Test failures on `main` - suspected Windows verifier weirdness

[cpu]

Noticed CI is failing the Windows latest job:

---- tests::verification_mock::tests::stapled_revoked_dns stdout ----
thread 'tests::verification_mock::tests::stapled_revoked_dns' panicked at rustls-platform-verifier\src\tests\mod.rs:51:9:
assertion `left == right` failed
  left: Ok(())
 right: Err(InvalidCertificate(Revoked))
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

---- tests::verification_mock::tests::stapled_revoked_ipv4 stdout ----
thread 'tests::verification_mock::tests::stapled_revoked_ipv4' panicked at rustls-platform-verifier\src\tests\mod.rs:51:9:
assertion `left == right` failed
  left: Ok(())
 right: Err(InvalidCertificate(Revoked))

---- tests::verification_mock::tests::stapled_revoked_ipv6 stdout ----
thread 'tests::verification_mock::tests::stapled_revoked_ipv6' panicked at rustls-platform-verifier\src\tests\mod.rs:51:9:
assertion `left == right` failed
  left: Ok(())
 right: Err(InvalidCertificate(Revoked))

failures:
    tests::verification_mock::tests::stapled_revoked_dns
    tests::verification_mock::tests::stapled_revoked_ipv4
    tests::verification_mock::tests::stapled_revoked_ipv6

And the Android task:

07-30 18:14:51.040  3199  3229 I rustls_platform_verif..: verifying Err(InvalidCertificate(UnknownIssuer))
07-30 18:14:51.042  3199  3229 W rustls_platform_verif..: certificate was not trusted: java.
org.rustls.platformverifier.CertificateVerifierTests > runMockTestSuite[test(AVD) - 9] FAILED 
    org.junit.ComparisonFailure: A test failed. Check the logs above for Rust panics. expected:<[success]> but was:<[test failed!]>
    at org.junit.Assert.assertEquals(Assert.java:115)
security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I won't have time to look into this right away, so filing for a rainy day.

[complexspaces]

I think that the mock suite's root expired the other day:

This might explain the test failure on Android (as it couldn't find a valid certification path), but I'm not sure what's happening on the Windows side yet.

[cpu]

I'm not sure what's happening on the Windows side yet.

Interestingly regenerating the expired root/intermediate also fixed the Windows build task.

I notice all the failures are related to stapled OCSP with revoked status. Is it possible that the Windows verifier doesn't consider revocation in that circumstance when the certificate chain is otherwise invalid due to expiry? :thinking:

[complexspaces]

Interestingly regenerating the expired root/intermediate also fixed the Windows build task.

Yeah I considered just doing that but I'm slightly concerned about the root cause of seeing Ok(()) in the test output 😓.

Is it possible that the Windows verifier doesn't consider revocation in that circumstance when the certificate chain is otherwise invalid due to expiry?

That would match with some behavior I've seen before IIRC but I have no idea why the platform verifier was returning Ok(()). I would have expected to see Err(Untrusted (or something close enough to that).

[cpu]

I'm slightly concerned about the root cause of seeing Ok(()) in the test output 😓.

Agreed - my thought process here was that we should investigate this deeper but it won't be better having main broken in the meantime.

Maybe I should cut a new issue specifically for this mystery so it won't get lost if this ticket gets closed with the CI fix?

I would have expected to see Err(Untrusted (or something close enough to that).

Also agreed :fearful:

[complexspaces]

With main fixed, I updated the issue title to be more reflective that this is now for hunting down whatever Windows weirdness is happening.