2 * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 #include <Security/Security.h>
26 #include <AssertMacros.h>
28 #include "ssl-utils.h"
30 #include <Security/SecCertificatePriv.h>
31 #include "test-certs/CA-RSA_Cert.h"
32 #include "test-certs/ServerRSA_Key.h"
33 #include "test-certs/ServerRSA_Cert_CA-RSA.h"
34 #include "test-certs/ClientRSA_Key.h"
35 #include "test-certs/ClientRSA_Cert_CA-RSA.h"
36 #include "test-certs/UntrustedClientRSA_Key.h"
37 #include "test-certs/UntrustedClientRSA_Cert_Untrusted-CA-RSA.h"
39 #include <Security/SecIdentityPriv.h>
40 #include <Security/SecCertificatePriv.h>
42 #include "test-certs/eckey.h"
43 #include "test-certs/eccert.h"
44 #include "test-certs/ecclientcert.h"
45 #include "test-certs/ecclientkey.h"
46 #include "privkey-1.h"
50 #include <Security/SecRSAKey.h>
51 #include <Security/SecECKey.h>
56 SecKeyRef
create_private_key_from_der(bool ecdsa
, const unsigned char *pkey_der
, size_t pkey_der_len
)
61 privKey
= SecKeyCreateECPrivateKey(kCFAllocatorDefault
, pkey_der
, pkey_der_len
, kSecKeyEncodingPkcs1
);
63 privKey
= SecKeyCreateRSAPrivateKey(kCFAllocatorDefault
, pkey_der
, pkey_der_len
, kSecKeyEncodingPkcs1
);
66 CFErrorRef error
= NULL
;
67 CFDataRef keyData
= CFDataCreate(kCFAllocatorDefault
, pkey_der
, pkey_der_len
);
68 CFMutableDictionaryRef parameters
= CFDictionaryCreateMutable(kCFAllocatorDefault
, 0, NULL
, NULL
);
69 CFDictionarySetValue(parameters
, kSecAttrKeyType
, ecdsa
?kSecAttrKeyTypeECDSA
:kSecAttrKeyTypeRSA
);
70 CFDictionarySetValue(parameters
, kSecAttrKeyClass
, kSecAttrKeyClassPrivate
);
71 privKey
= SecKeyCreateFromData(parameters
, keyData
, &error
);
72 CFReleaseNull(keyData
);
73 CFReleaseNull(parameters
);
80 CFArrayRef CF_RETURNS_RETAINED
chain_from_der(bool ecdsa
, const unsigned char *pkey_der
, size_t pkey_der_len
, const unsigned char *cert_der
, size_t cert_der_len
)
82 SecKeyRef pkey
= NULL
;
83 SecCertificateRef cert
= NULL
;
84 SecIdentityRef ident
= NULL
;
85 CFArrayRef items
= NULL
;
87 require(pkey
= create_private_key_from_der(ecdsa
, pkey_der
, pkey_der_len
), errOut
);
88 require(cert
= SecCertificateCreateWithBytes(kCFAllocatorDefault
, cert_der
, cert_der_len
), errOut
);
89 require(ident
= SecIdentityCreate(kCFAllocatorDefault
, cert
, pkey
), errOut
);
90 require(items
= CFArrayCreate(kCFAllocatorDefault
, (const void **)&ident
, 1, &kCFTypeArrayCallBacks
), errOut
);
99 CFArrayRef
server_ec_chain(void)
101 return chain_from_der(true, eckey_der
, eckey_der_len
, eccert_der
, eccert_der_len
);
104 CFArrayRef
trusted_roots(void)
106 SecCertificateRef cert
= NULL
;
107 CFArrayRef roots
= NULL
;
109 require(cert
= SecCertificateCreateWithBytes(kCFAllocatorDefault
, CA_RSA_Cert_der
, CA_RSA_Cert_der_len
), errOut
);
110 require(roots
= CFArrayCreate(kCFAllocatorDefault
, (const void **)&cert
, 1, &kCFTypeArrayCallBacks
), errOut
);
117 CFArrayRef
server_chain(void)
119 return chain_from_der(false, ServerRSA_Key_der
, ServerRSA_Key_der_len
,
120 ServerRSA_Cert_CA_RSA_der
, ServerRSA_Cert_CA_RSA_der_len
);
123 CFArrayRef
trusted_client_chain(void)
125 return chain_from_der(false, ClientRSA_Key_der
, ClientRSA_Key_der_len
,
126 ClientRSA_Cert_CA_RSA_der
, ClientRSA_Cert_CA_RSA_der_len
);
129 CFArrayRef
trusted_ec_client_chain(void)
131 return chain_from_der(true, ecclientkey_der
, ecclientkey_der_len
, ecclientcert_der
, ecclientcert_der_len
);
134 CFArrayRef
untrusted_client_chain(void)
136 return chain_from_der(false, UntrustedClientRSA_Key_der
, UntrustedClientRSA_Key_der_len
,
137 UntrustedClientRSA_Cert_Untrusted_CA_RSA_der
, UntrustedClientRSA_Cert_Untrusted_CA_RSA_der_len
);
140 const char *ciphersuite_name(SSLCipherSuite cs
)
143 #define C(x) case x: return #x;
146 /* TLS 1.2 addenda, RFC 5246 */
149 C(TLS_NULL_WITH_NULL_NULL
)
151 /* Server provided RSA certificate for key exchange. */
152 C(TLS_RSA_WITH_NULL_MD5
)
153 C(TLS_RSA_WITH_NULL_SHA
)
154 C(TLS_RSA_WITH_3DES_EDE_CBC_SHA
)
155 C(TLS_RSA_WITH_AES_128_CBC_SHA
)
156 C(TLS_RSA_WITH_AES_256_CBC_SHA
)
157 C(TLS_RSA_WITH_NULL_SHA256
)
158 C(TLS_RSA_WITH_AES_128_CBC_SHA256
)
159 C(TLS_RSA_WITH_AES_256_CBC_SHA256
)
161 /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
162 C(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
)
163 C(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
)
164 C(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
)
165 C(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
)
166 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA
)
167 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA
)
168 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA
)
169 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA
)
170 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA
)
171 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA
)
172 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA
)
173 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA
)
174 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA256
)
175 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA256
)
176 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
)
177 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
)
178 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA256
)
179 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA256
)
180 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
)
181 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
)
183 /* Completely anonymous Diffie-Hellman */
184 C(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
)
185 C(TLS_DH_anon_WITH_AES_128_CBC_SHA
)
186 C(TLS_DH_anon_WITH_AES_256_CBC_SHA
)
187 C(TLS_DH_anon_WITH_AES_128_CBC_SHA256
)
188 C(TLS_DH_anon_WITH_AES_256_CBC_SHA256
)
190 /* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites
192 C(TLS_RSA_WITH_AES_128_GCM_SHA256
)
193 C(TLS_RSA_WITH_AES_256_GCM_SHA384
)
194 C(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
)
195 C(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
)
196 C(TLS_DH_RSA_WITH_AES_128_GCM_SHA256
)
197 C(TLS_DH_RSA_WITH_AES_256_GCM_SHA384
)
198 C(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
)
199 C(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
)
200 C(TLS_DH_DSS_WITH_AES_128_GCM_SHA256
)
201 C(TLS_DH_DSS_WITH_AES_256_GCM_SHA384
)
202 C(TLS_DH_anon_WITH_AES_128_GCM_SHA256
)
203 C(TLS_DH_anon_WITH_AES_256_GCM_SHA384
)
205 /* ECDSA addenda, RFC 4492 */
206 C(TLS_ECDH_ECDSA_WITH_NULL_SHA
)
207 C(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
)
208 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
)
209 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
)
210 C(TLS_ECDHE_ECDSA_WITH_NULL_SHA
)
211 C(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
)
212 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
)
213 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
)
214 C(TLS_ECDH_RSA_WITH_NULL_SHA
)
215 C(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
)
216 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
)
217 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
)
218 C(TLS_ECDHE_RSA_WITH_NULL_SHA
)
219 C(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
)
220 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
)
221 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
)
222 C(TLS_ECDH_anon_WITH_NULL_SHA
)
223 C(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
)
224 C(TLS_ECDH_anon_WITH_AES_128_CBC_SHA
)
225 C(TLS_ECDH_anon_WITH_AES_256_CBC_SHA
)
227 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
229 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
)
230 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
)
231 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
)
232 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
)
233 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
)
234 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
)
235 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
)
236 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
)
238 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
239 SHA-256/384 and AES Galois Counter Mode (GCM) */
240 C(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
)
241 C(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
)
242 C(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
)
243 C(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
)
244 C(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
)
245 C(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
)
246 C(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
)
247 C(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
)
249 /* RFC 5746 - Secure Renegotiation */
250 C(TLS_EMPTY_RENEGOTIATION_INFO_SCSV
)
253 * Tags for SSL 2 cipher kinds which are not specified
256 C(SSL_RSA_WITH_RC2_CBC_MD5
)
257 C(SSL_RSA_WITH_IDEA_CBC_MD5
)
258 C(SSL_RSA_WITH_DES_CBC_MD5
)
259 C(SSL_RSA_WITH_3DES_EDE_CBC_MD5
)
260 C(SSL_NO_SUCH_CIPHERSUITE
)
262 C(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
)
263 C(SSL_RSA_WITH_IDEA_CBC_SHA
)
264 C(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
)
265 C(SSL_RSA_WITH_DES_CBC_SHA
)
266 C(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
)
267 C(SSL_DH_DSS_WITH_DES_CBC_SHA
)
268 C(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
)
269 C(SSL_DH_RSA_WITH_DES_CBC_SHA
)
270 C(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
)
271 C(SSL_DHE_DSS_WITH_DES_CBC_SHA
)
272 C(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
)
273 C(SSL_DHE_RSA_WITH_DES_CBC_SHA
)
274 C(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
)
275 C(SSL_DH_anon_WITH_DES_CBC_SHA
)
276 C(SSL_FORTEZZA_DMS_WITH_NULL_SHA
)
277 C(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
)
280 C(TLS_PSK_WITH_AES_256_CBC_SHA384
)
281 C(TLS_PSK_WITH_AES_128_CBC_SHA256
)
282 C(TLS_PSK_WITH_AES_256_CBC_SHA
)
283 C(TLS_PSK_WITH_AES_128_CBC_SHA
)
284 C(TLS_PSK_WITH_3DES_EDE_CBC_SHA
)
285 C(TLS_PSK_WITH_NULL_SHA384
)
286 C(TLS_PSK_WITH_NULL_SHA256
)
287 C(TLS_PSK_WITH_NULL_SHA
)
291 return "Unknown Ciphersuite";