1 /*
2 * Copyright (c) 2015 Apple Inc. All Rights Reserved.
3 */
4
5 #include <Security/SecPolicyPriv.h>
6 #include <Security/SecTrust.h>
7 #include <Security/SecTrustPriv.h>
8 #include <Security/SecCertificatePriv.h>
9 #include <AssertMacros.h>
10 #include <utilities/SecCFWrappers.h>
11
12 #include "shared_regressions.h"
13
14 #include "si-85-sectrust-ssl-policy.h"
15
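/* Returns the CFString stored under `key` in `dict`, or NULL when the key is
 * absent or the value is not a CFString.  The plist is fixture data, but a
 * wrong-typed value would otherwise be handed straight to CFString APIs and
 * take down the whole run instead of failing only the affected test case. */
static CFStringRef stringValueForKey(CFDictionaryRef dict, CFStringRef key) {
    const void *value = CFDictionaryGetValue(dict, key);
    if (!value || CFGetTypeID(value) != CFStringGetTypeID()) {
        return NULL;
    }
    return (CFStringRef)value;
}

/* Runs one SSL-policy trust evaluation described by a plist entry.
 *
 * test_key:   CFStringRef, the test name (the plist key).
 * test_value: CFDictionaryRef with keys
 *   "Filename" - leaf certificate, loaded as <Filename>.cer from the
 *                ssl-policy-certs bundle directory;
 *   "Hostname" - name the SSL server policy is created with;
 *   "Result"   - expected SecTrustResultType spelled as a string.  The leaf
 *                is expected to be trusted only for "kSecTrustResultProceed"
 *                or "kSecTrustResultUnspecified"; any other value means the
 *                leaf is expected to be rejected;
 *   "Reason"   - optional.  When the key is present the case is a known
 *                failure and its result is reported as TODO with this text.
 * context:    unused.
 *
 * The leaf is evaluated with the built-in test root (_SSLTrustPolicyTestRootCA)
 * as the only anchor and at a fixed verify date, so the outcome does not depend
 * on the system trust store or on the wall clock.  Exactly one test result
 * (ok/fail) is emitted per call; that is why the early-exit paths use the
 * require_* macros with a single fail() rather than the stacking conveniences.
 */
static void runTestForDictionary (const void *test_key, const void *test_value, void *context) {
    CFDictionaryRef test_info = test_value;
    CFStringRef test_name = test_key, file = NULL, reason = NULL, expectedResult = NULL, failReason = NULL;
    CFURLRef cert_file_url = NULL;
    CFDataRef cert_data = NULL;
    bool expectTrustSuccess = false;

    SecCertificateRef leaf = NULL, root = NULL;
    CFStringRef hostname = NULL;
    SecPolicyRef policy = NULL;
    SecTrustRef trust = NULL;
    CFArrayRef anchor_array = NULL;
    CFDateRef date = NULL;
    /* Backing store for the "Reason" text when CFStringGetCStringPtr cannot
     * hand out an internal pointer; lives until the todo()/ok() pair is done. */
    char reason_buf[256];

    (void)context;

    /* get filename in test dictionary */
    file = stringValueForKey(test_info, CFSTR("Filename"));
    require_action_quiet(file, cleanup, fail("%@: Unable to load filename from plist", test_name));

    /* get leaf certificate from file */
    cert_file_url = CFBundleCopyResourceURL(CFBundleGetMainBundle(), file, CFSTR("cer"), CFSTR("ssl-policy-certs"));
    require_action_quiet(cert_file_url, cleanup, fail("%@: Unable to get url for cert file %@",
                                                      test_name, file));

    SInt32 errorCode = 0;
    require_action_quiet(CFURLCreateDataAndPropertiesFromResource(NULL, cert_file_url, &cert_data, NULL, NULL, &errorCode),
                         cleanup,
                         fail("%@: Could not create cert data for %@ with error %d",
                              test_name, file, (int)errorCode));

    /* create certificates; a file that is not a DER certificate yields a NULL leaf */
    leaf = SecCertificateCreateWithData(NULL, cert_data);
    root = SecCertificateCreateWithBytes(NULL, _SSLTrustPolicyTestRootCA, sizeof(_SSLTrustPolicyTestRootCA));
    CFReleaseNull(cert_data);
    require_action_quiet(leaf && root, cleanup, fail("%@: Unable to create certificates", test_name));

    /* create policy */
    hostname = stringValueForKey(test_info, CFSTR("Hostname"));
    require_action_quiet(hostname, cleanup, fail("%@: Unable to load hostname from plist", test_name));

    /* server == true: the server-certificate flavour of the SSL policy, i.e.
     * the leaf is being judged as a server certificate presented for `hostname`. */
    policy = SecPolicyCreateSSL(true, hostname);
    require_action_quiet(policy, cleanup, fail("%@: Unable to create SSL policy with hostname %@",
                                               test_name, hostname));

    /* create trust ref */
    OSStatus err = SecTrustCreateWithCertificates(leaf, policy, &trust);
    CFReleaseNull(policy);
    require_noerr_action(err, cleanup, ok_status(err, "SecTrustCreateWithCertificates"));

    /* Pin the anchor set to the test root only, so the evaluation does not
     * consult the system trust store. */
    anchor_array = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks);
    require_action_quiet(anchor_array, cleanup, fail("%@: Unable to create anchor array", test_name));
    err = SecTrustSetAnchorCertificates(trust, anchor_array);
    require_noerr_action(err, cleanup, ok_status(err, "SecTrustSetAnchorCertificates"));

    /* set date in trust ref to 4 Sep 2015 (CFAbsoluteTime: seconds since 2001-01-01 UTC) */
    date = CFDateCreate(NULL, 463079909.0);
    require_action_quiet(date, cleanup, fail("%@: Unable to create verify date", test_name));
    err = SecTrustSetVerifyDate(trust, date);
    CFReleaseNull(date);
    require_noerr_action(err, cleanup, ok_status(err, "SecTrustSetVerifyDate"));

    /* evaluate */
    SecTrustResultType actualResult = kSecTrustResultInvalid;
    err = SecTrustEvaluate(trust, &actualResult);
    require_noerr_action(err, cleanup, ok_status(err, "SecTrustEvaluate"));
    /* Proceed and Unspecified are the only results that mean "trusted". */
    bool is_valid = (actualResult == kSecTrustResultProceed || actualResult == kSecTrustResultUnspecified);
    if (!is_valid) failReason = SecTrustCopyFailureDescription(trust);

    /* get expected result for test */
    expectedResult = stringValueForKey(test_info, CFSTR("Result"));
    require_action_quiet(expectedResult, cleanup, fail("%@: Unable to get expected result",test_name));
    if (!CFStringCompare(expectedResult, CFSTR("kSecTrustResultUnspecified"), 0) ||
        !CFStringCompare(expectedResult, CFSTR("kSecTrustResultProceed"), 0)) {
        expectTrustSuccess = true;
    }

    /* process results */
    if (!CFDictionaryContainsKey(test_info, CFSTR("Reason"))) {
        /* not a known failure.  Label a mismatch by its consequence: a leaf that
         * should have been trusted and was not is a REGRESSION; a leaf that
         * should have been rejected and was trusted is a SECURITY problem (the
         * policy accepted a server certificate it must not). */
        ok(is_valid == expectTrustSuccess, "%s %@%@",
           expectTrustSuccess ? "REGRESSION" : "SECURITY",
           test_name,
           failReason ? failReason : CFSTR(""));
    }
    else if ((reason = stringValueForKey(test_info, CFSTR("Reason")))) {
        /* known failure.  CFStringGetCStringPtr is only a fast path and may
         * return NULL even for a valid string; fall back to copying the text
         * out rather than passing NULL to todo(). */
        const char *reason_cstr = CFStringGetCStringPtr(reason, kCFStringEncodingUTF8);
        if (!reason_cstr) {
            if (CFStringGetCString(reason, reason_buf, sizeof(reason_buf), kCFStringEncodingUTF8)) {
                reason_cstr = reason_buf;
            } else {
                reason_cstr = "known failure (reason text not representable)";
            }
        }
        todo(reason_cstr);
        ok(is_valid == expectTrustSuccess, "%@%@",
           test_name, expectTrustSuccess ? (failReason ? failReason : CFSTR("")) : CFSTR(" valid"));
    }
    else {
        /* "Reason" is present but is not a string */
        fail("%@: unable to get reason for known failure", test_name);
    }

cleanup:
    CFReleaseNull(cert_file_url);
    CFReleaseNull(cert_data);
    CFReleaseNull(leaf);
    CFReleaseNull(root);
    CFReleaseNull(trust);
    CFReleaseNull(anchor_array);
    CFReleaseNull(failReason);
}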
122
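/* Locates the single ssl-policy-certs/*.plist fixture in the main bundle,
 * parses it into a dictionary of test-name -> test-description and runs
 * runTestForDictionary on every entry.  Any problem locating or parsing the
 * fixture is reported as one fail() and no per-entry tests are run. */
static void tests(void)
{
    CFDataRef plist_data = NULL;
    CFArrayRef plist_urls = NULL;
    CFPropertyListRef tests_dictionary = NULL;
    CFErrorRef parse_error = NULL;

    /* CFBundleCopyResourceURLsOfType may return NULL (no bundle, no such
     * directory); check before asking for the count. */
    plist_urls = CFBundleCopyResourceURLsOfType(CFBundleGetMainBundle(), CFSTR("plist"), CFSTR("ssl-policy-certs"));
    if (!plist_urls || CFArrayGetCount(plist_urls) != 1) {
        fail("Incorrect number of plists found in ssl-policy-certs");
        goto exit;
    }

    SInt32 errorCode = 0;
    if (!CFURLCreateDataAndPropertiesFromResource(NULL, CFArrayGetValueAtIndex(plist_urls, 0), &plist_data, NULL, NULL, &errorCode)) {
        fail("Could not create data from plist with error %d", (int)errorCode);
        goto exit;
    }

    /* parse_error is only set on a parse failure; it is released at exit in
     * every case, so it no longer leaks when the plist is malformed. */
    tests_dictionary = CFPropertyListCreateWithData(NULL, plist_data, kCFPropertyListImmutable, NULL, &parse_error);
    if (!tests_dictionary || (CFGetTypeID(tests_dictionary) != CFDictionaryGetTypeID())) {
        fail("Failed to create tests dictionary from plist: %@", parse_error);
        goto exit;
    }

    CFDictionaryApplyFunction(tests_dictionary, runTestForDictionary, NULL);

exit:
    CFReleaseNull(parse_error);
    CFReleaseNull(plist_urls);
    CFReleaseNull(plist_data);
    CFReleaseNull(tests_dictionary);
}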
155
/* Test entry point called by the regression harness.  Declares the expected
 * number of results and runs the plist-driven SSL policy cases.  argc/argv
 * are part of the harness signature and are not used here. */
int si_85_sectrust_ssl_policy(int argc, char *const *argv)
{
    (void)argc;
    (void)argv;

    /* 37 is presumably the number of entries in the fixture plist (one ok/fail
     * per entry); bump it when cases are added to the plist. */
    plan_tests(37);
    tests();

    return 0;
}