LEFT | RIGHT |
(no file at all) | |
| 1 package x509 |
| 2 |
| 3 import "testing" |
| 4 |
| 5 func TestSystemRoots(t *testing.T) { |
| 6 sysRoots := systemRootsPool() // actual system roots |
| 7 execRoots, err := execSecurityRoots() // non-cgo roots |
| 8 |
| 9 if err != nil { |
| 10 t.Fatalf("failed to read system roots: %v", err) |
| 11 } |
| 12 |
| 13 for _, tt := range []*CertPool{sysRoots, execRoots} { |
| 14 if tt == nil { |
| 15 t.Fatal("no system roots") |
| 16 } |
| 17 // On Mavericks, there are 212 bundled certs; require only |
| 18 // 150 here, since this is just a sanity check, and the |
| 19 // exact number will vary over time. |
| 20 if want, have := 150, len(tt.certs); have < want { |
| 21 t.Fatalf("want at least %d system roots, have %d", want,
have) |
| 22 } |
| 23 } |
| 24 |
| 25 // Check that the two cert pools are roughly the same; |
| 26 // |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check. |
| 27 |
| 28 isect := make(map[string]bool, len(sysRoots.certs)) |
| 29 for _, c := range sysRoots.certs { |
| 30 isect[string(c.Raw)] = true |
| 31 } |
| 32 |
| 33 have := 0 |
| 34 for _, c := range execRoots.certs { |
| 35 if isect[string(c.Raw)] { |
| 36 have++ |
| 37 } |
| 38 } |
| 39 |
| 40 var want int |
| 41 if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexe
c { |
| 42 want = nsys / 2 |
| 43 } else { |
| 44 want = nexec / 2 |
| 45 } |
| 46 |
| 47 if have < want { |
| 48 t.Errorf("insufficent overlap between cgo and non-cgo roots; wan
t at least %d, have %d", want, have) |
| 49 } |
| 50 } |
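Review bot: The overlap check at new lines 28–49 only counts shared certificates, so a root present in the non-cgo (exec) pool but absent from the cgo pool is never reported. For a trust store that is the direction a reader of the test output most needs to see. Consider giving the `if isect[string(c.Raw)]` at line 35 an `else` branch that logs the stray entry, e.g. `t.Logf("root only in non-cgo pool: %q", c.Subject.CommonName)`. The comment at line 26 states a strict `>` while the check at line 47 also passes on equality, so one of the two should be adjusted to match. The message at line 48 misspells "insufficient".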