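// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509

import (
	"runtime"
	"testing"
)

// TestSystemRoots sanity-checks the two loaders for the system trust store,
// systemRootsPool and execSecurityRoots. Each must return a non-nil pool with
// a plausible number of roots, and the two pools must largely overlap.
//
// The comparison matters because these pools are the trust anchors: a loader
// that silently returns a truncated or divergent set changes which
// certificate chains are accepted, so a regression in either path should fail
// loudly here and say which loader produced it.
func TestSystemRoots(t *testing.T) {
	switch runtime.GOARCH {
	case "arm", "arm64":
		t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
	}

	sysRoots := systemRootsPool()         // actual system roots
	execRoots, err := execSecurityRoots() // non-cgo roots
	if err != nil {
		t.Fatalf("failed to read system roots: %v", err)
	}

	// Name each pool after its loader so that a failure identifies the
	// code path that returned too few roots.
	pools := []struct {
		name string
		pool *CertPool
	}{
		{"systemRootsPool", sysRoots},
		{"execSecurityRoots", execRoots},
	}
	for _, p := range pools {
		if p.pool == nil {
			t.Fatalf("%s: no system roots", p.name)
		}
		// On Mavericks, there are 212 bundled certs; require only
		// 150 here, since this is just a sanity check, and the
		// exact number will vary over time.
		if want, have := 150, len(p.pool.certs); have < want {
			t.Fatalf("%s: want at least %d system roots, have %d", p.name, want, have)
		}
	}

	// Check that the two cert pools are roughly the same;
	// |A∩B| >= max(|A|, |B|) / 2 should be a reasonably robust check.
	// Certificates are compared by their raw DER bytes.
	isect := make(map[string]bool, len(sysRoots.certs))
	for _, c := range sysRoots.certs {
		isect[string(c.Raw)] = true
	}

	have := 0
	for _, c := range execRoots.certs {
		if isect[string(c.Raw)] {
			have++
		}
	}

	// want is half the size of the larger pool (integer division).
	var want int
	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
		want = nsys / 2
	} else {
		want = nexec / 2
	}

	if have < want {
		t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
	}
}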