Make OCSP stapling tests more stable

src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs

@@ -154,6 +154,17 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
             return ValueTask.FromResult(_ocspResponse);
         }
 
+        internal ValueTask<byte[]?> WaitForPendingOcspFetchAsync()
+        {
+            Task<byte[]?>? pending = _pendingDownload;
+            if (pending is not null && !pending.IsFaulted)
+            {
+                return new ValueTask<byte[]?>(pending);
+            }
+
+            return ValueTask.FromResult(DateTimeOffset.UtcNow <= _ocspExpiration ? _ocspResponse : null);
+        }
+
         private ValueTask<byte[]?> DownloadOcspAsync()
         {
             Task<byte[]?>? pending = _pendingDownload;

src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs

@@ -18,6 +18,7 @@ namespace System.Net.Security.Tests;
 public class SslStreamCertificateContextOcspLinuxTests
 {
     [Fact]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task OfflineContext_NoFetchOcspResponse()
     {
         await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity, ctxFactory, responder) =>
@@ -31,6 +32,7 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
     }
 
     [Fact]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task FetchOcspResponse_NoExpiration_Success()
     {
         await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity, ctxFactory, responder) =>
@@ -46,6 +48,7 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
     [Theory]
     [InlineData(PkiOptions.OcspEverywhere)]
     [InlineData(PkiOptions.OcspEverywhere | PkiOptions.IssuerAuthorityHasDesignatedOcspResponder)]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task FetchOcspResponse_WithExpiration_Success(PkiOptions pkiOptions)
     {
         await SimpleTest(pkiOptions, async (root, intermediate, endEntity, ctxFactory, responder) =>
@@ -63,6 +66,7 @@ await SimpleTest(pkiOptions, async (root, intermediate, endEntity, ctxFactory, r
     }
 
     [Fact]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task FetchOcspResponse_Expired_ReturnsNull()
     {
         await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity, ctxFactory, responder) =>
@@ -76,6 +80,7 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
     }
 
     [Fact]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task FetchOcspResponse_FirstInvalidThenValid()
     {
         await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity, ctxFactory, responder) =>
@@ -93,6 +98,7 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
     }
 
     [Fact]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task RefreshOcspResponse_BeforeExpiration()
     {
         await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity, ctxFactory, responder) =>
@@ -101,7 +107,8 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
             intermediate.RevocationExpiration = DateTimeOffset.UtcNow.Add(SslStreamCertificateContext.MinRefreshBeforeExpirationInterval);
 
             SslStreamCertificateContext ctx = ctxFactory(false);
-            byte[] ocsp = await ctx.GetOcspResponseAsync();
+            byte[] ocsp = await ctx.WaitForPendingOcspFetchAsync();
+
             Assert.NotNull(ocsp);
 
             intermediate.RevocationExpiration = DateTimeOffset.UtcNow.AddDays(1);
@@ -111,24 +118,26 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
             byte[] ocsp2 = ctx.GetOcspResponseNoWaiting();
             Assert.Equal(ocsp, ocsp2);
 
-            await RetryHelper.ExecuteAsync(async () =>
-            {
-                byte[] ocsp3 = await ctx.GetOcspResponseAsync();
-                Assert.NotNull(ocsp3);
-                Assert.NotEqual(ocsp, ocsp3);
-            }, maxAttempts: 5, backoffFunc: i => (i + 1) * 200 /* ms */);
+            // The download should succeed
+            byte[] ocsp3 = await ctx.WaitForPendingOcspFetchAsync();
+            Assert.NotNull(ocsp3);
+            Assert.NotEqual(ocsp, ocsp3);
         });
     }
 
     [Fact]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task RefreshOcspResponse_AfterExpiration()
     {
         await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity, ctxFactory, responder) =>
         {
             intermediate.RevocationExpiration = DateTimeOffset.UtcNow.AddSeconds(1);
 
             SslStreamCertificateContext ctx = ctxFactory(false);
+            // Make sure the inner OCSP fetch finished
+            await ctx.WaitForPendingOcspFetchAsync();
 
+            // wait until the cached OCSP response expires
             await Task.Delay(2000);
 
             intermediate.RevocationExpiration = DateTimeOffset.UtcNow.AddDays(1);
@@ -137,14 +146,15 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
             byte[] ocsp = ctx.GetOcspResponseNoWaiting();
             Assert.Null(ocsp);
 
-            // subsequent call will return the new response
-            byte[] ocsp2 = await ctx.GetOcspResponseAsync();
+            // The download should succeed
+            byte[] ocsp2 = await ctx.WaitForPendingOcspFetchAsync();
             Assert.NotNull(ocsp2);
         });
     }
 
     [Fact]
     [OuterLoop("Takes about 15 seconds")]
+    [PlatformSpecific(TestPlatforms.Linux)]
     public async Task RefreshOcspResponse_FirstInvalidThenValid()
     {
         Assert.True(SslStreamCertificateContext.MinRefreshBeforeExpirationInterval > SslStreamCertificateContext.RefreshAfterFailureBackOffInterval * 4, "Backoff interval is too long");
@@ -155,25 +165,33 @@ await SimpleTest(PkiOptions.OcspEverywhere, async (root, intermediate, endEntity
             intermediate.RevocationExpiration = DateTimeOffset.UtcNow.Add(SslStreamCertificateContext.MinRefreshBeforeExpirationInterval);
 
             SslStreamCertificateContext ctx = ctxFactory(false);
-            byte[] ocsp = await ctx.GetOcspResponseAsync();
+            // Make sure the inner OCSP fetch finished
+            byte[] ocsp = await ctx.WaitForPendingOcspFetchAsync();
             Assert.NotNull(ocsp);
 
             responder.RespondKind = RespondKind.Invalid;
-            for (int i = 0; i < 3; i++)
+            for (int i = 0; i < 2; i++)
             {
-                await Task.Delay(SslStreamCertificateContext.RefreshAfterFailureBackOffInterval);
                 byte[] ocsp2 = await ctx.GetOcspResponseAsync();
                 Assert.Equal(ocsp, ocsp2);
+                await Task.Delay(SslStreamCertificateContext.RefreshAfterFailureBackOffInterval);
             }
 
+            // make sure we try again only after backoff expires
+            await ctx.WaitForPendingOcspFetchAsync();
+            await Task.Delay(SslStreamCertificateContext.RefreshAfterFailureBackOffInterval);
+
             // after responder comes back online, the staple is eventually refreshed
+            intermediate.RevocationExpiration = DateTimeOffset.UtcNow.AddDays(1);
             responder.RespondKind = RespondKind.Normal;
-            await RetryHelper.ExecuteAsync(async () =>
-            {
-                byte[] ocsp3 = await ctx.GetOcspResponseAsync();
-                Assert.NotNull(ocsp3);
-                Assert.NotEqual(ocsp, ocsp3);
-            }, maxAttempts: 5, backoffFunc: i => (i + 1) * 200 /* ms */);
+
+            // dispatch background refresh (first call still returns the old cached value)
+            await ctx.GetOcspResponseAsync();
+
+            // after refresh we should have a new staple
+            byte[] ocsp3 = await ctx.WaitForPendingOcspFetchAsync();
+            Assert.NotNull(ocsp3);
+            Assert.NotEqual(ocsp, ocsp3);
         });
     }