OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c

   1 /*
   2  * Copyright (c) 2006-2017 Apple Inc. All Rights Reserved.
   3  */
   4
   5 #include <AssertMacros.h>
   6 #include <CoreFoundation/CoreFoundation.h>
   7 #include <Security/SecCertificate.h>
   8 #include <Security/SecCertificatePriv.h>
   9 #include <Security/SecPolicyPriv.h>
  10 #include <Security/SecTrust.h>
  11 #include <utilities/array_size.h>
  12 #include <utilities/SecCFRelease.h>
  13 #include <stdlib.h>
  14 #include <unistd.h>
  15
  16 #include "shared_regressions.h"
  17
  18 #include "si-22-sectrust-iap.h"
  19
  20 static void test_v1(void)
  21 {
  22     SecTrustRef trust;
  23         SecCertificateRef iAP1CA, iAP2CA, leaf0, leaf1;
  24         isnt(iAP1CA = SecCertificateCreateWithBytes(NULL, _iAP1CA, sizeof(_iAP1CA)),
  25                 NULL, "create iAP1CA");
  26         isnt(iAP2CA = SecCertificateCreateWithBytes(NULL, _iAP2CA, sizeof(_iAP2CA)),
  27                 NULL, "create iAP2CA");
  28         isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)),
  29                 NULL, "create leaf0");
  30         isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)),
  31                 NULL, "create leaf1");
  32     {
  33         // temporarily grab some stack space and fill it with 0xFF;
  34         // when we exit this scope, the stack pointer should shrink but leave the memory filled.
  35         // this tests for a stack overflow bug inside SecPolicyCreateiAP (rdar://16056248)
  36         char buf[2048];
  37         memset(buf, 0xFF, sizeof(buf));
  38     }
  39     SecPolicyRef policy = SecPolicyCreateiAP();
  40         const void *v_anchors[] = {
  41                 iAP1CA,
  42                 iAP2CA
  43         };
  44     CFArrayRef anchors = CFArrayCreate(NULL, v_anchors,
  45                 array_size(v_anchors), NULL);
  46     CFArrayRef certs0 = CFArrayCreate(NULL, (const void **)&leaf0, 1, &kCFTypeArrayCallBacks);
  47     CFArrayRef certs1 = CFArrayCreate(NULL, (const void **)&leaf1, 1, &kCFTypeArrayCallBacks);
  48     ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust for leaf0");
  49         ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
  50
  51         /* Jan 1st 2008. */
  52         CFDateRef date = CFDateCreate(NULL, 220752000.0);
  53     ok_status(SecTrustSetVerifyDate(trust, date), "set date");
  54
  55         SecTrustResultType trustResult;
  56     ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
  57     is_status(trustResult, kSecTrustResultUnspecified,
  58                 "trust is kSecTrustResultUnspecified");
  59
  60         is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
  61
  62         CFReleaseSafe(trust);
  63     ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust for leaf1");
  64         ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
  65     ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
  66     is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
  67
  68         CFReleaseSafe(anchors);
  69         CFReleaseSafe(certs1);
  70         CFReleaseSafe(certs0);
  71         CFReleaseSafe(trust);
  72         CFReleaseSafe(policy);
  73         CFReleaseSafe(leaf0);
  74         CFReleaseSafe(leaf1);
  75         CFReleaseSafe(iAP1CA);
  76         CFReleaseSafe(iAP2CA);
  77         CFReleaseSafe(date);
  78 }
  79
  80 static void test_v3(void) {
  81     SecCertificateRef v3CA = NULL, v3leaf = NULL;
  82     isnt(v3CA = SecCertificateCreateWithBytes(NULL, _v3ca, sizeof(_v3ca)),
  83          NULL, "create v3 CA");
  84     isnt(v3leaf = SecCertificateCreateWithBytes(NULL, _v3leaf, sizeof(_v3leaf)),
  85          NULL, "create v3leaf");
  86
  87     /* Test v3 certs meet iAP policy */
  88     SecPolicyRef policy = NULL;
  89     SecTrustRef trust = NULL;
  90     CFArrayRef certs = NULL, anchors = NULL;
  91     CFDateRef date = NULL;
  92     SecTrustResultType trustResult;
  93
  94     certs = CFArrayCreate(NULL, (const void **)&v3leaf, 1, &kCFTypeArrayCallBacks);
  95     anchors = CFArrayCreate(NULL, (const void **)&v3CA, 1, &kCFTypeArrayCallBacks);
  96     policy = SecPolicyCreateiAP();
  97     ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust ref");
  98     ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor");
  99     ok(date = CFDateCreate(NULL, 484000000.0), "create date");  /* 3 May 2016 */
 100     if (!date) { goto trustFail; }
 101     ok_status(SecTrustSetVerifyDate(trust, date), "set verify date");
 102     ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate");
 103     is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
 104
 105 trustFail:
 106     CFReleaseSafe(policy);
 107     CFReleaseSafe(trust);
 108     CFReleaseSafe(certs);
 109     CFReleaseSafe(anchors);
 110     CFReleaseSafe(date);
 111
 112     /* Test interface for determining iAuth version */
 113     SecCertificateRef leaf0 = NULL, leaf1 = NULL;
 114     isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)),
 115          NULL, "create leaf0");
 116     isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)),
 117          NULL, "create leaf1");
 118
 119     is_status(SecCertificateGetiAuthVersion(leaf0), kSeciAuthVersion2, "v2 certificate");
 120     is_status(SecCertificateGetiAuthVersion(leaf1), kSeciAuthVersion2, "v2 certificate");
 121     is_status(SecCertificateGetiAuthVersion(v3leaf), kSeciAuthVersion3, "v3 certificate");
 122
 123     CFReleaseSafe(leaf0);
 124     CFReleaseSafe(leaf1);
 125
 126     /* Test the extension-copying interface */
 127     CFDataRef extensionData = NULL;
 128     uint8_t extensionValue[32] = {
 129         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 130         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A,
 131     };
 132     ok(extensionData = SecCertificateCopyiAPAuthCapabilities(v3leaf),
 133        "copy iAuthv3 extension data");
 134     is(CFDataGetLength(extensionData), 32, "compare expected size");
 135     is(memcmp(extensionValue, CFDataGetBytePtr(extensionData), 32), 0,
 136        "compare expected output");
 137     CFReleaseNull(extensionData);
 138
 139     /* Test extension-copying interface with a malformed extension. */
 140     uint8_t extensionValue2[32] = {
 141         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 142         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
 143     };
 144     SecCertificateRef malformedV3leaf = NULL;
 145     isnt(malformedV3leaf = SecCertificateCreateWithBytes(NULL, _malformedV3Leaf, sizeof(_malformedV3Leaf)),
 146          NULL, "create malformed v3 leaf");
 147     ok(extensionData = SecCertificateCopyiAPAuthCapabilities(malformedV3leaf),
 148        "copy iAuthv3 extension data for malformed leaf");
 149     is(CFDataGetLength(extensionData), 32, "compare expected size");
 150     is(memcmp(extensionValue2, CFDataGetBytePtr(extensionData), 32), 0,
 151        "compare expected output");
 152     CFReleaseNull(extensionData);
 153     CFReleaseNull(malformedV3leaf);
 154     CFReleaseSafe(v3leaf);
 155     CFReleaseSafe(v3CA);
 156 }
 157
 158 int si_22_sectrust_iap(int argc, char *const *argv)
 159 {
 160         plan_tests(14+20);
 161
 162         test_v1();
 163     test_v3();
 164
 165         return 0;
 166 }