Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix X509 test failures on Android #50301

Merged
15 commits merged into from
Apr 6, 2021
Merged

Conversation

jkoritzinsky
Copy link
Member

@jkoritzinsky jkoritzinsky commented Mar 26, 2021

Disable tests on Android that use unsupported features (Brainpool curve, PSS padding in cert signatures).

Disable outerloop test that checks against a validation status that is unsupported on Android.

Handle JNI thread shutdown (Android API Level 21 is more strict about this than API Level 29).

Fix some memory leaks.

Disable tests that depend on OCSP when on older Android versions.

Older versions of Android can include the same cert in the cert collection twice if it is also the trusted root. Handle this case and don't return the cert twice.

Fixes #50565

@ghost
Copy link

ghost commented Mar 26, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

Disable tests on Android that use unsupported features (Brainpool curve, PSS padding in cert signatures).

Disable outerloop test that checks against a validation status that is unsupported on Android.

Handle JNI thread shutdown (Android API Level 21 is more strict about this than API Level 29).

Fix some memory leaks.

Disable tests that depend on OCSP when on older Android versions.

Older versions of Android can include the same cert in the cert collection twice if it is also the trusted root. Handle this case and don't return the cert twice.

Author: jkoritzinsky
Assignees: -
Labels:

area-System.Security, os-android

Milestone: -

Comment on lines 102 to 108
<ItemGroup Condition="'$(UseAndroidCrypto)' == 'true'">
<Compile Include="X509StoreMutableTests.Android.cs" />
</ItemGroup>
<ItemGroup Condition="'$(UseAndroidCrypto)' != 'true'">
<Compile Include="RevocationTests\DynamicRevocationTests.Default.cs" />
</ItemGroup>
<ItemGroup Condition="'$(UseAndroidCrypto)' == 'true'">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's reuse existing groups when possible.

@jkoritzinsky

This comment has been minimized.

@elinor-fung
Copy link
Member

CI wasm failure is happening because of the added [ConditionalClass(typeof(DynamicRevocationTests), nameof(SupportsDynamicRevocation))] attribute. During test discovery, this results in DynamicRevocationTests being loaded and its static fields being initialized. This fails because using Oid from System.Security.Cryptography.Encoding is throwing PNSE on browser.

private static readonly Oid s_tlsServerOid = new Oid("1.3.6.1.5.5.7.3.1", null);

This entire test assembly is actually disabled / marked as failing on browser:

[assembly: ActiveIssue("https://github.com/dotnet/runtime/issues/37669", TestPlatforms.Browser)]

But the test discovery still goes through every test method and tries to determine the traits for each method. We could rework this so that it continues avoiding using any types that will hit PNSE on browser during test discovery, but it seems weird/wasteful that we're making our test runs go through bundling, sending off to helix, test discovery, and result reporting when we know the entire suite (and many of its dependencies) are not currently supported.

@steveisok / @lewing is there a reason we want to have this suite disabled on browser through the ActiveIssue attribute instead of adding it to ProjectExclusions?

@steveisok
Copy link
Member

@elinor-fung There was probably a point in time where we thought labeling ActiveIssue at the assembly level was the way to skip whole suites. I think it makes sense to add to <ProjectExclusions> instead.

Copy link
Member

@bartonjs bartonjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PublicKeyTests.SupportsBrainpool shouldn't be needed.

Copy link
Member

@bartonjs bartonjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for humoring me.

@ghost
Copy link

ghost commented Apr 5, 2021

Hello @jkoritzinsky!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost ghost merged commit c0a710f into dotnet:main Apr 6, 2021
thaystg added a commit to thaystg/runtime that referenced this pull request Apr 6, 2021
…shim_mono

# By Aaron Robinson (10) and others
# Via GitHub
* upstream/main: (108 commits)
  [mbr] Add Apple sample (dotnet#50740)
  make EstablishProxyTunnelAsync throw on failure status code from proxy (dotnet#50763)
  Improve RGB Min Max evaluation performance by using 2 or 3 comparison… (dotnet#50622)
  [mono] More domain cleanups (dotnet#50479)
  Fix Crossgen2 of PlatformDefaultMemberFunction methods and calls. (dotnet#50754)
  Disable EventSource generator in design-time builds (dotnet#50741)
  Fix X509 test failures on Android (dotnet#50301)
  Do not confuse fgDispBasicBlocks in fgMorphBlocks (dotnet#50703)
  Enforce 64KB event payload size limit on EventPipe  (dotnet#50600)
  Reorganize CoreCLR native build to reduce CMake reconfigures when the build system is untouched (dotnet#49906)
  [mbr] Turn on hot reload for iOS, tvOS and MacCatalyst (dotnet#50458)
  improve connection scavenge logic by doing zero-byte read (dotnet#50545)
  Resolve call mdtokens when making tier 1 inline observations (dotnet#50675)
  Annotate APIs in System.Private.Xml (dotnet#49682)
  Support compiling against OpenSSL 3 headers
  Change Configuration.Json to use a regular Dictionary. (dotnet#50611)
  Remove unused BigNumFromBinary P/Invoke (dotnet#50670)
  Make Ninja the default CMake generator on Windows for the repo (dotnet#49715)
  [AppleAppBuilder] Entitlements to run tests on catalyst using the JIT (dotnet#50637)
  [mono] Fix delegate invokes to dynamic methods in mixed mode. (dotnet#50547)
  ...

# Conflicts:
#	src/mono/dlls/mscordbi/CMakeLists.txt
@ghost ghost locked as resolved and limited conversation to collaborators May 6, 2021
@karelz karelz added this to the 6.0.0 milestone May 20, 2021
@jkoritzinsky jkoritzinsky deleted the x509certs-test-fixes branch September 28, 2021 00:04
This pull request was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

System.Security.Cryptography.X509Certificates.Tests fail on Android
5 participants