Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: TestPlatformVerifier/revoked_leaf fails on macOS 13.1 #57428

Open
dmitshur opened this issue Dec 21, 2022 · 4 comments
Open

crypto/x509: TestPlatformVerifier/revoked_leaf fails on macOS 13.1 #57428

dmitshur opened this issue Dec 21, 2022 · 4 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Darwin
Milestone

Comments

@dmitshur
Copy link
Contributor

dmitshur commented Dec 21, 2022

I'm seeing the TestPlatformVerifier/revoked_leaf test in crypto/x509 failing at tip, 1.19.4, and 1.18.9 on darwin/arm64 running macOS 13.1 (22C65):

$ go test crypto/x509
--- FAIL: TestPlatformVerifier (1.39s)
    --- FAIL: TestPlatformVerifier/revoked_leaf (0.18s)
        root_darwin_test.go:116: unexpected verification error: got "x509: “revoked.badssl.com” certificate is expired", want "x509: “revoked.badssl.com” certificate is revoked"
FAIL
FAIL	crypto/x509	3.321s
FAIL

CC @rolandshoemaker.

@dmitshur dmitshur added OS-Darwin NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Dec 21, 2022
@dmitshur dmitshur added this to the Backlog milestone Dec 21, 2022
@rolandshoemaker
Copy link
Member

This appears to be a combination of chromium/badssl.com#515, and a change in the verification error precedence in macOS 13 (previously revoked seemed to take precedence over expiration, whereas now it's reversed).

This just further shows the importance of #52108, which I still don't have a good answer for. Probably something to seriously look at in the new year.

@dmitshur
Copy link
Contributor Author

dmitshur commented Dec 21, 2022

Also further motivation for #35678 / #49055, since that test is skipped in short mode so doesn't actually run on any builders we have today. (This explains why it wasn't reported by the darwin-amd64-13 builder earlier.)

@bcmills
Copy link
Contributor

bcmills commented Apr 6, 2023

The new darwin-amd64-longtest builder is indeed catching this! 🙃

(And leaf_missing_SCTs, too: https://build.golang.org/log/8815b334c89791bc3c30410757d4c1020e927e96)

@gopherbot
Copy link

Change https://go.dev/cl/482165 mentions this issue: crypto/x509: skip broken darwin root tests

gopherbot pushed a commit that referenced this issue Apr 10, 2023
For #57428.
For #35678.

Change-Id: I806c16d3ff3815b8681916753338356c444970d2
Reviewed-on: https://go-review.googlesource.com/c/go/+/482165
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Darwin
Projects
None yet
Development

No branches or pull requests

4 participants