NzQ2
+WhcNMzUwMzA1MDQ0NzQ2WjAcMRowGAYDVQQDDBFDb2RlciBTZWxmIFNpZ25lZDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6uYLDXy/C7TC4XaUbEmBiK
+ICUAz/XDFB19aJrvG6LQYmdbR8sCV4uvoZAXYfribD+AGrysEDnpny1BzNORARLd
+szBy0m1fOGbWqaBXg7Ot37rHWkU2iT2NEminHinx9UoJZLWxXsT1h1pnyJO4uzBW
+jroRgYbOzkaccoDSWebDjnzAy4LA+Sfdzqm4RvJFD+5dhg/EXyJyLQApN22NWOTP
+/8UXO0guUwSC+TGNFGRE6DkN96uX851HaCgrflz9zdLN5FSrSqvTsSStMTF9tHU3
+RlZFjTL+pVD6XSRMLn78xbch87sD3egaxaTvKd9Crx88GMwAnmrp8HqFAdUm4WUC
+AwEAAaN1MHMwHQYDVR0OBBYEFDJM3fCTrkRAMNKQhoH3mWyLXY0JMB8GA1UdIwQY
+MBaAFDJM3fCTrkRAMNKQhoH3mWyLXY0JMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P
+BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQCU
+xdNbMynw3YexqDjzHaKFGp4p8pXH9lXAa50e2UsYQ2C3HjBRkDQ0VGwqZaWWidMo
+ZdL3TiKT3Gvd+eVEvZNVYAhOytevhztGa7RSIC54KbHM9pQiarQcCCpAVR3S1Ced
+zGExk2iVL/o4TZKipvv+lj9b+FmavtoWq9kDuO0Suja0rzBfk5/UpATWbVOSGzY9
+1u0Rm2aIGgKxpOVPaxjD8JzJ+47r7Z6tSoYt4PScRy1kgf0VwKeUUdWLiGN4JxoS
+dX/onACConyPh4gK1fbHuKaoxVkIV3nFRAk18AwF4jThqFDkCQmUwh7A0DSyiPiD
+WeRW1iidZptmwzaOLnwz
+-----END CERTIFICATE-----