Enable DynamicRevocationTests on macOS #31249

Closed
bartonjs opened this issue Oct 22, 2019 · 7 comments
Labels
area-System.Security disabled-test The test is disabled in source code against the issue

Comments

@bartonjs
Member

All responses are coming back from SecTrustEvaluate with RevocationStatusUnknown, so macOS is unhappy with either the OCSP Responses or the trust chain.

  • Maybe they don't use the SecTrust anchors list, but the default trust list, when validating responses?
  • Maybe they want some extra metadata in the cert chains somewhere?

Enabling tracing on the revocation responder shows that the response was sent, and it works for Windows and Linux... so something OS-specific is going on.

Since the tests are still valuable for Windows and Linux, they're being committed with macOS disabled.

@vcsjones
Member

vcsjones commented Jun 9, 2020

I managed to move the needle on this a little bit. Apple does not like producedAt on ResponseData containing fractional seconds, or at least the way we're writing them. Apple's sources seem to indicate that it should handle them in genTimeToCFAbsTime, but debugging the parsing of the OCSP response, it was returning NULL (parse failure) for producedAt.

Removing fractional time from there gets about 25% of the tests passing. The next hurdle seems to be that Apple is not processing revocation for intermediate certificates, or it does not like the response for the intermediate we're sending it.
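
An added example, not part of the comment above or of the project's test code: a Python sketch that encodes a time as DER GeneralizedTime with and without fractional seconds, then walks a DER structure and flags any GeneralizedTime that carries a fraction, the property the comment reports the macOS parser failing on in producedAt. The sample is a constructed nested SEQUENCE rather than a full OCSP response, all function names are hypothetical, and the walker assumes single-byte tags and does not descend into OCTET STRING contents.

```python
from datetime import datetime, timezone

GENERALIZED_TIME = 0x18  # universal tag 24, primitive

def encode_generalized_time(dt, keep_fraction=False):
    """DER-encode dt as a UTC GeneralizedTime."""
    dt = dt.astimezone(timezone.utc)
    text = dt.strftime("%Y%m%d%H%M%S")
    # Default follows the RFC 5280 4.1.2.5.2 profile: no fractional seconds.
    if keep_fraction and dt.microsecond:
        text += "." + f"{dt.microsecond:06d}".rstrip("0")
    body = (text + "Z").encode("ascii")
    return bytes([GENERALIZED_TIME, len(body)]) + body  # always short-form length

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, pos, pos + length

def fractional_times(der, start=0, end=None):
    """Yield each GeneralizedTime string in der that has fractional seconds."""
    pos, end = start, len(der) if end is None else end
    while pos < end:
        tag, v0, v1 = read_tlv(der, pos)
        if tag == GENERALIZED_TIME:
            text = der[v0:v1].decode("ascii")
            if "." in text or "," in text:
                yield text
        elif tag & 0x20:  # constructed (SEQUENCE, SET, EXPLICIT [n]): recurse
            yield from fractional_times(der, v0, v1)
        pos = v1

def seq(*parts):
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body  # sample stays under 128 bytes

# Constructed sample: SEQUENCE { producedAt, SEQUENCE { thisUpdate } }
WHEN = datetime(2020, 6, 9, 12, 0, 0, 250000, tzinfo=timezone.utc)

def sample(keep_fraction):
    produced_at = encode_generalized_time(WHEN, keep_fraction)
    this_update = encode_generalized_time(WHEN.replace(microsecond=0))
    return seq(produced_at, seq(this_update))
```

To scan a real OCSP response with this walker, pass it the bytes inside the OCTET STRING that wraps the BasicOCSPResponse.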

@bartonjs
Member Author

bartonjs commented Jun 9, 2020

Nice work!

@bartonjs bartonjs modified the milestones: 5.0.0, 6.0.0, Future Jul 8, 2020
@bartonjs
Member Author

bartonjs commented Jul 8, 2020

@vcsjones Is there any sort of change from what you prototyped that lets us enable anything for net5? e.g. make the theory-generator return a subset of combinations on macOS for the time being and move the disabling attribute to any methods that are one-off-not-working

@bartonjs bartonjs removed the untriaged New issue has not been triaged by the area owner label Jul 8, 2020
@vcsjones
Member

vcsjones commented Jul 8, 2020

Is there any sort of change from what you prototyped that lets us enable anything for net5?

Yeah, I can re-work the tests so that macOS gets some of these enabled. I think I got about 30% of them passing without any changes to the tests themselves, just the fake OCSP server.

Out of curiosity, when / how often do outerloop tests get run? (Aside from the obvious on-demand case with /azp)

@bartonjs
Member Author

bartonjs commented Jul 8, 2020

They seem to get run at some interval against master, since #38744 was a recent issue where one of these tests failed.

Contributor

Due to lack of recent activity, this issue has been marked as a candidate for backlog cleanup. It will be closed if no further activity occurs within 14 more days. Any new comment (by anyone, not necessarily the author) will undo this process.

This process is part of our issue cleanup automation.

@dotnet-policy-service dotnet-policy-service bot added backlog-cleanup-candidate An inactive issue that has been marked for automated closure. no-recent-activity labels Jan 7, 2025
Contributor

This issue will now be closed since it had been marked no-recent-activity but received no further activity in the past 14 days. It is still possible to reopen or comment on the issue, but please note that the issue will be locked if it remains inactive for another 30 days.

@dotnet-policy-service dotnet-policy-service bot removed this from the Future milestone Jan 21, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Feb 20, 2025
@dotnet-policy-service dotnet-policy-service bot removed no-recent-activity backlog-cleanup-candidate An inactive issue that has been marked for automated closure. labels Feb 20, 2025