/*
 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 */
24
25 #include <AssertMacros.h>
26 #import <XCTest/XCTest.h>
27 #include "OSX/utilities/SecCFWrappers.h"
28 #include <Security/SecCertificatePriv.h>
29 #include <Security/SecPolicy.h>
30 #include <Security/SecTrust.h>
31 #include <Security/SecTrustSettings.h>
32
33 #import "TrustEvaluationTestCase.h"
34 #include "../TestMacroConversions.h"
35 #include "VerifyDateTests_data.h"
36
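@interface VerifyDateTests : TrustEvaluationTestCase
@end

@implementation VerifyDateTests
/* Test long-lived cert chain that expires in 9999.
 *
 * The chain is built once for the whole class; every test shares `trust` and only
 * changes the verify date before evaluating it. */

static SecTrustRef trust = nil;

/// Builds the shared trust object: the long-lived leaf anchored to its root.
///
/// XCTAssert cannot be used from a class-level setUp (there is no test instance to
/// record against), so fixture failures are reported through NSAssert and `trust`
/// is left NULL instead of crashing on a nil element in the anchors literal.
+ (void)setUp {
    [super setUp];
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, longleaf, sizeof(longleaf));
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, longroot, sizeof(longroot));

    if (leaf == NULL || root == NULL) {
        NSAssert(NO, @"failed to parse long-lived test certificates");
    } else {
        NSArray *anchors = @[(__bridge id)root];
        // Check the status: an unchecked failure here leaves `trust` NULL and every test
        // then fails on "set trust date" instead of reporting the real cause.
        OSStatus status = SecTrustCreateWithCertificates(leaf, NULL, &trust);
        NSAssert(status == errSecSuccess, @"SecTrustCreateWithCertificates failed: %d", (int)status);
        if (status == errSecSuccess) {
            status = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
            NSAssert(status == errSecSuccess, @"SecTrustSetAnchorCertificates failed: %d", (int)status);
        }
    }
    CFReleaseNull(leaf);
    CFReleaseNull(root);
}

/// Releases the shared trust object, then lets the superclass tear down.
+ (void)tearDown {
    CFReleaseNull(trust);
    [super tearDown];
}

/// A verify date before the leaf's notBefore must be rejected.
- (void)testPriorToNotBefore {
    CFDateRef date = NULL;
    /* September 4, 2013 (prior to "notBefore" date of 2 April 2014, should fail) */
    isnt(date = CFDateCreate(NULL, 400000000), NULL, "failed to create date");
    ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 4 Sep 2013");
    XCTAssertFalse(SecTrustEvaluateWithError(trust, NULL), "evaluate trust on 4 Sep 2013 and expect failure");
    CFReleaseNull(date);
}

/// A recent verify date inside the validity period must be accepted.
- (void)testRecentWithinValidity {
    CFDateRef date = NULL;
    /* January 17, 2016 (recent date within validity period, should succeed) */
    isnt(date = CFDateCreate(NULL, 474747474), NULL, "failed to create date");
    ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 17 Jan 2016");
    XCTAssert(SecTrustEvaluateWithError(trust, NULL), "evaluate trust on 17 Jan 2016 and expect success");
    CFReleaseNull(date);
}

/// A far-future verify date that is still inside the validity period must be
/// accepted; this exercises date handling close to the year-9999 boundary.
- (void)testFarFutureWithinValidity {
    CFDateRef date = NULL;
    /* December 20, 9999 (far-future date within validity period, should succeed) */
    isnt(date = CFDateCreate(NULL, 252423000000), NULL, "failed to create date");
    ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 20 Dec 9999");
    XCTAssert(SecTrustEvaluateWithError(trust, NULL), "evaluate trust on 20 Dec 9999 and expect success");
    CFReleaseNull(date);
}

/// A verify date after the leaf's notAfter must be rejected, even past year 9999.
- (void)testAfterNotAfter {
    CFDateRef date = NULL;
    /* January 12, 10000 (after the "notAfter" date of 31 Dec 9999, should fail) */
    isnt(date = CFDateCreate(NULL, 252425000000), NULL, "failed to create date");
    ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 12 Jan 10000");
    XCTAssertFalse(SecTrustEvaluateWithError(trust, NULL), "evaluate trust on 12 Jan 10000 and expect failure");
    CFReleaseNull(date);
}

@end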
98
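@interface ValidityPeriodRestrictionTests : TrustEvaluationTestCase
@end

@implementation ValidityPeriodRestrictionTests
// Note that the dates described in the test names are the issuance date not the VerifyDate.
//
// These tests pin the maximum validity period accepted for TLS server certificates.
// The limit depends on when the leaf was issued and on how its root is trusted
// (system root, app-supplied anchor, or user trust settings); the policy itself
// lives in the trust evaluation code under test, the expectations here only record it.

#pragma mark - Helpers

/// Parses a DER-encoded test certificate.
///
/// Records a test failure when parsing fails so the root cause is visible before an
/// `@[]` literal throws on the NULL element.
/// @param bytes  DER bytes of the certificate.
/// @param length Number of bytes.
/// @return A +1 certificate reference the caller must release, or NULL on failure.
- (SecCertificateRef)createCertificateWithBytes:(const UInt8 *)bytes length:(CFIndex)length
{
    SecCertificateRef certificate = SecCertificateCreateWithBytes(NULL, bytes, length);
    XCTAssertTrue(certificate != NULL, "failed to parse test certificate");
    return certificate;
}

/// Evaluates `certs` against the SSL server policy for "example.com" at `time`.
///
/// @param certs   Leaf first, followed by any further chain certificates.
/// @param anchors Certificates to trust as anchors for this evaluation, or nil to
///                rely on the system store and user trust settings.
/// @param time    Verify date, in seconds since the Core Foundation reference date.
/// @param error   On an evaluation failure, receives the error when one was produced.
///                Setup failures (the require_noerr checks) return NO without setting it.
/// @return YES if the chain was trusted at `time`, NO otherwise.
- (BOOL)runTrustEvaluation:(NSArray *)certs anchors:(NSArray *)anchors verifyTime:(NSTimeInterval)time error:(NSError **)error
{
    SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    NSDate *date = [NSDate dateWithTimeIntervalSinceReferenceDate:time];
    SecTrustRef trustRef = NULL;
    BOOL result = NO;
    CFErrorRef cferror = NULL;

    // Without the SSL policy the evaluation would not exercise the validity-period
    // rules these tests exist for, so a missing policy is a setup failure, not a pass.
    require(policy != NULL, errOut);
    require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trustRef), errOut);
    require_noerr(SecTrustSetVerifyDate(trustRef, (__bridge CFDateRef)date), errOut);

    if (anchors) {
        require_noerr(SecTrustSetAnchorCertificates(trustRef, (__bridge CFArrayRef)anchors), errOut);
    }

    result = SecTrustEvaluateWithError(trustRef, &cferror);
    if (error && cferror) {
        // __bridge transfers no ownership; assigning to the out-parameter retains the
        // NSError under ARC, so the CFReleaseNull below does not leave it dangling.
        *error = (__bridge NSError *)cferror;
    }

errOut:
    CFReleaseNull(policy);
    CFReleaseNull(trustRef);
    CFReleaseNull(cferror);
    return result;
}

/// Convenience wrapper with the verify date fixed at 12 September 2019.
/// NOTE(review): presumably chosen to sit after the 1 Jul 2019 cutoff named in the
/// 825-day tests and before the 1 Sept 2020 cutoff of the 398-day tests — confirm.
- (BOOL)runTrustEvaluation:(NSArray *)certs anchors:(NSArray *)anchors error:(NSError **)error
{
    return [self runTrustEvaluation:certs anchors:anchors verifyTime:590000000.0 error:error]; // September 12, 2019 at 9:53:20 AM PDT
}

#pragma mark - System-trusted root

/// A 66-month leaf under a system root is rejected regardless of issuance date.
- (void)testSystemTrust_MoreThan5Years
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_66Months length:sizeof(_testLeaf_66Months)];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "system-trusted 66 month cert succeeded");

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// A 5-year leaf issued before 1 July 2016 is still accepted under a system root.
- (void)testSystemTrust_LessThan5Years_BeforeJul2016
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_5Years length:sizeof(_testLeaf_5Years)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                  "system-trusted 5 year cert issued before 1 July 2016 failed: %@", error);

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// A 4-year leaf issued after 1 July 2016 exceeds the 39-month limit and is rejected.
- (void)testSystemTrust_MoreThan39Months_AfterJul2016
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_4Years length:sizeof(_testLeaf_4Years)];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "system-trusted 4 year cert issued after 1 July 2016 succeeded");

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// A 39-month leaf issued before 1 March 2018 is accepted under a system root.
- (void)testSystemTrust_LessThan39Months_BeforeMar2018
{
    // This cert should be valid
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_39Months length:sizeof(_testLeaf_39Months)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                  "system-trusted 39 month cert issued before 1 Mar 2018 failed: %@", error);

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// A 3-year leaf issued after 1 March 2018 exceeds the 825-day limit and is rejected.
- (void)testSystemTrust_MoreThan825Days_AfterMar2018
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_3Years length:sizeof(_testLeaf_3Years)];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "system-trusted 3 year cert issued after 1 Mar 2018 succeeded");

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// An 825-day leaf issued after 1 March 2018 sits exactly at the limit and is accepted.
- (void)testSystemTrust_LessThan825Days_AfterMar2018
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_825Days length:sizeof(_testLeaf_825Days)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                  "system-trusted 825 day cert issued after 1 Mar 2018 failed: %@", error);

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// A 2-year leaf issued after 1 September 2020 exceeds the 398-day limit and is
/// rejected. The verify date is moved to September 2020 so the leaf is otherwise
/// within its validity period.
- (void)testSystemTrust_MoreThan398Days_AfterSep2020
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_2Years length:sizeof(_testLeaf_2Years)];

    NSError *error = nil;
    // The assertion expects failure, so the message describes the unexpected success.
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf]
                                    anchors:@[(__bridge id)root]
                                 verifyTime:621000000.0 // September 5, 2020 at 5:00:00 AM PDT
                                      error:&error],
                   "system-trusted 2 year cert issued after 1 Sept 2020 succeeded");

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// A 398-day leaf issued after 1 September 2020 sits exactly at the limit and is accepted.
- (void)testSystemTrust_398Days_AfterSep2020
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_398Days length:sizeof(_testLeaf_398Days)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf]
                                   anchors:@[(__bridge id)root]
                                verifyTime:621000000.0 // September 5, 2020 at 5:00:00 AM PDT
                                     error:&error],
                  "system-trusted 398 day cert issued after 1 Sept 2020 failed: %@", error);

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

#pragma mark - App-supplied anchors

/// Root passed as an app anchor: a 3-year leaf issued after 1 July 2019 is rejected.
- (void)testAppTrustRoot_MoreThan825Days_AfterJul2019
{
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_3Years length:sizeof(_testLeaf_3Years)];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "app-trusted (root) 3 year cert issued after 1 Jul 2019 succeeded");

    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// Root passed as an app anchor: a 66-month leaf issued before 1 July 2019 is accepted.
- (void)testAppTrustRoot_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_66Months length:sizeof(_testLeaf_66Months)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                  "app-trusted (root) 66 month cert issued before 1 Jul 2019 failed: %@", error);

    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// Root passed as an app anchor: an 825-day leaf issued after 1 July 2019 is accepted.
- (void)testAppTrustRoot_LessThan825Days_AfterJul2019
{
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_825Days length:sizeof(_testLeaf_825Days)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                  "app-trusted (root) 825 day cert issued after 1 Jul 2019 failed: %@", error);

    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// Leaf itself passed as the app anchor: a 3-year leaf issued after 1 July 2019 is rejected.
- (void)testAppTrustLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_3Years length:sizeof(_testLeaf_3Years)];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)leaf] error:&error],
                   "app-trusted 3 year cert issued after 1 Jul 2019 succeeded");

    CFReleaseNull(leaf);
}

/// Leaf itself passed as the app anchor: a 66-month leaf issued before 1 July 2019 is accepted.
- (void)testAppTrustLeaf_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_66Months length:sizeof(_testLeaf_66Months)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)leaf] error:&error],
                  "app-trusted 66 month cert issued before 1 Jul 2019 failed: %@", error);

    CFReleaseNull(leaf);
}

/// Leaf itself passed as the app anchor: an 825-day leaf issued after 1 July 2019 is accepted.
- (void)testAppTrustLeaf_LessThan825Days_AfterJul2019
{
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_825Days length:sizeof(_testLeaf_825Days)];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)leaf] error:&error],
                  "app-trusted 825 day cert issued after 1 Jul 2019 failed: %@", error);

    CFReleaseNull(leaf);
}

#pragma mark - User trust settings

#if !TARGET_OS_BRIDGE // bridgeOS doesn't have trust settings
/// Root trusted via user trust settings: a 3-year leaf issued after 1 July 2019 is rejected.
/// The root is supplied in `certs` (no explicit anchors) so the chain completes through
/// the trust settings alone.
- (void)testUserTrustRoot_MoreThan825Days_AfterJul2019
{
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_3Years length:sizeof(_testLeaf_3Years)];
    id persistentRef = [self addTrustSettingsForCert:root];
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:certs anchors:nil error:&error],
                   "user-trusted (root) 3 year cert issued after 1 Jul 2019 succeeded");

    [self removeTrustSettingsForCert:root persistentRef:persistentRef];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// Root trusted via user trust settings: a 66-month leaf issued before 1 July 2019 is accepted.
- (void)testUserTrustRoot_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_66Months length:sizeof(_testLeaf_66Months)];
    id persistentRef = [self addTrustSettingsForCert:root];
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:certs anchors:nil error:&error],
                  "user-trusted (root) 66 month cert issued before 1 Jul 2019 failed: %@", error);

    [self removeTrustSettingsForCert:root persistentRef:persistentRef];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// Root trusted via user trust settings: an 825-day leaf issued after 1 July 2019 is accepted.
- (void)testUserTrustRoot_LessThan825Days_AfterJul2019
{
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_825Days length:sizeof(_testLeaf_825Days)];
    id persistentRef = [self addTrustSettingsForCert:root];
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];

    NSError *error = nil;
    // Message names the user-trust case under test (it previously read "app-trusted").
    XCTAssertTrue([self runTrustEvaluation:certs anchors:nil error:&error],
                  "user-trusted (root) 825 day cert issued after 1 Jul 2019 failed: %@", error);

    [self removeTrustSettingsForCert:root persistentRef:persistentRef];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}

/// Leaf trusted directly via user trust settings: a 3-year leaf issued after 1 July 2019
/// is accepted — the expectation recorded here is that an explicit user decision on the
/// leaf is not subject to the lifetime limit.
- (void)testUserTrustLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_3Years length:sizeof(_testLeaf_3Years)];
    id persistentRef = [self addTrustSettingsForCert:leaf];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error],
                  "user-trusted leaf 3 year cert issued after 1 Jul 2019 failed: %@", error);

    [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
    CFReleaseNull(leaf);
}

/// Leaf trusted directly via user trust settings: a 66-month leaf issued before 1 July 2019 is accepted.
- (void)testUserTrustLeaf_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_66Months length:sizeof(_testLeaf_66Months)];
    id persistentRef = [self addTrustSettingsForCert:leaf];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error],
                  "user-trusted leaf 66 month cert issued before 1 Jul 2019 failed: %@", error);

    [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
    CFReleaseNull(leaf);
}

/// Leaf trusted directly via user trust settings: an 825-day leaf issued after 1 July 2019 is accepted.
- (void)testUserTrustLeaf_LessThan825Days_AfterJul2019
{
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_825Days length:sizeof(_testLeaf_825Days)];
    id persistentRef = [self addTrustSettingsForCert:leaf];

    NSError *error = nil;
    XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error],
                  "user-trusted leaf 825 day cert issued after 1 Jul 2019 failed: %@", error);

    [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
    CFReleaseNull(leaf);
}

/// Leaf explicitly denied via user trust settings: rejected regardless of lifetime rules.
- (void)testUserDistrustLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_3Years length:sizeof(_testLeaf_3Years)];
    id persistentRef = [self addTrustSettingsForCert:leaf
                                       trustSettings:@{ (__bridge NSString *)kSecTrustSettingsResult: @(kSecTrustSettingsResultDeny) }];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error],
                   "user-denied leaf 3 year cert issued after 1 Jul 2019 succeeded");

    [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
    CFReleaseNull(leaf);
}

/// Leaf with an "unspecified" user trust setting: that setting grants nothing, so the
/// 3-year leaf issued after 1 July 2019 is rejected under the app-supplied root as usual.
- (void)testUserUnspecifiedLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef root = [self createCertificateWithBytes:_testValidityPeriodsRoot length:sizeof(_testValidityPeriodsRoot)];
    SecCertificateRef leaf = [self createCertificateWithBytes:_testLeaf_3Years length:sizeof(_testLeaf_3Years)];
    id persistentRef = [self addTrustSettingsForCert:leaf
                                       trustSettings:@{ (__bridge NSString *)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified) }];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "user-unspecified trust leaf 3 year cert issued after 1 Jul 2019 succeeded");

    [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
    CFReleaseNull(leaf);
    CFReleaseNull(root);
}
#endif // !TARGET_OS_BRIDGE

@end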