1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 #include <AssertMacros.h>
26 #import <XCTest/XCTest.h>
27 #include <Security/SecItem.h>
28 #include <Security/SecItemPriv.h>
29 #include <Security/SecCertificatePriv.h>
30 #include <Security/SecTrustPriv.h>
31 #include <Security/SecPolicyPriv.h>
32 #include "OSX/utilities/array_size.h"
33 #include "OSX/utilities/SecCFWrappers.h"
34
35 #import "TrustEvaluationTestCase.h"
36 #include "../TestMacroConversions.h"
37 #include "EvaluationBasicTests_data.h"
38
/* XCTest case class for basic SecTrust evaluation scenarios. The DER fixtures
 * it evaluates (_eval_*, _selfSignedAnchor) come from EvaluationBasicTests_data.h,
 * included above; the test macros (ok, is, isnt, ok_status, fail) are the
 * TAP-style wrappers from TestMacroConversions.h. */
@interface EvaluationBasicTests : TrustEvaluationTestCase
@end
41
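@implementation EvaluationBasicTests

/* An option key that names no real policy check must not break trust
 * evaluation in a Release (NDEBUG) build: the unknown key is ignored and the
 * chain (badssl leaf + Comodo DV intermediate, explicitly anchored at the
 * Comodo root, evaluated at a date at which the leaf presumably was still
 * valid) passes the basic X.509 policy. Debug builds are expected to fail the
 * evaluation instead, so a mistyped policy check name is caught during
 * development.
 *
 * NOTE(review): the flip side of the Release behaviour is that a misspelled
 * check key adds no check at all, so whatever restriction was intended is
 * silently not enforced; nothing in this test can catch that. */
- (void)testOptionalPolicyCheck {
    SecCertificateRef cert0 = NULL, cert1 = NULL, root = NULL;
    SecTrustRef trust = NULL;
    SecPolicyRef policy = NULL;
    CFArrayRef certs = NULL, anchors = NULL;
    CFDateRef date = NULL;

    require_action(cert0 = SecCertificateCreateWithBytes(NULL, _eval_expired_badssl, sizeof(_eval_expired_badssl)), errOut,
                   fail("unable to create cert"));
    require_action(cert1 = SecCertificateCreateWithBytes(NULL, _eval_comodo_rsa_dvss, sizeof(_eval_comodo_rsa_dvss)), errOut,
                   fail("unable to create cert"));
    require_action(root = SecCertificateCreateWithBytes(NULL, _eval_comodo_rsa_root, sizeof(_eval_comodo_rsa_root)), errOut,
                   fail("unable to create cert"));

    /* Chain handed to SecTrust: leaf first, then the issuing intermediate. */
    const void *v_certs[] = { cert0, cert1 };
    require_action(certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), &kCFTypeArrayCallBacks), errOut,
                   fail("unable to create array"));
    require_action(anchors = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks), errOut,
                   fail("unable to create anchors array"));
    /* Apr 10 2015, 12:00 UTC: fixed verify date so the result does not drift
     * as the fixtures age. */
    require_action(date = CFDateCreateForGregorianZuluMoment(NULL, 2015, 4, 10, 12, 0, 0), errOut, fail("unable to create date"));

    require_action(policy = SecPolicyCreateBasicX509(), errOut, fail("unable to create policy"));
    /* Deliberately bogus check name; this is the thing under test. */
    SecPolicySetOptionsValue(policy, CFSTR("not-a-policy-check"), kCFBooleanTrue);

    /* Bail out on failure here like every other setup step does; otherwise a
     * NULL trust object would be handed to the setters below. */
    require_noerr_action(SecTrustCreateWithCertificates(certs, policy, &trust), errOut,
                         fail("failed to create trust"));
    require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut,
                         fail("unable to set anchors"));
    require_noerr_action(SecTrustSetVerifyDate(trust, date), errOut, fail("unable to set verify date"));

#if NDEBUG
    /* Release: the unknown key is ignored and the chain is trusted. */
    ok(SecTrustEvaluateWithError(trust, NULL), "Trust evaluation failed");
#else
    /* Debug: the unknown key is expected to make the evaluation fail. */
    is(SecTrustEvaluateWithError(trust, NULL), false, "Expect failure in Debug config");
#endif

errOut:
    CFReleaseNull(cert0);
    CFReleaseNull(cert1);
    CFReleaseNull(root);
    CFReleaseNull(certs);
    CFReleaseNull(anchors);
    CFReleaseNull(date);
    CFReleaseNull(policy);
    CFReleaseNull(trust);
}

#if !TARGET_OS_BRIDGE
/* The path builder must pick up a missing intermediate from the keychain:
 * only the leaf is handed to SecTrust, network (AIA) fetching is switched off,
 * and the intermediate is added as a certificate item under the
 * com.apple.trusttests access group (data-protection keychain on macOS).
 * Evaluation is then expected to succeed with a three-certificate path, i.e.
 * leaf, keychain intermediate and an anchor the evaluator found on its own.
 *
 * The added item is deleted again at the end. If the test is aborted between
 * SecItemAdd and SecItemDelete the intermediate lingers in the keychain and
 * can change the outcome of other trust tests run afterwards. */
- (void)testIntermediateFromKeychain {
    SecTrustRef trust = NULL;
    SecCertificateRef cert0 = NULL, cert1 = NULL, framework_cert1 = NULL;
    SecPolicyRef policy = NULL;
    CFDateRef date = NULL;
    CFDictionaryRef query = NULL;

    /* Apr 14 2018. */
    isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2018, 4, 14, 12, 0, 0),
         NULL, "create verify date");
    if (!date) { goto errOut; }

    isnt(cert0 = SecCertificateCreateWithBytes(NULL, _eval_c0, sizeof(_eval_c0)),
         NULL, "create cert0");
    /* cert1 is only parsed here to check the fixture bytes; the copy that goes
     * into the keychain is framework_cert1 below. */
    isnt(cert1 = SecCertificateCreateWithBytes(NULL, _eval_c1, sizeof(_eval_c1)),
         NULL, "create cert1");
    if (!cert0 || !cert1) { goto errOut; }
    /* SSL client policy (server == false), no hostname. */
    policy = SecPolicyCreateSSL(false, NULL);

    /* Test cert_1 intermediate from the keychain. */
    ok_status(SecTrustCreateWithCertificates(cert0, policy, &trust),
              "create trust with single cert0");
    if (!trust) { goto errOut; }
    ok_status(SecTrustSetVerifyDate(trust, date), "set date");
    /* With AIA fetching forbidden the intermediate can only come from the
     * keychain, which is what this test is meant to prove. */
    ok_status(SecTrustSetNetworkFetchAllowed(trust, false), "set no network fetch allowed");

    // Add cert1 to the keychain
    isnt(framework_cert1 = SecFrameworkCertificateCreate(_eval_c1, sizeof(_eval_c1)),
         NULL, "create framework cert1");
    if (!framework_cert1) { goto errOut; }
    query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
                                         kSecClass, kSecClassCertificate,
                                         kSecValueRef, framework_cert1,
                                         kSecAttrAccessGroup, CFSTR("com.apple.trusttests"),
#if TARGET_OS_OSX
                                         kSecUseDataProtectionKeychain, kCFBooleanTrue,
#endif
                                         NULL);
    ok_status(SecItemAdd(query, NULL), "add cert1 to keychain");
    XCTAssert(SecTrustEvaluateWithError(trust, NULL), "evaluate trust and expect success");
    is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");

    // Cleanup added cert1 so it cannot influence later tests.
    ok_status(SecItemDelete(query), "remove cert1 from keychain");

errOut:
    CFReleaseNull(query);
    CFReleaseNull(framework_cert1);
    CFReleaseNull(cert0);
    CFReleaseNull(cert1);
    CFReleaseNull(date);
    CFReleaseNull(policy);
    CFReleaseNull(trust);
}
#endif /* !TARGET_OS_BRIDGE */

/* A self-signed certificate that is not in any trust store evaluates
 * successfully when the caller names that very certificate as an anchor: it
 * is the only chain member and the only entry passed to
 * SecTrustSetAnchorCertificates, under the SSL server policy with no hostname
 * (so no name check). The anchor list is what makes this pass, so callers
 * should treat whatever they put in it as a pinning decision. */
- (void)testSelfSignedAnchor {
    SecCertificateRef garthc2 = NULL;
    CFArrayRef certs = NULL;
    SecPolicyRef policy = NULL;
    SecTrustRef trust = NULL;
    CFDateRef date = NULL;

    isnt(garthc2 = SecCertificateCreateWithBytes(NULL, _selfSignedAnchor,
                                                 sizeof(_selfSignedAnchor)), NULL, "create self-signed anchor");
    if (!garthc2) { goto errOut; }
    isnt(certs = CFArrayCreate(NULL, (const void **)&garthc2, 1, &kCFTypeArrayCallBacks),
         NULL, "create certs array");
    isnt(policy = SecPolicyCreateSSL(true, NULL), NULL, "create SSL server policy");
    if (!certs || !policy) { goto errOut; }
    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
              "create trust for self-signed anchor");
    if (!trust) { goto errOut; }
    date = CFDateCreate(NULL, 578000000.0); // April 26, 2019 at 12:33:20 PM PDT
    ok_status(SecTrustSetVerifyDate(trust, date),
              "set garthc2 trust date to April 2019");
    /* Same array serves as chain and as anchor list. */
    ok_status(SecTrustSetAnchorCertificates(trust, certs),
              "set garthc2 as anchor");
    XCTAssert(SecTrustEvaluateWithError(trust, NULL),
              "evaluate self signed cert with cert as anchor");

errOut:
    CFReleaseNull(garthc2);
    CFReleaseNull(certs);
    CFReleaseNull(policy);
    CFReleaseNull(trust);
    CFReleaseNull(date);
}

@end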
172 }
173
174 @end