Open cpu opened 6 months ago
As a quick test I also tried going back to before https://github.com/rustls/rustls-platform-verifier/pull/17 landed and enabling the test with a fixed verification time and got the same result so whatever the root cause I don't think it's a regression from those changes.
I took a look through this one today and here's what I've found so far:
verifyDate
into revocation handling. I can't quite nail down exactly where its used though.pTime
we pass in "...does not affect trust list, revocation, or root store checking." I haven't been able to find any flags to overwrite that either.certificate was revoked: java.security.cert.CertPathValidatorException: timestamp check failed
. I haven't run it through a debugger yet though because it does that regardless of it I give the OSCP checker the right timestamp or not.Tl;dr the platforms are a mess again, what a surprise right?
After https://github.com/rustls/rustls-platform-verifier/pull/50 lands we should be able to enable the stapled OCSP test in the real world verification test suite: https://github.com/rustls/rustls-platform-verifier/blob/65b2a97aff062585d91c97ae3b7b1d17fbcd7b62/rustls-platform-verifier/src/tests/verification_real_world/mod.rs#L221-L239
As described in this comment (which should also be fixed up) this was commented out when it wasn't possible to specify a time to use for verification to avoid flakes from the very short OCSP response validity period.
We know that Webpki doesn't support revocation checking via stapled OCSP (see https://github.com/rustls/webpki/issues/217) so we will need to
cfg
gate the expected result to only assert a revocation error result for non-Linux/WASM platforms - something like:However, it appears the Windows verifier is returning
Ok(())
whereErr(TlsError::InvalidCertificate(CertificateError::Revoked))
is expected. Further investigation is required.