]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si-20-sectrust.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-58286.251.4.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-20-sectrust.c
1 /*
2 * Copyright (c) 2006-2010,2012-2018 Apple Inc. All Rights Reserved.
3 */
4
5 #include <AssertMacros.h>
6 #include <CoreFoundation/CoreFoundation.h>
7 #include <Security/SecCertificate.h>
8 #include <Security/SecCertificatePriv.h>
9 #include <Security/SecPolicyPriv.h>
10 #include <Security/SecTrustPriv.h>
11 #include <Security/SecTrust.h>
12 #include <Security/SecItem.h>
13 #include <utilities/array_size.h>
14 #include <utilities/SecCFWrappers.h>
15 #include <stdlib.h>
16 #include <unistd.h>
17 #include <Security/SecTrustSettings.h>
18
19 #if TARGET_OS_IPHONE
20 #include <Security/SecInternal.h>
21 #include <ipc/securityd_client.h>
22 #endif
23
24 #include "shared_regressions.h"
25 #include "si-20-sectrust.h"
26
27 /* Test SecTrust API. */
28 static void basic_tests(void)
29 {
30 SecTrustRef trust = NULL;
31 CFArrayRef _anchors = NULL, certs = NULL, anchors = NULL, replacementPolicies;
32 SecCertificateRef cert0 = NULL, cert1 = NULL, _anchor = NULL, cert_google = NULL, garthc2 = NULL;
33 SecPolicyRef policy = NULL, replacementPolicy = NULL, replacementPolicy2 = NULL;
34 CFDateRef date = NULL;
35 CFDataRef c0_serial = NULL, serial = NULL;
36 CFDictionaryRef query = NULL;
37
38 isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)),
39 NULL, "create cert0");
40 isnt(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)),
41 NULL, "create cert1");
42 const void *v_certs[] = {
43 cert0,
44 cert1
45 };
46 policy = SecPolicyCreateSSL(false, NULL);
47 certs = CFArrayCreate(NULL, v_certs,
48 array_size(v_certs), &kCFTypeArrayCallBacks);
49
50 /* SecTrustCreateWithCertificates failures. */
51 is_status(SecTrustCreateWithCertificates(kCFBooleanTrue, policy, &trust),
52 errSecParam, "create trust with boolean instead of cert");
53 is_status(SecTrustCreateWithCertificates(cert0, kCFBooleanTrue, &trust),
54 errSecParam, "create trust with boolean instead of policy");
55
56 /* SecTrustCreateWithCertificates using array of certs. */
57 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
58
59 /* NOTE: prior to <rdar://11810677 SecTrustGetCertificateCount would return 1 at this point.
60 * Now, however, we do an implicit SecTrustEvaluate to build the chain if it has not yet been
61 * evaluated, so we now expect the full chain length.
62 */
63 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
64 is(SecTrustGetCertificateAtIndex(trust, 0), cert0, "cert 0 is leaf");
65
66 /* Apr 14 2018. */
67 isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2018, 4, 14, 12, 0, 0),
68 NULL, "create verify date");
69 if (!date) { goto errOut; }
70 ok_status(SecTrustSetVerifyDate(trust, date), "set date");
71
72 SecTrustResultType trustResult;
73
74 #if TARGET_OS_IPHONE
75 SKIP: {
76 #ifdef NO_SERVER
77 skip("Can't fail to connect to securityd in NO_SERVER mode", 4, false);
78 #endif
79 // Test Restore OS environment
80 SecServerSetTrustdMachServiceName("com.apple.security.doesn't-exist");
81 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust without securityd running");
82 is_status(trustResult, kSecTrustResultInvalid, "trustResult is kSecTrustResultInvalid");
83 is(SecTrustGetCertificateCount(trust), 1, "cert count is 1 without securityd running");
84 SecKeyRef pubKey = NULL;
85 ok(pubKey = SecTrustCopyPublicKey(trust), "copy public key without securityd running");
86 CFReleaseNull(pubKey);
87 SecServerSetTrustdMachServiceName("com.apple.trustd");
88 // End of Restore OS environment tests
89 }
90 #endif
91
92 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
93 is_status(trustResult, kSecTrustResultUnspecified,
94 "trustResult is kSecTrustResultUnspecified");
95
96 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
97
98 if (!cert0) { goto errOut; }
99 c0_serial = CFDataCreate(NULL, _c0_serial, sizeof(_c0_serial));
100 CFErrorRef error = NULL;
101 ok(serial = SecCertificateCopySerialNumberData(cert0, &error), "copy cert0 serial");
102 CFReleaseNull(error);
103 ok(CFEqual(c0_serial, serial), "serial matches");
104 CFReleaseNull(serial);
105 CFReleaseNull(c0_serial);
106
107 anchors = CFArrayCreate(NULL, (const void **)&cert1, 1, &kCFTypeArrayCallBacks);
108 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
109 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
110 is_status(trustResult, kSecTrustResultUnspecified,
111 "trust is kSecTrustResultUnspecified");
112 is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
113 #if TARGET_OS_OSX
114 CFArrayRef certArray;
115 ok_status(SecTrustCopyAnchorCertificates(&certArray), "copy anchors");
116 CFReleaseSafe(certArray);
117 ok_status(SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &certArray), "copy certificates");
118 CFReleaseSafe(certArray);
119 #endif
120 CFReleaseNull(anchors);
121 anchors = CFArrayCreate(NULL, NULL, 0, NULL);
122 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set empty anchors list");
123 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
124 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
125 "trust is kSecTrustResultRecoverableTrustFailure");
126 CFReleaseNull(anchors);
127
128 ok_status(SecTrustSetAnchorCertificatesOnly(trust, false), "trust passed in anchors and system anchors");
129 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
130 is_status(trustResult, kSecTrustResultUnspecified,
131 "trust is kSecTrustResultUnspecified");
132
133 ok_status(SecTrustSetAnchorCertificatesOnly(trust, true), "only trust passed in anchors (default)");
134 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
135 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
136 "trust is kSecTrustResultRecoverableTrustFailure");
137
138 /* Test cert_1 intermediate from the keychain. */
139 CFReleaseNull(trust);
140 ok_status(SecTrustCreateWithCertificates(cert0, policy, &trust),
141 "create trust with single cert0");
142 ok_status(SecTrustSetVerifyDate(trust, date), "set date");
143
144 // Add cert1
145 query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
146 kSecClass, kSecClassCertificate, kSecValueRef, cert1, NULL);
147 ok_status(SecItemAdd(query, NULL), "add cert1 to keychain");
148 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
149 // Cleanup added cert1.
150 ok_status(SecItemDelete(query), "remove cert1 from keychain");
151 CFReleaseNull(query);
152 is_status(trustResult, kSecTrustResultUnspecified,
153 "trust is kSecTrustResultUnspecified");
154 is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
155
156 /* Set certs to be the www.google.com leaf. */
157 CFReleaseNull(certs);
158 isnt(cert_google = SecCertificateCreateWithBytes(NULL, google_certificate,
159 sizeof(google_certificate)), NULL, "create cert_google");
160 certs = CFArrayCreate(NULL, (const void **)&cert_google, 1, &kCFTypeArrayCallBacks);
161
162 CFReleaseNull(trust);
163 CFReleaseNull(policy);
164 CFReleaseNull(date);
165 bool server = true;
166 policy = SecPolicyCreateSSL(server, CFSTR("www.google.com"));
167 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
168 "create trust for ssl server www.google.com");
169
170 isnt(_anchor = SecCertificateCreateWithBytes(NULL, googleInternetAuthoritySubCA, sizeof(googleInternetAuthoritySubCA)),
171 NULL, "create root");
172 const void *v_anchors[] = { _anchor };
173 isnt(_anchors = CFArrayCreate(NULL, v_anchors, array_size(v_anchors), &kCFTypeArrayCallBacks),
174 NULL, "create anchors");
175 if (!_anchors) { goto errOut; }
176 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
177
178 /* May 23, 2018. */
179 date = CFDateCreate(NULL, 548800000.0);
180 ok_status(SecTrustSetVerifyDate(trust, date), "set www.google.com trust date to May 23, 2018");
181 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate www.google.com trust");
182 is_status(trustResult, kSecTrustResultUnspecified,
183 "trust is kSecTrustResultUnspecified");
184
185 CFReleaseNull(trust);
186 CFReleaseNull(policy);
187 server = false;
188 policy = SecPolicyCreateSSL(server, CFSTR("www.google.com"));
189 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
190 "create trust for ssl client www.google.com");
191 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
192 ok_status(SecTrustSetVerifyDate(trust, date), "set google trust date to May 23, 2018");
193 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate google trust");
194 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
195 "trust is kSecTrustResultRecoverableTrustFailure");
196
197 CFReleaseNull(trust);
198 CFReleaseNull(policy);
199 server = true;
200 policy = SecPolicyCreateIPSec(server, CFSTR("www.google.com"));
201 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
202 "create trust for ip server www.google.com");
203 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
204 ok_status(SecTrustSetVerifyDate(trust, date), "set www.apple.com trust date to May 23, 2018");
205 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate www.google.com trust");
206 #if 0
207 /* Although this shouldn't be a valid ipsec cert, since we no longer
208 check for ekus in the ipsec policy it is. */
209 is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
210 "trust is kSecTrustResultRecoverableTrustFailure");
211 #else
212 is_status(trustResult, kSecTrustResultUnspecified,
213 "trust is kSecTrustResultUnspecified");
214 #endif
215
216 CFReleaseNull(trust);
217 CFReleaseNull(policy);
218 server = true;
219 policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
220 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
221 "create trust for ssl server nowhere.com");
222 replacementPolicy = SecPolicyCreateSSL(server, CFSTR("www.google.com"));
223 SecTrustSetPolicies(trust, replacementPolicy);
224 CFReleaseNull(replacementPolicy);
225 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
226 ok_status(SecTrustSetVerifyDate(trust, date), "set www.google.com trust date to May 23, 2018");
227 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate www.google.com trust");
228 is_status(trustResult, kSecTrustResultUnspecified,
229 "trust is kSecTrustResultUnspecified");
230
231 CFReleaseNull(trust);
232 CFReleaseNull(policy);
233 server = true;
234 policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
235 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
236 "create trust for ssl server nowhere.com");
237 replacementPolicy2 = SecPolicyCreateSSL(server, CFSTR("www.google.com"));
238 replacementPolicies = CFArrayCreate(kCFAllocatorDefault, (CFTypeRef*)&replacementPolicy2, 1, &kCFTypeArrayCallBacks);
239 SecTrustSetPolicies(trust, replacementPolicies);
240 CFReleaseNull(replacementPolicy2);
241 CFReleaseNull(replacementPolicies);
242 ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors");
243 ok_status(SecTrustSetVerifyDate(trust, date), "set www.google.com trust date to May 23, 2018");
244 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate www.google.com trust");
245 is_status(trustResult, kSecTrustResultUnspecified,
246 "trust is kSecTrustResultUnspecified");
247
248 /* Test self signed ssl cert with cert itself set as anchor. */
249 CFReleaseNull(trust);
250 CFReleaseNull(policy);
251 CFReleaseNull(certs);
252 CFReleaseNull(date);
253 server = true;
254 isnt(garthc2 = SecCertificateCreateWithBytes(NULL, garthc2_certificate,
255 sizeof(garthc2_certificate)), NULL, "create garthc2");
256 certs = CFArrayCreate(NULL, (const void **)&garthc2, 1, &kCFTypeArrayCallBacks);
257 policy = SecPolicyCreateSSL(server, NULL);
258 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
259 "create trust for ip server garthc2.apple.com");
260 date = CFDateCreate(NULL, 269568000.0);
261 ok_status(SecTrustSetVerifyDate(trust, date),
262 "set garthc2 trust date to Aug 2009");
263 ok_status(SecTrustSetAnchorCertificates(trust, certs),
264 "set garthc2 as anchor");
265 ok_status(SecTrustEvaluate(trust, &trustResult),
266 "evaluate self signed cert with cert as anchor");
267 is_status(trustResult, kSecTrustResultUnspecified,
268 "trust is kSecTrustResultUnspecified");
269
270
271 errOut:
272 CFReleaseSafe(garthc2);
273 CFReleaseSafe(cert_google);
274 CFReleaseSafe(anchors);
275 CFReleaseSafe(trust);
276 CFReleaseSafe(serial);
277 CFReleaseSafe(c0_serial);
278 CFReleaseSafe(policy);
279 CFReleaseSafe(certs);
280 CFReleaseSafe(cert0);
281 CFReleaseSafe(cert1);
282 CFReleaseSafe(date);
283
284 CFReleaseSafe(_anchor);
285 CFReleaseSafe(_anchors);
286 }
287
288 static void negative_integer_tests(void)
289 {
290 /* Test that we can handle and fix up negative integer value(s) in ECDSA signature */
291 const void *negIntSigLeaf;
292 isnt(negIntSigLeaf = SecCertificateCreateWithBytes(NULL, _leaf_NegativeIntInSig,
293 sizeof(_leaf_NegativeIntInSig)), NULL, "create negIntSigLeaf");
294 CFArrayRef certs = NULL;
295 isnt(certs = CFArrayCreate(NULL, &negIntSigLeaf, 1, &kCFTypeArrayCallBacks), NULL, "failed to create certs array");
296 SecPolicyRef policy = NULL;
297 isnt(policy = SecPolicyCreateiAP(), NULL, "failed to create policy");
298 SecTrustRef trust = NULL;
299 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
300 "create trust for negIntSigLeaf");
301
302 const void *rootAACA2;
303 isnt(rootAACA2 = SecCertificateCreateWithBytes(NULL, _root_AACA2,
304 sizeof(_root_AACA2)), NULL, "create rootAACA2");
305 CFArrayRef anchors = NULL;
306 isnt(anchors = CFArrayCreate(NULL, &rootAACA2, 1, &kCFTypeArrayCallBacks), NULL, "failed to create anchors array");
307 if (!anchors) { goto errOut; }
308 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor certificates");
309
310 SecTrustResultType trustResult;
311 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
312 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
313
314 errOut:
315 CFReleaseNull(trust);
316 CFReleaseNull(certs);
317 CFReleaseNull(anchors);
318 CFReleaseNull(negIntSigLeaf);
319 CFReleaseNull(rootAACA2);
320 CFReleaseNull(policy);
321 }
322
323 static void rsa8k_tests(void)
324 {
325 /* Test prt_forest_fi that have a 8k RSA key */
326 const void *prt_forest_fi;
327 isnt(prt_forest_fi = SecCertificateCreateWithBytes(NULL, prt_forest_fi_certificate,
328 sizeof(prt_forest_fi_certificate)), NULL, "create prt_forest_fi");
329 CFArrayRef certs = NULL;
330 isnt(certs = CFArrayCreate(NULL, &prt_forest_fi, 1, &kCFTypeArrayCallBacks), NULL, "failed to create cert array");
331 SecPolicyRef policy = NULL;
332 isnt(policy = SecPolicyCreateSSL(true, CFSTR("owa.prt-forest.fi")), NULL, "failed to create policy");
333 SecTrustRef trust = NULL;
334 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
335 "create trust for ip client owa.prt-forest.fi");
336 CFDateRef date = CFDateCreate(NULL, 391578321.0);
337 ok_status(SecTrustSetVerifyDate(trust, date),
338 "set owa.prt-forest.fi trust date to May 2013");
339
340 SecKeyRef pubkey = SecTrustCopyPublicKey(trust);
341 isnt(pubkey, NULL, "pubkey returned");
342
343 CFReleaseNull(certs);
344 CFReleaseNull(prt_forest_fi);
345 CFReleaseNull(policy);
346 CFReleaseNull(trust);
347 CFReleaseNull(pubkey);
348 CFReleaseNull(date);
349 }
350
351 static void date_tests(void)
352 {
353 /* Test long-lived cert chain that expires in 9999 */
354 CFDateRef date = NULL;
355 const void *leaf, *root;
356 isnt(leaf = SecCertificateCreateWithBytes(NULL, longleaf, sizeof(longleaf)), NULL, "create leaf");
357 isnt(root = SecCertificateCreateWithBytes(NULL, longroot, sizeof(longroot)), NULL, "create root");
358
359 CFArrayRef certs = NULL;
360 isnt(certs = CFArrayCreate(NULL, &leaf, 1, &kCFTypeArrayCallBacks), NULL, "failed to create cert array");
361 CFArrayRef anchors = NULL;
362 isnt(anchors = CFArrayCreate(NULL, &root, 1, &kCFTypeArrayCallBacks), NULL, "failed to create anchors array");
363
364 SecPolicyRef policy = NULL;
365 isnt(policy = SecPolicyCreateBasicX509(), NULL, "failed to create policy");
366 SecTrustRef trust = NULL;
367 SecTrustResultType trustResult;
368 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
369 if (!anchors) { goto errOut; }
370 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
371
372 /* September 4, 2013 (prior to "notBefore" date of 2 April 2014, should fail) */
373 isnt(date = CFDateCreate(NULL, 400000000), NULL, "failed to create date");
374 if (!date) { goto errOut; }
375 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 23 Sep 2013");
376 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 23 Sep 2013");
377 is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure");
378 CFReleaseNull(date);
379
380 /* January 17, 2016 (recent date within validity period, should succeed) */
381 isnt(date = CFDateCreate(NULL, 474747474), NULL, "failed to create date");
382 if (!date) { goto errOut; }
383 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 17 Jan 2016");
384 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 17 Jan 2016");
385 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
386 CFReleaseNull(date);
387
388 /* December 20, 9999 (far-future date within validity period, should succeed) */
389 isnt(date = CFDateCreate(NULL, 252423000000), NULL, "failed to create date");
390 if (!date) { goto errOut; }
391 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 20 Dec 9999");
392 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 20 Dec 9999");
393 is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified");
394 CFReleaseNull(date);
395
396 /* January 12, 10000 (after the "notAfter" date of 31 Dec 9999, should fail) */
397 isnt(date = CFDateCreate(NULL, 252425000000), NULL, "failed to create date");
398 if (!date) { goto errOut; }
399 ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 12 Jan 10000");
400 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 12 Jan 10000");
401 is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure");
402 CFReleaseNull(date);
403
404 errOut:
405 CFReleaseNull(trust);
406 CFReleaseNull(policy);
407 CFReleaseNull(anchors);
408 CFReleaseNull(certs);
409 CFReleaseNull(root);
410 CFReleaseNull(leaf);
411 }
412
413 static bool test_chain_of_three(uint8_t *cert0, size_t cert0len,
414 uint8_t *cert1, size_t cert1len,
415 uint8_t *root, size_t rootlen,
416 bool should_succeed, CF_RETURNS_RETAINED CFStringRef *failureReason)
417 {
418 bool ok = false;
419
420 const void *secCert0, *secCert1, *secRoot;
421 isnt(secCert0 = SecCertificateCreateWithBytes(NULL, cert0, cert0len), NULL, "create leaf");
422 isnt(secCert1 = SecCertificateCreateWithBytes(NULL, cert1, cert1len), NULL, "create subCA");
423 isnt(secRoot = SecCertificateCreateWithBytes(NULL, root, rootlen), NULL, "create root");
424
425 const void *v_certs[] = { secCert0, secCert1 };
426 CFArrayRef certs = NULL;
427 isnt(certs = CFArrayCreate(NULL, v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks),
428 NULL, "failed to create cert array");
429 CFArrayRef anchors = NULL;
430 isnt(anchors = CFArrayCreate(NULL, &secRoot, 1, &kCFTypeArrayCallBacks), NULL, "failed to create anchors array");
431
432 SecPolicyRef policy = NULL;
433 isnt(policy = SecPolicyCreateBasicX509(), NULL, "failed to create policy");
434 CFDateRef date = NULL;
435 isnt(date = CFDateCreate(NULL, 472100000.0), NULL, "failed to create date"); // 17 Dec 2015
436
437 SecTrustRef trust = NULL;
438 SecTrustResultType trustResult;
439 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust");
440 if (!date) { goto errOut; }
441 ok_status(SecTrustSetVerifyDate(trust, date), "failed to set verify date");
442 if (!anchors) { goto errOut; }
443 ok_status(SecTrustSetAnchorCertificates(trust, anchors), "failed to set anchors");
444
445 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate chain");
446 is(SecTrustGetCertificateCount(trust), 3, "expected chain of 3");
447 bool did_succeed = (trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed);
448
449 if (failureReason && should_succeed && !did_succeed) {
450 *failureReason = SecTrustCopyFailureDescription(trust);
451 } else if (failureReason && !should_succeed && did_succeed) {
452 *failureReason = CFSTR("expected kSecTrustResultFatalTrustFailure");
453 }
454
455 if ((should_succeed && did_succeed) || (!should_succeed && !did_succeed)) {
456 ok = true;
457 }
458
459 errOut:
460 CFReleaseNull(secCert0);
461 CFReleaseNull(secCert1);
462 CFReleaseNull(secRoot);
463 CFReleaseNull(certs);
464 CFReleaseNull(anchors);
465 CFReleaseNull(date);
466 CFReleaseNull(policy);
467 CFReleaseNull(trust);
468
469 return ok;
470 }
471
472 static void rsa_key_size_tests() {
473
474 ok(test_chain_of_three(_leaf2048A, sizeof(_leaf2048A),_int2048A, sizeof(_int2048A), _root512, sizeof(_root512),
475 false, NULL), "SECURITY: failed to detect weak root");
476 ok(test_chain_of_three(_leaf2048B, sizeof(_leaf2048B), _int512, sizeof(_int512), _root2048, sizeof(_root2048),
477 false, NULL), "SECURITY: failed to detect weak intermediate");
478 ok(test_chain_of_three(_leaf512, sizeof(_leaf512), _int2048B, sizeof(_int2048B), _root2048, sizeof(_root2048),
479 false, NULL), "SECURITY: failed to detect weak leaf");
480
481 CFStringRef failureReason = NULL;
482 ok(test_chain_of_three(_leaf1024, sizeof(_leaf1024), _int2048B, sizeof(_int2048B), _root2048, sizeof(_root2048),
483 true, &failureReason), "REGRESSION: key size test 1024-bit leaf: %@", failureReason);
484 CFReleaseNull(failureReason);
485 ok(test_chain_of_three(_leaf2048C, sizeof(_leaf2048C), _int2048B, sizeof(_int2048B), _root2048, sizeof(_root2048),
486 true, &failureReason), "REGRESSION: key size test 2048-bit leaf: %@", failureReason);
487 CFReleaseNull(failureReason);
488
489 }
490
491 static void ec_key_size_tests() {
492
493 /* Because CoreCrypto does not support P128, we fail to chain if any CAs use weakly sized curves */
494 ok(test_chain_of_three(_leaf128, sizeof(_leaf128), _int384B, sizeof(_int384B), _root384, sizeof(_root384),
495 false, NULL), "SECURITY: failed to detect weak leaf");
496
497 CFStringRef failureReason = NULL;
498 ok(test_chain_of_three(_leaf192, sizeof(_leaf192), _int384B, sizeof(_int384B), _root384, sizeof(_root384),
499 true, &failureReason), "REGRESSION: key size test 192-bit leaf: %@", failureReason);
500 CFReleaseNull(failureReason);
501 ok(test_chain_of_three(_leaf384C, sizeof(_leaf384C), _int384B, sizeof(_int384B), _root384, sizeof(_root384),
502 true, &failureReason), "REGRESSION: key size test 384-bit leaf: %@", failureReason);
503 CFReleaseNull(failureReason);
504
505 }
506
507 static void test_input_certificates() {
508 SecCertificateRef cert0 = NULL, cert1 = NULL;
509 SecPolicyRef policy = NULL;
510 SecTrustRef trust = NULL;
511 CFArrayRef certificates = NULL;
512
513 require(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)), errOut);
514 require(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)), errOut);
515 require(policy = SecPolicyCreateBasicX509(), errOut);
516 require_noerr(SecTrustCreateWithCertificates(cert0, policy, &trust), errOut);
517
518 ok_status(SecTrustCopyInputCertificates(trust, &certificates), "SecTrustCopyInputCertificates failed");
519 is(CFArrayGetCount(certificates), 1, "got too many input certs back");
520 is(CFArrayGetValueAtIndex(certificates, 0), cert0, "wrong input cert");
521 CFReleaseNull(certificates);
522
523 ok_status(SecTrustAddToInputCertificates(trust, cert1), "SecTrustAddToInputCertificates failed");
524 ok_status(SecTrustCopyInputCertificates(trust, &certificates), "SecTrustCopyInputCertificates failed");
525 is(CFArrayGetCount(certificates), 2, "got wrong number of input certs back");
526 is(CFArrayGetValueAtIndex(certificates, 0), cert0, "wrong input cert0");
527 is(CFArrayGetValueAtIndex(certificates, 1), cert1, "wrong input cert1");
528 is(SecTrustGetCertificateCount(trust), 3, "output number of certs is 3");
529
530 errOut:
531 CFReleaseNull(cert0);
532 CFReleaseNull(cert1);
533 CFReleaseNull(policy);
534 CFReleaseNull(trust);
535 CFReleaseNull(certificates);
536 }
537
538 static void test_async_trust() {
539 SecCertificateRef cert0 = NULL, cert1 = NULL;
540 SecPolicyRef policy = NULL;
541 SecTrustRef trust = NULL;
542 CFArrayRef certificates = NULL;
543 CFDateRef date = NULL;
544
545 require(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)), errOut);
546 require(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)), errOut);
547 const void *v_certs[] = {
548 cert0,
549 cert1
550 };
551 certificates = CFArrayCreate(NULL, v_certs,
552 array_size(v_certs),
553 &kCFTypeArrayCallBacks);
554
555 require(policy = SecPolicyCreateBasicX509(), errOut);
556 require_noerr(SecTrustCreateWithCertificates(certificates, policy, &trust), errOut);
557
558 /* Jul 30 2014. */
559 require(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 30, 12, 0, 0), errOut);
560 require_noerr(SecTrustSetVerifyDate(trust, date), errOut);
561
562 /* This shouldn't crash. */
563 ok_status(SecTrustEvaluateAsync(trust, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0),
564 ^(SecTrustRef _Nonnull trustRef, SecTrustResultType trustResult) {
565 if ((trustResult == kSecTrustResultProceed) ||
566 (trustResult == kSecTrustResultUnspecified))
567 {
568 // Evaluation succeeded!
569 SecKeyRef publicKey = SecTrustCopyPublicKey(trustRef);
570
571 CFReleaseSafe(publicKey);
572
573 } else if (trustResult == kSecTrustResultRecoverableTrustFailure) {
574 // Evaluation failed, but may be able to recover . . .
575 } else {
576 // Evaluation failed
577 }
578 }), "evaluate trust asynchronously");
579 CFReleaseNull(trust);
580
581 errOut:
582 CFReleaseNull(cert0);
583 CFReleaseNull(cert1);
584 CFReleaseNull(policy);
585 CFReleaseNull(certificates);
586 CFReleaseNull(date);
587 }
588
589 static void test_expired_only() {
590 SecCertificateRef cert0 = NULL, cert1 = NULL, cert2 = NULL;
591 SecPolicyRef policy = NULL;
592 SecTrustRef trust = NULL;
593 CFArrayRef certificates = NULL, roots = NULL;
594 CFDateRef date = NULL;
595
596 require(cert0 = SecCertificateCreateWithBytes(NULL, _expired_badssl, sizeof(_expired_badssl)), errOut);
597 require(cert1 = SecCertificateCreateWithBytes(NULL, _comodo_rsa_dvss, sizeof(_comodo_rsa_dvss)), errOut);
598 require(cert2 = SecCertificateCreateWithBytes(NULL, _comodo_rsa_root, sizeof(_comodo_rsa_root)), errOut);
599
600 const void *v_certs[] = {
601 cert0,
602 cert1
603 };
604 certificates = CFArrayCreate(NULL, v_certs,
605 array_size(v_certs),
606 &kCFTypeArrayCallBacks);
607
608 const void *v_roots[] = {
609 cert2
610 };
611 roots = CFArrayCreate(NULL, v_roots,
612 array_size(v_roots),
613 &kCFTypeArrayCallBacks);
614
615 require(policy = SecPolicyCreateSSL(true, CFSTR("expired.badssl.com")), errOut);
616 require_noerr(SecTrustCreateWithCertificates(certificates, policy, &trust), errOut);
617 require_noerr(SecTrustSetAnchorCertificates(trust, roots), errOut);
618
619 /* Mar 21 2017 (cert expired in 2015, so this will cause a validity error.) */
620 require(date = CFDateCreateForGregorianZuluMoment(NULL, 2017, 3, 21, 12, 0, 0), errOut);
621 require_noerr(SecTrustSetVerifyDate(trust, date), errOut);
622
623 /* SecTrustIsExpiredOnly implicitly evaluates the trust */
624 ok(SecTrustIsExpiredOnly(trust), "REGRESSION: has new error as well as expiration");
625
626 CFReleaseNull(policy);
627 require(policy = SecPolicyCreateSSL(true, CFSTR("expired.terriblessl.com")), errOut);
628 require_noerr(SecTrustSetPolicies(trust, policy), errOut);
629 /* expect a hostname mismatch as well as expiration */
630 ok(!SecTrustIsExpiredOnly(trust), "REGRESSION: should have found multiple errors");
631
632 errOut:
633 CFReleaseNull(trust);
634 CFReleaseNull(cert0);
635 CFReleaseNull(cert1);
636 CFReleaseNull(cert2);
637 CFReleaseNull(policy);
638 CFReleaseNull(certificates);
639 CFReleaseNull(roots);
640 CFReleaseNull(date);
641 }
642
643 static void test_evaluate_with_error(void) {
644 #pragma clang diagnostic push
645 #pragma clang diagnostic ignored "-Wunguarded-availability-new"
646
647 SecCertificateRef cert0 = NULL, cert1 = NULL, cert2 = NULL;
648 SecPolicyRef policy = NULL;
649 SecTrustRef trust = NULL;
650 CFArrayRef certificates = NULL, roots = NULL;
651 CFDateRef date = NULL, validDate = NULL;
652 CFErrorRef error = NULL;
653
654 require(cert0 = SecCertificateCreateWithBytes(NULL, _expired_badssl, sizeof(_expired_badssl)), errOut);
655 require(cert1 = SecCertificateCreateWithBytes(NULL, _comodo_rsa_dvss, sizeof(_comodo_rsa_dvss)), errOut);
656 require(cert2 = SecCertificateCreateWithBytes(NULL, _comodo_rsa_root, sizeof(_comodo_rsa_root)), errOut);
657
658 const void *v_certs[] = {
659 cert0,
660 cert1
661 };
662 certificates = CFArrayCreate(NULL, v_certs,
663 array_size(v_certs),
664 &kCFTypeArrayCallBacks);
665
666 const void *v_roots[] = {
667 cert2
668 };
669 roots = CFArrayCreate(NULL, v_roots,
670 array_size(v_roots),
671 &kCFTypeArrayCallBacks);
672
673 require(policy = SecPolicyCreateSSL(true, CFSTR("expired.badssl.com")), errOut);
674 require_noerr(SecTrustCreateWithCertificates(certificates, policy, &trust), errOut);
675 require_noerr(SecTrustSetAnchorCertificates(trust, roots), errOut);
676
677 /* April 10 2015 (cert expired in 2015) */
678 require(validDate = CFDateCreateForGregorianZuluMoment(NULL, 2015, 4, 10, 12, 0, 0), errOut);
679 require_noerr(SecTrustSetVerifyDate(trust, validDate), errOut);
680
681 is(SecTrustEvaluateWithError(trust, &error), true, "wrong result for valid cert");
682 is(error, NULL, "set error for passing trust evaluation");
683 CFReleaseNull(error);
684
685 /* Mar 21 2017 (cert expired in 2015, so this will cause a validity error.) */
686 require(date = CFDateCreateForGregorianZuluMoment(NULL, 2017, 3, 21, 12, 0, 0), errOut);
687 require_noerr(SecTrustSetVerifyDate(trust, date), errOut);
688
689 /* expect expiration error */
690 is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for expired cert");
691 isnt(error, NULL, "failed to set error for failing trust evaluation");
692 is(CFErrorGetCode(error), errSecCertificateExpired, "Got wrong error code for evaluation");
693 CFReleaseNull(error);
694
695 CFReleaseNull(policy);
696 require(policy = SecPolicyCreateSSL(true, CFSTR("expired.terriblessl.com")), errOut);
697 require_noerr(SecTrustSetPolicies(trust, policy), errOut);
698
699 /* expect a hostname mismatch as well as expiration; hostname mismatch must be a higher priority */
700 is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for expired cert with hostname mismatch");
701 isnt(error, NULL, "failed to set error for failing trust evaluation");
702 is(CFErrorGetCode(error), errSecHostNameMismatch, "Got wrong error code for evaluation");
703 CFReleaseNull(error);
704
705 /* expect only a hostname mismatch*/
706 require_noerr(SecTrustSetVerifyDate(trust, validDate), errOut);
707 is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for valid cert with hostname mismatch");
708 isnt(error, NULL, "failed to set error for failing trust evaluation");
709 is(CFErrorGetCode(error), errSecHostNameMismatch, "Got wrong error code for evaluation");
710 CFReleaseNull(error);
711
712 /* pinning failure */
713 CFReleaseNull(policy);
714 require(policy = SecPolicyCreateAppleSSLPinned(CFSTR("test"), CFSTR("expired.badssl.com"),
715 NULL, CFSTR("1.2.840.113635.100.6.27.1")), errOut);
716 require_noerr(SecTrustSetPolicies(trust, policy), errOut);
717
718 is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for valid cert with pinning failure");
719 isnt(error, NULL, "failed to set error for failing trust evaluation");
720 CFIndex errorCode = CFErrorGetCode(error);
721 // failed checks: AnchorApple, LeafMarkerOid, or IntermediateMarkerOid
722 ok(errorCode == errSecMissingRequiredExtension || errorCode == errSecInvalidRoot, "Got wrong error code for evaluation");
723 CFReleaseNull(error);
724
725 /* trust nothing, trust errors higher priority than hostname mismatch */
726 CFReleaseNull(policy);
727 require(policy = SecPolicyCreateSSL(true, CFSTR("expired.terriblessl.com")), errOut);
728 require_noerr(SecTrustSetPolicies(trust, policy), errOut);
729
730 CFReleaseNull(roots);
731 roots = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
732 require_noerr(SecTrustSetAnchorCertificates(trust, roots), errOut);
733 is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for expired cert with hostname mismatch");
734 isnt(error, NULL, "failed to set error for failing trust evaluation");
735 is(CFErrorGetCode(error), errSecNotTrusted, "Got wrong error code for evaluation");
736 CFReleaseNull(error);
737
738 errOut:
739 CFReleaseNull(trust);
740 CFReleaseNull(cert0);
741 CFReleaseNull(cert1);
742 CFReleaseNull(cert2);
743 CFReleaseNull(policy);
744 CFReleaseNull(certificates);
745 CFReleaseNull(roots);
746 CFReleaseNull(date);
747 CFReleaseNull(validDate);
748 CFReleaseNull(error);
749
750 #pragma clang diagnostic pop
751 }
752
753 static void test_optional_policy_check(void) {
754 SecCertificateRef cert0 = NULL, cert1 = NULL, root = NULL;
755 SecTrustRef trust = NULL;
756 SecPolicyRef policy = NULL;
757 CFArrayRef certs = NULL, anchors = NULL;
758 CFDateRef date = NULL;
759
760 require_action(cert0 = SecCertificateCreateWithBytes(NULL, _leaf384C, sizeof(_leaf384C)), errOut,
761 fail("unable to create cert"));
762 require_action(cert1 = SecCertificateCreateWithBytes(NULL, _int384B, sizeof(_int384B)), errOut,
763 fail("unable to create cert"));
764 require_action(root = SecCertificateCreateWithBytes(NULL, _root384, sizeof(_root384)), errOut,
765 fail("unable to create cert"));
766
767 const void *v_certs[] = { cert0, cert1 };
768 require_action(certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), &kCFTypeArrayCallBacks), errOut,
769 fail("unable to create array"));
770 require_action(anchors = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks), errOut,
771 fail("unable to create anchors array"));
772 require_action(date = CFDateCreate(NULL, 472100000.0), errOut, fail("unable to create date"));
773
774 require_action(policy = SecPolicyCreateBasicX509(), errOut, fail("unable to create policy"));
775 SecPolicySetOptionsValue(policy, CFSTR("not-a-policy-check"), kCFBooleanTrue);
776
777 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust");
778 require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut,
779 fail("unable to set anchors"));
780 require_noerr_action(SecTrustSetVerifyDate(trust, date), errOut, fail("unable to set verify date"));
781
782 #pragma clang diagnostic push
783 #pragma clang diagnostic ignored "-Wunguarded-availability-new"
784 #if NDEBUG
785 ok(SecTrustEvaluateWithError(trust, NULL), "Trust evaluation failed");
786 #else
787 is(SecTrustEvaluateWithError(trust, NULL), false, "Expect failure in Debug config");
788 #endif
789 #pragma clang diagnostic pop
790
791 errOut:
792 CFReleaseNull(cert0);
793 CFReleaseNull(cert1);
794 CFReleaseNull(root);
795 CFReleaseNull(certs);
796 CFReleaseNull(anchors);
797 CFReleaseNull(date);
798 CFReleaseNull(policy);
799 CFReleaseNull(trust);
800 }
801
802 static void test_serialization(void) {
803 SecCertificateRef cert0 = NULL, cert1 = NULL, root = NULL;
804 SecTrustRef trust = NULL, deserializedTrust = NULL;
805 SecPolicyRef policy = NULL;
806 CFArrayRef certs = NULL, anchors = NULL, deserializedCerts = NULL;
807 CFDateRef date = NULL;
808 CFDataRef serializedTrust = NULL;
809 CFErrorRef error = NULL;
810
811 require_action(cert0 = SecCertificateCreateWithBytes(NULL, _leaf384C, sizeof(_leaf384C)), errOut,
812 fail("unable to create cert"));
813 require_action(cert1 = SecCertificateCreateWithBytes(NULL, _int384B, sizeof(_int384B)), errOut,
814 fail("unable to create cert"));
815 require_action(root = SecCertificateCreateWithBytes(NULL, _root384, sizeof(_root384)), errOut,
816 fail("unable to create cert"));
817
818 const void *v_certs[] = { cert0, cert1 };
819 require_action(certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), &kCFTypeArrayCallBacks), errOut,
820 fail("unable to create array"));
821 require_action(anchors = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks), errOut,
822 fail("unable to create anchors array"));
823 require_action(date = CFDateCreate(NULL, 472100000.0), errOut, fail("unable to create date"));
824
825 require_action(policy = SecPolicyCreateBasicX509(), errOut, fail("unable to create policy"));
826
827 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust");
828 require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut,
829 fail("unable to set anchors"));
830 require_noerr_action(SecTrustSetVerifyDate(trust, date), errOut, fail("unable to set verify date"));
831
832 ok(serializedTrust = SecTrustSerialize(trust, NULL), "failed to serialize trust");
833 ok(deserializedTrust = SecTrustDeserialize(serializedTrust, NULL), "Failed to deserialize trust");
834 CFReleaseNull(serializedTrust);
835
836 require_noerr_action(SecTrustCopyCustomAnchorCertificates(deserializedTrust, &deserializedCerts), errOut,
837 fail("unable to get anchors from deserialized trust"));
838 ok(CFEqual(anchors, deserializedCerts), "Failed to get the same anchors after serialization/deserialization");
839 CFReleaseNull(deserializedCerts);
840
841 require_noerr_action(SecTrustCopyInputCertificates(trust, &deserializedCerts), errOut,
842 fail("unable to get input certificates from deserialized trust"));
843 ok(CFEqual(certs, deserializedCerts), "Failed to get same input certificates after serialization/deserialization");
844 CFReleaseNull(deserializedCerts);
845
846 /* correct API behavior */
847 #pragma clang diagnostic push
848 #pragma clang diagnostic ignored "-Wnonnull"
849 is(SecTrustSerialize(NULL, &error), NULL, "serialize succeeded with null input");
850 is(CFErrorGetCode(error), errSecParam, "Incorrect error code for bad serialization input");
851 CFReleaseNull(error);
852 is(SecTrustDeserialize(NULL, &error), NULL, "deserialize succeeded with null input");
853 is(CFErrorGetCode(error), errSecParam, "Incorrect error code for bad deserialization input");
854 CFReleaseNull(error);
855 #pragma clang diagnostic pop
856
857 errOut:
858 CFReleaseNull(cert0);
859 CFReleaseNull(cert1);
860 CFReleaseNull(root);
861 CFReleaseNull(certs);
862 CFReleaseNull(anchors);
863 CFReleaseNull(date);
864 CFReleaseNull(policy);
865 CFReleaseNull(trust);
866 CFReleaseNull(deserializedTrust);
867 }
868
869 static void test_tls_analytics_report(void)
870 {
871 xpc_object_t metric = xpc_dictionary_create(NULL, NULL, 0);
872 ok(metric != NULL);
873
874 const char *TLS_METRIC_PROCESS_IDENTIFIER = "process";
875 const char *TLS_METRIC_CIPHERSUITE = "cipher_name";
876 const char *TLS_METRIC_PROTOCOL_VERSION = "version";
877 const char *TLS_METRIC_SESSION_RESUMED = "resumed";
878
879 xpc_dictionary_set_string(metric, TLS_METRIC_PROCESS_IDENTIFIER, "super awesome unit tester");
880 xpc_dictionary_set_uint64(metric, TLS_METRIC_CIPHERSUITE, 0x0304);
881 xpc_dictionary_set_uint64(metric, TLS_METRIC_PROTOCOL_VERSION, 0x0304);
882 xpc_dictionary_set_bool(metric, TLS_METRIC_SESSION_RESUMED, false);
883 // ... TLS would fill in the rest
884
885 // Invoke the callback
886 CFErrorRef error = NULL;
887 bool reported = SecTrustReportTLSAnalytics(CFSTR("TLSConnectionEvent"), metric, &error);
888 ok(reported, "Failed to report analytics with error %@", error);
889 xpc_release(metric);
890 }
891
892 static void test_weak_signature(void) {
893 SecCertificateRef md5_root = NULL, md5_leaf = NULL, sha256_root = NULL;
894 SecPolicyRef policy = NULL;
895 SecTrustRef trust = NULL;
896 CFArrayRef certs = NULL, anchors = NULL;
897 CFDateRef verifyDate = NULL;
898 CFErrorRef error = NULL;
899
900 require_action(md5_root = SecCertificateCreateWithBytes(NULL, _md5_root, sizeof(_md5_root)), errOut,
901 fail("failed to create md5 root cert"));
902 require_action(md5_leaf = SecCertificateCreateWithBytes(NULL, _md5_leaf, sizeof(_md5_leaf)), errOut,
903 fail("failed to create md5 leaf cert"));
904 require_action(sha256_root = SecCertificateCreateWithBytes(NULL, _sha256_root, sizeof(_sha256_root)), errOut,
905 fail("failed to create sha256 root cert"));
906
907 require_action(certs = CFArrayCreate(NULL, (const void **)&md5_root, 1, &kCFTypeArrayCallBacks), errOut,
908 fail("failed to create certs array"));
909 require_action(anchors = CFArrayCreate(NULL, (const void **)&md5_root, 1, &kCFTypeArrayCallBacks), errOut,
910 fail("failed to create anchors array"));
911 require_action(policy = SecPolicyCreateBasicX509(), errOut, fail("failed to make policy"));
912 require_action(verifyDate = CFDateCreate(NULL, 550600000), errOut, fail("failed to make verification date")); // June 13, 2018
913
914 /* Test self-signed MD5 cert. Should work since cert is a trusted anchor - rdar://39152516 */
915 require_noerr_action(SecTrustCreateWithCertificates(certs, policy, &trust), errOut,
916 fail("failed to create trust object"));
917 require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut,
918 fail("faild to set anchors"));
919 require_noerr_action(SecTrustSetVerifyDate(trust, verifyDate), errOut,
920 fail("failed to set verify date"));
921 ok(SecTrustEvaluateWithError(trust, &error), "self-signed MD5 cert failed");
922 is(error, NULL, "got a trust error for self-signed MD5 cert: %@", error);
923
924 /* clean up and set up for next test */
925 CFReleaseNull(error);
926 CFReleaseNull(trust);
927 CFReleaseNull(anchors);
928 CFReleaseNull(certs);
929
930 require_action(certs = CFArrayCreate(NULL, (const void **)&md5_leaf, 1, &kCFTypeArrayCallBacks), errOut,
931 fail("failed to create certs array"));
932 require_action(anchors = CFArrayCreate(NULL, (const void **)&sha256_root, 1, &kCFTypeArrayCallBacks), errOut,
933 fail("failed to create anchors array"));
934
935
936 /* Test non-self-signed MD5 cert. Should fail. */
937 require_noerr_action(SecTrustCreateWithCertificates(certs, policy, &trust), errOut,
938 fail("failed to create trust object"));
939 require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut,
940 fail("faild to set anchors"));
941 require_noerr_action(SecTrustSetVerifyDate(trust, verifyDate), errOut,
942 fail("failed to set verify date"));
943 is(SecTrustEvaluateWithError(trust, &error), false, "non-self-signed MD5 cert succeeded");
944 if (error) {
945 is(CFErrorGetCode(error), errSecInvalidDigestAlgorithm, "got wrong error code for MD5 leaf cert, got %ld, expected %d",
946 (long)CFErrorGetCode(error), errSecInvalidDigestAlgorithm);
947 } else {
948 fail("expected trust evaluation to fail and it did not.");
949 }
950
951 errOut:
952 CFReleaseNull(md5_root);
953 CFReleaseNull(md5_leaf);
954 CFReleaseNull(sha256_root);
955 CFReleaseNull(certs);
956 CFReleaseNull(anchors);
957 CFReleaseNull(policy);
958 CFReleaseNull(verifyDate);
959 CFReleaseNull(trust);
960 CFReleaseNull(error);
961 }
962
963 int si_20_sectrust(int argc, char *const *argv)
964 {
965 #if TARGET_OS_IPHONE
966 plan_tests(101+9+(8*13)+9+1+2+17+2+9+2+4);
967 #else
968 plan_tests(97+9+(8*13)+9+1+2+2+17+2+9+2+4);
969 #endif
970
971 basic_tests();
972 negative_integer_tests();
973 rsa8k_tests();
974 date_tests();
975 rsa_key_size_tests();
976 ec_key_size_tests();
977 test_input_certificates();
978 test_async_trust();
979 test_expired_only();
980 test_evaluate_with_error();
981 test_optional_policy_check();
982 test_serialization();
983 test_tls_analytics_report();
984 test_weak_signature();
985
986 return 0;
987 }
mirror of Security