]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_keychain/regressions/kc-05-find-existing-items-locked.c
Security-57740.1.18.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / regressions / kc-05-find-existing-items-locked.c
1 /*
2 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the xLicense.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #import <Security/Security.h>
25 #import <Security/SecCertificatePriv.h>
26
27 #include "keychain_regressions.h"
28 #include "kc-helpers.h"
29 #include "kc-item-helpers.h"
30 #include "kc-key-helpers.h"
31
32 static void tests()
33 {
34 SecKeychainRef kc = getPopulatedTestKeychain();
35
36 CFMutableDictionaryRef query = NULL;
37 SecKeychainItemRef item = NULL;
38
39 // Perform keychain upgrade so future calls will check integrity, then lock keychain
40 query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service"), CFSTR("test_service"));
41 item = checkN(testName, query, 1);
42
43 ok_status(SecKeychainLock(kc), "%s: SecKeychainLock", testName);
44
45 // Find passwords
46 query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service"), CFSTR("test_service"));
47 item = checkN(testName, query, 1);
48 readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // keychain is locked; AuthFailed is what securityd throws if UI access is not allowed
49 CFReleaseNull(item);
50 checkPrompts(0, "after reading a password in locked keychain without UI"); // this should be 1, but is 0 due to how denying UI access works in Credentials
51
52 query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl"));
53 item = checkN(testName, query, 1);
54 readPasswordContentsWithResult(item, errSecAuthFailed, NULL);
55 CFReleaseNull(item);
56 checkPrompts(0, "trying to read password in locked keychain without UI");
57
58 query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service"), CFSTR("test_service"));
59 item = checkN(testName, query, 1);
60 readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // keychain is locked
61 CFReleaseNull(item);
62 checkPrompts(0, "after reading a password in locked keychain without UI");
63
64 query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl"));
65 item = checkN(testName, query, 1);
66 readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this
67 CFReleaseNull(item);
68 checkPrompts(0, "trying to read password in locked keychain without UI");
69
70 // Find symmetric keys
71 query = makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric);
72 item = checkN(testName, query, 2);
73 CFReleaseNull(item);
74
75 // Find asymmetric keys
76 query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic);
77 item = checkN(testName, query, 2);
78 CFReleaseNull(item);
79
80 query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate);
81 item = checkN(testName, query, 2);
82 CFReleaseNull(item);
83
84 // Find certificates
85 query = makeBaseQueryDictionary(kc, kSecClassCertificate);
86 item = checkN(testName, query, 3);
87 CFReleaseNull(item);
88
89 // ensure we can pull data from a certificate
90 query = makeBaseQueryDictionary(kc, kSecClassCertificate);
91 CFDictionarySetValue(query, kSecMatchSubjectWholeString, CFSTR("test_codesigning"));
92 item = checkN(testName, query, 1);
93 const unsigned char expectedSHA1[] = { 0x94, 0xdf, 0x22, 0x4a, 0x4d, 0x49, 0x33, 0x27, 0x9e, 0xc5, 0x7e, 0x91, 0x95, 0xcc, 0xbd, 0x51, 0x3d, 0x59, 0xae, 0x34 };
94 CFDataRef expectedSHAData = CFDataCreateWithBytesNoCopy(NULL, expectedSHA1, sizeof(expectedSHA1), kCFAllocatorNull);
95 eq_cf(SecCertificateGetSHA1Digest((SecCertificateRef) item), expectedSHAData, "%s: expected SHA1 of certificate does not match", testName);
96 CFReleaseNull(item);
97 CFReleaseNull(expectedSHAData);
98
99 checkPrompts(0, "searching keys and certificates");
100
101 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName);
102 CFReleaseNull(kc);
103 }
104 #define nTests (getPopulatedTestKeychainTests + checkNTests + 1 + \
105 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
106 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
107 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
108 checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \
109 checkNTests + \
110 checkNTests + \
111 checkNTests + \
112 checkNTests + \
113 checkNTests + 1 + \
114 checkPromptsTests + 1)
115
116 int kc_05_find_existing_items_locked(int argc, char *const *argv)
117 {
118 plan_tests(nTests);
119 initializeKeychainTests(__FUNCTION__);
120
121 tests();
122
123 deleteTestFiles();
124
125 return 0;
126 }