]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si-20-sectrust.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.31.2.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-20-sectrust.c
1 /*
2 * Copyright (c) 2006-2010,2012-2015 Apple Inc. All Rights Reserved.
3 */
4
5 #include <CoreFoundation/CoreFoundation.h>
6 #include <Security/SecCertificate.h>
7 #include <Security/SecCertificatePriv.h>
8 #include <Security/SecPolicyPriv.h>
9 #include <Security/SecTrustPriv.h>
10 #include <Security/SecItem.h>
11 #include <utilities/array_size.h>
12 #include <utilities/SecCFWrappers.h>
13 #include <stdlib.h>
14 #include <unistd.h>
15
16 #if TARGET_OS_IPHONE
17 #include <Security/SecInternal.h>
18 #include <ipc/securityd_client.h>
19 #endif
20
21 #include "shared_regressions.h"
22 #include "si-20-sectrust.h"
23
24 /* Test SecTrust API. */
25 static void basic_tests(void)
26 {
27 SecTrustRef trust = NULL;
28 CFArrayRef _anchors = NULL, certs = NULL, anchors = NULL, replacementPolicies;
29 SecCertificateRef cert0 = NULL, cert1 = NULL, _root = NULL, cert_xedge2 = NULL, garthc2 = NULL;
30 SecPolicyRef policy = NULL, replacementPolicy = NULL, replacementPolicy2 = NULL;
31 CFDateRef date = NULL;
32 CFDataRef c0_serial = NULL, serial = NULL;
33 CFDictionaryRef query = NULL;
34
35 isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)),
36 NULL, "create cert0");
37 isnt(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)),
38 NULL, "create cert1");
39 const void *v_certs[] = {
40 cert0,
41 cert1
42 };
43 policy = SecPolicyCreateSSL(false, NULL);
44 certs = CFArrayCreate(NULL, v_certs,
45 array_size(v_certs), NULL);
46
47 /* SecTrustCreateWithCertificates failures. */
48 is_status(SecTrustCreateWithCertificates(kCFBooleanTrue, policy, &trust),
49 errSecParam, "create trust with boolean instead of cert");
50 is_status(SecTrustCreateWithCertificates(cert0, kCFBooleanTrue, &trust),
51 errSecParam, "create trust with boolean instead of policy");
52
53 /* SecTrustCreateWithCertificates using array of certs. */
54 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
55
56 /* NOTE: prior to <rdar://11810677 SecTrustGetCertificateCount would return 1 at this point.
57 * Now, however, we do an implicit SecTrustEvaluate to build the chain if it has not yet been
58 * evaluated, so we now expect the full chain length.
59 */
60 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
61 is(SecTrustGetCertificateAtIndex(trust, 0), cert0, "cert 0 is leaf");
62
63 /* Jul 30 2014. */
64 isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 30, 12, 0, 0),
65 NULL, "create verify date");
66 if (!date) { goto errOut; }
67 ok_status(SecTrustSetVerifyDate(trust, date), "set date");
68
69 SecTrustResultType trustResult;
70
71 #if TARGET_OS_IPHONE
72 SKIP: {
73 #ifdef NO_SERVER
74 skip("Can't fail to connect to securityd in NO_SERVER mode", 4, false);
75 #endif
76 // Test Restore OS environment
77 SecServerSetMachServiceName("com.apple.security.doesn't-exist");
78 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust without securityd running");
79 is_status(trustResult, kSecTrustResultInvalid, "trustResult is kSecTrustResultInvalid");
80 is(SecTrustGetCertificateCount(trust), 1, "cert count is 1 without securityd running");
81 SecKeyRef pubKey = NULL;
82 ok(pubKey = SecTrustCopyPublicKey(trust), "copy public key without securityd running");
83 CFReleaseNull(pubKey);
84 SecServerSetMachServiceName(NULL);
85 // End of Restore OS environment tests
86 }
87 #endif
88
89 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
90 is_status(trustResult, kSecTrustResultUnspecified,
91 "trustResult is kSecTrustResultUnspecified");
92
93 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
94
95 if (!cert0) { goto errOut; }
96 c0_serial = CFDataCreate(NULL, _c0_serial, sizeof(_c0_serial));
97 #if TARGET_OS_IPHONE
98 ok(serial = SecCertificateCopySerialNumber(cert0), "copy cert0 serial");
99 #else
100 CFErrorRef error = NULL;
101 ok(serial = SecCertificateCopySerialNumber(cert0, &error), "copy cert0 serial");
102 CFReleaseNull(error);
103 #endif
104 ok(CFEqual(c0_serial, serial), "serial matches");
105 CFReleaseNull(serial);
106 CFReleaseNull(c0_serial);
107
108 anchors = CFArrayCreate(NULL, (const void **)&cert1, 1, &kCFTypeArrayCallBacks);
109 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
110 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
111 is_status(trustResult, kSecTrustResultUnspecified,
112 "trust is kSecTrustResultUnspecified");
113 is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
114
115 CFReleaseNull(anchors);
116 anchors = CFArrayCreate(NULL, NULL, 0, NULL);
117 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set empty anchors list");
118 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
119 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
120 "trust is kSecTrustResultRecoverableTrustFailure");
121 CFReleaseNull(anchors);
122
123 ok_status(SecTrustSetAnchorCertificatesOnly(trust, false), "trust passed in anchors and system anchors");
124 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
125 is_status(trustResult, kSecTrustResultUnspecified,
126 "trust is kSecTrustResultUnspecified");
127
128 ok_status(SecTrustSetAnchorCertificatesOnly(trust, true), "only trust passed in anchors (default)");
129 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
130 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
131 "trust is kSecTrustResultRecoverableTrustFailure");
132
133 /* Test cert_1 intermediate from the keychain. */
134 CFReleaseNull(trust);
135 ok_status(SecTrustCreateWithCertificates(cert0, policy, &trust),
136 "create trust with single cert0");
137 ok_status(SecTrustSetVerifyDate(trust, date), "set date");
138
139 // Add cert1
140 query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
141 kSecClass, kSecClassCertificate, kSecValueRef, cert1, NULL);
142 ok_status(SecItemAdd(query, NULL), "add cert1 to keychain");
143 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
144 // Cleanup added cert1.
145 ok_status(SecItemDelete(query), "remove cert1 from keychain");
146 CFReleaseNull(query);
147 is_status(trustResult, kSecTrustResultUnspecified,
148 "trust is kSecTrustResultUnspecified");
149 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
150
151 /* Set certs to be the xedge2 leaf. */
152 CFReleaseNull(certs);
153 isnt(cert_xedge2 = SecCertificateCreateWithBytes(NULL, xedge2_certificate,
154 sizeof(xedge2_certificate)), NULL, "create cert_xedge2");
155 certs = CFArrayCreate(NULL, (const void **)&cert_xedge2, 1, NULL);
156
157 CFReleaseNull(trust);
158 CFReleaseNull(policy);
159 CFReleaseNull(date);
160 bool server = true;
161 policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
162 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
163 "create trust for ssl server xedge2.apple.com");
164
165 /* This test uses a cert whose root is no longer in our trust store,
166 * so we need to explicitly set it as a trusted anchor
167 */
168 isnt(_root = SecCertificateCreateWithBytes(NULL, entrust1024RootCA, sizeof(entrust1024RootCA)),
169 NULL, "create root");
170 const void *v_roots[] = { _root };
171 isnt(_anchors = CFArrayCreate(NULL, v_roots, array_size(v_roots), NULL),
172 NULL, "create anchors");
173 if (!_anchors) { goto errOut; }
174 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
175
176 /* Jan 1st 2009. */
177 date = CFDateCreate(NULL, 252288000.0);
178 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
179 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
180 is_status(trustResult, kSecTrustResultUnspecified,
181 "trust is kSecTrustResultUnspecified");
182
183 CFReleaseNull(trust);
184 CFReleaseNull(policy);
185 server = false;
186 policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
187 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
188 "create trust for ssl client xedge2.apple.com");
189 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
190 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
191 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
192 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
193 "trust is kSecTrustResultRecoverableTrustFailure");
194
195 CFReleaseNull(trust);
196 CFReleaseNull(policy);
197 server = true;
198 policy = SecPolicyCreateIPSec(server, CFSTR("xedge2.apple.com"));
199 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
200 "create trust for ip server xedge2.apple.com");
201 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
202 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
203 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
204 #if 0
205 /* Although this shouldn't be a valid ipsec cert, since we no longer
206 check for ekus in the ipsec policy it is. */
207 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
208 "trust is kSecTrustResultRecoverableTrustFailure");
209 #else
210 is_status(trustResult, kSecTrustResultUnspecified,
211 "trust is kSecTrustResultUnspecified");
212 #endif
213
214 CFReleaseNull(trust);
215 CFReleaseNull(policy);
216 server = true;
217 policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
218 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
219 "create trust for ssl server nowhere.com");
220 replacementPolicy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
221 SecTrustSetPolicies(trust, replacementPolicy);
222 CFReleaseNull(replacementPolicy);
223 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
224 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
225 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
226 is_status(trustResult, kSecTrustResultUnspecified,
227 "trust is kSecTrustResultUnspecified");
228
229 CFReleaseNull(trust);
230 CFReleaseNull(policy);
231 server = true;
232 policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
233 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
234 "create trust for ssl server nowhere.com");
235 replacementPolicy2 = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
236 replacementPolicies = CFArrayCreate(kCFAllocatorDefault, (CFTypeRef*)&replacementPolicy2, 1, &kCFTypeArrayCallBacks);
237 SecTrustSetPolicies(trust, replacementPolicies);
238 CFReleaseNull(replacementPolicy2);
239 CFReleaseNull(replacementPolicies);
240 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
241 ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
242 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
243 is_status(trustResult, kSecTrustResultUnspecified,
244 "trust is kSecTrustResultUnspecified");
245
246 /* Test self signed ssl cert with cert itself set as anchor. */
247 CFReleaseNull(trust);
248 CFReleaseNull(policy);
249 CFReleaseNull(certs);
250 CFReleaseNull(date);
251 server = true;
252 isnt(garthc2 = SecCertificateCreateWithBytes(NULL, garthc2_certificate,
253 sizeof(garthc2_certificate)), NULL, "create garthc2");
254 certs = CFArrayCreate(NULL, (const void **)&garthc2, 1, NULL);
255 policy = SecPolicyCreateSSL(server, CFSTR("garthc2.apple.com"));
256 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
257 "create trust for ip server garthc2.apple.com");
258 date = CFDateCreate(NULL, 269568000.0);
259 ok_status(SecTrustSetVerifyDate(trust, date),
260 "set garthc2 trust date to Aug 2009");
261 ok_status(SecTrustSetAnchorCertificates(trust, certs),
262 "set garthc2 as anchor");
263 ok_status(SecTrustEvaluate(trust, &trustResult),
264 "evaluate self signed cert with cert as anchor");
265 is_status(trustResult, kSecTrustResultUnspecified,
266 "trust is kSecTrustResultUnspecified");
267
268
269 errOut:
270 CFReleaseSafe(garthc2);
271 CFReleaseSafe(cert_xedge2);
272 CFReleaseSafe(anchors);
273 CFReleaseSafe(trust);
274 CFReleaseSafe(serial);
275 CFReleaseSafe(c0_serial);
276 CFReleaseSafe(policy);
277 CFReleaseSafe(certs);
278 CFReleaseSafe(cert0);
279 CFReleaseSafe(cert1);
280 CFReleaseSafe(date);
281
282 CFReleaseSafe(_root);
283 CFReleaseSafe(_anchors);
284 }
285
286 static void negative_integer_tests(void)
287 {
288 /* Test that we can handle and fix up negative integer value(s) in ECDSA signature */
289 const void *negIntSigLeaf;
290 isnt(negIntSigLeaf = SecCertificateCreateWithBytes(NULL, _leaf_NegativeIntInSig,
291 sizeof(_leaf_NegativeIntInSig)), NULL, "create negIntSigLeaf");
292 CFArrayRef certs = NULL;
293 isnt(certs = CFArrayCreate(NULL, &negIntSigLeaf, 1, NULL), NULL, "failed to create certs array");
294 SecPolicyRef policy = NULL;
295 isnt(policy = SecPolicyCreateiAP(), NULL, "failed to create policy");
296 SecTrustRef trust = NULL;
297 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
298 "create trust for negIntSigLeaf");
299
300 const void *rootAACA2;
301 isnt(rootAACA2 = SecCertificateCreateWithBytes(NULL, _root_AACA2,
302 sizeof(_root_AACA2)), NULL, "create rootAACA2");
303 CFArrayRef anchors = NULL;
304 isnt(anchors = CFArrayCreate(NULL, &rootAACA2, 1, NULL), NULL, "failed to create anchors array");
305 if (!anchors) { goto errOut; }
306 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor certificates");
307
308 SecTrustResultType trustResult;
309 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
310 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
311
312 errOut:
313 CFReleaseNull(trust);
314 CFReleaseNull(certs);
315 CFReleaseNull(anchors);
316 CFReleaseNull(negIntSigLeaf);
317 CFReleaseNull(rootAACA2);
318 CFReleaseNull(policy);
319 }
320
321 static void rsa8k_tests(void)
322 {
323 /* Test prt_forest_fi that have a 8k RSA key */
324 const void *prt_forest_fi;
325 isnt(prt_forest_fi = SecCertificateCreateWithBytes(NULL, prt_forest_fi_certificate,
326 sizeof(prt_forest_fi_certificate)), NULL, "create prt_forest_fi");
327 CFArrayRef certs = NULL;
328 isnt(certs = CFArrayCreate(NULL, &prt_forest_fi, 1, NULL), NULL, "failed to create cert array");
329 SecPolicyRef policy = NULL;
330 isnt(policy = SecPolicyCreateSSL(false, CFSTR("owa.prt-forest.fi")), NULL, "failed to create policy");
331 SecTrustRef trust = NULL;
332 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
333 "create trust for ip client owa.prt-forest.fi");
334 CFDateRef date = CFDateCreate(NULL, 391578321.0);
335 ok_status(SecTrustSetVerifyDate(trust, date),
336 "set owa.prt-forest.fi trust date to May 2013");
337
338 SecKeyRef pubkey = SecTrustCopyPublicKey(trust);
339 isnt(pubkey, NULL, "pubkey returned");
340
341 CFReleaseNull(certs);
342 CFReleaseNull(prt_forest_fi);
343 CFReleaseNull(policy);
344 CFReleaseNull(trust);
345 CFReleaseNull(pubkey);
346 CFReleaseNull(date);
347 }
348
349 static void date_tests(void)
350 {
351 /* Test long-lived cert chain that expires in 9999 */
352 CFDateRef date = NULL;
353 const void *leaf, *root;
354 isnt(leaf = SecCertificateCreateWithBytes(NULL, longleaf, sizeof(longleaf)), NULL, "create leaf");
355 isnt(root = SecCertificateCreateWithBytes(NULL, longroot, sizeof(longroot)), NULL, "create root");
356
357 CFArrayRef certs = NULL;
358 isnt(certs = CFArrayCreate(NULL, &leaf, 1, NULL), NULL, "failed to create cert array");
359 CFArrayRef anchors = NULL;
360 isnt(anchors = CFArrayCreate(NULL, &root, 1, NULL), NULL, "failed to create anchors array");
361
362 SecPolicyRef policy = NULL;
363 isnt(policy = SecPolicyCreateBasicX509(), NULL, "failed to create policy");
364 SecTrustRef trust = NULL;
365 SecTrustResultType trustResult;
366 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
367 if (!anchors) { goto errOut; }
368 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
369
370 /* September 4, 2013 (prior to "notBefore" date of 2 April 2014, should fail) */
371 isnt(date = CFDateCreate(NULL, 400000000), NULL, "failed to create date");
372 if (!date) { goto errOut; }
373 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 23 Sep 2013");
374 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 23 Sep 2013");
375 is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure");
376 CFReleaseNull(date);
377
378 /* January 17, 2016 (recent date within validity period, should succeed) */
379 isnt(date = CFDateCreate(NULL, 474747474), NULL, "failed to create date");
380 if (!date) { goto errOut; }
381 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 17 Jan 2016");
382 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 17 Jan 2016");
383 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
384 CFReleaseNull(date);
385
386 /* December 20, 9999 (far-future date within validity period, should succeed) */
387 isnt(date = CFDateCreate(NULL, 252423000000), NULL, "failed to create date");
388 if (!date) { goto errOut; }
389 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 20 Dec 9999");
390 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 20 Dec 9999");
391 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
392 CFReleaseNull(date);
393
394 /* January 12, 10000 (after the "notAfter" date of 31 Dec 9999, should fail) */
395 isnt(date = CFDateCreate(NULL, 252425000000), NULL, "failed to create date");
396 if (!date) { goto errOut; }
397 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 12 Jan 10000");
398 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 12 Jan 10000");
399 is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure");
400 CFReleaseNull(date);
401
402 errOut:
403 CFReleaseNull(trust);
404 CFReleaseNull(policy);
405 CFReleaseNull(anchors);
406 CFReleaseNull(certs);
407 CFReleaseNull(root);
408 CFReleaseNull(leaf);
409 }
410
411 static bool test_chain_of_three(uint8_t *cert0, size_t cert0len,
412 uint8_t *cert1, size_t cert1len,
413 uint8_t *root, size_t rootlen,
414 bool should_succeed, CF_RETURNS_RETAINED CFStringRef *failureReason)
415 {
416 bool ok = false;
417
418 const void *secCert0, *secCert1, *secRoot;
419 isnt(secCert0 = SecCertificateCreateWithBytes(NULL, cert0, cert0len), NULL, "create leaf");
420 isnt(secCert1 = SecCertificateCreateWithBytes(NULL, cert1, cert1len), NULL, "create subCA");
421 isnt(secRoot = SecCertificateCreateWithBytes(NULL, root, rootlen), NULL, "create root");
422
423 const void *v_certs[] = { secCert0, secCert1 };
424 CFArrayRef certs = NULL;
425 isnt(certs = CFArrayCreate(NULL, v_certs, sizeof(v_certs)/sizeof(*v_certs), NULL),
426 NULL, "failed to create cert array");
427 CFArrayRef anchors = NULL;
428 isnt(anchors = CFArrayCreate(NULL, &secRoot, 1, NULL), NULL, "failed to create anchors array");
429
430 SecPolicyRef policy = NULL;
431 isnt(policy = SecPolicyCreateBasicX509(), NULL, "failed to create policy");
432 CFDateRef date = NULL;
433 isnt(date = CFDateCreate(NULL, 472100000.0), NULL, "failed to create date"); // 17 Dec 2015
434
435 SecTrustRef trust = NULL;
436 SecTrustResultType trustResult;
437 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust");
438 if (!date) { goto errOut; }
439 ok_status(SecTrustSetVerifyDate(trust, date), "failed to set verify date");
440 if (!anchors) { goto errOut; }
441 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "failed to set anchors");
442
443 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate chain");
444 is(SecTrustGetCertificateCount(trust), 3, "expected chain of 3");
445 bool did_succeed = (trustResult == kSecTrustResultUnspecified);
446
447 if (failureReason && should_succeed && !did_succeed) {
448 *failureReason = SecTrustCopyFailureDescription(trust);
449 } else if (failureReason && !should_succeed && did_succeed) {
450 *failureReason = CFSTR("expected kSecTrustResultRecoverableTrustFailure");
451 }
452
453 if ((should_succeed && did_succeed) || (!should_succeed && !did_succeed)) {
454 ok = true;
455 }
456
457 errOut:
458 CFReleaseNull(secCert0);
459 CFReleaseNull(secCert1);
460 CFReleaseNull(secRoot);
461 CFReleaseNull(certs);
462 CFReleaseNull(anchors);
463 CFReleaseNull(date);
464 CFReleaseNull(policy);
465 CFReleaseNull(trust);
466
467 return ok;
468 }
469
470 static void rsa_key_size_tests() {
471
472 ok(test_chain_of_three(_leaf2048A, sizeof(_leaf2048A),_int2048A, sizeof(_int2048A), _root512, sizeof(_root512),
473 false, NULL), "SECURITY: failed to detect weak root");
474 ok(test_chain_of_three(_leaf2048B, sizeof(_leaf2048B), _int512, sizeof(_int512), _root2048, sizeof(_root2048),
475 false, NULL), "SECURITY: failed to detect weak intermediate");
476 ok(test_chain_of_three(_leaf512, sizeof(_leaf512), _int2048B, sizeof(_int2048B), _root2048, sizeof(_root2048),
477 false, NULL), "SECURITY: failed to detect weak leaf");
478
479 CFStringRef failureReason = NULL;
480 ok(test_chain_of_three(_leaf1024, sizeof(_leaf1024), _int2048B, sizeof(_int2048B), _root2048, sizeof(_root2048),
481 true, &failureReason), "REGRESSION: key size test 1024-bit leaf: %@", failureReason);
482 CFReleaseNull(failureReason);
483 ok(test_chain_of_three(_leaf2048C, sizeof(_leaf2048C), _int2048B, sizeof(_int2048B), _root2048, sizeof(_root2048),
484 true, &failureReason), "REGRESSION: key size test 2048-bit leaf: %@", failureReason);
485 CFReleaseNull(failureReason);
486
487 }
488
489 static void ec_key_size_tests() {
490
491 /* Because CoreCrypto does not support P128, we fail to chain if any CAs use weakly sized curves */
492 ok(test_chain_of_three(_leaf128, sizeof(_leaf128), _int384B, sizeof(_int384B), _root384, sizeof(_root384),
493 false, NULL), "SECURITY: failed to detect weak leaf");
494
495 CFStringRef failureReason = NULL;
496 ok(test_chain_of_three(_leaf192, sizeof(_leaf192), _int384B, sizeof(_int384B), _root384, sizeof(_root384),
497 true, &failureReason), "REGRESSION: key size test 192-bit leaf: %@", failureReason);
498 CFReleaseNull(failureReason);
499 ok(test_chain_of_three(_leaf384C, sizeof(_leaf384C), _int384B, sizeof(_int384B), _root384, sizeof(_root384),
500 true, &failureReason), "REGRESSION: key size test 384-bit leaf: %@", failureReason);
501 CFReleaseNull(failureReason);
502
503 }
504
505 int si_20_sectrust(int argc, char *const *argv)
506 {
507 #if TARGET_OS_IPHONE
508 plan_tests(101+9+(8*13));
509 #else
510 plan_tests(97+9+(8*13));
511 #endif
512
513 basic_tests();
514 negative_integer_tests();
515 rsa8k_tests();
516 date_tests();
517 rsa_key_size_tests();
518 ec_key_size_tests();
519
520 return 0;
521 }
mirror of Security