tests/TrustTests/EvaluationTests/PolicyTests.m

   1 /*
   2  * Copyright (c) 2016-2018 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 /* INSTRUCTIONS FOR ADDING NEW SUBTESTS:
  26  *   1. Add the certificates, as DER-encoded files with the 'cer' extension, to OSX/shared_regressions/si-20-sectrust-policies-data/
  27  *        NOTE: If your cert needs to be named with "(i[Pp]hone|i[Pp]ad|i[Pp]od)", you need to make two copies -- one named properly
  28  *        and another named such that it doesn't match that regex. Use the regex trick below for TARGET_OS_TV to make sure your test
  29  *        works.
  30  *   2. Add a new dictionary to the test plist (OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist).
  31  *      This dictionary must include: (see constants below)
  32  *          MajorTestName
  33  *          MinorTestName
  34  *          Policies
  35  *          Leaf
  36  *          Intermediates
  37  *          ExpectedResult
  38  *      It is strongly recommended that all test dictionaries include the Anchors and VerifyDate keys.
  39  *      Addtional optional keys are defined below.
  40  */
  41
  42 /* INSTRUCTIONS FOR DEBUGGING SUBTESTS:
  43  *   Add a debugging.plist to OSX/shared_regressions/si-20-sectrust-policies-data/ containing only those subtest dictionaries
  44  *   you want to debug.
  45  */
  46
  47 #include <AssertMacros.h>
  48 #import <XCTest/XCTest.h>
  49 #import <Foundation/Foundation.h>
  50
  51 #include <utilities/SecInternalReleasePriv.h>
  52 #include <utilities/SecCFRelease.h>
  53 #include <Security/SecCertificate.h>
  54 #include <Security/SecCertificatePriv.h>
  55 #include <Security/SecPolicyPriv.h>
  56 #include <Security/SecTrust.h>
  57 #include <Security/SecTrustPriv.h>
  58
  59 #import "TrustEvaluationTestCase.h"
  60 #include "../TestMacroConversions.h"
  61 #include "../TrustEvaluationTestHelpers.h"
  62
  63 const NSString *kSecTrustTestPinningPolicyResources = @"si-20-sectrust-policies-data";
  64
  65 @interface PolicyTests : TrustEvaluationTestCase
  66 @end
  67
  68 @implementation PolicyTests
  69
  70 - (void)testPolicies {
  71     NSURL *testPlist = nil;
  72     NSArray *testsArray = nil;
  73
  74     testPlist = [[NSBundle bundleForClass:[self class]] URLForResource:@"debugging" withExtension:@"plist"
  75                                                           subdirectory:(NSString *)kSecTrustTestPinningPolicyResources];
  76     if (!testPlist) {
  77         testPlist = [[NSBundle bundleForClass:[self class]] URLForResource:nil withExtension:@"plist"
  78                                                               subdirectory:(NSString *)kSecTrustTestPinningPolicyResources ];
  79     }
  80     if (!testPlist) {
  81         fail("Failed to get tests plist from %@", kSecTrustTestPinningPolicyResources);
  82         return;
  83     }
  84
  85     testsArray = [NSArray arrayWithContentsOfURL: testPlist];
  86     if (!testsArray) {
  87         fail("Failed to create array from plist");
  88         return;
  89     }
  90
  91     [testsArray enumerateObjectsUsingBlock:^(NSDictionary *testDict, NSUInteger idx, BOOL * _Nonnull stop) {
  92         TestTrustEvaluation *testObj = [[TestTrustEvaluation alloc] initWithTrustDictionary:testDict];
  93         XCTAssertNotNil(testObj, "failed to create test object for %lu", (unsigned long)idx);
  94
  95         NSError *testError = nil;
  96         XCTAssert([testObj evaluateForExpectedResults:&testError], "Test %@ failed: %@", testObj.fullTestName, testError);
  97     }];
  98 }
  99
 100 - (void)testPinningDisable
 101 {
 102     SecCertificateRef baltimoreRoot = NULL, appleISTCA2 = NULL, pinnedNonCT = NULL;
 103     SecTrustRef trust = NULL;
 104     SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("caldav.icloud.com"));
 105     NSDate *date = [NSDate dateWithTimeIntervalSinceReferenceDate:580000000.0]; // May 19, 2019 at 4:06:40 PM PDT
 106     NSArray *certs = nil, *enforcement_anchors = nil;
 107     NSUserDefaults *defaults = [[NSUserDefaults alloc] initWithSuiteName:@"com.apple.security"];
 108
 109     require_action(baltimoreRoot = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"BaltimoreCyberTrustRoot"
 110                                                                                          subdirectory:(NSString *)kSecTrustTestPinningPolicyResources],
 111                    errOut, fail("failed to create geotrust root"));
 112     require_action(appleISTCA2 = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"AppleISTCA2G1-Baltimore"
 113                                                                                        subdirectory:(NSString *)kSecTrustTestPinningPolicyResources],
 114                    errOut, fail("failed to create apple IST CA"));
 115     require_action(pinnedNonCT = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"caldav"
 116                                                                                        subdirectory:(NSString *)kSecTrustTestPinningPolicyResources],
 117                    errOut, fail("failed to create deprecated SSL Server cert"));
 118
 119     certs = @[ (__bridge id)pinnedNonCT, (__bridge id)appleISTCA2 ];
 120     enforcement_anchors = @[ (__bridge id)baltimoreRoot ];
 121     require_noerr_action(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), errOut, fail("failed to create trust"));
 122     require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date), errOut, fail("failed to set verify date"));
 123     require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)enforcement_anchors), errOut, fail("failed to set anchors"));
 124     require_noerr_action(SecTrustSetPinningPolicyName(trust, kSecPolicyNameAppleAMPService), errOut, fail("failed to set policy name"));
 125 #if !TARGET_OS_BRIDGE
 126     XCTAssertFalse(SecTrustEvaluateWithError(trust, NULL), "pinning against wrong profile succeeded");
 127 #endif
 128
 129     // Test with pinning disabled
 130     [defaults setBool:YES forKey:@"AppleServerAuthenticationNoPinning"];
 131     [defaults synchronize];
 132     SecTrustSetNeedsEvaluation(trust);
 133     XCTAssert(SecTrustEvaluateWithError(trust, NULL), "failed to disable pinning");
 134     [defaults setBool:NO forKey:@"AppleServerAuthenticationNoPinning"];
 135     [defaults synchronize];
 136
 137 errOut:
 138     CFReleaseNull(baltimoreRoot);
 139     CFReleaseNull(appleISTCA2);
 140     CFReleaseNull(pinnedNonCT);
 141     CFReleaseNull(policy);
 142     CFReleaseNull(trust);
 143 }
 144
 145 @end