diff --git a/admin/MAINTAINENCE.md b/admin/MAINTAINENCE.md
new file mode 100644
index 00000000..3db38dbe
--- /dev/null
+++ b/admin/MAINTAINENCE.md
@@ -0,0 +1,20 @@
+## How to handle certificate expiry
+
+When CI starts spuriously failing, it is usually caused by the certificates inside `src/tests/vertification_real_world` reaching their max issuance lifetime and becoming expired. While most
+of our tested platforms are able to handle this better by mocking out the verification time, some can't. At the time of writing these are:
+- Android ([1](https://github.com/rustls/rustls-platform-verifier/issues/59), [2](https://github.com/rustls/rustls-platform-verifier/issues/183))
+- Windows ([1](https://github.com/rustls/rustls-platform-verifier/issues/117))
+
+The other case that can cause failures (much less often) is the mock certificates expiring. Due to platform verifier security restrictions, we can't place absurdly high/unlimited expiry dates
+on our mock CA and the certificates issued by it. As such, they will expire about every 2 years and need updated by hand.
+
+Thankfully, updating these has become easy:
+- If the `verification_real_world` tests are failing, do the following:
+ 1. Run `cargo run --example update-certs.rs`
+ 2. Using your tool of choice, update the hardcoded time in `verification_time` to match the current datetime.
+ 3. Commit your changes and push up a fix branch/PR.
+- If the `verification_mock` tests are failing, do the following:
+ 1. Run `cd rustls-platform-verifier/src/tests/verification_mock`
+ 2. Run `go run ca.go`
+ 3. Using your tool of choice, update the hardcoded time in `verification_time` to match the current datetime.
+ 4. Commit your changes and push up a fix branch/PR.
diff --git a/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt b/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt
index da2f34e6..febbcfd2 100644
--- a/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt +++ b/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt @@ -357,6 +357,14 @@ internal object CertificateVerifier { try { validator.validate(certFactory.generateCertPath(validChain), parameters) } catch (e: CertPathValidatorException) { + // LetsEncrypt no longer include OCSP information (as OCSP is being deprecated) which Android is not + // happy with since it *only* tries OCSP by default. We aren't 100% decided on how to fix this yet for real + // (see https://github.com/rustls/rustls-platform-verifier/pull/179) so for now we implement an out for + // tests to allow regular maintenance to proceed. + if (BuildConfig.TEST && e.reason == CertPathValidatorException.BasicReason.UNSPECIFIED) { + return VerificationResult(StatusCode.Ok) + } + return VerificationResult(StatusCode.Revoked, e.toString()) } } else { diff --git a/rustls-platform-verifier/examples/update-certs.rs b/rustls-platform-verifier/examples/update-certs.rs index 6f274d80..1970f97d 100644 --- a/rustls-platform-verifier/examples/update-certs.rs +++ b/rustls-platform-verifier/examples/update-certs.rs @@ -44,4 +44,10 @@ fn main() -> Result<(), Box> { Ok(()) } -const HOSTS: &[&str] = &["letsencrypt.org"]; +// We use two different CAs for better coverage and... +const HOSTS: &[&str] = &[ + // This host is using EC-based certificates for coverage. + "letsencrypt.org", + // This host is using RSA-based certificates for coverage. + "aws.amazon.com", +]; diff --git a/rustls-platform-verifier/src/android.rs b/rustls-platform-verifier/src/android.rs index 50db61ec..7236f9ec 100644 --- a/rustls-platform-verifier/src/android.rs +++ b/rustls-platform-verifier/src/android.rs 
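Review bot: The new early return in the `catch (e: CertPathValidatorException)` branch accepts every revocation failure whose reason is `BasicReason.UNSPECIFIED` when `BuildConfig.TEST` is set, which is wider than the missing-OCSP case the comment describes. Any other revocation-path failure the platform reports as UNSPECIFIED would also come back as `StatusCode.Ok`, so a regression in the revocation check itself could pass the Android test suite unnoticed. Because this is a verification bypass, the comment should say so explicitly, e.g. `// SECURITY: test-only bypass; BuildConfig.TEST must never be true in published artifacts.`, and the condition would be safer if it could be narrowed to certificates that carry no OCSP responder information. How `BuildConfig.TEST` is defined is not visible here, and the enclosing function starts and ends outside the hunk.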
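Review bot: The comment added above `HOSTS` trails off with "and...", so the second reason for fetching from two hosts is never stated. Finish or trim it, for example `// We use two different CAs and key types (EC and RSA) for better coverage.` The per-host comments give the key type as the reason; if the unfinished clause meant something else, it should be spelled out since these hosts decide which live chains become pinned test fixtures.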
@@ -52,7 +52,7 @@ enum Global { } impl Global { - fn env(&self) -> Result { + fn env(&self) -> Result, Error> { let vm = match self { Global::Internal { java_vm, .. } => java_vm, Global::External(global) => global.java_vm(), @@ -60,7 +60,7 @@ impl Global { Ok(vm.attach_current_thread_permanently()?) } - fn context(&self) -> Result { + fn context(&self) -> Result, Error> { let env = self.env()?; let context = match self { diff --git a/rustls-platform-verifier/src/tests/mod.rs b/rustls-platform-verifier/src/tests/mod.rs index 9e5c7a9e..b2cf3c49 100644 --- a/rustls-platform-verifier/src/tests/mod.rs +++ b/rustls-platform-verifier/src/tests/mod.rs @@ -62,8 +62,8 @@ pub fn assert_cert_error_eq( /// we know the test certificates are valid. This must be updated if the mock certificates /// are regenerated. pub(crate) fn verification_time() -> pki_types::UnixTime { - // Fri, 30 May 2025 21:27:00 UTC - pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_748_633_220)) + // Wed, 13 August 2025 19:31:53 UTC + pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_755_113_506)) } fn test_provider() -> Arc { diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt index 6beaeed9..0968a956 100644 Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt differ diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp index ac7c8420..66e49a7e 100644 Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp differ 
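Review bot: In the `verification_time()` hunk the new comment does not match the constant: `1_755_113_506` seconds is Wed, 13 Aug 2025 19:31:46 UTC, not 19:31:53. The gap is harmless for certificate validity, but the comment is what a maintainer compares against when refreshing fixtures, so it should read `// Wed, 13 Aug 2025 19:31:46 UTC`. The doc comment in the context lines only says the value must be updated when the mock certificates are regenerated; this commit also moves it for the refreshed real-world chains, so it could add `or when the real-world chains are refreshed (see admin/MAINTAINENCE.md)`.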
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt
index 4a239617..b4f4012e 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.ocsp
index cc604f7a..3b4aa064 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.ocsp and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.ocsp differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-wrong_eku.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-wrong_eku.crt
index 9852aeea..b547d64d 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-wrong_eku.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-wrong_eku.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt
index 3f4f08aa..70b398f5 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.ocsp
index 9cab816d..e920cd38 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.ocsp and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.ocsp differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.crt
index b26ab5d4..156afaa2 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp
index f5e6e2aa..6dff38ec 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt
index 9a181690..17bdbc05 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt
index 416e6f02..0c2364f4 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.ocsp
index c73e92eb..028baa2a 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.ocsp and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.ocsp differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.crt
index e9d870e4..bf6c751a 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp
index 6018fba3..bbd64a37 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-wrong_eku.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-wrong_eku.crt
index 42786fc1..e311b4fa 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-wrong_eku.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-wrong_eku.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1.crt
index 824ebe8c..7c059e53 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1-int1.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1-int1.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1.crt b/rustls-platform-verifier/src/tests/verification_mock/root1.crt
index db367c18..0292e4c6 100644
Binary files a/rustls-platform-verifier/src/tests/verification_mock/root1.crt and b/rustls-platform-verifier/src/tests/verification_mock/root1.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_1.crt b/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_1.crt
deleted file mode 100644
index 48f37e49..00000000
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_1.crt and /dev/null differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_2.crt b/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_2.crt
deleted file mode 100644
index 3b2debb7..00000000
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_2.crt and /dev/null differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_3.crt b/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_3.crt
deleted file mode 100644
index 86b7dcd0..00000000
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_3.crt and /dev/null differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_1.crt b/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_1.crt
deleted file mode 100644
index c999d58c..00000000
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_1.crt and /dev/null differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_2.crt b/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_2.crt
deleted file mode 100644
index 66c211b4..00000000
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_2.crt and /dev/null differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_4.crt b/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_4.crt
deleted file mode 100644
index 75df0cc7..00000000
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_4.crt and /dev/null differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_1.crt b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_1.crt
new file mode 100644
index 00000000..3ca3b8c2
Binary files /dev/null and b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_1.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_2.crt b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_2.crt
new file mode 100644
index 00000000..f1e3552d
Binary files /dev/null and b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_2.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_3.crt b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_3.crt
similarity index 100%
rename from rustls-platform-verifier/src/tests/verification_real_world/agilebits_com_valid_3.crt
rename to rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_3.crt
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_4.crt b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_4.crt
similarity index 100%
rename from rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_4.crt
rename to rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_4.crt
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_1.crt b/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_1.crt
index 83045d86..e3991a7c 100644
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_1.crt and b/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_1.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_2.crt b/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_2.crt
index bbfc07a5..67d933a8 100644
Binary files a/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_2.crt and b/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_2.crt differ
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
index d78861a8..6cec9763 100644
--- a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
+++ b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
@@ -46,35 +46,49 @@ use crate::tests::{assert_cert_error_eq, test_provider, verification_time}; use crate::Verifier; // This is the certificate chain presented by one server for -// my.1password.com when this test was updated 2023-08-01. It is -// valid for *.1password.com and 1password.com from -// "Jun 24 00:00:00 2023 GMT" through "Jul 22 23:59:59 2024 GMT". +// `aws.amazon.com` when this test was updated 2025-08-13. // // Use this to template view the certificate using OpenSSL: // ```sh -// openssl x509 -inform der -text -in 1password_com_valid_1.crt | less +// openssl x509 -inform der -text -in aws_amazon_com_valid_1.crt | less // ``` // -// You can update the cert file with `update_valid_ee_certs.rs` -const VALID_1PASSWORD_COM_CHAIN: &[&[u8]] = &[ - include_bytes!("1password_com_valid_1.crt"), - include_bytes!("1password_com_valid_2.crt"), - include_bytes!("1password_com_valid_3.crt"), +// You can update these cert files with `examples/update-certs.rs` +const VALID_AWS_AMAZON_COM_CHAIN: &[&[u8]] = &[ + include_bytes!("aws_amazon_com_valid_1.crt"), + include_bytes!("aws_amazon_com_valid_2.crt"), + include_bytes!("aws_amazon_com_valid_3.crt"), // XXX: This certificate is included for testing in environments that might need // a cross-signed root certificate instead of the just the server-provided one. - include_bytes!("1password_com_valid_4.crt"), + include_bytes!("aws_amazon_com_valid_4.crt"), ]; -const MY_1PASSWORD_COM: &str = "my.1password.com"; +/// Returns a list of names valid for [VALID_AWS_AMAZON_COM_CHAIN], in a format +/// expected by `CertificateError::NotValidForContext`. 
+#[cfg(not(any(target_vendor = "apple", windows)))] +fn valid_aws_chain_names() -> Vec { + const VALID_AWS_NAMES: &[&str] = &[ + "aws.amazon.com", + "www.aws.amazon.com", + "aws-us-east-1.amazon.com", + "aws-us-west-2.amazon.com", + "amazonaws-china.com", + "www.amazonaws-china.com", + "1.aws-lbr.amazonaws.com", + ]; -// A domain name for which `VALID_1PASSWORD_COM_CHAIN` isn't valid. -const VALID_UNRELATED_DOMAIN: &str = "agilebits.com"; -const VALID_UNRELATED_CHAIN: &[&[u8]] = &[ - include_bytes!("agilebits_com_valid_1.crt"), - include_bytes!("agilebits_com_valid_2.crt"), - include_bytes!("agilebits_com_valid_3.crt"), - include_bytes!("agilebits_com_valid_4.crt"), -]; + VALID_AWS_NAMES + .iter() + .copied() + .map(|name| format!("DnsName(\"{name}\")")) + .collect() +} + +const AWS_AMAZON_COM: &str = "aws.amazon.com"; + +// Domain names for which `VALID_AWS_AMAZON_COM_CHAIN` isn't valid. +const VALID_UNRELATED_DOMAIN: &str = "my.1password.com"; +const VALID_UNRELATED_SUBDOMAIN: &str = "www.amazon.com"; const LETSENCRYPT_ORG: &str = "letsencrypt.org"; 
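Review bot: The doc comment on `valid_aws_chain_names` refers to `CertificateError::NotValidForContext`, but the variant the test cases in this file construct is `CertificateError::NotValidForNameContext`; the doc line should name that variant. The hard-coded `VALID_AWS_NAMES` list has to mirror the subject alternative names of `aws_amazon_com_valid_1.crt` (presumably in the same order), so it needs editing whenever that leaf is refreshed; a one-line comment next to the list, such as `// Must match the SAN list of aws_amazon_com_valid_1.crt; re-check after running update-certs.`, would save a debugging round. The rewritten chain comment also drops the validity window that the old comment recorded, which is the information needed to judge whether `verification_time()` still falls inside it. `VALID_UNRELATED_DOMAIN` and `VALID_UNRELATED_SUBDOMAIN` now hold names the chain is not valid for, so the `VALID_` prefix reads oddly.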
@@ -173,28 +187,28 @@ fn real_world_test(test_case: &TestCase) { // Prefer to staple the OCSP response for the end-entity certificate for // performance and repeatability. real_world_test_cases! { - // The certificate is valid for *.1password.com. - my_1password_com_valid => TestCase { - reference_id: MY_1PASSWORD_COM, - chain: VALID_1PASSWORD_COM_CHAIN, + // The certificate is valid for *.aws.amazon.com. + aws_amazon_com_valid => TestCase { + reference_id: AWS_AMAZON_COM, + chain: VALID_AWS_AMAZON_COM_CHAIN, stapled_ocsp: None, verification_time: verification_time(), expected_result: Ok(()), other_error: no_error!(), }, // Same as above but without stapled OCSP. - my_1password_com_valid_no_stapled => TestCase { - reference_id: MY_1PASSWORD_COM, - chain: VALID_1PASSWORD_COM_CHAIN, + aws_amazon_com_valid_no_stapled => TestCase { + reference_id: AWS_AMAZON_COM, + chain: VALID_AWS_AMAZON_COM_CHAIN, stapled_ocsp: None, verification_time: verification_time(), expected_result: Ok(()), other_error: no_error!(), }, - // Valid also for 1password.com (no subdomain). - _1password_com_valid => TestCase { - reference_id: "1password.com", - chain: VALID_1PASSWORD_COM_CHAIN, + // Valid also for www.amazon.amazon.com (extra subdomain). + _aws_amazon_com_valid => TestCase { + reference_id: "www.aws.amazon.com", + chain: VALID_AWS_AMAZON_COM_CHAIN, stapled_ocsp: None, verification_time: verification_time(), expected_result: Ok(()), 
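Review bot: Two comments added in this hunk do not describe the cases below them. `// The certificate is valid for *.aws.amazon.com.` implies a wildcard entry, while the names listed in `valid_aws_chain_names` contain none, and `// Valid also for www.amazon.amazon.com (extra subdomain).` does not match the `reference_id` of `"www.aws.amazon.com"`. Suggested wording: `// The certificate is valid for aws.amazon.com.` and `// Valid also for www.aws.amazon.com (extra subdomain).` The leading underscore in `_aws_amazon_com_valid` was only needed while the name began with a digit; `www_aws_amazon_com_valid` would say what is tested. The `real_world_test_cases!` invocation begins and ends outside the hunk.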
@@ -202,40 +216,30 @@ real_world_test_cases! { }, // The certificate isn't valid for an unrelated subdomain. unrelated_domain_invalid => TestCase { - reference_id: VALID_UNRELATED_DOMAIN, - chain: VALID_1PASSWORD_COM_CHAIN, + reference_id: VALID_UNRELATED_SUBDOMAIN, + chain: VALID_AWS_AMAZON_COM_CHAIN, stapled_ocsp: None, verification_time: verification_time(), #[cfg(not(any(target_vendor = "apple", windows)))] expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForNameContext { - expected: ServerName::DnsName(DnsName::try_from("agilebits.com").unwrap()), - presented: vec!["DnsName(\"*.1password.com\")".to_owned(), "DnsName(\"1password.com\")".to_owned()], + expected: ServerName::DnsName(DnsName::try_from(VALID_UNRELATED_SUBDOMAIN).unwrap()), + presented: valid_aws_chain_names(), })), #[cfg(any(target_vendor = "apple", windows))] expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForName)), other_error: no_error!(), }, - // The certificate chain for the unrelated domain is valid for that - // unrelated domain. - unrelated_chain_valid_for_unrelated_domain => TestCase { - reference_id: VALID_UNRELATED_DOMAIN, - chain: VALID_UNRELATED_CHAIN, - stapled_ocsp: None, - verification_time: verification_time(), - expected_result: Ok(()), - other_error: no_error!(), - }, // The certificate chain for the unrelated domain is not valid for // my.1password.com. 
unrelated_chain_not_valid_for_my_1password_com => TestCase { - reference_id: MY_1PASSWORD_COM, - chain: VALID_UNRELATED_CHAIN, + reference_id: VALID_UNRELATED_DOMAIN, + chain: VALID_AWS_AMAZON_COM_CHAIN, stapled_ocsp: None, verification_time: verification_time(), #[cfg(not(any(target_vendor = "apple", windows)))] expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForNameContext { - expected: ServerName::DnsName(DnsName::try_from("my.1password.com").unwrap()), - presented: vec!["DnsName(\"agilebits.com\")".to_owned(), "DnsName(\"www.agilebits.com\")".to_owned()], + expected: ServerName::DnsName(DnsName::try_from(VALID_UNRELATED_DOMAIN).unwrap()), + presented: valid_aws_chain_names(), })), #[cfg(any(target_vendor = "apple", windows))] expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForName)),
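Review bot: `unrelated_chain_not_valid_for_my_1password_com` no longer tests an unrelated chain: after this change it runs `VALID_AWS_AMAZON_COM_CHAIN` against `my.1password.com`, so its name and the context comment above it ("The certificate chain for the unrelated domain is not valid for my.1password.com") are stale. A name like `aws_chain_not_valid_for_unrelated_domain` with `// The AWS chain is not valid for an unrelated registrable domain.` would match what runs. `unrelated_domain_invalid` now checks `VALID_UNRELATED_SUBDOMAIN` (`www.amazon.com`), a name under the same parent domain as the certificate's own names, which is a useful negative case and deserves a comment stating that intent. With `unrelated_chain_valid_for_unrelated_domain` removed, both name-mismatch cases in this hunk exercise the same chain. The macro invocation continues outside the hunk.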