go/src/crypto/x509/root_darwin_test.go

// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509

import (
	"runtime"
	"testing"
	"time"
)

func TestSystemRoots(t *testing.T) {
	switch runtime.GOARCH {
	case "arm", "arm64":
		t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
	}

	switch runtime.GOOS {
	case "darwin":
		t.Skipf("skipping on %s/%s until golang.org/issue/24652 has been resolved.", runtime.GOOS, runtime.GOARCH)
	}

	t0 := time.Now()
	sysRoots := systemRootsPool() // actual system roots
	sysRootsDuration := time.Since(t0)

	t1 := time.Now()
	execRoots, err := execSecurityRoots() // non-cgo roots
	execSysRootsDuration := time.Since(t1)

	if err != nil {
		t.Fatalf("failed to read system roots: %v", err)
	}

	t.Logf("    cgo sys roots: %v", sysRootsDuration)
	t.Logf("non-cgo sys roots: %v", execSysRootsDuration)

	for _, tt := range []*CertPool{sysRoots, execRoots} {
		if tt == nil {
			t.Fatal("no system roots")
		}
		// On Mavericks, there are 212 bundled certs, at least
		// there was at one point in time on one machine.
		// (Maybe it was a corp laptop with extra certs?)
		// Other OS X users report
		// 135, 142, 145...  Let's try requiring at least 100,
		// since this is just a sanity check.
		t.Logf("got %d roots", len(tt.certs))
		if want, have := 100, len(tt.certs); have < want {
			t.Fatalf("want at least %d system roots, have %d", want, have)
		}
	}

	// Check that the two cert pools are roughly the same;
	// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.

	isect := make(map[string]bool, len(sysRoots.certs))
	for _, c := range sysRoots.certs {
		isect[string(c.Raw)] = true
	}

	have := 0
	for _, c := range execRoots.certs {
		if isect[string(c.Raw)] {
			have++
		}
	}

	var want int
	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
		want = nsys / 2
	} else {
		want = nexec / 2
	}

	if have < want {
		t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
	}
}
crypto/x509: add missing copyright Change-Id: Ida3b431a06527f6cd604ab4af5ce517959c8619b Reviewed-on: https://go-review.googlesource.com/2306 Reviewed-by: Dave Cheney <dave@cheney.net> 2015-01-05 15:29:10 +09:00			`// Copyright 2013 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`package x509`

crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com> 2015-02-27 09:08:35 -05:00			`import (`
			`"runtime"`
			`"testing"`
crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org> 2016-12-15 05:53:01 +00:00			`"time"`
crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com> 2015-02-27 09:08:35 -05:00			`)`
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00
			`func TestSystemRoots(t *testing.T) {`
crypto/x509: skip arm64 tests limited by iOS Just like darwin/arm. Change-Id: Ib0438021bfe9eb105222b93e5bb375c282cc7b8c Reviewed-on: https://go-review.googlesource.com/8822 Reviewed-by: Minux Ma <minux@golang.org> 2015-04-11 19:30:37 -04:00			`switch runtime.GOARCH {`
			`case "arm", "arm64":`
			`t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)`
crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com> 2015-02-27 09:08:35 -05:00			`}`

crypto/x509: skip TestSystemRoots cgo and non-cgo code paths can disagree on the number of root certificates: === RUN TestSystemRoots --- FAIL: TestSystemRoots (0.31s) root_darwin_test.go:31: cgo sys roots: 93.605184ms root_darwin_test.go:32: non-cgo sys roots: 213.998586ms root_darwin_test.go:44: got 168 roots root_darwin_test.go:44: got 427 roots root_darwin_test.go:73: insufficient overlap between cgo and non-cgo roots; want at least 213, have 168 FAIL exit status 1 Updates #21416 Updates #24652 Change-Id: Idb6d35b17c142dfff79a10cf6b40a42d12f9d17e Reviewed-on: https://go-review.googlesource.com/125259 Run-TryBot: Martin Möhrmann <moehrmann@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 2018-07-20 16:41:26 +02:00			`switch runtime.GOOS {`
			`case "darwin":`
			`t.Skipf("skipping on %s/%s until golang.org/issue/24652 has been resolved.", runtime.GOOS, runtime.GOARCH)`
			`}`

crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org> 2016-12-15 05:53:01 +00:00			`t0 := time.Now()`
			`sysRoots := systemRootsPool() // actual system roots`
			`sysRootsDuration := time.Since(t0)`

			`t1 := time.Now()`
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`execRoots, err := execSecurityRoots() // non-cgo roots`
crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org> 2016-12-15 05:53:01 +00:00			`execSysRootsDuration := time.Since(t1)`
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00
			`if err != nil {`
			`t.Fatalf("failed to read system roots: %v", err)`
			`}`

crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org> 2016-12-15 05:53:01 +00:00			`t.Logf(" cgo sys roots: %v", sysRootsDuration)`
			`t.Logf("non-cgo sys roots: %v", execSysRootsDuration)`

crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`for _, tt := range []*CertPool{sysRoots, execRoots} {`
			`if tt == nil {`
			`t.Fatal("no system roots")`
			`}`
crypto/x509: reduce test's sought number of system certs 150 is too high for some people. Reports of 132, 145, 149 on OS X. Fixes #18203 Change-Id: I559639aba7e87e07d1a1249f8b212b3f34a078ab Reviewed-on: https://go-review.googlesource.com/34019 Reviewed-by: Russ Cox <rsc@golang.org> 2016-12-07 16:18:51 +00:00			`// On Mavericks, there are 212 bundled certs, at least`
			`// there was at one point in time on one machine.`
			`// (Maybe it was a corp laptop with extra certs?)`
			`// Other OS X users report`
			`// 135, 142, 145... Let's try requiring at least 100,`
			`// since this is just a sanity check.`
crypto/x509: read Darwin trust settings for root CAs Darwin separately stores bits indicating whether a root certificate should be trusted; this changes Go to read and use those when initializing SystemCertPool. Unfortunately, the trust API is very slow. To avoid a delay of up to 0.5s in initializing the system cert pool, we assume that the trust settings found in kSecTrustSettingsDomainSystem will always indicate trust. (That is, all root certs Apple distributes are trusted.) This is not guaranteed by the API but is true in practice. In the non-cgo codepath, we do not have that benefit, so we must check the trust status of every certificate. This causes about 0.5s of delay in initializing the SystemCertPool. On OS X 10.11 and older, the "security" command requires a certificate to be provided in a file and not on stdin, so the non-cgo codepath creates temporary files for each certificate, further slowing initialization. Updates #18141. Change-Id: If681c514047afe5e1a68de6c9d40ceabbce54755 Reviewed-on: https://go-review.googlesource.com/33721 Run-TryBot: Quentin Smith <quentin@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> 2016-11-30 15:16:37 -05:00			`t.Logf("got %d roots", len(tt.certs))`
crypto/x509: reduce test's sought number of system certs 150 is too high for some people. Reports of 132, 145, 149 on OS X. Fixes #18203 Change-Id: I559639aba7e87e07d1a1249f8b212b3f34a078ab Reviewed-on: https://go-review.googlesource.com/34019 Reviewed-by: Russ Cox <rsc@golang.org> 2016-12-07 16:18:51 +00:00			`if want, have := 100, len(tt.certs); have < want {`
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`t.Fatalf("want at least %d system roots, have %d", want, have)`
			`}`
			`}`

			`// Check that the two cert pools are roughly the same;`
			`// \|A∩B\| > max(\|A\|, \|B\|) / 2 should be a reasonably robust check.`

			`isect := make(map[string]bool, len(sysRoots.certs))`
			`for _, c := range sysRoots.certs {`
			`isect[string(c.Raw)] = true`
			`}`

			`have := 0`
			`for _, c := range execRoots.certs {`
			`if isect[string(c.Raw)] {`
			`have++`
			`}`
			`}`

			`var want int`
			`if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {`
			`want = nsys / 2`
			`} else {`
			`want = nexec / 2`
			`}`

			`if have < want {`
all: fix typos and spelling Change-Id: Icd06d99c42b8299fd931c7da821e1f418684d913 Reviewed-on: https://go-review.googlesource.com/19829 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 2016-02-24 11:55:20 +01:00			`t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)`
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045 2013-12-18 10:57:07 -05:00			`}`
			`}`