]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si-67-sectrust-blocklist.c
Security-58286.251.4.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-67-sectrust-blocklist.c
1 /*
2 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include <CoreFoundation/CoreFoundation.h>
26 #include <Security/SecCertificate.h>
27 #include <Security/SecCertificatePriv.h>
28 #include <Security/SecPolicyPriv.h>
29 #include <Security/SecTrust.h>
30 #include <stdlib.h>
31 #include <sys/socket.h>
32 #include <sys/types.h>
33 #include <netinet/in.h>
34 #include <arpa/inet.h>
35 #include <netdb.h>
36 #include <unistd.h>
37 #include <string.h>
38
39 #include "si-67-sectrust-blocklist/Global Trustee.cer.h"
40 #include "si-67-sectrust-blocklist/login.yahoo.com.1.cer.h"
41 #include "si-67-sectrust-blocklist/UTN-USERFirst-Hardware.cer.h"
42 #include "si-67-sectrust-blocklist/login.yahoo.com.2.cer.h"
43 #include "si-67-sectrust-blocklist/addons.mozilla.org.cer.h"
44 #include "si-67-sectrust-blocklist/login.yahoo.com.cer.h"
45 #include "si-67-sectrust-blocklist/login.live.com.cer.h"
46 #include "si-67-sectrust-blocklist/mail.google.com.cer.h"
47 #include "si-67-sectrust-blocklist/login.skype.com.cer.h"
48 #include "si-67-sectrust-blocklist/www.google.com.cer.h"
49
50 #include "shared_regressions.h"
51
52 static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
53 {
54 SecTrustRef trust;
55 SecCertificateRef cert;
56 SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
57 CFArrayRef certs;
58
59 isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
60 NULL, "create cert");
61 certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
62 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
63 "create trust with single cert");
64 //CFDateRef date = CFDateCreate(NULL, 1301008576);
65 //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
66 //CFRelease(date);
67
68 SecTrustResultType trustResult;
69 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
70 is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
71 is_status(trustResult, trust_result, "correct trustResult");
72 CFRelease(trust);
73 CFRelease(policy);
74 CFRelease(certs);
75 CFRelease(cert);
76 }
77
78 static void tests(void)
79 {
80 validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 2, kSecTrustResultFatalTrustFailure);
81 validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 2, kSecTrustResultFatalTrustFailure);
82 /* this is the root, which isn't ok for ssl and fails here, but at the
83 same time it proves that kSecTrustResultFatalTrustFailure isn't
84 returned for policy failures that aren't blocklisting */
85 validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 2, kSecTrustResultFatalTrustFailure);
86 validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 2, kSecTrustResultFatalTrustFailure);
87 validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 2, kSecTrustResultFatalTrustFailure);
88 validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 2, kSecTrustResultFatalTrustFailure);
89 validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
90 validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 2, kSecTrustResultFatalTrustFailure);
91 validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
92 }
93
94 static int ping_host(char *host_name){
95
96 struct sockaddr_in pin;
97 struct hostent *nlp_host;
98 int sd;
99 int port;
100 int retries = 5;
101
102 port=80;
103
104 while ((nlp_host=gethostbyname(host_name))==0 && retries--){
105 printf("Resolve Error! (%s) %d\n", host_name, h_errno);
106 sleep(1);
107 }
108
109 if(nlp_host==0)
110 return 0;
111
112 bzero(&pin,sizeof(pin));
113 pin.sin_family=AF_INET;
114 pin.sin_addr.s_addr=htonl(INADDR_ANY);
115 pin.sin_addr.s_addr=((struct in_addr *)(nlp_host->h_addr))->s_addr;
116 pin.sin_port=htons(port);
117
118 sd=socket(AF_INET,SOCK_STREAM,0);
119
120 if (connect(sd,(struct sockaddr*)&pin,sizeof(pin))==-1){
121 printf("connect error! (%s) %d\n", host_name, errno);
122 close(sd);
123 return 0;
124 }
125 else{
126 close(sd);
127 return 1;
128 }
129 }
130
131 int si_67_sectrust_blocklist(int argc, char *const *argv)
132 {
133 char *hosts[] = {
134 "EVSecure-ocsp.verisign.com",
135 "EVIntl-ocsp.verisign.com",
136 "EVIntl-aia.verisign.com",
137 "ocsp.comodoca.com",
138 "crt.comodoca.com",
139 };
140
141 unsigned host_cnt = 0;
142
143 plan_tests(45);
144
145 for (host_cnt = 0; host_cnt < sizeof(hosts)/sizeof(hosts[0]); host_cnt ++)
146 if(ping_host(hosts[host_cnt]) == 0){
147 printf("Accessing specific server (%s) failed, check the network!\n", hosts[host_cnt]);
148 return 0;
149 }
150
151 tests();
152
153 return 0;
154 }