1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 #include <AssertMacros.h>
26 #import <XCTest/XCTest.h>
27 #import <Foundation/Foundation.h>
28
29 #include <Security/SecCertificate.h>
30 #include <Security/SecCertificatePriv.h>
31 #include <Security/SecPolicyPriv.h>
32 #include <Security/SecTrustPriv.h>
33 #include <utilities/SecCFWrappers.h>
34
35 #import "TrustEvaluationTestCase.h"
36
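/**
 * Trust-evaluation tests that use the certificates in the "nist-certs"
 * resource subdirectory.
 *
 * -testPKITSCerts runs the whole directory through the shared harness. The
 * other four tests pin one property: an issuer certificate that has no
 * basicConstraints extension, or (going by the resource names) one that
 * asserts cA=FALSE, must not validate a chain even after it has been
 * explicitly trusted as an anchor. Each failure mode is checked for both
 * ways of trusting the anchor, with the test-case helper
 * -addTrustSettingsForCert: ("UserTrusted") and with
 * SecTrustSetAnchorCertificates ("AppTrusted").
 */
@interface NISTTests : TrustEvaluationTestCase
@end

@implementation NISTTests

/**
 * Runs the directory-driven certificate test over "nist-certs" with the basic
 * X.509 policy.
 *
 * The harness method is inherited and not visible in this file, so the
 * per-certificate expectations are defined there (presumably by the resource
 * naming convention; confirm against TrustEvaluationTestCase).
 */
- (void)testPKITSCerts {
    SecPolicyRef basicPolicy = SecPolicyCreateBasicX509();
    /* Fixed verification date (2011-09-01, Zulu) so the outcome does not depend on the wall clock. */
    NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));

    /* Run the tests. */
    [self runCertificateTestForDirectory:basicPolicy subDirectory:@"nist-certs" verifyDate:testDate];

    CFReleaseSafe(basicPolicy);
}

/**
 * An anchor with no basicConstraints extension must be rejected with
 * errSecNoBasicConstraints even when trust settings have been added for it.
 */
- (void)testNoBasicConstraintsAnchor_UserTrusted {
    /* NOTE(review): __bridge transfers no ownership, yet leaf and ca are
     * CFReleased below. That is balanced only if the helper is declared as
     * returning a retained object; confirm in TrustEvaluationTestCase.h. */
    SecCertificateRef leaf = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"InvalidMissingbasicConstraintsTest1EE"
                                  subdirectory:@"nist-certs"];
    SecCertificateRef ca = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"MissingbasicConstraintsCACert"
                                  subdirectory:@"nist-certs"];
    SecTrustRef trust = NULL;
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];

    XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
    XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));

    /* Trust the CA through the test-case helper; the returned reference is
     * needed to undo the change once the evaluation is done. */
    id persistentRef = [self addTrustSettingsForCert:ca];
    CFErrorRef error = NULL;
    XCTAssertFalse(SecTrustEvaluateWithError(trust, &error),
                   @"explicit trust must not make up for missing basicConstraints");
    XCTAssertNotEqual(error, NULL);
    if (error) {
        /* Pin the failure reason, so a failure for some other cause does not pass the test. */
        XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraints);
    }

    /* Remove the trust settings again so they do not leak into other tests. */
    [self removeTrustSettingsForCert:ca persistentRef:persistentRef];
    /* The trust object comes from a Create call and was never released in the original. */
    CFReleaseNull(trust);
    CFReleaseNull(leaf);
    CFReleaseNull(ca);
    CFReleaseNull(error);
}

/**
 * An anchor with no basicConstraints extension must be rejected with
 * errSecNoBasicConstraints even when the caller supplies it through
 * SecTrustSetAnchorCertificates.
 */
- (void)testNoBasicConstraintsAnchor_AppTrusted {
    /* NOTE(review): __bridge transfers no ownership, yet leaf and ca are
     * CFReleased below. That is balanced only if the helper is declared as
     * returning a retained object; confirm in TrustEvaluationTestCase.h. */
    SecCertificateRef leaf = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"InvalidMissingbasicConstraintsTest1EE"
                                  subdirectory:@"nist-certs"];
    SecCertificateRef ca = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"MissingbasicConstraintsCACert"
                                  subdirectory:@"nist-certs"];
    SecTrustRef trust = NULL;
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];
    NSArray *anchor = @[(__bridge id)ca];

    XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
    XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));
    /* The anchor is scoped to this trust object, so nothing has to be undone afterwards. */
    XCTAssertEqual(errSecSuccess, SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchor));

    CFErrorRef error = NULL;
    XCTAssertFalse(SecTrustEvaluateWithError(trust, &error),
                   @"an app-supplied anchor must not make up for missing basicConstraints");
    XCTAssertNotEqual(error, NULL);
    if (error) {
        /* Pin the failure reason, so a failure for some other cause does not pass the test. */
        XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraints);
    }

    /* The trust object comes from a Create call and was never released in the original. */
    CFReleaseNull(trust);
    CFReleaseNull(leaf);
    CFReleaseNull(ca);
    CFReleaseNull(error);
}

/**
 * An anchor whose basicConstraints do not mark it as a CA (resource
 * "basicConstraintsCriticalcAFalseCACert") must be rejected with
 * errSecNoBasicConstraintsCA even when trust settings have been added for it.
 */
- (void)testNotCABasicConstraintsAnchor_UserTrusted {
    /* NOTE(review): __bridge transfers no ownership, yet leaf and ca are
     * CFReleased below. That is balanced only if the helper is declared as
     * returning a retained object; confirm in TrustEvaluationTestCase.h. */
    SecCertificateRef leaf = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"InvalidcAFalseTest2EE"
                                  subdirectory:@"nist-certs"];
    SecCertificateRef ca = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"basicConstraintsCriticalcAFalseCACert"
                                  subdirectory:@"nist-certs"];
    SecTrustRef trust = NULL;
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];

    XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
    XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));

    /* Trust the CA through the test-case helper; the returned reference is
     * needed to undo the change once the evaluation is done. */
    id persistentRef = [self addTrustSettingsForCert:ca];
    CFErrorRef error = NULL;
    XCTAssertFalse(SecTrustEvaluateWithError(trust, &error),
                   @"explicit trust must not turn a non-CA certificate into an issuer");
    XCTAssertNotEqual(error, NULL);
    if (error) {
        /* Pin the failure reason, so a failure for some other cause does not pass the test. */
        XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraintsCA);
    }

    /* Remove the trust settings again so they do not leak into other tests. */
    [self removeTrustSettingsForCert:ca persistentRef:persistentRef];
    /* The trust object comes from a Create call and was never released in the original. */
    CFReleaseNull(trust);
    CFReleaseNull(leaf);
    CFReleaseNull(ca);
    CFReleaseNull(error);
}

/**
 * An anchor whose basicConstraints do not mark it as a CA (resource
 * "basicConstraintsCriticalcAFalseCACert") must be rejected with
 * errSecNoBasicConstraintsCA even when the caller supplies it through
 * SecTrustSetAnchorCertificates.
 */
- (void)testNotCABasicConstraintsAnchor_AppTrusted {
    /* NOTE(review): __bridge transfers no ownership, yet leaf and ca are
     * CFReleased below. That is balanced only if the helper is declared as
     * returning a retained object; confirm in TrustEvaluationTestCase.h. */
    SecCertificateRef leaf = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"InvalidcAFalseTest2EE"
                                  subdirectory:@"nist-certs"];
    SecCertificateRef ca = (__bridge SecCertificateRef)
        [self SecCertificateCreateFromResource:@"basicConstraintsCriticalcAFalseCACert"
                                  subdirectory:@"nist-certs"];
    SecTrustRef trust = NULL;
    NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];
    NSArray *anchor = @[(__bridge id)ca];

    XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
    XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));
    /* The anchor is scoped to this trust object, so nothing has to be undone afterwards. */
    XCTAssertEqual(errSecSuccess, SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchor));

    CFErrorRef error = NULL;
    XCTAssertFalse(SecTrustEvaluateWithError(trust, &error),
                   @"an app-supplied anchor must not turn a non-CA certificate into an issuer");
    XCTAssertNotEqual(error, NULL);
    if (error) {
        /* Pin the failure reason, so a failure for some other cause does not pass the test. */
        XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraintsCA);
    }

    /* The trust object comes from a Create call and was never released in the original. */
    CFReleaseNull(trust);
    CFReleaseNull(leaf);
    CFReleaseNull(ca);
    CFReleaseNull(error);
}

@end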