]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si-20-sectrust.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57337.20.44.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-20-sectrust.c
1 /*
2 * Copyright (c) 2006-2010,2012-2015 Apple Inc. All Rights Reserved.
3 */
4
5 #include <CoreFoundation/CoreFoundation.h>
6 #include <Security/SecCertificate.h>
7 #include <Security/SecCertificatePriv.h>
8 #include <Security/SecInternal.h>
9 #include <Security/SecPolicyPriv.h>
10 #include <Security/SecTrustPriv.h>
11 #include <Security/SecItem.h>
12 #include <ipc/securityd_client.h>
13 #include <utilities/array_size.h>
14 #include <utilities/SecCFWrappers.h>
15 #include <stdlib.h>
16 #include <unistd.h>
17
18 #include "Security_regressions.h"
19 #include "si-20-sectrust.h"
20
21 /* Test basic add delete update copy matching stuff. */
22 static void basic_tests(void)
23 {
24 SecTrustRef trust;
25 SecCertificateRef cert0, cert1;
26 isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)),
27 NULL, "create cert0");
28 isnt(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)),
29 NULL, "create cert1");
30 const void *v_certs[] = {
31 cert0,
32 cert1
33 };
34 SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
35 CFArrayRef certs = CFArrayCreate(NULL, v_certs,
36 array_size(v_certs), NULL);
37
38 /* SecTrustCreateWithCertificates failures. */
39 is_status(SecTrustCreateWithCertificates(kCFBooleanTrue, policy, &trust),
40 errSecParam, "create trust with boolean instead of cert");
41 is_status(SecTrustCreateWithCertificates(cert0, kCFBooleanTrue, &trust),
42 errSecParam, "create trust with boolean instead of policy");
43
44 /* SecTrustCreateWithCertificates using array of certs. */
45 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
46
47 /* NOTE: prior to <rdar://11810677 SecTrustGetCertificateCount would return 1 at this point.
48 * Now, however, we do an implicit SecTrustEvaluate to build the chain if it has not yet been
49 * evaluated, so we now expect the full chain length.
50 */
51 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
52 is(SecTrustGetCertificateAtIndex(trust, 0), cert0, "cert 0 is leaf");
53
54 /* Jul 30 2014. */
55 CFDateRef date = NULL;
56 isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 30, 12, 0, 0),
57 NULL, "create verify date");
58 ok_status(SecTrustSetVerifyDate(trust, date), "set date");
59
60 SecTrustResultType trustResult;
61
62 SKIP: {
63 #ifdef NO_SERVER
64 skip("Can't fail to connect to securityd in NO_SERVER mode", 4, false);
65 #endif
66 // Test Restore OS environment
67 SecServerSetMachServiceName("com.apple.security.doesn't-exist");
68 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust without securityd running");
69 is_status(trustResult, kSecTrustResultInvalid, "trustResult is kSecTrustResultInvalid");
70 is(SecTrustGetCertificateCount(trust), 1, "cert count is 1 without securityd running");
71 SecKeyRef pubKey = NULL;
72 ok(pubKey = SecTrustCopyPublicKey(trust), "copy public key without securityd running");
73 CFReleaseNull(pubKey);
74 SecServerSetMachServiceName(NULL);
75 // End of Restore OS environment tests
76 }
77
78 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
79 is_status(trustResult, kSecTrustResultUnspecified,
80 "trustResult is kSecTrustResultUnspecified");
81
82 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
83
84 CFDataRef c0_serial = CFDataCreate(NULL, _c0_serial, sizeof(_c0_serial));
85 CFDataRef serial;
86 ok(serial = SecCertificateCopySerialNumber(cert0), "copy cert0 serial");
87 ok(CFEqual(c0_serial, serial), "serial matches");
88
89 CFArrayRef anchors = CFArrayCreate(NULL, (const void **)&cert1, 1, &kCFTypeArrayCallBacks);
90 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
91 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
92 is_status(trustResult, kSecTrustResultUnspecified,
93 "trust is kSecTrustResultUnspecified");
94 is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
95
96 CFReleaseSafe(anchors);
97 anchors = CFArrayCreate(NULL, NULL, 0, NULL);
98 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set empty anchors list");
99 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
100 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
101 "trust is kSecTrustResultRecoverableTrustFailure");
102
103 ok_status(SecTrustSetAnchorCertificatesOnly(trust, false), "trust passed in anchors and system anchors");
104 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
105 is_status(trustResult, kSecTrustResultUnspecified,
106 "trust is kSecTrustResultUnspecified");
107
108 ok_status(SecTrustSetAnchorCertificatesOnly(trust, true), "only trust passed in anchors (default)");
109 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
110 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
111 "trust is kSecTrustResultRecoverableTrustFailure");
112
113 /* Test cert_1 intermediate from the keychain. */
114 CFReleaseSafe(trust);
115 ok_status(SecTrustCreateWithCertificates(cert0, policy, &trust),
116 "create trust with single cert0");
117 ok_status(SecTrustSetVerifyDate(trust, date), "set date");
118
119 // Add cert1
120 CFDictionaryRef query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
121 kSecClass, kSecClassCertificate, kSecValueRef, cert1, NULL);
122 ok_status(SecItemAdd(query, NULL), "add cert1 to keychain");
123 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
124 // Cleanup added cert1.
125 ok_status(SecItemDelete(query), "remove cert1 from keychain");
126 CFReleaseSafe(query);
127 is_status(trustResult, kSecTrustResultUnspecified,
128 "trust is kSecTrustResultUnspecified");
129 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
130
131 /* Set certs to be the xedge2 leaf. */
132 CFReleaseSafe(certs);
133 const void *cert_xedge2;
134 isnt(cert_xedge2 = SecCertificateCreateWithBytes(NULL, xedge2_certificate,
135 sizeof(xedge2_certificate)), NULL, "create cert_xedge2");
136 certs = CFArrayCreate(NULL, &cert_xedge2, 1, NULL);
137
138 CFReleaseSafe(trust);
139 CFReleaseSafe(policy);
140 CFReleaseSafe(date);
141 bool server = true;
142 policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
143 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
144 "create trust for ssl server xedge2.apple.com");
145
146 /* This test uses a cert whose root is no longer in our trust store,
147 * so we need to explicitly set it as a trusted anchor
148 */
149 SecCertificateRef _root;
150 isnt(_root = SecCertificateCreateWithBytes(NULL, entrust1024RootCA, sizeof(entrust1024RootCA)),
151 NULL, "create root");
152 const void *v_roots[] = { _root };
153 CFArrayRef _anchors;
154 isnt(_anchors = CFArrayCreate(NULL, v_roots, array_size(v_roots), NULL),
155 NULL, "create anchors");
156 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
157
158 /* Jan 1st 2009. */
159 date = CFDateCreate(NULL, 252288000.0);
160 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
161 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
162 is_status(trustResult, kSecTrustResultUnspecified,
163 "trust is kSecTrustResultUnspecified");
164
165 CFReleaseSafe(trust);
166 CFReleaseSafe(policy);
167 server = false;
168 policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
169 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
170 "create trust for ssl client xedge2.apple.com");
171 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
172 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
173 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
174 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
175 "trust is kSecTrustResultRecoverableTrustFailure");
176
177 CFReleaseSafe(trust);
178 CFReleaseSafe(policy);
179 server = true;
180 policy = SecPolicyCreateIPSec(server, CFSTR("xedge2.apple.com"));
181 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
182 "create trust for ip server xedge2.apple.com");
183 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
184 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
185 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
186 #if 0
187 /* Although this shouldn't be a valid ipsec cert, since we no longer
188 check for ekus in the ipsec policy it is. */
189 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
190 "trust is kSecTrustResultRecoverableTrustFailure");
191 #else
192 is_status(trustResult, kSecTrustResultUnspecified,
193 "trust is kSecTrustResultUnspecified");
194 #endif
195
196 CFReleaseSafe(trust);
197 CFReleaseSafe(policy);
198 server = true;
199 policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
200 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
201 "create trust for ssl server nowhere.com");
202 SecPolicyRef replacementPolicy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
203 SecTrustSetPolicies(trust, replacementPolicy);
204 CFReleaseSafe(replacementPolicy);
205 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
206 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
207 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
208 is_status(trustResult, kSecTrustResultUnspecified,
209 "trust is kSecTrustResultUnspecified");
210
211 CFReleaseSafe(trust);
212 CFReleaseSafe(policy);
213 server = true;
214 policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
215 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
216 "create trust for ssl server nowhere.com");
217 SecPolicyRef replacementPolicy2 = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
218 CFArrayRef replacementPolicies = CFArrayCreate(kCFAllocatorDefault, (CFTypeRef*)&replacementPolicy2, 1, &kCFTypeArrayCallBacks);
219 SecTrustSetPolicies(trust, replacementPolicies);
220 CFReleaseSafe(replacementPolicy2);
221 CFReleaseSafe(replacementPolicies);
222 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
223 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
224 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
225 is_status(trustResult, kSecTrustResultUnspecified,
226 "trust is kSecTrustResultUnspecified");
227
228 /* Test self signed ssl cert with cert itself set as anchor. */
229 CFReleaseSafe(trust);
230 CFReleaseSafe(policy);
231 CFReleaseSafe(certs);
232 CFReleaseSafe(date);
233 const void *garthc2;
234 server = true;
235 isnt(garthc2 = SecCertificateCreateWithBytes(NULL, garthc2_certificate,
236 sizeof(garthc2_certificate)), NULL, "create garthc2");
237 certs = CFArrayCreate(NULL, &garthc2, 1, NULL);
238 policy = SecPolicyCreateSSL(server, CFSTR("garthc2.apple.com"));
239 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
240 "create trust for ip server garthc2.apple.com");
241 date = CFDateCreate(NULL, 269568000.0);
242 ok_status(SecTrustSetVerifyDate(trust, date),
243 "set garthc2 trust date to Aug 2009");
244 ok_status(SecTrustSetAnchorCertificates(trust, certs),
245 "set garthc2 as anchor");
246 ok_status(SecTrustEvaluate(trust, &trustResult),
247 "evaluate self signed cert with cert as anchor");
248 is_status(trustResult, kSecTrustResultUnspecified,
249 "trust is kSecTrustResultUnspecified");
250
251 CFReleaseSafe(garthc2);
252 CFReleaseSafe(cert_xedge2);
253 CFReleaseSafe(anchors);
254 CFReleaseSafe(trust);
255 CFReleaseSafe(serial);
256 CFReleaseSafe(c0_serial);
257 CFReleaseSafe(policy);
258 CFReleaseSafe(certs);
259 CFReleaseSafe(cert0);
260 CFReleaseSafe(cert1);
261 CFReleaseSafe(date);
262
263 CFReleaseSafe(_root);
264 CFReleaseSafe(_anchors);
265 }
266
267 static void rsa8k_tests(void)
268 {
269 /* Test prt_forest_fi that have a 8k RSA key */
270 const void *prt_forest_fi;
271 isnt(prt_forest_fi = SecCertificateCreateWithBytes(NULL, prt_forest_fi_certificate,
272 sizeof(prt_forest_fi_certificate)), NULL, "create prt_forest_fi");
273 CFArrayRef certs = NULL;
274 isnt(certs = CFArrayCreate(NULL, &prt_forest_fi, 1, NULL), NULL, "failed to create cert array");
275 SecPolicyRef policy = NULL;
276 isnt(policy = SecPolicyCreateSSL(false, CFSTR("owa.prt-forest.fi")), NULL, "failed to create policy");
277 SecTrustRef trust = NULL;
278 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
279 "create trust for ip client owa.prt-forest.fi");
280 CFDateRef date = CFDateCreate(NULL, 391578321.0);
281 ok_status(SecTrustSetVerifyDate(trust, date),
282 "set owa.prt-forest.fi trust date to May 2013");
283
284 SecKeyRef pubkey = SecTrustCopyPublicKey(trust);
285 isnt(pubkey, NULL, "pubkey returned");
286
287 CFReleaseSafe(certs);
288 CFReleaseNull(prt_forest_fi);
289 CFReleaseNull(policy);
290 CFReleaseNull(trust);
291 CFReleaseNull(pubkey);
292 CFReleaseNull(date);
293 }
294
295 static void date_tests(void)
296 {
297 /* Test long-lived cert chain that expires in 9999 */
298 CFDateRef date = NULL;
299 const void *leaf, *root;
300 isnt(leaf = SecCertificateCreateWithBytes(NULL, longleaf, sizeof(longleaf)), NULL, "create leaf");
301 isnt(root = SecCertificateCreateWithBytes(NULL, longroot, sizeof(longroot)), NULL, "create root");
302
303 CFArrayRef certs = NULL;
304 isnt(certs = CFArrayCreate(NULL, &leaf, 1, NULL), NULL, "failed to create cert array");
305 CFArrayRef anchors = NULL;
306 isnt(anchors = CFArrayCreate(NULL, &root, 1, NULL), NULL, "failed to create anchors array");
307
308 SecPolicyRef policy = NULL;
309 isnt(policy = SecPolicyCreateBasicX509(), NULL, "failed to create policy");
310 SecTrustRef trust = NULL;
311 SecTrustResultType trustResult;
312 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
313 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
314
315 /* September 4, 2013 (prior to "notBefore" date of 2 April 2014, should fail) */
316 isnt(date = CFDateCreate(NULL, 400000000), NULL, "failed to create date");
317 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 23 Sep 2013");
318 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 23 Sep 2013");
319 is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure");
320 CFReleaseNull(date);
321
322 /* January 17, 2016 (recent date within validity period, should succeed) */
323 isnt(date = CFDateCreate(NULL, 474747474), NULL, "failed to create date");
324 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 17 Jan 2016");
325 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 17 Jan 2016");
326 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
327 CFReleaseNull(date);
328
329 /* December 20, 9999 (far-future date within validity period, should succeed) */
330 isnt(date = CFDateCreate(NULL, 252423000000), NULL, "failed to create date");
331 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 20 Dec 9999");
332 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 20 Dec 9999");
333 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
334 CFReleaseNull(date);
335
336 /* January 12, 10000 (after the "notAfter" date of 31 Dec 9999, should fail) */
337 isnt(date = CFDateCreate(NULL, 252425000000), NULL, "failed to create date");
338 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 12 Jan 10000");
339 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 12 Jan 10000");
340 is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure");
341 CFReleaseNull(date);
342
343 CFReleaseSafe(trust);
344 CFReleaseSafe(policy);
345 CFReleaseSafe(anchors);
346 CFReleaseSafe(certs);
347 CFReleaseNull(root);
348 CFReleaseNull(leaf);
349 }
350
351 int si_20_sectrust(int argc, char *const *argv)
352 {
353 plan_tests(101);
354
355 basic_tests();
356 rsa8k_tests();
357 date_tests();
358
359 return 0;
360 }
mirror of Security