]> git.saurik.com Git - apple/security.git/blob - tests/TrustTests/EvaluationTests/KeySizeTests.m
Security-59306.101.1.tar.gz
[apple/security.git] / tests / TrustTests / EvaluationTests / KeySizeTests.m
1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 #import <XCTest/XCTest.h>
26 #include <Security/SecCertificatePriv.h>
27 #include <Security/SecTrustPriv.h>
28 #include <Security/SecPolicyPriv.h>
29 #include "OSX/utilities/SecCFWrappers.h"
30
31 #import "TrustEvaluationTestCase.h"
32 #include "../TestMacroConversions.h"
33 #include "KeySizeTests_data.h"
34
35 @interface KeySizeTests : TrustEvaluationTestCase
36 @end
37
38 @implementation KeySizeTests
39
40 - (bool)run_chain_of_threetest:(NSData *)cert0 cert1:(NSData *)cert1 root:(NSData *)root
41 result:(bool)should_succeed failureReason:(NSString **)failureReason
42 {
43 bool ok = false;
44
45 const void *secCert0, *secCert1, *secRoot;
46 isnt(secCert0 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)cert0), NULL, "create leaf");
47 isnt(secCert1 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)cert1), NULL, "create subCA");
48 isnt(secRoot = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)root), NULL, "create root");
49
50 const void *v_certs[] = { secCert0, secCert1 };
51 CFArrayRef certs = NULL;
52 isnt(certs = CFArrayCreate(NULL, v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks),
53 NULL, "failed to create cert array");
54 CFArrayRef anchors = NULL;
55 isnt(anchors = CFArrayCreate(NULL, &secRoot, 1, &kCFTypeArrayCallBacks), NULL, "failed to create anchors array");
56
57 SecPolicyRef policy = NULL;
58 isnt(policy = SecPolicyCreateBasicX509(), NULL, "failed to create policy");
59 CFDateRef date = NULL;
60 isnt(date = CFDateCreate(NULL, 472100000.0), NULL, "failed to create date"); // 17 Dec 2015
61
62 SecTrustRef trust = NULL;
63 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust");
64 if (!date) { goto errOut; }
65 ok_status(SecTrustSetVerifyDate(trust, date), "failed to set verify date");
66 if (!anchors) { goto errOut; }
67 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "failed to set anchors");
68
69 bool did_succeed = SecTrustEvaluateWithError(trust, NULL);
70 is(SecTrustGetCertificateCount(trust), 3, "expected chain of 3");
71
72 if (failureReason && should_succeed && !did_succeed) {
73 *failureReason = CFBridgingRelease(SecTrustCopyFailureDescription(trust));
74 } else if (failureReason && !should_succeed && did_succeed) {
75 *failureReason = @"expected kSecTrustResultFatalTrustFailure";
76 }
77
78 if ((should_succeed && did_succeed) || (!should_succeed && !did_succeed)) {
79 ok = true;
80 }
81
82 errOut:
83 CFReleaseNull(secCert0);
84 CFReleaseNull(secCert1);
85 CFReleaseNull(secRoot);
86 CFReleaseNull(certs);
87 CFReleaseNull(anchors);
88 CFReleaseNull(date);
89 CFReleaseNull(policy);
90 CFReleaseNull(trust);
91
92 return ok;
93 }
94
95 - (void)test8192BitKeySize {
96 /* Test prt_forest_fi that have a 8k RSA key */
97 const void *prt_forest_fi;
98 isnt(prt_forest_fi = SecCertificateCreateWithBytes(NULL, prt_forest_fi_certificate,
99 sizeof(prt_forest_fi_certificate)), NULL, "create prt_forest_fi");
100 CFArrayRef certs = NULL;
101 isnt(certs = CFArrayCreate(NULL, &prt_forest_fi, 1, &kCFTypeArrayCallBacks), NULL, "failed to create cert array");
102 SecPolicyRef policy = NULL;
103 isnt(policy = SecPolicyCreateSSL(true, CFSTR("owa.prt-forest.fi")), NULL, "failed to create policy");
104 SecTrustRef trust = NULL;
105 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
106 "create trust for ip client owa.prt-forest.fi");
107 CFDateRef date = CFDateCreate(NULL, 391578321.0);
108 ok_status(SecTrustSetVerifyDate(trust, date),
109 "set owa.prt-forest.fi trust date to May 2013");
110
111 SecKeyRef pubkey = SecTrustCopyPublicKey(trust);
112 isnt(pubkey, NULL, "pubkey returned");
113
114 CFReleaseNull(certs);
115 CFReleaseNull(prt_forest_fi);
116 CFReleaseNull(policy);
117 CFReleaseNull(trust);
118 CFReleaseNull(pubkey);
119 CFReleaseNull(date);
120 }
121
122 - (void)testRSAKeySizes {
123 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf2048A length:sizeof(_leaf2048A)]
124 cert1:[NSData dataWithBytes:_int2048A length:sizeof(_int2048A)]
125 root:[NSData dataWithBytes:_root512 length:sizeof(_root512)]
126 result:false
127 failureReason:nil],
128 "SECURITY: failed to detect weak root");
129
130 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf2048B length:sizeof(_leaf2048B)]
131 cert1:[NSData dataWithBytes:_int512 length:sizeof(_int512)]
132 root:[NSData dataWithBytes:_root2048 length:sizeof(_root2048)]
133 result:false
134 failureReason:nil],
135 "SECURITY: failed to detect weak intermediate");
136
137 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf512 length:sizeof(_leaf512)]
138 cert1:[NSData dataWithBytes:_int2048B length:sizeof(_int2048B)]
139 root:[NSData dataWithBytes:_root2048 length:sizeof(_root2048)]
140 result:false
141 failureReason:nil],
142 "SECURITY: failed to detect weak leaf");
143
144 NSString *failureReason = nil;
145 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf1024 length:sizeof(_leaf1024)]
146 cert1:[NSData dataWithBytes:_int2048B length:sizeof(_int2048B)]
147 root:[NSData dataWithBytes:_root2048 length:sizeof(_root2048)]
148 result:true
149 failureReason:&failureReason],
150 "REGRESSION: key size test 1024-bit leaf: %@", failureReason);
151
152 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf2048C length:sizeof(_leaf2048C)]
153 cert1:[NSData dataWithBytes:_int2048B length:sizeof(_int2048B)]
154 root:[NSData dataWithBytes:_root2048 length:sizeof(_root2048)]
155 result:true
156 failureReason:&failureReason],
157 "REGRESSION: key size test 2048-bit leaf: %@", failureReason);
158 }
159
160 - (void)testECKeySizes {
161 /* Because CoreCrypto does not support P128, we fail to chain if any CAs use weakly sized curves */
162 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf128 length:sizeof(_leaf128)]
163 cert1:[NSData dataWithBytes:_int384B length:sizeof(_int384B)]
164 root:[NSData dataWithBytes:_root384 length:sizeof(_root384)]
165 result:false
166 failureReason:nil],
167 "SECURITY: failed to detect weak leaf");
168
169 NSString *failureReason = nil;
170 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf192 length:sizeof(_leaf192)]
171 cert1:[NSData dataWithBytes:_int384B length:sizeof(_int384B)]
172 root:[NSData dataWithBytes:_root384 length:sizeof(_root384)]
173 result:true
174 failureReason:&failureReason],
175 "REGRESSION: key size test 192-bit leaf: %@", failureReason);
176
177 ok([self run_chain_of_threetest:[NSData dataWithBytes:_leaf384C length:sizeof(_leaf384C)]
178 cert1:[NSData dataWithBytes:_int384B length:sizeof(_int384B)]
179 root:[NSData dataWithBytes:_root384 length:sizeof(_root384)]
180 result:true
181 failureReason:&failureReason],
182 "REGRESSION: key size test 384-bit leaf: %@", failureReason);
183 }
184
185 - (bool)runTrust:(NSArray *)certs
186 anchors:(NSArray *)anchors
187 policy:(SecPolicyRef)policy
188 verifyDate:(NSDate *)date
189 {
190 SecTrustRef trust = NULL;
191 XCTAssert(errSecSuccess == SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust));
192 if (anchors) {
193 XCTAssert(errSecSuccess == SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors));
194 }
195 XCTAssert(errSecSuccess == SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date));
196
197 CFErrorRef error = NULL;
198 bool result = SecTrustEvaluateWithError(trust, &error);
199 CFReleaseNull(error);
200 CFReleaseNull(trust);
201 return result;
202 }
203
204 - (void)test1024_appTrustedLeaf {
205 NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:578000000.0]; // April 26, 2019 at 12:33:20 PM PDT
206 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _leaf1024SSL, sizeof(_leaf1024SSL));
207 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _rootSSL, sizeof(_rootSSL));
208
209 NSArray *certs = @[ (__bridge id)leaf];
210 NSArray *anchor = @[ (__bridge id)root ];
211 CFReleaseNull(leaf);
212 CFReleaseNull(root);
213
214 SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
215 XCTAssertFalse([self runTrust:certs anchors:anchor policy:serverPolicy verifyDate:verifyDate], "anchor trusted 1024-bit cert succeeded for SSL server");
216 CFReleaseNull(serverPolicy);
217
218 SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
219 XCTAssertTrue([self runTrust:certs anchors:anchor policy:clientPolicy verifyDate:verifyDate], "anchor trusted 1024-bit cert failed for SSL client");
220 CFReleaseNull(clientPolicy);
221
222 SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
223 XCTAssertTrue([self runTrust:certs anchors:anchor policy:eapPolicy verifyDate:verifyDate], "anchor trusted 1024-bit cert failed for EAP");
224 CFReleaseNull(eapPolicy);
225
226 SecPolicyRef legacyPolicy = SecPolicyCreateLegacySSL(true, CFSTR("example.com"));
227 XCTAssertTrue([self runTrust:certs anchors:anchor policy:legacyPolicy verifyDate:verifyDate], "anchor trusted 1024-bit cert failed for legacy SSL policy");
228 CFReleaseNull(legacyPolicy);
229
230 SecPolicyRef legacyClientPolicy = SecPolicyCreateLegacySSL(false, NULL);
231 XCTAssertTrue([self runTrust:certs anchors:anchor policy:legacyClientPolicy verifyDate:verifyDate], "anchor trusted 1024-bit cert failed for legacy SSL client policy");
232 CFReleaseNull(legacyClientPolicy);
233 }
234
235 #if !TARGET_OS_BRIDGE // bridgeOS doesn't have trust settings
236 - (void)test1024_trustSettingsOnRoot_TestLeaf {
237 NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:578000000.0]; // April 26, 2019 at 12:33:20 PM PDT
238 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _leaf1024SSL, sizeof(_leaf1024SSL));
239 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _rootSSL, sizeof(_rootSSL));
240 NSArray *certs = @[ (__bridge id)leaf, (__bridge id)root ];
241 CFReleaseNull(leaf);
242
243 id persistentRef = [self addTrustSettingsForCert:root];
244
245 SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
246 XCTAssertFalse([self runTrust:certs anchors:nil policy:serverPolicy verifyDate:verifyDate], "trust settings on root, 1024-bit leaf succeeded for SSL server");
247 CFReleaseNull(serverPolicy);
248
249 SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
250 XCTAssertTrue([self runTrust:certs anchors:nil policy:clientPolicy verifyDate:verifyDate], "trust settings on root, 1024-bit leaf failed for SSL client");
251 CFReleaseNull(clientPolicy);
252
253 SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
254 XCTAssertTrue([self runTrust:certs anchors:nil policy:eapPolicy verifyDate:verifyDate], "trust settings on root, 1024-bit leaf failed for EAP");
255 CFReleaseNull(eapPolicy);
256
257 [self removeTrustSettingsForCert:root persistentRef:persistentRef];
258 CFReleaseNull(root);
259 }
260
261 - (void)test1024_trustSettingsOnLeaf {
262 NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:578000000.0]; // April 26, 2019 at 12:33:20 PM PDT
263 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _leaf1024SSL, sizeof(_leaf1024SSL));
264 NSArray *certs = @[ (__bridge id)leaf ];
265
266 id persistentRef = [self addTrustSettingsForCert:leaf];
267
268 SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
269 XCTAssertTrue([self runTrust:certs anchors:nil policy:serverPolicy verifyDate:verifyDate], "trust settings on 1024-bit leaf failed for SSL server");
270 CFReleaseNull(serverPolicy);
271
272 SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
273 XCTAssertTrue([self runTrust:certs anchors:nil policy:clientPolicy verifyDate:verifyDate], "trust settings on 1024-bit leaf failed for SSL client");
274 CFReleaseNull(clientPolicy);
275
276 SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
277 XCTAssertTrue([self runTrust:certs anchors:nil policy:eapPolicy verifyDate:verifyDate], "trust settings on 1024-bit leaf failed for EAP");
278 CFReleaseNull(eapPolicy);
279
280 [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
281 CFReleaseNull(leaf);
282 }
283 #endif // !TARGET_OS_BRIDGE
284
285 #if !TARGET_OS_BRIDGE // bridgeOS doesn't have a system trust store
286 - (void)test2048_systemTrusted {
287 NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:500000000.0]; // April 26, 2019 at 12:33:20 PM PDT
288
289 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _leaf2048SystemTrust, sizeof(_leaf2048SystemTrust));
290 SecCertificateRef sha2_int = SecCertificateCreateWithBytes(NULL, _int2048SystemTrust, sizeof(_int2048SystemTrust));
291 NSArray *certs = @[ (__bridge id)leaf, (__bridge id)sha2_int];
292 CFReleaseNull(leaf);
293 CFReleaseNull(sha2_int);
294
295 SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("www.badssl.com"));
296 XCTAssertTrue([self runTrust:certs anchors:nil policy:serverPolicy verifyDate:verifyDate], "system trusted 2048-bit certs failed for SSL server");
297 CFReleaseNull(serverPolicy);
298
299 SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
300 XCTAssertTrue([self runTrust:certs anchors:nil policy:clientPolicy verifyDate:verifyDate], "system trusted 2048-bit certs failed for SSL client");
301 CFReleaseNull(clientPolicy);
302
303 SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"*.badssl.com", @"badssl.com"]);
304 XCTAssertTrue([self runTrust:certs anchors:nil policy:eapPolicy verifyDate:verifyDate], "system trusted 2048-bit certs failed for EAP");
305 CFReleaseNull(eapPolicy);
306 }
307 #endif // !TARGET_OS_BRIDGE
308
309 - (void)test2048_appTrustedLeaf {
310 NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:578000000.0]; // April 26, 2019 at 12:33:20 PM PDT
311 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _leaf2048SSL, sizeof(_leaf2048SSL));
312 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _rootSSL, sizeof(_rootSSL));
313
314 NSArray *certs = @[ (__bridge id)leaf];
315 NSArray *anchor = @[ (__bridge id)root ];
316 CFReleaseNull(leaf);
317 CFReleaseNull(root);
318
319 SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
320 XCTAssertTrue([self runTrust:certs anchors:anchor policy:serverPolicy verifyDate:verifyDate], "anchor trusted 2048-bit cert failed for SSL server");
321 CFReleaseNull(serverPolicy);
322
323 SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
324 XCTAssertTrue([self runTrust:certs anchors:anchor policy:clientPolicy verifyDate:verifyDate], "anchor trusted 2048-bit cert failed for SSL client");
325 CFReleaseNull(clientPolicy);
326
327 SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
328 XCTAssertTrue([self runTrust:certs anchors:anchor policy:eapPolicy verifyDate:verifyDate], "anchor trusted 2048-bit cert failed for EAP");
329 CFReleaseNull(eapPolicy);
330 }
331
332 #if !TARGET_OS_BRIDGE // bridgeOS doesn't have trust settings
333 - (void)test2048_trustSettingsOnRoot_TestLeaf {
334 NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:578000000.0]; // April 26, 2019 at 12:33:20 PM PDT
335 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _leaf2048SSL, sizeof(_leaf2048SSL));
336 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _rootSSL, sizeof(_rootSSL));
337 NSArray *certs = @[ (__bridge id)leaf, (__bridge id)root ];
338 CFReleaseNull(leaf);
339
340 id persistentRef = [self addTrustSettingsForCert:root];
341
342 SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
343 XCTAssertTrue([self runTrust:certs anchors:nil policy:serverPolicy verifyDate:verifyDate], "trust settings on root, 2048-bit leaf failed for SSL server");
344 CFReleaseNull(serverPolicy);
345
346 SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
347 XCTAssertTrue([self runTrust:certs anchors:nil policy:clientPolicy verifyDate:verifyDate], "trust settings on root, 2048-bit leaf failed for SSL client");
348 CFReleaseNull(clientPolicy);
349
350 SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
351 XCTAssertTrue([self runTrust:certs anchors:nil policy:eapPolicy verifyDate:verifyDate], "trust settings on root, 2048-bit leaf failed for EAP");
352 CFReleaseNull(eapPolicy);
353
354 [self removeTrustSettingsForCert:root persistentRef:persistentRef];
355 CFReleaseNull(root);
356 }
357
358 - (void)test2048_trustSettingsOnLeaf {
359 NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:578000000.0]; // April 26, 2019 at 12:33:20 PM PDT
360 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _leaf2048SSL, sizeof(_leaf2048SSL));
361 NSArray *certs = @[ (__bridge id)leaf ];
362
363 id persistentRef = [self addTrustSettingsForCert:leaf];
364
365 SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
366 XCTAssertTrue([self runTrust:certs anchors:nil policy:serverPolicy verifyDate:verifyDate], "trust settings on 2048-bit leaf failed for SSL server");
367 CFReleaseNull(serverPolicy);
368
369 SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
370 XCTAssertTrue([self runTrust:certs anchors:nil policy:clientPolicy verifyDate:verifyDate], "trust settings on 2048-bit leaf failed for SSL client");
371 CFReleaseNull(clientPolicy);
372
373 SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
374 XCTAssertTrue([self runTrust:certs anchors:nil policy:eapPolicy verifyDate:verifyDate], "trust settings on 2048-bit leaf failed for EAP");
375 CFReleaseNull(eapPolicy);
376
377 [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
378 CFReleaseNull(leaf);
379 }
380 #endif // !TARGET_OS_BRIDGE
381
382 @end