go/src/crypto/x509/root_darwin_test.go

// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509

import (
	"runtime"
	"testing"
)

func TestSystemRoots(t *testing.T) {
	switch runtime.GOARCH {
	case "arm", "arm64":
		t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
	}

	sysRoots := systemRootsPool()         // actual system roots
	execRoots, err := execSecurityRoots() // non-cgo roots

	if err != nil {
		t.Fatalf("failed to read system roots: %v", err)
	}

	for _, tt := range []*CertPool{sysRoots, execRoots} {
		if tt == nil {
			t.Fatal("no system roots")
		}
		// On Mavericks, there are 212 bundled certs; require only
		// 150 here, since this is just a sanity check, and the
		// exact number will vary over time.
		if want, have := 150, len(tt.certs); have < want {
			t.Fatalf("want at least %d system roots, have %d", want, have)
		}
	}

	// Check that the two cert pools are roughly the same;
	// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.

	isect := make(map[string]bool, len(sysRoots.certs))
	for _, c := range sysRoots.certs {
		isect[string(c.Raw)] = true
	}

	have := 0
	for _, c := range execRoots.certs {
		if isect[string(c.Raw)] {
			have++
		}
	}

	var want int
	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
		want = nsys / 2
	} else {
		want = nexec / 2
	}

	if have < want {
		t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
	}
}
crypto/x509: add missing copyright Change-Id: Ida3b431a06527f6cd604ab4af5ce517959c8619b Reviewed-on: https://go-review.googlesource.com/2306 Reviewed-by: Dave Cheney <dave@cheney.net> 2015-01-05 15:29:10 +09:00			`// Copyright 2013 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`package x509`

crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com> 2015-02-27 09:08:35 -05:00			`import (`
			`"runtime"`
			`"testing"`
			`)`
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00
			`func TestSystemRoots(t *testing.T) {`
crypto/x509: skip arm64 tests limited by iOS Just like darwin/arm. Change-Id: Ib0438021bfe9eb105222b93e5bb375c282cc7b8c Reviewed-on: https://go-review.googlesource.com/8822 Reviewed-by: Minux Ma <minux@golang.org> 2015-04-11 19:30:37 -04:00			`switch runtime.GOARCH {`
			`case "arm", "arm64":`
			`t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)`
crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com> 2015-02-27 09:08:35 -05:00			`}`

crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`sysRoots := systemRootsPool() // actual system roots`
			`execRoots, err := execSecurityRoots() // non-cgo roots`

			`if err != nil {`
			`t.Fatalf("failed to read system roots: %v", err)`
			`}`

			`for _, tt := range []*CertPool{sysRoots, execRoots} {`
			`if tt == nil {`
			`t.Fatal("no system roots")`
			`}`
			`// On Mavericks, there are 212 bundled certs; require only`
			`// 150 here, since this is just a sanity check, and the`
			`// exact number will vary over time.`
			`if want, have := 150, len(tt.certs); have < want {`
			`t.Fatalf("want at least %d system roots, have %d", want, have)`
			`}`
			`}`

			`// Check that the two cert pools are roughly the same;`
			`// \|A∩B\| > max(\|A\|, \|B\|) / 2 should be a reasonably robust check.`

			`isect := make(map[string]bool, len(sysRoots.certs))`
			`for _, c := range sysRoots.certs {`
			`isect[string(c.Raw)] = true`
			`}`

			`have := 0`
			`for _, c := range execRoots.certs {`
			`if isect[string(c.Raw)] {`
			`have++`
			`}`
			`}`

			`var want int`
			`if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {`
			`want = nsys / 2`
			`} else {`
			`want = nexec / 2`
			`}`

			`if have < want {`
all: fix typos and spelling Change-Id: Icd06d99c42b8299fd931c7da821e1f418684d913 Reviewed-on: https://go-review.googlesource.com/19829 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 2016-02-24 11:55:20 +01:00			`t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)`
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`}`
			`}`