dotnet / runtime


Enable DynamicRevocationTests on macOS #31249

Open bartonjs opened 5 years ago

bartonjs commented 5 years ago

All responses are coming back from SecTrustEvaluate with RevocationStatusUnknown, so macOS is unhappy with either the OCSP Responses or the trust chain.

Enabling tracing on the revocation responder shows that the response was sent, and it works for Windows and Linux... so something OS-specific is going on.

Since the tests are still valuable for Windows and Linux, they're being committed with macOS disabled.

vcsjones commented 4 years ago

I managed to move the needle on this a little bit. Apple does not like producedAt on ResponseData containing fractional seconds, or at least the way we're writing them. Apple's sources seem to indicate that it should handle them in genTimeToCFAbsTime, but debugging the parsing of the OCSP response, it was returning NULL (parse failure) for producedAt.

Removing fractional time from there gets about 25% of the tests passing. The next hurdle seems to be that Apple is not processing revocation for intermediate certificates, or it does not like the response for the intermediate we're sending it.
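As an added example (not code from this issue or the dotnet/runtime repository), the following Python encodes a producedAt GeneralizedTime the way RFC 5280 requires (whole seconds, trailing Z) and lints a DER GeneralizedTime for the fractional-seconds form that the macOS parser rejected; the timestamps are constructed samples.

```python
"""Added example: RFC 5280-style GeneralizedTime for OCSP producedAt, plus a
lint for the fractional-seconds encoding discussed in the comment above."""
from datetime import datetime, timezone

GENERALIZED_TIME_TAG = 0x18  # ASN.1 universal tag for GeneralizedTime


def encode_produced_at(when: datetime) -> bytes:
    """DER-encode a GeneralizedTime as YYYYMMDDHHMMSSZ.

    RFC 5280 section 4.1.2.5.2 forbids fractional seconds and requires the
    trailing 'Z'; RFC 6960 inherits that rule for producedAt and thisUpdate.
    The value is converted to UTC and truncated to whole seconds first.
    """
    if when.tzinfo is None:
        raise ValueError("producedAt must be timezone-aware")
    utc = when.astimezone(timezone.utc).replace(microsecond=0)
    body = utc.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    # Short-form DER length: a GeneralizedTime is always well under 128 bytes.
    return bytes([GENERALIZED_TIME_TAG, len(body)]) + body


def lint_generalized_time(der: bytes) -> list[str]:
    """Return the RFC 5280 violations found in one DER GeneralizedTime TLV."""
    if len(der) < 2 or der[0] != GENERALIZED_TIME_TAG:
        return ["not a GeneralizedTime TLV"]
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        return ["bad DER length"]
    text = der[2:].decode("ascii", errors="replace")
    problems = []
    if "." in text:
        problems.append("fractional seconds present")
    if not text.endswith("Z"):
        problems.append("missing trailing Z (local or offset time not allowed)")
    digits = text.rstrip("Z").split(".")[0]
    if len(digits) != 14 or not digits.isdigit():
        problems.append("expected exactly YYYYMMDDHHMMSS before Z")
    return problems


# Constructed sample: one instant encoded with fractional seconds (the form
# the macOS parser returned NULL for) and the same instant encoded correctly.
SAMPLE = datetime(2020, 6, 15, 12, 34, 56, 789000, tzinfo=timezone.utc)
FRACTIONAL_TLV = b"\x18\x13" + b"20200615123456.789Z"  # 19 content bytes
CORRECTED_TLV = encode_produced_at(SAMPLE)

if __name__ == "__main__":
    print("fractional:", lint_generalized_time(FRACTIONAL_TLV))
    print("corrected: ", CORRECTED_TLV, lint_generalized_time(CORRECTED_TLV))
```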

bartonjs commented 4 years ago

Nice work!

bartonjs commented 4 years ago

@vcsjones Is there any sort of change from what you prototyped that lets us enable anything for net5? e.g. make the theory-generator return a subset of combinations on macOS for the time being and move the disabling attribute to any methods that are one-off-not-working

vcsjones commented 4 years ago

> Is there any sort of change from what you prototyped that lets us enable anything for net5?

Yeah I can re-work the tests so that MacOS gets some of these enabled. I think I got about 30% of them passing without any changes to the tests themselves, just the fake OCSP server.

Out of curiosity, when / how often do outerloop tests get run? (Aside from the obvious on-demand case with /azp)

bartonjs commented 4 years ago

They seem to get run at some interval against master, since https://github.com/dotnet/runtime/issues/38744 was a recent issue where one of these tests failed.