[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-97-sectrust-path-scoring.m

/*
 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
 */

#include <AssertMacros.h>
#import <Foundation/Foundation.h>
#include <Security/SecCertificate.h>
#include <Security/SecCertificatePriv.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecTrust.h>
#include <utilities/SecCFRelease.h>

#include "shared_regressions.h"

#include "si-97-sectrust-path-scoring.h"

static SecCertificateRef leaf = NULL;
static SecCertificateRef intSHA2 = NULL;
static SecCertificateRef intSHA1 = NULL;
static SecCertificateRef int1024 = NULL;
static SecCertificateRef rootSHA2 = NULL;
static SecCertificateRef rootSHA1 = NULL;
static SecCertificateRef root1024 = NULL;
static SecCertificateRef crossSHA2_SHA1 = NULL;
static SecCertificateRef crossSHA2_SHA2 = NULL;
static SecCertificateRef rootSHA2_2 = NULL;
static SecPolicyRef basicPolicy = NULL;
static SecPolicyRef sslPolicy = NULL;
static NSDate *verifyDate1 = nil;
static NSDate *verifyDate2 = nil;

static void setup_globals(void) {
    leaf = SecCertificateCreateWithBytes(NULL, _pathScoringLeaf, sizeof(_pathScoringLeaf));
    intSHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringIntSHA2, sizeof(_pathScoringIntSHA2));
    intSHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringIntSHA1, sizeof(_pathScoringIntSHA1));
    int1024 = SecCertificateCreateWithBytes(NULL, _pathScoringInt1024, sizeof(_pathScoringInt1024));
    rootSHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2Root, sizeof(_pathScoringSHA2Root));
    rootSHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA1Root, sizeof(_pathScoringSHA1Root));
    root1024 = SecCertificateCreateWithBytes(NULL, _pathScoring1024Root, sizeof(_pathScoring1024Root));
    crossSHA2_SHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2CrossSHA1, sizeof(_pathScoringSHA2CrossSHA1));
    crossSHA2_SHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2CrossSHA2, sizeof(_pathScoringSHA2CrossSHA2));
    rootSHA2_2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2Root2, sizeof(_pathScoringSHA2Root2));

    basicPolicy = SecPolicyCreateBasicX509();
    sslPolicy = SecPolicyCreateSSL(true, NULL);

    // May 1, 2016 at 5:53:20 AM PDT
    verifyDate1 = [NSDate dateWithTimeIntervalSinceReferenceDate:483800000.0];
    // May 27, 2016 at 4:20:50 PM PDT
    verifyDate2 = [NSDate dateWithTimeIntervalSinceReferenceDate:486084050.0];
}

static void cleanup_globals(void) {
    CFReleaseNull(leaf);
    CFReleaseNull(intSHA2);
    CFReleaseNull(intSHA1);
    CFReleaseNull(int1024);
    CFReleaseNull(rootSHA2);
    CFReleaseNull(rootSHA1);
    CFReleaseNull(root1024);
    CFReleaseNull(crossSHA2_SHA1);
    CFReleaseNull(crossSHA2_SHA2);
    CFReleaseNull(rootSHA2_2);

    CFReleaseNull(basicPolicy);
    CFReleaseNull(sslPolicy);
}

static bool testTrust(NSArray *certs, NSArray *anchors, SecPolicyRef policy,
                          NSDate *verifyDate, SecTrustResultType expectedResult,
                          NSArray *expectedChain) {
    bool testPassed = false;
    SecTrustRef trust = NULL;
    SecTrustResultType trustResult = kSecTrustResultInvalid;
    require_noerr_string(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs,
                                                        policy,
                                                        &trust),
                         errOut, "failed to create trust ref");
    if (anchors) {
        require_noerr_string(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors),
                             errOut, "failed to set anchors");
    }
    require_noerr_string(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate),
                         errOut, "failed to set verify date");
    require_noerr_string(SecTrustEvaluate(trust, &trustResult),
                         errOut, "failed to evaluate trust");

    /* check result */
    if (expectedResult == kSecTrustResultUnspecified) {
        require_string(trustResult == expectedResult,
                       errOut, "unexpected untrusted chain");
    } else if (expectedResult == kSecTrustResultRecoverableTrustFailure) {
        require_string(trustResult == expectedResult,
                       errOut, "unexpected trusted chain");
    }

    /* check the chain that returned */
    require_string((NSUInteger)SecTrustGetCertificateCount(trust) == [expectedChain count],
                   errOut, "wrong number of certs in result chain");
    NSUInteger ix, count = [expectedChain count];
    for (ix = 0; ix < count; ix++) {
        require_string(CFEqual(SecTrustGetCertificateAtIndex(trust, ix),
                               (__bridge SecCertificateRef)[expectedChain objectAtIndex:ix]),
                       errOut, "chain didn't match expected");
    }
    testPassed = true;

errOut:
    CFReleaseNull(trust);
    return testPassed;
}

/* Path Scoring Hierarchy
 *                                         leaf
 *                           ^               ^         ^
 *                          /                |          \
 *               intSHA2                    intSHA1     int1024
 *           ^      ^      ^                 ^          ^
 *          /       |       \                |          |
 *  rootSHA2 crossSHA2_SHA1 crossSHA2_SHA2  rootSHA1    root1024
 *                  ^               ^
 *                  |               |
 *              rootSHA1      rootSHA2_2
 */

static void tests(SecPolicyRef policy) {
    NSArray *certs = nil;
    NSArray *anchors = nil;
    NSArray *chain = nil;
    SecTrustResultType expectedTrustResult = ((policy == basicPolicy) ? kSecTrustResultUnspecified :
                                              kSecTrustResultRecoverableTrustFailure);

    /* Choose a short chain over a long chain, when ending in a self-signed cert */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
    anchors = @[(__bridge id)rootSHA2, (__bridge id)rootSHA2_2];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose shorter chain over longer chain, SHA-2",
       (policy == basicPolicy) ? "accept" : "reject");

    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)crossSHA2_SHA1];
    anchors = @[(__bridge id)rootSHA1];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose shorter chain over longer chain, SHA-1",
       (policy == basicPolicy) ? "accept" : "reject");

    /* Choose a SHA-2 chain over a SHA-1 chain */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1];
    anchors = @[(__bridge id)rootSHA1, (__bridge id)rootSHA2];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose SHA-2 chain over SHA-1 chain, order 1",
       (policy == basicPolicy) ? "accept" : "reject");

    certs = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)intSHA2];
    anchors = @[(__bridge id)rootSHA2, (__bridge id)rootSHA1];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose SHA-2 chain over SHA-1 chain, order 2",
       (policy == basicPolicy) ? "accept" : "reject");

    /* Choose a longer SHA-2 chain over the shorter SHA-1 chain */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
    anchors = @[(__bridge id)rootSHA1, (__bridge id)rootSHA2_2];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2, (__bridge id)rootSHA2_2];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose longer SHA-2 chain over shorter SHA-1 chain",
       (policy == basicPolicy) ? "accept" : "reject");

    /* Choose 1024-bit temporally valid chain over 2048-bit invalid chain */
    certs = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)intSHA1];
    anchors = @[(__bridge id)root1024, (__bridge id)rootSHA1];
    chain = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)root1024];
    ok(testTrust(certs, anchors, policy, verifyDate2, expectedTrustResult, chain),
       "%s test: choose temporally valid chain over invalid chain",
       (policy == basicPolicy) ? "accept" : "reject");

    /* Choose an anchored chain over an unanchored chain */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA2];
    anchors = @[(__bridge id)rootSHA1];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose an anchored chain over an unanchored chain",
       (policy == basicPolicy) ? "accept" : "reject");

    /* Choose an anchored SHA-1 chain over an unanchored SHA-2 chain */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA2];
    anchors = @[(__bridge id)rootSHA1];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose anchored SHA-1 chain over unanchored SHA-2 chain",
       (policy == basicPolicy) ? "accept" : "reject");

    /* Choose an anchored SHA-1 cross-signed chain over unanchored SHA-2 chains */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2,
              (__bridge id)crossSHA2_SHA1, (__bridge id)crossSHA2_SHA2, (__bridge id)rootSHA2_2];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA1, (__bridge id)rootSHA1];
    ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
       "%s test: choose anchored cross-signed chain over unanchored chains",
       (policy == basicPolicy) ? "accept" : "reject");
}

static void accept_tests(void) {
    tests(basicPolicy);

}

static void reject_tests(void) {
    /* The leaf certificate is a client SSL certificate, and will fail the sslPolicy. */
    tests(sslPolicy);

    /* reject only tests */
    NSArray *certs = nil;
    NSArray *anchors = nil;
    NSArray *chain = nil;

    /* Choose a 2048-bit chain over a 1024-bit chain */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)int1024];
    anchors = @[(__bridge id)rootSHA2, (__bridge id)root1024];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
    ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
       "reject test: choose 2048-bit chain over 1024-bit chain, order 1");

    certs = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)intSHA2];
    anchors = @[(__bridge id)root1024, (__bridge id)rootSHA2];
    ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
       "reject test: choose 2048-bit chain over 1024-bit chain, order 2");

    /* Choose a complete chain over an incomplete chain */
    certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA1];
    anchors = @[];
    chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
    ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
       "reject test: choose a chain that ends in a self-signed cert over one that doesn't");

    /* Choose a long chain over a short chain when not ending with a self-signed cert */
    certs = @[(__bridge id)leaf, (__bridge id)crossSHA2_SHA2, (__bridge id)intSHA2];
    anchors = nil;
    chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
    ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
       "reject test: choose longer chain over shorter chain, no roots");
}

int si_97_sectrust_path_scoring(int argc, char *const *argv)
{
    plan_tests(2*9 + 4);

    @autoreleasepool {
        setup_globals();
        accept_tests();
        reject_tests();
        cleanup_globals();
    }

    return 0;
}
Commit	Line	Data
fa7225c8 A	1	/*
	2	* Copyright (c) 2016 Apple Inc. All Rights Reserved.
	3	*/
	4
	5	#include <AssertMacros.h>
	6	#import <Foundation/Foundation.h>
	7	#include <Security/SecCertificate.h>
	8	#include <Security/SecCertificatePriv.h>
	9	#include <Security/SecPolicyPriv.h>
	10	#include <Security/SecTrust.h>
	11	#include <utilities/SecCFRelease.h>
	12
	13	#include "shared_regressions.h"
	14
	15	#include "si-97-sectrust-path-scoring.h"
	16
	17	static SecCertificateRef leaf = NULL;
	18	static SecCertificateRef intSHA2 = NULL;
	19	static SecCertificateRef intSHA1 = NULL;
	20	static SecCertificateRef int1024 = NULL;
	21	static SecCertificateRef rootSHA2 = NULL;
	22	static SecCertificateRef rootSHA1 = NULL;
	23	static SecCertificateRef root1024 = NULL;
	24	static SecCertificateRef crossSHA2_SHA1 = NULL;
	25	static SecCertificateRef crossSHA2_SHA2 = NULL;
	26	static SecCertificateRef rootSHA2_2 = NULL;
	27	static SecPolicyRef basicPolicy = NULL;
	28	static SecPolicyRef sslPolicy = NULL;
	29	static NSDate *verifyDate1 = nil;
	30	static NSDate *verifyDate2 = nil;
	31
	32	static void setup_globals(void) {
	33	leaf = SecCertificateCreateWithBytes(NULL, _pathScoringLeaf, sizeof(_pathScoringLeaf));
	34	intSHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringIntSHA2, sizeof(_pathScoringIntSHA2));
	35	intSHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringIntSHA1, sizeof(_pathScoringIntSHA1));
	36	int1024 = SecCertificateCreateWithBytes(NULL, _pathScoringInt1024, sizeof(_pathScoringInt1024));
	37	rootSHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2Root, sizeof(_pathScoringSHA2Root));
	38	rootSHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA1Root, sizeof(_pathScoringSHA1Root));
	39	root1024 = SecCertificateCreateWithBytes(NULL, _pathScoring1024Root, sizeof(_pathScoring1024Root));
	40	crossSHA2_SHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2CrossSHA1, sizeof(_pathScoringSHA2CrossSHA1));
	41	crossSHA2_SHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2CrossSHA2, sizeof(_pathScoringSHA2CrossSHA2));
	42	rootSHA2_2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2Root2, sizeof(_pathScoringSHA2Root2));
	43
	44	basicPolicy = SecPolicyCreateBasicX509();
	45	sslPolicy = SecPolicyCreateSSL(true, NULL);
	46
	47	// May 1, 2016 at 5:53:20 AM PDT
	48	verifyDate1 = [NSDate dateWithTimeIntervalSinceReferenceDate:483800000.0];
	49	// May 27, 2016 at 4:20:50 PM PDT
	50	verifyDate2 = [NSDate dateWithTimeIntervalSinceReferenceDate:486084050.0];
	51	}
	52
	53	static void cleanup_globals(void) {
	54	CFReleaseNull(leaf);
	55	CFReleaseNull(intSHA2);
	56	CFReleaseNull(intSHA1);
	57	CFReleaseNull(int1024);
	58	CFReleaseNull(rootSHA2);
	59	CFReleaseNull(rootSHA1);
	60	CFReleaseNull(root1024);
	61	CFReleaseNull(crossSHA2_SHA1);
	62	CFReleaseNull(crossSHA2_SHA2);
	63	CFReleaseNull(rootSHA2_2);
	64
65	CFReleaseNull(basicPolicy);
66	CFReleaseNull(sslPolicy);
67	}
68
69	static bool testTrust(NSArray certs, NSArray anchors, SecPolicyRef policy,
70	NSDate *verifyDate, SecTrustResultType expectedResult,
71	NSArray *expectedChain) {
72	bool testPassed = false;
73	SecTrustRef trust = NULL;
74	SecTrustResultType trustResult = kSecTrustResultInvalid;
75	require_noerr_string(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs,
76	policy,
77	&trust),
78	errOut, "failed to create trust ref");
79	if (anchors) {
80	require_noerr_string(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors),
81	errOut, "failed to set anchors");
82	}
83	require_noerr_string(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate),
84	errOut, "failed to set verify date");
85	require_noerr_string(SecTrustEvaluate(trust, &trustResult),
86	errOut, "failed to evaluate trust");
87
88	/* check result */
89	if (expectedResult == kSecTrustResultUnspecified) {
90	require_string(trustResult == expectedResult,
91	errOut, "unexpected untrusted chain");
92	} else if (expectedResult == kSecTrustResultRecoverableTrustFailure) {
93	require_string(trustResult == expectedResult,
94	errOut, "unexpected trusted chain");
95	}
96
97	/* check the chain that returned */
98	require_string((NSUInteger)SecTrustGetCertificateCount(trust) == [expectedChain count],
99	errOut, "wrong number of certs in result chain");
100	NSUInteger ix, count = [expectedChain count];
101	for (ix = 0; ix < count; ix++) {
102	require_string(CFEqual(SecTrustGetCertificateAtIndex(trust, ix),
103	(__bridge SecCertificateRef)[expectedChain objectAtIndex:ix]),
104	errOut, "chain didn't match expected");
105	}
106	testPassed = true;
107
108	errOut:
109	CFReleaseNull(trust);
110	return testPassed;
111	}
112
113	/* Path Scoring Hierarchy
114	* leaf
115	* ^ ^ ^
116	* / \| \
117	* intSHA2 intSHA1 int1024
118	* ^ ^ ^ ^ ^
119	* / \| \ \| \|
120	* rootSHA2 crossSHA2_SHA1 crossSHA2_SHA2 rootSHA1 root1024
121	* ^ ^
122	* \| \|
123	* rootSHA1 rootSHA2_2
124	*/
125
126	static void tests(SecPolicyRef policy) {
127	NSArray *certs = nil;
128	NSArray *anchors = nil;
129	NSArray *chain = nil;
130	SecTrustResultType expectedTrustResult = ((policy == basicPolicy) ? kSecTrustResultUnspecified :
131	kSecTrustResultRecoverableTrustFailure);
132
133	/* Choose a short chain over a long chain, when ending in a self-signed cert */
134	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
135	anchors = @[(__bridge id)rootSHA2, (__bridge id)rootSHA2_2];
136	chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
137	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
138	"%s test: choose shorter chain over longer chain, SHA-2",
139	(policy == basicPolicy) ? "accept" : "reject");
140
141	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)crossSHA2_SHA1];
142	anchors = @[(__bridge id)rootSHA1];
143	chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
144	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
145	"%s test: choose shorter chain over longer chain, SHA-1",
146	(policy == basicPolicy) ? "accept" : "reject");
147
148	/* Choose a SHA-2 chain over a SHA-1 chain */
149	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1];
150	anchors = @[(__bridge id)rootSHA1, (__bridge id)rootSHA2];
151	chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
152	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
153	"%s test: choose SHA-2 chain over SHA-1 chain, order 1",
154	(policy == basicPolicy) ? "accept" : "reject");
155
156	certs = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)intSHA2];
157	anchors = @[(__bridge id)rootSHA2, (__bridge id)rootSHA1];
158	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
159	"%s test: choose SHA-2 chain over SHA-1 chain, order 2",
160	(policy == basicPolicy) ? "accept" : "reject");
161
162	/* Choose a longer SHA-2 chain over the shorter SHA-1 chain */
163	certs = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
164	anchors = @[(__bridge id)rootSHA1, (__bridge id)rootSHA2_2];
165	chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2, (__bridge id)rootSHA2_2];
166	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
167	"%s test: choose longer SHA-2 chain over shorter SHA-1 chain",
168	(policy == basicPolicy) ? "accept" : "reject");
169
170	/* Choose 1024-bit temporally valid chain over 2048-bit invalid chain */
171	certs = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)intSHA1];
172	anchors = @[(__bridge id)root1024, (__bridge id)rootSHA1];
173	chain = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)root1024];
174	ok(testTrust(certs, anchors, policy, verifyDate2, expectedTrustResult, chain),
175	"%s test: choose temporally valid chain over invalid chain",
176	(policy == basicPolicy) ? "accept" : "reject");
177
178	/* Choose an anchored chain over an unanchored chain */
179	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA2];
180	anchors = @[(__bridge id)rootSHA1];
181	chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
182	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
183	"%s test: choose an anchored chain over an unanchored chain",
184	(policy == basicPolicy) ? "accept" : "reject");
185
186	/* Choose an anchored SHA-1 chain over an unanchored SHA-2 chain */
187	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA2];
188	anchors = @[(__bridge id)rootSHA1];
189	chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
190	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
191	"%s test: choose anchored SHA-1 chain over unanchored SHA-2 chain",
192	(policy == basicPolicy) ? "accept" : "reject");
193
194	/* Choose an anchored SHA-1 cross-signed chain over unanchored SHA-2 chains */
195	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2,
196	(__bridge id)crossSHA2_SHA1, (__bridge id)crossSHA2_SHA2, (__bridge id)rootSHA2_2];
197	chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA1, (__bridge id)rootSHA1];
198	ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
199	"%s test: choose anchored cross-signed chain over unanchored chains",
200	(policy == basicPolicy) ? "accept" : "reject");
201	}
202
203	static void accept_tests(void) {
204	tests(basicPolicy);
205
206	}
207
208	static void reject_tests(void) {
209	/* The leaf certificate is a client SSL certificate, and will fail the sslPolicy. */
210	tests(sslPolicy);
211
212	/* reject only tests */
213	NSArray *certs = nil;
214	NSArray *anchors = nil;
215	NSArray *chain = nil;
216
217	/* Choose a 2048-bit chain over a 1024-bit chain */
218	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)int1024];
219	anchors = @[(__bridge id)rootSHA2, (__bridge id)root1024];
220	chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
221	ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
222	"reject test: choose 2048-bit chain over 1024-bit chain, order 1");
223
224	certs = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)intSHA2];
225	anchors = @[(__bridge id)root1024, (__bridge id)rootSHA2];
226	ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
227	"reject test: choose 2048-bit chain over 1024-bit chain, order 2");
228
229	/* Choose a complete chain over an incomplete chain */
230	certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA1];
231	anchors = @[];
232	chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
233	ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
234	"reject test: choose a chain that ends in a self-signed cert over one that doesn't");
235
236	/* Choose a long chain over a short chain when not ending with a self-signed cert */
237	certs = @[(__bridge id)leaf, (__bridge id)crossSHA2_SHA2, (__bridge id)intSHA2];
238	anchors = nil;
239	chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
240	ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
241	"reject test: choose longer chain over shorter chain, no roots");
242	}
243
244	int si_97_sectrust_path_scoring(int argc, char const argv)
245	{
246	plan_tests(2*9 + 4);
247
248	@autoreleasepool {
249	setup_globals();
250	accept_tests();
251	reject_tests();
252	cleanup_globals();
253	}
254
255	return 0;
256	}