src/crypto/x509/root_darwin_test.go - go - Git at Google

 // Copyright 2013 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package x509

 import (
 	"runtime"
 	"testing"
 	"time"
 )

 func TestSystemRoots(t *testing.T) {
 	switch runtime.GOARCH {
 	case "arm", "arm64":
 		t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
 	}

 	t0 := time.Now()
 	sysRoots := systemRootsPool() // actual system roots
 	sysRootsDuration := time.Since(t0)

 	t1 := time.Now()
 	execRoots, err := execSecurityRoots() // non-cgo roots
 	execSysRootsDuration := time.Since(t1)

 	if err != nil {
 		t.Fatalf("failed to read system roots: %v", err)
 	}

 	t.Logf("    cgo sys roots: %v", sysRootsDuration)
 	t.Logf("non-cgo sys roots: %v", execSysRootsDuration)

 	for _, tt := range []*CertPool{sysRoots, execRoots} {
 		if tt == nil {
 			t.Fatal("no system roots")
 		}
 		// On Mavericks, there are 212 bundled certs, at least
 		// there was at one point in time on one machine.
 		// (Maybe it was a corp laptop with extra certs?)
 		// Other OS X users report
 		// 135, 142, 145...  Let's try requiring at least 100,
 		// since this is just a sanity check.
 		t.Logf("got %d roots", len(tt.certs))
 		if want, have := 100, len(tt.certs); have < want {
 			t.Fatalf("want at least %d system roots, have %d", want, have)
 		}
 	}

 	// Check that the two cert pools are roughly the same;
 	// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.

 	isect := make(map[string]bool, len(sysRoots.certs))
 	for _, c := range sysRoots.certs {
 		isect[string(c.Raw)] = true
 	}

 	have := 0
 	for _, c := range execRoots.certs {
 		if isect[string(c.Raw)] {
 			have++
 		}
 	}

 	var want int
 	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
 		want = nsys / 2
 	} else {
 		want = nexec / 2
 	}

 	if have < want {
 		t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
 	}
 }
	// Copyright 2013 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package x509

	import (
	"runtime"
	"testing"
	"time"
	)

	func TestSystemRoots(t *testing.T) {
	switch runtime.GOARCH {
	case "arm", "arm64":
	t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
	}

	t0 := time.Now()
	sysRoots := systemRootsPool() // actual system roots
	sysRootsDuration := time.Since(t0)

	t1 := time.Now()
	execRoots, err := execSecurityRoots() // non-cgo roots
	execSysRootsDuration := time.Since(t1)

	if err != nil {
	t.Fatalf("failed to read system roots: %v", err)
	}

	t.Logf(" cgo sys roots: %v", sysRootsDuration)
	t.Logf("non-cgo sys roots: %v", execSysRootsDuration)

	for _, tt := range []*CertPool{sysRoots, execRoots} {
	if tt == nil {
	t.Fatal("no system roots")
	}
	// On Mavericks, there are 212 bundled certs, at least
	// there was at one point in time on one machine.
	// (Maybe it was a corp laptop with extra certs?)
	// Other OS X users report
	// 135, 142, 145... Let's try requiring at least 100,
	// since this is just a sanity check.
	t.Logf("got %d roots", len(tt.certs))
	if want, have := 100, len(tt.certs); have < want {
	t.Fatalf("want at least %d system roots, have %d", want, have)
	}
	}

	// Check that the two cert pools are roughly the same;
	// \|A∩B\| > max(\|A\|, \|B\|) / 2 should be a reasonably robust check.

	isect := make(map[string]bool, len(sysRoots.certs))
	for _, c := range sysRoots.certs {
	isect[string(c.Raw)] = true
	}

	have := 0
	for _, c := range execRoots.certs {
	if isect[string(c.Raw)] {
	have++
	}
	}

	var want int
	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
	want = nsys / 2
	} else {
	want = nexec / 2
	}

	if have < want {
	t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
	}
	}