crypto/x509: attempt to prime windows root pool before hybrid test

rolandshoemaker · rolandshoemaker · commit 267013e6e915 · 2022-05-12T20:58:12.000Z
In TestHybridPool attempt to prime to the windows root pool before the real test actually happens. This is a bit of a band-aid, with a better long term solution discussed in #52108. Updates #51599 Change-Id: I406add8d9cd9e3fae37bfc20b97f5479c10a52c2 Reviewed-on: https://go-review.googlesource.com/c/go/+/405914 Reviewed-by: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org>
diff --git a/src/crypto/x509/hybrid_pool_test.go b/src/crypto/x509/hybrid_pool_test.go
@@ -19,12 +19,40 @@ import (
 )
 
 func TestHybridPool(t *testing.T) {
+	t.Parallel()
 	if !(runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios") {
 		t.Skipf("platform verifier not available on %s", runtime.GOOS)
 	}
 	if !testenv.HasExternalNetwork() {
 		t.Skip()
 	}
+	if runtime.GOOS == "windows" {
+		// NOTE(#51599): on the Windows builders we sometimes see that the state
+		// of the root pool is not fully initialized, causing an expected
+		// platform verification to fail. In part this is because Windows
+		// dynamically populates roots into its local trust store at time of
+		// use. We can attempt to prime the pool by attempting TLS connections
+		// to google.com until it works, suggesting the pool has been properly
+		// updated. If after we hit the dealine, the pool has _still_ not been
+		// populated with the expected root, it's unlikely we are ever going to
+		// get into a good state, and so we just fail the test. #52108 suggests
+		// a better possible long term solution.
+
+		deadline := time.Now().Add(time.Second * 10)
+		nextSleep := 10 * time.Millisecond
+		for i := 0; ; i++ {
+			c, err := tls.Dial("tcp", "google.com:443", nil)
+			if err == nil {
+				c.Close()
+				break
+			}
+			nextSleep = nextSleep * time.Duration(i)
+			if time.Until(deadline) < nextSleep {
+				t.Fatal("windows root pool appears to be in an uninitialized state (missing root that chains to google.com)")
+			}
+			time.Sleep(nextSleep)
+		}
+	}
 
 	// Get the google.com chain, which should be valid on all platforms we
 	// are testing
@@ -63,7 +91,7 @@ func TestHybridPool(t *testing.T) {
 
 	_, err = googChain[0].Verify(opts)
 	if err != nil {
-		t.Fatalf("verification failed for google.com chain (empty pool): %s", err)
+		t.Fatalf("verification failed for google.com chain (system only pool): %s", err)
 	}
 
 	pool.AddCert(root)
