Open bartonjs opened 5 years ago
I managed to move the needle on this a little bit. Apple does not like producedAt on ResponseData containing fractional seconds, or at least the way we're writing them. Apple's sources seem to indicate that it should handle them in genTimeToCFAbsTime, but debugging the parsing of the OCSP response, it was returning NULL (parse failure) for producedAt.
Removing fractional time from there gets about 25% of the tests passing. The next hurdle seems to be that Apple is not processing revocation for intermediate certificates, or it does not like the response for the intermediate we're sending it.
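As an added illustration (not part of the thread or of the dotnet/runtime test code), the Python sketch below encodes a GeneralizedTime with and without fractional seconds and walks a DER structure to flag any GeneralizedTime that carries a fraction, which is the condition reported above for producedAt. The sample structure and all function names are constructed for the example; the walker assumes low-tag-number form and does not descend into OCTET STRINGs.

```python
from datetime import datetime, timezone

GENERALIZED_TIME = 0x18  # universal tag 24, primitive


def encode_generalized_time(dt, keep_fraction=False):
    """DER-encode dt as a UTC GeneralizedTime, dropping the fraction by default."""
    dt = dt.astimezone(timezone.utc)
    text = dt.strftime("%Y%m%d%H%M%S")
    if keep_fraction and dt.microsecond:
        # DER does not allow trailing zeros in the fractional part.
        text += "." + f"{dt.microsecond:06d}".rstrip("0")
    body = (text + "Z").encode("ascii")
    return bytes([GENERALIZED_TIME, len(body)]) + body  # body is < 128 bytes


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def fractional_times(der):
    """Recursively list GeneralizedTime values that contain fractional seconds."""
    hits, pos = [], 0
    while pos < len(der):
        tag, start, end = read_tlv(der, pos)
        value = der[start:end]
        if tag == GENERALIZED_TIME and b"." in value:
            hits.append(value.decode("ascii"))
        elif tag & 0x20:  # constructed element (SEQUENCE, [n] EXPLICIT): descend
            hits.extend(fractional_times(value))
        pos = end
    return hits


def seq(*parts):
    """Wrap parts in a SEQUENCE (short-form length; constructed sample only)."""
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body


# Constructed sample: a SEQUENCE standing in for ResponseData with one time field.
PRODUCED = datetime(2020, 7, 1, 12, 30, 45, 123400, tzinfo=timezone.utc)
SAMPLE_BAD = seq(encode_generalized_time(PRODUCED, keep_fraction=True))
SAMPLE_OK = seq(encode_generalized_time(PRODUCED))
```
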
Nice work!
@vcsjones Is there any sort of change from what you prototyped that lets us enable anything for net5? e.g. make the theory-generator return a subset of combinations on macOS for the time being and move the disabling attribute to any methods that are one-off-not-working
> Is there any sort of change from what you prototyped that lets us enable anything for net5?
Yeah, I can re-work the tests so that macOS gets some of these enabled. I think I got about 30% of them passing without any changes to the tests themselves, just the fake OCSP server.
Out of curiosity, when / how often do outerloop tests get run? (Aside from the obvious on-demand case with /azp)
They seem to get run at some interval against master, since https://github.com/dotnet/runtime/issues/38744 was a recent issue where one of these tests failed.
All responses are coming back from SecTrustEvaluate with RevocationStatusUnknown, so macOS is unhappy with either the OCSP Responses or the trust chain.
Enabling tracing on the revocation responder shows that the response was sent, and it works for Windows and Linux... so something OS-specific is going on.
Since the tests are still valuable for Windows and Linux, they're being committed with macOS disabled.