1 /*
2 * Copyright (c) 2006-2019 Apple Inc. All Rights Reserved.
3 */
4
5 #include <AssertMacros.h>
6 #import <XCTest/XCTest.h>
7 #include <CoreFoundation/CoreFoundation.h>
8 #include <Security/SecCertificate.h>
9 #include <Security/SecCertificatePriv.h>
10 #include <Security/SecPolicyPriv.h>
11 #include <Security/SecTrustPriv.h>
12 #include <utilities/array_size.h>
13 #include <utilities/SecCFRelease.h>
14
15 #import "../TestMacroConversions.h"
16 #import "../TrustEvaluationTestHelpers.h"
17 #import "TrustEvaluationTestCase.h"
18
19 #import "CAIssuerTests_data.h"
20
/* Trust-evaluation tests for the CA Issuers (AIA) access method: a leaf is
 * evaluated without its intermediate in the input chain, and the outcome
 * depends on whether the intermediate may be fetched. Certificate bytes come
 * from CAIssuerTests_data.h. */
@interface CAIssuerTests: TrustEvaluationTestCase
@end
23
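@implementation CAIssuerTests

#if !TARGET_OS_WATCH && !TARGET_OS_BRIDGE
/* Evaluates the OVH leaf with no intermediate supplied. With network fetching
 * disallowed the evaluation must be a recoverable failure; once fetching is
 * allowed the intermediate is retrieved through the CA Issuers URI and the
 * result must be kSecTrustResultUnspecified. Fails early when the hosting
 * server cannot be reached, since the second half depends on a live fetch. */
- (void)test_aia
{
    if (!ping_host("crt.comodoca.com")) {
        XCTAssert(false, "Unable to contact required network resource");
        return;
    }

    SecCertificateRef ovh = NULL, comodo_ev = NULL, comodo_aia = NULL;
    CFMutableArrayRef certs = NULL, policies = NULL;
    SecPolicyRef sslPolicy = NULL, revPolicy = NULL;
    CFDateRef verifyDate = NULL;
    SecTrustRef trust = NULL;
    SecTrustResultType trustResult = kSecTrustResultInvalid;

    /* Initialize common variables. comodo_ev and comodo_aia are only parsed
     * here; they are never appended to certs, so the evaluation below has to
     * obtain the intermediate on its own. */
    isnt(ovh = SecCertificateCreateWithBytes(NULL, ovh_certificate,
                                             sizeof(ovh_certificate)), NULL, "create ovh cert");
    isnt(comodo_ev = SecCertificateCreateWithBytes(NULL, comodo_ev_certificate,
                                                   sizeof(comodo_ev_certificate)), NULL, "create comodo_ev cert");
    isnt(comodo_aia = SecCertificateCreateWithBytes(NULL,
                                                    comodo_aia_certificate, sizeof(comodo_aia_certificate)), NULL,
         "create comodo_aia cert");
    certs = CFArrayCreateMutable(kCFAllocatorDefault, 0,
                                 &kCFTypeArrayCallBacks);
    policies = CFArrayCreateMutable(kCFAllocatorDefault, 0,
                                    &kCFTypeArrayCallBacks);
    sslPolicy = SecPolicyCreateSSL(false, NULL); // For now, use SSL client policy to avoid SHA-1 deprecation
    revPolicy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
    CFArrayAppendValue(policies, sslPolicy);
    CFArrayAppendValue(policies, revPolicy);
    /* May 9th 2018. Pinned so the test does not depend on the wall clock. */
    verifyDate = CFDateCreate(NULL, 547600500);

    /* First run with no intermediate and disallow network fetching.
     * Evaluation should fail because it couldn't get the intermediate. */
    CFArrayAppendValue(certs, ovh);
    ok_status(SecTrustCreateWithCertificates(certs, policies, &trust),
              "create trust");
    ok_status(SecTrustSetVerifyDate(trust, verifyDate), "set date");
    ok_status(SecTrustSetNetworkFetchAllowed(trust, false), "set no network");
    ok_status(SecTrustGetTrustResult(trust, &trustResult), "evaluate trust");
    is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
              "trust is kSecTrustResultRecoverableTrustFailure");

    /* Now allow networking. Evaluation should succeed after fetching
     * the intermediate. */
    ok_status(SecTrustSetNetworkFetchAllowed(trust, true), "set allow network");
    ok_status(SecTrustGetTrustResult(trust, &trustResult), "evaluate trust");
    is_status(trustResult, kSecTrustResultUnspecified,
              "trust is kSecTrustResultUnspecified");
    CFReleaseNull(trust);

    /* Common variable cleanup. */
    CFReleaseSafe(sslPolicy);
    CFReleaseSafe(revPolicy);
    CFReleaseSafe(certs);
    CFReleaseSafe(policies);
    CFReleaseSafe(comodo_aia);
    CFReleaseSafe(comodo_ev);
    CFReleaseSafe(ovh);
    CFReleaseSafe(verifyDate);
}

/* A leaf whose CA Issuers URI uses https. The evaluation must fail with
 * errSecCreateChainFailed: the intermediate is absent from the input and is
 * not fetched over https, so no chain can be built. */
- (void)test_aia_https
{
    SecCertificateRef leaf = NULL;
    SecPolicyRef policy = NULL;
    SecTrustRef trust = NULL;
    CFArrayRef certs = NULL;
    CFDateRef verifyDate = NULL;
    CFErrorRef error = NULL;

    leaf = SecCertificateCreateWithBytes(NULL, _caissuer_https, sizeof(_caissuer_https));
    /* kCFTypeArrayCallBacks retains each element, so a NULL leaf would crash
     * inside CFArrayCreate instead of reporting a clean test failure. */
    require_action(leaf != NULL, errOut, fail("failed to create leaf cert"));

    certs = CFArrayCreate(NULL, (const void **)&leaf, 1, &kCFTypeArrayCallBacks);
    policy = SecPolicyCreateSSL(true, CFSTR("example.com"));
    require_noerr_action(SecTrustCreateWithCertificates(certs, policy, &trust), errOut, fail("failed to create trust object"));

    verifyDate = CFDateCreate(NULL, 546700000.0); // April 29, 2018 at 6:06:40 AM PDT
    require_noerr_action(SecTrustSetVerifyDate(trust, verifyDate), errOut, fail("failed to set verify date"));

    /* Evaluate trust. This cert does not chain to anything trusted and we can't fetch an
     * intermediate because the URI is https. */
    is(SecTrustEvaluateWithError(trust, &error), false, "leaf with missing intermediate and https CAIssuer URI succeeded");
    if (error) {
        is(CFErrorGetCode(error), errSecCreateChainFailed, "got wrong error code for missing intermediate with https CAIssuer URI, got %ld, expected %d",
           (long)CFErrorGetCode(error), errSecCreateChainFailed);
    } else {
        fail("expected trust evaluation to fail and it did not.");
    }

errOut:
    CFReleaseNull(leaf);
    CFReleaseNull(policy);
    CFReleaseNull(trust);
    CFReleaseNull(certs);
    CFReleaseNull(verifyDate);
    CFReleaseNull(error);
}
#else /* TARGET_OS_WATCH || TARGET_OS_BRIDGE */
/* Same input as test_aia on platforms where the intermediate is not fetched.
 * The test does not call SecTrustSetNetworkFetchAllowed; it presumably relies
 * on these platforms having no fetch path — confirm before reusing elsewhere.
 * The evaluation must be a recoverable failure. */
- (void)testNoNetworking
{
    SecCertificateRef ovh = NULL, comodo_ev = NULL, comodo_aia = NULL;
    CFMutableArrayRef certs = NULL, policies = NULL;
    SecPolicyRef sslPolicy = NULL, revPolicy = NULL;
    CFDateRef verifyDate = NULL;
    SecTrustRef trust = NULL;
    SecTrustResultType trustResult = kSecTrustResultInvalid;

    /* Initialize common variables. Only ovh is appended to certs; the two
     * Comodo certificates are parsed but never added to the chain. */
    isnt(ovh = SecCertificateCreateWithBytes(NULL, ovh_certificate,
                                             sizeof(ovh_certificate)), NULL, "create ovh cert");
    isnt(comodo_ev = SecCertificateCreateWithBytes(NULL, comodo_ev_certificate,
                                                   sizeof(comodo_ev_certificate)), NULL, "create comodo_ev cert");
    isnt(comodo_aia = SecCertificateCreateWithBytes(NULL,
                                                    comodo_aia_certificate, sizeof(comodo_aia_certificate)), NULL,
         "create comodo_aia cert");
    certs = CFArrayCreateMutable(kCFAllocatorDefault, 0,
                                 &kCFTypeArrayCallBacks);
    policies = CFArrayCreateMutable(kCFAllocatorDefault, 0,
                                    &kCFTypeArrayCallBacks);
    sslPolicy = SecPolicyCreateSSL(false, NULL); // For now, use SSL client policy to avoid SHA-1 deprecation
    revPolicy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
    CFArrayAppendValue(policies, sslPolicy);
    CFArrayAppendValue(policies, revPolicy);
    /* May 9th 2018. */
    verifyDate = CFDateCreate(NULL, 547600500);

    /* Evaluation should fail because it couldn't get the intermediate. */
    CFArrayAppendValue(certs, ovh);
    ok_status(SecTrustCreateWithCertificates(certs, policies, &trust),
              "create trust");
    ok_status(SecTrustSetVerifyDate(trust, verifyDate), "set date");
    ok_status(SecTrustGetTrustResult(trust, &trustResult), "evaluate trust");
    is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
              "trust is kSecTrustResultRecoverableTrustFailure");

    /* Common variable cleanup. */
    CFReleaseSafe(sslPolicy);
    CFReleaseSafe(revPolicy);
    CFReleaseSafe(certs);
    CFReleaseSafe(policies);
    CFReleaseSafe(comodo_aia);
    CFReleaseSafe(comodo_ev);
    CFReleaseSafe(ovh);
    CFReleaseSafe(verifyDate);
}
#endif

@end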