...
Run Format

Source file src/crypto/x509/root_darwin_test.go

Documentation: crypto/x509

     1  // Copyright 2013 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package x509
     6  
     7  import (
     8  	"runtime"
     9  	"testing"
    10  	"time"
    11  )
    12  
    13  func TestSystemRoots(t *testing.T) {
    14  	switch runtime.GOARCH {
    15  	case "arm", "arm64":
    16  		t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
    17  	}
    18  
    19  	switch runtime.GOOS {
    20  	case "darwin":
    21  		t.Skipf("skipping on %s/%s until golang.org/issue/24652 has been resolved.", runtime.GOOS, runtime.GOARCH)
    22  	}
    23  
    24  	t0 := time.Now()
    25  	sysRoots := systemRootsPool() // actual system roots
    26  	sysRootsDuration := time.Since(t0)
    27  
    28  	t1 := time.Now()
    29  	execRoots, err := execSecurityRoots() // non-cgo roots
    30  	execSysRootsDuration := time.Since(t1)
    31  
    32  	if err != nil {
    33  		t.Fatalf("failed to read system roots: %v", err)
    34  	}
    35  
    36  	t.Logf("    cgo sys roots: %v", sysRootsDuration)
    37  	t.Logf("non-cgo sys roots: %v", execSysRootsDuration)
    38  
    39  	for _, tt := range []*CertPool{sysRoots, execRoots} {
    40  		if tt == nil {
    41  			t.Fatal("no system roots")
    42  		}
    43  		// On Mavericks, there are 212 bundled certs, at least
    44  		// there was at one point in time on one machine.
    45  		// (Maybe it was a corp laptop with extra certs?)
    46  		// Other OS X users report
    47  		// 135, 142, 145...  Let's try requiring at least 100,
    48  		// since this is just a sanity check.
    49  		t.Logf("got %d roots", len(tt.certs))
    50  		if want, have := 100, len(tt.certs); have < want {
    51  			t.Fatalf("want at least %d system roots, have %d", want, have)
    52  		}
    53  	}
    54  
    55  	// Check that the two cert pools are roughly the same;
    56  	// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.
    57  
    58  	isect := make(map[string]bool, len(sysRoots.certs))
    59  	for _, c := range sysRoots.certs {
    60  		isect[string(c.Raw)] = true
    61  	}
    62  
    63  	have := 0
    64  	for _, c := range execRoots.certs {
    65  		if isect[string(c.Raw)] {
    66  			have++
    67  		}
    68  	}
    69  
    70  	var want int
    71  	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
    72  		want = nsys / 2
    73  	} else {
    74  		want = nexec / 2
    75  	}
    76  
    77  	if have < want {
    78  		t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
    79  	}
    80  }
    81  

View as plain text