]> git.saurik.com Git - apple/security.git/blob - keychain/ckks/tests/CKKSTests+CurrentPointerAPI.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59754.41.1.tar.gz
[apple/security.git] / keychain / ckks / tests / CKKSTests+CurrentPointerAPI.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #if OCTAGON
25
26 #import <CloudKit/CloudKit.h>
27 #import <XCTest/XCTest.h>
28 #import <OCMock/OCMock.h>
29
30 #include <Security/SecItemPriv.h>
31 #include <Security/SecEntitlements.h>
32 #include <ipc/server_security_helpers.h>
33
34 #import "keychain/ckks/tests/CloudKitMockXCTest.h"
35 #import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h"
36 #import "keychain/ckks/CKKS.h"
37 #import "keychain/ckks/CKKSCurrentItemPointer.h"
38 #import "keychain/ckks/CKKSMirrorEntry.h"
39
40 #import "keychain/ckks/tests/MockCloudKit.h"
41 #import "keychain/ckks/tests/AutoreleaseTest.h"
42
43 #import "keychain/ckks/tests/CKKSTests.h"
44 #import "keychain/ckks/tests/CKKSTests+API.h"
45
46 @interface CloudKitKeychainSyncingCurrentPointerAPITests : CloudKitKeychainSyncingTestsBase
47 @end
48
49 @implementation CloudKitKeychainSyncingCurrentPointerAPITests
50
51 -(void)fetchCurrentPointer:(bool)cached persistentRef:(NSData*)persistentRef
52 {
53 XCTestExpectation* currentExpectation = [self expectationWithDescription: @"callback occurs"];
54 SecItemFetchCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
55 (__bridge CFStringRef)@"pcsservice",
56 (__bridge CFStringRef)@"keychain",
57 cached,
58 ^(CFDataRef currentPersistentRef, CFErrorRef cferror) {
59 XCTAssertNotNil((__bridge id)currentPersistentRef, "current item exists");
60 XCTAssertNil((__bridge id)cferror, "no error exists when there's a current item");
61 XCTAssertEqualObjects(persistentRef, (__bridge id)currentPersistentRef, "persistent ref matches expected persistent ref");
62 [currentExpectation fulfill];
63 });
64 [self waitForExpectationsWithTimeout:8.0 handler:nil];
65 }
66 -(void)fetchCurrentPointerExpectingError:(bool)fetchCloudValue
67 {
68 XCTestExpectation* currentExpectation = [self expectationWithDescription: @"callback occurs"];
69 TEST_API_AUTORELEASE_BEFORE(SecItemFetchCurrentItemAcrossAllDevices);
70 SecItemFetchCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
71 (__bridge CFStringRef)@"pcsservice",
72 (__bridge CFStringRef)@"keychain",
73 fetchCloudValue,
74 ^(CFDataRef currentPersistentRef, CFErrorRef cferror) {
75 XCTAssertNil((__bridge id)currentPersistentRef, "no current item exists");
76 XCTAssertNotNil((__bridge id)cferror, "Error exists when there's a current item");
77 [currentExpectation fulfill];
78 });
79 TEST_API_AUTORELEASE_AFTER(SecItemFetchCurrentItemAcrossAllDevices);
80 [self waitForExpectationsWithTimeout:8.0 handler:nil];
81 }
82
83 - (void)testPCSFetchCurrentPointerCachedAndUncached {
84 SecResetLocalSecuritydXPCFakeEntitlements();
85 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
86 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
87 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
88
89 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
90 [self startCKKSSubsystem];
91
92 [self.keychainView waitForKeyHierarchyReadiness];
93 [self.keychainView waitUntilAllOperationsAreFinished]; // ensure everything finishes before we disallow fetches
94
95 // Ensure that local queries don't hit the server.
96 self.silentFetchesAllowed = false;
97 [self fetchCurrentPointerExpectingError:false];
98
99 // And ensure that global queries do.
100 [self expectCKFetch];
101 [self fetchCurrentPointerExpectingError:true];
102 OCMVerifyAllWithDelay(self.mockDatabase, 20);
103 SecResetLocalSecuritydXPCFakeEntitlements();
104 }
105
106 - (void)testPCSCurrentPointerAddAndUpdate {
107 SecResetLocalSecuritydXPCFakeEntitlements();
108 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
109 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
110 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
111
112 NSNumber* servIdentifier = @3;
113 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
114 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
115
116 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
117 [self startCKKSSubsystem];
118
119 // Let things shake themselves out.
120 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], @"key state should enter 'ready'");
121 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
122
123 // Ensure there's no current pointer
124 [self fetchCurrentPointerExpectingError:false];
125
126 XCTestExpectation* keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
127
128 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
129 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
130 PCSServiceIdentifier:(NSNumber *)servIdentifier
131 PCSPublicKey:publicKey
132 PCSPublicIdentity:publicIdentity]];
133
134 NSDictionary* result = [self pcsAddItem:@"testaccount"
135 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
136 serviceIdentifier:(NSNumber*)servIdentifier
137 publicKey:(NSData*)publicKey
138 publicIdentity:(NSData*)publicIdentity
139 expectingSync:true];
140 XCTAssertNotNil(result, "Received result from adding item");
141 [self waitForExpectations:@[keychainChanged] timeout:8];
142
143 // Check that the record is where we expect it in CloudKit
144 [self waitForCKModifications];
145 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
146 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
147 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
148
149 NSData* persistentRef = result[(id)kSecValuePersistentRef];
150 NSData* sha1 = result[(id)kSecAttrSHA1];
151
152 [self expectCKModifyRecords:@{SecCKRecordCurrentItemType: [NSNumber numberWithUnsignedInteger: 1]}
153 deletedRecordTypeCounts:nil
154 zoneID:self.keychainZoneID
155 checkModifiedRecord:nil
156 runAfterModification:nil];
157
158 // Set the 'current' pointer.
159 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
160
161 // Ensure that setting the current pointer sends a notification
162 keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
163
164 TEST_API_AUTORELEASE_BEFORE(SecItemSetCurrentItemAcrossAllDevices);
165 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
166 (__bridge CFStringRef)@"pcsservice",
167 (__bridge CFStringRef)@"keychain",
168 (__bridge CFDataRef)persistentRef,
169 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
170 NSError* error = (__bridge NSError*)cferror;
171 XCTAssertNil(error, "No error setting current item");
172 [setCurrentExpectation fulfill];
173 });
174 TEST_API_AUTORELEASE_AFTER(SecItemSetCurrentItemAcrossAllDevices);
175 OCMVerifyAllWithDelay(self.mockDatabase, 20);
176 [self waitForExpectations:@[keychainChanged] timeout:8];
177 [self waitForCKModifications];
178
179 [self waitForExpectationsWithTimeout:8.0 handler:nil];
180
181 CKRecord* currentItemPointer = self.keychainZone.currentDatabase[[[CKRecordID alloc] initWithRecordName:@"com.apple.security.ckks-pcsservice" zoneID:self.keychainZoneID]];
182 XCTAssertNotNil(currentItemPointer, "Found a CKRecord at the expected location in CloudKit");
183 XCTAssertEqualObjects(currentItemPointer.recordType, SecCKRecordCurrentItemType, "Saved CKRecord is correct type");
184 XCTAssertEqualObjects(((CKReference*)currentItemPointer[SecCKRecordItemRefKey]).recordID, pcsItemRecordID, "Current Item record points to correct record");
185
186 // Check that the status APIs return the right value
187 [self fetchCurrentPointer:false persistentRef:persistentRef];
188
189 // Rad. If we got here, adding a new current item pointer works. Let's see if we can modify one.
190 keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
191
192 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
193 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
194 PCSServiceIdentifier:(NSNumber *)servIdentifier
195 PCSPublicKey:publicKey
196 PCSPublicIdentity:publicIdentity]];
197
198 result = [self pcsAddItem:@"tOTHER-ITEM"
199 data:[@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding]
200 serviceIdentifier:(NSNumber*)servIdentifier
201 publicKey:(NSData*)publicKey
202 publicIdentity:(NSData*)publicIdentity
203 expectingSync:true];
204 XCTAssertNotNil(result, "Received result from adding item");
205 [self waitForExpectations:@[keychainChanged] timeout:8];
206
207 // Check that the record is where we expect it
208 [self waitForCKModifications];
209 CKRecordID* pcsOtherItemRecordID = [[CKRecordID alloc] initWithRecordName: @"2DEA6136-2505-6BFD-E3E8-B44A6E39C3B5" zoneID:self.keychainZoneID];
210 CKRecord* recordOther = self.keychainZone.currentDatabase[pcsOtherItemRecordID];
211 XCTAssertNotNil(recordOther, "Found other record in CloudKit at expected UUID");
212
213 NSData* otherPersistentRef = result[(id)kSecValuePersistentRef];
214 NSData* otherSha1 = result[(id)kSecAttrSHA1];
215
216 // change the 'current' pointer.
217
218 // Refetch the old item's hash, just in case it's changed (it does, about 50% of the time. I'm not sure why).
219 CFTypeRef cfresult = NULL;
220 XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef) @{
221 (id)kSecValuePersistentRef : persistentRef,
222 (id)kSecReturnAttributes : @YES,
223 }, &cfresult), "Found original item by persistent reference");
224
225 XCTAssertNotNil((__bridge id)cfresult, "Received an item by finding persistent reference");
226 NSData* actualSHA1 = CFBridgingRelease(CFRetainSafe(CFDictionaryGetValue(cfresult, kSecAttrSHA1)));
227 XCTAssertNotNil(actualSHA1, "Have a SHA1 for the original item");
228 CFReleaseNull(cfresult);
229
230 if(![actualSHA1 isEqual:sha1]) {
231 ckksnotice_global("ckks", "SHA1s don't match, but why?");
232 }
233
234 XCTestExpectation* otherSetCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
235
236 [self expectCKModifyRecords:@{SecCKRecordCurrentItemType: [NSNumber numberWithUnsignedInteger: 1]}
237 deletedRecordTypeCounts:nil
238 zoneID:self.keychainZoneID
239 checkModifiedRecord:nil
240 runAfterModification:nil];
241
242 // Ensure that setting the current pointer sends a notification
243 keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
244
245 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
246 (__bridge CFStringRef)@"pcsservice",
247 (__bridge CFStringRef)@"keychain",
248 (__bridge CFDataRef)otherPersistentRef,
249 (__bridge CFDataRef)otherSha1,
250 (__bridge CFDataRef)persistentRef,
251 (__bridge CFDataRef)actualSHA1, ^ (CFErrorRef cferror) {
252 NSError* error = (__bridge NSError*)cferror;
253 XCTAssertNil(error, "No error setting current item");
254 [otherSetCurrentExpectation fulfill];
255 });
256 OCMVerifyAllWithDelay(self.mockDatabase, 20);
257 [self waitForExpectations:@[keychainChanged] timeout:8];
258 [self waitForCKModifications];
259
260 [self waitForExpectationsWithTimeout:8.0 handler:nil];
261
262 currentItemPointer = self.keychainZone.currentDatabase[[[CKRecordID alloc] initWithRecordName:@"com.apple.security.ckks-pcsservice" zoneID:self.keychainZoneID]];
263 XCTAssertNotNil(currentItemPointer, "Found a CKRecord at the expected location in CloudKit");
264 XCTAssertEqualObjects(currentItemPointer.recordType, SecCKRecordCurrentItemType, "Saved CKRecord is correct type");
265 XCTAssertEqualObjects(((CKReference*)currentItemPointer[SecCKRecordItemRefKey]).recordID, pcsOtherItemRecordID, "Current Item record points to updated record");
266
267 // And: again
268 [self fetchCurrentPointer:false persistentRef:otherPersistentRef];
269 [self fetchCurrentPointer:true persistentRef:otherPersistentRef];
270
271 SecResetLocalSecuritydXPCFakeEntitlements();
272 }
273
274 - (void)testPCSCurrentPointerAddMissingItem {
275 SecResetLocalSecuritydXPCFakeEntitlements();
276 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
277 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
278 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
279
280 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
281 [self startCKKSSubsystem];
282
283 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should become 'ready'");
284
285 [self fetchCurrentPointerExpectingError:false];
286
287 NSData* fakepersistentRef = [@"not a real pref" dataUsingEncoding:NSUTF8StringEncoding];
288 NSData* fakesha1 = [@"not a real sha1" dataUsingEncoding:NSUTF8StringEncoding];
289
290 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
291
292 TEST_API_AUTORELEASE_BEFORE(SecItemSetCurrentItemAcrossAllDevices);
293 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
294 (__bridge CFStringRef)@"pcsservice",
295 (__bridge CFStringRef)@"keychain",
296 (__bridge CFDataRef)fakepersistentRef,
297 (__bridge CFDataRef)fakesha1, NULL, NULL, ^ (CFErrorRef cferror) {
298 NSError* error = (__bridge NSError*)cferror;
299 XCTAssertNotNil(error, "Should error setting current item to a nonexistent item");
300 [setCurrentExpectation fulfill];
301 });
302 TEST_API_AUTORELEASE_AFTER(SecItemSetCurrentItemAcrossAllDevices);
303 OCMVerifyAllWithDelay(self.mockDatabase, 20);
304 [self waitForCKModifications];
305
306 [self waitForExpectationsWithTimeout:8.0 handler:nil];
307
308 SecResetLocalSecuritydXPCFakeEntitlements();
309 }
310
311 - (void)testPCSCurrentPointerAddMissingOldItem {
312 SecResetLocalSecuritydXPCFakeEntitlements();
313 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
314 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
315 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
316
317 NSNumber* servIdentifier = @3;
318 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
319 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
320
321 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
322 [self startCKKSSubsystem];
323
324 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should become 'ready'");
325
326 [self fetchCurrentPointerExpectingError:false];
327
328 XCTestExpectation* keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
329
330 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
331 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
332 PCSServiceIdentifier:(NSNumber *)servIdentifier
333 PCSPublicKey:publicKey
334 PCSPublicIdentity:publicIdentity]];
335
336 NSDictionary* result = [self pcsAddItem:@"testaccount"
337 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
338 serviceIdentifier:(NSNumber*)servIdentifier
339 publicKey:(NSData*)publicKey
340 publicIdentity:(NSData*)publicIdentity
341 expectingSync:true];
342 XCTAssertNotNil(result, "Received result from adding item");
343 [self waitForExpectations:@[keychainChanged] timeout:8];
344
345 // Check that the record is where we expect it in CloudKit
346 [self waitForCKModifications];
347 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
348 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
349 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
350
351 NSData* persistentRef = result[(id)kSecValuePersistentRef];
352 NSData* sha1 = result[(id)kSecAttrSHA1];
353
354 // Set the 'current' pointer.
355 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
356
357 NSData* fakepersistentRef = [@"not a real pref" dataUsingEncoding:NSUTF8StringEncoding];
358 NSData* fakesha1 = [@"not a real sha1" dataUsingEncoding:NSUTF8StringEncoding];
359
360 TEST_API_AUTORELEASE_BEFORE(SecItemSetCurrentItemAcrossAllDevices);
361 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
362 (__bridge CFStringRef)@"pcsservice",
363 (__bridge CFStringRef)@"keychain",
364 (__bridge CFDataRef)persistentRef,
365 (__bridge CFDataRef)sha1,
366 (__bridge CFDataRef)fakepersistentRef,
367 (__bridge CFDataRef)fakesha1,
368 ^(CFErrorRef cferror) {
369 NSError* error = (__bridge NSError*)cferror;
370 XCTAssertNotNil(error, "Should error setting current item when passing garbage for old item");
371 [setCurrentExpectation fulfill];
372 });
373 TEST_API_AUTORELEASE_AFTER(SecItemSetCurrentItemAcrossAllDevices);
374 OCMVerifyAllWithDelay(self.mockDatabase, 20);
375 [self waitForCKModifications];
376
377 [self waitForExpectations:@[setCurrentExpectation] timeout:8];
378
379 SecResetLocalSecuritydXPCFakeEntitlements();
380 }
381
382 - (void)testPCSCurrentPointerAddNoCloudKitAccount {
383 SecResetLocalSecuritydXPCFakeEntitlements();
384 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
385 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
386 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
387
388 NSNumber* servIdentifier = @3;
389 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
390 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
391
392 // Entirely signed out of iCloud. all current record writes should fail.
393 self.accountStatus = CKAccountStatusNoAccount;
394
395 self.mockSOSAdapter.circleStatus = kSOSCCNotInCircle;
396 [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal];
397
398 self.silentFetchesAllowed = false;
399 [self startCKKSSubsystem];
400
401 // Ensure there's no current pointer
402 [self fetchCurrentPointerExpectingError:false];
403
404 // Should NOT add an item to CloudKit
405 NSDictionary* result = [self pcsAddItem:@"testaccount"
406 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
407 serviceIdentifier:(NSNumber*)servIdentifier
408 publicKey:(NSData*)publicKey
409 publicIdentity:(NSData*)publicIdentity
410 expectingSync:false];
411 XCTAssertNotNil(result, "Received result from adding item");
412
413 NSData* persistentRef = result[(id)kSecValuePersistentRef];
414 NSData* sha1 = result[(id)kSecAttrSHA1];
415
416 // Set the 'current' pointer. This should fail.
417 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
418
419 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
420 (__bridge CFStringRef)@"pcsservice",
421 (__bridge CFStringRef)@"keychain",
422 (__bridge CFDataRef)persistentRef,
423 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
424 NSError* error = (__bridge NSError*)cferror;
425 XCTAssertNotNil(error, "Error setting current item with no CloudKit account");
426 [setCurrentExpectation fulfill];
427 });
428
429 [self waitForExpectationsWithTimeout:8.0 handler:nil];
430 SecResetLocalSecuritydXPCFakeEntitlements();
431 }
432
433 - (void)testPCSCurrentPointerAddNonSyncItem {
434 SecResetLocalSecuritydXPCFakeEntitlements();
435 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
436 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
437 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
438
439 NSNumber* servIdentifier = @3;
440 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
441 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
442
443 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
444 [self startCKKSSubsystem];
445 [self.keychainView waitForKeyHierarchyReadiness];
446
447 NSMutableDictionary* query = [self pcsAddItemQuery:@"account"
448 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
449 serviceIdentifier:servIdentifier
450 publicKey:publicKey
451 publicIdentity:publicIdentity];
452 query[(id)kSecAttrSynchronizable] = @NO;
453
454 CFTypeRef cfresult = NULL;
455 XCTestExpectation* syncExpectation = [self expectationWithDescription: @"_SecItemAddAndNotifyOnSync callback occured"];
456
457 // Note that you will NOT receive a notification here, since you're adding a nonsync item
458 syncExpectation.inverted = YES;
459
460 XCTAssertEqual(errSecSuccess, _SecItemAddAndNotifyOnSync((__bridge CFDictionaryRef) query, &cfresult, ^(bool didSync, CFErrorRef error) {
461 XCTAssertFalse(didSync, "Item did not sync");
462 XCTAssertNotNil((__bridge NSError*)error, "Error syncing item");
463
464 [syncExpectation fulfill];
465 }), @"_SecItemAddAndNotifyOnSync succeeded");
466
467 // We don't expect this callback to fire, so give it a second or so
468 [self waitForExpectations:@[syncExpectation] timeout:20];
469
470 NSDictionary* result = CFBridgingRelease(cfresult);
471
472 XCTAssertNotNil(result, "Received result from adding item");
473
474 NSData* persistentRef = result[(id)kSecValuePersistentRef];
475 NSData* sha1 = result[(id)kSecAttrSHA1];
476
477 // Set the 'current' pointer. This should fail.
478 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
479
480 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
481 (__bridge CFStringRef)@"pcsservice",
482 (__bridge CFStringRef)@"keychain",
483 (__bridge CFDataRef)persistentRef,
484 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
485 NSError* error = (__bridge NSError*)cferror;
486 XCTAssertNotNil(error, "Error setting current item to nonsyncable item");
487 [setCurrentExpectation fulfill];
488 });
489
490 [self waitForExpectations:@[setCurrentExpectation] timeout:20];
491 SecResetLocalSecuritydXPCFakeEntitlements();
492 }
493
494 - (void)testPCSCurrentPointerReceive {
495 SecResetLocalSecuritydXPCFakeEntitlements();
496 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
497 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
498 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
499
500 NSNumber* servIdentifier = @3;
501 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
502 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
503
504 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
505 [self startCKKSSubsystem];
506
507 // Let things shake themselves out.
508 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], @"key state should enter 'ready'");
509 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
510
511 // Ensure there's no current pointer
512 [self fetchCurrentPointerExpectingError:false];
513
514 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
515 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
516 PCSServiceIdentifier:(NSNumber *)servIdentifier
517 PCSPublicKey:publicKey
518 PCSPublicIdentity:publicIdentity]];
519
520 XCTestExpectation* keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
521
522 NSDictionary* result = [self pcsAddItem:@"testaccount"
523 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
524 serviceIdentifier:(NSNumber*)servIdentifier
525 publicKey:(NSData*)publicKey
526 publicIdentity:(NSData*)publicIdentity
527 expectingSync:true];
528 XCTAssertNotNil(result, "Received result from adding item");
529 NSData* persistentRef = result[(id)kSecValuePersistentRef];
530
531 [self waitForExpectations:@[keychainChanged] timeout:8];
532
533 // And a second item
534 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
535 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
536 PCSServiceIdentifier:(NSNumber *)servIdentifier
537 PCSPublicKey:publicKey
538 PCSPublicIdentity:publicIdentity]];
539 result = [self pcsAddItem:@"testaccount2"
540 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
541 serviceIdentifier:(NSNumber*)servIdentifier
542 publicKey:(NSData*)publicKey
543 publicIdentity:(NSData*)publicIdentity
544 expectingSync:true];
545 XCTAssertNotNil(result, "Received result from adding item");
546 NSData* persistentRef2 = result[(id)kSecValuePersistentRef];
547
548 // Check that the records are where we expect them in CloudKit
549 [self waitForCKModifications];
550 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
551 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
552 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
553
554 CKRecordID* pcsItemRecordID2 = [[CKRecordID alloc] initWithRecordName: @"10E76B80-CE1C-A52A-B0CB-462A2EBA05AF" zoneID:self.keychainZoneID];
555 CKRecord* record2 = self.keychainZone.currentDatabase[pcsItemRecordID2];
556 XCTAssertNotNil(record2, "Found 2nd record in CloudKit at expected UUID");
557
558 // Still no current pointer.
559 [self fetchCurrentPointerExpectingError:false];
560
561 // Another machine comes along and updates the pointer!
562 CKKSCurrentItemPointer* cip = [[CKKSCurrentItemPointer alloc] initForIdentifier:@"com.apple.security.ckks-pcsservice"
563 currentItemUUID:@"50184A35-4480-E8BA-769B-567CF72F1EC0"
564 state:SecCKKSProcessedStateRemote
565 zoneID:self.keychainZoneID
566 encodedCKRecord:nil];
567 [self.keychainZone addToZone: [cip CKRecordWithZoneID:self.keychainZoneID]];
568 CKRecordID* currentPointerRecordID = [[CKRecordID alloc] initWithRecordName: @"com.apple.security.ckks-pcsservice" zoneID:self.keychainZoneID];
569 CKRecord* currentPointerRecord = self.keychainZone.currentDatabase[currentPointerRecordID];
570 XCTAssertNotNil(currentPointerRecord, "Found record in CloudKit at expected UUID");
571
572 // Ensure that receiving the current item pointer generates a notification
573 keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
574
575 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
576 [self.keychainView waitForFetchAndIncomingQueueProcessing];
577
578 [self waitForExpectations:@[keychainChanged] timeout:8];
579 [self fetchCurrentPointer:false persistentRef:persistentRef];
580
581 // And again!
582 CKKSCurrentItemPointer* cip2 = [[CKKSCurrentItemPointer alloc] initForIdentifier:@"com.apple.security.ckks-pcsservice"
583 currentItemUUID:pcsItemRecordID2.recordName
584 state:SecCKKSProcessedStateRemote
585 zoneID:self.keychainZoneID
586 encodedCKRecord:nil];
587 [self.keychainZone addToZone: [cip2 CKRecordWithZoneID:self.keychainZoneID]];
588 CKRecordID* currentPointerRecordID2 = [[CKRecordID alloc] initWithRecordName: @"com.apple.security.ckks-pcsservice" zoneID:self.keychainZoneID];
589 CKRecord* currentPointerRecord2 = self.keychainZone.currentDatabase[currentPointerRecordID2];
590 XCTAssertNotNil(currentPointerRecord2, "Found record in CloudKit at expected UUID");
591
592 keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
593
594 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
595 [self.keychainView waitForFetchAndIncomingQueueProcessing];
596
597 [self waitForExpectations:@[keychainChanged] timeout:8];
598 [self fetchCurrentPointer:false persistentRef:persistentRef2];
599
600 SecResetLocalSecuritydXPCFakeEntitlements();
601 }
602
603
604 - (void)testPCSCurrentPointerReceiveDelete {
605 SecResetLocalSecuritydXPCFakeEntitlements();
606 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
607 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
608 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
609
610 NSNumber* servIdentifier = @3;
611 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
612 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
613
614 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
615 [self startCKKSSubsystem];
616
617 // Let things shake themselves out.
618 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], @"key state should enter 'ready'");
619 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
620
621 // Ensure there's no current pointer
622 [self fetchCurrentPointerExpectingError:false];
623
624 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
625 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
626 PCSServiceIdentifier:(NSNumber *)servIdentifier
627 PCSPublicKey:publicKey
628 PCSPublicIdentity:publicIdentity]];
629
630 NSDictionary* result = [self pcsAddItem:@"testaccount"
631 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
632 serviceIdentifier:(NSNumber*)servIdentifier
633 publicKey:(NSData*)publicKey
634 publicIdentity:(NSData*)publicIdentity
635 expectingSync:true];
636 XCTAssertNotNil(result, "Received result from adding item");
637 NSData* persistentRef = result[(id)kSecValuePersistentRef];
638
639 // Check that the record is where we expect it in CloudKit
640 [self waitForCKModifications];
641 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
642 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
643 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
644
645 // Still no current pointer.
646 [self fetchCurrentPointerExpectingError:false];
647
648 // Another machine comes along and updates the pointer!
649 CKKSCurrentItemPointer* cip = [[CKKSCurrentItemPointer alloc] initForIdentifier:@"com.apple.security.ckks-pcsservice"
650 currentItemUUID:@"50184A35-4480-E8BA-769B-567CF72F1EC0"
651 state:SecCKKSProcessedStateRemote
652 zoneID:self.keychainZoneID
653 encodedCKRecord:nil];
654 [self.keychainZone addToZone: [cip CKRecordWithZoneID:self.keychainZoneID]];
655 CKRecordID* currentPointerRecordID = [[CKRecordID alloc] initWithRecordName: @"com.apple.security.ckks-pcsservice" zoneID:self.keychainZoneID];
656 CKRecord* currentPointerRecord = self.keychainZone.currentDatabase[currentPointerRecordID];
657 XCTAssertNotNil(currentPointerRecord, "Found record in CloudKit at expected UUID");
658
659 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
660 [self.keychainView waitForFetchAndIncomingQueueProcessing];
661
662 [self fetchCurrentPointer:false persistentRef:persistentRef];
663
664 // Ensure that receiving the current item pointer generates a notification
665 XCTestExpectation* keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName];
666
667 // Another machine comes along and deletes the pointer!
668 [self.keychainZone deleteCKRecordIDFromZone: currentPointerRecordID];
669
670 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
671 [self.keychainView waitForFetchAndIncomingQueueProcessing];
672 [self waitForExpectations:@[keychainChanged] timeout:8];
673
674 [self fetchCurrentPointerExpectingError:false];
675
676 SecResetLocalSecuritydXPCFakeEntitlements();
677 }
678
679
680 - (void)testPCSCurrentPointerRecoverFromRecordExistsError {
681 SecResetLocalSecuritydXPCFakeEntitlements();
682 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
683 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
684 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
685
686 NSNumber* servIdentifier = @3;
687 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
688 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
689
690 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
691 [self startCKKSSubsystem];
692
693 // Let things shake themselves out.
694 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], @"key state should enter 'ready'");
695 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
696
697 // Ensure there's no current pointer
698 [self fetchCurrentPointerExpectingError:false];
699
700 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
701 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
702 PCSServiceIdentifier:(NSNumber *)servIdentifier
703 PCSPublicKey:publicKey
704 PCSPublicIdentity:publicIdentity]];
705
706 NSDictionary* result = [self pcsAddItem:@"testaccount"
707 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
708 serviceIdentifier:(NSNumber*)servIdentifier
709 publicKey:(NSData*)publicKey
710 publicIdentity:(NSData*)publicIdentity
711 expectingSync:true];
712 XCTAssertNotNil(result, "Received result from adding item");
713
714 // Check that the record is where we expect it in CloudKit
715 [self waitForCKModifications];
716 NSString* recordUUID = @"50184A35-4480-E8BA-769B-567CF72F1EC0";
717 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName:recordUUID zoneID:self.keychainZoneID];
718 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
719 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
720
721 // Someone else sets the current record pointer
722 CKKSCurrentItemPointer* cip = [[CKKSCurrentItemPointer alloc] initForIdentifier:@"com.apple.security.ckks-pcsservice"
723 currentItemUUID:recordUUID
724 state:SecCKKSProcessedStateRemote
725 zoneID:self.keychainZoneID
726 encodedCKRecord:nil];
727 XCTAssertNotNil(cip, "Should have created a CIP");
728 CKRecord* cipRecord = [cip CKRecordWithZoneID:self.keychainZoneID];
729 XCTAssertNotNil(cipRecord, "Should have created a CKRecord for this CIP");
730 [self.keychainZone addToZone: cipRecord];
731
732 NSData* persistentRef = result[(id)kSecValuePersistentRef];
733 NSData* sha1 = result[(id)kSecAttrSHA1];
734
735 [self expectCKAtomicModifyItemRecordsUpdateFailure:self.keychainZoneID];
736
737 // Set the 'current' pointer.
738 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
739
740 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
741 (__bridge CFStringRef)@"pcsservice",
742 (__bridge CFStringRef)@"keychain",
743 (__bridge CFDataRef)persistentRef,
744 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
745 NSError* error = (__bridge NSError*)cferror;
746 XCTAssertNotNil(error, "Should have received an error setting current item (because of conflict)");
747 [setCurrentExpectation fulfill];
748 });
749 OCMVerifyAllWithDelay(self.mockDatabase, 20);
750 [self waitForCKModifications];
751 [self waitForExpectationsWithTimeout:8.0 handler:nil];
752
753 [self.keychainView waitUntilAllOperationsAreFinished];
754
755 [self fetchCurrentPointer:false persistentRef:persistentRef];
756
757 SecResetLocalSecuritydXPCFakeEntitlements();
758 }
759
760 - (void)testPCSCurrentPointerWasCurrent {
761 SecResetLocalSecuritydXPCFakeEntitlements();
762 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
763 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
764 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
765
766 NSNumber* servIdentifier = @3;
767 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
768 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
769
770 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
771 [self startCKKSSubsystem];
772
773 // Let things shake themselves out.
774 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], @"key state should enter 'ready'");
775 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
776
777 // Ensure there's no current pointer
778 [self fetchCurrentPointerExpectingError:false];
779
780 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
781 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
782 PCSServiceIdentifier:(NSNumber *)servIdentifier
783 PCSPublicKey:publicKey
784 PCSPublicIdentity:publicIdentity]];
785
786 NSDictionary* result = [self pcsAddItem:@"testaccount"
787 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
788 serviceIdentifier:(NSNumber*)servIdentifier
789 publicKey:(NSData*)publicKey
790 publicIdentity:(NSData*)publicIdentity
791 expectingSync:true];
792 XCTAssertNotNil(result, "Received result from adding item");
793
794 // Check that the record is where we expect it in CloudKit
795 [self waitForCKModifications];
796 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
797 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
798 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
799
800 NSData* persistentRef = result[(id)kSecValuePersistentRef];
801 NSData* sha1 = result[(id)kSecAttrSHA1];
802
803 [self expectCKModifyRecords:@{SecCKRecordCurrentItemType: [NSNumber numberWithUnsignedInteger: 1]}
804 deletedRecordTypeCounts:nil
805 zoneID:self.keychainZoneID
806 checkModifiedRecord:nil
807 runAfterModification:nil];
808
809 // Set the 'current' pointer.
810 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
811
812 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
813 (__bridge CFStringRef)@"pcsservice",
814 (__bridge CFStringRef)@"keychain",
815 (__bridge CFDataRef)persistentRef,
816 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
817 NSError* error = (__bridge NSError*)cferror;
818 XCTAssertNil(error, "No error setting current item");
819 [setCurrentExpectation fulfill];
820 });
821 OCMVerifyAllWithDelay(self.mockDatabase, 20);
822 [self waitForExpectationsWithTimeout:8.0 handler:nil];
823 [self waitForCKModifications];
824
825 // Set the 'was current' flag on the record
826 CKRecord* modifiedRecord = [record copy];
827 modifiedRecord[SecCKRecordServerWasCurrent] = [NSNumber numberWithInteger:10];
828 [self.keychainZone addToZone:modifiedRecord];
829
830 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
831 [self.keychainView waitForFetchAndIncomingQueueProcessing];
832
833 // Check that the number is on the CKKSMirrorEntry
834 [self.keychainView dispatchSyncWithReadOnlySQLTransaction:^{
835 NSError* error = nil;
836 CKKSMirrorEntry* ckme = [CKKSMirrorEntry fromDatabase:@"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID error:&error];
837
838 XCTAssertNil(error, "no error fetching ckme");
839 XCTAssertNotNil(ckme, "Received a ckme");
840
841 XCTAssertEqual(ckme.wasCurrent, 10u, "Properly received wasCurrent");
842 }];
843 }
844
845 -(void)testPCSCurrentPointerWriteFailure {
846 SecResetLocalSecuritydXPCFakeEntitlements();
847 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
848 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
849 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
850
851 NSNumber* servIdentifier = @3;
852 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
853 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
854
855 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
856 [self startCKKSSubsystem];
857
858 // Let things shake themselves out.
859 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], @"key state should enter 'ready'");
860 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
861
862 // Ensure there's no current pointer
863 [self fetchCurrentPointerExpectingError:false];
864
865 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
866 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
867 PCSServiceIdentifier:(NSNumber *)servIdentifier
868 PCSPublicKey:publicKey
869 PCSPublicIdentity:publicIdentity]];
870
871 NSDictionary* result = [self pcsAddItem:@"testaccount"
872 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
873 serviceIdentifier:(NSNumber*)servIdentifier
874 publicKey:(NSData*)publicKey
875 publicIdentity:(NSData*)publicIdentity
876 expectingSync:true];
877 XCTAssertNotNil(result, "Received result from adding item");
878
879 // Check that the record is where we expect it in CloudKit
880 [self waitForCKModifications];
881 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
882 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
883 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
884
885 NSData* persistentRef = result[(id)kSecValuePersistentRef];
886 NSData* sha1 = result[(id)kSecAttrSHA1];
887
888 [self failNextCKAtomicModifyItemRecordsUpdateFailure:self.keychainZoneID];
889
890 // Set the 'current' pointer.
891 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
892
893 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
894 (__bridge CFStringRef)@"pcsservice",
895 (__bridge CFStringRef)@"keychain",
896 (__bridge CFDataRef)persistentRef,
897 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
898 NSError* error = (__bridge NSError*)cferror;
899 XCTAssertNotNil(error, "Error setting current item when the write fails");
900 [setCurrentExpectation fulfill];
901 });
902 OCMVerifyAllWithDelay(self.mockDatabase, 40);
903
904 [self waitForExpectationsWithTimeout:8.0 handler:nil];
905
906 SecResetLocalSecuritydXPCFakeEntitlements();
907 }
908
909 - (void)testPCSCurrentRecoverFromDanglingPointer {
910 SecResetLocalSecuritydXPCFakeEntitlements();
911 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
912 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
913 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
914
915 NSNumber* servIdentifier = @3;
916 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
917 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
918
919 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
920 [self startCKKSSubsystem];
921
922 // Let things shake themselves out.
923 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], @"key state should enter 'ready'");
924 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
925
926 // Ensure there's no current pointer
927 [self fetchCurrentPointerExpectingError:false];
928
929 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
930 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
931 PCSServiceIdentifier:(NSNumber *)servIdentifier
932 PCSPublicKey:publicKey
933 PCSPublicIdentity:publicIdentity]];
934
935 NSDictionary* result = [self pcsAddItem:@"testaccount"
936 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
937 serviceIdentifier:(NSNumber*)servIdentifier
938 publicKey:(NSData*)publicKey
939 publicIdentity:(NSData*)publicIdentity
940 expectingSync:true];
941 XCTAssertNotNil(result, "Received result from adding item");
942
943 // Check that the record is where we expect it in CloudKit
944 [self waitForCKModifications];
945 CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
946 CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID];
947 XCTAssertNotNil(record, "Found record in CloudKit at expected UUID");
948
949 NSData* persistentRef = result[(id)kSecValuePersistentRef];
950 NSData* sha1 = result[(id)kSecAttrSHA1];
951
952 [self expectCKModifyRecords:@{SecCKRecordCurrentItemType: [NSNumber numberWithUnsignedInteger: 1]}
953 deletedRecordTypeCounts:nil
954 zoneID:self.keychainZoneID
955 checkModifiedRecord:nil
956 runAfterModification:nil];
957
958 // Set the 'current' pointer.
959 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
960
961 // Ensure that setting the current pointer sends a notification
962 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
963 (__bridge CFStringRef)@"pcsservice",
964 (__bridge CFStringRef)@"keychain",
965 (__bridge CFDataRef)persistentRef,
966 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
967 NSError* error = (__bridge NSError*)cferror;
968 XCTAssertNil(error, "No error setting current item");
969 [setCurrentExpectation fulfill];
970 });
971 OCMVerifyAllWithDelay(self.mockDatabase, 20);
972 [self waitForCKModifications];
973
974 [self waitForExpectationsWithTimeout:8.0 handler:nil];
975
976 // Delete the keychain item
977 [self expectCKDeleteItemRecords:1 zoneID:self.keychainZoneID];
978 XCTAssertEqual(errSecSuccess, SecItemDelete((__bridge CFDictionaryRef)@{
979 (id)kSecClass : (id)kSecClassGenericPassword,
980 (id)kSecAttrAccessGroup : @"com.apple.security.ckks",
981 (id)kSecAttrAccount:@"testaccount",
982 (id)kSecAttrSynchronizable : (id)kCFBooleanTrue,
983 }), "Should receive no error deleting item");
984 OCMVerifyAllWithDelay(self.mockDatabase, 20);
985
986 // Now, fetch the current pointer: we should get an error
987 [self fetchCurrentPointerExpectingError:false];
988
989 // Setting the current item pointer again, using a NULL old value, should work.
990 [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID
991 checkItem: [self checkPCSFieldsBlock:self.keychainZoneID
992 PCSServiceIdentifier:(NSNumber *)servIdentifier
993 PCSPublicKey:publicKey
994 PCSPublicIdentity:publicIdentity]];
995
996 result = [self pcsAddItem:@"testaccount2"
997 data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding]
998 serviceIdentifier:(NSNumber*)servIdentifier
999 publicKey:(NSData*)publicKey
1000 publicIdentity:(NSData*)publicIdentity
1001 expectingSync:true];
1002 XCTAssertNotNil(result, "Should have result from adding item2");
1003
1004 persistentRef = result[(id)kSecValuePersistentRef];
1005 sha1 = result[(id)kSecAttrSHA1];
1006
1007 [self expectCKModifyRecords:@{SecCKRecordCurrentItemType: [NSNumber numberWithUnsignedInteger: 1]}
1008 deletedRecordTypeCounts:nil
1009 zoneID:self.keychainZoneID
1010 checkModifiedRecord:nil
1011 runAfterModification:nil];
1012
1013 // Set the 'current' pointer.
1014 setCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
1015
1016 // Ensure that setting the current pointer sends a notification
1017 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
1018 (__bridge CFStringRef)@"pcsservice",
1019 (__bridge CFStringRef)@"keychain",
1020 (__bridge CFDataRef)persistentRef,
1021 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
1022 NSError* error = (__bridge NSError*)cferror;
1023 XCTAssertNil(error, "No error setting current item");
1024 [setCurrentExpectation fulfill];
1025 });
1026 OCMVerifyAllWithDelay(self.mockDatabase, 20);
1027 [self waitForCKModifications];
1028 [self waitForExpectationsWithTimeout:8.0 handler:nil];
1029
1030 SecResetLocalSecuritydXPCFakeEntitlements();
1031 }
1032
1033 -(void)testPCSCurrentSetConflictedItemAsCurrent {
1034 SecResetLocalSecuritydXPCFakeEntitlements();
1035 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue);
1036 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue);
1037 SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue);
1038
1039 NSNumber* servIdentifier = @3;
1040 NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding];
1041 NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding];
1042
1043 [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
1044 [self startCKKSSubsystem];
1045
1046 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], "Key state should have become ready");
1047 [self.keychainView waitUntilAllOperationsAreFinished];
1048
1049 // Before CKKS can add the item, shove a conflicting one into CloudKit
1050 NSError* error = nil;
1051
1052 NSString* account = @"testaccount";
1053
1054 // Create an item in CloudKit that will conflict in both UUID and primary key
1055 NSData* itemdata = [[NSData alloc] initWithBase64EncodedString:@"YnBsaXN0MDDbAQIDBAUGBwgJCgsMDQ4PEBESEhMUFVZ2X0RhdGFUYWNjdFR0b21iVHN2Y2VUc2hhMVRtdXNyVGNkYXRUbWRhdFRwZG1uVGFncnBVY2xhc3NEYXNkZlt0ZXN0YWNjb3VudBAAUE8QFF7OzuEEGWTTwzzSp/rjY6ubHW2rQDNBv7zNQtQUQFJja18QF2NvbS5hcHBsZS5zZWN1cml0eS5ja2tzVGdlbnAIHyYrMDU6P0RJTlNZXmpsbYSFjpGrAAAAAAAAAQEAAAAAAAAAFgAAAAAAAAAAAAAAAAAAALA=" options:0];
1056 NSMutableDictionary * item = [[NSPropertyListSerialization propertyListWithData:itemdata
1057 options:0
1058 format:nil
1059 error:&error] mutableCopy];
1060 XCTAssertNil(error, "Error should be nil parsing base64 item");
1061
1062 item[@"v_Data"] = [@"conflictingdata" dataUsingEncoding:NSUTF8StringEncoding];
1063 item[@"vwht"] = @"keychain";
1064 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:@"50184A35-4480-E8BA-769B-567CF72F1EC0" zoneID:self.keychainZoneID];
1065 CKRecord* mismatchedRecord = [self newRecord:ckrid withNewItemData:item];
1066 [self.keychainZone addToZone: mismatchedRecord];
1067
1068 self.keychainView.holdIncomingQueueOperation = [CKKSResultOperation named:@"hold-incoming" withBlock:^{
1069 ckksnotice_global("ckks", "Releasing process incoming queue hold");
1070 }];
1071
1072 NSData* firstItemData = [@"asdf" dataUsingEncoding:NSUTF8StringEncoding];
1073
1074 [self expectCKAtomicModifyItemRecordsUpdateFailure:self.keychainZoneID];
1075 NSDictionary* result = [self pcsAddItem:account
1076 data:firstItemData
1077 serviceIdentifier:(NSNumber*)servIdentifier
1078 publicKey:(NSData*)publicKey
1079 publicIdentity:(NSData*)publicIdentity
1080 expectingSync:false];
1081 XCTAssertNotNil(result, "Should receive result from adding item");
1082
1083 NSData* persistentRef = result[(id)kSecValuePersistentRef];
1084 NSData* sha1 = result[(id)kSecAttrSHA1];
1085
1086 // Ensure that fetching the item without grabbing data returns the same SHA1
1087 NSDictionary* prefquery = @{(id)kSecClass : (id)kSecClassGenericPassword,
1088 (id)kSecReturnAttributes : @YES,
1089 (id)kSecAttrSynchronizable : @YES,
1090 (id)kSecAttrPersistentReference : persistentRef,
1091 (id)kSecMatchLimit : (id)kSecMatchLimitOne,
1092 };
1093 CFTypeRef prefresult = NULL;
1094 XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef)prefquery, &prefresult), "Should be able to find item by persistent ref");
1095 NSDictionary* newPersistentRefResult = (NSDictionary*) CFBridgingRelease(prefresult);
1096 prefresult = NULL;
1097 XCTAssertNotNil(newPersistentRefResult, "Should have received item attributes");
1098 XCTAssertEqualObjects(newPersistentRefResult[(id)kSecAttrSHA1], sha1, "SHA1 should match between Add and Find (with data)");
1099 XCTAssertNil(newPersistentRefResult[(id)kSecValueData], "Should have returned no data");
1100
1101 // Ensure that fetching the item and grabbing data returns the same SHA1
1102 prefquery = @{(id)kSecClass : (id)kSecClassGenericPassword,
1103 (id)kSecReturnAttributes : @YES,
1104 (id)kSecReturnData : @YES,
1105 (id)kSecAttrSynchronizable : @YES,
1106 (id)kSecAttrPersistentReference : persistentRef,
1107 (id)kSecMatchLimit : (id)kSecMatchLimitOne,
1108 };
1109 XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef)prefquery, &prefresult), "Should be able to find item by persistent ref");
1110 newPersistentRefResult = (NSDictionary*) CFBridgingRelease(prefresult);
1111 XCTAssertNotNil(newPersistentRefResult, "Should have received item attributes");
1112 XCTAssertEqualObjects(newPersistentRefResult[(id)kSecAttrSHA1], sha1, "SHA1 should match between Add and Find (with data)");
1113 XCTAssertEqualObjects(newPersistentRefResult[(id)kSecValueData], firstItemData, "Should have returned data matching the item we put in");
1114
1115 // Set the current pointer to the result of adding this item. This should fail.
1116 XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs before incoming queue operation"];
1117 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
1118 (__bridge CFStringRef)@"pcsservice",
1119 (__bridge CFStringRef)@"keychain",
1120 (__bridge CFDataRef)persistentRef,
1121 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
1122 XCTAssertNotNil((__bridge NSError*)cferror, "Should error setting current item to hash of item which failed to sync (before incoming queue operation)");
1123 [setCurrentExpectation fulfill];
1124 });
1125
1126 [self waitForExpectations:@[setCurrentExpectation] timeout:20];
1127
1128 // Now, release the incoming queue processing and retry the failure
1129 [self.operationQueue addOperation:self.keychainView.holdIncomingQueueOperation];
1130 [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
1131
1132 setCurrentExpectation = [self expectationWithDescription: @"callback occurs after incoming queue operation"];
1133 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
1134 (__bridge CFStringRef)@"pcsservice",
1135 (__bridge CFStringRef)@"keychain",
1136 (__bridge CFDataRef)persistentRef,
1137 (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) {
1138 XCTAssertNotNil((__bridge NSError*)cferror, "Should error setting current item to hash of item which failed to sync (after incoming queue operation)");
1139 [setCurrentExpectation fulfill];
1140 });
1141
1142 [self waitForExpectations:@[setCurrentExpectation] timeout:20];
1143
1144 // Reissue a fetch and find the new persistent ref and sha1 for the item at this UUID
1145 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
1146 [self.keychainView waitForFetchAndIncomingQueueProcessing];
1147
1148 // The conflicting item update should have won
1149 [self checkGenericPassword:@"conflictingdata" account:account];
1150
1151 NSDictionary *query = @{(id)kSecClass : (id)kSecClassGenericPassword,
1152 (id)kSecAttrAccessGroup : @"com.apple.security.ckks",
1153 (id)kSecAttrAccount : account,
1154 (id)kSecAttrSynchronizable : (id)kCFBooleanTrue,
1155 (id)kSecMatchLimit : (id)kSecMatchLimitOne,
1156 (id)kSecReturnAttributes: @YES,
1157 (id)kSecReturnPersistentRef: @YES,
1158 };
1159
1160 CFTypeRef cfresult = NULL;
1161 XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef) query, &cfresult), "Finding item %@", account);
1162 NSDictionary* newResult = CFBridgingRelease(cfresult);
1163 XCTAssertNotNil(newResult, "Received an item");
1164
1165 NSData* newPersistentRef = newResult[(id)kSecValuePersistentRef];
1166 NSData* newSha1 = newResult[(id)kSecAttrSHA1];
1167
1168 [self expectCKModifyRecords:@{SecCKRecordCurrentItemType: [NSNumber numberWithUnsignedInteger: 1]}
1169 deletedRecordTypeCounts:nil
1170 zoneID:self.keychainZoneID
1171 checkModifiedRecord:nil
1172 runAfterModification:nil];
1173
1174 XCTestExpectation* newSetCurrentExpectation = [self expectationWithDescription: @"callback occurs"];
1175 SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks",
1176 (__bridge CFStringRef)@"pcsservice",
1177 (__bridge CFStringRef)@"keychain",
1178 (__bridge CFDataRef)newPersistentRef,
1179 (__bridge CFDataRef)newSha1, NULL, NULL, ^ (CFErrorRef cferror) {
1180 XCTAssertNil((__bridge NSError*)cferror, "Shouldn't error setting current item");
1181 [newSetCurrentExpectation fulfill];
1182 });
1183
1184 [self waitForExpectations:@[newSetCurrentExpectation] timeout:20];
1185
1186 SecResetLocalSecuritydXPCFakeEntitlements();
1187 }
1188
1189 @end
1190
1191 #endif // OCTAGON
mirror of Security