1 /*
2 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <sys/cdefs.h>
25 #include <AssertMacros.h>
26
27 #include <utilities/SecCFRelease.h>
28
29 #include <Security/SecBase.h>
30 #include <Security/SecImportExport.h>
31 #include <Security/SecKeychain.h>
32 #include <Security/SecCertificatePriv.h>
33 #include <Security/SecTrustSettings.h>
34 #include <Security/SecItem.h>
35 #include <Security/SecTrust.h>
36 #include <Security/SecPolicy.h>
37 #include <Security/CMSDecoder.h>
38
39 #define kSystemLoginKeychainPath "/Library/Keychains/System.keychain"
40
41 #include "regressions/test/testmore.h"
42 #include "cms_regressions.h"
43 #include "cms-trust-settings-test.h"
44
45 // See <rdar://problem/8115188>
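// See <rdar://problem/8115188>
//
// Regression check: a certificate that carries an explicit "deny" trust
// setting in the admin domain must make a CMS signature produced by that
// certificate evaluate to kSecTrustResultDeny.
//
// Steps: add the signer certificate (_cert) to the system keychain, install
// the deny setting, decode the signed message (_signed_message) and read the
// trust result for signer 0. Everything installed on the host is removed again
// at `out`, including the admin-domain trust setting, which is stored
// separately from the keychain item and would otherwise outlive the test.
//
// Runs 12 harness checks in total (the caller's plan_tests count must match).
// Requires root: writes the system keychain and the admin trust domain.
static void test(void) {
    SecCertificateRef cert = NULL;
    SecKeychainRef kcRef = NULL;
    CFMutableDictionaryRef query = NULL;
    CFDictionaryRef trustSettings = NULL;
    CFArrayRef persistentRef = NULL;
    CMSDecoderRef decoder = NULL;
    SecPolicyRef policy = NULL;
    SecTrustRef trust = NULL;
    CMSSignerStatus signerStatus = kCMSSignerInvalidIndex;
    SecTrustResultType trustResult = kSecTrustResultInvalid;
    // Set once SecTrustSettingsSetTrustSettings has been attempted, so the
    // cleanup path can undo a fully or partially applied setting.
    bool trustSettingsInstalled = false;

    /* Add cert to keychain */
    ok(cert = SecCertificateCreateWithBytes(NULL, _cert, sizeof(_cert)), "Create cert");
    ok_status(SecKeychainOpen(kSystemLoginKeychainPath, &kcRef), "Open system keychain");
    if (!cert || !kcRef) {
        // Both are stored into the query below and dereferenced by every later
        // step; stop here instead of crashing the harness.
        goto out;
    }
    ok(query = CFDictionaryCreateMutable(NULL, 3, &kCFTypeDictionaryKeyCallBacks,
                                         &kCFTypeDictionaryValueCallBacks),
       "Create SecItem dictionary");
    if (!query) {
        goto out;
    }
    CFDictionaryAddValue(query, kSecValueRef, cert);
    CFDictionaryAddValue(query, kSecUseKeychain, kcRef);
    CFDictionaryAddValue(query, kSecReturnPersistentRef, kCFBooleanTrue);
    ok_status(SecItemAdd(query, (void *)&persistentRef),
              "Add cert to system keychain");

    /* Set trust settings: a single kSecTrustSettingsResult = deny entry */
    CFStringRef settingKey = kSecTrustSettingsResult;
    uint32_t denyValue = kSecTrustSettingsResultDeny;
    CFNumberRef deny = CFNumberCreate(NULL, kCFNumberSInt32Type, &denyValue);
    if (!deny) {
        goto out;
    }
    trustSettings = CFDictionaryCreate(NULL, (const void **)&settingKey, (const void **)&deny, 1,
                                       &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFReleaseNull(deny);
    if (!trustSettings) {
        // A NULL settings dictionary would not install a deny entry, which
        // would make the final check meaningless rather than fail it.
        goto out;
    }
    trustSettingsInstalled = true;
    ok_status(SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, trustSettings),
              "Set cert as denied");
    // Wait for trustd to get the message
    sleep(1);

    /* Create the Decoder */
    ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder");
    ok_status(CMSDecoderUpdateMessage(decoder, _signed_message, sizeof(_signed_message)),
              "Update decoder with CMS message");
    ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder");

    /* Evaluate trust */
    ok(policy = SecPolicyCreateBasicX509(), "Create policy");
    ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, true, &signerStatus, &trust, NULL),
              "Copy Signer status");
    if (!trust) {
        // No trust object means signer 0 could not be evaluated at all;
        // SecTrustGetTrustResult must not be handed NULL.
        goto out;
    }
    ok_status(SecTrustGetTrustResult(trust, &trustResult), "Get trust result");
    is(trustResult, kSecTrustResultDeny, "Not denied");

out:
    /* Undo everything the test installed on the host. */
    if (trustSettingsInstalled) {
        // Trust settings are keyed by certificate in the admin domain, not in
        // the keychain item deleted below; without this the deny entry would
        // persist on the machine after the test exits.
        SecTrustSettingsRemoveTrustSettings(cert, kSecTrustSettingsDomainAdmin);
    }
    if (persistentRef) {
        // NOTE(review): SecItemAdd is handed a single item here; confirm the
        // returned persistent ref really is an array before indexing it.
        CFTypeRef item = CFArrayGetValueAtIndex(persistentRef, 0);
        CFDictionaryRef del = CFDictionaryCreate(NULL, (const void **)&kSecValuePersistentRef, &item, 1,
                                                 &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        SecItemDelete(del);
        CFReleaseNull(del);
    }
    CFReleaseNull(cert);
    CFReleaseNull(kcRef);
    CFReleaseNull(query);
    CFReleaseNull(persistentRef);
    CFReleaseNull(trustSettings);
    CFReleaseNull(decoder);
    CFReleaseNull(policy);
    CFReleaseNull(trust);
}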
115
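/*
 * Entry point registered with the regression harness.
 *
 * Declares the 12 checks performed by test(), then runs it. On non-iOS
 * targets the body writes the system keychain and the admin trust domain, so
 * it is skipped entirely unless the process is running as root.
 *
 * argc/argv are accepted for harness compatibility and otherwise unused.
 * Always returns 0.
 */
int cms_trust_settings_test(int argc, char *const *argv) {
    (void)argc;
    (void)argv;

    plan_tests(12);

#if !TARGET_OS_IPHONE
    if (getuid() != 0) {
        // Newline so the notice is not fused with the harness's next line.
        printf("Test must be run as root on OS X\n");
        return 0;
    }
#endif

    test();

    return 0;
}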