]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si-67-sectrust-blacklist.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57336.10.29.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si-67-sectrust-blacklist.c
1 /*
2 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include <CoreFoundation/CoreFoundation.h>
26 #include <Security/SecCertificate.h>
27 #include <Security/SecCertificatePriv.h>
28 #include <Security/SecInternal.h>
29 #include <Security/SecPolicyPriv.h>
30 #include <Security/SecTrust.h>
31 #include <stdlib.h>
32 #include <sys/socket.h>
33 #include <sys/types.h>
34 #include <netinet/in.h>
35 #include <arpa/inet.h>
36 #include <netdb.h>
37 #include <unistd.h>
38 #include <string.h>
39
40 #include "si-67-sectrust-blacklist/Global Trustee.cer.h"
41 #include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
42 #include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
43 #include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
44 #include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
45 #include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
46 #include "si-67-sectrust-blacklist/login.live.com.cer.h"
47 #include "si-67-sectrust-blacklist/mail.google.com.cer.h"
48 #include "si-67-sectrust-blacklist/login.skype.com.cer.h"
49 #include "si-67-sectrust-blacklist/www.google.com.cer.h"
50
51 #include "Security_regressions.h"
52
53 static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
54 {
55 SecTrustRef trust;
56 SecCertificateRef cert;
57 SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
58 CFArrayRef certs;
59
60 isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
61 NULL, "create cert");
62 certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
63 ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
64 "create trust with single cert");
65 //CFDateRef date = CFDateCreate(NULL, 1301008576);
66 //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
67 //CFRelease(date);
68
69 SecTrustResultType trustResult;
70 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
71 is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
72 is_status(trustResult, trust_result, "correct trustResult");
73 CFRelease(trust);
74 CFRelease(policy);
75 CFRelease(certs);
76 CFRelease(cert);
77 }
78
79 static void tests(void)
80 {
81 validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 3, kSecTrustResultFatalTrustFailure);
82 validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 3, kSecTrustResultFatalTrustFailure);
83 /* this is the root, which isn't ok for ssl and fails here, but at the
84 same time it proves that kSecTrustResultFatalTrustFailure isn't
85 returned for policy failures that aren't blacklisting */
86 validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 3, kSecTrustResultFatalTrustFailure);
87 validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 3, kSecTrustResultFatalTrustFailure);
88 validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 3, kSecTrustResultFatalTrustFailure);
89 validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 3, kSecTrustResultFatalTrustFailure);
90 validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
91 validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 3, kSecTrustResultFatalTrustFailure);
92 validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
93 }
94
95 static int ping_host(char *host_name){
96
97 struct sockaddr_in pin;
98 struct hostent *nlp_host;
99 int sd;
100 int port;
101 int retries = 5;
102
103 port=80;
104
105 while ((nlp_host=gethostbyname(host_name))==0 && retries--){
106 printf("Resolve Error! (%s) %d\n", host_name, h_errno);
107 sleep(1);
108 }
109
110 if(nlp_host==0)
111 return 0;
112
113 bzero(&pin,sizeof(pin));
114 pin.sin_family=AF_INET;
115 pin.sin_addr.s_addr=htonl(INADDR_ANY);
116 pin.sin_addr.s_addr=((struct in_addr *)(nlp_host->h_addr))->s_addr;
117 pin.sin_port=htons(port);
118
119 sd=socket(AF_INET,SOCK_STREAM,0);
120
121 if (connect(sd,(struct sockaddr*)&pin,sizeof(pin))==-1){
122 printf("connect error! (%s) %d\n", host_name, errno);
123 close(sd);
124 return 0;
125 }
126 else{
127 close(sd);
128 return 1;
129 }
130 }
131
132 int si_67_sectrust_blacklist(int argc, char *const *argv)
133 {
134 char *hosts[] = {
135 "EVSecure-ocsp.verisign.com",
136 "EVIntl-ocsp.verisign.com",
137 "EVIntl-aia.verisign.com",
138 "ocsp.comodoca.com",
139 "crt.comodoca.com",
140 };
141
142 unsigned host_cnt = 0;
143
144 plan_tests(45);
145
146 for (host_cnt = 0; host_cnt < sizeof(hosts)/sizeof(hosts[0]); host_cnt ++)
147 if(ping_host(hosts[host_cnt]) == 0){
148 printf("Accessing specific server (%s) failed, check the network!\n", hosts[host_cnt]);
149 return 0;
150 }
151
152 tests();
153
154 return 0;
155 }
mirror of Security