2 * Copyright (c) 2006-2016 Apple Inc. All Rights Reserved.
5 #include <CoreFoundation/CoreFoundation.h>
6 #include <Security/SecCertificate.h>
7 #include <Security/SecCertificatePriv.h>
8 #include <Security/SecPolicyPriv.h>
9 #include <Security/SecTrust.h>
10 #include <utilities/array_size.h>
11 #include <utilities/SecCFRelease.h>
15 #include "shared_regressions.h"
17 #include "si-22-sectrust-iap.h"
19 static void tests(void)
22 SecCertificateRef iAP1CA
, iAP2CA
, leaf0
, leaf1
;
23 isnt(iAP1CA
= SecCertificateCreateWithBytes(NULL
, _iAP1CA
, sizeof(_iAP1CA
)),
24 NULL
, "create iAP1CA");
25 isnt(iAP2CA
= SecCertificateCreateWithBytes(NULL
, _iAP2CA
, sizeof(_iAP2CA
)),
26 NULL
, "create iAP2CA");
27 isnt(leaf0
= SecCertificateCreateWithBytes(NULL
, _leaf0
, sizeof(_leaf0
)),
28 NULL
, "create leaf0");
29 isnt(leaf1
= SecCertificateCreateWithBytes(NULL
, _leaf1
, sizeof(_leaf1
)),
30 NULL
, "create leaf1");
32 // temporarily grab some stack space and fill it with 0xFF;
33 // when we exit this scope, the stack pointer should shrink but leave the memory filled.
34 // this tests for a stack overflow bug inside SecPolicyCreateiAP (rdar://16056248)
36 memset(buf
, 0xFF, sizeof(buf
));
38 SecPolicyRef policy
= SecPolicyCreateiAP();
39 const void *v_anchors
[] = {
43 CFArrayRef anchors
= CFArrayCreate(NULL
, v_anchors
,
44 array_size(v_anchors
), NULL
);
45 CFArrayRef certs0
= CFArrayCreate(NULL
, (const void **)&leaf0
, 1, &kCFTypeArrayCallBacks
);
46 CFArrayRef certs1
= CFArrayCreate(NULL
, (const void **)&leaf1
, 1, &kCFTypeArrayCallBacks
);
47 ok_status(SecTrustCreateWithCertificates(certs0
, policy
, &trust
), "create trust for leaf0");
48 ok_status(SecTrustSetAnchorCertificates(trust
, anchors
), "set anchors");
51 CFDateRef date
= CFDateCreate(NULL
, 220752000.0);
52 ok_status(SecTrustSetVerifyDate(trust
, date
), "set date");
54 SecTrustResultType trustResult
;
55 ok_status(SecTrustEvaluate(trust
, &trustResult
), "evaluate trust");
56 is_status(trustResult
, kSecTrustResultUnspecified
,
57 "trust is kSecTrustResultUnspecified");
59 is(SecTrustGetCertificateCount(trust
), 2, "cert count is 2");
62 ok_status(SecTrustCreateWithCertificates(certs1
, policy
, &trust
), "create trust for leaf1");
63 ok_status(SecTrustSetAnchorCertificates(trust
, anchors
), "set anchors");
64 ok_status(SecTrustEvaluate(trust
, &trustResult
), "evaluate trust");
65 is_status(trustResult
, kSecTrustResultUnspecified
, "trust is kSecTrustResultUnspecified");
67 CFReleaseSafe(anchors
);
68 CFReleaseSafe(certs1
);
69 CFReleaseSafe(certs0
);
71 CFReleaseSafe(policy
);
74 CFReleaseSafe(iAP1CA
);
75 CFReleaseSafe(iAP2CA
);
79 static void test_v3(void) {
80 SecCertificateRef v3CA
= NULL
, v3leaf
= NULL
;
81 isnt(v3CA
= SecCertificateCreateWithBytes(NULL
, _v3ca
, sizeof(_v3ca
)),
82 NULL
, "create v3leaf");
83 isnt(v3leaf
= SecCertificateCreateWithBytes(NULL
, _v3leaf
, sizeof(_v3leaf
)),
84 NULL
, "create v3leaf");
86 /* Test v3 certs meet iAP policy */
87 SecPolicyRef policy
= NULL
;
88 SecTrustRef trust
= NULL
;
89 CFArrayRef certs
= NULL
, anchors
= NULL
;
90 CFDateRef date
= NULL
;
91 SecTrustResultType trustResult
;
93 certs
= CFArrayCreate(NULL
, (const void **)&v3leaf
, 1, &kCFTypeArrayCallBacks
);
94 anchors
= CFArrayCreate(NULL
, (const void **)&v3CA
, 1, &kCFTypeArrayCallBacks
);
95 policy
= SecPolicyCreateiAP();
96 ok_status(SecTrustCreateWithCertificates(certs
, policy
, &trust
), "create trust ref");
97 ok_status(SecTrustSetAnchorCertificates(trust
, anchors
), "set anchor");
98 ok(date
= CFDateCreate(NULL
, 484000000.0), "create date"); /* 3 May 2016 */
99 if (!date
) { goto trustFail
; }
100 ok_status(SecTrustSetVerifyDate(trust
, date
), "set verify date");
101 ok_status(SecTrustEvaluate(trust
, &trustResult
), "evaluate");
102 is_status(trustResult
, kSecTrustResultUnspecified
, "trust is kSecTrustResultUnspecified");
105 CFReleaseSafe(policy
);
106 CFReleaseSafe(trust
);
107 CFReleaseSafe(certs
);
108 CFReleaseSafe(anchors
);
112 /* Test interface for determining iAuth version */
113 SecCertificateRef leaf0
= NULL
, leaf1
= NULL
;
114 isnt(leaf0
= SecCertificateCreateWithBytes(NULL
, _leaf0
, sizeof(_leaf0
)),
115 NULL
, "create leaf0");
116 isnt(leaf1
= SecCertificateCreateWithBytes(NULL
, _leaf1
, sizeof(_leaf1
)),
117 NULL
, "create leaf1");
119 is_status(SecCertificateGetiAuthVersion(leaf0
), kSeciAuthVersion2
, "v2 certificate");
120 is_status(SecCertificateGetiAuthVersion(leaf1
), kSeciAuthVersion2
, "v2 certificate");
121 is_status(SecCertificateGetiAuthVersion(v3leaf
), kSeciAuthVersion3
, "v3 certificate");
123 CFReleaseSafe(leaf0
);
124 CFReleaseSafe(leaf1
);
126 /* Test the extension-copying interface */
127 CFDataRef extensionData
= NULL
;
128 uint8_t extensionValue
[32] = {
129 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
130 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A,
132 ok(extensionData
= SecCertificateCopyiAPAuthCapabilities(v3leaf
),
133 "copy iAuthv3 extension data");
134 is(CFDataGetLength(extensionData
), 32, "compare expected size");
135 is(memcmp(extensionValue
, CFDataGetBytePtr(extensionData
), 32), 0,
136 "compare expected output");
137 CFReleaseNull(extensionData
);
139 /* Test extension-copying interface with a malformed extension. */
140 uint8_t extensionValue2
[32] = {
141 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
142 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
144 SecCertificateRef malformedV3leaf
= NULL
;
145 isnt(malformedV3leaf
= SecCertificateCreateWithBytes(NULL
, _malformedV3Leaf
, sizeof(_malformedV3Leaf
)),
146 NULL
, "create malformed v3 leaf");
147 ok(extensionData
= SecCertificateCopyiAPAuthCapabilities(malformedV3leaf
),
148 "copy iAuthv3 extension data for malformed leaf");
149 is(CFDataGetLength(extensionData
), 32, "compare expected size");
150 is(memcmp(extensionValue2
, CFDataGetBytePtr(extensionData
), 32), 0,
151 "compare expected output");
152 CFReleaseNull(extensionData
);
153 CFReleaseNull(malformedV3leaf
);
155 CFReleaseSafe(v3leaf
);
159 int si_22_sectrust_iap(int argc
, char *const *argv
)