2 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the xLicense.
21 * @APPLE_LICENSE_HEADER_END@
24 #import <Security/Security.h>
25 #import <Security/SecCertificatePriv.h>
27 #include "keychain_regressions.h"
28 #include "kc-helpers.h"
29 #include "kc-item-helpers.h"
30 #include "kc-key-helpers.h"
34 SecKeychainRef kc
= getPopulatedTestKeychain();
36 CFMutableDictionaryRef query
= NULL
;
37 SecKeychainItemRef item
= NULL
;
39 // Perform keychain upgrade so future calls will check integrity, then lock keychain
40 query
= makeQueryCustomItemDictionaryWithService(kc
, kSecClassInternetPassword
, CFSTR("test_service"), CFSTR("test_service"));
41 item
= checkN(testName
, query
, 1);
43 ok_status(SecKeychainLock(kc
), "%s: SecKeychainLock", testName
);
46 query
= makeQueryCustomItemDictionaryWithService(kc
, kSecClassInternetPassword
, CFSTR("test_service"), CFSTR("test_service"));
47 item
= checkN(testName
, query
, 1);
48 readPasswordContentsWithResult(item
, errSecAuthFailed
, NULL
); // keychain is locked; AuthFailed is what securityd throws if UI access is not allowed
50 checkPrompts(0, "after reading a password in locked keychain without UI"); // this should be 1, but is 0 due to how denying UI access works in Credentials
52 query
= makeQueryCustomItemDictionaryWithService(kc
, kSecClassInternetPassword
, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl"));
53 item
= checkN(testName
, query
, 1);
54 readPasswordContentsWithResult(item
, errSecAuthFailed
, NULL
);
56 checkPrompts(0, "trying to read password in locked keychain without UI");
58 query
= makeQueryCustomItemDictionaryWithService(kc
, kSecClassGenericPassword
, CFSTR("test_service"), CFSTR("test_service"));
59 item
= checkN(testName
, query
, 1);
60 readPasswordContentsWithResult(item
, errSecAuthFailed
, NULL
); // keychain is locked
62 checkPrompts(0, "after reading a password in locked keychain without UI");
64 query
= makeQueryCustomItemDictionaryWithService(kc
, kSecClassGenericPassword
, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl"));
65 item
= checkN(testName
, query
, 1);
66 readPasswordContentsWithResult(item
, errSecAuthFailed
, NULL
); // we don't expect to be able to read this
68 checkPrompts(0, "trying to read password in locked keychain without UI");
70 // Find symmetric keys
71 query
= makeQueryKeyDictionary(kc
, kSecAttrKeyClassSymmetric
);
72 item
= checkN(testName
, query
, 2);
75 // Find asymmetric keys
76 query
= makeQueryKeyDictionary(kc
, kSecAttrKeyClassPublic
);
77 item
= checkN(testName
, query
, 2);
80 query
= makeQueryKeyDictionary(kc
, kSecAttrKeyClassPrivate
);
81 item
= checkN(testName
, query
, 2);
85 query
= makeBaseQueryDictionary(kc
, kSecClassCertificate
);
86 item
= checkN(testName
, query
, 3);
89 // ensure we can pull data from a certificate
90 query
= makeBaseQueryDictionary(kc
, kSecClassCertificate
);
91 CFDictionarySetValue(query
, kSecMatchSubjectWholeString
, CFSTR("test_codesigning"));
92 item
= checkN(testName
, query
, 1);
93 const unsigned char expectedSHA1
[] = { 0x94, 0xdf, 0x22, 0x4a, 0x4d, 0x49, 0x33, 0x27, 0x9e, 0xc5, 0x7e, 0x91, 0x95, 0xcc, 0xbd, 0x51, 0x3d, 0x59, 0xae, 0x34 };
94 CFDataRef expectedSHAData
= CFDataCreateWithBytesNoCopy(NULL
, expectedSHA1
, sizeof(expectedSHA1
), kCFAllocatorNull
);
95 eq_cf(SecCertificateGetSHA1Digest((SecCertificateRef
) item
), expectedSHAData
, "%s: expected SHA1 of certificate does not match", testName
);
97 CFReleaseNull(expectedSHAData
);
99 checkPrompts(0, "searching keys and certificates");
101 ok_status(SecKeychainDelete(kc
), "%s: SecKeychainDelete", testName
);
104 #define nTests (getPopulatedTestKeychainTests + checkNTests + 1 + \
105 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
106 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
107 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
108 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
114 checkPromptsTests + 1)
116 int kc_05_find_existing_items_locked(int argc
, char *const *argv
)
119 initializeKeychainTests(__FUNCTION__
);