1 /*
2 * si-67-sectrust-blacklist.c
3 * regressions
4 *
5 * Created by Conrad Sauerwald on 3/24/11.
6 * Copyright 2011 Apple Inc. All rights reserved.
7 *
8 */
9
10 #include <CoreFoundation/CoreFoundation.h>
11 #include <Security/SecCertificate.h>
12 #include <Security/SecCertificatePriv.h>
13 #include <Security/SecInternal.h>
14 #include <Security/SecPolicyPriv.h>
15 #include <Security/SecTrust.h>
16 #include <stdlib.h>
17 #include <unistd.h>
18
19 #include "si-67-sectrust-blacklist/Global Trustee.cer.h"
20 #include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
21 #include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
22 #include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
23 #include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
24 #include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
25 #include "si-67-sectrust-blacklist/login.live.com.cer.h"
26 #include "si-67-sectrust-blacklist/mail.google.com.cer.h"
27 #include "si-67-sectrust-blacklist/login.skype.com.cer.h"
28 #include "si-67-sectrust-blacklist/www.google.com.cer.h"
29
30 #include "Security_regressions.h"
31
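/*
 * Build a single-certificate SSL trust object from DER bytes and check that
 * evaluating it yields the expected chain length and trust result.
 *
 * data/len      DER-encoded certificate; read only.
 * chain_length  expected SecTrustGetCertificateCount() after evaluation.
 * trust_result  expected SecTrustResultType produced by SecTrustEvaluate().
 *
 * Each call emits exactly five test results (isnt, ok_status, ok_status, is,
 * is_status); plan_tests() in the entry point relies on that count. If the
 * certificate or the trust object cannot be created, the remaining checks are
 * skipped and the plan mismatch reports the failure instead of passing a NULL
 * or uninitialized CF object to the next call.
 */
static void validate_one_cert(const uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
{
    /* All CF handles start as NULL so the cleanup below can tell what was created;
     * the original left `trust` uninitialized, which made CFRelease(trust) UB when
     * SecTrustCreateWithCertificates failed. */
    SecTrustRef trust = NULL;
    SecCertificateRef cert = NULL;
    CFArrayRef certs = NULL;
    SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
    SecTrustResultType trustResult = kSecTrustResultInvalid;

    cert = SecCertificateCreateWithBytes(NULL, data, len);
    isnt(cert, NULL, "create cert");
    if (!cert)
        goto out;

    certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
        "create trust with single cert");
    if (!trust)
        goto out;

    /* No verify date is set, so evaluation runs against the current time.
     * The fixed-date variant below is kept from the original for reference. */
    //CFDateRef date = CFDateCreate(NULL, 1301008576);
    //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
    //CFRelease(date);

    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
    is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
    is_status(trustResult, trust_result, "correct trustResult");

out:
    /* CFRelease(NULL) is a crash, unlike free(NULL), so each release is guarded. */
    if (trust)
        CFRelease(trust);
    if (certs)
        CFRelease(certs);
    if (cert)
        CFRelease(cert);
    if (policy)
        CFRelease(policy);
}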
57
/*
 * Run the blacklist regression over each embedded certificate, in the order
 * listed. Every entry is expected to be rejected by the SSL policy with
 * kSecTrustResultFatalTrustFailure and to evaluate to a three-certificate chain.
 *
 * NOTE(review): the original carried a comment saying one entry "is the root,
 * which isn't ok for ssl" and demonstrates that a non-blacklist policy failure
 * does NOT yield kSecTrustResultFatalTrustFailure — yet every entry here,
 * including login.yahoo.com.2, expects exactly that result. The comment may
 * belong to the UTN-USERFirst-Hardware root, whose header is included above
 * but which is not exercised here; confirm against the cert fixtures.
 */
static void tests(void)
{
    struct blacklist_case {
        const uint8_t *der;
        size_t der_len;
    };
#define BLACKLIST_CASE(arr) { (arr), sizeof(arr) }
    static const struct blacklist_case cases[] = {
        BLACKLIST_CASE(Global_Trustee_cer),
        BLACKLIST_CASE(login_yahoo_com_1_cer),
        BLACKLIST_CASE(login_yahoo_com_2_cer),
        BLACKLIST_CASE(addons_mozilla_org_cer),
        BLACKLIST_CASE(login_yahoo_com_cer),
        BLACKLIST_CASE(login_live_com_cer),
        BLACKLIST_CASE(mail_google_com_cer),
        BLACKLIST_CASE(login_skype_com_cer),
        BLACKLIST_CASE(www_google_com_cer),
    };
#undef BLACKLIST_CASE
    const size_t ncases = sizeof cases / sizeof cases[0];

    for (size_t i = 0; i < ncases; i++) {
        validate_one_cert((uint8_t *)cases[i].der, cases[i].der_len,
                          3, kSecTrustResultFatalTrustFailure);
    }
}
73
/*
 * Regression entry point; argc/argv are accepted for the harness but unused.
 * The plan is nine certificates times the five checks validate_one_cert()
 * emits for each one, i.e. 45.
 */
int si_67_sectrust_blacklist(int argc, char *const *argv)
{
    (void)argc;
    (void)argv;

    enum { BLACKLISTED_CERTS = 9, CHECKS_PER_CERT = 5 };
    plan_tests(BLACKLISTED_CERTS * CHECKS_PER_CERT);

    tests();

    return 0;
}