go/src/crypto/x509/root_darwin_test.go

package x509

import "testing"

func TestSystemRoots(t *testing.T) {
	sysRoots := systemRootsPool()         // actual system roots
	execRoots, err := execSecurityRoots() // non-cgo roots

	if err != nil {
		t.Fatalf("failed to read system roots: %v", err)
	}

	for _, tt := range []*CertPool{sysRoots, execRoots} {
		if tt == nil {
			t.Fatal("no system roots")
		}
		// On Mavericks, there are 212 bundled certs; require only
		// 150 here, since this is just a sanity check, and the
		// exact number will vary over time.
		if want, have := 150, len(tt.certs); have < want {
			t.Fatalf("want at least %d system roots, have %d", want, have)
		}
	}

	// Check that the two cert pools are roughly the same;
	// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.

	isect := make(map[string]bool, len(sysRoots.certs))
	for _, c := range sysRoots.certs {
		isect[string(c.Raw)] = true
	}

	have := 0
	for _, c := range execRoots.certs {
		if isect[string(c.Raw)] {
			have++
		}
	}

	var want int
	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
		want = nsys / 2
	} else {
		want = nexec / 2
	}

	if have < want {
		t.Errorf("insufficent overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
	}
}
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`package x509`

			`import "testing"`

			`func TestSystemRoots(t *testing.T) {`
			`sysRoots := systemRootsPool() // actual system roots`
			`execRoots, err := execSecurityRoots() // non-cgo roots`

			`if err != nil {`
			`t.Fatalf("failed to read system roots: %v", err)`
			`}`

			`for _, tt := range []*CertPool{sysRoots, execRoots} {`
			`if tt == nil {`
			`t.Fatal("no system roots")`
			`}`
			`// On Mavericks, there are 212 bundled certs; require only`
			`// 150 here, since this is just a sanity check, and the`
			`// exact number will vary over time.`
			`if want, have := 150, len(tt.certs); have < want {`
			`t.Fatalf("want at least %d system roots, have %d", want, have)`
			`}`
			`}`

			`// Check that the two cert pools are roughly the same;`
			`// \|A∩B\| > max(\|A\|, \|B\|) / 2 should be a reasonably robust check.`

			`isect := make(map[string]bool, len(sysRoots.certs))`
			`for _, c := range sysRoots.certs {`
			`isect[string(c.Raw)] = true`
			`}`

			`have := 0`
			`for _, c := range execRoots.certs {`
			`if isect[string(c.Raw)] {`
			`have++`
			`}`
			`}`

			`var want int`
			`if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {`
			`want = nsys / 2`
			`} else {`
			`want = nexec / 2`
			`}`

			`if have < want {`
			`t.Errorf("insufficent overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)`
			`}`
			`}`