2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 #include <AssertMacros.h>
26 #import <XCTest/XCTest.h>
27 #import <Foundation/Foundation.h>
29 #include <Security/SecCertificate.h>
30 #include <Security/SecCertificatePriv.h>
31 #include <Security/SecPolicyPriv.h>
32 #include <Security/SecTrustPriv.h>
33 #include <utilities/SecCFWrappers.h>
35 #import "TrustEvaluationTestCase.h"
37 @interface NISTTests : TrustEvaluationTestCase
40 @implementation NISTTests
// Runs the directory-driven certificate test over the bundled "nist-certs"
// resources using the basic X.509 policy and a pinned verification date.
// The pass/fail logic lives in -runCertificateTestForDirectory:subDirectory:verifyDate:,
// which is not defined in this listing (presumably inherited from
// TrustEvaluationTestCase; confirm there).
42 - (void)testPKITSCerts {
43 SecPolicyRef basicPolicy = SecPolicyCreateBasicX509();
    // Evaluation time is fixed at 2011-09-01 rather than "now", so results do not
    // drift with the wall clock. NOTE(review): presumably chosen to fall inside the
    // validity window of the test certificates; confirm against the fixtures.
44 NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
47 [self runCertificateTestForDirectory:basicPolicy subDirectory:@"nist-certs" verifyDate:testDate];
    // basicPolicy came from a Create function, so this test owns it and must release it.
49 CFReleaseSafe(basicPolicy);
// Negative test: a CA certificate that lacks the basicConstraints extension
// (per its resource name) must not validate a chain even after trust settings
// have been added for it. Evaluation is expected to fail with
// errSecNoBasicConstraints, i.e. explicit trust does not waive the check.
52 - (void)testNoBasicConstraintsAnchor_UserTrusted {
    // __bridge casts transfer no ownership; who owns leaf/ca depends on the helper's
    // return convention, which is not visible in this listing.
53 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"InvalidMissingbasicConstraintsTest1EE"
54 subdirectory:@"nist-certs"];
55 SecCertificateRef ca = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"MissingbasicConstraintsCACert"
56 subdirectory:@"nist-certs"];
57 SecTrustRef trust = NULL;
58 NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];
    // No explicit policy is passed (NULL); the chain input is leaf followed by the CA.
60 XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    // Pin the verification time to 2011-09-01 so the result does not depend on the current date.
61 NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
62 XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));
    // Helper defined outside this listing; presumably installs user trust settings for
    // the CA and returns a handle used to remove them again below. Confirm in the base class.
64 id persistentRef = [self addTrustSettingsForCert:ca];
65 CFErrorRef error = nil;
    // The security property under test: evaluation must fail despite the trust settings.
66 XCTAssertFalse(SecTrustEvaluateWithError(trust, &error));
67 XCTAssertNotEqual(error, NULL);
    // NOTE(review): the listing skips original line 68, so whether this call is guarded
    // by a NULL check is not visible. XCTest continues after a failed assertion by
    // default, so an unguarded CFErrorGetCode(NULL) would crash the test run.
69 XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraints);
    // Cleanup of the trust settings added above. NOTE(review): if the test dies before
    // this line, the settings for a deliberately invalid CA could remain installed;
    // consider registering the removal with -addTeardownBlock: instead.
72 [self removeTrustSettingsForCert:ca persistentRef:persistentRef];
// Negative test: a CA certificate that lacks the basicConstraints extension
// (per its resource name) must not validate a chain even when the caller
// supplies it as an anchor on the trust object. Evaluation is expected to
// fail with errSecNoBasicConstraints.
78 - (void)testNoBasicConstraintsAnchor_AppTrusted {
    // __bridge casts transfer no ownership; who owns leaf/ca depends on the helper's
    // return convention, which is not visible in this listing.
79 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"InvalidMissingbasicConstraintsTest1EE"
80 subdirectory:@"nist-certs"];
81 SecCertificateRef ca = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"MissingbasicConstraintsCACert"
82 subdirectory:@"nist-certs"];
83 SecTrustRef trust = NULL;
84 NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];
85 NSArray *anchor = @[(__bridge id)ca];
    // No explicit policy is passed (NULL); the chain input is leaf followed by the CA.
87 XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    // Pin the verification time to 2011-09-01 so the result does not depend on the current date.
88 NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
89 XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));
    // The anchor is set on this trust object only; no persistent trust settings are
    // touched, so nothing has to be removed afterwards.
90 XCTAssertEqual(errSecSuccess, SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchor));
92 CFErrorRef error = nil;
    // The security property under test: an app-supplied anchor does not waive the check.
93 XCTAssertFalse(SecTrustEvaluateWithError(trust, &error));
94 XCTAssertNotEqual(error, NULL);
    // NOTE(review): the listing skips original line 95, so whether this call is guarded
    // by a NULL check is not visible. XCTest continues after a failed assertion by
    // default, so an unguarded CFErrorGetCode(NULL) would crash the test run.
96 XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraints);
    // The CFError returned by SecTrustEvaluateWithError is owned by the caller.
101 CFReleaseNull(error);
// Negative test: a certificate whose basicConstraints extension is critical
// with cA set to FALSE (per its resource name) must not act as an issuer even
// after trust settings have been added for it. Evaluation is expected to fail
// with errSecNoBasicConstraintsCA.
104 - (void)testNotCABasicConstraintsAnchor_UserTrusted {
    // __bridge casts transfer no ownership; who owns leaf/ca depends on the helper's
    // return convention, which is not visible in this listing.
105 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"InvalidcAFalseTest2EE"
106 subdirectory:@"nist-certs"];
107 SecCertificateRef ca = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"basicConstraintsCriticalcAFalseCACert"
108 subdirectory:@"nist-certs"];
109 SecTrustRef trust = NULL;
110 NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];
    // No explicit policy is passed (NULL); the chain input is leaf followed by the CA.
112 XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    // Pin the verification time to 2011-09-01 so the result does not depend on the current date.
113 NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
114 XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));
    // Helper defined outside this listing; presumably installs user trust settings for
    // the CA and returns a handle used to remove them again below. Confirm in the base class.
116 id persistentRef = [self addTrustSettingsForCert:ca];
117 CFErrorRef error = nil;
    // The security property under test: evaluation must fail despite the trust settings.
118 XCTAssertFalse(SecTrustEvaluateWithError(trust, &error));
119 XCTAssertNotEqual(error, NULL);
    // NOTE(review): the listing skips original line 120, so whether this call is guarded
    // by a NULL check is not visible. XCTest continues after a failed assertion by
    // default, so an unguarded CFErrorGetCode(NULL) would crash the test run.
121 XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraintsCA);
    // Cleanup of the trust settings added above. NOTE(review): if the test dies before
    // this line, the settings for a deliberately invalid CA could remain installed;
    // consider registering the removal with -addTeardownBlock: instead.
124 [self removeTrustSettingsForCert:ca persistentRef:persistentRef];
    // The CFError returned by SecTrustEvaluateWithError is owned by the caller.
127 CFReleaseNull(error);
// Negative test: a certificate whose basicConstraints extension is critical
// with cA set to FALSE (per its resource name) must not act as an issuer even
// when the caller supplies it as an anchor on the trust object. Evaluation is
// expected to fail with errSecNoBasicConstraintsCA.
130 - (void)testNotCABasicConstraintsAnchor_AppTrusted {
    // __bridge casts transfer no ownership; who owns leaf/ca depends on the helper's
    // return convention, which is not visible in this listing.
131 SecCertificateRef leaf = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"InvalidcAFalseTest2EE"
132 subdirectory:@"nist-certs"];
133 SecCertificateRef ca = (__bridge SecCertificateRef)[self SecCertificateCreateFromResource:@"basicConstraintsCriticalcAFalseCACert"
134 subdirectory:@"nist-certs"];
135 SecTrustRef trust = NULL;
136 NSArray *certs = @[(__bridge id)leaf, (__bridge id)ca];
137 NSArray *anchor = @[(__bridge id)ca];
    // No explicit policy is passed (NULL); the chain input is leaf followed by the CA.
139 XCTAssertEqual(errSecSuccess, SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, NULL, &trust));
    // Pin the verification time to 2011-09-01 so the result does not depend on the current date.
140 NSDate *testDate = CFBridgingRelease(CFDateCreateForGregorianZuluDay(NULL, 2011, 9, 1));
141 XCTAssertEqual(errSecSuccess, SecTrustSetVerifyDate(trust, (__bridge CFDateRef)testDate));
    // The anchor is set on this trust object only; no persistent trust settings are
    // touched, so nothing has to be removed afterwards.
142 XCTAssertEqual(errSecSuccess, SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchor));
144 CFErrorRef error = nil;
    // The security property under test: an app-supplied anchor does not waive the check.
145 XCTAssertFalse(SecTrustEvaluateWithError(trust, &error));
146 XCTAssertNotEqual(error, NULL);
    // NOTE(review): the listing skips original line 147, so whether this call is guarded
    // by a NULL check is not visible. XCTest continues after a failed assertion by
    // default, so an unguarded CFErrorGetCode(NULL) would crash the test run.
148 XCTAssertEqual(CFErrorGetCode(error), errSecNoBasicConstraintsCA);
    // The CFError returned by SecTrustEvaluateWithError is owned by the caller.
153 CFReleaseNull(error);