]> git.saurik.com Git - apple/security.git/blob - tests/TrustTests/EvaluationTests/SSLPolicyTests.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59754.41.1.tar.gz
[apple/security.git] / tests / TrustTests / EvaluationTests / SSLPolicyTests.m
1 /*
2 * Copyright (c) 2015-2019 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 #include <AssertMacros.h>
26 #import <Foundation/Foundation.h>
27 #import <XCTest/XCTest.h>
28
29 #include <Security/SecPolicyPriv.h>
30 #include <Security/SecTrust.h>
31 #include <Security/SecTrustPriv.h>
32 #include <Security/SecCertificatePriv.h>
33 #include <utilities/SecCFWrappers.h>
34
35 #include "../TestMacroConversions.h"
36 #include "SSLPolicyTests_data.h"
37 #import "TrustEvaluationTestCase.h"
38
39 NSString * const testDirectory = @"ssl-policy-certs";
40
41 @interface SSLPolicyTests : TrustEvaluationTestCase
42 @end
43
44 @implementation SSLPolicyTests
45
46 - (void)testSSLPolicyCerts
47 {
48 NSArray *testPlistURLs = [[NSBundle bundleForClass:[self class]] URLsForResourcesWithExtension:@"plist" subdirectory:testDirectory];
49 if (testPlistURLs.count != 1) {
50 fail("failed to find the test plist");
51 return;
52 }
53
54 NSDictionary <NSString *,NSDictionary *>*tests_dictionary = [NSDictionary dictionaryWithContentsOfURL:testPlistURLs[0]];
55 if (!tests_dictionary) {
56 fail("failed to create test driver dictionary");
57 return;
58 }
59
60 [tests_dictionary enumerateKeysAndObjectsUsingBlock:^(NSString * _Nonnull key, NSDictionary * _Nonnull obj, BOOL * _Nonnull stop) {
61 CFDictionaryRef test_info = (__bridge CFDictionaryRef)obj;
62 CFStringRef test_name = (__bridge CFStringRef)key, file = NULL, reason = NULL, expectedResult = NULL, failureReason = NULL;
63 CFErrorRef trustError = NULL;
64 NSURL *cert_file_url = NULL;
65 NSData *cert_data = nil;
66 bool expectTrustSuccess = false;
67
68 SecCertificateRef leaf = NULL, root = NULL;
69 CFStringRef hostname = NULL;
70 SecPolicyRef policy = NULL;
71 SecTrustRef trust = NULL;
72 CFArrayRef anchor_array = NULL;
73 CFDateRef date = NULL;
74
75 /* get filename in test dictionary */
76 file = CFDictionaryGetValue(test_info, CFSTR("Filename"));
77 require_action_quiet(file, cleanup, fail("%@: Unable to load filename from plist", test_name));
78
79 /* get leaf certificate from file */
80 cert_file_url = [[NSBundle bundleForClass:[self class]] URLForResource:(__bridge NSString *)file withExtension:@"cer" subdirectory:testDirectory];
81 require_action_quiet(cert_file_url, cleanup, fail("%@: Unable to get url for cert file %@",
82 test_name, file));
83
84 cert_data = [NSData dataWithContentsOfURL:cert_file_url];
85
86 /* create certificates */
87 leaf = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)cert_data);
88 root = SecCertificateCreateWithBytes(NULL, _SSLTrustPolicyTestRootCA, sizeof(_SSLTrustPolicyTestRootCA));
89 require_action_quiet(leaf && root, cleanup, fail("%@: Unable to create certificates", test_name));
90
91 /* create policy */
92 hostname = CFDictionaryGetValue(test_info, CFSTR("Hostname"));
93 require_action_quiet(hostname, cleanup, fail("%@: Unable to load hostname from plist", test_name));
94
95 policy = SecPolicyCreateSSL(true, hostname);
96 require_action_quiet(policy, cleanup, fail("%@: Unable to create SSL policy with hostname %@",
97 test_name, hostname));
98
99 /* create trust ref */
100 OSStatus err = SecTrustCreateWithCertificates(leaf, policy, &trust);
101 CFRelease(policy);
102 require_noerr_action(err, cleanup, ok_status(err, "SecTrustCreateWithCertificates"));
103
104 /* set anchor in trust ref */
105 anchor_array = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks);
106 require_action_quiet(anchor_array, cleanup, fail("%@: Unable to create anchor array", test_name));
107 err = SecTrustSetAnchorCertificates(trust, anchor_array);
108 require_noerr_action(err, cleanup, ok_status(err, "SecTrustSetAnchorCertificates"));
109
110 /* set date in trust ref to 4 Sep 2015 */
111 date = CFDateCreate(NULL, 463079909.0);
112 require_action_quiet(date, cleanup, fail("%@: Unable to create verify date", test_name));
113 err = SecTrustSetVerifyDate(trust, date);
114 CFRelease(date);
115 require_noerr_action(err, cleanup, ok_status(err, "SecTrustSetVerifyDate"));
116
117 /* evaluate */
118 bool is_valid = SecTrustEvaluateWithError(trust, &trustError);
119 if (!is_valid) {
120 failureReason = CFErrorCopyDescription(trustError);
121 }
122
123 /* get expected result for test */
124 expectedResult = CFDictionaryGetValue(test_info, CFSTR("Result"));
125 require_action_quiet(expectedResult, cleanup, fail("%@: Unable to get expected result",test_name));
126 if (!CFStringCompare(expectedResult, CFSTR("kSecTrustResultUnspecified"), 0) ||
127 !CFStringCompare(expectedResult, CFSTR("kSecTrustResultProceed"), 0)) {
128 expectTrustSuccess = true;
129 }
130
131 /* process results */
132 if (!CFDictionaryGetValueIfPresent(test_info, CFSTR("Reason"), (const void **)&reason)) {
133 /* not a known failure */
134 ok(is_valid == expectTrustSuccess, "%s %@%@",
135 expectTrustSuccess ? "REGRESSION" : "SECURITY",
136 test_name,
137 trustError);
138 } else if (reason) {
139 /* known failure */
140 XCTAssertTrue(true, "TODO test: %@", reason);
141 ok(is_valid == expectTrustSuccess, "%@%@",
142 test_name, expectTrustSuccess ? failureReason : CFSTR(" valid"));
143 } else {
144 fail("%@: unable to get reason for known failure", test_name);
145 }
146
147 cleanup:
148 CFReleaseNull(leaf);
149 CFReleaseNull(root);
150 CFReleaseNull(trust);
151 CFReleaseNull(anchor_array);
152 CFReleaseNull(failureReason);
153 CFReleaseNull(trustError);
154 }];
155 }
156
157 - (BOOL)runTrustEvaluation:(NSArray *)certs anchors:(NSArray *)anchors error:(NSError **)error
158 {
159 return [self runTrustEvaluation:certs anchors:anchors date:590000000.0 error:error]; // September 12, 2019 at 9:53:20 AM PDT
160 }
161
162 - (BOOL)runTrustEvaluation:(NSArray *)certs anchors:(NSArray *)anchors date:(NSTimeInterval)evalTime error:(NSError **)error
163 {
164 SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("example.com"));
165 NSDate *date = [NSDate dateWithTimeIntervalSinceReferenceDate:evalTime];
166 SecTrustRef trustRef = NULL;
167 BOOL result = NO;
168 CFErrorRef cferror = NULL;
169
170 require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trustRef), errOut);
171 require_noerr(SecTrustSetVerifyDate(trustRef, (__bridge CFDateRef)date), errOut);
172
173 if (anchors) {
174 require_noerr(SecTrustSetAnchorCertificates(trustRef, (__bridge CFArrayRef)anchors), errOut);
175 }
176
177 result = SecTrustEvaluateWithError(trustRef, &cferror);
178 if (error && cferror) {
179 *error = (__bridge NSError*)cferror;
180 }
181
182 errOut:
183 CFReleaseNull(policy);
184 CFReleaseNull(trustRef);
185 CFReleaseNull(cferror);
186 return result;
187 }
188
189 - (void)testSystemTrust_MissingEKU
190 {
191 [self setTestRootAsSystem:_EKUTestSSLRootHash];
192 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _noEKU_BeforeJul2019, sizeof(_noEKU_BeforeJul2019));
193 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
194 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
195
196 NSError *error = nil;
197 XCTAssertFalse([self runTrustEvaluation:certs anchors:@[(__bridge id)root] error:&error], "system-trusted missing EKU cert succeeded");
198
199 [self removeTestRootAsSystem];
200 CFReleaseNull(leaf);
201 CFReleaseNull(root);
202 }
203
204 - (void)testSystemTrust_AnyEKU
205 {
206 [self setTestRootAsSystem:_EKUTestSSLRootHash];
207 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _anyEKU_BeforeJul2019, sizeof(_anyEKU_BeforeJul2019));
208 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
209 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
210
211 NSError *error = nil;
212 XCTAssertFalse([self runTrustEvaluation:certs anchors:@[(__bridge id)root] error:&error], "system-trusted Any EKU cert succeeded");
213
214 [self removeTestRootAsSystem];
215 CFReleaseNull(leaf);
216 CFReleaseNull(root);
217 }
218
219 - (void)testSystemTrust_ServerAuthEKU
220 {
221 [self setTestRootAsSystem:_EKUTestSSLRootHash];
222 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _serverEKU_BeforeJul2019, sizeof(_serverEKU_BeforeJul2019));
223 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
224 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
225
226 NSError *error = nil;
227 XCTAssertTrue([self runTrustEvaluation:certs anchors:@[(__bridge id)root] error:&error], "system-trusted ServerAuth EKU cert failed: %@", error);
228
229 [self removeTestRootAsSystem];
230 CFReleaseNull(leaf);
231 CFReleaseNull(root);
232 }
233
234 - (void)testSystemTrust_subCAMissingEKU
235 {
236 SecCertificateRef systemRoot = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_Root"
237 subdirectory:testDirectory];
238 NSData *rootHash = CFBridgingRelease(SecCertificateCopySHA256Digest(systemRoot));
239 [self setTestRootAsSystem:(const uint8_t *)[rootHash bytes]];
240
241 SecCertificateRef subCa = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_noEKU_ca"
242 subdirectory:testDirectory];
243 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_noEKU_leaf"
244 subdirectory:testDirectory];
245 NSArray *certs = @[(__bridge id)leaf, (__bridge id)subCa];
246 NSError *error = nil;
247 XCTAssertTrue([self runTrustEvaluation:certs anchors:@[(__bridge id)systemRoot] date:620000000.0 error:&error], //August 24, 2020 at 3:13:20 PM PDT
248 "system-trusted no EKU subCA cert failed: %@", error);
249
250 [self removeTestRootAsSystem];
251 CFReleaseNull(systemRoot);
252 CFReleaseNull(subCa);
253 CFReleaseNull(leaf);
254 }
255
256 - (void)testSystemTrust_subCAAnyEKU
257 {
258 SecCertificateRef systemRoot = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_Root"
259 subdirectory:testDirectory];
260 NSData *rootHash = CFBridgingRelease(SecCertificateCopySHA256Digest(systemRoot));
261 [self setTestRootAsSystem:(const uint8_t *)[rootHash bytes]];
262
263 SecCertificateRef subCa = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_anyEKU_ca"
264 subdirectory:testDirectory];
265 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_anyEKU_leaf"
266 subdirectory:testDirectory];
267 NSArray *certs = @[(__bridge id)leaf, (__bridge id)subCa];
268 NSError *error = nil;
269 XCTAssertTrue([self runTrustEvaluation:certs anchors:@[(__bridge id)systemRoot] date:620000000.0 error:&error], //August 24, 2020 at 3:13:20 PM PDT
270 "system-trusted anyEKU subCA cert failed: %@", error);
271
272 [self removeTestRootAsSystem];
273 CFReleaseNull(systemRoot);
274 CFReleaseNull(subCa);
275 CFReleaseNull(leaf);
276 }
277
278 - (void)testSystemTrust_subCAServerAuthEKU
279 {
280 SecCertificateRef systemRoot = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_Root"
281 subdirectory:testDirectory];
282 NSData *rootHash = CFBridgingRelease(SecCertificateCopySHA256Digest(systemRoot));
283 [self setTestRootAsSystem:(const uint8_t *)[rootHash bytes]];
284
285 SecCertificateRef subCa = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_ssl_ca"
286 subdirectory:testDirectory];
287 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_ssl_leaf"
288 subdirectory:testDirectory];
289 NSArray *certs = @[(__bridge id)leaf, (__bridge id)subCa];
290 NSError *error = nil;
291 XCTAssertTrue([self runTrustEvaluation:certs anchors:@[(__bridge id)systemRoot] date:620000000.0 error:&error], //August 24, 2020 at 3:13:20 PM PDT
292 "system-trusted SSL EKU subCA cert failed: %@", error);
293
294 [self removeTestRootAsSystem];
295 CFReleaseNull(systemRoot);
296 CFReleaseNull(subCa);
297 CFReleaseNull(leaf);
298 }
299
300 - (void)testSystemTrust_subCA_SMIME_EKU
301 {
302 SecCertificateRef systemRoot = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_Root"
303 subdirectory:testDirectory];
304 NSData *rootHash = CFBridgingRelease(SecCertificateCopySHA256Digest(systemRoot));
305 [self setTestRootAsSystem:(const uint8_t *)[rootHash bytes]];
306
307 SecCertificateRef subCa = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_smime_ca"
308 subdirectory:testDirectory];
309 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_smime_leaf"
310 subdirectory:testDirectory];
311 NSArray *certs = @[(__bridge id)leaf, (__bridge id)subCa];
312 NSError *error = nil;
313 XCTAssertFalse([self runTrustEvaluation:certs anchors:@[(__bridge id)systemRoot] date:620000000.0 error:&error], //August 24, 2020 at 3:13:20 PM PDT
314 "system-trusted SMIME subCA cert succeeded");
315 XCTAssertNotNil(error);
316 if (error) {
317 XCTAssertEqual(error.code, errSecInvalidExtendedKeyUsage);
318 }
319
320 [self removeTestRootAsSystem];
321 CFReleaseNull(systemRoot);
322 CFReleaseNull(subCa);
323 CFReleaseNull(leaf);
324 }
325
326 - (void)testAppTrust_subCA_SMIME_EKU
327 {
328 SecCertificateRef systemRoot = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_Root"
329 subdirectory:testDirectory];
330 SecCertificateRef subCa = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_smime_ca"
331 subdirectory:testDirectory];
332 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"subCA_EKU_smime_leaf"
333 subdirectory:testDirectory];
334 NSArray *certs = @[(__bridge id)leaf, (__bridge id)subCa];
335 NSError *error = nil;
336 XCTAssertTrue([self runTrustEvaluation:certs anchors:@[(__bridge id)systemRoot] date:620000000.0 error:&error], //August 24, 2020 at 3:13:20 PM PDT
337 "app-trusted smime subCA cert failed: %@", error);
338
339 CFReleaseNull(systemRoot);
340 CFReleaseNull(subCa);
341 CFReleaseNull(leaf);
342 }
343
344 // Other app trust of root SSL EKU tests of certs issued before July 2019 occur in testSSLPolicyCerts (Test4, Test17)
345
346 - (void)testAppTrustRoot_AnyEKU_BeforeJul2019
347 {
348 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _anyEKU_BeforeJul2019, sizeof(_anyEKU_BeforeJul2019));
349 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
350 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
351
352 NSError *error = nil;
353 XCTAssertTrue([self runTrustEvaluation:certs anchors:@[(__bridge id)root] error:&error], "app-trusted root, anyEKU leaf failed: %@", error);
354
355 CFReleaseNull(leaf);
356 CFReleaseNull(root);
357 }
358
359 - (void)testAppTrustRoot_MissingEKU_AfterJul2019
360 {
361 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _noEKU_AfterJul2019, sizeof(_noEKU_AfterJul2019));
362 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
363 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
364
365 NSError *error = nil;
366 XCTAssertFalse([self runTrustEvaluation:certs anchors:@[(__bridge id)root] error:&error], "app-trusted root, missing EKU leaf succeeded");
367
368 CFReleaseNull(leaf);
369 CFReleaseNull(root);
370 }
371
372 - (void)testAppTrustLegacy_MissingEKU_AfterJul2019
373 {
374 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _noEKU_AfterJul2019, sizeof(_noEKU_AfterJul2019));
375 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
376 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
377
378 SecPolicyRef policy = SecPolicyCreateLegacySSL(true, CFSTR("example.com"));
379 NSDate *date = [NSDate dateWithTimeIntervalSinceReferenceDate:590000000.0]; // September 12, 2019 at 9:53:20 AM PDT
380 SecTrustRef trustRef = NULL;
381 CFErrorRef cferror = NULL;
382
383 require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trustRef), errOut);
384 require_noerr(SecTrustSetVerifyDate(trustRef, (__bridge CFDateRef)date), errOut);
385 require_noerr(SecTrustSetAnchorCertificates(trustRef, (__bridge CFArrayRef)@[(__bridge id)root]), errOut);
386
387 XCTAssertTrue(SecTrustEvaluateWithError(trustRef, &cferror));
388
389 errOut:
390 CFReleaseNull(policy);
391 CFReleaseNull(trustRef);
392 CFReleaseNull(cferror);
393 CFReleaseNull(leaf);
394 CFReleaseNull(root);
395 }
396
397 - (void)testAppTrustRoot_AnyEKU_AfterJul2019
398 {
399 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _anyEKU_AfterJul2019, sizeof(_anyEKU_AfterJul2019));
400 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
401 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
402
403 NSError *error = nil;
404 XCTAssertFalse([self runTrustEvaluation:certs anchors:@[(__bridge id)root] error:&error], "app-trusted root, anyEKU leaf succeeded");
405
406 CFReleaseNull(leaf);
407 CFReleaseNull(root);
408 }
409
410 - (void)testAppTrustRoot_ServerAuthEKU_AfterJul2019
411 {
412 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _serverEKU_AfterJul2019, sizeof(_serverEKU_AfterJul2019));
413 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
414 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
415
416 NSError *error = nil;
417 XCTAssertTrue([self runTrustEvaluation:certs anchors:@[(__bridge id)root] error:&error], "app-trusted root, serverAuth EKU leaf failed: %@", error);
418
419 CFReleaseNull(leaf);
420 CFReleaseNull(root);
421 }
422
423 - (void)testAppTrustLeaf_MissingEKU_AfterJul2019
424 {
425 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _noEKU_AfterJul2019, sizeof(_noEKU_AfterJul2019));
426
427 NSError *error = nil;
428 XCTAssertFalse([self runTrustEvaluation:@[(__bridge id)leaf] anchors:@[(__bridge id)leaf] error:&error], "app-trusted missing EKU leaf succeeded");
429
430 CFReleaseNull(leaf);
431 }
432
433 #if !TARGET_OS_BRIDGE // bridgeOS doesn't support trust settings
434 - (void)testUserTrustRoot_MissingEKU_AfterJul2019
435 {
436 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _noEKU_AfterJul2019, sizeof(_noEKU_AfterJul2019));
437 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
438 id persistentRef = [self addTrustSettingsForCert:root];
439 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
440
441 NSError *error = nil;
442 XCTAssertTrue([self runTrustEvaluation:certs anchors:nil error:&error], "user-trusted root, missing EKU leaf failed: %@", error);
443
444 [self removeTrustSettingsForCert:root persistentRef:persistentRef];
445 CFReleaseNull(leaf);
446 CFReleaseNull(root);
447 }
448
449 - (void)testUserTrustRoot_AnyEKU_AfterJul2019
450 {
451 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _anyEKU_AfterJul2019, sizeof(_anyEKU_AfterJul2019));
452 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
453 id persistentRef = [self addTrustSettingsForCert:root];
454 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
455
456 NSError *error = nil;
457 XCTAssertTrue([self runTrustEvaluation:certs anchors:nil error:&error], "user-trusted root, anyEKU leaf failed: %@", error);
458
459 [self removeTrustSettingsForCert:root persistentRef:persistentRef];
460 CFReleaseNull(leaf);
461 CFReleaseNull(root);
462 }
463
464 - (void)testUserTrustRoot_ServerAuthEKU_AfterJul2019
465 {
466 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _serverEKU_AfterJul2019, sizeof(_serverEKU_AfterJul2019));
467 SecCertificateRef root = SecCertificateCreateWithBytes(NULL, _EKUTestSSLRoot, sizeof(_EKUTestSSLRoot));
468 id persistentRef = [self addTrustSettingsForCert:root];
469 NSArray *certs = @[(__bridge id)leaf, (__bridge id)root];
470
471 NSError *error = nil;
472 XCTAssertTrue([self runTrustEvaluation:certs anchors:nil error:&error], "user-trusted root, serverAuth EKU leaf failed: %@", error);
473
474 [self removeTrustSettingsForCert:root persistentRef:persistentRef];
475 CFReleaseNull(leaf);
476 CFReleaseNull(root);
477 }
478
479 - (void)testUserTrustLeaf_MissingEKU_AfterJul2019
480 {
481 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _noEKU_AfterJul2019, sizeof(_noEKU_AfterJul2019));
482 id persistentRef = [self addTrustSettingsForCert:leaf];
483
484 NSError *error = nil;
485 XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error], "user-trusted missing EKU leaf failed: %@", error);
486
487 [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
488 CFReleaseNull(leaf);
489 }
490
491 - (void)testUserTrustLeaf_AnyEKU_AfterJul2019
492 {
493 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _anyEKU_AfterJul2019, sizeof(_anyEKU_AfterJul2019));
494 id persistentRef = [self addTrustSettingsForCert:leaf];
495
496 NSError *error = nil;
497 XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error], "user-trusted anyEKU leaf failed: %@", error);
498
499 [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
500 CFReleaseNull(leaf);
501 }
502
503 - (void)testUserTrustLeaf_ServerAuthEKU_AfterJul2019
504 {
505 SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _serverEKU_AfterJul2019, sizeof(_serverEKU_AfterJul2019));
506 id persistentRef = [self addTrustSettingsForCert:leaf];
507
508 NSError *error = nil;
509 XCTAssertTrue([self runTrustEvaluation:@[(__bridge id)leaf] anchors:nil error:&error], "user-trusted serverAuth EKU leaf failed: %@", error);
510
511 [self removeTrustSettingsForCert:leaf persistentRef:persistentRef];
512 CFReleaseNull(leaf);
513 }
514 #endif // !TARGET_OS_BRIDGE
515
516 - (void)testIPAddressInDNSField
517 {
518 SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, _ipAddress_dnsField, sizeof(_ipAddress_dnsField));
519 SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("10.0.0.1"));
520 TestTrustEvaluation *eval = [[TestTrustEvaluation alloc] initWithCertificates:@[(__bridge id)cert]
521 policies:@[(__bridge id)policy]];
522 [eval setAnchors:@[(__bridge id)cert]];
523 [eval setVerifyDate:[NSDate dateWithTimeIntervalSinceReferenceDate:600000000.0]];
524 XCTAssertFalse([eval evaluate:nil]);
525
526 CFReleaseNull(cert);
527 CFReleaseNull(policy);
528 }
529
530 - (void)testIPAddressInSAN_Match
531 {
532 SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, _ipAddress_SAN, sizeof(_ipAddress_SAN));
533 SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("10.0.0.1"));
534 TestTrustEvaluation *eval = [[TestTrustEvaluation alloc] initWithCertificates:@[(__bridge id)cert]
535 policies:@[(__bridge id)policy]];
536 [eval setAnchors:@[(__bridge id)cert]];
537 [eval setVerifyDate:[NSDate dateWithTimeIntervalSinceReferenceDate:600000000.0]];
538 XCTAssert([eval evaluate:nil]);
539
540 CFReleaseNull(cert);
541 CFReleaseNull(policy);
542 }
543
544 - (void)testIPAddressInSAN_Mismatch
545 {
546 SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, _ipAddress_SAN, sizeof(_ipAddress_SAN));
547 SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("10.0.0.2"));
548 TestTrustEvaluation *eval = [[TestTrustEvaluation alloc] initWithCertificates:@[(__bridge id)cert]
549 policies:@[(__bridge id)policy]];
550 [eval setAnchors:@[(__bridge id)cert]];
551 [eval setVerifyDate:[NSDate dateWithTimeIntervalSinceReferenceDate:600000000.0]];
552 XCTAssertFalse([eval evaluate:nil]);
553
554 CFReleaseNull(cert);
555 CFReleaseNull(policy);
556 }
557
558 - (void)testIPAddressInCN
559 {
560 SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, _ipAddress_CN, sizeof(_ipAddress_CN));
561 SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("10.0.0.1"));
562 TestTrustEvaluation *eval = [[TestTrustEvaluation alloc] initWithCertificates:@[(__bridge id)cert]
563 policies:@[(__bridge id)policy]];
564 [eval setAnchors:@[(__bridge id)cert]];
565 [eval setVerifyDate:[NSDate dateWithTimeIntervalSinceReferenceDate:600000000.0]];
566 XCTAssertFalse([eval evaluate:nil]);
567
568 CFReleaseNull(cert);
569 CFReleaseNull(policy);
570 }
571
572 - (void)testBadIPAddressInSAN
573 {
574 SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, _ipAddress_bad, sizeof(_ipAddress_bad));
575 SecPolicyRef policy = SecPolicyCreateSSL(true, CFSTR("10.0.0.1"));
576 TestTrustEvaluation *eval = [[TestTrustEvaluation alloc] initWithCertificates:@[(__bridge id)cert]
577 policies:@[(__bridge id)policy]];
578 [eval setAnchors:@[(__bridge id)cert]];
579 [eval setVerifyDate:[NSDate dateWithTimeIntervalSinceReferenceDate:600000000.0]];
580 XCTAssertFalse([eval evaluate:nil]);
581
582 CFReleaseNull(cert);
583 CFReleaseNull(policy);
584 }
585
586 @end
mirror of Security