This PR fixes an issue on Android where the verifier was attempting to enforce revocation constraints even on self-signed certificates that don't (nor should need to) supply revocation information. This PR fixes this by bringing back our previous `isKnownRoot` check and using this to determine if we should even try the revocation codepaths. If a certificate isn't a known root, we don't let Android enforce revocation information.
A small cutout was left for cases where an explicit stapled OCSP response is provided by the server. This is for two reasons:
1. Our test suite needs to be able to verify a mocked, frozen-in-time, OCSP response is confirmed as revoked.
2. There might be a case where someone has this set up in the real world and they are probably expecting the OCSP data to be checked by clients.
Closes https://github.com/rustls/rustls-platform-verifier/issues/69