1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 #include <AssertMacros.h>
26 #import <XCTest/XCTest.h>
27 #include <Security/SecCertificatePriv.h>
28 #include <Security/SecPolicyPriv.h>
29 #include <utilities/SecCFRelease.h>
30 #include <Security/SecTrustSettings.h>
31
32 #include "TrustEvaluationTestCase.h"
33 #include "../TestMacroConversions.h"
34 #include "SignatureAlgorithmTests_data.h"
35
/// Trust-evaluation tests for certificate signature algorithms (MD5, SHA-1, SHA-2).
/// Each chain is evaluated under the SSL server, SSL client, EAP and (for SHA-1)
/// legacy-SSL policies, with the chain trusted via app-supplied anchors, the
/// system trust store, or trust settings; the assertions record which
/// combinations are expected to be accepted and which rejected.
@interface SignatureAlgorithmTests : TrustEvaluationTestCase
@end
38
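@implementation SignatureAlgorithmTests

// Verification dates used by the SHA-1/SHA-2 tests, in seconds since the
// CF reference date (2001-01-01 00:00:00 UTC). Named so the same instant is
// not repeated as a bare literal in every test.
static const NSTimeInterval kVerifyDateNov2016 = 500000000.0;  // November 4, 2016 at 5:53:20 PM PDT
static const NSTimeInterval kVerifyDateApr2019 = 578000000.0;  // April 26, 2019 at 12:33:20 PM PDT

#pragma mark - MD5

/// An MD5-signed certificate evaluated as its own trusted anchor.
/// Expected: evaluation succeeds and no CFError is produced, because the
/// certificate is the anchor itself (rdar://39152516).
- (void)testMD5Root {
    SecCertificateRef md5_root = NULL;
    SecTrustRef trust = NULL;
    CFArrayRef anchors = NULL;
    CFDateRef verifyDate = NULL;
    CFErrorRef error = NULL;

    require_action(md5_root = SecCertificateCreateWithBytes(NULL, _md5_root, sizeof(_md5_root)), errOut,
                   fail("failed to create md5 root cert"));

    require_action(anchors = CFArrayCreate(NULL, (const void **)&md5_root, 1, &kCFTypeArrayCallBacks), errOut,
                   fail("failed to create anchors array"));
    // 550600000 seconds after the CF reference date is June 13, 2018.
    require_action(verifyDate = CFDateCreate(NULL, 550600000), errOut, fail("failed to make verification date"));

    /* Test self-signed MD5 cert. Should work since cert is a trusted anchor - rdar://39152516 */
    require_noerr_action(SecTrustCreateWithCertificates(md5_root, NULL, &trust), errOut,
                         fail("failed to create trust object"));
    require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut,
                         fail("failed to set anchors"));
    require_noerr_action(SecTrustSetVerifyDate(trust, verifyDate), errOut,
                         fail("failed to set verify date"));
    ok(SecTrustEvaluateWithError(trust, &error), "self-signed MD5 cert failed");
    is(error, NULL, "got a trust error for self-signed MD5 cert: %@", error);

errOut:
    // Every ref starts out NULL, so releasing on the early-exit path is safe.
    CFReleaseNull(error);
    CFReleaseNull(trust);
    CFReleaseNull(anchors);
    CFReleaseNull(verifyDate);
    CFReleaseNull(md5_root);
}

/// An MD5-signed leaf chaining to a SHA-256 anchor.
/// Expected: evaluation fails and the CFError carries errSecInvalidDigestAlgorithm.
/// The `else` branch catches the case where evaluation returns false but
/// reports no error at all.
- (void)testMD5Leaf {
    SecCertificateRef md5_leaf = NULL, sha256_root = NULL;
    SecTrustRef trust = NULL;
    CFArrayRef anchors = NULL;
    CFDateRef verifyDate = NULL;
    CFErrorRef error = NULL;

    require_action(md5_leaf = SecCertificateCreateWithBytes(NULL, _md5_leaf, sizeof(_md5_leaf)), errOut,
                   fail("failed to create md5 leaf cert"));
    require_action(sha256_root = SecCertificateCreateWithBytes(NULL, _sha256_root, sizeof(_sha256_root)), errOut,
                   fail("failed to create sha256 root cert"));

    require_action(anchors = CFArrayCreate(NULL, (const void **)&sha256_root, 1, &kCFTypeArrayCallBacks), errOut,
                   fail("failed to create anchors array"));
    // 550600000 seconds after the CF reference date is June 13, 2018.
    require_action(verifyDate = CFDateCreate(NULL, 550600000), errOut, fail("failed to make verification date"));

    /* Test non-self-signed MD5 cert. Should fail. */
    require_noerr_action(SecTrustCreateWithCertificates(md5_leaf, NULL, &trust), errOut,
                         fail("failed to create trust object"));
    require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut,
                         fail("failed to set anchors"));
    require_noerr_action(SecTrustSetVerifyDate(trust, verifyDate), errOut,
                         fail("failed to set verify date"));
    is(SecTrustEvaluateWithError(trust, &error), false, "non-self-signed MD5 cert succeeded");
    if (error) {
        is(CFErrorGetCode(error), errSecInvalidDigestAlgorithm, "got wrong error code for MD5 leaf cert, got %ld, expected %d",
           (long)CFErrorGetCode(error), (int)errSecInvalidDigestAlgorithm);
    } else {
        fail("expected trust evaluation to fail and it did not.");
    }

errOut:
    CFReleaseNull(md5_leaf);
    CFReleaseNull(sha256_root);
    CFReleaseNull(anchors);
    CFReleaseNull(verifyDate);
    CFReleaseNull(trust);
    CFReleaseNull(error);
}

#pragma mark - Helpers

/// Evaluates `certs` under `policy` at `date` and returns the evaluation result.
///
/// Setup problems are recorded as XCTest failures. If the trust object cannot
/// be created the method returns false immediately instead of passing a NULL
/// SecTrustRef to the remaining SecTrust* calls (XCTAssert does not abort the
/// test by default, so the original unguarded sequence would continue with NULL).
///
/// @param certs    The chain to evaluate, leaf first, as bridged SecCertificateRefs.
/// @param anchors  Anchor certificates to pin, or nil to leave the default anchors
///                 in place (the systemTrusted and trustSettings tests rely on nil).
/// @param policy   The policy to evaluate against.
/// @param date     The verification date.
/// @return The result of SecTrustEvaluateWithError; the CFError, if any, is
///         released and not surfaced to the caller.
- (bool)runTrust:(NSArray *)certs
         anchors:(NSArray *)anchors
          policy:(SecPolicyRef)policy
      verifyDate:(NSDate *)date
{
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust);
    XCTAssertEqual(status, errSecSuccess, "failed to create trust object");
    if (status != errSecSuccess || trust == NULL) {
        // Nothing to evaluate; the assertion above already recorded the failure.
        CFReleaseNull(trust);
        return false;
    }

    if (anchors) {
        XCTAssertEqual(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), errSecSuccess,
                       "failed to set anchors");
    }
    XCTAssertEqual(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date), errSecSuccess,
                   "failed to set verify date");

    CFErrorRef error = NULL;
    bool result = SecTrustEvaluateWithError(trust, &error);
    CFReleaseNull(error);
    CFReleaseNull(trust);
    return result;
}

#pragma mark - SHA-1

#if !TARGET_OS_BRIDGE // bridgeOS doesn't have a system trust store
/// SHA-1 leaf and intermediate chaining to the system trust store (no app anchors).
/// Expected: rejected for SSL server and EAP, accepted for SSL client.
- (void)testSHA1_systemTrusted {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateNov2016];
    SecCertificateRef sha1_leaf = SecCertificateCreateWithBytes(NULL, _badssl_sha1, sizeof(_badssl_sha1));
    SecCertificateRef sha1_int = SecCertificateCreateWithBytes(NULL, _digiCertSSCA, sizeof(_digiCertSSCA));
    // The array literal retains the certs, so the +1 refs are dropped right away.
    NSArray *sha1_certs = @[ (__bridge id)sha1_leaf, (__bridge id)sha1_int ];
    CFReleaseNull(sha1_leaf);
    CFReleaseNull(sha1_int);

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("www.badssl.com"));
    XCTAssertFalse([self runTrust:sha1_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                   "system trusted SHA1 certs succeeded for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "system trusted SHA1 certs failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"www.badssl.com"]);
    XCTAssertFalse([self runTrust:sha1_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                   "system trusted SHA1 certs succeeded for EAP");
    CFReleaseNull(eapPolicy);
}
#endif // !TARGET_OS_BRIDGE

/// SHA-1 leaf and intermediate with the root supplied as an app anchor.
/// Expected: rejected for SSL server; accepted for SSL client, EAP and both
/// legacy-SSL policies.
- (void)testSHA1_appTrustedLeaf {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateNov2016];
    SecCertificateRef sha1_leaf = SecCertificateCreateWithBytes(NULL, _badssl_sha1, sizeof(_badssl_sha1));
    SecCertificateRef sha1_int = SecCertificateCreateWithBytes(NULL, _digiCertSSCA, sizeof(_digiCertSSCA));
    SecCertificateRef sha1_root = SecCertificateCreateWithBytes(NULL, _digiCertRoot, sizeof(_digiCertRoot));

    NSArray *sha1_certs = @[ (__bridge id)sha1_leaf, (__bridge id)sha1_int ];
    NSArray *anchor = @[ (__bridge id)sha1_root ];
    CFReleaseNull(sha1_leaf);
    CFReleaseNull(sha1_int);
    CFReleaseNull(sha1_root);

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("www.badssl.com"));
    XCTAssertFalse([self runTrust:sha1_certs anchors:anchor policy:serverPolicy verifyDate:verifyDate],
                   "anchor trusted SHA1 certs succeeded for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:clientPolicy verifyDate:verifyDate],
                  "anchor trusted SHA1 certs failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"*.badssl.com", @"badssl.com"]);
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:eapPolicy verifyDate:verifyDate],
                  "anchor trusted SHA1 certs failed for EAP");
    CFReleaseNull(eapPolicy);

    SecPolicyRef legacyPolicy = SecPolicyCreateLegacySSL(true, CFSTR("www.badssl.com"));
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:legacyPolicy verifyDate:verifyDate],
                  "anchor trusted SHA1 certs failed for legacy SSL server");
    CFReleaseNull(legacyPolicy);

    SecPolicyRef legacyClientPolicy = SecPolicyCreateLegacySSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:legacyClientPolicy verifyDate:verifyDate],
                  "anchor trusted SHA1 certs failed for legacy SSL client");
    CFReleaseNull(legacyClientPolicy);
}

/// A self-signed SHA-1 certificate supplied as its own app anchor.
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA1_appTrustedSelfSigned {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha1_cert = SecCertificateCreateWithBytes(NULL, _testSHA1SelfSigned, sizeof(_testSHA1SelfSigned));
    NSArray *sha1_certs = @[ (__bridge id)sha1_cert ];
    NSArray *anchor = @[ (__bridge id)sha1_cert ];
    CFReleaseNull(sha1_cert);

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:serverPolicy verifyDate:verifyDate],
                  "anchor trusted self-signed SHA1 cert failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:clientPolicy verifyDate:verifyDate],
                  "anchor trusted self-signed SHA1 cert failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:eapPolicy verifyDate:verifyDate],
                  "anchor trusted self-signed SHA1 cert failed for EAP");
    CFReleaseNull(eapPolicy);
}

#if !TARGET_OS_BRIDGE // bridgeOS doesn't have trust settings
/// SHA-1 leaf whose root is trusted via trust settings (no app anchors).
/// Expected: rejected for SSL server, accepted for SSL client and EAP.
- (void)testSHA1_trustSettingsOnRoot_TestLeaf {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha1_leaf = SecCertificateCreateWithBytes(NULL, _testSHA1Leaf, sizeof(_testSHA1Leaf));
    SecCertificateRef sha1_root = SecCertificateCreateWithBytes(NULL, _testRoot, sizeof(_testRoot));
    NSArray *sha1_certs = @[ (__bridge id)sha1_leaf, (__bridge id)sha1_root ];
    CFReleaseNull(sha1_leaf);

    // sha1_root stays alive until the trust settings are removed again below.
    id persistentRef = [self addTrustSettingsForCert:sha1_root];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertFalse([self runTrust:sha1_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                   "trust settings on root, SHA1 leaf succeeded for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "trust settings on root, SHA1 leaf failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                  "trust settings on root, SHA1 leaf failed for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha1_root persistentRef:persistentRef];
    CFReleaseNull(sha1_root);
}

/// SHA-1 leaf trusted directly via trust settings.
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA1_trustSettingsOnLeaf {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha1_leaf = SecCertificateCreateWithBytes(NULL, _testSHA1Leaf, sizeof(_testSHA1Leaf));
    NSArray *sha1_certs = @[ (__bridge id)sha1_leaf ];

    id persistentRef = [self addTrustSettingsForCert:sha1_leaf];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                  "trust settings on SHA1 leaf failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "trust settings on SHA1 leaf failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                  "trust settings on SHA1 leaf failed for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha1_leaf persistentRef:persistentRef];
    CFReleaseNull(sha1_leaf);
}

/// Self-signed SHA-1 certificate trusted via trust settings.
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA1_trustSettingsSelfSigned {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha1_cert = SecCertificateCreateWithBytes(NULL, _testSHA1SelfSigned, sizeof(_testSHA1SelfSigned));
    NSArray *sha1_certs = @[ (__bridge id)sha1_cert ];

    id persistentRef = [self addTrustSettingsForCert:sha1_cert];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                  "trust settings self-signed SHA1 cert failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "trust settings self-signed SHA1 cert failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha1_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                  "trust settings self-signed SHA1 cert failed for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha1_cert persistentRef:persistentRef];
    CFReleaseNull(sha1_cert);
}

/// SHA-1 leaf with an explicit kSecTrustSettingsResultDeny trust setting.
/// Expected: rejected for SSL server, SSL client and EAP alike.
- (void)testSHA1_denyTrustSettings {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha1_leaf = SecCertificateCreateWithBytes(NULL, _testSHA1Leaf, sizeof(_testSHA1Leaf));
    NSArray *sha1_certs = @[ (__bridge id)sha1_leaf ];

    id persistentRef = [self addTrustSettingsForCert:sha1_leaf
                                       trustSettings:@{ (__bridge NSString *)kSecTrustSettingsResult: @(kSecTrustSettingsResultDeny) }];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertFalse([self runTrust:sha1_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                   "deny trust settings on SHA1 leaf succeeded for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertFalse([self runTrust:sha1_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                   "deny trust settings on SHA1 leaf succeeded for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertFalse([self runTrust:sha1_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                   "deny trust settings on SHA1 leaf succeeded for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha1_leaf persistentRef:persistentRef];
    CFReleaseNull(sha1_leaf);
}

/// SHA-1 leaf with a kSecTrustSettingsResultUnspecified trust setting, chaining
/// to a root supplied as an app anchor.
/// Expected: rejected for SSL server, accepted for SSL client and EAP — i.e. the
/// unspecified setting does not override the anchor-based outcome.
- (void)testSHA1_unspecifiedTrustSettings {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha1_leaf = SecCertificateCreateWithBytes(NULL, _testSHA1Leaf, sizeof(_testSHA1Leaf));
    SecCertificateRef sha1_root = SecCertificateCreateWithBytes(NULL, _testRoot, sizeof(_testRoot));
    NSArray *sha1_certs = @[ (__bridge id)sha1_leaf ];
    NSArray *anchor = @[ (__bridge id)sha1_root ];
    CFReleaseNull(sha1_root);

    id persistentRef = [self addTrustSettingsForCert:sha1_leaf
                                       trustSettings:@{ (__bridge NSString *)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified) }];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertFalse([self runTrust:sha1_certs anchors:anchor policy:serverPolicy verifyDate:verifyDate],
                   "unspecified trust settings on SHA1 leaf succeeded for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:clientPolicy verifyDate:verifyDate],
                  "unspecified trust settings on SHA1 leaf failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha1_certs anchors:anchor policy:eapPolicy verifyDate:verifyDate],
                  "unspecified trust settings on SHA1 leaf failed for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha1_leaf persistentRef:persistentRef];
    CFReleaseNull(sha1_leaf);
}
#endif // !TARGET_OS_BRIDGE

#pragma mark - SHA-2

#if !TARGET_OS_BRIDGE // bridgeOS doesn't have a system trust store
/// SHA-2 leaf and intermediate chaining to the system trust store (no app anchors).
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA2_systemTrusted {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateNov2016];

    SecCertificateRef sha2_leaf = SecCertificateCreateWithBytes(NULL, _badssl_sha2, sizeof(_badssl_sha2));
    SecCertificateRef sha2_int = SecCertificateCreateWithBytes(NULL, _COMODO_DV, sizeof(_COMODO_DV));
    NSArray *sha2_certs = @[ (__bridge id)sha2_leaf, (__bridge id)sha2_int ];
    CFReleaseNull(sha2_leaf);
    CFReleaseNull(sha2_int);

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("www.badssl.com"));
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                  "system trusted SHA2 certs failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "system trusted SHA2 certs failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"*.badssl.com", @"badssl.com"]);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                  "system trusted SHA2 certs failed for EAP");
    CFReleaseNull(eapPolicy);
}
#endif // !TARGET_OS_BRIDGE

/// SHA-2 leaf and intermediate with the root supplied as an app anchor.
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA2_appTrustedLeaf {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateNov2016];

    SecCertificateRef sha2_leaf = SecCertificateCreateWithBytes(NULL, _badssl_sha2, sizeof(_badssl_sha2));
    SecCertificateRef sha2_int = SecCertificateCreateWithBytes(NULL, _COMODO_DV, sizeof(_COMODO_DV));
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _COMODO_root, sizeof(_COMODO_root));

    NSArray *sha2_certs = @[ (__bridge id)sha2_leaf, (__bridge id)sha2_int ];
    NSArray *anchor = @[ (__bridge id)root ];

    CFReleaseNull(sha2_leaf);
    CFReleaseNull(sha2_int);
    CFReleaseNull(root);

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("www.badssl.com"));
    XCTAssertTrue([self runTrust:sha2_certs anchors:anchor policy:serverPolicy verifyDate:verifyDate],
                  "anchor trusted SHA2 certs failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha2_certs anchors:anchor policy:clientPolicy verifyDate:verifyDate],
                  "anchor trusted SHA2 certs failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"*.badssl.com", @"badssl.com"]);
    XCTAssertTrue([self runTrust:sha2_certs anchors:anchor policy:eapPolicy verifyDate:verifyDate],
                  "anchor trusted SHA2 certs failed for EAP");
    CFReleaseNull(eapPolicy);
}

/// A self-signed SHA-2 certificate supplied as its own app anchor.
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA2_appTrustedSelfSigned {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha2_cert = SecCertificateCreateWithBytes(NULL, _testSHA2SelfSigned, sizeof(_testSHA2SelfSigned));
    NSArray *sha2_certs = @[ (__bridge id)sha2_cert ];
    NSArray *anchor = @[ (__bridge id)sha2_cert ];
    CFReleaseNull(sha2_cert);

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertTrue([self runTrust:sha2_certs anchors:anchor policy:serverPolicy verifyDate:verifyDate],
                  "anchor trusted self-signed SHA2 cert failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha2_certs anchors:anchor policy:clientPolicy verifyDate:verifyDate],
                  "anchor trusted self-signed SHA2 cert failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha2_certs anchors:anchor policy:eapPolicy verifyDate:verifyDate],
                  "anchor trusted self-signed SHA2 cert failed for EAP");
    CFReleaseNull(eapPolicy);
}

#if !TARGET_OS_BRIDGE // bridgeOS doesn't have trust settings
/// SHA-2 leaf whose root is trusted via trust settings (no app anchors).
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA2_trustSettingsOnRoot_TestLeaf {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha2_leaf = SecCertificateCreateWithBytes(NULL, _testSHA2Leaf, sizeof(_testSHA2Leaf));
    SecCertificateRef sha2_root = SecCertificateCreateWithBytes(NULL, _testRoot, sizeof(_testRoot));
    NSArray *sha2_certs = @[ (__bridge id)sha2_leaf, (__bridge id)sha2_root ];
    CFReleaseNull(sha2_leaf);

    // sha2_root stays alive until the trust settings are removed again below.
    id persistentRef = [self addTrustSettingsForCert:sha2_root];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                  "trust settings on root, SHA2 leaf failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "trust settings on root, SHA2 leaf failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                  "trust settings on root, SHA2 leaf failed for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha2_root persistentRef:persistentRef];
    CFReleaseNull(sha2_root);
}

/// SHA-2 leaf trusted directly via trust settings.
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA2_trustSettingsOnLeaf {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha2_leaf = SecCertificateCreateWithBytes(NULL, _testSHA2Leaf, sizeof(_testSHA2Leaf));
    NSArray *sha2_certs = @[ (__bridge id)sha2_leaf ];

    id persistentRef = [self addTrustSettingsForCert:sha2_leaf];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                  "trust settings on SHA2 leaf failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "trust settings on SHA2 leaf failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                  "trust settings on SHA2 leaf failed for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha2_leaf persistentRef:persistentRef];
    CFReleaseNull(sha2_leaf);
}

/// Self-signed SHA-2 certificate trusted via trust settings.
/// Expected: accepted for SSL server, SSL client and EAP.
- (void)testSHA2_trustSettingsSelfSigned {
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:kVerifyDateApr2019];
    SecCertificateRef sha2_cert = SecCertificateCreateWithBytes(NULL, _testSHA2SelfSigned, sizeof(_testSHA2SelfSigned));
    NSArray *sha2_certs = @[ (__bridge id)sha2_cert ];

    id persistentRef = [self addTrustSettingsForCert:sha2_cert];

    SecPolicyRef serverPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:serverPolicy verifyDate:verifyDate],
                  "trust settings self-signed SHA2 cert failed for SSL server");
    CFReleaseNull(serverPolicy);

    SecPolicyRef clientPolicy = SecPolicyCreateSSL(false, NULL);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:clientPolicy verifyDate:verifyDate],
                  "trust settings self-signed SHA2 cert failed for SSL client");
    CFReleaseNull(clientPolicy);

    SecPolicyRef eapPolicy = SecPolicyCreateEAP(true, (__bridge CFArrayRef)@[@"example.com"]);
    XCTAssertTrue([self runTrust:sha2_certs anchors:nil policy:eapPolicy verifyDate:verifyDate],
                  "trust settings self-signed SHA2 cert failed for EAP");
    CFReleaseNull(eapPolicy);

    [self removeTrustSettingsForCert:sha2_cert persistentRef:persistentRef];
    CFReleaseNull(sha2_cert);
}
#endif // !TARGET_OS_BRIDGE

@end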