OSX/sec/Security/Regressions/secitem/si-18-certificate-parse.m

   1 /*
   2  * Copyright (c) 2017 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include "shared_regressions.h"
  25
  26 #include <AssertMacros.h>
  27 #import <Foundation/Foundation.h>
  28
  29 #include <utilities/SecInternalReleasePriv.h>
  30 #include <utilities/SecCFRelease.h>
  31 #include <Security/SecCertificate.h>
  32 #include <Security/SecCertificatePriv.h>
  33 #include <Security/SecCertificateInternal.h>
  34
  35 const NSString *kSecTestParseFailureResources = @"si-18-certificate-parse/ParseFailureCerts";
  36 const NSString *kSecTestParseSuccessResources = @"si-18-certificate-parse/ParseSuccessCerts";
  37 const NSString *kSecTestKeyFailureResources = @"si-18-certificate-parse/KeyFailureCerts";
  38 const NSString *kSecTestPathFailureResources = @"si-18-certificate-parse/PathFailureCerts";
  39 const NSString *kSecTestTODOFailureResources = @"si-18-certificate-parse/TODOFailureCerts";
  40
  41 static uint64_t num_certs() {
  42     uint64_t num_certs = 0;
  43     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseFailureResources];
  44     num_certs += [certURLs count];
  45     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseSuccessResources];
  46     num_certs += [certURLs count];
  47     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestKeyFailureResources];
  48     num_certs += [certURLs count];
  49     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestPathFailureResources];
  50     num_certs += [certURLs count];
  51     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestTODOFailureResources];
  52     num_certs += [certURLs count];
  53
  54     return num_certs;
  55 }
  56
  57 static void test_parse_failure(void) {
  58     /* A bunch of certificates with different parsing errors */
  59     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseFailureResources];
  60     require_action([certURLs count] > 0, testOut,
  61                    fail("Unable to find parse test failure certs in bundle."));
  62
  63     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
  64         NSData *certData = [NSData dataWithContentsOfURL:url];
  65         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
  66         is(cert, NULL, "Successfully parsed bad cert: %@", url);
  67         CFReleaseNull(cert);
  68     }];
  69
  70 testOut:
  71     return;
  72 }
  73
  74 static void test_parse_success(void) {
  75     /* A bunch of certificates with different parsing variations */
  76     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseSuccessResources];
  77     require_action([certURLs count] > 0, testOut,
  78                    fail("Unable to find parse test failure certs in bundle."));
  79
  80     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
  81         NSData *certData = [NSData dataWithContentsOfURL:url];
  82         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
  83         isnt(cert, NULL, "Failed to parse good cert: %@", url);
  84         CFReleaseNull(cert);
  85     }];
  86
  87 testOut:
  88     return;
  89 }
  90
  91 static void test_key_failure(void) {
  92     /* Parse failures that require public key extraction */
  93     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestKeyFailureResources];
  94     require_action([certURLs count] > 0, testOut,
  95                    fail("Unable to find parse test failure certs in bundle."));
  96
  97     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
  98         NSData *certData = [NSData dataWithContentsOfURL:url];
  99         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
 100         SecKeyRef pubkey = NULL;
 101         require_action(cert, blockOut,
 102                        fail("Failed to parse cert with SPKI error: %@", url));
 103         pubkey = SecCertificateCopyKey(cert);
 104         is(pubkey, NULL, "Successfully parsed bad SPKI: %@", url);
 105
 106     blockOut:
 107         CFReleaseNull(cert);
 108         CFReleaseNull(pubkey);
 109     }];
 110
 111 testOut:
 112     return;
 113 }
 114
 115 static void test_path_parse_failure(void) {
 116     NSArray <NSURL *>* certURLs = nil;
 117     SecCertificateRef root = nil;
 118
 119     NSURL *rootURL = [[NSBundle mainBundle] URLForResource:@"root" withExtension:@".cer" subdirectory:@"si-18-certificate-parse"];
 120     root = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)[NSData dataWithContentsOfURL:rootURL]);
 121     require_action(root, testOut,
 122                    fail("Unable to create root cert"));
 123     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestPathFailureResources];
 124     require_action([certURLs count] > 0, testOut,
 125                    fail("Unable to find parse test failure certs in bundle."));
 126
 127     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
 128         NSData *certData = [NSData dataWithContentsOfURL:url];
 129         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
 130         SecTrustRef trust = NULL;
 131         SecPolicyRef policy = SecPolicyCreateBasicX509();
 132         SecTrustResultType trustResult = kSecTrustResultInvalid;
 133
 134         require_noerr_action(SecTrustCreateWithCertificates(cert, policy, &trust), blockOut,
 135                              fail("Unable to create trust with certificate: %@", url));
 136         require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)[NSArray arrayWithObject:(__bridge id)root]),
 137                              blockOut, fail("Unable to set trust in root cert: %@", url));
 138         require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:507200000.0]),
 139                              blockOut, fail("Unable to set verify date: %@", url));
 140         require_noerr_action(SecTrustEvaluate(trust, &trustResult), blockOut,
 141                              fail("Failed to evaluate trust with error: %@", url));
 142         is(trustResult, kSecTrustResultRecoverableTrustFailure, "Got wrong trust result (%d) for %@", trustResult, url);
 143
 144         require_action(cert, blockOut,
 145                        fail("Failed to parse cert with SPKI error: %@", url));
 146
 147     blockOut:
 148         CFReleaseNull(cert);
 149         CFReleaseNull(trust);
 150         CFReleaseNull(policy);
 151     }];
 152
 153
 154 testOut:
 155     CFReleaseNull(root);
 156 }
 157
 158 static void test_todo_failures(void) {
 159     /* A bunch of certificates with different parsing errors that currently succeed. */
 160     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestTODOFailureResources];
 161     require_action([certURLs count] > 0, testOut,
 162                    fail("Unable to find parse test failure certs in bundle."));
 163
 164     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
 165         NSData *certData = [NSData dataWithContentsOfURL:url];
 166         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
 167         {
 168             NSString *reason = [NSString stringWithFormat:@"Bad cert succeeds: %@",url];
 169             todo([reason UTF8String]);
 170             is(cert, NULL, "Successfully parsed bad cert: %@", url);
 171         }
 172         CFReleaseNull(cert);
 173     }];
 174
 175 testOut:
 176     return;
 177 }
 178
 179 int si_18_certificate_parse(int argc, char *const *argv)
 180 {
 181
 182     plan_tests((int)num_certs());
 183
 184     test_parse_failure();
 185     test_parse_success();
 186     test_key_failure();
 187     test_path_parse_failure();
 188     test_todo_failures();
 189
 190     return 0;
 191 }