2 * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 #include <Security/Security.h>
26 #include <AssertMacros.h>
28 #include "ssl-utils.h"
30 #include <Security/SecCertificatePriv.h>
31 #include "test-certs/CA-RSA_Cert.h"
32 #include "test-certs/ServerRSA_Key.h"
33 #include "test-certs/ServerRSA_Cert_CA-RSA.h"
34 #include "test-certs/ClientRSA_Key.h"
35 #include "test-certs/ClientRSA_Cert_CA-RSA.h"
36 #include "test-certs/UntrustedClientRSA_Key.h"
37 #include "test-certs/UntrustedClientRSA_Cert_Untrusted-CA-RSA.h"
39 #include <Security/SecIdentityPriv.h>
40 #include <Security/SecCertificatePriv.h>
42 #include "test-certs/eckey.h"
43 #include "test-certs/eccert.h"
44 #include "test-certs/ecclientcert.h"
45 #include "test-certs/ecclientkey.h"
46 #include "privkey-1.h"
50 #include <Security/SecRSAKey.h>
51 #include <Security/SecECKey.h>
56 SecKeyRef
create_private_key_from_der(bool ecdsa
, const unsigned char *pkey_der
, size_t pkey_der_len
)
61 privKey
= SecKeyCreateECPrivateKey(kCFAllocatorDefault
, pkey_der
, pkey_der_len
, kSecKeyEncodingPkcs1
);
63 privKey
= SecKeyCreateRSAPrivateKey(kCFAllocatorDefault
, pkey_der
, pkey_der_len
, kSecKeyEncodingPkcs1
);
66 CFErrorRef error
= NULL
;
67 CFDataRef keyData
= CFDataCreate(kCFAllocatorDefault
, pkey_der
, pkey_der_len
);
68 CFMutableDictionaryRef parameters
= CFDictionaryCreateMutable(kCFAllocatorDefault
, 0, NULL
, NULL
);
69 CFDictionarySetValue(parameters
, kSecAttrKeyType
, ecdsa
?kSecAttrKeyTypeECDSA
:kSecAttrKeyTypeRSA
);
70 CFDictionarySetValue(parameters
, kSecAttrKeyClass
, kSecAttrKeyClassPrivate
);
71 privKey
= SecKeyCreateFromData(parameters
, keyData
, &error
);
72 CFReleaseNull(keyData
);
73 CFReleaseNull(parameters
);
80 CFArrayRef
chain_from_der(bool ecdsa
, const unsigned char *pkey_der
, size_t pkey_der_len
, const unsigned char *cert_der
, size_t cert_der_len
)
82 SecKeyRef pkey
= NULL
;
83 SecCertificateRef cert
= NULL
;
84 SecIdentityRef ident
= NULL
;
85 CFArrayRef items
= NULL
;
87 require(pkey
= create_private_key_from_der(ecdsa
, pkey_der
, pkey_der_len
), errOut
);
88 require(cert
= SecCertificateCreateWithBytes(kCFAllocatorDefault
, cert_der
, cert_der_len
), errOut
);
89 require(ident
= SecIdentityCreate(kCFAllocatorDefault
, cert
, pkey
), errOut
);
90 require(items
= CFArrayCreate(kCFAllocatorDefault
, (const void **)&ident
, 1, &kCFTypeArrayCallBacks
), errOut
);
99 CFArrayRef
server_ec_chain(void)
101 return chain_from_der(true, eckey_der
, eckey_der_len
, eccert_der
, eccert_der_len
);
104 CFArrayRef
trusted_roots(void)
106 SecCertificateRef cert
= NULL
;
107 CFArrayRef roots
= NULL
;
109 require(cert
= SecCertificateCreateWithBytes(kCFAllocatorDefault
, CA_RSA_Cert_der
, CA_RSA_Cert_der_len
), errOut
);
110 require(roots
= CFArrayCreate(kCFAllocatorDefault
, (const void **)&cert
, 1, &kCFTypeArrayCallBacks
), errOut
);
117 CFArrayRef
server_chain(void)
119 return chain_from_der(false, ServerRSA_Key_der
, ServerRSA_Key_der_len
,
120 ServerRSA_Cert_CA_RSA_der
, ServerRSA_Cert_CA_RSA_der_len
);
123 CFArrayRef
trusted_client_chain(void)
125 return chain_from_der(false, ClientRSA_Key_der
, ClientRSA_Key_der_len
,
126 ClientRSA_Cert_CA_RSA_der
, ClientRSA_Cert_CA_RSA_der_len
);
129 CFArrayRef
trusted_ec_client_chain(void)
131 return chain_from_der(true, ecclientkey_der
, ecclientkey_der_len
, ecclientcert_der
, ecclientcert_der_len
);
134 CFArrayRef
untrusted_client_chain(void)
136 return chain_from_der(false, UntrustedClientRSA_Key_der
, UntrustedClientRSA_Key_der_len
,
137 UntrustedClientRSA_Cert_Untrusted_CA_RSA_der
, UntrustedClientRSA_Cert_Untrusted_CA_RSA_der_len
);
140 const char *ciphersuite_name(SSLCipherSuite cs
)
143 #define C(x) case x: return #x;
146 /* TLS 1.2 addenda, RFC 5246 */
149 C(TLS_NULL_WITH_NULL_NULL
)
151 /* Server provided RSA certificate for key exchange. */
152 C(TLS_RSA_WITH_NULL_MD5
)
153 C(TLS_RSA_WITH_NULL_SHA
)
154 C(TLS_RSA_WITH_RC4_128_MD5
)
155 C(TLS_RSA_WITH_RC4_128_SHA
)
156 C(TLS_RSA_WITH_3DES_EDE_CBC_SHA
)
157 C(TLS_RSA_WITH_AES_128_CBC_SHA
)
158 C(TLS_RSA_WITH_AES_256_CBC_SHA
)
159 C(TLS_RSA_WITH_NULL_SHA256
)
160 C(TLS_RSA_WITH_AES_128_CBC_SHA256
)
161 C(TLS_RSA_WITH_AES_256_CBC_SHA256
)
163 /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
164 C(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
)
165 C(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
)
166 C(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
)
167 C(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
)
168 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA
)
169 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA
)
170 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA
)
171 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA
)
172 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA
)
173 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA
)
174 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA
)
175 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA
)
176 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA256
)
177 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA256
)
178 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
)
179 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
)
180 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA256
)
181 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA256
)
182 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
)
183 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
)
185 /* Completely anonymous Diffie-Hellman */
186 C(TLS_DH_anon_WITH_RC4_128_MD5
)
187 C(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
)
188 C(TLS_DH_anon_WITH_AES_128_CBC_SHA
)
189 C(TLS_DH_anon_WITH_AES_256_CBC_SHA
)
190 C(TLS_DH_anon_WITH_AES_128_CBC_SHA256
)
191 C(TLS_DH_anon_WITH_AES_256_CBC_SHA256
)
193 /* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites
195 C(TLS_RSA_WITH_AES_128_GCM_SHA256
)
196 C(TLS_RSA_WITH_AES_256_GCM_SHA384
)
197 C(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
)
198 C(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
)
199 C(TLS_DH_RSA_WITH_AES_128_GCM_SHA256
)
200 C(TLS_DH_RSA_WITH_AES_256_GCM_SHA384
)
201 C(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
)
202 C(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
)
203 C(TLS_DH_DSS_WITH_AES_128_GCM_SHA256
)
204 C(TLS_DH_DSS_WITH_AES_256_GCM_SHA384
)
205 C(TLS_DH_anon_WITH_AES_128_GCM_SHA256
)
206 C(TLS_DH_anon_WITH_AES_256_GCM_SHA384
)
208 /* ECDSA addenda, RFC 4492 */
209 C(TLS_ECDH_ECDSA_WITH_NULL_SHA
)
210 C(TLS_ECDH_ECDSA_WITH_RC4_128_SHA
)
211 C(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
)
212 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
)
213 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
)
214 C(TLS_ECDHE_ECDSA_WITH_NULL_SHA
)
215 C(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
)
216 C(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
)
217 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
)
218 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
)
219 C(TLS_ECDH_RSA_WITH_NULL_SHA
)
220 C(TLS_ECDH_RSA_WITH_RC4_128_SHA
)
221 C(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
)
222 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
)
223 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
)
224 C(TLS_ECDHE_RSA_WITH_NULL_SHA
)
225 C(TLS_ECDHE_RSA_WITH_RC4_128_SHA
)
226 C(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
)
227 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
)
228 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
)
229 C(TLS_ECDH_anon_WITH_NULL_SHA
)
230 C(TLS_ECDH_anon_WITH_RC4_128_SHA
)
231 C(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
)
232 C(TLS_ECDH_anon_WITH_AES_128_CBC_SHA
)
233 C(TLS_ECDH_anon_WITH_AES_256_CBC_SHA
)
235 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
237 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
)
238 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
)
239 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
)
240 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
)
241 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
)
242 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
)
243 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
)
244 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
)
246 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
247 SHA-256/384 and AES Galois Counter Mode (GCM) */
248 C(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
)
249 C(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
)
250 C(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
)
251 C(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
)
252 C(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
)
253 C(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
)
254 C(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
)
255 C(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
)
257 /* RFC 5746 - Secure Renegotiation */
258 C(TLS_EMPTY_RENEGOTIATION_INFO_SCSV
)
261 * Tags for SSL 2 cipher kinds which are not specified
264 C(SSL_RSA_WITH_RC2_CBC_MD5
)
265 C(SSL_RSA_WITH_IDEA_CBC_MD5
)
266 C(SSL_RSA_WITH_DES_CBC_MD5
)
267 C(SSL_RSA_WITH_3DES_EDE_CBC_MD5
)
268 C(SSL_NO_SUCH_CIPHERSUITE
)
270 C(SSL_RSA_EXPORT_WITH_RC4_40_MD5
)
271 C(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
)
272 C(SSL_RSA_WITH_IDEA_CBC_SHA
)
273 C(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
)
274 C(SSL_RSA_WITH_DES_CBC_SHA
)
275 C(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
)
276 C(SSL_DH_DSS_WITH_DES_CBC_SHA
)
277 C(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
)
278 C(SSL_DH_RSA_WITH_DES_CBC_SHA
)
279 C(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
)
280 C(SSL_DHE_DSS_WITH_DES_CBC_SHA
)
281 C(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
)
282 C(SSL_DHE_RSA_WITH_DES_CBC_SHA
)
283 C(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
)
284 C(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
)
285 C(SSL_DH_anon_WITH_DES_CBC_SHA
)
286 C(SSL_FORTEZZA_DMS_WITH_NULL_SHA
)
287 C(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
)
290 C(TLS_PSK_WITH_AES_256_CBC_SHA384
)
291 C(TLS_PSK_WITH_AES_128_CBC_SHA256
)
292 C(TLS_PSK_WITH_AES_256_CBC_SHA
)
293 C(TLS_PSK_WITH_AES_128_CBC_SHA
)
294 C(TLS_PSK_WITH_RC4_128_SHA
)
295 C(TLS_PSK_WITH_3DES_EDE_CBC_SHA
)
296 C(TLS_PSK_WITH_NULL_SHA384
)
297 C(TLS_PSK_WITH_NULL_SHA256
)
298 C(TLS_PSK_WITH_NULL_SHA
)
302 return "Unknown Ciphersuite";