]> git.saurik.com Git - apple/security.git/blob - tests/TrustTests/EvaluationTests/TrustEvaluationTestCase.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59306.140.5.tar.gz
[apple/security.git] / tests / TrustTests / EvaluationTests / TrustEvaluationTestCase.m
1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24 #import <XCTest/XCTest.h>
25 #include "trust/trustd/trustd_spi.h"
26 #include "trust/trustd/SecRevocationDb.h"
27 #include <Security/SecCertificatePriv.h>
28 #include <Security/SecTrustPriv.h>
29 #include <Security/SecPolicy.h>
30 #include <Security/SecTrustSettings.h>
31 #include <Security/SecTrustSettingsPriv.h>
32 #include "OSX/utilities/SecCFWrappers.h"
33 #include <dispatch/dispatch.h>
34 #include <dlfcn.h>
35
36 #if TARGET_OS_IPHONE
37 #include <Security/SecTrustStore.h>
38 #else
39 #define kSystemLoginKeychainPath "/Library/Keychains/System.keychain"
40 #include <Security/SecKeychain.h>
41 #endif
42
43 #import "../TestMacroConversions.h"
44 #import "TrustEvaluationTestCase.h"
45
46 @implementation TrustEvaluationTestCase
47
48 static int current_dir = -1;
49 static char *home_var = NULL;
50
51 /* Build in trustd functionality to the tests */
52 + (void) setUp {
53 /* Set up TMP directory for trustd's files */
54 int ok = 0;
55 NSError* error = nil;
56 NSString* pid = [NSString stringWithFormat: @"tst-%d", [[NSProcessInfo processInfo] processIdentifier]];
57 NSURL* tmpDirURL = [[NSURL fileURLWithPath:NSTemporaryDirectory() isDirectory:YES] URLByAppendingPathComponent:pid];
58 ok = (bool)tmpDirURL;
59
60 if (current_dir == -1 && home_var == NULL) {
61 ok = ok && [[NSFileManager defaultManager] createDirectoryAtURL:tmpDirURL
62 withIntermediateDirectories:NO
63 attributes:NULL
64 error:&error];
65
66 NSURL* libraryURL = [tmpDirURL URLByAppendingPathComponent:@"Library"];
67 NSURL* preferencesURL = [tmpDirURL URLByAppendingPathComponent:@"Preferences"];
68
69 ok = (ok && (current_dir = open(".", O_RDONLY) >= 0)
70 && (chdir([tmpDirURL fileSystemRepresentation]) >= 0)
71 && (setenv("HOME", [tmpDirURL fileSystemRepresentation], 1) >= 0)
72 && (bool)(home_var = getenv("HOME")));
73
74 ok = ok && [[NSFileManager defaultManager] createDirectoryAtURL:libraryURL
75 withIntermediateDirectories:NO
76 attributes:NULL
77 error:&error];
78
79 ok = ok && [[NSFileManager defaultManager] createDirectoryAtURL:preferencesURL
80 withIntermediateDirectories:NO
81 attributes:NULL
82 error:&error];
83 }
84
85 /* Use the production Valid DB by default (so we'll have data to test against) */
86 CFPreferencesSetAppValue(CFSTR("ValidUpdateServer"), kValidUpdateProdServer, kSecurityPreferencesDomain);
87 CFPreferencesAppSynchronize(kSecurityPreferencesDomain);
88
89 if (ok > 0) {
90 /* Be trustd */
91 trustd_init((__bridge CFURLRef) tmpDirURL);
92 }
93 }
94
95 - (id)addTrustSettingsForCert:(SecCertificateRef)cert trustSettings:(id)trustSettings
96 {
97 #if TARGET_OS_IPHONE
98 SecTrustStoreRef defaultStore = SecTrustStoreForDomain(kSecTrustStoreDomainUser);
99 OSStatus status = SecTrustStoreSetTrustSettings(defaultStore, cert, (__bridge CFTypeRef)trustSettings);
100 XCTAssert(errSecSuccess == status, "failed to set trust settings: %d", (int)status);
101 return nil;
102 #else
103 /* Since we're putting trust settings in the admin domain,
104 * we need to add the certs to the system keychain. */
105 SecKeychainRef kcRef = NULL;
106 CFArrayRef certRef = NULL;
107 NSDictionary *attrs = nil;
108
109 SecKeychainOpen(kSystemLoginKeychainPath, &kcRef);
110 if (!kcRef) {
111 return nil;
112 }
113
114 /* Since we're interacting with the keychain we need a framework cert */
115 SecCertificateRef frameworkCert = SecFrameworkCertificateCreateFromTestCert(cert);
116 attrs = @{(__bridge NSString*)kSecValueRef: (__bridge id)frameworkCert,
117 (__bridge NSString*)kSecUseKeychain: (__bridge id)kcRef,
118 (__bridge NSString*)kSecReturnPersistentRef: @YES};
119 OSStatus status = SecItemAdd((CFDictionaryRef)attrs, (void *)&certRef);
120 XCTAssert(errSecSuccess == status, "failed to add cert to keychain: %d", status);
121 id result = ((__bridge NSArray*)certRef)[0];
122 CFReleaseNull(kcRef);
123 CFReleaseNull(certRef);
124
125 status = SecTrustSettingsSetTrustSettings(frameworkCert, kSecTrustSettingsDomainAdmin,
126 (__bridge CFTypeRef)trustSettings);
127 XCTAssert(errSecSuccess == status, "failed to set trust settings: %d", status);
128 usleep(20000);
129
130 CFReleaseNull(frameworkCert);
131 return result;
132 #endif
133 }
134
135
136 - (id)addTrustSettingsForCert:(SecCertificateRef)cert
137 {
138 NSDictionary *trustSettings = @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot)};
139 Boolean isSelfSigned = false;
140 XCTAssert(errSecSuccess == SecCertificateIsSelfSigned(cert, &isSelfSigned));
141 if (!isSelfSigned) {
142 trustSettings = @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot)};
143 }
144
145 return [self addTrustSettingsForCert:cert trustSettings:trustSettings];
146 }
147
148 - (void)removeTrustSettingsForCert:(SecCertificateRef)cert persistentRef:(id)persistentRef
149 {
150 #if TARGET_OS_IPHONE
151 SecTrustStoreRef defaultStore = SecTrustStoreForDomain(kSecTrustStoreDomainUser);
152 XCTAssert(errSecSuccess == SecTrustStoreRemoveCertificate(defaultStore, cert), "failed to remove trust settings");
153 #else
154 SecCertificateRef frameworkCert = SecFrameworkCertificateCreateFromTestCert(cert);
155 XCTAssert(errSecSuccess == SecTrustSettingsRemoveTrustSettings(frameworkCert, kSecTrustSettingsDomainAdmin),
156 "failed to remove trust settings");
157 XCTAssert(errSecSuccess == SecItemDelete((CFDictionaryRef)@{ (__bridge NSString*)kSecValuePersistentRef: persistentRef}),
158 "failed to remove item from keychain");
159 CFReleaseNull(frameworkCert);
160 #endif
161 }
162
163 const CFStringRef kSecurityPreferencesDomain = CFSTR("com.apple.security");
164 const CFStringRef kTestSystemRootKey = CFSTR("TestSystemRoot");
165
166 - (void)setTestRootAsSystem:(const uint8_t *)sha256hash
167 {
168 NSData *rootHash = [NSData dataWithBytes:sha256hash length:32];
169 CFPreferencesSetAppValue(kTestSystemRootKey, (__bridge CFDataRef)rootHash, kSecurityPreferencesDomain);
170 CFPreferencesAppSynchronize(kSecurityPreferencesDomain);
171 }
172
173 - (void)removeTestRootAsSystem
174 {
175 CFPreferencesSetAppValue(kTestSystemRootKey, NULL, kSecurityPreferencesDomain);
176 CFPreferencesAppSynchronize(kSecurityPreferencesDomain);
177 }
178
179 - (id _Nullable) CF_RETURNS_RETAINED SecCertificateCreateFromResource:(NSString *)name
180 subdirectory:(NSString *)dir
181 {
182 NSURL *url = [[NSBundle bundleForClass:[self class]] URLForResource:name withExtension:@".cer"
183 subdirectory:dir];
184 if (!url) {
185 url = [[NSBundle bundleForClass:[self class]] URLForResource:name withExtension:@".crt"
186 subdirectory:dir];
187 }
188 NSData *certData = [NSData dataWithContentsOfURL:url];
189 if (!certData) {
190 return nil;
191 }
192 SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certData);
193 return (__bridge id)cert;
194 }
195
196 - (id _Nullable) CF_RETURNS_RETAINED SecCertificateCreateFromPEMResource:(NSString *)name
197 subdirectory:(NSString *)dir
198 {
199 NSURL *url = [[NSBundle bundleForClass:[self class]] URLForResource:name withExtension:@".pem"
200 subdirectory:dir];
201 NSData *certData = [NSData dataWithContentsOfURL:url];
202 if (!certData) {
203 return nil;
204 }
205
206 SecCertificateRef cert = SecCertificateCreateWithPEM(kCFAllocatorDefault, (__bridge CFDataRef)certData);
207 return (__bridge id)cert;
208 }
209
210 /* MARK: run test methods from regressionBase */
211 - (void)runOneLeafTest:(SecPolicyRef)policy
212 anchors:(NSArray *)anchors
213 intermediates:(NSArray *)intermediates
214 leafPath:(NSString *)path
215 expectedResult:(bool)expectedResult
216 expectations:(NSObject *)expectations
217 verifyDate:(NSDate *)date
218 {
219 NSString* fileName = [path lastPathComponent];
220 NSString *reason = NULL;
221 SecTrustRef trustRef = NULL;
222 NSMutableArray* certArray = NULL;
223 SecCertificateRef certRef = NULL;
224 CFErrorRef error = NULL;
225
226 if (expectations) {
227 if ([expectations isKindOfClass: [NSString class]]) {
228 reason = (NSString *)expectations;
229 } else if ([expectations isKindOfClass: [NSDictionary class]]) {
230 NSDictionary *dict = (NSDictionary *)expectations;
231 NSObject *value = [dict valueForKey:@"valid"];
232 if (value) {
233 if ([value isKindOfClass: [NSNumber class]]) {
234 expectedResult = [(NSNumber *)value boolValue];
235 } else {
236 NSLog(@"Unexpected valid value %@ in dict for key %@", value, fileName);
237 }
238 }
239 value = [dict valueForKey:@"reason"];
240 if (value) {
241 if ([value isKindOfClass: [NSString class]]) {
242 reason = (NSString *)value;
243 } else {
244 NSLog(@"Unexpected reason value %@ in dict for key %@", value, fileName);
245 }
246 }
247 } else if ([expectations isKindOfClass: [NSNumber class]]) {
248 expectedResult = [(NSNumber *)expectations boolValue];
249 } else {
250 NSLog(@"Unexpected class %@ value %@ for key %@", [expectations class], expectations, fileName);
251 }
252 }
253
254 certRef = SecCertificateCreateWithData(NULL, (CFDataRef)[NSData dataWithContentsOfFile:path]);
255 if (!certRef) {
256 if (reason) {
257 fail("TODO test: %@ unable to create certificate, %@", fileName, reason);
258 } else {
259 fail("PARSE %@ unable to create certificate", fileName);
260 }
261 goto exit;
262 }
263
264 certArray = [NSMutableArray arrayWithArray:intermediates];
265 [certArray insertObject:(__bridge id)certRef atIndex:0]; //The certificate to be verified must be the first in the array.
266
267 OSStatus err;
268 err = SecTrustCreateWithCertificates((__bridge CFTypeRef _Nonnull)(certArray), policy, &trustRef);
269 if (err) {
270 ok_status(err, "SecTrustCreateWithCertificates");
271 goto exit;
272 }
273 if ([anchors count])
274 SecTrustSetAnchorCertificates(trustRef, (CFArrayRef)anchors);
275
276 SecTrustSetVerifyDate(trustRef, (__bridge CFDateRef)date);
277
278 BOOL isValid = SecTrustEvaluateWithError(trustRef, &error);
279 if (reason) {
280 XCTAssertFalse(isValid == expectedResult, "TODO test: %@%@", fileName, error);
281 } else {
282 ok(isValid == expectedResult, "%s %@%@", expectedResult ? "REGRESSION" : "SECURITY", fileName, error);
283 }
284
285 exit:
286 CFReleaseSafe(trustRef);
287 CFReleaseSafe(certRef);
288 CFReleaseSafe(error);
289 }
290
291 - (void)runCertificateTestFor:(SecPolicyRef)policy
292 anchors:(NSArray *)anchors
293 intermediates:(NSArray *)intermediates
294 leafPaths:(NSMutableArray *)leafPaths
295 expectations:(NSDictionary *)expect
296 verifyDate:(NSDate *)date
297 {
298 /* Sort the tests by name. */
299 [leafPaths sortUsingSelector:@selector(compare:)];
300
301 for (NSString* path in leafPaths) {
302 NSString* fileName = [path lastPathComponent];
303 [self runOneLeafTest:policy anchors:anchors intermediates:intermediates leafPath:path expectedResult:![fileName hasPrefix:@"Invalid"] expectations:[expect objectForKey:fileName] verifyDate:date];
304 }
305 }
306
307
308 - (void)runCertificateTestForDirectory:(SecPolicyRef)policy subDirectory:(NSString *)resourceSubDirectory verifyDate:(NSDate*)date
309 {
310 NSMutableArray* allRoots = [NSMutableArray array];
311 NSMutableArray* allCAs = [NSMutableArray array];
312 NSMutableArray* certTests = [NSMutableArray array];
313 NSDictionary* expect = NULL;
314
315 NSURL* filesDirectory = [[[NSBundle bundleForClass:[self class]] resourceURL] URLByAppendingPathComponent:resourceSubDirectory];
316 for (NSURL* fileURL in [[NSFileManager defaultManager] contentsOfDirectoryAtURL:filesDirectory includingPropertiesForKeys:[NSArray array] options:NSDirectoryEnumerationSkipsSubdirectoryDescendants error:nil]) {
317 NSString* path = [fileURL path];
318 if ([path hasSuffix:@"Cert.crt"]) {
319 SecCertificateRef certRef = SecCertificateCreateWithData(NULL, (CFDataRef)[NSData dataWithContentsOfFile:path]);
320 [allCAs addObject:(__bridge id)certRef];
321 CFReleaseNull(certRef);
322 } else if ([path hasSuffix:@"RootCertificate.crt"]) {
323 SecCertificateRef certRef = SecCertificateCreateWithData(NULL, (CFDataRef)[NSData dataWithContentsOfFile:path]);
324 [allRoots addObject:(__bridge id)certRef];
325 CFReleaseNull(certRef);
326 } else if ([path hasSuffix:@".crt"]) {
327 [certTests addObject:path];
328 } else if ([path hasSuffix:@".plist"]) {
329 if (expect) {
330 fail("Multiple .plist files found in %@", filesDirectory);
331 } else {
332 expect = [NSDictionary dictionaryWithContentsOfFile:path];
333 }
334 }
335 }
336
337 [self runCertificateTestFor:policy anchors:allRoots intermediates:allCAs leafPaths:certTests expectations:expect verifyDate:date];
338 }
339
340 @end
341
342 typedef SecCertificateRef (*create_f)(CFAllocatorRef allocator,
343 const UInt8 *der_bytes, CFIndex der_length);
344 CF_RETURNS_RETAINED _Nullable
345 SecCertificateRef SecFrameworkCertificateCreate(const uint8_t * _Nonnull der_bytes, CFIndex der_length) {
346 static create_f FrameworkCertCreateFunctionPtr = NULL;
347 static dispatch_once_t onceToken;
348
349 dispatch_once(&onceToken, ^{
350 void *framework = dlopen("/System/Library/Frameworks/Security.framework/Security", RTLD_LAZY);
351 if (framework) {
352 FrameworkCertCreateFunctionPtr = dlsym(framework, "SecCertificateCreateWithBytes");
353 }
354 });
355
356 if (FrameworkCertCreateFunctionPtr) {
357 return FrameworkCertCreateFunctionPtr(NULL, der_bytes, der_length);
358 } else {
359 NSLog(@"WARNING: not using Security framework certificate");
360 return SecCertificateCreateWithBytes(NULL, der_bytes, der_length);
361 }
362 }
363
364 SecCertificateRef SecFrameworkCertificateCreateFromTestCert(SecCertificateRef cert) {
365 return SecFrameworkCertificateCreate(SecCertificateGetBytePtr(cert), SecCertificateGetLength(cert));
366 }
mirror of Security