[apple/security.git] / sec / Security / Regressions / secitem / si-67-sectrust-blacklist.c

/*
 *  si-67-sectrust-blacklist.c
 *  regressions
 *
 *  Created by Conrad Sauerwald on 3/24/11.
 *  Copyright 2011 Apple Inc. All rights reserved.
 *
 */

#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecCertificate.h>
#include <Security/SecCertificatePriv.h>
#include <Security/SecInternal.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecTrust.h>
#include <stdlib.h>
#include <unistd.h>

#include "si-67-sectrust-blacklist/Global Trustee.cer.h"
#include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
#include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
#include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
#include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
#include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
#include "si-67-sectrust-blacklist/login.live.com.cer.h"
#include "si-67-sectrust-blacklist/mail.google.com.cer.h"
#include "si-67-sectrust-blacklist/login.skype.com.cer.h"
#include "si-67-sectrust-blacklist/www.google.com.cer.h"

#include "Security_regressions.h"

static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
{
    SecTrustRef trust;
	SecCertificateRef cert;
    SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
    CFArrayRef certs;

	isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
		NULL, "create cert");
    certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
        "create trust with single cert");
	//CFDateRef date = CFDateCreate(NULL, 1301008576);
    //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
    //CFRelease(date);

	SecTrustResultType trustResult;
    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
	is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
    is_status(trustResult, trust_result, "correct trustResult");
    CFRelease(trust);
    CFRelease(policy);
    CFRelease(certs);
    CFRelease(cert);
}

static void tests(void)
{
    validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 3, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 3, kSecTrustResultFatalTrustFailure);
    /* this is the root, which isn't ok for ssl and fails here, but at the
       same time it proves that kSecTrustResultFatalTrustFailure isn't
       returned for policy failures that aren't blacklisting */
    validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 3, kSecTrustResultFatalTrustFailure);
    validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 3, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 3, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 3, kSecTrustResultFatalTrustFailure);
    validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
    validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 3, kSecTrustResultFatalTrustFailure);
    validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
}

int si_67_sectrust_blacklist(int argc, char *const *argv)
{
	plan_tests(45);

	tests();

	return 0;
}
Commit	Line	Data
427c49bc A	1	/*
	2	* si-67-sectrust-blacklist.c
	3	* regressions
	4	*
	5	* Created by Conrad Sauerwald on 3/24/11.
	6	* Copyright 2011 Apple Inc. All rights reserved.
	7	*
	8	*/
	9
	10	#include <CoreFoundation/CoreFoundation.h>
	11	#include <Security/SecCertificate.h>
	12	#include <Security/SecCertificatePriv.h>
	13	#include <Security/SecInternal.h>
	14	#include <Security/SecPolicyPriv.h>
	15	#include <Security/SecTrust.h>
	16	#include <stdlib.h>
	17	#include <unistd.h>
	18
	19	#include "si-67-sectrust-blacklist/Global Trustee.cer.h"
	20	#include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
	21	#include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
	22	#include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
	23	#include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
	24	#include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
	25	#include "si-67-sectrust-blacklist/login.live.com.cer.h"
	26	#include "si-67-sectrust-blacklist/mail.google.com.cer.h"
	27	#include "si-67-sectrust-blacklist/login.skype.com.cer.h"
	28	#include "si-67-sectrust-blacklist/www.google.com.cer.h"
	29
	30	#include "Security_regressions.h"
	31
	32	static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
	33	{
	34	SecTrustRef trust;
	35	SecCertificateRef cert;
	36	SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
	37	CFArrayRef certs;
	38
	39	isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
	40	NULL, "create cert");
	41	certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
	42	ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
	43	"create trust with single cert");
	44	//CFDateRef date = CFDateCreate(NULL, 1301008576);
	45	//ok_status(SecTrustSetVerifyDate(trust, date), "set date");
	46	//CFRelease(date);
	47
	48	SecTrustResultType trustResult;
	49	ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
	50	is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
	51	is_status(trustResult, trust_result, "correct trustResult");
	52	CFRelease(trust);
	53	CFRelease(policy);
	54	CFRelease(certs);
	55	CFRelease(cert);
	56	}
	57
	58	static void tests(void)
	59	{
	60	validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 3, kSecTrustResultFatalTrustFailure);
	61	validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 3, kSecTrustResultFatalTrustFailure);
	62	/* this is the root, which isn't ok for ssl and fails here, but at the
	63	same time it proves that kSecTrustResultFatalTrustFailure isn't
	64	returned for policy failures that aren't blacklisting */
65	validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 3, kSecTrustResultFatalTrustFailure);
66	validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 3, kSecTrustResultFatalTrustFailure);
67	validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 3, kSecTrustResultFatalTrustFailure);
68	validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 3, kSecTrustResultFatalTrustFailure);
69	validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
70	validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 3, kSecTrustResultFatalTrustFailure);
71	validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
72	}
73
74	int si_67_sectrust_blacklist(int argc, char const argv)
75	{
76	plan_tests(45);
77
78	tests();
79
80	return 0;
81	}