OSX/shared_regressions/si-88-sectrust-valid.m

   1 /*
   2  *  si-88-sectrust-valid.m
   3  *  Security
   4  *
   5  *  Copyright (c) 2017-2018 Apple Inc. All Rights Reserved.
   6  *
   7  */
   8
   9 #include <CoreFoundation/CoreFoundation.h>
  10 #include <Security/Security.h>
  11 #include <Security/SecTrust.h>
  12 #include <Security/SecPolicy.h>
  13 #include <stdlib.h>
  14 #include <unistd.h>
  15 #include <utilities/SecCFWrappers.h>
  16
  17 #include "shared_regressions.h"
  18
  19 static void test_valid_trust(SecCertificateRef leaf, SecCertificateRef ca, CFArrayRef anchors,
  20                              CFDateRef date, CFIndex policyID, SecTrustResultType expected, const char *test_name)
  21 {
  22     CFArrayRef policies=NULL;
  23     SecPolicyRef policy=NULL;
  24     SecTrustRef trust=NULL;
  25     SecTrustResultType trustResult;
  26     CFMutableArrayRef certs=NULL;
  27
  28     printf("Starting %s\n", test_name);
  29     isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
  30     if (certs) {
  31         if (leaf) {
  32             CFArrayAppendValue(certs, leaf);
  33         }
  34         if (ca) {
  35             CFArrayAppendValue(certs, ca);
  36         }
  37     }
  38
  39     if (policyID == 1) {
  40         isnt(policy = SecPolicyCreateSSL(true, NULL), NULL, "create ssl policy");
  41     } else {
  42         isnt(policy = SecPolicyCreateBasicX509(), NULL, "create basic policy");
  43     }
  44     isnt(policies = CFArrayCreate(kCFAllocatorDefault, (const void **)&policy, 1, &kCFTypeArrayCallBacks), NULL, "create policies");
  45     ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust");
  46
  47     assert(trust); // silence analyzer
  48     ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
  49     ok_status(SecTrustSetVerifyDate(trust, date), "set date");
  50     ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
  51     ok(trustResult == expected, "trustResult %d expected (got %d)",
  52        (int)expected, (int)trustResult);
  53
  54     CFReleaseSafe(certs);
  55     CFReleaseSafe(policy);
  56     CFReleaseSafe(policies);
  57     CFReleaseSafe(trust);
  58 }
  59
  60 #import <Foundation/Foundation.h>
  61 SecCertificateRef SecCertificateCreateWithPEM(CFAllocatorRef allocator, CFDataRef pem_certificate);
  62
  63 static SecCertificateRef SecCertificateCreateFromResource(NSString *name)
  64 {
  65     NSString *resources = @"si-88-sectrust-valid-data";
  66     NSString *extension = @"pem";
  67
  68     NSURL *url = [[NSBundle mainBundle] URLForResource:name withExtension:extension subdirectory:resources];
  69     if (!url) {
  70         printf("No URL for resource \"%s.pem\"\n", [name UTF8String]);
  71         return NULL;
  72     }
  73
  74     NSData *certData = [NSData dataWithContentsOfURL:url];
  75     if (!certData) {
  76         printf("No cert data for resource \"%s.pem\"\n", [name UTF8String]);
  77         return NULL;
  78     }
  79
  80     return SecCertificateCreateWithPEM(kCFAllocatorDefault, (__bridge CFDataRef)certData);
  81 }
  82
  83 static void tests()
  84 {
  85     SecCertificateRef ca_na=NULL, ca_nb=NULL, root=NULL;
  86     SecCertificateRef leaf_na_ok1=NULL, leaf_na_ok2=NULL;
  87     SecCertificateRef leaf_nb_ok1=NULL, leaf_nb_ok2=NULL, leaf_nb_revoked1=NULL;
  88
  89     isnt(ca_na = SecCertificateCreateFromResource(@"ca-na"), NULL, "create ca-na cert");
  90     isnt(ca_nb = SecCertificateCreateFromResource(@"ca-nb"), NULL, "create ca-nb cert");
  91     isnt(root = SecCertificateCreateFromResource(@"root"), NULL, "create root cert");
  92     isnt(leaf_na_ok1 = SecCertificateCreateFromResource(@"leaf-na-ok1"), NULL, "create leaf-na-ok1 cert");
  93     isnt(leaf_na_ok2 = SecCertificateCreateFromResource(@"leaf-na-ok2"), NULL, "create leaf-na-ok2 cert");
  94     isnt(leaf_nb_ok1 = SecCertificateCreateFromResource(@"leaf-nb-ok1"), NULL, "create leaf-nb-ok1 cert");
  95     isnt(leaf_nb_ok2 = SecCertificateCreateFromResource(@"leaf-nb-ok2"), NULL, "create leaf-nb-ok2 cert");
  96     isnt(leaf_nb_revoked1 = SecCertificateCreateFromResource(@"leaf-nb-revoked1"), NULL, "create leaf-nb-revoked1 cert");
  97
  98     CFMutableArrayRef anchors=NULL;
  99     isnt(anchors = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create anchors array");
 100     if (anchors && root) {
 101         CFArrayAppendValue(anchors, root);
 102     }
 103     CFCalendarRef cal = NULL;
 104     CFAbsoluteTime at;
 105     CFDateRef date_20180102 = NULL; // a date when our test certs would all be valid, in the absence of Valid db info
 106
 107     isnt(cal = CFCalendarCreateWithIdentifier(kCFAllocatorDefault, kCFGregorianCalendar), NULL, "create calendar");
 108     ok(CFCalendarComposeAbsoluteTime(cal, &at, "yMd", 2018, 1, 2), "create verify absolute time 20180102");
 109     isnt(date_20180102 = CFDateCreate(kCFAllocatorDefault, at), NULL, "create verify date 20180102");
 110
 111     /* Case 0: leaf_na_ok1 (not revoked) */
 112     /* -- OK: cert issued 2017-10-20, before the CA not-after date of 2017-10-21 */
 113     /*        test cert has no SCT, but is expected to be OK since we now only apply the CT restriction for SSL. */
 114     test_valid_trust(leaf_na_ok1, ca_na, anchors, date_20180102, 0, kSecTrustResultUnspecified, "leaf_na_ok1 basic test");
 115
 116     /* Case 1: leaf_na_ok1 (not revoked) */
 117     /* -- BAD: since a not-after date now requires CT (for SSL) and the test cert has no SCT, this is fatal. */
 118     test_valid_trust(leaf_na_ok1, ca_na, anchors, date_20180102, 1, kSecTrustResultFatalTrustFailure, "leaf_na_ok1 ssl test");
 119
 120     /* Case 2: leaf_na_ok2 (revoked) */
 121     /* -- BAD: cert issued 2017-10-26, after the CA not-after date of 2017-10-21 */
 122     test_valid_trust(leaf_na_ok2, ca_na, anchors, date_20180102, 0, kSecTrustResultFatalTrustFailure, "leaf_na_ok2 basic test");
 123
 124     /* Case 3: leaf_nb_ok1 (revoked) */
 125     /* -- BAD: cert issued 2017-10-20, before the CA not-before date of 2017-10-22 */
 126     test_valid_trust(leaf_nb_ok1, ca_nb, anchors, date_20180102, 0, kSecTrustResultFatalTrustFailure, "leaf_nb_ok1 basic test");
 127
 128     /* Case 4: leaf_nb_ok2 (not revoked) */
 129     /* -- OK: cert issued 2017-10-26, after the CA not-before date of 2017-10-22 */
 130     test_valid_trust(leaf_nb_ok2, ca_nb, anchors, date_20180102, 0, kSecTrustResultUnspecified, "leaf_nb_ok2 basic test");
 131
 132     /* Case 5: leaf_nb_revoked1 (revoked) */
 133     /* -- BAD: cert issued 2017-10-20, before the CA not-before date of 2017-10-22 */
 134     test_valid_trust(leaf_nb_revoked1, ca_nb, anchors, date_20180102, 0, kSecTrustResultFatalTrustFailure, "leaf_nb_revoked1 basic test");
 135
 136     CFReleaseSafe(ca_na);
 137     CFReleaseSafe(ca_nb);
 138     CFReleaseSafe(root);
 139     CFReleaseSafe(leaf_na_ok1);
 140     CFReleaseSafe(leaf_na_ok2);
 141     CFReleaseSafe(leaf_nb_ok1);
 142     CFReleaseSafe(leaf_nb_ok2);
 143     CFReleaseSafe(leaf_nb_revoked1);
 144     CFReleaseSafe(anchors);
 145     CFReleaseSafe(cal);
 146     CFReleaseSafe(date_20180102);
 147 }
 148
 149
 150 int si_88_sectrust_valid(int argc, char *const *argv)
 151 {
 152     plan_tests(12+(6*8));
 153
 154     tests();
 155
 156     return 0;
 157 }