OSX/sec/Security/Regressions/secitem/si-18-certificate-parse.m

   1 /*
   2  * Copyright (c) 2017 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include "shared_regressions.h"
  25
  26 #include <AssertMacros.h>
  27 #import <Foundation/Foundation.h>
  28
  29 #include <utilities/SecInternalReleasePriv.h>
  30 #include <utilities/SecCFRelease.h>
  31 #include <Security/SecCertificate.h>
  32 #include <Security/SecCertificatePriv.h>
  33 #include <Security/SecCertificateInternal.h>
  34
  35 const NSString *kSecTestParseFailureResources = @"si-18-certificate-parse/ParseFailureCerts";
  36 const NSString *kSecTestParseSuccessResources = @"si-18-certificate-parse/ParseSuccessCerts";
  37 const NSString *kSecTestKeyFailureResources = @"si-18-certificate-parse/KeyFailureCerts";
  38 const NSString *kSecTestPathFailureResources = @"si-18-certificate-parse/PathFailureCerts";
  39 const NSString *kSecTestTODOFailureResources = @"si-18-certificate-parse/TODOFailureCerts";
  40
  41 static uint64_t num_certs() {
  42     uint64_t num_certs = 0;
  43     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseFailureResources];
  44     num_certs += [certURLs count];
  45     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseSuccessResources];
  46     num_certs += [certURLs count];
  47     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestKeyFailureResources];
  48     num_certs += [certURLs count];
  49     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestPathFailureResources];
  50     num_certs += [certURLs count];
  51     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestTODOFailureResources];
  52     num_certs += [certURLs count];
  53
  54     return num_certs;
  55 }
  56
  57 static void test_parse_failure(void) {
  58     /* A bunch of certificates with different parsing errors */
  59     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseFailureResources];
  60     require_action([certURLs count] > 0, testOut,
  61                    fail("Unable to find parse test failure certs in bundle."));
  62
  63     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
  64         NSData *certData = [NSData dataWithContentsOfURL:url];
  65         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
  66         is(cert, NULL, "Successfully parsed bad cert: %@", url);
  67         CFReleaseNull(cert);
  68     }];
  69
  70 testOut:
  71     return;
  72 }
  73
  74 static void test_parse_success(void) {
  75     /* A bunch of certificates with different parsing variations */
  76     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestParseSuccessResources];
  77     require_action([certURLs count] > 0, testOut,
  78                    fail("Unable to find parse test failure certs in bundle."));
  79
  80     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
  81         NSData *certData = [NSData dataWithContentsOfURL:url];
  82         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
  83         isnt(cert, NULL, "Failed to parse good cert: %@", url);
  84         CFReleaseNull(cert);
  85     }];
  86
  87 testOut:
  88     return;
  89 }
  90
  91 static void test_key_failure(void) {
  92     /* Parse failures that require public key extraction */
  93     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestKeyFailureResources];
  94     require_action([certURLs count] > 0, testOut,
  95                    fail("Unable to find parse test failure certs in bundle."));
  96
  97     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
  98         NSData *certData = [NSData dataWithContentsOfURL:url];
  99         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
 100         SecKeyRef pubkey = NULL;
 101         require_action(cert, blockOut,
 102                        fail("Failed to parse cert with SPKI error: %@", url));
 103 #if TARGET_OS_OSX
 104         pubkey = SecCertificateCopyPublicKey_ios(cert);
 105 #else
 106         pubkey = SecCertificateCopyPublicKey(cert);
 107 #endif
 108         is(pubkey, NULL, "Successfully parsed bad SPKI: %@", url);
 109
 110     blockOut:
 111         CFReleaseNull(cert);
 112         CFReleaseNull(pubkey);
 113     }];
 114
 115 testOut:
 116     return;
 117 }
 118
 119 static void test_path_parse_failure(void) {
 120     NSArray <NSURL *>* certURLs = nil;
 121     SecCertificateRef root = nil;
 122
 123     NSURL *rootURL = [[NSBundle mainBundle] URLForResource:@"root" withExtension:@".cer" subdirectory:@"si-18-certificate-parse"];
 124     root = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)[NSData dataWithContentsOfURL:rootURL]);
 125     require_action(root, testOut,
 126                    fail("Unable to create root cert"));
 127     certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestPathFailureResources];
 128     require_action([certURLs count] > 0, testOut,
 129                    fail("Unable to find parse test failure certs in bundle."));
 130
 131     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
 132         NSData *certData = [NSData dataWithContentsOfURL:url];
 133         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
 134         SecTrustRef trust = NULL;
 135         SecPolicyRef policy = SecPolicyCreateBasicX509();
 136         SecTrustResultType trustResult = kSecTrustResultInvalid;
 137
 138         require_noerr_action(SecTrustCreateWithCertificates(cert, policy, &trust), blockOut,
 139                              fail("Unable to create trust with certificate: %@", url));
 140         require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)[NSArray arrayWithObject:(__bridge id)root]),
 141                              blockOut, fail("Unable to set trust in root cert: %@", url));
 142         require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:507200000.0]),
 143                              blockOut, fail("Unable to set verify date: %@", url));
 144         require_noerr_action(SecTrustEvaluate(trust, &trustResult), blockOut,
 145                              fail("Failed ot evaluate trust with error: %@", url));
 146         is(trustResult, kSecTrustResultRecoverableTrustFailure, "Got wrong trust result (%d) for %@", trustResult, url);
 147
 148         require_action(cert, blockOut,
 149                        fail("Failed to parse cert with SPKI error: %@", url));
 150
 151     blockOut:
 152         CFReleaseNull(cert);
 153         CFReleaseNull(trust);
 154         CFReleaseNull(policy);
 155     }];
 156
 157
 158 testOut:
 159     CFReleaseNull(root);
 160 }
 161
 162 static void test_todo_failures(void) {
 163     /* A bunch of certificates with different parsing errors that currently succeed. */
 164     NSArray <NSURL *>* certURLs = [[NSBundle mainBundle] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestTODOFailureResources];
 165     require_action([certURLs count] > 0, testOut,
 166                    fail("Unable to find parse test failure certs in bundle."));
 167
 168     [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
 169         NSData *certData = [NSData dataWithContentsOfURL:url];
 170         SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
 171         {
 172             NSString *reason = [NSString stringWithFormat:@"Bad cert succeeds: %@",url];
 173             todo([reason UTF8String]);
 174             is(cert, NULL, "Successfully parsed bad cert: %@", url);
 175         }
 176         CFReleaseNull(cert);
 177     }];
 178
 179 testOut:
 180     return;
 181 }
 182
 183 int si_18_certificate_parse(int argc, char *const *argv)
 184 {
 185
 186     plan_tests((int)num_certs());
 187
 188     test_parse_failure();
 189     test_parse_success();
 190     test_key_failure();
 191     test_path_parse_failure();
 192     test_todo_failures();
 193
 194     return 0;
 195 }