tests: add x509-limbo coverage

This adds x509-limbo coverage using a vendored copy of the limbo.json
test data (bzipped to reduce the size from 39mb to 7.3mb). We take a git
dev dep on the upstream x509-limbo repo to reuse its harness helpers. By
doing this we can catch regressions proactively as part of the
development cycle instead of reactively when the upstream x509-limbo
project updates published webpki releases.

The test rigging is similar to the upstream "rustls-webpki" harness,
except that it tests against the expected outcomes per-testcase mod an
exceptions JSON file. That exceptions file is pre-populated based on the
current divergences listed on the x509-limbo.com website[0]. Some of
these divergences may motivate changes in the verifier that will remove
the exception, while others (e.g. not honoring EE cert CNs) will always
remain due to explicit design choices of this crate.

The test is ignored by default, because the runtime is longer than the
other tests.

With this in place we can also remove the ignored by default bettertls
coverage, since that project is included as a subset[1] of the x509-limbo
test cases.

[0]: https://x509-limbo.com/anomalous-results/rustls-webpki/
[1]: https://x509-limbo.com/testcases/bettertls/

Author: cpu

Cargo.lock

@@ -83,6 +83,8 @@ untrusted = "0.9"
 base64 = "0.22"
 bencher = "0.1.5"
 bzip2 = "0.6"
+chrono = "0.4"
+limbo-harness-support = { git = "https://github.com/C2SP/x509-limbo", rev = "9c7359242f16265a5154bc5989eca91822ef5ed2" }
 once_cell = "1.17.2"
 rcgen = { version = "0.14.2", default-features = false, features = ["aws_lc_rs"] }
 rustls-aws-lc-rs = { version = "0.1.0-dev.0" }

Cargo.toml

@@ -24,7 +24,11 @@ license-files = [
 
 [bans]
 wildcards = "deny"
+# Allow git/path dev-dependencies (like limbo-harness-support) without version specs
+allow-wildcard-paths = true
 
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
+# Allow git source for x509-limbo test harness (dev dependency only)
+allow-git = ["https://github.com/C2SP/x509-limbo"]