More Comprehensive Certificate Testing

Describe the feature you'd like supported

We support a number of scenarios related to certificates (and will have more coming with client certs in the queue) but we have minimal testing for these. We should add more positive and negative test cases in these areas.

[x] Accept valid server certificate (chain to trusted root)
[x] Accept valid client certificate (chain to trusted root)
[ ] Specific invalid certificate failures (expired, wrong EKU, etc.)
- [x] Expired server certificate
- [x] Expired client certificate
- [ ] Untrusted server certificate
- [ ] Untrusted client certificate
[ ] Specific look-up mechanisms (hash, principal name, different stores, etc.)
- [x] Hash (MY store)
- [x] Hash store (MY store)
- [x] Context
- [ ] Principal name (Depends on #1329)
- [x] OpenSSL file
- [x] OpenSSL file with password
- [x] OpenSSL PFX with password
[ ] More coverage of the cert callback mechanism (at QUIC layer). Cover the flag for cert validation.
- [ ] Portable certificates flag
- [ ] Client certificate
  - [ ] OpenSSL
  - [ ] Schannel
- [ ] Server certificate
  - [ ] OpenSSL
  - [ ] Schannel
- [ ] Ensure certificates are usable
- [ ] Client certificate
  - [ ] OpenSSL
  - [ ] Schannel
- [ ] Server certificate
  - [ ] OpenSSL
  - [ ] Schannel
[ ] Revocation checking
- [ ] Valid certificate
- [ ] CRL Offline
- [ ] Check the whole chain
- [ ] Check only the leaf
- [ ] Check chain excluding root
- [ ] Cache only
- [ ] Cache only with cache expired
- [ ] Revoked certificate
- [ ] CRL Offline
- [ ] Check the whole chain
- [ ] Check only the leaf
- [ ] Check chain excluding root
- [ ] Cache only
- [ ] Cache only with cache expired
[ ] OCSP

How do different error codes get exposed to the app? Might need core work around exposing individual error codes (might be worth a separate task).

microsoft / msquic

More Comprehensive Certificate Testing #1172

Describe the feature you'd like supported