diff options
| author | Roland Shoemaker <roland@golang.org> | 2022-05-12 10:26:12 -0700 |
|---|---|---|
| committer | Roland Shoemaker <roland@golang.org> | 2022-05-12 20:58:12 +0000 |
| commit | 267013e6e9150e073510469e1ea024cdc5149dce (patch) | |
| tree | 19e2971e9ef6adba074ff290d89b000b74d80879 /src | |
| parent | 27ace7ab9e1b690a672d0f7720680cb99e559854 (diff) | |
| download | go-267013e6e9150e073510469e1ea024cdc5149dce.tar.xz | |
crypto/x509: attempt to prime windows root pool before hybrid test
In TestHybridPool attempt to prime to the windows root pool before
the real test actually happens. This is a bit of a band-aid, with
a better long term solution discussed in #52108.
Updates #51599
Change-Id: I406add8d9cd9e3fae37bfc20b97f5479c10a52c2
Reviewed-on: https://go-review.googlesource.com/c/go/+/405914
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/crypto/x509/hybrid_pool_test.go | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/src/crypto/x509/hybrid_pool_test.go b/src/crypto/x509/hybrid_pool_test.go index d4dd9d5c22..2b8eb62dd0 100644 --- a/src/crypto/x509/hybrid_pool_test.go +++ b/src/crypto/x509/hybrid_pool_test.go @@ -19,12 +19,40 @@ import ( ) func TestHybridPool(t *testing.T) { + t.Parallel() if !(runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios") { t.Skipf("platform verifier not available on %s", runtime.GOOS) } if !testenv.HasExternalNetwork() { t.Skip() } + if runtime.GOOS == "windows" { + // NOTE(#51599): on the Windows builders we sometimes see that the state + // of the root pool is not fully initialized, causing an expected + // platform verification to fail. In part this is because Windows + // dynamically populates roots into its local trust store at time of + // use. We can attempt to prime the pool by attempting TLS connections + // to google.com until it works, suggesting the pool has been properly + // updated. If after we hit the dealine, the pool has _still_ not been + // populated with the expected root, it's unlikely we are ever going to + // get into a good state, and so we just fail the test. #52108 suggests + // a better possible long term solution. + + deadline := time.Now().Add(time.Second * 10) + nextSleep := 10 * time.Millisecond + for i := 0; ; i++ { + c, err := tls.Dial("tcp", "google.com:443", nil) + if err == nil { + c.Close() + break + } + nextSleep = nextSleep * time.Duration(i) + if time.Until(deadline) < nextSleep { + t.Fatal("windows root pool appears to be in an uninitialized state (missing root that chains to google.com)") + } + time.Sleep(nextSleep) + } + } // Get the google.com chain, which should be valid on all platforms we // are testing @@ -63,7 +91,7 @@ func TestHybridPool(t *testing.T) { _, err = googChain[0].Verify(opts) if err != nil { - t.Fatalf("verification failed for google.com chain (empty pool): %s", err) + t.Fatalf("verification failed for google.com chain (system only pool): %s", err) } pool.AddCert(root) |