github.com/tcnksm/go@v0.0.0-20141208075154-439b32936367/src/crypto/x509/root_darwin_test.go

github.com/tcnksm/go@v0.0.0-20141208075154-439b32936367/src/crypto/x509/root_darwin_test.go (about)

     1  package x509
     2  
     3  import "testing"
     4  
     5  func TestSystemRoots(t *testing.T) {
     6  	sysRoots := systemRootsPool()         // actual system roots
     7  	execRoots, err := execSecurityRoots() // non-cgo roots
     8  
     9  	if err != nil {
    10  		t.Fatalf("failed to read system roots: %v", err)
    11  	}
    12  
    13  	for _, tt := range []*CertPool{sysRoots, execRoots} {
    14  		if tt == nil {
    15  			t.Fatal("no system roots")
    16  		}
    17  		// On Mavericks, there are 212 bundled certs; require only
    18  		// 150 here, since this is just a sanity check, and the
    19  		// exact number will vary over time.
    20  		if want, have := 150, len(tt.certs); have < want {
    21  			t.Fatalf("want at least %d system roots, have %d", want, have)
    22  		}
    23  	}
    24  
    25  	// Check that the two cert pools are roughly the same;
    26  	// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.
    27  
    28  	isect := make(map[string]bool, len(sysRoots.certs))
    29  	for _, c := range sysRoots.certs {
    30  		isect[string(c.Raw)] = true
    31  	}
    32  
    33  	have := 0
    34  	for _, c := range execRoots.certs {
    35  		if isect[string(c.Raw)] {
    36  			have++
    37  		}
    38  	}
    39  
    40  	var want int
    41  	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
    42  		want = nsys / 2
    43  	} else {
    44  		want = nexec / 2
    45  	}
    46  
    47  	if have < want {
    48  		t.Errorf("insufficent overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
    49  	}
    50  }