Security-57740.1.18.tar.gz
1 /*
2 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <AssertMacros.h>
25
26 #include <utilities/SecCFRelease.h>
27
28 #include <Security/SecBase.h>
29 #include <Security/SecImportExport.h>
30 #include <Security/SecKeychain.h>
31 #include <Security/SecCertificatePriv.h>
32 #include <Security/SecTrustSettings.h>
33 #include <Security/SecItem.h>
34 #include <Security/SecTrust.h>
35 #include <Security/SecPolicy.h>
36 #include <Security/CMSDecoder.h>
37
38 #define kSystemLoginKeychainPath "/Library/Keychains/System.keychain"
39
40 #include <test/testmore.h>
41 #include "cms-trust-settings-test.h"
42
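/*
 * Regression test, see <rdar://problem/8115188>.
 *
 * Flow:
 *   1. Build a certificate from the _cert byte array and add it to the
 *      keychain at kSystemLoginKeychainPath (despite the macro name, the path
 *      is the System keychain).
 *   2. Record a "deny" trust setting for that certificate in the admin
 *      trust-settings domain.
 *   3. Decode the _signed_message CMS blob and evaluate signer 0 against the
 *      basic X.509 policy.
 *   4. Check that the resulting trust result is kSecTrustResultDeny.
 *
 * _cert and _signed_message are not defined in this file; presumably they come
 * from cms-trust-settings-test.h and the message is signed by that
 * certificate -- confirm against the header.
 *
 * Both the keychain item and the admin trust setting are machine-wide state,
 * so the cleanup path removes each of them. The trust setting is removed only
 * if this run actually wrote it, so that an early exit cannot delete settings
 * the test never touched.
 *
 * Emits exactly 12 test points when every step is reached.
 */
static void test(void) {
    SecCertificateRef cert = NULL;
    SecKeychainRef kcRef = NULL;
    CFMutableDictionaryRef query = NULL;
    CFDictionaryRef trustSettings = NULL;
    CFArrayRef persistentRef = NULL;
    CMSDecoderRef decoder = NULL;
    SecPolicyRef policy = NULL;
    SecTrustRef trust = NULL;
    CMSSignerStatus signerStatus = kCMSSignerInvalidIndex;
    SecTrustResultType trustResult = kSecTrustResultInvalid;
    OSStatus setStatus = errSecSuccess;
    bool trustSettingsSet = false;

    /* Add cert to keychain */
    ok(cert = SecCertificateCreateWithBytes(NULL, _cert, sizeof(_cert)), "Create cert");
    ok_status(SecKeychainOpen(kSystemLoginKeychainPath, &kcRef), "Open system keychain");
    if (!kcRef) {
        goto out;
    }
    ok(query = CFDictionaryCreateMutable(NULL, 3, &kCFTypeDictionaryKeyCallBacks,
                                         &kCFTypeDictionaryValueCallBacks),
       "Create SecItem dictionary");
    if (!cert || !query) {
        /* CFDictionaryAddValue must not be handed a NULL dictionary or a NULL
         * value with the CFType callbacks; the failed ok() above has already
         * recorded the problem, so just unwind. */
        goto out;
    }
    CFDictionaryAddValue(query, kSecValueRef, cert);
    CFDictionaryAddValue(query, kSecUseKeychain, kcRef);
    CFDictionaryAddValue(query, kSecReturnPersistentRef, kCFBooleanTrue);
    /* NOTE(review): the result is stored as a CFArrayRef and indexed as an
     * array during cleanup -- confirm that is the type SecItemAdd returns for
     * this query. */
    ok_status(SecItemAdd(query, (void *)&persistentRef),
              "Add cert to system keychain");

    /* Set trust settings */
    CFStringRef temp = kSecTrustSettingsResult;
    uint32_t otherTemp = kSecTrustSettingsResultDeny;
    CFNumberRef deny = CFNumberCreate(NULL, kCFNumberSInt32Type, &otherTemp);
    trustSettings = CFDictionaryCreate(NULL, (const void **)&temp, (const void **)&deny, 1,
                                       &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFReleaseNull(deny);
    setStatus = SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, trustSettings);
    ok_status(setStatus, "Set cert as denied");
    /* Remember that the admin domain was modified so cleanup can undo it. */
    trustSettingsSet = (setStatus == errSecSuccess);
    // Wait for trustd to get the message
    sleep(1);

    /* Create the Decoder */
    ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder");
    ok_status(CMSDecoderUpdateMessage(decoder, _signed_message, sizeof(_signed_message)),
              "Update decoder with CMS message");
    ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder");

    /* Evaluate trust */
    ok(policy = SecPolicyCreateBasicX509(), "Create policy");
    ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, true, &signerStatus, &trust, NULL),
              "Copy Signer status");
    ok_status(SecTrustGetTrustResult(trust, &trustResult), "Get trust result");
    /* The user-level deny setting must win during CMS signer evaluation. */
    is(trustResult, kSecTrustResultDeny, "Not denied");

out:
    if (trustSettingsSet) {
        /* Undo the admin-domain trust setting written above. Not counted as a
         * test point (the plan stays at 12); a failure is only reported. */
        OSStatus removeStatus = SecTrustSettingsRemoveTrustSettings(cert, kSecTrustSettingsDomainAdmin);
        if (removeStatus != errSecSuccess) {
            fprintf(stderr, "Failed to remove admin trust settings for test cert: %d\n",
                    (int)removeStatus);
        }
    }
    if (persistentRef) {
        /* Delete the keychain item added above, addressed by persistent ref. */
        CFTypeRef item = CFArrayGetValueAtIndex(persistentRef, 0);
        CFDictionaryRef del = CFDictionaryCreate(NULL, (const void **)&kSecValuePersistentRef, &item, 1,
                                                 &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        SecItemDelete(del);
        CFReleaseNull(del);
    }
    CFReleaseNull(cert);
    CFReleaseNull(kcRef);
    CFReleaseNull(query);
    CFReleaseNull(persistentRef);
    CFReleaseNull(trustSettings);
    CFReleaseNull(decoder);
    CFReleaseNull(policy);
    CFReleaseNull(trust);
}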
113
/*
 * Harness entry point for the CMS trust-settings regression test.
 *
 * Announces 12 planned test points and runs test(). On non-iPhone targets the
 * run is abandoned with a message when the caller is not root; presumably this
 * is because test() writes to the System keychain and to the admin
 * trust-settings domain. argc and argv are accepted but not used.
 *
 * Always returns 0.
 */
int cms_trust_settings_test(int argc, char *const *argv) {
    plan_tests(12);

#if !TARGET_OS_IPHONE
    const uid_t caller = getuid();
    if (caller != 0) {
        /* No test points are emitted on this path. */
        fputs("Test must be run as root on OS X", stdout);
        return 0;
    }
#endif

    test();
    return 0;
}