From 75964ec8a19aa2941ec29ffa35a98a2cbb19a979 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Tue, 12 Mar 2024 15:09:33 -0400
Subject: [PATCH] android: more detail for test config verify exception

Recently CI started failing the real world verification suite on
Android. The root cause was the vendored Let's Encrypt end entity
certificate expiring. Figuring this out was hard for two main reasons:

1. CI was eating the Android logs we needed to see the error message.
   This has since been fixed.

2. The Android verifier was surfacing the expiration as an unknown
   issuer error with a generic "Chain validation failed" message.

This branch attempts to fix item 2 by surfacing a more relevant error
message.

Unfortunately doing so is a little bit annoying. The
`checkServerTrusted` call throws an exception with ~3 layers of wrapping
before you get at the `CertificateExpiredException` that's the root
cause.

Since non-test configurations should never have an expired exception
thrown at this stage (recall we check this explicitly earlier in
processing), we gate the more complicated excepting "digging" based on
`BuildConfig.TEST`.

This should be a good balance of:

* not changing existing behaviour, or introducing complexity for normal
  validation
* surfacing a better error message when test certificates expire and
  start to break CI.
---
 .../platformverifier/CertificateVerifier.kt   | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt b/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt
index 95f0e400..02909564 100644
--- a/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt
+++ b/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt
@@ -253,6 +253,32 @@ internal object CertificateVerifier {
         val validChain = try {
             trustManager.checkServerTrusted(certificateChain.toTypedArray(), authMethod, serverName)
         } catch (e: CertificateException) {
+            // In test configurations we may see `checkServerTrusted` fail once vendored test
+            // certificates pass their expiry date. We try to avoid that by using a fixed
+            // verification time when calling `endEntity.checkValidity` above, however we can't
+            // fix the time for the `checkServerTrusted` call.
+            //
+            // To make diagnosing CI test failures easier we try to find the root cause of
+            // checkServerTrusted failing, returning a different `StatusCode` as appropriate.
+            if (BuildConfig.TEST) {
+                var rootCause: Throwable = e
+                while (rootCause.cause != rootCause) {
+                    rootCause.cause?.let {
+                        rootCause = it
+                    }
+                }
+                return when (rootCause) {
+                    is CertificateExpiredException, is CertificateNotYetValidException -> VerificationResult(
+                        StatusCode.Expired,
+                        rootCause.toString()
+                    )
+
+                    else -> VerificationResult(StatusCode.UnknownCert, rootCause.toString())
+                }
+            }
+            // In non-test configurations we should have caught expiry errors earlier and
+            // can simply return an unknown cert error without digging through the exception
+            // cause chain.
             return VerificationResult(StatusCode.UnknownCert, e.toString())
         }