1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 #include <AssertMacros.h>
26 #import <XCTest/XCTest.h>
27 #include "OSX/utilities/SecCFWrappers.h"
28 #include <Security/SecCertificatePriv.h>
29 #include <Security/SecPolicy.h>
30 #include <Security/SecTrust.h>
31 #include <Security/SecTrustSettings.h>
32
33 #import "TrustEvaluationTestCase.h"
34 #include "../TestMacroConversions.h"
35 #include "VerifyDateTests_data.h"
36
37 @interface VerifyDateTests : TrustEvaluationTestCase
38 @end
39
40 @implementation VerifyDateTests
/* Test long-lived cert chain that expires in 9999 */

/* Trust object shared by every test in this class: +setUp creates it and
 * +tearDown releases it. Each test sets its own verify date on it before
 * evaluating, so no test relies on a date left behind by another. */
static SecTrustRef trust = nil;
44
// Builds the class-wide trust object from the `longleaf` certificate and
// installs `longroot` as its only anchor. No policy is passed to
// SecTrustCreateWithCertificates.
// NOTE(review): the OSStatus results of SecTrustCreateWithCertificates and
// SecTrustSetAnchorCertificates are not checked here; a failure would only
// surface later through the per-test assertions.
+ (void)setUp {
    [super setUp];

    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, longleaf, sizeof(longleaf));
    SecCertificateRef rootCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, longroot, sizeof(longroot));
    NSArray *anchorList = @[(__bridge id)rootCert];

    SecTrustCreateWithCertificates(leafCert, NULL, &trust);
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchorList);

    // The local certificate references are dropped once the trust object is configured.
    CFReleaseNull(rootCert);
    CFReleaseNull(leafCert);
}
56
// Releases the trust object shared by the tests in this class.
// NOTE(review): +setUp calls [super setUp], but this override does not call
// [super tearDown]; confirm that no superclass teardown is being skipped.
+ (void)tearDown {
    CFReleaseNull(trust);
}
60
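// Evaluates the shared trust object at a verify date earlier than the chain's
// "notBefore" date and expects the evaluation to fail.
- (void)testPriorToNotBefore {
    CFDateRef date = NULL;
    /* September 4, 2013 (prior to "notBefore" date of 2 April 2014, should fail).
     * 400000000 seconds after the CFAbsoluteTime reference date (1 Jan 2001) is
     * 4 Sep 2013; the assertion messages previously said 23 Sep 2013. */
    isnt(date = CFDateCreate(NULL, 400000000), NULL, "failed to create date");
    ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 4 Sep 2013");
    XCTAssertFalse(SecTrustEvaluateWithError(trust, NULL), "evaluate trust on 4 Sep 2013 and expect failure");
    CFReleaseNull(date);
}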
69
// Evaluates the shared trust object at a recent verify date inside the chain's
// validity period and expects the evaluation to succeed.
- (void)testRecentWithinValidity {
    /* January 17, 2016 (recent date within validity period, should succeed) */
    const CFAbsoluteTime verifyTime = 474747474;
    CFDateRef verifyDate = CFDateCreate(kCFAllocatorDefault, verifyTime);
    isnt(verifyDate, NULL, "failed to create date");

    OSStatus setDateStatus = SecTrustSetVerifyDate(trust, verifyDate);
    ok_status(setDateStatus, "set trust date to 17 Jan 2016");

    bool trusted = SecTrustEvaluateWithError(trust, NULL);
    XCTAssert(trusted, "evaluate trust on 17 Jan 2016 and expect success");

    CFReleaseNull(verifyDate);
}
78
// Evaluates the shared trust object at a far-future verify date that is still
// inside the chain's validity period and expects the evaluation to succeed.
- (void)testFarFutureWithinValidity {
    /* December 20, 9999 (far-future date within validity period, should succeed) */
    const CFAbsoluteTime verifyTime = 252423000000;
    CFDateRef verifyDate = CFDateCreate(kCFAllocatorDefault, verifyTime);
    isnt(verifyDate, NULL, "failed to create date");

    OSStatus setDateStatus = SecTrustSetVerifyDate(trust, verifyDate);
    ok_status(setDateStatus, "set trust date to 20 Dec 9999");

    bool trusted = SecTrustEvaluateWithError(trust, NULL);
    XCTAssert(trusted, "evaluate trust on 20 Dec 9999 and expect success");

    CFReleaseNull(verifyDate);
}
87
// Evaluates the shared trust object at a verify date later than the chain's
// "notAfter" date and expects the evaluation to fail.
- (void)testAfterNotAfter {
    /* January 12, 10000 (after the "notAfter" date of 31 Dec 9999, should fail) */
    const CFAbsoluteTime verifyTime = 252425000000;
    CFDateRef verifyDate = CFDateCreate(kCFAllocatorDefault, verifyTime);
    isnt(verifyDate, NULL, "failed to create date");

    OSStatus setDateStatus = SecTrustSetVerifyDate(trust, verifyDate);
    ok_status(setDateStatus, "set trust date to 12 Jan 10000");

    bool trusted = SecTrustEvaluateWithError(trust, NULL);
    XCTAssertFalse(trusted, "evaluate trust on 12 Jan 10000 and expect failure");

    CFReleaseNull(verifyDate);
}
96
97 @end
98
99 @interface ValidityPeriodRestrictionTests : TrustEvaluationTestCase
100 @end
101
102 @implementation ValidityPeriodRestrictionTests
// Note: the dates in the test names are certificate issuance dates, not the verify date used for the evaluation.
104
// Evaluates `certs` under the SSL server policy for "example.com" at a fixed verify date.
//
// certs:   certificates handed to SecTrustCreateWithCertificates.
// anchors: optional anchor certificates; when nil, no anchors are set on the trust object.
// error:   optional out-parameter; receives the error reported by SecTrustEvaluateWithError.
//          It is left untouched when creating or configuring the trust object fails.
// Returns the result of SecTrustEvaluateWithError, or NO if setup failed before evaluation.
- (BOOL)runTrustEvaluation:(NSArray *)certs anchors:(NSArray *)anchors error:(NSError **)error
{
    // Every local is declared ahead of the first require_noerr so each jump to errOut sees it initialized.
    BOOL trusted = NO;
    CFErrorRef evalError = NULL;
    SecTrustRef evalTrust = NULL;
    NSDate *verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:590000000.0]; // September 12, 2019 at 9:53:20 AM PDT
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, CFSTR("example.com"));

    require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, sslPolicy, &evalTrust), errOut);
    require_noerr(SecTrustSetVerifyDate(evalTrust, (__bridge CFDateRef)verifyDate), errOut);

    if (anchors != nil) {
        require_noerr(SecTrustSetAnchorCertificates(evalTrust, (__bridge CFArrayRef)anchors), errOut);
    }

    trusted = SecTrustEvaluateWithError(evalTrust, &evalError);
    if (error != NULL && evalError != NULL) {
        // NOTE(review): the CF reference is released at errOut below, so the caller's
        // NSError must be kept alive by the store through the out-parameter (as ARC
        // does) - confirm this file is built with ARC.
        *error = (__bridge NSError *)evalError;
    }

errOut:
    CFReleaseNull(evalError);
    CFReleaseNull(evalTrust);
    CFReleaseNull(sslPolicy);
    return trusted;
}
131
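// Negative case: with the test root registered through setTestRootAsSystem:,
// the `_testLeaf_66Months` leaf must not evaluate as trusted.
- (void)testSystemTrust_MoreThan5Years
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_66Months, sizeof(_testLeaf_66Months));

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "system-trusted 66 month cert succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the 66 month cert");

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}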
146
// Positive case: with the test root registered through setTestRootAsSystem:,
// the `_testLeaf_5Years` leaf is expected to evaluate as trusted.
- (void)testSystemTrust_LessThan5Years_BeforeJul2016
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef rootCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_5Years, sizeof(_testLeaf_5Years));
    NSArray *chain = @[(__bridge id)leafCert];
    NSArray *anchorList = @[(__bridge id)rootCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:anchorList error:&evalError];
    XCTAssertTrue(trusted, "system-trusted 5 year cert issued before 1 July 2016 failed: %@", evalError);

    // Undo the system-root registration before dropping the certificate references.
    [self removeTestRootAsSystem];
    CFReleaseNull(leafCert);
    CFReleaseNull(rootCert);
}
161
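// Negative case: with the test root registered through setTestRootAsSystem:,
// the `_testLeaf_4Years` leaf must not evaluate as trusted.
- (void)testSystemTrust_MoreThan39Months_AfterJul2016
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_4Years, sizeof(_testLeaf_4Years));

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "system-trusted 4 year cert issued after 1 July 2016 succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the 4 year cert");

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}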
176
// Positive case: with the test root registered through setTestRootAsSystem:,
// the `_testLeaf_39Months` leaf is expected to evaluate as trusted.
- (void)testSystemTrust_LessThan39Months_BeforeMar2018
{
    // This cert should be valid
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef rootCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_39Months, sizeof(_testLeaf_39Months));
    NSArray *chain = @[(__bridge id)leafCert];
    NSArray *anchorList = @[(__bridge id)rootCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:anchorList error:&evalError];
    XCTAssertTrue(trusted, "system-trusted 39 month cert issued before 1 Mar 2018 failed: %@", evalError);

    // Undo the system-root registration before dropping the certificate references.
    [self removeTestRootAsSystem];
    CFReleaseNull(leafCert);
    CFReleaseNull(rootCert);
}
192
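// Negative case: with the test root registered through setTestRootAsSystem:,
// the `_testLeaf_3Years` leaf must not evaluate as trusted.
- (void)testSystemTrust_MoreThan825Days_AfterMar2018
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_3Years, sizeof(_testLeaf_3Years));

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "system-trusted 3 year cert issued after 1 Mar 2018 succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the 3 year cert");

    [self removeTestRootAsSystem];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}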
207
// Positive case: with the test root registered through setTestRootAsSystem:,
// the `_testLeaf_825Days` leaf is expected to evaluate as trusted.
- (void)testSystemTrust_LessThan825Days_AfterMar2018
{
    [self setTestRootAsSystem:_testValidityPeriodsRootHash];
    SecCertificateRef rootCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_825Days, sizeof(_testLeaf_825Days));
    NSArray *chain = @[(__bridge id)leafCert];
    NSArray *anchorList = @[(__bridge id)rootCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:anchorList error:&evalError];
    XCTAssertTrue(trusted, "system-trusted 825 day cert issued after 1 Mar 2018 failed: %@", evalError);

    // Undo the system-root registration before dropping the certificate references.
    [self removeTestRootAsSystem];
    CFReleaseNull(leafCert);
    CFReleaseNull(rootCert);
}
222
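// Negative case: the test root is supplied only as an app-provided anchor, and
// the `_testLeaf_3Years` leaf must not evaluate as trusted.
- (void)testAppTrustRoot_MoreThan825Days_AfterJul2019
{
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_3Years, sizeof(_testLeaf_3Years));

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "app-trusted (root) 3 year cert issued after 1 Jul 2019 succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the app-trusted (root) 3 year cert");

    CFReleaseNull(root);
    CFReleaseNull(leaf);
}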
235
// Positive case: the test root is supplied only as an app-provided anchor, and
// the `_testLeaf_66Months` leaf is expected to evaluate as trusted.
- (void)testAppTrustRoot_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef rootCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_66Months, sizeof(_testLeaf_66Months));
    NSArray *chain = @[(__bridge id)leafCert];
    NSArray *anchorList = @[(__bridge id)rootCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:anchorList error:&evalError];
    XCTAssertTrue(trusted, "app-trusted (root) 66 month cert issued before 1 Jul 2019 failed: %@", evalError);

    CFReleaseNull(leafCert);
    CFReleaseNull(rootCert);
}
248
// Positive case: the test root is supplied only as an app-provided anchor, and
// the `_testLeaf_825Days` leaf is expected to evaluate as trusted.
- (void)testAppTrustRoot_LessThan825Days_AfterJul2019
{
    SecCertificateRef rootCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_825Days, sizeof(_testLeaf_825Days));
    NSArray *chain = @[(__bridge id)leafCert];
    NSArray *anchorList = @[(__bridge id)rootCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:anchorList error:&evalError];
    XCTAssertTrue(trusted, "app-trusted (root) 825 day cert issued after 1 Jul 2019 failed: %@", evalError);

    CFReleaseNull(leafCert);
    CFReleaseNull(rootCert);
}
261
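// Negative case: the `_testLeaf_3Years` leaf is passed as its own app-provided
// anchor and must still not evaluate as trusted.
- (void)testAppTrustLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_3Years, sizeof(_testLeaf_3Years));

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)leaf] error:&error],
                   "app-trusted 3 year cert issued after 1 Jul 2019 succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the app-trusted 3 year cert");

    CFReleaseNull(leaf);
}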
272
// Positive case: the `_testLeaf_66Months` leaf is passed as its own app-provided
// anchor and is expected to evaluate as trusted.
- (void)testAppTrustLeaf_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_66Months, sizeof(_testLeaf_66Months));
    NSArray *chain = @[(__bridge id)leafCert];
    NSArray *anchorList = @[(__bridge id)leafCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:anchorList error:&evalError];
    XCTAssertTrue(trusted, "app-trusted 66 month cert issued before 1 Jul 2019 failed: %@", evalError);

    CFReleaseNull(leafCert);
}
283
// Positive case: the `_testLeaf_825Days` leaf is passed as its own app-provided
// anchor and is expected to evaluate as trusted.
- (void)testAppTrustLeaf_LessThan825Days_AfterJul2019
{
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_825Days, sizeof(_testLeaf_825Days));
    NSArray *chain = @[(__bridge id)leafCert];
    NSArray *anchorList = @[(__bridge id)leafCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:anchorList error:&evalError];
    XCTAssertTrue(trusted, "app-trusted 825 day cert issued after 1 Jul 2019 failed: %@", evalError);

    CFReleaseNull(leafCert);
}
294
295 #if !TARGET_OS_BRIDGE // bridgeOS doesn't have trust settings
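// Negative case: the test root gets trust settings through addTrustSettingsForCert:
// and no explicit anchors are passed; the `_testLeaf_3Years` leaf must not evaluate
// as trusted.
- (void)testUserTrustRoot_MoreThan825Days_AfterJul2019
{
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_3Years, sizeof(_testLeaf_3Years));
    id persistentRef = [self addTrustSettingsForCert:root];
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:certs anchors:nil error:&error],
                   "user-trusted (root) 3 year cert issued after 1 Jul 2019 succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the user-trusted (root) 3 year cert");

    [self removeTrustSettingsForCert:root persistentRef:persistentRef];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}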
311
// Positive case: the test root gets trust settings through addTrustSettingsForCert:
// and no explicit anchors are passed; the `_testLeaf_66Months` leaf is expected to
// evaluate as trusted.
- (void)testUserTrustRoot_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef rootCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_66Months, sizeof(_testLeaf_66Months));
    id settingsRef = [self addTrustSettingsForCert:rootCert];
    NSArray *chain = @[(__bridge id)leafCert, (__bridge id)rootCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:nil error:&evalError];
    XCTAssertTrue(trusted, "user-trusted (root) 66 month cert issued before 1 Jul 2019 failed: %@", evalError);

    // Remove the trust settings added above before dropping the certificate references.
    [self removeTrustSettingsForCert:rootCert persistentRef:settingsRef];
    CFReleaseNull(leafCert);
    CFReleaseNull(rootCert);
}
327
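// Positive case: the test root gets trust settings through addTrustSettingsForCert:
// and no explicit anchors are passed; the `_testLeaf_825Days` leaf is expected to
// evaluate as trusted.
- (void)testUserTrustRoot_LessThan825Days_AfterJul2019
{
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_825Days, sizeof(_testLeaf_825Days));
    id persistentRef = [self addTrustSettingsForCert:root];
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];

    NSError *error = nil;
    // The failure message previously said "app-trusted (root)", a copy-paste from the
    // app-anchor tests; this test exercises the user-trust-settings path.
    XCTAssertTrue([self runTrustEvaluation:certs anchors:nil error:&error],
                  "user-trusted (root) 825 day cert issued after 1 Jul 2019 failed: %@", error);

    [self removeTrustSettingsForCert:root persistentRef:persistentRef];
    CFReleaseNull(root);
    CFReleaseNull(leaf);
}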
343
// Positive case: trust settings are added directly to the `_testLeaf_3Years` leaf
// and no anchors are passed. Unlike the app-anchored and user-trusted-root variants
// for the same leaf, this one is expected to evaluate as trusted.
- (void)testUserTrustLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_3Years, sizeof(_testLeaf_3Years));
    id settingsRef = [self addTrustSettingsForCert:leafCert];
    NSArray *chain = @[(__bridge id)leafCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:nil error:&evalError];
    XCTAssertTrue(trusted, "user-trusted leaf 3 year cert issued after 1 Jul 2019 failed: %@", evalError);

    // Remove the trust settings added above before dropping the certificate reference.
    [self removeTrustSettingsForCert:leafCert persistentRef:settingsRef];
    CFReleaseNull(leafCert);
}
356
// Positive case: trust settings are added directly to the `_testLeaf_66Months` leaf
// and no anchors are passed; the leaf is expected to evaluate as trusted.
- (void)testUserTrustLeaf_MoreThan825Days_BeforeJul2019
{
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_66Months, sizeof(_testLeaf_66Months));
    id settingsRef = [self addTrustSettingsForCert:leafCert];
    NSArray *chain = @[(__bridge id)leafCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:nil error:&evalError];
    XCTAssertTrue(trusted, "user-trusted leaf 66 month cert issued before 1 Jul 2019 failed: %@", evalError);

    // Remove the trust settings added above before dropping the certificate reference.
    [self removeTrustSettingsForCert:leafCert persistentRef:settingsRef];
    CFReleaseNull(leafCert);
}
369
// Positive case: trust settings are added directly to the `_testLeaf_825Days` leaf
// and no anchors are passed; the leaf is expected to evaluate as trusted.
- (void)testUserTrustLeaf_LessThan825Days_AfterJul2019
{
    SecCertificateRef leafCert = SecCertificateCreateWithBytes(kCFAllocatorDefault, _testLeaf_825Days, sizeof(_testLeaf_825Days));
    id settingsRef = [self addTrustSettingsForCert:leafCert];
    NSArray *chain = @[(__bridge id)leafCert];

    NSError *evalError = nil;
    BOOL trusted = [self runTrustEvaluation:chain anchors:nil error:&evalError];
    XCTAssertTrue(trusted, "user-trusted leaf 825 day cert issued after 1 Jul 2019 failed: %@", evalError);

    // Remove the trust settings added above before dropping the certificate reference.
    [self removeTrustSettingsForCert:leafCert persistentRef:settingsRef];
    CFReleaseNull(leafCert);
}
382
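// Negative case: the `_testLeaf_3Years` leaf carries a kSecTrustSettingsResultDeny
// trust setting and no anchors are passed; it must not evaluate as trusted.
- (void)testUserDistrustLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_3Years, sizeof(_testLeaf_3Years));
    id persistentRef = [self addTrustSettingsForCert:leaf trustSettings: @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultDeny)}];

    NSError *error = nil;
    // Message typo fixed ("suceeded" -> "succeeded") so log searches for the word match.
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error],
                   "user-denied leaf 3 year cert issued after 1 Jul 2019 succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the user-denied leaf");

    [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
    CFReleaseNull(leaf);
}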
395
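// Negative case: the `_testLeaf_3Years` leaf carries a kSecTrustSettingsResultUnspecified
// trust setting and the test root is passed as an app-provided anchor; the leaf must
// not evaluate as trusted.
- (void)testUserUnspecifiedLeaf_MoreThan825Days_AfterJul2019
{
    SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _testValidityPeriodsRoot, sizeof(_testValidityPeriodsRoot));
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _testLeaf_3Years, sizeof(_testLeaf_3Years));
    id persistentRef = [self addTrustSettingsForCert:leaf trustSettings: @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified)}];

    NSError *error = nil;
    XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)root] error:&error],
                   "user-unspecified trust leaf 3 year cert issued after 1 Jul 2019 succeeded");
    // runTrustEvaluation returns NO without touching `error` when trust setup fails,
    // so require an evaluation error to keep this negative test from passing vacuously.
    XCTAssertNotNil(error, "expected a trust evaluation error for the user-unspecified leaf");

    [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
    CFReleaseNull(leaf);
    CFReleaseNull(root);
}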
410 #endif // !TARGET_OS_BRIDGE
411
412 @end