crypto/x509: come up with better solution for testing platform verifiers #52108

rolandshoemaker opened this issue Apr 1, 2022 · 3 comments


@rolandshoemaker rolandshoemaker commented Apr 1, 2022

As evidenced by #52094 and #51599, there are issues with relying on third-party services for testing the platform verifier implementations. Ideally we'd run these tests entirely locally, but this requires mutating the trust store on the systems being tested.

While we absolutely cannot start inserting arbitrary certificates into the trust stores of developers, it may be reasonable to do this on the trybots (although there will still be some gaps here, since user-added roots are always going to be treated somewhat differently than roots the system chooses to trust.)

We should still have some kind of local testing that doesn't rely on trust store mutation though, perhaps just retaining the existing based tests but gating them behind a flag?

@rolandshoemaker rolandshoemaker added the NeedsFix label Apr 1, 2022

@gopherbot gopherbot commented Apr 2, 2022

Change mentions this issue: crypto/x509: local platform verifier tests on trybots

@gopherbot gopherbot commented May 12, 2022

Change mentions this issue: crypto/x509: attempt to prime windows root pool before hybrid test

gopherbot pushed a commit that referenced this issue May 12, 2022
In TestHybridPool attempt to prime to the windows root pool before
the real test actually happens. This is a bit of a band-aid, with
a better long term solution discussed in #52108.

Updates #51599

Change-Id: I406add8d9cd9e3fae37bfc20b97f5479c10a52c2
Reviewed-by: Bryan Mills <>
TryBot-Result: Gopher Robot <>
Run-TryBot: Roland Shoemaker <>

@bcmills bcmills commented Jun 14, 2022

2022-06-06T18:37:38-fc97075/windows-amd64-longtest has another failure due to having a cert that is bad in the wrong kind of way:

--- FAIL: TestPlatformVerifier (15.19s)
    --- FAIL: TestPlatformVerifier/wrong_host_for_leaf (15.11s)
        root_windows_test.go:109: unexpected verification error: got "x509: certificate has expired or is not yet valid: ", want "x509: certificate is valid for *,, not"
FAIL	crypto/x509	32.031s
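
The failure above is an expired third-party certificate masking the hostname mismatch the test was written to observe. The following is an added example, not code from the issue thread or the Go test suite: it issues a constructed root and leaves in memory and verifies them against a fixed clock, so each negative case fails for one predictable reason. It passes explicit `Roots`, which exercises Go's own verifier rather than the platform verifier, and every name, host and date in it is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a self-signed CA when parent is nil, else a leaf signed by parent (constructed certs).
func issue(cn string, dns []string, from, to time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to, DNSNames: dns,
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.KeyUsage, parent, pk = x509.KeyUsageCertSign, t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// scenario verifies a current and an expired leaf, both for the wrong host, against an
// in-memory root. Explicit Roots selects Go's own verifier, not the platform verifier.
func scenario() (fresh, stale string) {
	now := time.Date(2022, 6, 6, 0, 0, 0, 0, time.UTC) // fixed clock, so results never drift
	root, rk := issue("test root", nil, now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0), nil, nil)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "wrong.example", CurrentTime: now}
	opts.Roots.AddCert(root)
	check := func(notAfter time.Time) string {
		leaf, _ := issue("leaf", []string{"right.example"}, now.AddDate(0, 0, -30), notAfter, root, rk)
		_, err := leaf.Verify(opts)
		return fmt.Sprintf("%T: %v", err, err)
	}
	return check(now.AddDate(0, 0, 30)), check(now.AddDate(0, 0, -1))
}

func main() { fmt.Println(scenario()) }
```

With the current leaf the result is a hostname error; with the expired leaf the validity-period check fires first and the hostname error is never reached.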
