crypto/x509: add support for CertPool to load certs lazily

(from patchset 1, 7cdc3c3e7427c9ef69e19224d6036c09c5ea1723, of
https://go-review.googlesource.com/c/go/+/229917/1)

This will allow building CertPools that consume less memory. (Most
certs are never accessed. Different users/programs access different
ones, but not many.)

This CL only adds the new internal mechanism (and uses it for the
old AddCert) but does not modify any existing root pool behavior.
(That is, the default Unix roots are still all slurped into memory as
of this CL)

Change-Id: Ib3a42e4050627b5e34413c595d8ced839c7bfa14
This commit is contained in:
Brad Fitzpatrick
2020-04-24 21:13:43 -07:00
parent 6b232b5a79
commit f5993f2440
6 changed files with 136 additions and 43 deletions
+10 -6
View File
@@ -113,15 +113,15 @@ func TestEnvVars(t *testing.T) {
// Verify that the returned certs match, otherwise report where the mismatch is.
for i, cn := range tc.cns {
if i >= len(r.certs) {
if i >= r.len() {
t.Errorf("missing cert %v @ %v", cn, i)
} else if r.certs[i].Subject.CommonName != cn {
fmt.Printf("%#v\n", r.certs[0].Subject)
t.Errorf("unexpected cert common name %q, want %q", r.certs[i].Subject.CommonName, cn)
} else if r.mustCert(i).Subject.CommonName != cn {
fmt.Printf("%#v\n", r.mustCert(0).Subject)
t.Errorf("unexpected cert common name %q, want %q", r.mustCert(i).Subject.CommonName, cn)
}
}
if len(r.certs) > len(tc.cns) {
t.Errorf("got %v certs, which is more than %v wanted", len(r.certs), len(tc.cns))
if r.len() > len(tc.cns) {
t.Errorf("got %v certs, which is more than %v wanted", r.len(), len(tc.cns))
}
})
}
@@ -197,6 +197,10 @@ func TestLoadSystemCertsLoadColonSeparatedDirs(t *testing.T) {
strCertPool := func(p *CertPool) string {
return string(bytes.Join(p.Subjects(), []byte("\n")))
}
zeroPoolFuncs(gotPool)
zeroPoolFuncs(wantPool)
if !reflect.DeepEqual(gotPool, wantPool) {
g, w := strCertPool(gotPool), strCertPool(wantPool)
t.Fatalf("Mismatched certPools\nGot:\n%s\n\nWant:\n%s", g, w)