2 * Copyright (c) 2016-2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 /* INSTRUCTIONS FOR ADDING NEW SUBTESTS:
26 * 1. Add the certificates, as DER-encoded files with the 'cer' extension, to OSX/shared_regressions/si-20-sectrust-policies-data/
27 * NOTE: If your cert needs to be named with "(i[Pp]hone|i[Pp]ad|i[Pp]od)", you need to make two copies -- one named properly
28 * and another named such that it doesn't match that regex. Use the regex trick below for TARGET_OS_TV to make sure your test
30 * 2. Add a new dictionary to the test plist (OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist).
31 * This dictionary must include: (see constants below)
38 * It is strongly recommended that all test dictionaries include the Anchors and VerifyDate keys.
39 * Addtional optional keys are defined below.
42 /* INSTRUCTIONS FOR DEBUGGING SUBTESTS:
43 * Add a debugging.plist to OSX/shared_regressions/si-20-sectrust-policies-data/ containing only those subtest dictionaries
47 #include <AssertMacros.h>
48 #import <XCTest/XCTest.h>
49 #import <Foundation/Foundation.h>
51 #include <utilities/SecInternalReleasePriv.h>
52 #include <utilities/SecCFRelease.h>
53 #include <Security/SecCertificate.h>
54 #include <Security/SecCertificatePriv.h>
55 #include <Security/SecPolicyPriv.h>
56 #include <Security/SecTrust.h>
57 #include <Security/SecTrustPriv.h>
59 #import "TrustEvaluationTestCase.h"
60 #include "../TestMacroConversions.h"
61 #include "../TrustEvaluationTestHelpers.h"
63 const NSString *kSecTrustTestPinningPolicyResources = @"si-20-sectrust-policies-data";
65 @interface PolicyTests : TrustEvaluationTestCase
68 @implementation PolicyTests
70 - (void)testPolicies {
71 NSURL *testPlist = nil;
72 NSArray *testsArray = nil;
74 testPlist = [[NSBundle bundleForClass:[self class]] URLForResource:@"debugging" withExtension:@"plist"
75 subdirectory:(NSString *)kSecTrustTestPinningPolicyResources];
77 testPlist = [[NSBundle bundleForClass:[self class]] URLForResource:nil withExtension:@"plist"
78 subdirectory:(NSString *)kSecTrustTestPinningPolicyResources ];
81 fail("Failed to get tests plist from %@", kSecTrustTestPinningPolicyResources);
85 testsArray = [NSArray arrayWithContentsOfURL: testPlist];
87 fail("Failed to create array from plist");
91 [testsArray enumerateObjectsUsingBlock:^(NSDictionary *testDict, NSUInteger idx, BOOL * _Nonnull stop) {
92 TestTrustEvaluation *testObj = [[TestTrustEvaluation alloc] initWithTrustDictionary:testDict];
93 XCTAssertNotNil(testObj, "failed to create test object for %lu", (unsigned long)idx);
95 NSError *testError = nil;
96 XCTAssert([testObj evaluateForExpectedResults:&testError], "Test %@ failed: %@", testObj.fullTestName, testError);
100 - (void)testPinningDisable
102 SecCertificateRef baltimoreRoot = NULL, appleISTCA2 = NULL, pinnedNonCT = NULL;
103 SecTrustRef trust = NULL;
104 SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("caldav.icloud.com"));
105 NSDate *date = [NSDate dateWithTimeIntervalSinceReferenceDate:580000000.0]; // May 19, 2019 at 4:06:40 PM PDT
106 NSArray *certs = nil, *enforcement_anchors = nil;
107 NSUserDefaults *defaults = [[NSUserDefaults alloc] initWithSuiteName:@"com.apple.security"];
109 require_action(baltimoreRoot = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"BaltimoreCyberTrustRoot"
110 subdirectory:(NSString *)kSecTrustTestPinningPolicyResources],
111 errOut, fail("failed to create geotrust root"));
112 require_action(appleISTCA2 = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"AppleISTCA2G1-Baltimore"
113 subdirectory:(NSString *)kSecTrustTestPinningPolicyResources],
114 errOut, fail("failed to create apple IST CA"));
115 require_action(pinnedNonCT = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"caldav"
116 subdirectory:(NSString *)kSecTrustTestPinningPolicyResources],
117 errOut, fail("failed to create deprecated SSL Server cert"));
119 certs = @[ (__bridge id)pinnedNonCT, (__bridge id)appleISTCA2 ];
120 enforcement_anchors = @[ (__bridge id)baltimoreRoot ];
121 require_noerr_action(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), errOut, fail("failed to create trust"));
122 require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date), errOut, fail("failed to set verify date"));
123 require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)enforcement_anchors), errOut, fail("failed to set anchors"));
124 require_noerr_action(SecTrustSetPinningPolicyName(trust, kSecPolicyNameAppleAMPService), errOut, fail("failed to set policy name"));
125 #if !TARGET_OS_BRIDGE
126 XCTAssertFalse(SecTrustEvaluateWithError(trust, NULL), "pinning against wrong profile succeeded");
129 // Test with pinning disabled
130 [defaults setBool:YES forKey:@"AppleServerAuthenticationNoPinning"];
131 [defaults synchronize];
132 SecTrustSetNeedsEvaluation(trust);
133 XCTAssert(SecTrustEvaluateWithError(trust, NULL), "failed to disable pinning");
134 [defaults setBool:NO forKey:@"AppleServerAuthenticationNoPinning"];
135 [defaults synchronize];
138 CFReleaseNull(baltimoreRoot);
139 CFReleaseNull(appleISTCA2);
140 CFReleaseNull(pinnedNonCT);
141 CFReleaseNull(policy);
142 CFReleaseNull(trust);