]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si-18-certificate-parse.m
Security-58286.270.3.0.1.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-18-certificate-parse.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include "shared_regressions.h"
25
26 #include <AssertMacros.h>
27 #import <Foundation/Foundation.h>
28
29 #include <utilities/SecInternalReleasePriv.h>
30 #include <utilities/SecCFRelease.h>
31 #include <Security/SecCertificate.h>
32 #include <Security/SecCertificatePriv.h>
33 #include <Security/SecCertificateInternal.h>
34
35 const NSString *kSecTestParseFailureResources = @"si-18-certificate-parse/ParseFailureCerts";
36 const NSString *kSecTestParseSuccessResources = @"si-18-certificate-parse/ParseSuccessCerts";
37 const NSString *kSecTestKeyFailureResources = @"si-18-certificate-parse/KeyFailureCerts";
38 const NSString *kSecTestPathFailureResources = @"si-18-certificate-parse/PathFailureCerts";
39 const NSString *kSecTestTODOFailureResources = @"si-18-certificate-parse/TODOFailureCerts";
40
41 static uint64_t num_certs() {
42 uint64_t num_certs = 0;
43 NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseFailureResources];
44 num_certs += [certURLs count];
45 certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseSuccessResources];
46 num_certs += [certURLs count];
47 certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestKeyFailureResources];
48 num_certs += [certURLs count];
49 certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestPathFailureResources];
50 num_certs += [certURLs count];
51 certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestTODOFailureResources];
52 num_certs += [certURLs count];
53
54 return num_certs;
55 }
56
57 static void test_parse_failure(void) {
58 /* A bunch of certificates with different parsing errors */
59 NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseFailureResources];
60 require_action([certURLs count] > 0, testOut,
61 fail("Unable to find parse test failure certs in bundle."));
62
63 [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
64 NSData *certData = [NSData dataWithContentsOfURL:url];
65 SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
66 is(cert, NULL, "Successfully parsed bad cert: %@", url);
67 CFReleaseNull(cert);
68 }];
69
70 testOut:
71 return;
72 }
73
74 static void test_parse_success(void) {
75 /* A bunch of certificates with different parsing variations */
76 NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseSuccessResources];
77 require_action([certURLs count] > 0, testOut,
78 fail("Unable to find parse test failure certs in bundle."));
79
80 [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
81 NSData *certData = [NSData dataWithContentsOfURL:url];
82 SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
83 isnt(cert, NULL, "Failed to parse good cert: %@", url);
84 CFReleaseNull(cert);
85 }];
86
87 testOut:
88 return;
89 }
90
91 static void test_key_failure(void) {
92 /* Parse failures that require public key extraction */
93 NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestKeyFailureResources];
94 require_action([certURLs count] > 0, testOut,
95 fail("Unable to find parse test failure certs in bundle."));
96
97 [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
98 NSData *certData = [NSData dataWithContentsOfURL:url];
99 SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
100 SecKeyRef pubkey = NULL;
101 require_action(cert, blockOut,
102 fail("Failed to parse cert with SPKI error: %@", url));
103 pubkey = SecCertificateCopyKey(cert);
104 is(pubkey, NULL, "Successfully parsed bad SPKI: %@", url);
105
106 blockOut:
107 CFReleaseNull(cert);
108 CFReleaseNull(pubkey);
109 }];
110
111 testOut:
112 return;
113 }
114
115 static void test_path_parse_failure(void) {
116 NSArray <NSURL *>* certURLs = nil;
117 SecCertificateRef root = nil;
118
119 NSURL *rootURL = [[NSBundle mainBundle] URLForResource:@"root" withExtension:@".cer" subdirectory:@"si-18-certificate-parse"];
120 root = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)[NSData dataWithContentsOfURL:rootURL]);
121 require_action(root, testOut,
122 fail("Unable to create root cert"));
123 certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestPathFailureResources];
124 require_action([certURLs count] > 0, testOut,
125 fail("Unable to find parse test failure certs in bundle."));
126
127 [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
128 NSData *certData = [NSData dataWithContentsOfURL:url];
129 SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
130 SecTrustRef trust = NULL;
131 SecPolicyRef policy = SecPolicyCreateBasicX509();
132 SecTrustResultType trustResult = kSecTrustResultInvalid;
133
134 require_noerr_action(SecTrustCreateWithCertificates(cert, policy, &trust), blockOut,
135 fail("Unable to create trust with certificate: %@", url));
136 require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)[NSArray arrayWithObject:(__bridge id)root]),
137 blockOut, fail("Unable to set trust in root cert: %@", url));
138 require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:507200000.0]),
139 blockOut, fail("Unable to set verify date: %@", url));
140 require_noerr_action(SecTrustEvaluate(trust, &trustResult), blockOut,
141 fail("Failed to evaluate trust with error: %@", url));
142 is(trustResult, kSecTrustResultRecoverableTrustFailure, "Got wrong trust result (%d) for %@", trustResult, url);
143
144 require_action(cert, blockOut,
145 fail("Failed to parse cert with SPKI error: %@", url));
146
147 blockOut:
148 CFReleaseNull(cert);
149 CFReleaseNull(trust);
150 CFReleaseNull(policy);
151 }];
152
153
154 testOut:
155 CFReleaseNull(root);
156 }
157
158 static void test_todo_failures(void) {
159 /* A bunch of certificates with different parsing errors that currently succeed. */
160 NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestTODOFailureResources];
161 require_action([certURLs count] > 0, testOut,
162 fail("Unable to find parse test failure certs in bundle."));
163
164 [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
165 NSData *certData = [NSData dataWithContentsOfURL:url];
166 SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
167 {
168 NSString *reason = [NSString stringWithFormat:@"Bad cert succeeds: %@",url];
169 todo([reason UTF8String]);
170 is(cert, NULL, "Successfully parsed bad cert: %@", url);
171 }
172 CFReleaseNull(cert);
173 }];
174
175 testOut:
176 return;
177 }
178
179 int si_18_certificate_parse(int argc, char *const *argv)
180 {
181
182 plan_tests((int)num_certs());
183
184 test_parse_failure();
185 test_parse_success();
186 test_key_failure();
187 test_path_parse_failure();
188 test_todo_failures();
189
190 return 0;
191 }