X509Certificates.Tests: make tests pass when sha1 cert signatures are not supported

Co-authored-by: NJeremy Barton <jbarton@microsoft.com>

src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs

@@ -168,7 +168,7 @@ public static void TestDispose()
             Assert.Equal(IntPtr.Zero, chain.ChainContext);
         }
 
-        [Fact]
+        [ConditionalFact(typeof(SignatureSupport), nameof(SignatureSupport.SupportsX509Sha1Signatures))]
         public static void TestResetMethod()
         {
             using (var sampleCert = new X509Certificate2(TestData.DssCer))
@@ -312,7 +312,12 @@ public static IEnumerable<object[]> BuildChainCustomTrustStoreData()
             if (!PlatformDetection.IsAndroid)
             {
                 // Android doesn't support an empty custom root
-                yield return new object[] { false, X509ChainStatusFlags.UntrustedRoot, BuildChainCustomTrustStoreTestArguments.TrustedIntermediateUntrustedRoot };
+                X509ChainStatusFlags flags = X509ChainStatusFlags.UntrustedRoot;
+                if (!SignatureSupport.SupportsX509Sha1Signatures)
+                {
+                    flags |= X509ChainStatusFlags.NotSignatureValid;
+                }
+                yield return new object[] { false, flags, BuildChainCustomTrustStoreTestArguments.TrustedIntermediateUntrustedRoot };
             }
 
             yield return new object[] { true, X509ChainStatusFlags.NoError, BuildChainCustomTrustStoreTestArguments.UntrustedIntermediateTrustedRoot };
@@ -557,7 +562,7 @@ public static void BuildChain_WithApplicationPolicy_NoMatch()
             }
         }
 
-        [Fact]
+        [ConditionalFact(typeof(SignatureSupport), nameof(SignatureSupport.SupportsX509Sha1Signatures))]
         public static void BuildChain_WithCertificatePolicy_Match()
         {
             using (var cert = new X509Certificate2(TestData.CertWithPolicies))

src/libraries/System.Security.Cryptography.X509Certificates/tests/PublicKeyTests.cs

@@ -334,7 +334,7 @@ private static void VerifyKey_RSA(X509Certificate2 cert, RSA rsa)
             Assert.Equal(expectedExponent, originalExponent);
         }
 
-        [Fact]
+        [ConditionalFact(typeof(SignatureSupport), nameof(SignatureSupport.SupportsX509Sha1Signatures))]
         public static void TestKey_RSA384_ValidatesSignature()
         {
             byte[] signature =

src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs

@@ -364,7 +364,7 @@ public static void RevokeEverything(PkiOptions pkiOptions)
                 });
         }
 
-        [Theory]
+        [ConditionalTheory(typeof(SignatureSupport), nameof(SignatureSupport.SupportsX509Sha1Signatures))]
         [InlineData(PkiOptions.OcspEverywhere)]
         [InlineData(PkiOptions.AllIssuerRevocation | PkiOptions.EndEntityRevocationViaOcsp)]
         [InlineData(PkiOptions.IssuerRevocationViaCrl | PkiOptions.EndEntityRevocationViaOcsp)]
@@ -449,7 +449,7 @@ public static void RevokeEndEntity_IssuerUnrelatedOcsp(PkiOptions pkiOptions)
                 });
         }
 
-        [Theory]
+        [ConditionalTheory(typeof(SignatureSupport), nameof(SignatureSupport.SupportsX509Sha1Signatures))]
         [InlineData(PkiOptions.OcspEverywhere)]
         [InlineData(PkiOptions.IssuerRevocationViaOcsp | PkiOptions.AllEndEntityRevocation)]
         [ActiveIssue("https://github.com/dotnet/runtime/issues/31249", PlatformSupport.AppleCrypto)]

src/libraries/System.Security.Cryptography.X509Certificates/tests/SignatureSupport.cs

+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace System.Security.Cryptography.X509Certificates.Tests
+{
+    public class SignatureSupport
+    {
+        // The RHEL9/CentOS9/Fedora39 change to disable SHA-1 signature support only affects OpenSSL's
+        // equivalent of RSA.SignHash/VerifyHash, but affects all asymmetric algorithms' versions of
+        // SignData/VerifyData. The OpenSSL library uses the VerifyData-esque path as an implementation
+        // detail when checking certificate signatures, and that means that in the context of X509Chain
+        // it's all SHA-1-based signatures.
+        //
+        // If there's ever a platform that blocks RSASSA+SHA-1 but doesn't block ECDSA or DSA with SHA-1,
+        // the logic here will need to get more complicated.
+        public static bool SupportsX509Sha1Signatures { get; } =
+            System.Security.Cryptography.Tests.SignatureSupport.CanProduceSha1Signature(RSA.Create());
+    }
+}

src/libraries/System.Security.Cryptography.X509Certificates/tests/System.Security.Cryptography.X509Certificates.Tests.csproj

@@ -64,6 +64,8 @@
              Link="CommonTest\System\Security\Cryptography\ByteUtils.cs" />
     <Compile Include="$(CommonTestPath)System\Security\Cryptography\PlatformSupport.cs"
              Link="CommonTest\System\Security\Cryptography\PlatformSupport.cs" />
+    <Compile Include="$(CommonTestPath)System\Security\Cryptography\SignatureSupport.cs"
+             Link="CommonTest\System\Security\Cryptography\SignatureSupport.cs" />
     <Compile Include="ImportTests.cs" />
     <Compile Include="CertificateCreation\CertificateRequestApiTests.cs" />
     <Compile Include="CertificateCreation\CertificateRequestChainTests.cs" />
@@ -89,6 +91,7 @@
     <Compile Include="DynamicChainTests.cs" />
     <Compile Include="ECDsaOther.cs" />
     <Compile Include="RSAOther.cs" />
+    <Compile Include="SignatureSupport.cs" />
     <Compile Include="TestDataGenerator.cs" />
     <Compile Include="$(CommonPath)DisableRuntimeMarshalling.cs"
              Link="Common\DisableRuntimeMarshalling.cs" />