[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-22-sectrust-iap.c

/*
 * Copyright (c) 2006-2016 Apple Inc. All Rights Reserved.
 */

#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecCertificate.h>
#include <Security/SecCertificatePriv.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecTrust.h>
#include <utilities/array_size.h>
#include <utilities/SecCFRelease.h>
#include <stdlib.h>
#include <unistd.h>

#include "shared_regressions.h"

#include "si-22-sectrust-iap.h"

static void tests(void)
{
    SecTrustRef trust;
	SecCertificateRef iAP1CA, iAP2CA, leaf0, leaf1;
	isnt(iAP1CA = SecCertificateCreateWithBytes(NULL, _iAP1CA, sizeof(_iAP1CA)),
		NULL, "create iAP1CA");
	isnt(iAP2CA = SecCertificateCreateWithBytes(NULL, _iAP2CA, sizeof(_iAP2CA)),
		NULL, "create iAP2CA");
	isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)),
		NULL, "create leaf0");
	isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)),
		NULL, "create leaf1");
    {
        // temporarily grab some stack space and fill it with 0xFF;
        // when we exit this scope, the stack pointer should shrink but leave the memory filled.
        // this tests for a stack overflow bug inside SecPolicyCreateiAP (rdar://16056248)
        char buf[2048];
        memset(buf, 0xFF, sizeof(buf));
    }
    SecPolicyRef policy = SecPolicyCreateiAP();
	const void *v_anchors[] = {
		iAP1CA,
		iAP2CA
	};
    CFArrayRef anchors = CFArrayCreate(NULL, v_anchors,
		array_size(v_anchors), NULL);
    CFArrayRef certs0 = CFArrayCreate(NULL, (const void **)&leaf0, 1, &kCFTypeArrayCallBacks);
    CFArrayRef certs1 = CFArrayCreate(NULL, (const void **)&leaf1, 1, &kCFTypeArrayCallBacks);
    ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust for leaf0");
	ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");

	/* Jan 1st 2008. */
	CFDateRef date = CFDateCreate(NULL, 220752000.0);
    ok_status(SecTrustSetVerifyDate(trust, date), "set date");

	SecTrustResultType trustResult;
    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
    is_status(trustResult, kSecTrustResultUnspecified,
		"trust is kSecTrustResultUnspecified");

	is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");

	CFReleaseSafe(trust);
    ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust for leaf1");
	ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
    is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");

	CFReleaseSafe(anchors);
	CFReleaseSafe(certs1);
	CFReleaseSafe(certs0);
	CFReleaseSafe(trust);
	CFReleaseSafe(policy);
	CFReleaseSafe(leaf0);
	CFReleaseSafe(leaf1);
	CFReleaseSafe(iAP1CA);
	CFReleaseSafe(iAP2CA);
	CFReleaseSafe(date);
}

static void test_v3(void) {
    SecCertificateRef v3CA = NULL, v3leaf = NULL;
    isnt(v3CA = SecCertificateCreateWithBytes(NULL, _v3ca, sizeof(_v3ca)),
         NULL, "create v3leaf");
    isnt(v3leaf = SecCertificateCreateWithBytes(NULL, _v3leaf, sizeof(_v3leaf)),
         NULL, "create v3leaf");

    /* Test v3 certs meet iAP policy */
    SecPolicyRef policy = NULL;
    SecTrustRef trust = NULL;
    CFArrayRef certs = NULL, anchors = NULL;
    CFDateRef date = NULL;
    SecTrustResultType trustResult;

    certs = CFArrayCreate(NULL, (const void **)&v3leaf, 1, &kCFTypeArrayCallBacks);
    anchors = CFArrayCreate(NULL, (const void **)&v3CA, 1, &kCFTypeArrayCallBacks);
    policy = SecPolicyCreateiAP();
    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust ref");
    ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor");
    ok(date = CFDateCreate(NULL, 484000000.0), "create date");  /* 3 May 2016 */
    if (!date) { goto trustFail; }
    ok_status(SecTrustSetVerifyDate(trust, date), "set verify date");
    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate");
    is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");

trustFail:
    CFReleaseSafe(policy);
    CFReleaseSafe(trust);
    CFReleaseSafe(certs);
    CFReleaseSafe(anchors);
    CFReleaseSafe(date);

#if TARGET_OS_IPHONE
    /* Test interface for determining iAuth version */
    SecCertificateRef leaf0 = NULL, leaf1 = NULL;
    isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)),
         NULL, "create leaf0");
    isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)),
         NULL, "create leaf1");

    is_status(SecCertificateGetiAuthVersion(leaf0), kSeciAuthVersion2, "v2 certificate");
    is_status(SecCertificateGetiAuthVersion(leaf1), kSeciAuthVersion2, "v2 certificate");
    is_status(SecCertificateGetiAuthVersion(v3leaf), kSeciAuthVersion3, "v3 certificate");

    CFReleaseSafe(leaf0);
    CFReleaseSafe(leaf1);

    /* Test the extension-copying interface */
    CFDataRef extensionData = NULL;
    uint8_t extensionValue[32] = {
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A,
    };
    ok(extensionData = SecCertificateCopyiAPAuthCapabilities(v3leaf),
       "copy iAuthv3 extension data");
    is(CFDataGetLength(extensionData), 32, "compare expected size");
    is(memcmp(extensionValue, CFDataGetBytePtr(extensionData), 32), 0,
       "compare expected output");
    CFReleaseNull(extensionData);

    /* Test extension-copying interface with a malformed extension. */
    uint8_t extensionValue2[32] = {
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
    };
    SecCertificateRef malformedV3leaf = NULL;
    isnt(malformedV3leaf = SecCertificateCreateWithBytes(NULL, _malformedV3Leaf, sizeof(_malformedV3Leaf)),
         NULL, "create malformed v3 leaf");
    ok(extensionData = SecCertificateCopyiAPAuthCapabilities(malformedV3leaf),
       "copy iAuthv3 extension data for malformed leaf");
    is(CFDataGetLength(extensionData), 32, "compare expected size");
    is(memcmp(extensionValue2, CFDataGetBytePtr(extensionData), 32), 0,
       "compare expected output");
    CFReleaseNull(extensionData);
    CFReleaseNull(malformedV3leaf);
#endif
    CFReleaseSafe(v3leaf);
    CFReleaseSafe(v3CA);
}

int si_22_sectrust_iap(int argc, char *const *argv)
{
#if TARGET_OS_IPHONE
	plan_tests(14+20);
#else
    plan_tests(14+8);
#endif

	tests();
    test_v3();

	return 0;
}
Commit	Line	Data
427c49bc	1	/*
fa7225c8	2	* Copyright (c) 2006-2016 Apple Inc. All Rights Reserved.
427c49bc A	3	*/
	4
	5	#include <CoreFoundation/CoreFoundation.h>
	6	#include <Security/SecCertificate.h>
	7	#include <Security/SecCertificatePriv.h>
	8	#include <Security/SecPolicyPriv.h>
	9	#include <Security/SecTrust.h>
	10	#include <utilities/array_size.h>
fa7225c8	11	#include <utilities/SecCFRelease.h>
427c49bc A	12	#include <stdlib.h>
	13	#include <unistd.h>
	14
fa7225c8	15	#include "shared_regressions.h"
427c49bc	16
fa7225c8	17	#include "si-22-sectrust-iap.h"
427c49bc	18
427c49bc A	19	static void tests(void)
	20	{
	21	SecTrustRef trust;
	22	SecCertificateRef iAP1CA, iAP2CA, leaf0, leaf1;
	23	isnt(iAP1CA = SecCertificateCreateWithBytes(NULL, _iAP1CA, sizeof(_iAP1CA)),
	24	NULL, "create iAP1CA");
	25	isnt(iAP2CA = SecCertificateCreateWithBytes(NULL, _iAP2CA, sizeof(_iAP2CA)),
	26	NULL, "create iAP2CA");
	27	isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)),
	28	NULL, "create leaf0");
	29	isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)),
	30	NULL, "create leaf1");
d8f41ccd A	31	{
	32	// temporarily grab some stack space and fill it with 0xFF;
	33	// when we exit this scope, the stack pointer should shrink but leave the memory filled.
	34	// this tests for a stack overflow bug inside SecPolicyCreateiAP (rdar://16056248)
	35	char buf[2048];
	36	memset(buf, 0xFF, sizeof(buf));
	37	}
427c49bc A	38	SecPolicyRef policy = SecPolicyCreateiAP();
	39	const void *v_anchors[] = {
	40	iAP1CA,
	41	iAP2CA
	42	};
	43	CFArrayRef anchors = CFArrayCreate(NULL, v_anchors,
	44	array_size(v_anchors), NULL);
fa7225c8 A	45	CFArrayRef certs0 = CFArrayCreate(NULL, (const void **)&leaf0, 1, &kCFTypeArrayCallBacks);
fa7225c8 A	46	CFArrayRef certs1 = CFArrayCreate(NULL, (const void **)&leaf1, 1, &kCFTypeArrayCallBacks);
427c49bc A	47	ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust for leaf0");
	48	ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
	49
	50	/* Jan 1st 2008. */
	51	CFDateRef date = CFDateCreate(NULL, 220752000.0);
	52	ok_status(SecTrustSetVerifyDate(trust, date), "set date");
	53
	54	SecTrustResultType trustResult;
	55	ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
	56	is_status(trustResult, kSecTrustResultUnspecified,
	57	"trust is kSecTrustResultUnspecified");
	58
	59	is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
	60
	61	CFReleaseSafe(trust);
	62	ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust for leaf1");
	63	ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
	64	ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
fa7225c8	65	is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
427c49bc A	66
	67	CFReleaseSafe(anchors);
	68	CFReleaseSafe(certs1);
	69	CFReleaseSafe(certs0);
	70	CFReleaseSafe(trust);
	71	CFReleaseSafe(policy);
	72	CFReleaseSafe(leaf0);
	73	CFReleaseSafe(leaf1);
	74	CFReleaseSafe(iAP1CA);
	75	CFReleaseSafe(iAP2CA);
	76	CFReleaseSafe(date);
	77	}
	78
fa7225c8 A	79	static void test_v3(void) {
	80	SecCertificateRef v3CA = NULL, v3leaf = NULL;
	81	isnt(v3CA = SecCertificateCreateWithBytes(NULL, _v3ca, sizeof(_v3ca)),
	82	NULL, "create v3leaf");
	83	isnt(v3leaf = SecCertificateCreateWithBytes(NULL, _v3leaf, sizeof(_v3leaf)),
	84	NULL, "create v3leaf");
	85
	86	/* Test v3 certs meet iAP policy */
	87	SecPolicyRef policy = NULL;
	88	SecTrustRef trust = NULL;
	89	CFArrayRef certs = NULL, anchors = NULL;
	90	CFDateRef date = NULL;
	91	SecTrustResultType trustResult;
	92
	93	certs = CFArrayCreate(NULL, (const void **)&v3leaf, 1, &kCFTypeArrayCallBacks);
	94	anchors = CFArrayCreate(NULL, (const void **)&v3CA, 1, &kCFTypeArrayCallBacks);
	95	policy = SecPolicyCreateiAP();
	96	ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust ref");
	97	ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor");
	98	ok(date = CFDateCreate(NULL, 484000000.0), "create date"); /* 3 May 2016 */
	99	if (!date) { goto trustFail; }
	100	ok_status(SecTrustSetVerifyDate(trust, date), "set verify date");
	101	ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate");
	102	is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
	103
	104	trustFail:
	105	CFReleaseSafe(policy);
	106	CFReleaseSafe(trust);
	107	CFReleaseSafe(certs);
	108	CFReleaseSafe(anchors);
	109	CFReleaseSafe(date);
	110
	111	#if TARGET_OS_IPHONE
	112	/* Test interface for determining iAuth version */
	113	SecCertificateRef leaf0 = NULL, leaf1 = NULL;
	114	isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)),
	115	NULL, "create leaf0");
	116	isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)),
	117	NULL, "create leaf1");
	118
	119	is_status(SecCertificateGetiAuthVersion(leaf0), kSeciAuthVersion2, "v2 certificate");
	120	is_status(SecCertificateGetiAuthVersion(leaf1), kSeciAuthVersion2, "v2 certificate");
	121	is_status(SecCertificateGetiAuthVersion(v3leaf), kSeciAuthVersion3, "v3 certificate");
	122
	123	CFReleaseSafe(leaf0);
	124	CFReleaseSafe(leaf1);
	125
	126	/* Test the extension-copying interface */
	127	CFDataRef extensionData = NULL;
	128	uint8_t extensionValue[32] = {
	129	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	130	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A,
	131	};
	132	ok(extensionData = SecCertificateCopyiAPAuthCapabilities(v3leaf),
	133	"copy iAuthv3 extension data");
	134	is(CFDataGetLength(extensionData), 32, "compare expected size");
	135	is(memcmp(extensionValue, CFDataGetBytePtr(extensionData), 32), 0,
	136	"compare expected output");
	137	CFReleaseNull(extensionData);
	138
	139	/* Test extension-copying interface with a malformed extension. */
	140	uint8_t extensionValue2[32] = {
	141	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	142	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
143	};
144	SecCertificateRef malformedV3leaf = NULL;
145	isnt(malformedV3leaf = SecCertificateCreateWithBytes(NULL, _malformedV3Leaf, sizeof(_malformedV3Leaf)),
146	NULL, "create malformed v3 leaf");
147	ok(extensionData = SecCertificateCopyiAPAuthCapabilities(malformedV3leaf),
148	"copy iAuthv3 extension data for malformed leaf");
149	is(CFDataGetLength(extensionData), 32, "compare expected size");
150	is(memcmp(extensionValue2, CFDataGetBytePtr(extensionData), 32), 0,
151	"compare expected output");
152	CFReleaseNull(extensionData);
153	CFReleaseNull(malformedV3leaf);
154	#endif
155	CFReleaseSafe(v3leaf);
156	CFReleaseSafe(v3CA);
157	}
158
427c49bc A	159	int si_22_sectrust_iap(int argc, char const argv)
427c49bc A	160	{
fa7225c8 A	161	#if TARGET_OS_IPHONE
	162	plan_tests(14+20);
	163	#else
	164	plan_tests(14+8);
	165	#endif
427c49bc A	166
427c49bc A	167	tests();
fa7225c8	168	test_v3();
427c49bc A	169
	170	return 0;
	171	}