mirror of
https://github.com/golang/go.git
synced 2025-05-27 18:31:35 +00:00
7e5b2e0ec1
Darwin separately stores bits indicating whether a root certificate should be trusted; this changes Go to read and use those when initializing SystemCertPool. Unfortunately, the trust API is very slow. To avoid a delay of up to 0.5s in initializing the system cert pool, we assume that the trust settings found in kSecTrustSettingsDomainSystem will always indicate trust. (That is, all root certs Apple distributes are trusted.) This is not guaranteed by the API but is true in practice. In the non-cgo codepath, we do not have that benefit, so we must check the trust status of every certificate. This causes about 0.5s of delay in initializing the SystemCertPool. On OS X 10.11 and older, the "security" command requires a certificate to be provided in a file and not on stdin, so the non-cgo codepath creates temporary files for each certificate, further slowing initialization. Updates #18141. Change-Id: If681c514047afe5e1a68de6c9d40ceabbce54755 Reviewed-on: https://go-review.googlesource.com/33721 Run-TryBot: Quentin Smith <quentin@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
64 lines
1.6 KiB
Go
64 lines
1.6 KiB
Go
// Copyright 2013 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package x509
|
|
|
|
import (
|
|
"runtime"
|
|
"testing"
|
|
)
|
|
|
|
func TestSystemRoots(t *testing.T) {
|
|
switch runtime.GOARCH {
|
|
case "arm", "arm64":
|
|
t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
|
|
}
|
|
|
|
sysRoots := systemRootsPool() // actual system roots
|
|
execRoots, err := execSecurityRoots() // non-cgo roots
|
|
|
|
if err != nil {
|
|
t.Fatalf("failed to read system roots: %v", err)
|
|
}
|
|
|
|
for _, tt := range []*CertPool{sysRoots, execRoots} {
|
|
if tt == nil {
|
|
t.Fatal("no system roots")
|
|
}
|
|
// On Mavericks, there are 212 bundled certs; require only
|
|
// 150 here, since this is just a sanity check, and the
|
|
// exact number will vary over time.
|
|
t.Logf("got %d roots", len(tt.certs))
|
|
if want, have := 150, len(tt.certs); have < want {
|
|
t.Fatalf("want at least %d system roots, have %d", want, have)
|
|
}
|
|
}
|
|
|
|
// Check that the two cert pools are roughly the same;
|
|
// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.
|
|
|
|
isect := make(map[string]bool, len(sysRoots.certs))
|
|
for _, c := range sysRoots.certs {
|
|
isect[string(c.Raw)] = true
|
|
}
|
|
|
|
have := 0
|
|
for _, c := range execRoots.certs {
|
|
if isect[string(c.Raw)] {
|
|
have++
|
|
}
|
|
}
|
|
|
|
var want int
|
|
if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
|
|
want = nsys / 2
|
|
} else {
|
|
want = nexec / 2
|
|
}
|
|
|
|
if have < want {
|
|
t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
|
|
}
|
|
}
|