[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-67-sectrust-blacklist.c

/*
 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecCertificate.h>
#include <Security/SecCertificatePriv.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecTrust.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <string.h>

#include "si-67-sectrust-blacklist/Global Trustee.cer.h"
#include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
#include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
#include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
#include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
#include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
#include "si-67-sectrust-blacklist/login.live.com.cer.h"
#include "si-67-sectrust-blacklist/mail.google.com.cer.h"
#include "si-67-sectrust-blacklist/login.skype.com.cer.h"
#include "si-67-sectrust-blacklist/www.google.com.cer.h"

#include "shared_regressions.h"

static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
{
    SecTrustRef trust;
	SecCertificateRef cert;
    SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
    CFArrayRef certs;

	isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
		NULL, "create cert");
    certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
        "create trust with single cert");
	//CFDateRef date = CFDateCreate(NULL, 1301008576);
    //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
    //CFRelease(date);

	SecTrustResultType trustResult;
    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
	is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
    is_status(trustResult, trust_result, "correct trustResult");
    CFRelease(trust);
    CFRelease(policy);
    CFRelease(certs);
    CFRelease(cert);
}

static void tests(void)
{
    validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 2, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 2, kSecTrustResultFatalTrustFailure);
    /* this is the root, which isn't ok for ssl and fails here, but at the
       same time it proves that kSecTrustResultFatalTrustFailure isn't
       returned for policy failures that aren't blacklisting */
    validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 2, kSecTrustResultFatalTrustFailure);
    validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 2, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 2, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 2, kSecTrustResultFatalTrustFailure);
    validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 2, kSecTrustResultFatalTrustFailure);
    validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
}

static int ping_host(char *host_name){
    
    struct sockaddr_in pin;
    struct hostent *nlp_host;
    int sd;
    int port;
    int retries = 5;
    
    port=80;
    
    while ((nlp_host=gethostbyname(host_name))==0 && retries--){
        printf("Resolve Error! (%s) %d\n", host_name, h_errno);
        sleep(1);
    }

    if(nlp_host==0)
        return 0;
    
    bzero(&pin,sizeof(pin));
    pin.sin_family=AF_INET;
    pin.sin_addr.s_addr=htonl(INADDR_ANY);
    pin.sin_addr.s_addr=((struct in_addr *)(nlp_host->h_addr))->s_addr;
    pin.sin_port=htons(port);
    
    sd=socket(AF_INET,SOCK_STREAM,0);
    
    if (connect(sd,(struct sockaddr*)&pin,sizeof(pin))==-1){
        printf("connect error! (%s) %d\n", host_name, errno);
        close(sd);
        return 0;
    }
    else{
        close(sd);
        return 1;
    }
}
 
int si_67_sectrust_blacklist(int argc, char *const *argv)
{
    char *hosts[] = {
        "EVSecure-ocsp.verisign.com",
        "EVIntl-ocsp.verisign.com",
        "EVIntl-aia.verisign.com",
        "ocsp.comodoca.com",
        "crt.comodoca.com",
    };
    
    unsigned host_cnt = 0;

    plan_tests(45);

    for (host_cnt = 0; host_cnt < sizeof(hosts)/sizeof(hosts[0]); host_cnt ++)
        if(ping_host(hosts[host_cnt]) == 0){
            printf("Accessing specific server (%s) failed, check the network!\n", hosts[host_cnt]);
            return 0;
        }

	tests();

	return 0;
}
Commit	Line	Data
427c49bc	1	/*
d8f41ccd	2	* Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
427c49bc	3	*
d8f41ccd A	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
427c49bc A	22	*/
427c49bc A	23
d8f41ccd	24
427c49bc A	25	#include <CoreFoundation/CoreFoundation.h>
	26	#include <Security/SecCertificate.h>
	27	#include <Security/SecCertificatePriv.h>
427c49bc A	28	#include <Security/SecPolicyPriv.h>
	29	#include <Security/SecTrust.h>
	30	#include <stdlib.h>
d8f41ccd A	31	#include <sys/socket.h>
	32	#include <sys/types.h>
	33	#include <netinet/in.h>
	34	#include <arpa/inet.h>
	35	#include <netdb.h>
427c49bc	36	#include <unistd.h>
d8f41ccd	37	#include <string.h>
427c49bc A	38
	39	#include "si-67-sectrust-blacklist/Global Trustee.cer.h"
	40	#include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
	41	#include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
	42	#include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
	43	#include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
	44	#include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
	45	#include "si-67-sectrust-blacklist/login.live.com.cer.h"
	46	#include "si-67-sectrust-blacklist/mail.google.com.cer.h"
	47	#include "si-67-sectrust-blacklist/login.skype.com.cer.h"
	48	#include "si-67-sectrust-blacklist/www.google.com.cer.h"
	49
fa7225c8	50	#include "shared_regressions.h"
427c49bc A	51
	52	static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
	53	{
	54	SecTrustRef trust;
	55	SecCertificateRef cert;
	56	SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
	57	CFArrayRef certs;
	58
	59	isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
	60	NULL, "create cert");
	61	certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
	62	ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
	63	"create trust with single cert");
	64	//CFDateRef date = CFDateCreate(NULL, 1301008576);
	65	//ok_status(SecTrustSetVerifyDate(trust, date), "set date");
	66	//CFRelease(date);
	67
	68	SecTrustResultType trustResult;
	69	ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
	70	is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
	71	is_status(trustResult, trust_result, "correct trustResult");
	72	CFRelease(trust);
	73	CFRelease(policy);
	74	CFRelease(certs);
	75	CFRelease(cert);
	76	}
	77
	78	static void tests(void)
	79	{
fa7225c8 A	80	validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 2, kSecTrustResultFatalTrustFailure);
fa7225c8 A	81	validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 2, kSecTrustResultFatalTrustFailure);
427c49bc A	82	/* this is the root, which isn't ok for ssl and fails here, but at the
	83	same time it proves that kSecTrustResultFatalTrustFailure isn't
	84	returned for policy failures that aren't blacklisting */
fa7225c8 A	85	validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 2, kSecTrustResultFatalTrustFailure);
	86	validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 2, kSecTrustResultFatalTrustFailure);
	87	validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 2, kSecTrustResultFatalTrustFailure);
	88	validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 2, kSecTrustResultFatalTrustFailure);
	89	validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
	90	validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 2, kSecTrustResultFatalTrustFailure);
	91	validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
427c49bc A	92	}
427c49bc A	93
d8f41ccd A	94	static int ping_host(char *host_name){
	95
	96	struct sockaddr_in pin;
	97	struct hostent *nlp_host;
	98	int sd;
	99	int port;
5c19dc3a	100	int retries = 5;
d8f41ccd A	101
	102	port=80;
	103
5c19dc3a A	104	while ((nlp_host=gethostbyname(host_name))==0 && retries--){
	105	printf("Resolve Error! (%s) %d\n", host_name, h_errno);
	106	sleep(1);
d8f41ccd	107	}
5c19dc3a A	108
	109	if(nlp_host==0)
	110	return 0;
d8f41ccd A	111
	112	bzero(&pin,sizeof(pin));
	113	pin.sin_family=AF_INET;
	114	pin.sin_addr.s_addr=htonl(INADDR_ANY);
	115	pin.sin_addr.s_addr=((struct in_addr *)(nlp_host->h_addr))->s_addr;
	116	pin.sin_port=htons(port);
	117
	118	sd=socket(AF_INET,SOCK_STREAM,0);
	119
	120	if (connect(sd,(struct sockaddr*)&pin,sizeof(pin))==-1){
5c19dc3a	121	printf("connect error! (%s) %d\n", host_name, errno);
d8f41ccd A	122	close(sd);
	123	return 0;
	124	}
	125	else{
	126	close(sd);
	127	return 1;
	128	}
	129	}
	130
427c49bc A	131	int si_67_sectrust_blacklist(int argc, char const argv)
427c49bc A	132	{
d8f41ccd A	133	char *hosts[] = {
	134	"EVSecure-ocsp.verisign.com",
	135	"EVIntl-ocsp.verisign.com",
	136	"EVIntl-aia.verisign.com",
	137	"ocsp.comodoca.com",
	138	"crt.comodoca.com",
	139	};
	140
5c19dc3a A	141	unsigned host_cnt = 0;
	142
	143	plan_tests(45);
	144
	145	for (host_cnt = 0; host_cnt < sizeof(hosts)/sizeof(hosts[0]); host_cnt ++)
d8f41ccd	146	if(ping_host(hosts[host_cnt]) == 0){
5c19dc3a	147	printf("Accessing specific server (%s) failed, check the network!\n", hosts[host_cnt]);
d8f41ccd A	148	return 0;
d8f41ccd A	149	}
427c49bc A	150
	151	tests();
	152
	153	return 0;
	154	}