2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 #include <AssertMacros.h>
26 #import <XCTest/XCTest.h>
27 #include <Security/SecCertificatePriv.h>
28 #include <utilities/SecCFRelease.h>
29 #include "../TestMacroConversions.h"
31 #include "TrustEvaluationTestCase.h"
32 #include "PathParseTests_data.h"
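// Bundle subdirectory holding the certificates that testPathParseFailure expects
// trust evaluation to reject.
// Declared `NSString * const` (constant pointer) so the path cannot be reassigned
// at runtime; `const NSString *` would leave the variable itself writable.
NSString * const kSecTestPathFailureResources = @"si-18-certificate-parse/PathFailureCerts";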
36 @interface PathParseTests : TrustEvaluationTestCase
40 @implementation PathParseTests
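/// Checks that every certificate in the PathFailureCerts resource directory is
/// rejected by basic X.509 trust evaluation when anchored to the bundled test root.
///
/// A fixture counts as covered only if it loads as a SecCertificateRef and
/// SecTrustEvaluateWithError then returns false for it.
- (void)testPathParseFailure {
    NSArray <NSURL *>* certURLs = nil;
    SecCertificateRef root = nil;

    NSURL *rootURL = [[NSBundle bundleForClass:[self class]] URLForResource:@"root" withExtension:@".cer" subdirectory:@"si-18-certificate-parse"];
    XCTAssert(root = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)[NSData dataWithContentsOfURL:rootURL]), "Unable to create root cert");
    certURLs = [[NSBundle bundleForClass:[self class]] URLsForResourcesWithExtension:@".cer" subdirectory:(NSString *)kSecTestPathFailureResources];
    // An empty fixture directory has to fail the test; otherwise the loop below
    // would never run and the test would pass without checking anything.
    XCTAssertTrue([certURLs count] > 0, "Unable to find parse test failure certs in bundle.");

    if (root && [certURLs count] > 0) {
        [certURLs enumerateObjectsUsingBlock:^(NSURL *url, __unused NSUInteger idx, __unused BOOL *stop) {
            NSData *certData = [NSData dataWithContentsOfURL:url];
            SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
            SecTrustRef trust = NULL;
            SecPolicyRef policy = SecPolicyCreateBasicX509();

            // Check the parse result before it is used, so that a fixture which
            // does not load is reported with this message instead of surfacing
            // indirectly from the trust calls below.
            require_action(cert, blockOut,
                           fail("Failed to parse cert with SPKI error: %@", url));

            require_noerr_action(SecTrustCreateWithCertificates(cert, policy, &trust), blockOut,
                                 fail("Unable to create trust with certificate: %@", url));
            // Only the bundled test root is supplied as an anchor, so the result
            // does not depend on the system trust store.
            require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)[NSArray arrayWithObject:(__bridge id)root]),
                                 blockOut, fail("Unable to set trust in root cert: %@", url));
            // Fixed verification time (late January 2017) keeps the verdict
            // independent of the wall clock.
            // NOTE(review): presumably inside the fixtures' validity window - confirm.
            require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:507200000.0]),
                                 blockOut, fail("Unable to set verify date: %@", url));
            // NOTE(review): only the verdict is asserted. The error is not captured,
            // so a fixture that is rejected for an unrelated reason still passes here.
            XCTAssertFalse(SecTrustEvaluateWithError(trust, NULL), "Got wrong trust result for %@", url);

        blockOut:
            // Release every Core Foundation object created in this iteration,
            // on the failure paths as well as on success.
            CFReleaseNull(cert);
            CFReleaseNull(trust);
            CFReleaseNull(policy);
        }];
    }

    CFReleaseNull(root);
}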
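/// Checks that a leaf certificate built from the `_bad_extension_leaf` bytes is
/// rejected by basic X.509 trust evaluation against the bundled test root, and
/// that the reported error code is errSecUnknownCertExtension.
///
/// Asserting the error code, not just the failed verdict, ties the rejection to
/// the extension handling rather than to some unrelated evaluation failure.
- (void)testUnparseableExtensions {
    // NOTE(review): _bad_extension_leaf is not defined in this file; presumably it
    // comes from PathParseTests_data.h - confirm.
    SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _bad_extension_leaf, sizeof(_bad_extension_leaf));
    SecCertificateRef root = NULL;
    SecTrustRef trust = NULL;
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    CFErrorRef error = NULL;
    // Declared before the first jump to errOut so that no goto bypasses the
    // initialisation of an ARC-managed variable.
    NSArray *anchors = nil;

    NSURL *rootURL = [[NSBundle bundleForClass:[self class]] URLForResource:@"root" withExtension:@".cer" subdirectory:@"si-18-certificate-parse"];
    XCTAssert(root = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)[NSData dataWithContentsOfURL:rootURL]), "Unable to create root cert");
    // XCTAssert records the failure but, unless the test case disables
    // continueAfterFailure, execution carries on. Placing a nil root in the array
    // literal below would raise an exception, so stop here instead.
    if (root == NULL) {
        goto errOut;
    }
    anchors = @[(__bridge id)root];

    require_noerr_action(SecTrustCreateWithCertificates(leaf, policy, &trust), errOut,
                         fail("Unable to create trust with certificate with unparseable extension"));
    // Only the bundled test root is supplied as an anchor, so the result does
    // not depend on the system trust store.
    require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors),
                         errOut, fail("Unable to set trust anchors"));
    // Fixed verification time (late January 2017) keeps the verdict independent
    // of the wall clock.
    require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:507200000.0]),
                         errOut, fail("Unable to set verify date"));
    XCTAssertFalse(SecTrustEvaluateWithError(trust, &error), "Got wrong trust result cert");
    XCTAssert(error != NULL);
    // Read the code only when an error object was returned: passing NULL to
    // CFErrorGetCode would crash the test process instead of recording a failure.
    if (error != NULL) {
        XCTAssert(CFErrorGetCode(error) == errSecUnknownCertExtension);
    }

errOut:
    // Release every Core Foundation object created above, on the failure paths
    // as well as on success.
    CFReleaseNull(leaf);
    CFReleaseNull(root);
    CFReleaseNull(policy);
    CFReleaseNull(trust);
    CFReleaseNull(error);
}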