--- /dev/null
+/*
+ * Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+
+#import "SecTransform.h"
+#import "SecCustomTransform.h"
+#import "SecDigestTransform.h"
+#import "SecEncryptTransform.h"
+#import "SecEncodeTransform.h"
+#import "SecDecodeTransform.h"
+#import "SecSignVerifyTransform.h"
+#import "SecNullTransform.h"
+#import "SecExternalSourceTransform.h"
+#import <Security/SecItem.h>
+#import "misc.h"
+#import "Utilities.h"
+#import "SecNullTransform.h"
+#include "regex.h"
+#include <dispatch/dispatch.h>
+#import "SecMaskGenerationFunctionTransform.h"
+#import "SecTransformInternal.h"
+#import "custom.h"
+#include "SecTransformReadTransform.h"
+#import "SecTransformValidator.h"
+#include <sys/types.h>
+#include <sys/sysctl.h>
+#include <ctype.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <CommonCrypto/CommonCryptor.h>
+#include <sys/stat.h>
+#import "NSData+HexString.h"
+#include <CoreFoundation/CFBase.h>
+#include <CoreFoundation/CFData.h>
+#include <CoreFoundation/CFRuntime.h>
+
+// compatibility layer
+struct SecTransformCreateBlockParameters {
+ CFTypeRef (^send)(SecTransformStringOrAttributeRef attribute, SecTransformMetaAttributeType type, CFTypeRef value);
+ CFTypeRef (^get)(SecTransformStringOrAttributeRef attribute, SecTransformMetaAttributeType type);
+ CFTypeRef (^pushback)(SecTransformStringOrAttributeRef attribute, CFTypeRef value);
+ CFErrorRef (^overrideTransform)(CFStringRef action, SecTransformActionBlock newAction);
+ CFErrorRef (^overrideAttribute)(CFStringRef action, SecTransformStringOrAttributeRef attribute, SecTransformAttributeActionBlock newAction);
+};
+
+typedef void (^SecTransformCreateBlock)(CFStringRef name, SecTransformRef new_transform, const SecTransformCreateBlockParameters *params);
+
+SecTransformCreateBlock global_create_block;
+
+static SecTransformInstanceBlock block_for_custom_transform(CFStringRef name, SecTransformRef tr, SecTransformImplementationRef ir)
+{
+ SecTransformInstanceBlock b = ^{
+ // XXX: leak, need to override Finalize and clean up… (and need to handle caller overriding finalize…)
+ SecTransformCreateBlockParameters *params = static_cast<SecTransformCreateBlockParameters *>(malloc(sizeof(SecTransformCreateBlockParameters)));
+
+ params->overrideAttribute = ^(CFStringRef action, SecTransformStringOrAttributeRef attribute, SecTransformAttributeActionBlock newAction) {
+ // We don't need to special case ProcessData to call SecTransformSetDataAction as there are no longer any uses of it
+ return SecTransformSetAttributeAction(ir, action, attribute, newAction);
+ };
+
+ params->overrideTransform = ^(CFStringRef action, SecTransformActionBlock newAction) {
+ return SecTransformSetTransformAction(ir, action, newAction);
+ };
+
+ params->get = ^(SecTransformStringOrAttributeRef attribute, SecTransformMetaAttributeType type) {
+ return SecTranformCustomGetAttribute(ir, attribute, type);
+ };
+
+ params->send = ^(SecTransformStringOrAttributeRef attribute, SecTransformMetaAttributeType type, CFTypeRef value) {
+ return SecTransformCustomSetAttribute(ir, attribute, type, value);
+ };
+
+ params->pushback = ^(SecTransformStringOrAttributeRef attribute, CFTypeRef value) {
+ return SecTransformPushbackAttribute(ir, attribute, value);
+ };
+
+ params->overrideAttribute = Block_copy(params->overrideAttribute);
+ params->overrideTransform = Block_copy(params->overrideTransform);
+ params->get = Block_copy(params->get);
+ params->send = Block_copy(params->send);
+ params->pushback = Block_copy(params->pushback);
+
+ global_create_block(name, tr, params);
+
+ return (CFErrorRef)NULL;
+ };
+
+ return Block_copy(b);
+}
+
+// Sort of a bridge from the old Custom SPI to the new API, but is also
+// useful when you REALLY need to access stack locals as __block variables,
+// but don't need multithreading, or generic internalizing.
+static SecTransformRef custom_transform(CFStringRef base_name, SecTransformCreateBlock cb)
+{
+ static int ct_cnt = 0;
+ static dispatch_queue_t cnt_q = dispatch_queue_create("com.apple.security.custom_trasnform-cnt", 0);
+ __block CFStringRef name = NULL;
+ __block SecTransformRef ret = NULL;
+
+ dispatch_sync(cnt_q, ^{
+ CFErrorRef err = NULL;
+
+ name = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@.%d"), base_name, ct_cnt++);
+ global_create_block = cb;
+ if (SecTransformRegister(name, block_for_custom_transform, &err)) {
+ ret = SecTransformCreate(name, &err);
+ if (err) {
+ CFfprintf(stderr, "Error %@ creating %@\n", err, base_name);
+ CFRelease(err);
+ }
+ } else {
+ CFfprintf(stderr, "Error %@ registering %@\n", err, base_name);
+ CFRelease(err);
+ }
+ global_create_block = NULL;
+ CFRelease(name);
+ });
+
+ return ret;
+}
+
+
+#define STAssertErrorHas(err, rx, msg...) STAssertTrue(ErrorHas(err, rx), ##msg);
+
+static BOOL ErrorHas(NSError *error, NSString *rx) {
+ if (!error) {
+ return NO;
+ }
+ if (![error isKindOfClass:[NSError class]]) {
+ return NO;
+ }
+
+ NSString *es = [error description];
+ if (!es) {
+ return NO;
+ }
+ return [es rangeOfString:rx options:NSRegularExpressionSearch].location != NSNotFound;
+}
+
+
+static SecTransformInstanceBlock DelayTransformBlock(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+
+
+ SecTransformSetDataAction(ref, kSecTransformActionProcessData,
+ ^(CFTypeRef value)
+ {
+
+ if (NULL != value && CFNumberGetTypeID() == CFGetTypeID(value))
+ {
+ long long n;
+ CFNumberGetValue((CFNumberRef)value, kCFNumberLongLongType, &n);
+ usleep((useconds_t)(n / NSEC_PER_USEC));
+ }
+
+ return value;
+ });
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+static SecTransformRef delay_transform(long long nsec) {
+ CFStringRef name = CFSTR("com.apple.security.unit-test.delay");
+
+
+
+ static dispatch_once_t once;
+ __block Boolean ok = TRUE;
+
+ dispatch_block_t aBlock = ^
+ {
+ ok = SecTransformRegister(name, &DelayTransformBlock, NULL);
+ };
+
+ dispatch_once(&once, aBlock);
+
+ if (!ok)
+ {
+ return NULL;
+ }
+
+ SecTransformRef ct = SecTransformCreate(name, NULL);
+ CFNumberRef nr = CFNumberCreate(NULL, kCFNumberLongLongType, &nsec);
+ SecTransformSetAttribute(ct, CFSTR("DELAY"), nr, NULL);
+ CFRelease(nr);
+
+ return ct;
+}
+
+@implementation custom
+
+class BufferStream
+{
+protected:
+ const char* mBuffer;
+ size_t mLength;
+ size_t mStringLength;
+ size_t mPos;
+
+ char *mCurrentString;
+
+public:
+ BufferStream(const char* buffer, size_t length) : mBuffer(buffer), mLength(length), mStringLength(0), mPos(0), mCurrentString(NULL) {}
+ ~BufferStream();
+
+ const char* GetNextString();
+ void SplitString(const char*& stringA, const char*& stringB);
+};
+
+
+
+BufferStream::~BufferStream()
+{
+ if (NULL != mCurrentString)
+ {
+ free(mCurrentString);
+ }
+}
+
+
+
+const char* BufferStream::GetNextString()
+{
+ size_t p = mPos;
+ if (p >= mLength)
+ {
+ return NULL; // eof
+ }
+
+ // run to either the end of the buffer or a return
+ while (p < mLength && mBuffer[p] != '\n')
+ {
+ p += 1;
+ }
+
+ if (p != mLength)
+ {
+ // handle the end of the buffer specially, since it doesn't point
+ // to valid space
+ p -= 1;
+ }
+
+ // p now points to the last character in the string
+ // allocate memory for our buffer
+ mStringLength = p - mPos + 1;
+ mCurrentString = (char*) realloc(mCurrentString, mStringLength + 1);
+ memmove(mCurrentString, mBuffer + mPos, mStringLength);
+ mCurrentString[mStringLength] = 0;
+ mPos = p + 2;
+
+ return mCurrentString;
+}
+
+
+
+void BufferStream::SplitString(const char*& a, const char*& b)
+{
+ // scan the buffer, looking for a ':'
+ size_t p = 0;
+ while (mCurrentString[p] != 0 && mCurrentString[p] != ':')
+ {
+ p += 1;
+ }
+
+ // the first string is always our buffer pointer
+ a = mCurrentString;
+
+ if (mCurrentString[p] == ':')
+ {
+ mCurrentString[p] = 0;
+
+ // look for the beginning of the next string
+ p += 1;
+ while (p < mLength && isspace(mCurrentString[p]))
+ {
+ p += 1;
+ }
+
+ b = mCurrentString + p;
+ }
+ else
+ {
+ b = NULL;
+ }
+}
+
+
+
+-(void)disabledtestzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+{
+ // open leaks and make a connection to it.
+ char* name;
+
+ const int kChunkSize = 16384;
+ char buffer[kChunkSize];
+ pid_t thePid = getpid();
+ asprintf(&name, "/tmp/leaks%d.txt", thePid);
+ sprintf(buffer, "/usr/bin/leaks %d >%s", thePid, name);
+ system(buffer);
+
+ struct stat st;
+ stat(name, &st);
+
+ char* rBuffer = (char*) malloc((size_t)st.st_size);
+ FILE* f = fopen(name, "r");
+ fread(rBuffer, 1, (size_t)st.st_size, f);
+ fclose(f);
+
+ // set up our output parser
+ BufferStream bStream(rBuffer, (size_t)st.st_size);
+ const char* s = bStream.GetNextString();
+
+ bool didError = true;
+
+ if (NULL != s)
+ {
+ // we have our string, split it and see what it means
+ const char* key;
+ const char* value;
+
+ bStream.SplitString(key, value);
+ if (strcmp(key, "leaks Report Version") != 0 || strcmp(value, "2.0") != 0)
+ {
+ didError = true;
+ }
+ else
+ {
+ didError = false;
+ }
+ }
+
+ if (!didError)
+ {
+ const char* key;
+ const char* value;
+
+ // figure out what our target line will look like
+ char* target;
+ asprintf(&target, "Process %d", thePid);
+
+ const char* nextString = bStream.GetNextString();
+ while (nextString)
+ {
+ bStream.SplitString(key, value);
+ if (strcmp(key, target) == 0) // we found our target!!!
+ {
+ // do it again
+ bStream.GetNextString();
+ bStream.SplitString(key, value);
+
+ if (value[0] != '0') // we have a non-zero result... :(
+ {
+ didError = true;
+ }
+ }
+
+ nextString = bStream.GetNextString();
+ }
+
+ free(target);
+ }
+
+ STAssertFalse(didError, @"You have leaks!");
+
+ if (didError)
+ {
+ // dump to our output file
+ // make a file name for the leaks output
+ FILE* f = fopen(name, "w");
+ fwrite(rBuffer, 1, (size_t)st.st_size, f);
+ fclose(f);
+ }
+ else
+ {
+ unlink(name);
+ }
+
+ free(name);
+}
+
+
+
+static const char* gHMACText = "The judicial Power shall extend to all Cases, in "
+ "Law and Equity, arising under this Constitution, "
+ "the Laws of the United States, and Treaties made, "
+ "or which shall be made, under their Authority;--to "
+ "all Cases affecting Ambassadors, other public "
+ "Ministers and Consuls;--to all Cases of admiralty "
+ "and maritime Jurisdiction;--to Controversies to "
+ "which the United States shall be a Party;--to "
+ "Controversies between two or more States;-- "
+ "between a State and Citizens of another State, "
+ "--between Citizens of different States,-- "
+ "between Citizens of the same State claiming Lands "
+ "under Grants of different States, and between a "
+ "State, or the Citizens thereof, and foreign "
+ "States, Citizens or Subjects";
+
+const NSString* gAbortTransformName = (NSString*) kSecTransformAbortAttributeName;
+
+static const char* gHMACKey = "No person shall be held to answer for a capital, or "
+ "otherwise infamous crime, unless on a presentment "
+ "or indictment of a Grand Jury, except in cases "
+ "arising in the land or naval forces, or in the "
+ "Militia, when in actual service in time of War or "
+ "public danger; nor shall any person be subject for "
+ "the same offence to be twice put in jeopardy of life "
+ "or limb; nor shall be compelled in any criminal case "
+ "to be a witness against himself, nor be deprived of "
+ "life, liberty, or property, without due process of "
+ "law; nor shall private property be taken for public "
+ "use, without just compensation.";
+
+static const u_int8_t gSHA1HMAC[] = {0x2f, 0x68, 0x4b, 0x6b, 0x4f,
+ 0xf7, 0x41, 0xc3, 0x76, 0x3d,
+ 0x0b, 0xc3, 0x25, 0x02, 0x99,
+ 0x03, 0xfa, 0xa5, 0xe9, 0xde};
+
+static const u_int8_t gSHA256HMAC[] = {0xc2, 0x5c, 0x9a, 0x65, 0x08, 0x9e, 0x61, 0xb5,
+ 0x03, 0xfe, 0xcb, 0x57, 0xb7, 0x55, 0x4f, 0x69,
+ 0xdb, 0xef, 0xdb, 0xe7, 0x0d, 0xe2, 0x78, 0x2e,
+ 0xf9, 0x48, 0xbd, 0xf6, 0x4f, 0x4b, 0x94, 0x0c};
+-(void)testPaddings
+{
+ CFStringRef paddings[] = {kSecPaddingNoneKey, kSecPaddingPKCS7Key, kSecPaddingPKCS5Key, kSecPaddingPKCS1Key};
+
+ for(int i = 0; i < sizeof(paddings) / sizeof(*paddings); i++) {
+ CFErrorRef error = NULL;
+ SecKeyRef cryptokey = NULL;
+ SecTransformRef encrypt = NULL, decrypt = NULL;
+ CFDataRef cfdatacryptokey = NULL, sourceData = NULL, encryptedData = NULL, decryptedData = NULL;
+ const uint8_t rawcryptokey[16] = { 63, 17, 27, 99, 185, 231, 1, 191, 217, 74, 141, 16, 12, 99, 253, 41 }; // 128-bit AES key.
+ const char *sourceCString = "All these worlds are yours except Europa."; // I'm not so sure about that Earth one either
+
+ CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(
+ kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+
+ CFDictionarySetValue(parameters, kSecAttrKeyType, kSecAttrKeyTypeAES);
+
+ cfdatacryptokey = CFDataCreate(kCFAllocatorDefault, rawcryptokey,
+ sizeof(rawcryptokey));
+ cryptokey = SecKeyCreateFromData(parameters,
+ cfdatacryptokey, &error);
+ STAssertNil((id)error, @"Unexpected SecKeyCreateFromData error: %@", error);
+
+ size_t len = strlen(sourceCString) +1;
+ if (paddings[i] == kSecPaddingNoneKey) {
+ STAssertTrue(len >= kCCBlockSizeAES128, @"Had at least one block");
+ // Get to an AES block multiple, discarding bytes wildly.
+ len -= len % kCCBlockSizeAES128;
+ }
+ sourceData = (CFDataRef)[NSData dataWithBytes:sourceCString length:len];
+
+ encrypt = SecEncryptTransformCreate(cryptokey, &error);
+ STAssertNil((id)error, @"Unexpected error creating encrypt transform: %@", error);
+ decrypt = SecDecryptTransformCreate(cryptokey, &error);
+ STAssertNil((id)error, @"Unexpected error creating decrypt transform: %@", error);
+
+ /* Set the padding on the transforms */
+ SecTransformSetAttribute(encrypt, kSecPaddingKey, paddings[i], &error);
+ STAssertNil((id)error, @"Couldn't set encrypt padding to %@: %@", paddings[i], error);
+ SecTransformSetAttribute(decrypt, kSecPaddingKey, paddings[i], &error);
+ STAssertNil((id)error, @"Couldn't set decrypt padding to %@: %@", paddings[i], error);
+
+ SecTransformSetAttribute(encrypt, kSecTransformInputAttributeName, sourceData, &error);
+ STAssertNil((id)error, @"Couldn't set encrypt transform input: %@", error);
+
+ encryptedData = (CFDataRef)SecTransformExecute(encrypt, &error);
+ STAssertNil((id)error, @"Couldn't execute encrypt: %@ (padding %@)", paddings[i], error);
+ STAssertNotNil((id)encryptedData, @"Didn't get encrypted data");
+
+ SecTransformSetAttribute(decrypt, kSecTransformInputAttributeName, encryptedData, &error);
+ STAssertNil((id)error, @"Couldn't set decrypt transform input: %@", error);
+
+ decryptedData = (CFDataRef)SecTransformExecute(decrypt, &error);
+ STAssertNil((id)error, @"Couldn't execute decrypt: %@", error);
+ STAssertNotNil((id)decryptedData, @"Didn't get decrypt data");
+
+ STAssertEqualObjects((id)decryptedData, (id)sourceData, @"Decrypt output didn't match encrypt input for padding %@", paddings[i]);
+ }
+}
+
+static SecTransformInstanceBlock nopInstance(CFStringRef name, SecTransformRef newTransform, SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock = ^{
+ return (CFErrorRef)NULL;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+
+-(void)test_manyregister
+{
+ dispatch_apply(4000, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, NULL), ^(size_t i) {
+ NSString *name = [NSString stringWithFormat:@"many%luregister", i];
+ CFErrorRef err = NULL;
+ BOOL ok = SecTransformRegister((CFStringRef)name, nopInstance, &err);
+ STAssertTrue(ok, @"register not ok");
+ STAssertNil((id)err, @"register error: %@", err);
+ });
+}
+
+-(void)test_emptyOAEP
+{
+ SecKeychainRef tmp_keychain = NULL;
+ char *kcfname;
+ asprintf(&kcfname, "%s-OAEP-XXXXXXXXXX", "/tmp/");
+ const char *passwd = "sekret";
+ // NOTE: "mktemp" isn't as safe as you might think...but this is test code and doesn't have to be, but
+ // if you copy it elsewhere you may well need to rewrite it. (use mkstemp)
+ mktemp(kcfname);
+ OSStatus status = SecKeychainCreate(kcfname, (UInt32)strlen(passwd), passwd, NO, NULL, &tmp_keychain);
+ STAssertTrue(status == 0, @"Expected to make keychain, but got error 0x%x", status);
+
+ const char *pem_key_bytes[] = {
+ // From the spec
+ "-----BEGIN PUBLIC KEY-----\nMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC7+C8JBoLOnCM4rCudqHH3No0H\n7tQQQ6RA1rbwdFT1H7jfuq8DXAKrYepIzutvzUh27VINYOHsRhlxnYpbi4B/r7jg\no9/HN3I+5rS32TolhO5qZJ0GCVN0iDSyRUWYOU7gqrEte2GlH1J6mkH2wWh/4lNy\nmMoqj1lG+OX9CR29ywIBEQ==\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICWwIBAAKBgQC7+C8JBoLOnCM4rCudqHH3No0H7tQQQ6RA1rbwdFT1H7jfuq8D\nXAKrYepIzutvzUh27VINYOHsRhlxnYpbi4B/r7jgo9/HN3I+5rS32TolhO5qZJ0G\nCVN0iDSyRUWYOU7gqrEte2GlH1J6mkH2wWh/4lNymMoqj1lG+OX9CR29ywIBEQKB\ngQCl2vxTQfryicS5iNswwc34PzElHgZotCeEgTgBV5ZBspQQs8eZjWvEZXReXDkm\nadaHDaLAgqk543/cuC7JPtrJf/OtWVCsz7wRHHbxqVKUROVqr2jFbAks043DvvXS\nCpOZJu1PdKE+3fvhoc7MSJSvlCjCt7iIP+RGOkvIWxyzwQJBAO7ProGxubPJCIEL\nEKG1YAGZ659ErvT9pJO4Gp49hPYyEk7wI25dHjt+KPrnqgQKLVslIXZFnR85dUG6\nKlj7ZZkCQQDJf7HwJ/RT9jQSM+qq0dk1P2xC0IhmsdBaDyA1AoudhphAtBZmtC6S\n6g2jtDIEtc/OM1JSTQQWpaRB5wCvRhUDAkBUSUymProDN+TiQCP81ppa6wfd3AGD\npNCsm1SwUfKxPtlJCXXqt3QU/1nB92kumi4gKzj8kQpHQXStyTwfZ8mBAkBHHgKQ\n/wrwdQNRt/h4hkypYa29Oop+mRxcBVapTDFGp/mAP49viuNC6TH9iuR6Ig0bmaSV\nhJgH/jn5JFqYNto9AkEAsGxP2rtjARmNJlvbrpQjs4Dycfc0U4hQkwd/zTniEZ/J\nhjIVT1iDsWepZ79AK06eLg+WVuaY6jZm7fsleYA59w==\n-----END RSA PRIVATE KEY-----\n",
+ NULL,
+ };
+ struct key_pair {
+ SecKeyRef pubKey, privKey;
+ };
+ key_pair keys[1];
+
+ int i;
+ for(i = 0; i < sizeof(keys)/sizeof(key_pair); i++) {
+ NSAssert(pem_key_bytes[i] != NULL, @"Expected a key");
+ NSLog(@"Importing: %s", pem_key_bytes[i]);
+ CFDataRef pem_data = CFDataCreate(NULL, (UInt8*)(pem_key_bytes[i]), strlen(pem_key_bytes[i]));
+ SecKeyImportExportParameters import_params;
+ bzero(&import_params, sizeof(import_params));
+
+ import_params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ import_params.keyUsage = CSSM_KEYUSE_ANY;
+ import_params.keyAttributes = CSSM_KEYATTR_PERMANENT|CSSM_KEYATTR_SENSITIVE;
+ import_params.accessRef = NULL;
+ import_params.passphrase = CFSTR("");
+ import_params.alertPrompt = CFSTR("");
+
+ CFArrayRef keypair = NULL;
+ SecExternalFormat key_format = kSecFormatOpenSSL;
+ SecExternalItemType itemType = kSecItemTypeUnknown;
+ status = SecKeychainItemImport(pem_data, CFSTR(".pem"), &key_format, &itemType, 0, &import_params, tmp_keychain, &keypair);
+ STAssertTrue(status == 0, @"Expected pubkey import to be ok, got err=0x%x", status);
+ NSAssert(keypair != NULL, @"Expected to get some keys back");
+ STAssertNotNil((id)keypair, @"Expected to get some keys back");
+ STAssertTrue(CFArrayGetCount(keypair) == 2, @"Expected 2 keys, got %@", keypair);
+ keys[i].pubKey = (SecKeyRef)CFArrayGetValueAtIndex(keypair, 0);
+ keys[i].privKey = (SecKeyRef)CFArrayGetValueAtIndex(keypair, 1);
+ }
+ STAssertNil((id)pem_key_bytes[i], @"Expected to convert all pem keys, but found at least: %s", pem_key_bytes[i]);
+ CFDataRef encoding_parameters = CFDataCreate(NULL, NULL, 0);
+
+
+ CFErrorRef err = NULL;
+
+ SecTransformRef encryptor = SecEncryptTransformCreate(keys[0].pubKey, &err);
+
+ CFReadStreamRef empty_stream = CFReadStreamCreateWithBytesNoCopy(NULL, (UInt8*)"", 0, kCFAllocatorNull);
+ SecTransformSetAttribute(encryptor, kSecTransformInputAttributeName, empty_stream, &err);
+ SecTransformSetAttribute(encryptor, kSecPaddingKey, kSecPaddingOAEPKey, &err);
+ SecTransformSetAttribute(encryptor, kSecOAEPEncodingParametersAttributeName, encoding_parameters, &err);
+
+ CFTypeRef encryptedData = SecTransformExecute(encryptor, &err);
+ STAssertNotNil((id)encryptedData, @"Expected to get encrypted data");
+ STAssertNil((NSError*)err, @"Expected no error, got err=%@", err);
+ // Can't support "seed" with commoncrypto, just check round trip.
+ //STAssertEqualObjects((id)encryptedData, (id)tests[i].encryptedMessage, @"encrypted data should have matched test vector (%@) data", tests[i].label);
+ CFRelease(encryptor);
+
+ SecTransformRef decryptor = SecDecryptTransformCreate(keys[0].privKey, NULL);
+ // XXX: totally round trip, not even partial KAT (KAT can't really be done on OAEP
+ // without supporitng settign the seed externally)
+ SecTransformSetAttribute(decryptor, kSecTransformInputAttributeName, encryptedData, NULL);
+ SecTransformSetAttribute(decryptor, kSecPaddingKey, kSecPaddingOAEPKey, NULL);
+ SecTransformSetAttribute(decryptor, kSecOAEPEncodingParametersAttributeName, encoding_parameters, NULL);
+ CFTypeRef decryptedData = SecTransformExecute(decryptor, &err);
+ STAssertNil((id)err, @"Expected no error, got: %@", err);
+ STAssertNotNil((id)decryptedData, @"Expected to get decrypted data");
+ // What do we expect an empty enc/dec to look like? Mostly "not a crash"
+ CFDataRef empty_data = CFDataCreate(NULL, (UInt8*)"", 0);
+ STAssertEqualObjects((id)decryptedData, (id)empty_data, @"Expected decrypted data to match original message");
+ CFRelease(decryptor);
+ sleep(5);
+
+ return;
+}
+
+-(void)testzzzzZZZZ
+{
+ // Give xcode a little time to parse all the output before the unit tests exit
+ sleep(2);
+}
+
+-(void)test_multiOAEP
+{
+ SecKeychainRef tmp_keychain = NULL;
+ char *kcfname;
+ asprintf(&kcfname, "%s-OAEP-XXXXXXXXXX", "/tmp/");
+ const char *passwd = "sekret";
+ // NOTE: "mktemp" isn't as safe as you might think...but this is test code and doesn't have to be, but
+ // if you copy it elsewhere you may well need to rewrite it. (use mkstemp)
+ mktemp(kcfname);
+ OSStatus status = SecKeychainCreate(kcfname, (UInt32)strlen(passwd), passwd, NO, NULL, &tmp_keychain);
+ STAssertTrue(status == 0, @"Expected to make keychain, but got error 0x%x", status);
+
+ const char *pem_key_bytes[] = {
+ // From the spec
+ "-----BEGIN PUBLIC KEY-----\nMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC7+C8JBoLOnCM4rCudqHH3No0H\n7tQQQ6RA1rbwdFT1H7jfuq8DXAKrYepIzutvzUh27VINYOHsRhlxnYpbi4B/r7jg\no9/HN3I+5rS32TolhO5qZJ0GCVN0iDSyRUWYOU7gqrEte2GlH1J6mkH2wWh/4lNy\nmMoqj1lG+OX9CR29ywIBEQ==\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICWwIBAAKBgQC7+C8JBoLOnCM4rCudqHH3No0H7tQQQ6RA1rbwdFT1H7jfuq8D\nXAKrYepIzutvzUh27VINYOHsRhlxnYpbi4B/r7jgo9/HN3I+5rS32TolhO5qZJ0G\nCVN0iDSyRUWYOU7gqrEte2GlH1J6mkH2wWh/4lNymMoqj1lG+OX9CR29ywIBEQKB\ngQCl2vxTQfryicS5iNswwc34PzElHgZotCeEgTgBV5ZBspQQs8eZjWvEZXReXDkm\nadaHDaLAgqk543/cuC7JPtrJf/OtWVCsz7wRHHbxqVKUROVqr2jFbAks043DvvXS\nCpOZJu1PdKE+3fvhoc7MSJSvlCjCt7iIP+RGOkvIWxyzwQJBAO7ProGxubPJCIEL\nEKG1YAGZ659ErvT9pJO4Gp49hPYyEk7wI25dHjt+KPrnqgQKLVslIXZFnR85dUG6\nKlj7ZZkCQQDJf7HwJ/RT9jQSM+qq0dk1P2xC0IhmsdBaDyA1AoudhphAtBZmtC6S\n6g2jtDIEtc/OM1JSTQQWpaRB5wCvRhUDAkBUSUymProDN+TiQCP81ppa6wfd3AGD\npNCsm1SwUfKxPtlJCXXqt3QU/1nB92kumi4gKzj8kQpHQXStyTwfZ8mBAkBHHgKQ\n/wrwdQNRt/h4hkypYa29Oop+mRxcBVapTDFGp/mAP49viuNC6TH9iuR6Ig0bmaSV\nhJgH/jn5JFqYNto9AkEAsGxP2rtjARmNJlvbrpQjs4Dycfc0U4hQkwd/zTniEZ/J\nhjIVT1iDsWepZ79AK06eLg+WVuaY6jZm7fsleYA59w==\n-----END RSA PRIVATE KEY-----\n",
+ // The next 10 are from oaep-vect.txt (via a lot of OpenSSL higgerdy-jiggerdey)
+ "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCos7KEr461CzhwNKhg8UbEkZ8x\nh2PNbFWYyK5IEaHgq8TH4LCC1pOl5/ztZ1z0ZoUSdywMvGSnQsbGMPUzyMxy9iro\nM8QL8lhC6YS7eL2/l8AQfVW9tmL1xOD6uYRctRSO9zkt06r/k64ea2Z7s9QkdhbU\n9boQ1M/SJt6I058W+wIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCos7KEr461CzhwNKhg8UbEkZ8xh2PNbFWYyK5IEaHgq8TH4LCC\n1pOl5/ztZ1z0ZoUSdywMvGSnQsbGMPUzyMxy9iroM8QL8lhC6YS7eL2/l8AQfVW9\ntmL1xOD6uYRctRSO9zkt06r/k64ea2Z7s9QkdhbU9boQ1M/SJt6I058W+wIDAQAB\nAoGAUzOc/befyEZqZVxzFqyoXFX9j23YmP2vEZUX709S6P2OJY35P+4YD6Dkqylp\nPNg7FSpVPUrE0YEri5+lrw5/Vf5zBN9BVwkm8zEfFcTWWnMsSDEW7j09LQrzVJrZ\nv3y/t4rYhPhNW+sEck3HNpsx3vN9DPU56c/N095lNynq1dECQQDTJzfnJn/+E0Gy\n1cDRUKgbWG+zEyvtL41SYoZKnLnzCvOL5EhZjUE6Fy77gCwhrPHBHFIMLyakcdyt\nIS6sfKOdAkEAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeR\nZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwJADhK/FxjpzvVZm6HDiC/oBGqQh07v\nzo8szCDk8nQfsKM6OEiuyckwX77L0tdoGZZ9RnGsxkMeQDeWjbN4eOaVwQJBAJUp\new+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMT\nhrfjVMiZ9fESyoXXFYMCQE9FbFAkk73A7Sq3VqOm7U1nNSppfUIW6TISsSemPVQR\nzm+pjV2+/XMmPjcoFCdDgYFm7X3WNofdKoyh0vT72OE=\n-----END RSA PRIVATE KEY-----\n",
+ "RSA key ok\n-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQGUfH/OkEJfRyeecIUfJdXmIxb+\nih3xk3Hj5ijiYFQ+SQHvYIH2jAuBQRkNKujaun0SUOxttjbpROw3Iod8fB0KZ/FL\nFpTF8DeUUaQ+SaMt3oNnC3PakaHJm8I7Q2pgBVxhDwuvmcGgeVZblaPxUmYy0dTa\nYPIO2iXmU8TwAnZvRQIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQGUfH/OkEJfRyeecIUfJdXmIxb+ih3xk3Hj5ijiYFQ+SQHvYIH2\njAuBQRkNKujaun0SUOxttjbpROw3Iod8fB0KZ/FLFpTF8DeUUaQ+SaMt3oNnC3Pa\nkaHJm8I7Q2pgBVxhDwuvmcGgeVZblaPxUmYy0dTaYPIO2iXmU8TwAnZvRQIDAQAB\nAoGAaHJZomJX8Thzf5M4nNltSXcIKgRKRSY4w4ucRRBw0ICTslduV9bD5cWEjYTm\nCg0b3M3ur0ndFhFJGdedusRlzrJ3phMQcCvg8AygYOPN4gqYbIqz7xshfRxwQoGT\nGwFbOc4FQzlmlGna+VJDZ8sxykucXXKZh+wfN0vR7xXmj6UCQQFZ294Eoz7wb7YI\nuAsZD00+IrzBOsjkoIEDOr+kFu2wsziqCLVzCepaUkDn3G5UN4xpQUwx2X3bH0Bt\ns3acxBpDAkEBK2UvMEA7OLQJlf1v9BoazIracDcyNrcgLTmy7jDPtG2wlRH28wfM\nYcwhYGwYp1uKYvgi3wMboN8Nr9VQb1aL1wJAQ271CN5zZRnC2kxYDZjILLdFKj+1\n763Ducd4mhvGWE95Wt270yQ5x0aGVS7LbCwwek069/U57sFXJIx7MfGiVQJBASsV\nqJ89+ys5Bz5z8CvdDBp7N53UNfBc3eLv+eRilIt87GLukFDV4IFuB4WoVrSRCNy3\nXzaDh00cpjKaGQEwZv8CQAJw2xfVkUsBjXYRiyQ4mnNQ7INrAGOiFyEjb9jtttib\nUefuuHthG3Eyy36nNWwjFRwed1FQfHhtnuF5QXCoyOg=\n-----END RSA PRIVATE KEY-----\n",
+ "RSA key ok\n-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQK1j+wDmoYHAKTXtkYvk+bN1JEW\nHd109OgQtA48FlIAalwneyd0wRMFpMurWnjvpX4XqG33o/o2/EsdIknyLsfC3WpG\nMjKszqkG1m6+gLVwSxBynab4MyNKu1791KKSy/rTO00z+noUuMOXtW46zSEgNCi3\nfN+jOm2nBrPYsPxD6QIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQK1j+wDmoYHAKTXtkYvk+bN1JEWHd109OgQtA48FlIAalwneyd0\nwRMFpMurWnjvpX4XqG33o/o2/EsdIknyLsfC3WpGMjKszqkG1m6+gLVwSxBynab4\nMyNKu1791KKSy/rTO00z+noUuMOXtW46zSEgNCi3fN+jOm2nBrPYsPxD6QIDAQAB\nAoGAFbSKW1aDqUZw4jtXGPgU+g4T+FA49QcRGCy6YVEFgfPSLH4jLvk34i5VHWi4\nbi+MsarYvi5Ij13379J54/Vo1Orzb4DPcUGs5g/MkRP7bEqEH9ULvHxRL/y+/yFI\neqgR6zyoxiAFNGqG3oa/odipSP0/NIwi6q3zM8PObOEyCP0CQQG/AdIW1zWVzwJw\nwr63jUCg2ER9MdqRmpg/fup4G3fYX+Nxs+k3PntpIX0xUKAtiVjef62dVVFglYtE\nVBJ+Dn6vAkEBjTOZZYFm2zgpgW17KVQWdZ6ckZh/Wy2K7NY7BLSL17L88im7f4pt\nyIuhPdLjmtVbbRoGFgcI+XAL6AuP03RM5wJABsCiSdIKby7nXIi0lNU/aq6ZqkJ8\niMKLFjp2lEXl85DPQMJ0/W6mMppc58fOA6IVg5buKnhFeG4J4ohalyjk5QJBANHS\nfCn+3ZLYbDSO3QzL+sFPdG4FHOHRgR3zXWHy7hyX1L8oBIAvZCcYe6jpCor0QkO0\nB5sDRF5gLin6UZPmT+kCQQCMsvdWvYlBsdO3cOWtMe43Oyis2mn/m29A/leLnxr7\nhYNvlifTes/3PCd55jS7JgEcLI9/M2GuKp6mXtaJ42Oa\n-----END RSA PRIVATE KEY-----\n",
+ "RSA key ok\n-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQUSQLbMAAT6SNATRnHAeMfI3sOz\n4vJbwlZEZzOds4hT0GuF7qWy3jU7/0KsLka8l/rmrJYY2pU3pcj1U8HjV2JZkdYQ\njc14hfs6JUE/U+/K2UjLNc2bmunBxnYm0RPVfd5MW+p2u1u33pbADQc3LpaFptdc\n+dI5+hSNcJMbXz+wOQIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQUSQLbMAAT6SNATRnHAeMfI3sOz4vJbwlZEZzOds4hT0GuF7qWy\n3jU7/0KsLka8l/rmrJYY2pU3pcj1U8HjV2JZkdYQjc14hfs6JUE/U+/K2UjLNc2b\nmunBxnYm0RPVfd5MW+p2u1u33pbADQc3LpaFptdc+dI5+hSNcJMbXz+wOQIDAQAB\nAoGBAQs6yuW+80dZiYsOKwgFVIpiYEI86so8fGlkHNnPRLaL5jYRY4Yn+yk4Z87t\nT54uYnTs/ZBsHd7wfycQcI6NRC5hgVY5sbQKDJDJIHgDPvxewvmE+mgbRFo7v4RH\nGGacGivrZVhXdDMpOm3KyxRfToWUJIq6IhT0AeURYrezGJABAkECdFjBnsFjaRnn\nNsmvJdYJpRuPVh0Zxr9pQ90e4auKSj8jIQC9QLiN7Ma6I1VItu95KhHJ3oI9Cnki\nxwlbbrpXAQJBAhDumzOrYXFuJ9JRvUZfSzWhojLi2gCQHClL8iNQzkkNCZ9kK1N1\nYS22O6HyA4ZJK/BNNLPCK865CdE0QbU7UTkCQDn6AouCbojBEht1CoskL6mjXFtm\nvf0fpjfTzEioSk9FehlOdyfkn3vMblpaQSZX/EcMcyLrw3QW70WMMHqMCQECQQFd\nmahBlZQ5efqeG+LDwbafQy9G/QPkfVvvu7/WsdE3HYPvszCj4CCUKy/tEV5dAr4k\n/ZLJAZ0c7NbdTPHlTMiZAkEB8LcBUXCz9eQiI7owMBxBpth8u3DjDLfTxn0lRz2x\n9svwPj+RJuPpeWgnmoZbLCtCZSTPxSpoPTHtMOuYS+QSug==\n-----END RSA PRIVATE KEY-----\n",
+ "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQqt8/nBJeXYkfMaxEjpk97+WA+A\nK0X51/IrpQIenEdXa1oeaAMbqdtObavk2Wodbz0mcmjP9AgAXxGO/K25mIjRwjRG\ncWayorhJoFqInAYKwNoMX66LVfMJumLnA3QvoDJvLRCwEQIUif9Jd3AZDYlf059S\nKTw579c6aYvaufEO2QIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXwIBAAKBgQqt8/nBJeXYkfMaxEjpk97+WA+AK0X51/IrpQIenEdXa1oeaAMb\nqdtObavk2Wodbz0mcmjP9AgAXxGO/K25mIjRwjRGcWayorhJoFqInAYKwNoMX66L\nVfMJumLnA3QvoDJvLRCwEQIUif9Jd3AZDYlf059SKTw579c6aYvaufEO2QIDAQAB\nAoGBAlbrTLpwZ/LSvlQNzf9FgqNrfTHRyQmbshS3mEhGaiaPgPWKSawEwONkiTSg\nIGwEU3wZsjZkOmCCcyFE33X6IXWI95RoK+iRaCdtxybFwMvbhNMbvybQpDr0lXF/\nfVKKz+40FWH2/zyuBcV4+EcNloL5wNBy+fYGi1bViA9oK+LFAkEDsNOWL20XVJy/\nyhEpQ0jc8Ofjn4wrxoJPIWS2BtaHhg2uHmMjk8/t9RMigikGni9g5KzX5jOkNgY/\ngjhfSJk3BwJBAuTDLi9Rcmm3ByMJ8AwOMTZffOKLI2uCkS3yOavzlXLPDtYEsCmC\n5TVkxS1qBTl95cBSov3cFB73GJg2NGrrMx8CQQHoSxGdJRYfpnsAJWpb2bZF0rIy\n7LBbAVGAApqIYircPwmzrqzeYWGrfN4iwq0m53l99U4HLL07JnOACz5DONvVAkEA\n65CqGkATW0zqBxl87ciBm+Hny/8lR2YhFvRlpKn0h6sS87pP7xOCImWmUpfZi3ve\n2TcuP/6Bo4s+lgD+0FV1TwJBAS9/gTj5QEBi64WkKSRSCzj1u4hqAZb0i7jc6mD9\nkswCfxjngVijSlxdX4YKD2wEBxp9ATEsBlBi8etIt50cg8s=\n-----END RSA PRIVATE KEY-----\n",
+ "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgRKxf22tLs0Z/0bcE/eGDwng4M+2\nd7OKUlkjBc6vAiwWbbkNBKwp4z990S2fr2bggWu2Pq0mfMfUbBfDe+IUvKKiLXI6\nZOREB0Nrb8llcprvwlVPN2zV3OpoKTeApivznQApSFoWC7ueXcCXLSGlBPUuXuAo\nqkFjMvUQsunP9fcirwIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXwIBAAKBgRKxf22tLs0Z/0bcE/eGDwng4M+2d7OKUlkjBc6vAiwWbbkNBKwp\n4z990S2fr2bggWu2Pq0mfMfUbBfDe+IUvKKiLXI6ZOREB0Nrb8llcprvwlVPN2zV\n3OpoKTeApivznQApSFoWC7ueXcCXLSGlBPUuXuAoqkFjMvUQsunP9fcirwIDAQAB\nAoGBApXso1YGGDaVWc7NMDqpz9r8HZ8GlZ33X/75KaqJaWG80ZDcaZftp/WWPnJN\nB7TcEfMGXlrpfZaDURIoC5CEuxTyoh69ToidQbnEEy7BlW/KuLsv7QV1iEk2Uixf\n99MyYZBIJOfK3uTguzctJFfPeOK9EoYij/g/EHMc5jyQz/P5AkEEps6Lc1jfppvc\n90JhcAWvtThfXzpYok73SiKowFy3zDjr1Mydmp14mmLND2Dwy5QdNCPJaS76T+Ot\n/ykMR0mjiwJBBATJqAM3H+20xb4588ALAJ5eCKY74eQANc2spQEcxwHPfuvLmfD/\n4Xz9Ckv3vv0t1TaslG23l/28Sr6PKTSbke0CQQOWHI92CqK9UVTHqv13Ils7rNAT\nmue1lI6jMR/M2G+5XHWvp2coS5st5VlXLxXY0ETH64Ohvl+t8sw3fA2EdSlLAkEC\nIZfgZnQhlqq8A/ov7rTnCxXLeH1hes0xu3XHvCNK1wb3xI0hgtHw/5wijc9Blnts\nC6bSwK0RChuFeDHsJF4ssQJBBAHEwMU9RdvbXp2W0P7PQnXfCXS8Sgc2tKdMMmkF\nPvtoas4kBuIsngWN20rlQGJ64v2wgmHo5+S8vJlNqvowXEU=\n-----END RSA PRIVATE KEY-----\n",
+ "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgTERefC8/JudPKMV0A7zDXvdOiz6\n6ZEb/ty5SLOkeC0HMrarRKpL8DdBpkTcAb7D5psBoDPmddis18SSXGsa7DEZBR39\niXYtIV1FR1/8tZ+QgUhiPzcXcVb2robdenxfQ9weH5CCVAWKKEpfBsACF5OofxrF\n/v99yu5pxeUaN4njcwIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgTERefC8/JudPKMV0A7zDXvdOiz66ZEb/ty5SLOkeC0HMrarRKpL\n8DdBpkTcAb7D5psBoDPmddis18SSXGsa7DEZBR39iXYtIV1FR1/8tZ+QgUhiPzcX\ncVb2robdenxfQ9weH5CCVAWKKEpfBsACF5OofxrF/v99yu5pxeUaN4njcwIDAQAB\nAoGBDzqRUfoVnGZsj2ERtdIReUPr7lHhc7vwmaiXu8lr0u3M+4ykPwZag4vIgs6V\nbBN42triUblREfJy9PtH26X7cC0twt93fImTyuAcrKSNXKQIizI0XrhyB/9ewQv8\nkuI8dQugKhVIO+A1Ii2HPT7q9BC1DS9aYZ/PUzUQ68WM7b2BAkEHSSYsERzUcOwl\nZuazcy/AkylGmqGQcdO5wBkGUUxvHSa6oUvqsJcci35hGk95AJ1v6ndpKMolKFsN\n42Q9Gj+McQJBBrweUOlsAr9jbp7qi4mbvr92Ud533UdMPpvCO62BgrYZBMfZffvr\n+x4AEIh4tuZ+QVOR1nlCwrK/m0Q1+IsMsCMCQQO8fqfwqrFDq8bOi5cRhjajAXLk\nz+Asj6Ddo7e6r5D4CSmCmFUl9Ii9/LS9cm4iY5rGSjCSq3/8vx1TNM+lC1vxAkEC\nYqaqKcKjxn3FNGwGOBr9mHqjzJPPv+z1T92fnXh9f1mlI9OYl52hN6L2OB/pSAH3\nyU2iFRjcNMtAhwxGl5lK2QJAZJ1MF7buFyHnctA4mlWcPTzflVDUV8RrA3t0ZBsd\nUhZq+KITyDliBs37pEIvGNb2Hby10hTJcb9IKuuXanNwwg==\n-----END RSA PRIVATE KEY-----\n",
+ "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgVvfDjDTId2lFH+IJAj6aRlUgN+P\ngNP26L9YGFBPNkJ8qbH1VAucZaj2l0z4RHokTZKAIBu0n8u+Y3jRlEzSJ+Iw+W49\nEPgZ3O8nbGSgCypLZwHn0B3l+r3jsemg34L0YxNZzSJmlkf7sXFyRhNO17SXz/+9\nxCtZxzqW7ZAWYhLf9wIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIICXwIBAAKBgVvfDjDTId2lFH+IJAj6aRlUgN+PgNP26L9YGFBPNkJ8qbH1VAuc\nZaj2l0z4RHokTZKAIBu0n8u+Y3jRlEzSJ+Iw+W49EPgZ3O8nbGSgCypLZwHn0B3l\n+r3jsemg34L0YxNZzSJmlkf7sXFyRhNO17SXz/+9xCtZxzqW7ZAWYhLf9wIDAQAB\nAoGBD30enlqqJf0T5KBmOuFE4NFfXNGLzbCd8sx+ZOPF6RWtYmRTBBYdCYxxW7er\ni9AdB+rz/tfH7QivKopi70SrFrMg4Ur3Kkj5av4mKgrkz2XmNekQeQzU7lzqdopL\nJjn35vZ3s/C7a+MrdXR9iQkDbwJk9Y1AHNuhMXFhV6dez2MxAkEKAu+ESNn62LvQ\n0ATIwqqXUe+XIcGw0DI2pUsN+UfLrtWiVe6ejiDUkeoXI/4JRwSpdi6Ir9Fuu1mU\nQSypZtxPnwJBCS02Ln7ToL/Z6f0ObAMBtt8pFZz1DMg7mwz01u6nGmHgArRuCuny\n3mLSW110UtSYuByaxvxYWT1MP7T11y37sKkCQQfHFBCvEDli2zZ0BON66FC6pOnC\nndkhRYFSlKZ8fRxt7SY6oDCptjOuUDA+FANdGvAUEj66aHggMI2OvIW2lX19AkEA\nrix1OAwCwBatBYkbMwHeiB8orhFxGCtrLIO+p8UV7KnKKYx7HKtYF6WXBo/IUGDe\nTaigFjeKrkPH+We8w3kEuQJBBZjRBZ462k9jIHUsCdgF/30fGuDQF67u6c76DX3X\n/3deRLV4Mi9kBdYhHaGVGWZqqH/cTNjIj2tuPWfpYdy7o9A=\n-----END RSA PRIVATE KEY-----\n",
+ "-----BEGIN PUBLIC KEY-----\nMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQDPLNQeNMo6co6ly4r/ZMNtJ73v\nU2TjNv1o0xI8WhlqjChwE+hT1RVtWNFRlUUg+09texertoF3ZZCcV2EZZZ2QKxkG\n7YorEMFVwk0SRSjaue6uN5vqxm5KQReG3Lj9AGLrwDDeEhmgTCqMG33TEx5Na2yu\n4uMaXtQawVCbLvHuKrGDZL5WjKlBwl7MhP+dZDtewaquECog1z9Hm3gP1tqRB1IS\n2erAOgZ02JnrouQx9MRLYVtroiMr1LM7rtc9Yl0CAwEAAQ==\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIIDfgIBAAKBwQDPLNQeNMo6co6ly4r/ZMNtJ73vU2TjNv1o0xI8WhlqjChwE+hT\n1RVtWNFRlUUg+09texertoF3ZZCcV2EZZZ2QKxkG7YorEMFVwk0SRSjaue6uN5vq\nxm5KQReG3Lj9AGLrwDDeEhmgTCqMG33TEx5Na2yu4uMaXtQawVCbLvHuKrGDZL5W\njKlBwl7MhP+dZDtewaquECog1z9Hm3gP1tqRB1IS2erAOgZ02JnrouQx9MRLYVtr\noiMr1LM7rtc9Yl0CAwEAAQKBwQCBIn4tPdZ3zAQiT9caDiLKHSWE0cRm5FXcSwRo\n3fhNs4NZKO99oaozeFMwuQxX3I3LvhgpDh9w3rve15BMlkw6GsME0Hd5FH6OCAim\nRLmMbKzbpwnmszz3x870Xwxnlx7xZblxuoKHiq4tjuoOK2FETNi979bB1jGO0xrA\nd8Oap2AMKBju4OmNpRdzjTKaMVyFavjn7HKHZ2Pp2Y45K/X+hIv0Kx8xx7kkaix7\nyxQLIVKMPjoanViwHTxWls9mUQECYQD8jWwEvsTrmoGSynkAy+U24ui1Gd7PM7JF\nl5jGkJ308XbbfSMZD8criGWnGK+JXxvNkUUpgCdCO2BecKR89YOQqMPoj8jEjosy\n49ohDfvj6IHqVnS2o0jCHpP55V6mXv0CYQDSANReeIqs6mBqQB0EYPh91cECfhLc\nGg11huiTnZz3ibQPUawEQpYd59Icwh4FyDFVwfKqkZM4fP35VstI0VO6JwQG+bu6\nU31Jh9ni+ZQtehTL//6nT+zdqSjSPiWfXuECYQDbFoAveaLw1F81jWn9M+RLgfro\nKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHM\njPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0CYQCgoxfP598UI/h6be6EUfTi\ntKZ+VJfym08eToMLn63ZQBFnAm9VluWjnJeBfg9fFuJ+GeyZAuAdfqb7mqPHYK/u\nHjgbad5qycB1haBq2cS6AL91yK0vqJikeegK4pT+0qECYAsh8zXDUzQutEw6okRF\neAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH\n2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==\n-----END RSA PRIVATE KEY-----\n",
+ "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArkXtVgHOxrjMBfgDk1xn\nTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn\n9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4j\nwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2\nAMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQ\ndle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muD\nuwIDAQAB\n-----END PUBLIC KEY-----\n-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcM\nUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65\ntRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv\n4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5\nUMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE\n5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwIDAQABAoIBAFyN+sxwzVaxEnoh\nDBUZQCwTmMgH1sJ/gg1O17O2pRgt2dAGLp6okbpzX9RYElzxEtXompxfM9chDw+R\niYVLgIe6C8kG7rHpUsSFt97VvhuW9OLKOiq3ApAeC0vzzwz41o7379DzXD4RWWcF\n8f9XbvnKPehvKCcL/D/x7KuRCHlfcePoXxNqn5d8sTvh6/sn+8FRT63/A5FYxhQX\nMt8loVGw8ezKX5U98U/gvoSWCK6lJ4YEcBgdlIewIj0ueWehA7cLMzzPpVxtqp1J\nFEw1ruWhwGiIIPHEgj8tnyAq17lDs6I/Drx0MGJ9eWQNpn0RVRDluALBIuf5RjU1\ntCRJU+ECgYEA7PWuzR5VFf/6y9daKBbG6/SQGM37RjjhhdZqc5a2+AkPgBjH/ZXM\nNLhX3BfwzGUWuxNGq01YLK2te0EDNSOHtwM40IQEfJ2VObZJYgSz3W6kQkmSB77A\nH5ZCh/9jNsOYRlgzaEb1bkaGGIHBAjPSF2vxWl6W3ceAvIaKp30852kCgYEAvEbE\nZPxqxMp4Ow6wijyEG3cvfpsvKLq9WIroheGgxh5IWKD7JawpmZDzW+hRZMJZuhF1\nzdcZJwcTUYSZK2wpt0bdDSyr4UKDX30UjMFhUktKCZRtSLgoRz8c52tstohsNFwD\n4F9B1RtcOpCj8kBzx9dKT+JdnPIcdZYPP8OGMYMCgYEAxzVkVx0A+xXQij3plXpQ\nkV1xJulELaz0K8guhi5Wc/9qAI7U0uN0YX34nxehYLQ7f9qctra3QhhgmBX31Fyi\nY8FZqjLSctEn+vS8jKLXc3jorrGbCtfaPLPeCucxSYD2K21LCoddHfA8G645zNgz\n72zX4tlSi/CE0flp55Tp9sECgYAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CU\ndBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM\n0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYK\nYqReSQKBgG84Ums5JQhVNO8+QVqDbt6LhhWKLHy/7MsL2DQwT+xoO6jU9HnEM9Q0\nFuYyaWI86hAHdtha/0AdP/9hDuZUEc47E2PWOpcJ7t5CZHzqVhST1UVwqHnBhoLN\nl3ELliBewxEX1ztfNiI/rdboupDdfA7mHUThYyUeIMf2brMFEXy4\n-----END RSA PRIVATE KEY-----\n",
+ NULL,
+ };
+ struct key_pair {
+ SecKeyRef pubKey, privKey;
+ };
+ key_pair keys[11];
+
+ int i;
+ for(i = 0; i < sizeof(keys)/sizeof(key_pair); i++) {
+ NSAssert(pem_key_bytes[i] != NULL, @"Expected a key");
+ NSLog(@"Importing: %s", pem_key_bytes[i]);
+ CFDataRef pem_data = CFDataCreate(NULL, (UInt8*)(pem_key_bytes[i]), strlen(pem_key_bytes[i]));
+ SecKeyImportExportParameters import_params;
+ bzero(&import_params, sizeof(import_params));
+
+ import_params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ import_params.keyUsage = CSSM_KEYUSE_ANY;
+ import_params.keyAttributes = CSSM_KEYATTR_PERMANENT|CSSM_KEYATTR_SENSITIVE;
+ import_params.accessRef = NULL;
+ import_params.passphrase = CFSTR("");
+ import_params.alertPrompt = CFSTR("");
+
+ CFArrayRef keypair = NULL;
+ SecExternalFormat key_format = kSecFormatOpenSSL;
+ SecExternalItemType itemType = kSecItemTypeUnknown;
+ status = SecKeychainItemImport(pem_data, CFSTR(".pem"), &key_format, &itemType, 0, &import_params, tmp_keychain, &keypair);
+ STAssertTrue(status == 0, @"Expected pubkey import to be ok, got err=0x%x", status);
+ NSAssert(keypair != NULL, @"Expected to get some keys back");
+ STAssertNotNil((id)keypair, @"Expected to get some keys back");
+ STAssertTrue(CFArrayGetCount(keypair) == 2, @"Expected 2 keys, got %@", keypair);
+ keys[i].pubKey = (SecKeyRef)CFArrayGetValueAtIndex(keypair, 0);
+ keys[i].privKey = (SecKeyRef)CFArrayGetValueAtIndex(keypair, 1);
+ }
+ STAssertNil((id)pem_key_bytes[i], @"Expected to convert all pem keys, but found at least: %s", pem_key_bytes[i]);
+ CFDataRef encoding_parameters = CFDataCreate(NULL, NULL, 0);
+
+ struct KAT {
+ NSData *message, *seed, *encryptedMessage;
+ NSString *label;
+ key_pair keys;
+ };
+ KAT tests[] = {
+ // This first one is from the spec
+ {
+ .message = [NSData dataWithHexString:@"d436e99569fd32a7c8a05bbc90d32c49"],
+ .seed = [NSData dataWithHexString:@"aafd12f659cae63489b479e5076ddec2f06cb58f"],
+ .encryptedMessage = [NSData dataWithHexString:@"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955"],
+ .keys = keys[0],
+ .label = @"From spec",
+ },
+ // The next 60 are from oaep-vect.txt
+ {
+ .message = [NSData dataWithHexString:@"6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34"],
+ .seed = [NSData dataWithHexString:@"18b776ea21069d69776a33e96bad48e1dda0a5ef"],
+ .encryptedMessage = [NSData dataWithHexString:@"354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a"],
+ .keys = keys[1],
+ .label = @"1-1",
+ },
+ {
+ .message = [NSData dataWithHexString:@"750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5"],
+ .seed = [NSData dataWithHexString:@"0cc742ce4a9b7f32f951bcb251efd925fe4fe35f"],
+ .encryptedMessage = [NSData dataWithHexString:@"640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44"],
+ .keys = keys[1],
+ .label = @"1-2",
+ },
+ {
+ .message = [NSData dataWithHexString:@"d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051"],
+ .seed = [NSData dataWithHexString:@"2514df4695755a67b288eaf4905c36eec66fd2fd"],
+ .encryptedMessage = [NSData dataWithHexString:@"423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb"],
+ .keys = keys[1],
+ .label = @"1-3",
+ },
+ {
+ .message = [NSData dataWithHexString:@"52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85"],
+ .seed = [NSData dataWithHexString:@"c4435a3e1a18a68b6820436290a37cefb85db3fb"],
+ .encryptedMessage = [NSData dataWithHexString:@"45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755"],
+ .keys = keys[1],
+ .label = @"1-4",
+ },
+ {
+ .message = [NSData dataWithHexString:@"8da89fd9e5f974a29feffb462b49180f6cf9e802"],
+ .seed = [NSData dataWithHexString:@"b318c42df3be0f83fea823f5a7b47ed5e425a3b5"],
+ .encryptedMessage = [NSData dataWithHexString:@"36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439"],
+ .keys = keys[1],
+ .label = @"1-5",
+ },
+ {
+ .message = [NSData dataWithHexString:@"26521050844271"],
+ .seed = [NSData dataWithHexString:@"e4ec0982c2336f3a677f6a356174eb0ce887abc2"],
+ .encryptedMessage = [NSData dataWithHexString:@"42cee2617b1ecea4db3f4829386fbd61dafbf038e180d837c96366df24c097b4ab0fac6bdf590d821c9f10642e681ad05b8d78b378c0f46ce2fad63f74e0ad3df06b075d7eb5f5636f8d403b9059ca761b5c62bb52aa45002ea70baace08ded243b9d8cbd62a68ade265832b56564e43a6fa42ed199a099769742df1539e8255"],
+ .keys = keys[1],
+ .label = @"1-6",
+ },
+
+ {
+ .message = [NSData dataWithHexString:@"8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7"],
+ .seed = [NSData dataWithHexString:@"8c407b5ec2899e5099c53e8ce793bf94e71b1782"],
+ .encryptedMessage = [NSData dataWithHexString:@"0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e"],
+ .keys = keys[2],
+ .label = @"2-1",
+ },
+ {
+ .message = [NSData dataWithHexString:@"2d"],
+ .seed = [NSData dataWithHexString:@"b600cf3c2e506d7f16778c910d3a8b003eee61d5"],
+ .encryptedMessage = [NSData dataWithHexString:@"018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245"],
+ .keys = keys[2],
+ .label = @"2-2",
+ },
+ {
+ .message = [NSData dataWithHexString:@"74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e"],
+ .seed = [NSData dataWithHexString:@"a73768aeeaa91f9d8c1ed6f9d2b63467f07ccae3"],
+ .encryptedMessage = [NSData dataWithHexString:@"018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053"],
+ .keys = keys[2],
+ .label = @"2-3",
+ },
+ {
+ .message = [NSData dataWithHexString:@"a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a"],
+ .seed = [NSData dataWithHexString:@"9a7b3b0e708bd96f8190ecab4fb9b2b3805a8156"],
+ .encryptedMessage = [NSData dataWithHexString:@"00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641"],
+ .keys = keys[2],
+ .label = @"2-4",
+ },
+ {
+ .message = [NSData dataWithHexString:@"2ef2b066f854c33f3bdcbb5994a435e73d6c6c"],
+ .seed = [NSData dataWithHexString:@"eb3cebbc4adc16bb48e88c8aec0e34af7f427fd3"],
+ .encryptedMessage = [NSData dataWithHexString:@"00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec"],
+ .keys = keys[2],
+ .label = @"2-5",
+ },
+ {
+ .message = [NSData dataWithHexString:@"8a7fb344c8b6cb2cf2ef1f643f9a3218f6e19bba89c0"],
+ .seed = [NSData dataWithHexString:@"4c45cf4d57c98e3d6d2095adc51c489eb50dff84"],
+ .encryptedMessage = [NSData dataWithHexString:@"010839ec20c27b9052e55befb9b77e6fc26e9075d7a54378c646abdf51e445bd5715de81789f56f1803d9170764a9e93cb78798694023ee7393ce04bc5d8f8c5a52c171d43837e3aca62f609eb0aa5ffb0960ef04198dd754f57f7fbe6abf765cf118b4ca443b23b5aab266f952326ac4581100644325f8b721acd5d04ff14ef3a"],
+ .keys = keys[2],
+ .label = @"2-6",
+ },
+
+ {
+ .message = [NSData dataWithHexString:@"087820b569e8fa8d"],
+ .seed = [NSData dataWithHexString:@"8ced6b196290805790e909074015e6a20b0c4894"],
+ .encryptedMessage = [NSData dataWithHexString:@"026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80"],
+ .keys = keys[3],
+ .label = @"3-1",
+ },
+ {
+ .message = [NSData dataWithHexString:@"4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04"],
+ .seed = [NSData dataWithHexString:@"b4291d6567550848cc156967c809baab6ca507f0"],
+ .encryptedMessage = [NSData dataWithHexString:@"024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5"],
+ .keys = keys[3],
+ .label = @"3-2",
+ },
+ {
+ .message = [NSData dataWithHexString:@"d94cd0e08fa404ed89"],
+ .seed = [NSData dataWithHexString:@"ce8928f6059558254008badd9794fadcd2fd1f65"],
+ .encryptedMessage = [NSData dataWithHexString:@"0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a"],
+ .keys = keys[3],
+ .label = @"3-3",
+ },
+ {
+ .message = [NSData dataWithHexString:@"6cc641b6b61e6f963974dad23a9013284ef1"],
+ .seed = [NSData dataWithHexString:@"6e2979f52d6814a57d83b090054888f119a5b9a3"],
+ .encryptedMessage = [NSData dataWithHexString:@"02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0"],
+ .keys = keys[3],
+ .label = @"3-4",
+ },
+ {
+ .message = [NSData dataWithHexString:@"df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223"],
+ .seed = [NSData dataWithHexString:@"2d760bfe38c59de34cdc8b8c78a38e66284a2d27"],
+ .encryptedMessage = [NSData dataWithHexString:@"0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60"],
+ .keys = keys[3],
+ .label = @"3-5",
+ },
+ {
+ .message = [NSData dataWithHexString:@"3c3bad893c544a6d520ab022319188c8d504b7a788b850903b85972eaa18552e1134a7ad6098826254ff7ab672b3d8eb3158fac6d4cbaef1"],
+ .seed = [NSData dataWithHexString:@"f174779c5fd3cfe007badcb7a36c9b55bfcfbf0e"],
+ .encryptedMessage = [NSData dataWithHexString:@"00112051e75d064943bc4478075e43482fd59cee0679de6893eec3a943daa490b9691c93dfc0464b6623b9f3dbd3e70083264f034b374f74164e1a00763725e574744ba0b9db83434f31df96f6e2a26f6d8eba348bd4686c2238ac07c37aac3785d1c7eea2f819fd91491798ed8e9cef5e43b781b0e0276e37c43ff9492d005730"],
+ .label = @"3-6",
+ .keys = keys[3],
+ },
+
+ {
+ .message = [NSData dataWithHexString:@"4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2"],
+ .seed = [NSData dataWithHexString:@"1cac19ce993def55f98203f6852896c95ccca1f3"],
+ .encryptedMessage = [NSData dataWithHexString:@"04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8"],
+ .keys = keys[4],
+ .label = @"4-1",
+ },
+ {
+ .message = [NSData dataWithHexString:@"b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8"],
+ .seed = [NSData dataWithHexString:@"f545d5897585e3db71aa0cb8da76c51d032ae963"],
+ .encryptedMessage = [NSData dataWithHexString:@"0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e"],
+ .keys = keys[4],
+ .label = @"4-2",
+ },
+ {
+ .message = [NSData dataWithHexString:@"bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99"],
+ .seed = [NSData dataWithHexString:@"ad997feef730d6ea7be60d0dc52e72eacbfdd275"],
+ .encryptedMessage = [NSData dataWithHexString:@"0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065"],
+ .keys = keys[4],
+ .label = @"4-3",
+ },
+ {
+ .message = [NSData dataWithHexString:@"fb2ef112f5e766eb94019297934794f7be2f6fc1c58e"],
+ .seed = [NSData dataWithHexString:@"136454df5730f73c807a7e40d8c1a312ac5b9dd3"],
+ .encryptedMessage = [NSData dataWithHexString:@"02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4"],
+ .keys = keys[4],
+ .label = @"4-4",
+ },
+ {
+ .message = [NSData dataWithHexString:@"28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284"],
+ .seed = [NSData dataWithHexString:@"bca8057f824b2ea257f2861407eef63d33208681"],
+ .encryptedMessage = [NSData dataWithHexString:@"00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2"],
+ .keys = keys[4],
+ .label = @"4-5",
+ },
+ {
+ .message = [NSData dataWithHexString:@"f22242751ec6b1"],
+ .seed = [NSData dataWithHexString:@"2e7e1e17f647b5ddd033e15472f90f6812f3ac4e"],
+ .encryptedMessage = [NSData dataWithHexString:@"00a5ffa4768c8bbecaee2db77e8f2eec99595933545520835e5ba7db9493d3e17cddefe6a5f567624471908db4e2d83a0fbee60608fc84049503b2234a07dc83b27b22847ad8920ff42f674ef79b76280b00233d2b51b8cb2703a9d42bfbc8250c96ec32c051e57f1b4ba528db89c37e4c54e27e6e64ac69635ae887d9541619a9"],
+ .keys = keys[4],
+ .label = @"4-6",
+ },
+
+ {
+ .message = [NSData dataWithHexString:@"af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8"],
+ .seed = [NSData dataWithHexString:@"44c92e283f77b9499c603d963660c87d2f939461"],
+ .encryptedMessage = [NSData dataWithHexString:@"036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5"],
+ .keys = keys[5],
+ .label = @"5-1",
+ },
+ {
+ .message = [NSData dataWithHexString:@"a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399"],
+ .seed = [NSData dataWithHexString:@"cb28f5860659fceee49c3eeafce625a70803bd32"],
+ .encryptedMessage = [NSData dataWithHexString:@"03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad"],
+ .keys = keys[5],
+ .label = @"5-2",
+ },
+ {
+ .message = [NSData dataWithHexString:@"308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7"],
+ .seed = [NSData dataWithHexString:@"2285f40d770482f9a9efa2c72cb3ac55716dc0ca"],
+ .encryptedMessage = [NSData dataWithHexString:@"0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967"],
+ .keys = keys[5],
+ .label = @"5-3",
+ },
+ {
+ .message = [NSData dataWithHexString:@"15c5b9ee1185"],
+ .seed = [NSData dataWithHexString:@"49fa45d3a78dd10dfd577399d1eb00af7eed5513"],
+ .encryptedMessage = [NSData dataWithHexString:@"0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf"],
+ .keys = keys[5],
+ .label = @"5-4",
+ },
+ {
+ .message = [NSData dataWithHexString:@"21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a"],
+ .seed = [NSData dataWithHexString:@"f0287413234cc5034724a094c4586b87aff133fc"],
+ .encryptedMessage = [NSData dataWithHexString:@"07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723"],
+ .keys = keys[5],
+ .label = @"5-5",
+ },
+ {
+ .message = [NSData dataWithHexString:@"541e37b68b6c8872b84c02"],
+ .seed = [NSData dataWithHexString:@"d9fba45c96f21e6e26d29eb2cdcb6585be9cb341"],
+ .encryptedMessage = [NSData dataWithHexString:@"08c36d4dda33423b2ed6830d85f6411ba1dcf470a1fae0ebefee7c089f256cef74cb96ea69c38f60f39abee44129bcb4c92de7f797623b20074e3d9c2899701ed9071e1efa0bdd84d4c3e5130302d8f0240baba4b84a71cc032f2235a5ff0fae277c3e8f9112bef44c9ae20d175fc9a4058bfc930ba31b02e2e4f444483710f24a"],
+ .keys = keys[5],
+ .label = @"5-6",
+ },
+ {
+ .label = @"6-1",
+ .keys = keys[6],
+ .message = [NSData dataWithHexString:@"4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4"],
+ .seed = [NSData dataWithHexString:@"dd0f6cfe415e88e5a469a51fbba6dfd40adb4384"],
+ .encryptedMessage = [NSData dataWithHexString:@"0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3"],
+ },
+ {
+ .label = @"6-2",
+ .keys = keys[6],
+ .message = [NSData dataWithHexString:@"5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7"],
+ .seed = [NSData dataWithHexString:@"8d14bd946a1351148f5cae2ed9a0c653e85ebd85"],
+ .encryptedMessage = [NSData dataWithHexString:@"0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f"],
+ },
+ {
+ .label = @"6-3",
+ .keys = keys[6],
+ .message = [NSData dataWithHexString:@"b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c"],
+ .seed = [NSData dataWithHexString:@"6c075bc45520f165c0bf5ea4c5df191bc9ef0e44"],
+ .encryptedMessage = [NSData dataWithHexString:@"0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65"],
+ },
+ {
+ .label = @"6-4",
+ .keys = keys[6],
+ .message = [NSData dataWithHexString:@"684e3038c5c041f7"],
+ .seed = [NSData dataWithHexString:@"3bbc3bd6637dfe12846901029bf5b0c07103439c"],
+ .encryptedMessage = [NSData dataWithHexString:@"008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8"],
+ },
+ {
+ .label = @"6-5",
+ .keys = keys[6],
+ .message = [NSData dataWithHexString:@"32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693"],
+ .seed = [NSData dataWithHexString:@"b46b41893e8bef326f6759383a83071dae7fcabc"],
+ .encryptedMessage = [NSData dataWithHexString:@"00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab"],
+ },
+ {
+ .label = @"6-6",
+ .keys = keys[6],
+ .message = [NSData dataWithHexString:@"50ba14be8462720279c306ba"],
+ .seed = [NSData dataWithHexString:@"0a2403312a41e3d52f060fbc13a67de5cf7609a7"],
+ .encryptedMessage = [NSData dataWithHexString:@"0a026dda5fc8785f7bd9bf75327b63e85e2c0fdee5dadb65ebdcac9ae1de95c92c672ab433aa7a8e69ce6a6d8897fac4ac4a54de841ae5e5bbce7687879d79634cea7a30684065c714d52409b928256bbf53eabcd5231eb7259504537399bd29164b726d33a46da701360a4168a091ccab72d44a62fed246c0ffea5b1348ab5470"],
+ },
+ {
+ .label = @"7-1",
+ .keys = keys[7],
+ .message = [NSData dataWithHexString:@"47aae909"],
+ .seed = [NSData dataWithHexString:@"43dd09a07ff4cac71caa4632ee5e1c1daee4cd8f"],
+ .encryptedMessage = [NSData dataWithHexString:@"1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1"],
+ },
+ {
+ .label = @"7-2",
+ .keys = keys[7],
+ .message = [NSData dataWithHexString:@"1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7"],
+ .seed = [NSData dataWithHexString:@"3a9c3cec7b84f9bd3adecbc673ec99d54b22bc9b"],
+ .encryptedMessage = [NSData dataWithHexString:@"1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6"],
+ },
+ {
+ .label = @"7-3",
+ .keys = keys[7],
+ .message = [NSData dataWithHexString:@"d976fc"],
+ .seed = [NSData dataWithHexString:@"76a75e5b6157a556cf8884bb2e45c293dd545cf5"],
+ .encryptedMessage = [NSData dataWithHexString:@"2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b"],
+ },
+ {
+ .label = @"7-4",
+ .keys = keys[7],
+ .message = [NSData dataWithHexString:@"d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb"],
+ .seed = [NSData dataWithHexString:@"7866314a6ad6f2b250a35941db28f5864b585859"],
+ .encryptedMessage = [NSData dataWithHexString:@"0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac"],
+ },
+ {
+ .label = @"7-5",
+ .keys = keys[7],
+ .message = [NSData dataWithHexString:@"bb47231ca5ea1d3ad46c99345d9a8a61"],
+ .seed = [NSData dataWithHexString:@"b2166ed472d58db10cab2c6b000cccf10a7dc509"],
+ .encryptedMessage = [NSData dataWithHexString:@"028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478"],
+ },
+ {
+ .label = @"7-6",
+ .keys = keys[7],
+ .message = [NSData dataWithHexString:@"2184827095d35c3f86f600e8e59754013296"],
+ .seed = [NSData dataWithHexString:@"52673bde2ca166c2aa46131ac1dc808d67d7d3b1"],
+ .encryptedMessage = [NSData dataWithHexString:@"14c678a94ad60525ef39e959b2f3ba5c097a94ff912b67dbace80535c187abd47d075420b1872152bba08f7fc31f313bbf9273c912fc4c0149a9b0cfb79807e346eb332069611bec0ff9bcd168f1f7c33e77313cea454b94e2549eecf002e2acf7f6f2d2845d4fe0aab2e5a92ddf68c480ae11247935d1f62574842216ae674115"],
+ },
+ {
+ .label = @"8-1",
+ .keys = keys[8],
+ .message = [NSData dataWithHexString:@"050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967"],
+ .seed = [NSData dataWithHexString:@"7706ffca1ecfb1ebee2a55e5c6e24cd2797a4125"],
+ .encryptedMessage = [NSData dataWithHexString:@"09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61"],
+ },
+ {
+ .label = @"8-2",
+ .keys = keys[8],
+ .message = [NSData dataWithHexString:@"4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc"],
+ .seed = [NSData dataWithHexString:@"a3717da143b4dcffbc742665a8fa950585548343"],
+ .encryptedMessage = [NSData dataWithHexString:@"2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d"],
+ },
+ {
+ .label = @"8-3",
+ .keys = keys[8],
+ .message = [NSData dataWithHexString:@"8604ac56328c1ab5ad917861"],
+ .seed = [NSData dataWithHexString:@"ee06209073cca026bb264e5185bf8c68b7739f86"],
+ .encryptedMessage = [NSData dataWithHexString:@"4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f"],
+ },
+ {
+ .label = @"8-4",
+ .keys = keys[8],
+ .message = [NSData dataWithHexString:@"fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc"],
+ .seed = [NSData dataWithHexString:@"990ad573dc48a973235b6d82543618f2e955105d"],
+ .encryptedMessage = [NSData dataWithHexString:@"2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0"],
+ },
+ {
+ .label = @"8-5",
+ .keys = keys[8],
+ .message = [NSData dataWithHexString:@"4a5f4914bee25de3c69341de07"],
+ .seed = [NSData dataWithHexString:@"ecc63b28f0756f22f52ac8e6ec1251a6ec304718"],
+ .encryptedMessage = [NSData dataWithHexString:@"1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2"],
+ },
+ {
+ .label = @"8-6",
+ .keys = keys[8],
+ .message = [NSData dataWithHexString:@"8e07d66f7b880a72563abcd3f35092bc33409fb7f88f2472be"],
+ .seed = [NSData dataWithHexString:@"3925c71b362d40a0a6de42145579ba1e7dd459fc"],
+ .encryptedMessage = [NSData dataWithHexString:@"3afd9c6600147b21798d818c655a0f4c9212db26d0b0dfdc2a7594ccb3d22f5bf1d7c3e112cd73fc7d509c7a8bafdd3c274d1399009f9609ec4be6477e453f075aa33db382870c1c3409aef392d7386ae3a696b99a94b4da0589447e955d16c98b17602a59bd736279fcd8fb280c4462d590bfa9bf13fed570eafde97330a2c210"],
+ },
+ {
+ .label = @"9-1",
+ .keys = keys[9],
+ .message = [NSData dataWithHexString:@"f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6"],
+ .seed = [NSData dataWithHexString:@"8ec965f134a3ec9931e92a1ca0dc8169d5ea705c"],
+ .encryptedMessage = [NSData dataWithHexString:@"267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72"],
+ },
+ {
+ .label = @"9-2",
+ .keys = keys[9],
+ .message = [NSData dataWithHexString:@"81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659"],
+ .seed = [NSData dataWithHexString:@"ecb1b8b25fa50cdab08e56042867f4af5826d16c"],
+ .encryptedMessage = [NSData dataWithHexString:@"93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8"],
+ },
+ {
+ .label = @"9-3",
+ .keys = keys[9],
+ .message = [NSData dataWithHexString:@"fd326429df9b890e09b54b18b8f34f1e24"],
+ .seed = [NSData dataWithHexString:@"e89bb032c6ce622cbdb53bc9466014ea77f777c0"],
+ .encryptedMessage = [NSData dataWithHexString:@"81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3"],
+ },
+ {
+ .label = @"9-4",
+ .keys = keys[9],
+ .message = [NSData dataWithHexString:@"f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e"],
+ .seed = [NSData dataWithHexString:@"606f3b99c0b9ccd771eaa29ea0e4c884f3189ccc"],
+ .encryptedMessage = [NSData dataWithHexString:@"bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858"],
+ },
+ {
+ .label = @"9-5",
+ .keys = keys[9],
+ .message = [NSData dataWithHexString:@"53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d"],
+ .seed = [NSData dataWithHexString:@"fcbc421402e9ecabc6082afa40ba5f26522c840e"],
+ .encryptedMessage = [NSData dataWithHexString:@"232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e"],
+ },
+ {
+ .label = @"9-6",
+ .keys = keys[9],
+ .message = [NSData dataWithHexString:@"b6b28ea2198d0c1008bc64"],
+ .seed = [NSData dataWithHexString:@"23aade0e1e08bb9b9a78d2302a52f9c21b2e1ba2"],
+ .encryptedMessage = [NSData dataWithHexString:@"438cc7dc08a68da249e42505f8573ba60e2c2773d5b290f4cf9dff718e842081c383e67024a0f29594ea987b9d25e4b738f285970d195abb3a8c8054e3d79d6b9c9a8327ba596f1259e27126674766907d8d582ff3a8476154929adb1e6d1235b2ccb4ec8f663ba9cc670a92bebd853c8dbf69c6436d016f61add836e94732450434207f9fd4c43dec2a12a958efa01efe2669899b5e604c255c55fb7166de5589e369597bb09168c06dd5db177e06a1740eb2d5c82faeca6d92fcee9931ba9f"],
+ },
+ {
+ .label = @"10-1",
+ .keys = keys[10],
+ .message = [NSData dataWithHexString:@"8bba6bf82a6c0f86d5f1756e97956870b08953b06b4eb205bc1694ee"],
+ .seed = [NSData dataWithHexString:@"47e1ab7119fee56c95ee5eaad86f40d0aa63bd33"],
+ .encryptedMessage = [NSData dataWithHexString:@"53ea5dc08cd260fb3b858567287fa91552c30b2febfba213f0ae87702d068d19bab07fe574523dfb42139d68c3c5afeee0bfe4cb7969cbf382b804d6e61396144e2d0e60741f8993c3014b58b9b1957a8babcd23af854f4c356fb1662aa72bfcc7e586559dc4280d160c126785a723ebeebeff71f11594440aaef87d10793a8774a239d4a04c87fe1467b9daf85208ec6c7255794a96cc29142f9a8bd418e3c1fd67344b0cd0829df3b2bec60253196293c6b34d3f75d32f213dd45c6273d505adf4cced1057cb758fc26aeefa441255ed4e64c199ee075e7f16646182fdb464739b68ab5daff0e63e9552016824f054bf4d3c8c90a97bb6b6553284eb429fcc"],
+ },
+ {
+ .label = @"10-2",
+ .keys = keys[10],
+ .message = [NSData dataWithHexString:@"e6ad181f053b58a904f2457510373e57"],
+ .seed = [NSData dataWithHexString:@"6d17f5b4c1ffac351d195bf7b09d09f09a4079cf"],
+ .encryptedMessage = [NSData dataWithHexString:@"a2b1a430a9d657e2fa1c2bb5ed43ffb25c05a308fe9093c01031795f5874400110828ae58fb9b581ce9dddd3e549ae04a0985459bde6c626594e7b05dc4278b2a1465c1368408823c85e96dc66c3a30983c639664fc4569a37fe21e5a195b5776eed2df8d8d361af686e750229bbd663f161868a50615e0c337bec0ca35fec0bb19c36eb2e0bbcc0582fa1d93aacdb061063f59f2ce1ee43605e5d89eca183d2acdfe9f81011022ad3b43a3dd417dac94b4e11ea81b192966e966b182082e71964607b4f8002f36299844a11f2ae0faeac2eae70f8f4f98088acdcd0ac556e9fccc511521908fad26f04c64201450305778758b0538bf8b5bb144a828e629795"],
+ },
+ {
+ .label = @"10-3",
+ .keys = keys[10],
+ .message = [NSData dataWithHexString:@"510a2cf60e866fa2340553c94ea39fbc256311e83e94454b4124"],
+ .seed = [NSData dataWithHexString:@"385387514deccc7c740dd8cdf9daee49a1cbfd54"],
+ .encryptedMessage = [NSData dataWithHexString:@"9886c3e6764a8b9a84e84148ebd8c3b1aa8050381a78f668714c16d9cfd2a6edc56979c535d9dee3b44b85c18be8928992371711472216d95dda98d2ee8347c9b14dffdff84aa48d25ac06f7d7e65398ac967b1ce90925f67dce049b7f812db0742997a74d44fe81dbe0e7a3feaf2e5c40af888d550ddbbe3bc20657a29543f8fc2913b9bd1a61b2ab2256ec409bbd7dc0d17717ea25c43f42ed27df8738bf4afc6766ff7aff0859555ee283920f4c8a63c4a7340cbafddc339ecdb4b0515002f96c932b5b79167af699c0ad3fccfdf0f44e85a70262bf2e18fe34b850589975e867ff969d48eabf212271546cdc05a69ecb526e52870c836f307bd798780ede"],
+ },
+ {
+ .label = @"10-4",
+ .keys = keys[10],
+ .message = [NSData dataWithHexString:@"bcdd190da3b7d300df9a06e22caae2a75f10c91ff667b7c16bde8b53064a2649a94045c9"],
+ .seed = [NSData dataWithHexString:@"5caca6a0f764161a9684f85d92b6e0ef37ca8b65"],
+ .encryptedMessage = [NSData dataWithHexString:@"6318e9fb5c0d05e5307e1683436e903293ac4642358aaa223d7163013aba87e2dfda8e60c6860e29a1e92686163ea0b9175f329ca3b131a1edd3a77759a8b97bad6a4f8f4396f28cf6f39ca58112e48160d6e203daa5856f3aca5ffed577af499408e3dfd233e3e604dbe34a9c4c9082de65527cac6331d29dc80e0508a0fa7122e7f329f6cca5cfa34d4d1da417805457e008bec549e478ff9e12a763c477d15bbb78f5b69bd57830fc2c4ed686d79bc72a95d85f88134c6b0afe56a8ccfbc855828bb339bd17909cf1d70de3335ae07039093e606d655365de6550b872cd6de1d440ee031b61945f629ad8a353b0d40939e96a3c450d2a8d5eee9f678093c8"],
+ },
+ {
+ .label = @"10-5",
+ .keys = keys[10],
+ .message = [NSData dataWithHexString:@"a7dd6c7dc24b46f9dd5f1e91ada4c3b3df947e877232a9"],
+ .seed = [NSData dataWithHexString:@"95bca9e3859894b3dd869fa7ecd5bbc6401bf3e4"],
+ .encryptedMessage = [NSData dataWithHexString:@"75290872ccfd4a4505660d651f56da6daa09ca1301d890632f6a992f3d565cee464afded40ed3b5be9356714ea5aa7655f4a1366c2f17c728f6f2c5a5d1f8e28429bc4e6f8f2cff8da8dc0e0a9808e45fd09ea2fa40cb2b6ce6ffff5c0e159d11b68d90a85f7b84e103b09e682666480c657505c0929259468a314786d74eab131573cf234bf57db7d9e66cc6748192e002dc0deea930585f0831fdcd9bc33d51f79ed2ffc16bcf4d59812fcebcaa3f9069b0e445686d644c25ccf63b456ee5fa6ffe96f19cdf751fed9eaf35957754dbf4bfea5216aa1844dc507cb2d080e722eba150308c2b5ff1193620f1766ecf4481bafb943bd292877f2136ca494aba0"],
+ },
+ {
+ .label = @"10-6",
+ .keys = keys[10],
+ .message = [NSData dataWithHexString:@"eaf1a73a1b0c4609537de69cd9228bbcfb9a8ca8c6c3efaf056fe4a7f4634ed00b7c39ec6922d7b8ea2c04ebac"],
+ .seed = [NSData dataWithHexString:@"9f47ddf42e97eea856a9bdbc714eb3ac22f6eb32"],
+ .encryptedMessage = [NSData dataWithHexString:@"2d207a73432a8fb4c03051b3f73b28a61764098dfa34c47a20995f8115aa6816679b557e82dbee584908c6e69782d7deb34dbd65af063d57fca76a5fd069492fd6068d9984d209350565a62e5c77f23038c12cb10c6634709b547c46f6b4a709bd85ca122d74465ef97762c29763e06dbc7a9e738c78bfca0102dc5e79d65b973f28240caab2e161a78b57d262457ed8195d53e3c7ae9da021883c6db7c24afdd2322eac972ad3c354c5fcef1e146c3a0290fb67adf007066e00428d2cec18ce58f9328698defef4b2eb5ec76918fde1c198cbb38b7afc67626a9aefec4322bfd90d2563481c9a221f78c8272c82d1b62ab914e1c69f6af6ef30ca5260db4a46"],
+ },
+
+ };
+
+ int max_cycles = 100;
+ if (!getenv("SUBMISSION_TEST")) {
+ max_cycles = 10;
+ CFfprintf(stderr, "Running the far faster but far less reliable fast test.\nSet the SUBMISSION_TEST environment variable for full testing\n");
+ }
+
+ for (int j = 0; j < max_cycles; j++) {
+ NSLog(@"Cycle %d", j);
+ for (i = 0; i < sizeof(tests)/sizeof(KAT); i++) {
+ NSLog(@"test#%d %@ L(IN)=%lu, L(OUT)=%lu", i, tests[i].label, (unsigned long)[tests[i].message length], (unsigned long)[tests[i].encryptedMessage length]);
+ CFErrorRef err = NULL;
+
+ SecTransformRef encryptor = SecEncryptTransformCreate(tests[i].keys.pubKey, &err);
+
+ SecTransformSetAttribute(encryptor, kSecTransformInputAttributeName, tests[i].message, &err);
+ SecTransformSetAttribute(encryptor, kSecPaddingKey, kSecPaddingOAEPKey, &err);
+ SecTransformSetAttribute(encryptor, kSecOAEPEncodingParametersAttributeName, encoding_parameters, &err);
+ SecTransformSetAttribute(encryptor, CFSTR("FixedSeedForOAEPTesting"), tests[i].seed, &err);
+
+ CFTypeRef encryptedData = SecTransformExecute(encryptor, &err);
+ STAssertNotNil((id)encryptedData, @"Expected to get encrypted data");
+ STAssertNil((NSError*)err, @"Expected no error, got err=%@", err);
+ // Can't support "seed" with commoncrypto, just check round trip.
+ //STAssertEqualObjects((id)encryptedData, (id)tests[i].encryptedMessage, @"encrypted data should have matched test vector (%@) data", tests[i].label);
+ CFRelease(encryptor);
+
+ SecTransformRef decryptor = SecDecryptTransformCreate(tests[i].keys.privKey, NULL);
+ SecTransformSetAttribute(decryptor, kSecTransformInputAttributeName, tests[i].encryptedMessage, NULL);
+ // XXX: totally round trip, not even partial KAT (KAT can't really be done on OAEP
+ // without supporitng settign the seed externally)
+ SecTransformSetAttribute(decryptor, kSecTransformInputAttributeName, encryptedData, NULL);
+ SecTransformSetAttribute(decryptor, kSecPaddingKey, kSecPaddingOAEPKey, NULL);
+ SecTransformSetAttribute(decryptor, kSecOAEPEncodingParametersAttributeName, encoding_parameters, NULL);
+ CFTypeRef decryptedData = SecTransformExecute(decryptor, &err);
+ STAssertNil((id)err, @"Expected no error, got: %@", err);
+ STAssertNotNil((id)decryptedData, @"Expected to get decrypted data");
+ STAssertEqualObjects((id)decryptedData, tests[i].message, @"Expected decrypted data to match original message (%@)", tests[i].label);
+ CFRelease(decryptor);
+ }
+ }
+
+ return;
+}
+
+-(void)testNoSignKeyMakesError
+{
+ NSData *data = [NSData dataWithBytes:"" length:1];
+
+ struct test_case {
+ NSString *name;
+ CFErrorRef createError;
+ SecTransformRef transform;
+ } test_cases[] = {
+ {
+ .name = @"Sign",
+ .createError = NULL,
+ .transform = SecSignTransformCreate(NULL, &(test_cases[0].createError))
+ },
+ {
+ .name = @"Verify",
+ .createError = NULL,
+ .transform = SecVerifyTransformCreate(NULL, (CFDataRef)data, &(test_cases[1].createError))
+ }
+ };
+
+ for(int i = 0; i < sizeof(test_cases) / sizeof(test_case); i++) {
+ struct test_case *test = test_cases + i;
+ STAssertNil((id)test->createError, @"Testing %@, unexpected error: %@", test->name, test->createError);
+ STAssertNotNil((id)test->transform, @"Didn't manage to create transform for %@", test->name);
+ if (!test->transform) {
+ continue;
+ }
+
+ __block CFErrorRef err = NULL;
+ SecTransformSetAttribute(test->transform, kSecTransformInputAttributeName, data, &err);
+ STAssertNil((id)err, @"Error setting input for %@: %@", test->name, err);
+
+ dispatch_group_t execute_done = dispatch_group_create();
+ dispatch_group_enter(execute_done);
+
+ SecTransformExecuteAsync(test->transform, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, NULL), ^(CFTypeRef message, CFErrorRef error, Boolean isFinal) {
+ if (error) {
+ err = error;
+ }
+ if (isFinal) {
+ dispatch_group_leave(execute_done);
+ }
+ });
+
+ STAssertFalse(dispatch_group_wait(execute_done, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5)), @"Timeout waiting for %@ transform", test->name);
+ STAssertErrorHas((id)err, @"missing required attributes?:.*KEY", @"Unexpected error during %@ test, expected one about missing keys: %@", test->name, err);
+ dispatch_group_notify(execute_done, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, NULL), ^(void) {
+ dispatch_release(execute_done);
+ });
+ }
+}
+
+-(void)testHMAC
+{
+ // make the data for the key and the data to be HMAC'd
+ CFDataRef hmacData = CFDataCreate(NULL, (u_int8_t*) gHMACText, strlen(gHMACText));
+ CFDataRef hmacKey = CFDataCreate(NULL, (u_int8_t*) gHMACKey, strlen(gHMACKey));
+ SecTransformRef hmacRef;
+ CFErrorRef error = NULL;
+ CFDataRef result;
+ CFDataRef rightAnswer;
+ CFComparisonResult ok;
+
+ // create the object
+ hmacRef = SecDigestTransformCreate(kSecDigestHMACSHA1, 20, &error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+
+ // set the key
+ SecTransformSetAttribute(hmacRef, kSecDigestHMACKeyAttribute, hmacKey, &error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+
+ // digest the data
+ SecTransformSetAttribute(hmacRef, kSecTransformInputAttributeName, hmacData, &error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+
+ result = (CFDataRef) SecTransformExecute(hmacRef, &error);
+ if (error)
+ {
+ CFShow(error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+ CFRelease(error);
+ }
+
+ STAssertNotNil((id) result, @"No data returned for SHA1");
+
+ // check to make sure we got the right answer
+ rightAnswer = CFDataCreate(NULL, gSHA1HMAC, sizeof(gSHA1HMAC));
+ ok = CFEqual(rightAnswer, result);
+ CFRelease(rightAnswer);
+ CFRelease(hmacRef);
+ CFRelease(result);
+
+ if (error)
+ {
+ CFRelease(error);
+ }
+
+ STAssertTrue(ok, @"Digest returned incorrect HMACSHA1 result.");
+
+ //+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
+
+ // create the object
+ hmacRef = SecDigestTransformCreate(kSecDigestHMACSHA2, 256, &error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+
+ // set the key
+ SecTransformSetAttribute(hmacRef, kSecDigestHMACKeyAttribute, hmacKey, &error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+
+ // digest the data
+ SecTransformSetAttribute(hmacRef, kSecTransformInputAttributeName, hmacData, &error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+
+ result = (CFDataRef) SecTransformExecute(hmacRef, &error);
+ if (error != nil)
+ {
+ CFShow(error);
+ STAssertNil((id) error, @"Unexpected error returned.");
+ CFRelease(error);
+ }
+
+ STAssertNotNil((id) result, @"No data returned for SHA256");
+
+ rightAnswer = CFDataCreate(NULL, gSHA256HMAC, sizeof(gSHA256HMAC));
+ ok = CFEqual(result, rightAnswer);
+
+ CFRelease(rightAnswer);
+ CFRelease(hmacRef);
+
+ CFRelease(hmacData);
+ CFRelease(hmacKey);
+ CFRelease(result);
+
+ STAssertTrue(ok, @"Digest returned incorrect HMACSHA256 result.");
+}
+
+
+
+-(void)echoParams:(NSString*)p1 p2:(NSString*)p2
+{
+}
+
+-(void)testReadStreamTransform
+{
+ // point to our test data
+ CFURLRef url = CFURLCreateWithFileSystemPath(NULL, CFSTR("/usr/share/dict/words"), kCFURLPOSIXPathStyle, false);
+ FSRef force_resolve;
+ STAssertTrue(CFURLGetFSRef(url, &force_resolve), @"Expected to create FSRef from %@", url);
+ CFURLRef resolved_url = CFURLCreateFromFSRef(NULL, &force_resolve);
+ CFNumberRef size_on_disk = NULL;
+ CFURLCopyResourcePropertyForKey(resolved_url, kCFURLFileSizeKey, &size_on_disk, NULL);
+ STAssertNotNil((id)size_on_disk, @"Expected to fetch size");
+
+ CFReadStreamRef readStreamRef = CFReadStreamCreateWithFile(NULL, url);
+ SecTransformRef transform = SecTransformCreateReadTransformWithReadStream(readStreamRef);
+ STAssertNotNil((id) transform, @"Returned transform should not be nil.");
+
+ dispatch_semaphore_t waitSemaphore = dispatch_semaphore_create(0);
+ dispatch_queue_t queue = dispatch_queue_create("ReadStream queue", NULL);
+ __block ssize_t bytes_presented = 0;
+
+ SecTransformExecuteAsync(transform, queue,
+ ^(CFTypeRef message, CFErrorRef error, Boolean isFinal)
+ {
+ if (message)
+ {
+ bytes_presented += CFDataGetLength((CFDataRef)message);
+ }
+ if (isFinal)
+ {
+ STAssertNil((id)error, @"Unexpected error!");
+ dispatch_semaphore_signal(waitSemaphore);
+ }
+ });
+
+ dispatch_semaphore_wait(waitSemaphore, DISPATCH_TIME_FOREVER);
+ NSNumber *size_via_stream = [NSNumber numberWithLongLong:bytes_presented];
+ STAssertEqualObjects(size_via_stream, (NSNumber*)size_on_disk, @"Expected sizes to match");
+ CFRelease(size_on_disk);
+
+ dispatch_release(queue);
+ dispatch_release(waitSemaphore);
+ CFRelease(transform);
+ CFRelease(readStreamRef);
+ CFRelease(url);
+ CFRelease(resolved_url);
+}
+
+-(void)testMGF
+{
+ UInt8 raw_seed[] = {0xaa, 0xfd, 0x12, 0xf6, 0x59, 0xca, 0xe6, 0x34, 0x89, 0xb4, 0x79, 0xe5, 0x07, 0x6d, 0xde, 0xc2, 0xf0, 0x6c, 0xb5, 0x8f};
+ UInt8 raw_mgf107[] = {0x06, 0xe1, 0xde, 0xb2, 0x36, 0x9a, 0xa5, 0xa5, 0xc7, 0x07, 0xd8, 0x2c, 0x8e, 0x4e, 0x93, 0x24, 0x8a, 0xc7, 0x83, 0xde, 0xe0, 0xb2, 0xc0, 0x46, 0x26, 0xf5, 0xaf, 0xf9, 0x3e, 0xdc, 0xfb, 0x25, 0xc9, 0xc2, 0xb3, 0xff, 0x8a, 0xe1, 0x0e, 0x83, 0x9a, 0x2d, 0xdb, 0x4c, 0xdc, 0xfe, 0x4f, 0xf4, 0x77, 0x28, 0xb4, 0xa1, 0xb7, 0xc1, 0x36, 0x2b, 0xaa, 0xd2, 0x9a, 0xb4, 0x8d, 0x28, 0x69, 0xd5, 0x02, 0x41, 0x21, 0x43, 0x58, 0x11, 0x59, 0x1b, 0xe3, 0x92, 0xf9, 0x82, 0xfb, 0x3e, 0x87, 0xd0, 0x95, 0xae, 0xb4, 0x04, 0x48, 0xdb, 0x97, 0x2f, 0x3a, 0xc1, 0x4e, 0xaf, 0xf4, 0x9c, 0x8c, 0x3b, 0x7c, 0xfc, 0x95, 0x1a, 0x51, 0xec, 0xd1, 0xdd, 0xe6, 0x12, 0x64};
+ CFDataRef seed = CFDataCreate(NULL, raw_seed, sizeof(raw_seed));
+ CFDataRef mgf107 = CFDataCreate(NULL, raw_mgf107, sizeof(raw_mgf107));
+ CFErrorRef err = NULL;
+
+ SecTransformRef mgfTransform = SecCreateMaskGenerationFunctionTransform(NULL, 107, &err);
+ STAssertNotNil((id)mgfTransform, @"Expected to create a MGF transform e=%@", err);
+ err = NULL;
+ SecTransformSetAttribute(mgfTransform, kSecTransformInputAttributeName, seed, &err);
+ STAssertNil((id)err, @"Expected no error setting MGF's input, got %@", err);
+ err = NULL;
+ CFDataRef mgfOutput = (CFDataRef)SecTransformExecute(mgfTransform, &err);
+ STAssertNotNil((id)mgfOutput, @"Expected output from mgf, got error %@", err);
+ STAssertEqualObjects((id)mgfOutput, (id)mgf107, @"Expected matching output");
+
+ CFRelease(mgfTransform);
+ // XXX: leak test??
+
+ UInt8 raw_maskedDB[] = {0xdc, 0xd8, 0x7d, 0x5c, 0x68, 0xf1, 0xee, 0xa8, 0xf5, 0x52, 0x67, 0xc3, 0x1b, 0x2e, 0x8b, 0xb4, 0x25, 0x1f, 0x84, 0xd7, 0xe0, 0xb2, 0xc0, 0x46, 0x26, 0xf5, 0xaf, 0xf9, 0x3e, 0xdc, 0xfb, 0x25, 0xc9, 0xc2, 0xb3, 0xff, 0x8a, 0xe1, 0x0e, 0x83, 0x9a, 0x2d, 0xdb, 0x4c, 0xdc, 0xfe, 0x4f, 0xf4, 0x77, 0x28, 0xb4, 0xa1, 0xb7, 0xc1, 0x36, 0x2b, 0xaa, 0xd2, 0x9a, 0xb4, 0x8d, 0x28, 0x69, 0xd5, 0x02, 0x41, 0x21, 0x43, 0x58, 0x11, 0x59, 0x1b, 0xe3, 0x92, 0xf9, 0x82, 0xfb, 0x3e, 0x87, 0xd0, 0x95, 0xae, 0xb4, 0x04, 0x48, 0xdb, 0x97, 0x2f, 0x3a, 0xc1, 0x4f, 0x7b, 0xc2, 0x75, 0x19, 0x52, 0x81, 0xce, 0x32, 0xd2, 0xf1, 0xb7, 0x6d, 0x4d, 0x35, 0x3e, 0x2d};
+
+ UInt8 raw_mgf20[] = {0x41, 0x87, 0x0b, 0x5a, 0xb0, 0x29, 0xe6, 0x57, 0xd9, 0x57, 0x50, 0xb5, 0x4c, 0x28, 0x3c, 0x08, 0x72, 0x5d, 0xbe, 0xa9};
+ CFDataRef maskedDB = CFDataCreate(NULL, raw_maskedDB, sizeof(raw_maskedDB));
+ CFDataRef mgf20 = CFDataCreate(NULL, raw_mgf20, sizeof(raw_mgf20));
+ err = NULL;
+
+ mgfTransform = SecCreateMaskGenerationFunctionTransform(kSecDigestSHA1, 20, &err);
+ STAssertNotNil((id)mgfTransform, @"Expected to create a MGF transform e=%@", err);
+ err = NULL;
+ SecTransformSetAttribute(mgfTransform, kSecTransformInputAttributeName, maskedDB, &err);
+ STAssertNil((id)err, @"Expected no error setting MGF's input, got %@", err);
+ err = NULL;
+ mgfOutput = (CFDataRef)SecTransformExecute(mgfTransform, &err);
+ STAssertNotNil((id)mgfOutput, @"Expected output from mgf, got error %@", err);
+ STAssertEqualObjects((id)mgfOutput, (id)mgf20, @"Expected matching output");
+}
+
+-(void)testAbortParams
+{
+ // make a simple transform
+ SecTransformRef a = SecNullTransformCreate();
+
+ // try to abort the transform
+ CFErrorRef errorRef = NULL;
+ STAssertFalse(SecTransformSetAttribute(a, CFSTR("ABORT"), NULL, &errorRef), @"SecTransformSetAttribute should have returned FALSE");
+ STAssertNotNil((id) errorRef, @"SecTransformSetAttribute should have had an error.");
+ if (errorRef != NULL)
+ {
+ CFRelease(errorRef);
+ }
+
+ CFRelease(a);
+
+ // We have instant end of stream, it is wired directly to null_abort's ABORT. It is wired to the final drain via a delay and some other
+ // things. If the end of stream makes it to the final drain we get an empty CFData. If the abort triggers then abort has invalidly
+ // triggered off of a NULL value.
+ SecGroupTransformRef test_null_abort_via_connection = SecTransformCreateGroupTransform();
+ SecTransformRef pass_through = SecNullTransformCreate();
+ SecTransformRef null_abort = SecNullTransformCreate();
+
+ CFURLRef dev_null_url = CFURLCreateWithFileSystemPath(NULL, CFSTR("/dev/null"), kCFURLPOSIXPathStyle, NO);
+ CFReadStreamRef dev_null_stream = CFReadStreamCreateWithFile(NULL, dev_null_url);
+ CFReadStreamOpen(dev_null_stream);
+ CFRelease(dev_null_url);
+
+ SecTransformSetAttribute(pass_through, kSecTransformInputAttributeName, dev_null_stream, NULL);
+ SecTransformConnectTransforms(pass_through, kSecTransformOutputAttributeName, null_abort, kSecTransformAbortAttributeName, test_null_abort_via_connection, NULL);
+
+ SecTransformRef delay_null = delay_transform(NSEC_PER_SEC / 10);
+ SecTransformConnectTransforms(pass_through, kSecTransformOutputAttributeName, delay_null, kSecTransformInputAttributeName, test_null_abort_via_connection, NULL);
+ SecTransformConnectTransforms(delay_null, kSecTransformOutputAttributeName, null_abort, kSecTransformInputAttributeName, test_null_abort_via_connection, NULL);
+
+
+ CFErrorRef err = NULL;
+ CFTypeRef not_null = SecTransformExecute(test_null_abort_via_connection, &err);
+
+ STAssertNotNil((id)not_null, @"aborted via a NULL from a connection? err=%@", err);
+
+ if (err)
+ {
+ CFRelease(err);
+ }
+
+ CFRelease(test_null_abort_via_connection);
+ CFRelease(pass_through);
+ CFRelease(null_abort);
+ CFRelease(delay_null);
+
+ CFReadStreamClose(dev_null_stream);
+ CFRelease(dev_null_stream);
+}
+
+
+-(void)testDisconnect
+{
+ SecTransformRef a = SecNullTransformCreate();
+ SecTransformRef b = SecNullTransformCreate();
+ SecTransformRef c = SecNullTransformCreate();
+ SecGroupTransformRef g = SecTransformCreateGroupTransform();
+
+ SecTransformConnectTransforms(a, kSecTransformOutputAttributeName, b, kSecTransformInputAttributeName, g, NULL);
+ SecTransformConnectTransforms(a, kSecTransformOutputAttributeName, c, kSecTransformInputAttributeName, g, NULL);
+
+ SecTransformDisconnectTransforms(a, kSecTransformOutputAttributeName, b, kSecTransformInputAttributeName);
+ STAssertTrue(SecGroupTransformHasMember(g, a), @"A should still be in the group, but isn't");
+
+ SecTransformDisconnectTransforms(a, kSecTransformOutputAttributeName, c, kSecTransformInputAttributeName);
+ STAssertFalse(SecGroupTransformHasMember(g, a), @"A should no longer be in the group, but is");
+
+ CFRelease(g);
+ CFRelease(c);
+ CFRelease(b);
+ CFRelease(a);
+}
+
+
+-(void)testAbort
+{
+ CFStringRef abort_test_name = CFSTR("com.apple.security.unit-test.abortTest");
+
+ SecTransformCreateBlock setupBlock =
+ ^(CFStringRef name, SecTransformRef new_transform, const SecTransformCreateBlockParameters *params)
+ {
+ params->send(kSecTransformInputAttributeName, kSecTransformMetaAttributeDeferred, kCFBooleanTrue);
+
+ params->overrideAttribute(kSecTransformActionAttributeNotification, CFSTR("PB"), ^(SecTransformAttributeRef ah, CFTypeRef value) {
+ // Makes sure we can shut down (via ABORT) a transform that has a pending pushback
+ params->pushback(ah, value);
+ return (CFTypeRef)NULL;
+ });
+ };
+
+
+ SecTransformRef a;
+ SecTransformRef dt;
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+
+ // make two of these transforms and link them together
+ a = custom_transform(abort_test_name, setupBlock);
+ STAssertNotNil((id) a, @"SecCustomTransformCreate failed");
+
+ dt = delay_transform(NSEC_PER_SEC / 10);
+ STAssertNotNil((id) dt, @"SecCustomTransformCreate failed");
+
+ // connect the two transforms
+ CFErrorRef error;
+
+ // hook the output up so that the abort automatically fires.
+ SecTransformConnectTransforms(dt, kSecTransformOutputAttributeName, a, CFSTR("ABORT"), group, &error);
+ STAssertNil((id) error, @"SecTransformConnectTransforms failed.");
+
+ // also hook it up to the input because the input attribute is required on a null transform
+ SecTransformConnectTransforms(dt, CFSTR("NOVALUES"), a, kSecTransformInputAttributeName, group, &error);
+ STAssertNil((id) error, @"SecTransformConnectTransforms failed.");
+
+ // pass a plain piece of data down the transform just for fun...
+ const u_int8_t data[] = {3, 1, 4, 1, 5, 9, 2, 6, 5, 4};
+
+ CFDataRef dataRef = CFDataCreateWithBytesNoCopy(NULL, data, sizeof(data), kCFAllocatorNull);
+ SecTransformSetAttribute(dt, kSecTransformInputAttributeName, dataRef, NULL);
+
+ CFStringRef str = CFStringCreateMutable(NULL, 0);
+ SecTransformSetAttribute(a, CFSTR("PB"), str, NULL);
+
+ CFTypeRef er = SecTransformExecute(a, &error);
+
+ STAssertNil((id)er, @"Didn't expect an result from aborted transform");
+ STAssertNotNil((id)error, @"Expected error from execute");
+
+ if (error)
+ {
+ CFShow(error);
+
+ // while we are at it, make sure that the user dictionary has the originating transform
+ CFDictionaryRef userDictionary = CFErrorCopyUserInfo(error);
+ STAssertNotNil((id) CFDictionaryGetValue(userDictionary, kSecTransformAbortOriginatorKey), @"Originating transform not listed.");
+ CFRelease(error);
+ }
+
+ CFRelease(a);
+ CFRelease(dt);
+ CFRelease(group);
+ CFRelease(dataRef);
+
+/*
+ // XXX: these should both be 1, not 3 or 4. WTF? Is this an abort issue, or a generic leak?
+ // STAssertEquals(rc0, CFGetRetainCount(str), @"The value we sent to PB hasn't been released (value retained by pushback)");
+ // STAssertEquals(rc0, CFGetRetainCount(dataRef), @"The value we sent to INPUT hasn't been released");
+*/
+}
+
+-(void)testPreAbort {
+ CFErrorRef error = NULL;
+ SecTransformRef prebort = SecNullTransformCreate();
+ SecTransformSetAttribute(prebort, kSecTransformInputAttributeName, CFSTR("quux"), NULL);
+ SecTransformSetAttribute(prebort, CFSTR("ABORT"), CFSTR("OOPS"), NULL);
+ CFTypeRef er = SecTransformExecute(prebort, &error);
+ STAssertNil((id)er, @"Didn't expect an result from pre-aborted transform");
+ STAssertNotNil((id)error, @"Expected error from execute of pre-aborted transform");
+ CFRelease(error);
+}
+
+#ifdef DEBUG
+-(void)testFireAndForget
+{
+ bool isGC = false;
+ NSGarbageCollector* gc = [NSGarbageCollector defaultCollector];
+ if (gc)
+ {
+ isGC = [gc isEnabled];
+ }
+
+ CFIndex retCount = 0;
+
+ // make transforms
+ SecNullTransformRef a = SecNullTransformCreate();
+ SecNullTransformRef b = SecNullTransformCreate();
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ SecTransformConnectTransforms(a, kSecTransformOutputAttributeName, b, kSecTransformInputAttributeName, group, NULL);
+
+ if (!isGC)
+ {
+ retCount = CFGetRetainCount(group);
+ }
+
+ // set up a blob of data to fire
+ const u_int8_t data[] = {3, 1, 4, 1, 5, 9, 2, 6, 5, 4};
+ CFDataRef dataRef = CFDataCreateWithBytesNoCopy(NULL, data, sizeof(data), kCFAllocatorNull);
+ SecTransformSetAttribute(a, kSecTransformInputAttributeName, dataRef, NULL);
+ CFRelease(dataRef);
+
+ // make dispatch related stuff
+ dispatch_queue_t queue = dispatch_queue_create("ffqueue", NULL);
+ // semaphore0's job is to be signaled when we know ExecuteAsync is actually executing (so we don't sample the retain
+ // count too soone), semaphore signals when we are about done with ExecuteAsync (I'm not sure why we need to know),
+ // and semaphore2 is signaled to let the execute block know we are done sampling retain counts.
+ dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+ dispatch_semaphore_t semaphore2 = dispatch_semaphore_create(0);
+
+ // launch the chain
+ SecTransformExecuteAsync(group, queue,
+ ^(CFTypeRef message, CFErrorRef error, Boolean isFinal)
+ {
+ CFfprintf(stderr, "message %p, final %d\n", message, isFinal ? 1 : 0);
+ STAssertEquals(queue, const_cast<const dispatch_queue_t>(dispatch_get_current_queue()), @"Expected to be executing on own queue, got %s", dispatch_queue_get_label(dispatch_get_current_queue()));
+ if (isFinal)
+ {
+ fprintf(stderr, "Final message received.\n");
+ dispatch_semaphore_wait(semaphore2, DISPATCH_TIME_FOREVER); // make sure that the other chain has released its material
+ dispatch_semaphore_signal(semaphore);
+ }
+ });
+ CFRelease(a);
+ CFRelease(b);
+ CFRelease(group);
+ dispatch_semaphore_signal(semaphore2);
+ dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+
+ // no crash? Life is good.
+}
+#endif
+
+-(void)testExternalSource
+{
+ CFErrorRef err = NULL;
+ SecTransformRef xs = SecExternalSourceTransformCreate(&err);
+ SecTransformRef tee = SecNullTransformCreate();
+ SecTransformRef group = SecTransformCreateGroupTransform();
+
+ SecTransformConnectTransforms(xs, kSecTransformOutputAttributeName, tee, kSecTransformInputAttributeName, group, &err);
+
+ dispatch_queue_t q = dispatch_queue_create("com.apple.security.unit-tests.test-external-source", 0);
+ dispatch_group_t dg = dispatch_group_create();
+ dispatch_group_enter(dg);
+ __block bool got_ping = false;
+
+ SecTransformExecuteAsync(group, q, ^(CFTypeRef message, CFErrorRef error, Boolean isFinal) {
+ CFfprintf(stderr, "B: message %@, e %p, f %d\n", message ? message : (CFTypeRef)CFSTR("(NULL)"), error, isFinal);
+
+ if (message) {
+ if (CFEqual(message, CFSTR("PING"))) {
+ got_ping = true;
+ } else {
+ STFail(@"expected ping, got: %@", message);
+ }
+ }
+
+ if (error) {
+ STFail(@"unexpected error: %@", error);
+ }
+
+ if (isFinal) {
+ if (!got_ping) {
+ STFail(@"never got ping");
+ }
+ dispatch_group_leave(dg);
+ }
+ });
+
+ SecExternalSourceSetValue(tee, CFSTR("PONG"), &err);
+ STAssertNotNil((id)err, @"Expected error setting tee");
+ STAssertErrorHas((id)err, @"ExternalSource", @"Error should note what should be passed in: %@", err);
+ CFRelease(err);
+ err = NULL;
+ SecExternalSourceSetValue(xs, CFSTR("PING"), &err);
+ STAssertNil((id)err, @"unexpected error setting xs: %@", err);
+ SecExternalSourceSetValue(xs, NULL, &err);
+ STAssertNil((id)err, @"unexpected error setting xs: %@", err);
+ dispatch_group_wait(dg, DISPATCH_TIME_FOREVER);
+
+ dispatch_release(dg);
+ dispatch_release(q);
+ CFRelease(xs);
+ CFRelease(tee);
+ CFRelease(group);
+}
+
+-(void)testFindLastAndMonitor
+{
+ SecNullTransformRef a = delay_transform(NSEC_PER_SEC / 10);
+ SecNullTransformRef b = SecNullTransformCreate();
+
+ SecGroupTransformRef groupRef = SecTransformCreateGroupTransform();
+ CFErrorRef error = NULL;
+ SecTransformConnectTransforms(a, kSecTransformOutputAttributeName, b, kSecTransformInputAttributeName, groupRef, &error);
+ STAssertNil((id)error, @"An error was returned when none was expected.");
+ SecTransformSetAttribute(a, kSecTransformInputAttributeName, kCFNull, &error);
+ STAssertNil((id)error, @"An error was returned when none was expected.");
+
+
+ // get the last transform in the chain (unexecuted). It had better be b...
+ SecTransformRef tr = SecGroupTransformFindLastTransform(groupRef);
+ STAssertNotNil((id)tr, @"FindLastTransform returned NULL");
+ STAssertTrue(tr == b, @"FindLastTransform returned incorrect result");
+ STAssertFalse(tr == a, @"FindLastTransform returned the head of the chain");
+
+ // execute the transform. This should attach an output monitor
+ dispatch_queue_t queue = dispatch_queue_create("test delivery queue", NULL);
+ dispatch_semaphore_t last_block_run = dispatch_semaphore_create(0L);
+ dispatch_semaphore_t last_assert_run = dispatch_semaphore_create(0L);
+ SecTransformExecuteAsync(groupRef, queue,
+ ^(CFTypeRef message, CFErrorRef error, Boolean isFinal)
+ {
+ if (isFinal)
+ {
+ dispatch_semaphore_signal(last_block_run);
+ dispatch_semaphore_wait(last_assert_run, DISPATCH_TIME_FOREVER);
+ dispatch_release(last_assert_run);
+ }
+
+ });
+
+ dispatch_semaphore_wait(last_block_run, DISPATCH_TIME_FOREVER);
+
+ // see if the returned transform is the same now
+ tr = SecGroupTransformFindLastTransform(groupRef);
+ STAssertNotNil((id) tr, @"FindLastTransform returned NULL");
+ STAssertTrue(tr == b, @"FindLastTransform returned incorrect result");
+ STAssertFalse(tr == a, @"FindLastTransform returned the head of the chain");
+
+ // get the monitor, it had better not be a or b
+ tr = SecGroupTransformFindMonitor(groupRef);
+ STAssertNotNil((id) tr, @"FindMonitor returned NULL");
+ STAssertFalse(tr == a, @"FindLastTransform returned the head of the chain");
+ STAssertFalse(tr == b, @"FindLastTransform returned the head of the chain");
+
+ dispatch_semaphore_signal(last_assert_run);
+ dispatch_release(queue);
+ dispatch_release(last_block_run);
+ CFRelease(a);
+ CFRelease(b);
+ CFRelease(groupRef);
+}
+
+
+-(void)testConnectUnsetAttributes /* <rdar://problem/7769955> Can't connect transform attributes with no setting */
+{
+ SecNullTransformRef a = SecNullTransformCreate();
+ SecNullTransformRef b = SecNullTransformCreate();
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ CFErrorRef error = NULL;
+ SecTransformConnectTransforms(a, CFSTR("RANDOM_NAME"), b, CFSTR("RANDOM_DESTINATION"), group, &error);
+ CFRelease(group);
+ CFRelease(b);
+ CFRelease(a);
+ STAssertNil((id) error, @"An error was returned when none was expected.");
+}
+
+-(void)testNoDataFlowPriorToInit /* <rdar://problem/8163542> Monitor must be attached before the data flow becomes active */
+{
+ CFStringRef name = CFSTR("com.apple.security.unit-test.flow-check");
+ SecTransformCreateBlock cb = ^(CFStringRef name, SecTransformRef new_transform, const SecTransformCreateBlockParameters *params) {
+ __block bool inited = false;
+ __block bool saw_x_start = false;
+ __block bool saw_null = false;
+ __block int post_send_left = 8;
+ SecTransformAttributeRef out_ah = params->get(kSecTransformOutputAttributeName, kSecTransformMetaAttributeRef);
+ params->send(out_ah, kSecTransformMetaAttributeValue, CFSTR("create"));
+
+ params->overrideTransform(kSecTransformActionStartingExecution, ^{
+ params->send(out_ah, kSecTransformMetaAttributeValue, CFSTR("x-start"));
+ inited = true;
+ return (CFTypeRef)NULL;
+ });
+
+ params->overrideTransform(kSecTransformActionCanExecute, ^{
+ params->send(out_ah, kSecTransformMetaAttributeValue, CFSTR("can-x"));
+ return (CFTypeRef)NULL;
+ });
+
+ params->overrideAttribute(kSecTransformActionAttributeNotification, kSecTransformInputAttributeName, ^(SecTransformAttributeRef ah, CFTypeRef value) {
+ if (inited) {
+ if (value) {
+ if (!saw_x_start) {
+ saw_x_start = CFStringHasPrefix((CFStringRef)value, CFSTR("x-start"));
+ }
+ if (saw_null) {
+ params->send(kSecTransformAbortAttributeName, kSecTransformMetaAttributeValue, CreateGenericErrorRef(name, 88, "saw %@ after NULL", value));
+ }
+ if (post_send_left--) {
+ params->send(out_ah, kSecTransformMetaAttributeValue, CFSTR("post-init"));
+ }
+ } else {
+ saw_null = true;
+ // The FIRST flow transform should not see x-start (it is the OUTPUT of the flow transform
+ // before you in the chain), but all the other transforms should see it.
+ if (params->get(CFSTR("FIRST"), kSecTransformMetaAttributeValue)) {
+ if (saw_x_start) {
+ params->send(kSecTransformAbortAttributeName, kSecTransformMetaAttributeValue, CreateGenericErrorRef(name, 42, "saw bogus x-start on FIRST flow transform"));
+ } else {
+ params->send(out_ah, kSecTransformMetaAttributeValue, value);
+ }
+ } else {
+ if (saw_x_start) {
+ params->send(out_ah, kSecTransformMetaAttributeValue, value);
+ } else {
+ params->send(kSecTransformAbortAttributeName, kSecTransformMetaAttributeValue, CreateGenericErrorRef(name, 42, "never saw x-start before EOS"));
+ return (CFTypeRef)kCFNull;
+ }
+ }
+ }
+ } else {
+ // attempting to put the value in the error string sometimes blows up, so I've left it out.
+ params->send(kSecTransformAbortAttributeName, kSecTransformMetaAttributeValue, CreateGenericErrorRef(name, 42, "got: value before init"));
+ return (CFTypeRef)kCFNull;
+ }
+ return (CFTypeRef)value;
+ });
+ };
+
+ // Reliably reproduces with 100000 transforms in our group, but
+ // not at 1000...doesn't even seem to do it at 50000.
+ // Likely a timing issue triggered by heavy swapping.
+ int n_transforms = 100000;
+
+ if (!getenv("SUBMISSION_TEST")) {
+ n_transforms = 10000;
+ CFfprintf(stderr, "Running the far faster but far less reliable fast test.\nSet the SUBMISSION_TEST environment variable for full testing\n");
+ }
+
+ int i;
+ CFMutableArrayRef ta = CFArrayCreateMutable(NULL, n_transforms, &kCFTypeArrayCallBacks);
+ CFErrorRef err = NULL;
+
+ for(i = 0; i < n_transforms; ++i) {
+ SecTransformRef tr = custom_transform(name, cb);
+ STAssertNil((id)err, @"Failure %@ creating %@ transform", err, name);
+ CFStringRef l = CFStringCreateWithFormat(NULL, NULL, CFSTR("flow-%d"), i);
+ SecTransformSetAttribute(tr, kSecTransformTransformName, l, &err);
+ if (0 == i % 1000) {
+ CFfprintf(stderr, "Created %@ of %d\n", l, n_transforms);
+ }
+ CFRelease(l);
+ STAssertNil((id)err, @"Can't set name %@", err);
+ CFArrayAppendValue(ta, tr);
+ assert(CFArrayGetCount(ta));
+ assert(CFArrayGetCount(ta) == i+1);
+ }
+
+ SecTransformRef prev_tr = NULL;
+ SecTransformRef group = SecTransformCreateGroupTransform();
+ CFIndex cnt;
+
+ while ((cnt = CFArrayGetCount(ta))) {
+ CFIndex r = arc4random() % cnt;
+ SecTransformRef tr = CFArrayGetValueAtIndex(ta, r);
+ if (prev_tr) {
+ SecTransformConnectTransforms(tr, kSecTransformOutputAttributeName, prev_tr, kSecTransformInputAttributeName, group, &err);
+ STAssertNil((id)err, @"Can't connect %@ to %@", tr, prev_tr);
+ STAssertNotNil((id)group, @"nil group after connect");
+ CFRelease(prev_tr);
+ }
+ prev_tr = tr;
+ CFArrayRemoveValueAtIndex(ta, r);
+
+ if (0 == cnt % 1000) {
+ CFfprintf(stderr, "%d left to hook up\n", cnt);
+ }
+ }
+
+ CFTypeRef ptl = SecTransformGetAttribute(prev_tr, kSecTransformTransformName);
+ CFfprintf(stderr, "Setting INPUT for %@\n", ptl);
+ SecTransformSetAttribute(prev_tr, kSecTransformInputAttributeName, CFSTR("First!"), &err);
+ STAssertNil((id)err, @"Can't set first's input? %@", err);
+ SecTransformSetAttribute(prev_tr, CFSTR("FIRST"), kCFBooleanTrue, &err);
+ STAssertNil((id)err, @"Can't set FIRST? %@", err);
+ CFTypeRef r = SecTransformExecute(group, &err);
+ STAssertNil((id)err, @"execution error: %@", err);
+ STAssertNotNil((id)r, @"result expected from execute");
+ CFRelease(group);
+ CFRelease(prev_tr);
+}
+
+-(void)testNoDataDescription /* <rdar://problem/7791122> CFShow(SecCustomTransformNoData()) crashes */
+{
+ CFStringRef result = CFCopyDescription(SecTransformNoData()); // this is called under the hood in CFShow, and it doesn't dump output
+ STAssertNotNil((id)result, @"SecTransformNoData can be formatted");
+ CFRelease(result);
+}
+
+static SecTransformInstanceBlock KnownProblemPlumbing(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ // At the moment fully disconnecting a transform from a group leaves it in the group, so it can't have any
+ // kSecTransformMetaAttributeRequiresOutboundConnection=TRUE attributes (by default OUTPUT requires an outbound connection)
+ SecTransformCustomSetAttribute(ref, kSecTransformOutputAttributeName,
+ kSecTransformMetaAttributeRequiresOutboundConnection, kCFBooleanFalse);
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, kSecTransformInputAttributeName,
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ return (CFTypeRef)CFErrorCreate(NULL, kCFErrorDomainPOSIX, EOPNOTSUPP, NULL);
+ });
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)knownProblemPlumbing // note, this test has been disconnected!
+{
+ SecNullTransformRef a = SecNullTransformCreate();
+ CFStringRef name = CFSTR("com.apple.security.unit-test.error+outputless");
+ CFErrorRef err = NULL;
+
+ SecTransformRegister(name, &KnownProblemPlumbing, &err);
+
+ SecTransformRef b = SecTransformCreate(name, NULL);
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+
+ SecTransformConnectTransforms(a, kSecTransformOutputAttributeName, b, kSecTransformInputAttributeName, group, NULL);
+ SecTransformDisconnectTransforms(a, kSecTransformOutputAttributeName, b, kSecTransformInputAttributeName);
+
+
+ CFStringRef data = CFSTR("Test");
+
+ SecTransformSetAttribute(a, kSecTransformInputAttributeName, data, NULL);
+ CFTypeRef result = SecTransformExecute(a, &err);
+
+ STAssertEqualObjects((id)data, (id)result, @"Plumbing disconnect failed.");
+ STAssertNil((id)err, @"Unexpected error=%@", err);
+ CFRelease(a);
+ CFRelease(b);
+ CFRelease(group);
+}
+
+-(void)testUnknownEncodeType {
+ CFErrorRef err1 = NULL;
+ CFStringRef invalid_encode_type = CFSTR("no such encoding type ☃✪");
+ SecTransformRef not_created = SecEncodeTransformCreate(invalid_encode_type, &err1);
+ STAssertNil((id)not_created, @"Created encode transform with bad type");
+ STAssertErrorHas((NSError*)err1, @"☃✪", @"Error mentions bad encoding type: %@", err1);
+ fprintf(stderr, "Err1 = %p\n", err1);
+ if (err1) CFRelease(err1);
+ err1 = NULL;
+
+ CFErrorRef err2 = NULL;
+ SecTransformRef no_type_at_create = SecEncodeTransformCreate(NULL, &err2);
+ fprintf(stderr, "Err2 = %p\n", err2);
+ STAssertNotNil((id)no_type_at_create, @"should be able to create encoder with unset type, but got error %@", err2);
+
+ if (no_type_at_create) {
+ CFErrorRef err3 = NULL;
+ SecTransformSetAttribute(no_type_at_create, kSecTransformInputAttributeName, NULL, &err3);
+ STAssertNil((id)err3, @"Can't set INPUT: %@", err3);
+ if (err3) {
+ CFRelease(err3);
+ err3 = NULL;
+ }
+ STAssertTrue(SecTransformSetAttribute(no_type_at_create, kSecEncodeTypeAttribute, kSecBase32Encoding, &err3), @"Can't set encode to valid type error: %@", err3);
+ STAssertFalse(SecTransformSetAttribute(no_type_at_create, kSecEncodeTypeAttribute, invalid_encode_type, &err3), @"Set encode to invalid type, no error signaled", err3);
+ fprintf(stderr, "Err3 = %p\n", err3);
+ if (err3) CFRelease(err3);
+
+ CFErrorRef err4 = NULL;
+ CFTypeRef no_result = SecTransformExecute(no_type_at_create, &err4);
+ STAssertNil((id)no_result, @"Got result when none expected %@");
+ STAssertNotNil((id)err4, @"No error when one expected");
+ fprintf(stderr, "Err4 = %p\n", err4);
+ if (err4) CFRelease(err4);
+ } else {
+ STFail(@"Unable to run some tests");
+ }
+
+ CFRelease(no_type_at_create);
+ CFRelease(invalid_encode_type);
+}
+
+-(void)testNoUnderscores
+{
+ SecTransformRef zt = SecEncodeTransformCreate(kSecZLibEncoding, NULL);
+ CFErrorRef err = NULL;
+ SecTransformSetAttribute(zt, CFSTR("_FAIL"), kCFBooleanTrue, &err);
+ STAssertNotNil((id)err, @"Expeced an error setting _FAIL");
+ STAssertErrorHas((id)err, @"_FAIL", @"Expected error to contain _FAIL");
+ STAssertErrorHas((id)err, @"Encoder", @"Expecting error to name offending transform", err);
+ CFTypeRef v = SecTransformGetAttribute(zt, CFSTR("_FAIL"));
+ STAssertNil((id)v, @"Expected nil result, got v=%p", v);
+ CFRelease(err);
+ CFRelease(zt);
+}
+
+-(void)testCanFetchDigestSizes
+{
+ NSDictionary *digests = [NSDictionary dictionaryWithObjectsAndKeys:
+ [NSNumber numberWithInt:128/8], kSecDigestMD2,
+ [NSNumber numberWithInt:128/8], kSecDigestMD4,
+ [NSNumber numberWithInt:128/8], kSecDigestMD5,
+ [NSNumber numberWithInt:160/8], kSecDigestSHA1,
+ [NSNumber numberWithInt:512/8], kSecDigestSHA2,
+ nil];
+ NSData *zero = [NSData dataWithBytes:"" length:1];
+
+ for (NSString *digestType in digests) {
+ CFErrorRef err = NULL;
+ SecTransformRef digest = SecDigestTransformCreate(digestType, 0, &err);
+ STAssertNotNil((id)digest, @"Expected to make digest (err=%@)", err);
+ STAssertNil((id)err, @"Unexpected error: %@", err);
+ NSNumber *actualLength = (NSNumber*)SecTransformGetAttribute(digest, kSecDigestLengthAttribute);
+ STAssertTrue([actualLength intValue] != 0, @"Got zero length back");
+ STAssertNotNil(actualLength, @"Expected to get a length");
+ STAssertEqualObjects(actualLength, [digests objectForKey:digestType], @"Expected lengths to match for %@", digestType);
+
+ SecTransformSetAttribute(digest, kSecTransformInputAttributeName, zero, &err);
+ STAssertNil((id)err, @"Unexpected error: %@", err);
+
+ NSData *output = (NSData *)SecTransformExecute(digest, &err);
+ STAssertNil((id)err, @"Unexpected error: %@", err);
+ STAssertNotNil((id)output, @"No output");
+
+ STAssertEquals([actualLength intValue], (int)[output length], @"Actual output not expected length");
+
+ [output release];
+ CFRelease(digest);
+ }
+}
+
+-(void)testBadTransformTypeNames
+{
+ CFErrorRef error = NULL;
+ Boolean ok = SecTransformRegister(CFSTR("Not valid: has a col..co...double dot thing"), DelayTransformBlock, &error);
+ STAssertFalse(ok, @"Register of name with : fails");
+ STAssertErrorHas((id)error, @":", @"Error mentions invalid character (error=%@)", error);
+
+ ok = SecTransformRegister(CFSTR("Not/valid has a slash"), DelayTransformBlock, &error);
+ STAssertFalse(ok, @"Register of name with / fails");
+ STAssertErrorHas((id)error, @"/", @"Error mentions invalid character (error=%@)", error);
+
+ ok = SecTransformRegister(CFSTR("https://NOT/VALID"), DelayTransformBlock, &error);
+ STAssertFalse(ok, @"Register of name with : and / fails");
+ STAssertErrorHas((id)error, @"[:/]", @"Error mentions invalid character (error=%@)", error);
+
+ ok = SecTransformRegister(CFSTR("_not valid at start"), DelayTransformBlock, &error);
+ STAssertFalse(ok, @"Register of _name fails");
+ STAssertErrorHas((id)error, @"_", @"Error mentions invalid character (error=%@)", error);
+
+ ok = SecTransformRegister(CFSTR("it is ok to have a _ after start"), DelayTransformBlock, &error);
+ STAssertTrue(ok, @"Register of _ IN should have worked (error=%@)", error);
+}
+
+-(void)testExecuteBlock {
+ unsigned char *raw_data = (unsigned char *)"Just some bytes, you know";
+ //NSData *empty = [NSData dataWithBytes:NULL length:0];
+ NSData *data = [NSData dataWithBytes:raw_data length:strlen((const char *)raw_data)];
+ //NSUInteger ecnt = [empty retainCount];
+
+ SecTransformRef zt = SecEncodeTransformCreate(kSecZLibEncoding, NULL);
+ SecTransformSetAttribute(zt, kSecTransformInputAttributeName, data, NULL);
+ dispatch_queue_t q = dispatch_queue_create("com.apple.security.testingQ", NULL);
+ dispatch_queue_t q_sync = dispatch_queue_create("com.apple.security.testingQ_sync", NULL);
+ dispatch_suspend((dispatch_object_t)q_sync);
+ __block BOOL ran_block = NO;
+
+ SecTransformExecuteAsync(zt, q, ^(CFTypeRef message, CFErrorRef error, Boolean isFinal) {
+// if ([empty length]) {
+// NSLog(@"Empty data not so empty");
+// }
+ STAssertTrue(dispatch_get_current_queue() == q, @"block dispatched to proper queue");
+
+ if (!ran_block) {
+ usleep(200);
+ ran_block = YES;
+ }
+
+ if (message == NULL) {
+ dispatch_resume((dispatch_object_t)q_sync);
+ }
+ });
+
+ //STAssertTrue(ecnt < [empty retainCount], @"SecTransformExecute retained block");
+ dispatch_sync(q_sync, ^{ });
+ STAssertTrue(ran_block, @"Block executed");
+
+ dispatch_release(q_sync);
+ dispatch_release(q);
+ CFRelease(zt);
+
+ // test for 7735698
+ // STAssertTrue(ecnt == [empty retainCount], @"SecTransformExecute released block");
+}
+
+static SecTransformInstanceBlock ConnectionCheck(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ __block SecTransformMetaAttributeType dir = kSecTransformMetaAttributeValue;
+
+ SecTransformAttributeRef out_ah =
+ SecTranformCustomGetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeRef);
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("DIRECTION"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (CFEqual(value, CFSTR("<")))
+ {
+ dir = kSecTransformMetaAttributeHasInboundConnection;
+ }
+ else if (CFEqual(value, CFSTR(">")))
+ {
+ dir = kSecTransformMetaAttributeHasOutboundConnections;
+ }
+ else
+ {
+ return (CFTypeRef)CreateSecTransformErrorRef(kSecTransformErrorInvalidInput, "Unsupported direction %@, expected < or >", value);
+ }
+ return value;
+ });
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("INPUT"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (dir != kSecTransformMetaAttributeValue)
+ {
+ if (value)
+ {
+ SecTransformCustomSetAttribute(ref, out_ah, kSecTransformMetaAttributeValue,
+ SecTranformCustomGetAttribute(ref, value, dir));
+ }
+ else
+ {
+ SecTransformCustomSetAttribute(ref, out_ah, kSecTransformMetaAttributeValue, NULL);
+ }
+ }
+ else
+ {
+ SecTransformPushbackAttribute(ref, ah, value);
+ }
+
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testConnectionChecks {
+
+ CFStringRef name = CFSTR("com.apple.security.unit-test.connection-checks");
+ CFErrorRef error = NULL;
+ SecTransformRegister(name, &*ConnectionCheck, &error);
+
+ struct test_case {
+ NSString *attr, *dir;
+ CFBooleanRef expect;
+ } cases[] = {
+ {@"INPUT", @"<", kCFBooleanTrue},
+ {@"OUTPUT", @">", kCFBooleanTrue},
+ {@"INPUT", @">", kCFBooleanFalse},
+ {@"OUTPUT", @"<", kCFBooleanFalse},
+ {@"DIRECTION", @"<", kCFBooleanFalse},
+ {@"DIRECTION", @">", kCFBooleanFalse},
+ };
+
+ CFIndex i, n = sizeof(cases)/sizeof(test_case);
+ for(i = 0; i < n; ++i)
+ {
+ test_case *t = cases + i;
+
+ SecTransformRef cct = SecTransformCreate(name, NULL);
+ SecTransformRef tee0 = SecNullTransformCreate();
+ SecTransformRef tee1 = SecNullTransformCreate();
+ SecTransformRef group = SecTransformCreateGroupTransform();
+
+ SecTransformSetAttribute(cct, CFSTR("DEBUG"), kCFBooleanTrue, NULL);
+ SecTransformSetAttribute(tee0, CFSTR("DEBUG"), kCFBooleanTrue, NULL);
+ SecTransformSetAttribute(tee1, CFSTR("DEBUG"), kCFBooleanTrue, NULL);
+
+ SecTransformSetAttribute(tee0, CFSTR("NAME"), CFSTR("tee0"), NULL);
+ SecTransformSetAttribute(tee1, CFSTR("NAME"), CFSTR("tee1"), NULL);
+
+ SecTransformConnectTransforms(cct, CFSTR("OUTPUT"), tee1, CFSTR("INPUT"), group, NULL);
+ SecTransformConnectTransforms(tee0, CFSTR("OUTPUT"), cct, CFSTR("INPUT"), group, NULL);
+
+ SecTransformSetAttribute(cct, CFSTR("DIRECTION"), t->dir, NULL);
+ SecTransformSetAttribute(tee0, CFSTR("INPUT"), t->attr, NULL);
+ CFErrorRef err = NULL;
+ CFTypeRef r = SecTransformExecute(group, &err);
+ STAssertNil((id)err, @"Error=%@ for case#%d", err, i);
+ STAssertNotNil((id)r, @"Nil result for case#%d", i);
+ STAssertEqualObjects((id)(t->expect), (id)r, @"Expected result for case#%d %@%@", i, t->dir, t->attr);
+
+ CFRelease(cct);
+ CFRelease(tee0);
+ CFRelease(tee1);
+ CFRelease(group);
+ }
+
+}
+
+static SecTransformInstanceBlock PushBackTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ __block CFStringRef input_d = NULL;
+ __block CFStringRef data_d = NULL;
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("DATA"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (!input_d)
+ {
+ SecTransformPushbackAttribute(ref, ah, value);
+ }
+ else
+ {
+ if (data_d)
+ {
+ CFRelease(data_d);
+ }
+ data_d = (CFStringRef)CFRetain(value);
+ }
+ return value;
+ });
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("INPUT"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (value)
+ {
+ if (input_d)
+ {
+ CFRelease(input_d);
+ }
+ input_d = (CFStringRef)CFRetain(value);
+ if (!data_d)
+ {
+ SecTransformPushbackAttribute(ref, ah, value);
+ return value;
+ }
+ }
+ else
+ {
+ if (data_d)
+ {
+ SecTransformPushbackAttribute(ref, ah, NULL);
+ value = data_d;
+ data_d = NULL;
+ }
+ }
+ SecTransformCustomSetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeValue, value);
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testPushback {
+
+ CFStringRef name = CFSTR("com.apple.security.unit-test.basic-pushback");
+ CFStringRef one = CFSTR("1");
+ CFStringRef two = CFSTR("2");
+ CFStringRef expect = CFSTR("12");
+
+ // This unit test makes pushback look very complex, but that is because we are abusing it for test purposes.
+ // normally it is a simple "if I need X before I can go on, and X isn't here yet pushback". Here we attempt
+ // to carefully sequence 2 attributes to be the inverse of the normal order AND test pushback of NULL as well
+ // as normal values.
+
+ CFErrorRef error = NULL;
+ SecTransformRegister(name, &PushBackTest, &error);
+
+ SecTransformRef pt = SecTransformCreate(name, NULL);
+
+ SecTransformSetAttribute(pt, CFSTR("DATA"), two, NULL);
+ SecTransformSetAttribute(pt, CFSTR("INPUT"), one, NULL);
+
+ CFTypeRef result = SecTransformExecute(pt, NULL);
+
+ STAssertEqualObjects((id)result, (id)expect, @"Testing pushback");
+
+ CFRelease(pt);
+
+ // NOTE: we want to test doing a double pushback, but that sets the Abort attribute which currently causes an abort not an orderly shutdown
+
+}
+
+static SecTransformInstanceBlock CustomExternalization(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ // Create a non-attribute 'instance' variable which will contain
+ // the version number of this class
+
+ __block float versionNumber = 1.0;
+
+ // Register the custom externalize override
+ SecTransformActionBlock ExternalizeExtraDataOverride =
+ ^{
+ CFStringRef key = CFSTR("VersionNumber");
+ CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberFloatType, &versionNumber);
+
+ CFDictionaryRef result = CFDictionaryCreate(kCFAllocatorDefault,
+ (const void **)&key, (const void **)&value,
+ 1, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+
+ CFRelease(value);
+
+
+ return (CFTypeRef)result;
+
+ };
+ SecTransformSetTransformAction(ref, kSecTransformActionExternalizeExtraData, ExternalizeExtraDataOverride);
+
+ // Register the custom internalize override
+ SecTransformDataBlock InternalizeExtraDataOverride =
+ ^(CFTypeRef d)
+ {
+ CFTypeRef internalizeResult = NULL;
+ //id testObj = (id)d;
+
+ //STAssertNotNil(testObj, @"Internalize did NOT get a dictionary!");
+
+ if (CFDictionaryGetTypeID() == CFGetTypeID(d))
+ {
+ CFStringRef key = CFSTR("VersionNumber");
+ CFDictionaryRef dict = (CFDictionaryRef)d;
+ CFNumberRef varsNum = (CFNumberRef)CFDictionaryGetValue(dict, key);
+ // STAssertNotNil((NSNumber *)varsNum,
+ // @"Unable to retrieve the dictionary when the internalized data override");
+ if (NULL != varsNum)
+ {
+ Boolean numResult = CFNumberGetValue(varsNum, kCFNumberFloatType, &versionNumber);
+ // STAssertTrue(numResult, @"Could not get the version number from the CFNumberRef");
+ if (numResult)
+ {
+ //float knownVersion = 1.0;
+ // STAssertTrue(knownVersion == versionNumber, @"Versions do not Match!");
+ }
+ }
+ }
+ return internalizeResult;
+ };
+ SecTransformSetDataAction(ref, kSecTransformActionInternalizeExtraData,
+ InternalizeExtraDataOverride);
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+/* --------------------------------------------------------------------------
+ method: testCustomExternalization
+ description: Test the ability to write out custom external data
+ -------------------------------------------------------------------------- */
+- (void)testCustomExternalization
+{
+ NSString* ctName = @"com.apple.security.unit-test-customExternalization";
+ NSError* error = nil;
+
+ CFStringRef aName = (CFStringRef)ctName;
+ CFErrorRef* anError = (CFErrorRef *)&error;
+
+ Boolean registerResult = SecTransformRegister(aName, &CustomExternalization, anError);
+ STAssertTrue(registerResult, @"Unable to register the custom externalization transform");
+
+ SecTransformRef externalTrans = SecTransformCreate((CFStringRef)ctName,
+ (CFErrorRef *)&error);
+
+ STAssertNotNil((id)externalTrans, @"Could not create the custom externalization transform");
+
+ CFDictionaryRef externalData = SecTransformCopyExternalRepresentation(externalTrans);
+ STAssertNotNil((NSDictionary *)externalData, @"Did not get a dictionary from SecTransformCopyExternalRepresentation");
+
+ CFRelease(externalTrans);
+
+ externalTrans = NULL;
+ externalTrans = SecTransformCreateFromExternalRepresentation(externalData, (CFErrorRef *)&error);
+ STAssertNotNil((id)externalTrans, @"Could not create the custom external representation");
+ CFRelease(externalData);
+ if (NULL != externalTrans)
+ {
+ CFRelease(externalTrans);
+ }
+}
+
+static SecTransformInstanceBlock TestString(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ SecTransformSetDataAction(ref, kSecTransformActionProcessData,
+ ^(CFTypeRef value)
+ {
+ CFDataRef d = (CFDataRef)value;
+ if (d) {
+ return (CFTypeRef)CFStringCreateWithBytes(NULL, CFDataGetBytePtr(d), CFDataGetLength(d), kCFStringEncodingMacRoman, FALSE);
+ } else {
+ return (CFTypeRef)d;
+ }
+ });
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testStringResults {
+ CFStringRef name = CFSTR("com.apple.security.unit-test.string-converter");
+ CFErrorRef error = NULL;
+ SecTransformRegister(name, &TestString, &error);
+
+ SecTransformRef sr = SecTransformCreate(name, NULL);
+
+ unsigned char *msg = (unsigned char *)"This is a test message, it isn't large, but it will get broken into parts by the encode/decode transforms...";
+ CFDataRef data = CFDataCreate(NULL, msg, strlen((const char *)msg));
+ NSString *ns_msg = [NSString stringWithCString:(const char *)msg encoding:NSMacOSRomanStringEncoding];
+
+ SecTransformRef er = SecEncodeTransformCreate(kSecBase32Encoding, NULL);
+ SecTransformRef dr = SecDecodeTransformCreate(kSecBase32Encoding, NULL);
+
+ SecTransformSetAttribute(er, kSecTransformInputAttributeName, data, NULL);
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ SecTransformConnectTransforms(er, kSecTransformOutputAttributeName, dr, kSecTransformInputAttributeName, group, NULL);
+ SecTransformConnectTransforms(dr, kSecTransformOutputAttributeName, sr, kSecTransformInputAttributeName, group, NULL);
+
+
+ CFStringRef result = (CFStringRef)SecTransformExecute(sr, NULL);
+ STAssertEqualObjects(ns_msg, (NSString *)result, @"string results");
+
+ CFRelease(result);
+ CFRelease(group);
+ CFRelease(dr);
+ CFRelease(er);
+ CFRelease(sr);
+ if (error)
+ {
+ CFRelease(error);
+ }
+}
+
+static CFNumberRef MakeNumber1(long n)
+{
+ return CFNumberCreate(NULL, kCFNumberLongType, &n);
+}
+
+
+
+static SecTransformInstanceBlock TestRegisterCreate(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+
+
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ __block long count = 0;
+
+ __block CFNumberRef countNum = MakeNumber1(count);;
+ SecTransformCustomSetAttribute(ref, CFSTR("Count"), kSecTransformMetaAttributeValue, countNum);
+ CFRelease(countNum);
+ fprintf(stderr, "countNum = %p\n", countNum);
+
+ CFErrorRef result = NULL;
+ SecTransformSetDataAction(ref, kSecTransformActionProcessData,
+ ^(CFTypeRef value)
+ {
+ CFDataRef d = (CFDataRef)value;
+ if (d)
+ {
+ count += CFDataGetLength(d);
+
+ CFNumberRef countNum2 = CFNumberCreate(kCFAllocatorDefault, kCFNumberLongType, &count);
+ SecTransformCustomSetAttribute(ref, CFSTR("Count"), kSecTransformMetaAttributeValue, countNum2);
+ CFRelease(countNum2);
+ fprintf(stderr, "countNum = %p\n", countNum);
+
+ } else
+ {
+ SecTransformCustomSetAttribute(ref, CFSTR("Count"), kSecTransformMetaAttributeValue, NULL);
+ }
+ return value;
+ });
+
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+- (void)testRegisterCreate
+{
+ CFStringRef name = CFSTR("com.apple.security.unit-test.novel-unique-at-least-unusual-name");
+ long count = 0;
+ CFNumberRef countNum = NULL;
+ CFErrorRef error = NULL;
+ Boolean ok = SecTransformRegister(name, &TestRegisterCreate, &error);
+ STAssertTrue(ok, @"Successful register");
+
+ SecTransformRef tr = SecTransformCreate(name, NULL);
+ STAssertNotNil((NSObject *)tr, @"newly created custom transform");
+ SecTransformSetAttribute(tr, CFSTR("DEBUG"), kCFBooleanTrue, NULL);
+
+ char *data_bytes = (char *)"It was the best of transforms, it was the worst of transforms.";
+ CFDataRef data = CFDataCreate(NULL, (const UInt8 *)data_bytes, strlen(data_bytes));
+
+ SecTransformSetAttribute(tr, kSecTransformInputAttributeName, data, NULL);
+
+ SecTransformRef nt = SecNullTransformCreate();
+ SecTransformRef tg = SecTransformCreateGroupTransform();
+ SecTransformConnectTransforms(tr, CFSTR("OUTPUT"), nt, CFSTR("DISCARD"), tg, &error);
+ STAssertNil((id)error, @"Connected tr's output to nt's discard: %@", error);
+ SecTransformConnectTransforms(tr, CFSTR("Count"), nt, CFSTR("INPUT"), tg, &error);
+ STAssertNil((id)error, @"Connected tr's count to nt's input: %@", error);
+
+ SecTransformSetAttribute(nt, CFSTR("DEBUG"), kCFBooleanTrue, NULL);
+
+ usleep(100);
+ countNum = (CFNumberRef)SecTransformGetAttribute(tr, CFSTR("Count"));
+ CFNumberGetValue(countNum, kCFNumberLongType, &count);
+ CFRelease(countNum);
+ STAssertTrue(count == 0, @"length unchanged before execute");
+
+ countNum = (CFNumberRef)SecTransformExecute(tg, NULL);
+ STAssertNotNil((id)countNum, @"Got result from execute");
+ STAssertEquals(CFGetTypeID(countNum), CFNumberGetTypeID(), @"expected a number from execute");
+ CFNumberGetValue(countNum, kCFNumberLongType, &count);
+ CFRelease(countNum);
+
+ STAssertTrue(count == CFDataGetLength(data), @"Wrong data length");
+
+ CFRelease(tg);
+ CFRelease(nt);
+ CFRelease(tr);
+ CFRelease(data);
+}
+
+
+static SecTransformInstanceBlock CountTransformTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ SecTransformSetAttributeAction(ref,kSecTransformActionAttributeNotification, CFSTR("INPUT"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (value) {
+ if (CFGetTypeID(value) != CFNumberGetTypeID()) {
+ SecTransformCustomSetAttribute(ref, CFSTR("ABORT"), kSecTransformMetaAttributeValue, CFSTR("Bad type"));
+ return value;
+ }
+ CFNumberRef nr = (CFNumberRef)value;
+ int max, i;
+ CFNumberGetValue(nr, kCFNumberIntType, &max);
+ for(i = 0; i < max; ++i) {
+ nr = CFNumberCreate(NULL, kCFNumberIntType, &i);
+ SecTransformCustomSetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeValue, nr);
+ CFRelease(nr);
+ }
+ } else {
+ SecTransformCustomSetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeValue, value);
+ }
+
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+static SecTransformRef count_transform(int n) {
+ CFStringRef name = CFSTR("com.apple.security.unit-test.count");
+ static dispatch_once_t once;
+
+ dispatch_once(&once,
+ ^{
+ SecTransformRegister(name, &CountTransformTest, NULL);
+ });
+
+ SecTransformRef ct = SecTransformCreate(name, NULL);
+ CFNumberRef num = CFNumberCreate(NULL, kCFNumberIntType, &n);
+ SecTransformSetAttribute(ct, CFSTR("INPUT"), num, NULL);
+ CFRelease(num);
+
+ return ct;
+}
+
+
+static SecTransformInstanceBlock StallTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ __block bool go = false;
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("GO"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ go = true;
+ return value;
+ });
+
+ SecTransformAttributeRef in_ah = SecTransformCustomGetAttribute(ref, CFSTR("INPUT"), kSecTransformMetaAttributeRef);
+ SecTransformAttributeRef out_ah = SecTransformCustomGetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeRef);
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, NULL,
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (!go) {
+ SecTransformPushbackAttribute(ref, ah, value);
+ } else {
+ if (ah == in_ah) {
+ SecTransformCustomSetAttribute(ref, out_ah, kSecTransformMetaAttributeValue, value);
+ }
+ }
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testStall {
+ CFStringRef name = CFSTR("com.apple.security.unit-test.stall");
+
+ (void)SecTransformRegister(name, &StallTest, NULL);
+
+ SecTransformRef stall = SecTransformCreate(name, NULL);
+ SecTransformRef seven = count_transform(7);
+ SecTransformRef group = SecTransformCreateGroupTransform();
+ SecTransformRef delay = delay_transform(NSEC_PER_SEC / 10);
+
+ SecTransformConnectTransforms(seven, CFSTR("OUTPUT"), stall, CFSTR("FOO"), group, NULL);
+ SecTransformConnectTransforms(seven, CFSTR("OUTPUT"), stall, CFSTR("BAR"), group, NULL);
+ SecTransformConnectTransforms(seven, CFSTR("OUTPUT"), stall, CFSTR("BAZ"), group, NULL);
+ SecTransformConnectTransforms(seven, CFSTR("OUTPUT"), stall, CFSTR("INPUT"), group, NULL);
+ SecTransformConnectTransforms(delay, CFSTR("OUTPUT"), stall, CFSTR("GO"), group, NULL);
+
+ SecTransformSetAttribute(delay, CFSTR("INPUT"), (CFNumberRef)[NSNumber numberWithInt:42], NULL);
+
+ CFErrorRef err = NULL;
+ CFTypeRef r = SecTransformExecute(group, &err);
+
+ STAssertNotNil((id)r, @"Results from testStall");
+ STAssertNil((id)err, @"Got %@ error from testStall", err);
+ NSArray *array_seven = [NSArray arrayWithObjects:[NSNumber numberWithInt:0], [NSNumber numberWithInt:1], [NSNumber numberWithInt:2], [NSNumber numberWithInt:3], [NSNumber numberWithInt:4], [NSNumber numberWithInt:5], [NSNumber numberWithInt:6], NULL];
+ STAssertEqualObjects((id)r, array_seven, @"Correct stall test results");
+
+ CFRelease(delay);
+ CFRelease(group);
+ CFRelease(seven);
+ CFRelease(stall);
+}
+
+-(void)testInappropriateExecution
+{
+ // We want to have more then enough work for all the CPUs to help force a race, so twice
+ // the number of logical CPUs should do it. NOTE: the completion blocks got to a low
+ // priority concurrent queue to encourage them to finish out of order and put more
+ // stress on the system we are testing.
+
+ int logical_cpus = 1;
+ size_t int_size = sizeof(logical_cpus);
+ int return_code = sysctlbyname("hw.logicalcpu_max", &logical_cpus, &int_size, NULL, 0);
+ int e = errno; // Save this value so it doesn't get trashed by any subsequent syscalls
+ STAssertEquals(return_code, 0, @"sysctlbyname failed %s (%d), assuming 1 CPU", strerror(e), e);
+
+ SecTransformRef count_a_bunch = count_transform(logical_cpus * 2);
+ CFErrorRef err = NULL;
+ dispatch_group_t wait_for_async_to_complete = dispatch_group_create();
+ dispatch_group_t outstanding_executions = dispatch_group_create();
+ SecTransformRef count_group = SecTransformCreateGroupTransform();
+
+ SecTransformConnectTransforms(count_a_bunch, CFSTR("kludge1"), count_a_bunch, CFSTR("kludge2"), count_group, &err);
+ STAssertNil((id)err, @"Error (%@) connecting count transform to itself", err);
+
+ dispatch_group_enter(wait_for_async_to_complete);
+ SecTransformExecuteAsync(count_a_bunch, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_LOW, 0), ^(CFTypeRef message, CFErrorRef error, Boolean isFinal)
+ {
+ dispatch_group_enter(outstanding_executions);
+
+ CFErrorRef err = NULL;
+ CFTypeRef no_result = SecTransformExecute(count_a_bunch, &err);
+ STAssertNil((id)no_result, @"Attempting to execute an already executing transform should fail, not provide results: %@", no_result);
+ STAssertNotNil((id)err, @"Attempting to execute an already executing transform should produce some sort of error");
+ CFRelease(err);
+
+ dispatch_group_leave(outstanding_executions);
+
+ if (isFinal)
+ {
+ // Give any pending executions time to get to the group_enter
+ usleep(100);
+ dispatch_group_wait(outstanding_executions, DISPATCH_TIME_FOREVER);
+ dispatch_release(outstanding_executions);
+ dispatch_group_leave(wait_for_async_to_complete);
+ }
+ });
+
+ // Before that SecTransformExecuteAsync completes, we do some more work at >low priority to help
+ // keep the completion blocks landing out of order. In particular we run a transform to
+ // completion, and then confirm that we can't run it again.
+
+ SecTransformRef no_work = SecNullTransformCreate();
+ SecTransformRef no_work_group = SecTransformCreateGroupTransform();
+ SecTransformConnectTransforms(no_work, CFSTR("kludge1"), no_work, CFSTR("kludge2"), no_work_group, &err);
+ STAssertNil((id)err, @"Can't connect no_work to itself (to make no_work_group), err=%@", err);
+
+ SecTransformSetAttribute(no_work, CFSTR("INPUT"), CFSTR("value"), NULL);
+ CFTypeRef no_result = SecTransformExecute(no_work_group, &err);
+ STAssertNil((id)err, @"First execute of Null Transform should be ok, got e=%@", err);
+ STAssertNotNil((id)no_result, @"First execute of Null Transform should produce a value");
+
+ no_result = SecTransformExecute(no_work_group, &err);
+
+ STAssertNotNil((id)err, @"Second execute of Null Transform should fail!");
+ STAssertNil((id)no_result, @"Second execute of Null Transform shouldn't produce a value, got r=%@", no_result);
+ CFRelease(err);
+
+ // Now we wait for that first batch of tests to finish, we don't want to call STFail after self goes away.
+
+ dispatch_group_wait(wait_for_async_to_complete, DISPATCH_TIME_FOREVER);
+ dispatch_release(wait_for_async_to_complete);
+
+ if (no_result) CFRelease(no_result);
+ if (no_work) CFRelease(no_work);
+ if (no_work_group) CFRelease(no_work_group);
+ if (count_group) CFRelease(count_group);
+ if (count_a_bunch) CFRelease(count_a_bunch);
+}
+
+static SecTransformInstanceBlock ConnectionReqTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ SecTransformAttributeRef xah =
+ (SecTransformAttributeRef)SecTranformCustomGetAttribute(ref, CFSTR("XYZZY"), kSecTransformMetaAttributeRef);
+
+ SecTransformCustomSetAttribute(ref, xah, kSecTransformMetaAttributeRequiresOutboundConnection, kCFBooleanTrue);
+ SecTransformCustomSetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeRequiresOutboundConnection, kCFBooleanFalse);
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("INPUT"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ SecTransformCustomSetAttribute(ref, xah, kSecTransformMetaAttributeValue, value);
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+
+-(void)testConnectionReq {
+
+ CFStringRef req_xyzzy_name = CFSTR("com.apple.security.unit-test.req_xyzzy");
+
+ (void)SecTransformRegister(req_xyzzy_name, &ConnectionReqTest, NULL);
+
+ SecTransformRef tr_req_xyzzy = SecTransformCreate(req_xyzzy_name, NULL);
+
+ CFTypeRef in_value = (CFTypeRef)@"Fnord";
+ SecTransformSetAttribute(tr_req_xyzzy, CFSTR("INPUT"), in_value, NULL);
+
+ CFErrorRef err = NULL;
+ CFTypeRef r = SecTransformExecute(tr_req_xyzzy, &err);
+
+ STAssertNil((id)r, @"Execute of tr_req_xyzzy with no xyzzy r=%@", r);
+ STAssertErrorHas((id)err, @"req_xyzzy", @"Error failed to refer to the transform by name (%@)", err);
+ STAssertErrorHas((id)err, @"XYZZY", @"Error failed to refer to missing attribute by name (%@)", err);
+ STAssertErrorHas((id)err, @"requires.*outbound connection", @"Error failed to diagnose invalid condition (%@)", err);
+
+ CFRelease(err);
+ CFRelease(tr_req_xyzzy);
+ if (r) CFRelease(r);
+
+ /*
+
+ Note For Josh:
+
+ To make this work we need Josh's fix for FindLastTransform!
+
+ CFRelease(tr_req_xyzzy);
+ tr_req_xyzzy = SecTransformCreate(req_xyzzy_name, NULL);
+ SecTransformSetAttribute(tr_req_xyzzy, CFSTR("INPUT"), in_value, NULL);
+
+ SecTransformRef group = SecTransformCreateGroupTransform();
+ SecTransformRef tee = SecNullTransformCreate();
+ SecTransformConnectTransforms(tr_req_xyzzy, CFSTR("XYZZY"), tee, kSecTransformInputAttributeName, group, &err);
+ STAssertNil((id)err, @"err=%@ from connect", err);
+ STAssertNotNil((id)group, @"No group after connect");
+ r = SecTransformExecute(group, &err);
+ STAssertNil((id)err, @"Execute err=%@");
+ STAssertEqualObjects((id)in_value, (id)r, @"Execution Result");
+
+ */
+}
+
+static SecTransformInstanceBlock DeferredTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ SecTransformCustomSetAttribute(ref, CFSTR("LATE"), kSecTransformMetaAttributeDeferred, kCFBooleanTrue);
+ SecTransformCustomSetAttribute(ref, CFSTR("INPUT"), kSecTransformMetaAttributeDeferred, kCFBooleanFalse);
+
+ __block CFTypeRef in_v = NULL, late_v = NULL;
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("INPUT"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (NULL != late_v) {
+ SecTransformCustomSetAttribute(ref, kSecTransformAbortAttributeName, kSecTransformMetaAttributeValue,
+ CreateGenericErrorRef(CFSTR("FAIL"), 1, "LATE (%@) should process after INPUT (%@)", late_v, value));
+ }
+ in_v = value;
+ return value;
+ });
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("LATE"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (NULL == in_v) {
+ SecTransformCustomSetAttribute(ref, kSecTransformAbortAttributeName, kSecTransformMetaAttributeValue,
+ CreateGenericErrorRef(CFSTR("FAIL"), 1, "INPUT (%@) should process before LATE (%@)", in_v, value));
+ }
+
+ late_v = value;
+ SecTransformCustomSetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeValue, NULL);
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+
+-(void)testDeferred {
+ CFStringRef deferred_name = CFSTR("com.apple.security.unit-test.deferred");
+
+ (void)SecTransformRegister(deferred_name, &DeferredTest, NULL);
+
+ SecTransformRef dt = SecTransformCreate(deferred_name, NULL);
+
+ // these set attribute calls are failing, but we're ignoring the failures
+ SecTransformSetAttribute(dt, CFSTR("INPUT"), (CFTypeRef)CFSTR("BLAH"), NULL);
+ SecTransformSetAttribute(dt, CFSTR("LATE"), (CFTypeRef)CFSTR("QUUX"), NULL);
+ CFErrorRef err = NULL;
+ SecTransformExecute(dt, &err);
+ STAssertNil((id)err, @"Error from execute err=%@", err);
+
+ if (err) CFRelease(err);
+ // CFRelease(dt);
+}
+
+static SecTransformInstanceBlock SaveRestoreTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ SecTransformCustomSetAttribute(ref, CFSTR("Needed"), kSecTransformMetaAttributeRequired, kCFBooleanTrue);
+ SecTransformCustomSetAttribute(ref, CFSTR("NoSaves"), kSecTransformMetaAttributeExternalize, kCFBooleanFalse);
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testSaveRestore
+{
+
+ unsigned char raw_data[] = "Val-U-Sav, nw wth lss vwls!";
+ CFDataRef data = CFDataCreate(NULL, (const UInt8*)&raw_data, sizeof(raw_data));
+ CFErrorRef err = NULL;
+
+ CFStringRef name = CFSTR("com.apple.security.unit-test.SaveRestoreTest");
+
+ (void)SecTransformRegister(name, &SaveRestoreTest, NULL);
+
+ SecTransformRef tr1 = SecTransformCreate(name, NULL);
+
+ SecTransformSetAttribute(tr1, CFSTR("Optional"), CFSTR("42"), NULL);
+ SecTransformSetAttribute(tr1, CFSTR("Needed"), CFSTR("and provided"), NULL);
+ SecTransformSetAttribute(tr1, CFSTR("NoSaves"), CFSTR("42"), NULL);
+
+ CFDictionaryRef xr = SecTransformCopyExternalRepresentation(tr1);
+ STAssertNotNil((NSDictionary *)xr, @"external rep");
+ SecTransformRef tr2 = SecTransformCreateFromExternalRepresentation(xr, NULL);
+ SecTransformSetAttribute(tr2, kSecTransformInputAttributeName, data, NULL);
+ CFTypeRef none = SecTransformGetAttribute(tr2, CFSTR("NoSaves"));
+ STAssertNil((id)none, @"Expected %@ to be nil", none);
+ CFTypeRef forty_two = SecTransformGetAttribute(tr2, CFSTR("Optional"));
+ STAssertEqualObjects((id)forty_two, @"42", @"restored incorrect value");
+
+ CFDataRef d = (CFDataRef)SecTransformExecute((NSObject *)tr2, &err);
+
+ STAssertNotNil((NSData * )d, @"execute result (err=%@)", err);
+
+ if (err) {
+ CFRelease(err);
+ }
+
+ CFRelease(tr1);
+ CFRelease(tr2);
+ CFRelease(xr);
+
+ tr1 = SecTransformCreate(name, NULL);
+ SecTransformSetAttribute(tr1, CFSTR("Needed"), CFSTR("and provided"), NULL);
+ SecTransformSetAttribute(tr1, CFSTR("NoSaves"), CFSTR("42"), NULL);
+ xr = SecTransformCopyExternalRepresentation(tr1);
+ tr2 = SecTransformCreateFromExternalRepresentation(xr, NULL);
+
+
+
+ //tr2 = SecTransformCreateFromExternalRepresentation(xr, NULL);
+ SecTransformRef tga = SecTransformCreateGroupTransform();
+ SecTransformSetAttribute(tr1, kSecTransformInputAttributeName, data, NULL);
+
+ // XXX did not swap
+ SecTransformConnectTransforms(tr1, CFSTR("OUTPUT"), tr2, CFSTR("INPUT"), tga, NULL);
+ CFStringRef has1 = CFSTR("I has one!");
+ CFStringRef has2 = CFSTR("I has two of them!");
+ SecTransformSetAttribute(tr1, CFSTR("Needed"), has1, NULL);
+ SecTransformSetAttribute(tr2, CFSTR("Needed"), has2, NULL);
+ xr = SecTransformCopyExternalRepresentation(tr1);
+ STAssertNotNil((NSDictionary *)xr, @"external rep for 2");
+ NSLog(@"xr=%@", xr);
+
+ SecTransformRef tgb = SecTransformCreateFromExternalRepresentation(xr, &err);
+ STAssertNil((id)tgb, @"made transform group with duplicate labels");
+ STAssertErrorHas((id)err, (NSString*)name, @"Error failed to identify the transform (%@)", err);
+ STAssertErrorHas((id)err, @"damage|duplicate", @"Error failed to diagnose the invalid condition (%@)", err);
+
+ CFStringRef new_name2 = CFSTR("SaveRestoreTestThingie#2");
+ CFStringRef fetched_name;
+ int attempts;
+
+ for(attempts = 0; attempts < 20; ++attempts)
+ {
+ SecTransformSetAttribute(tr2, CFSTR("NAME"), new_name2, &err);
+ fetched_name = (CFStringRef)SecTransformGetAttribute(tr2, CFSTR("NAME"));
+
+ STAssertNil((id)err, @"Error from setting tr2's name: %@", err);
+ STAssertEqualObjects((id)fetched_name, (id)new_name2, @"Set tr2's name, attempt %d", attempts);
+ if (CFEqual(fetched_name, new_name2))
+ {
+ break;
+ }
+ if (attempts > 10)
+ {
+ usleep(1000);
+ }
+ }
+
+ xr = SecTransformCopyExternalRepresentation(tr1);
+ STAssertNotNil((NSDictionary *)xr, @"external rep for 2, take 2");
+ NSLog(@"xr=%@", xr);
+
+ tgb = SecTransformCreateFromExternalRepresentation(xr, &err);
+ STAssertNotNil((id)tgb, @"made transform group (take 2)");
+ STAssertNil((id)err, @"error from make 2 take 2 (err=%@)", err);
+
+ SecTransformRef tr1b = SecTransformFindByName(tgb, (CFStringRef)SecTransformGetAttribute(tr1, CFSTR("NAME")));
+ STAssertNotNil((id)tr1b, @"Found tr1b");
+ SecTransformRef tr2b = SecTransformFindByName(tgb, (CFStringRef)SecTransformGetAttribute(tr2, CFSTR("NAME")));
+ STAssertNotNil((id)tr2b, @"Found tr2b");
+
+ CFStringRef has1b = (CFStringRef)SecTransformGetAttribute(tr1b, CFSTR("Needed"));
+ STAssertNotNil((id)tr1b, @"tr1b's name");
+ CFStringRef has2b = (CFStringRef)SecTransformGetAttribute(tr2b, CFSTR("Needed"));
+ STAssertNotNil((id)tr2b, @"tr1b's name");
+
+ STAssertEqualObjects((id)has1, (id)has1b, @"has1 == has1b");
+ STAssertEqualObjects((id)has2, (id)has2b, @"has2 == has2b");
+
+}
+
+-(void)testRequiredAttributes
+{
+ CFStringRef name = CFSTR("com.apple.security.unit-test.requiresStuffThings");
+ CFErrorRef error;
+ // In addition to testing required attributes, this also does a partial "lifecycle" test, making sure we
+ // pass through the stages, don't regress stages, and don't receive the wrong events in the wrong stages.
+ typedef enum { S_INITED = 0, S_STARTED, S_RUN, S_EOS, S_GONE } state_t;
+
+ __block state_t state = S_INITED;
+ dispatch_group_t leave_on_finalize = dispatch_group_create();
+
+ SecTransformCreateBlock required_attributes_create_block = ^(CFStringRef name, SecTransformRef new_transform, const SecTransformCreateBlockParameters *params) {
+ params->overrideAttribute(kSecTransformActionAttributeNotification, kSecTransformInputAttributeName, ^(SecTransformAttributeRef attribute, CFTypeRef value) {
+ // NOTE: this is for testing with a single data value, not a series.
+ if (value)
+ {
+ STAssertTrue(state == S_STARTED, @"Init'ed for data (state=%d)", state);
+ state = S_RUN;
+ } else {
+ STAssertTrue(state == S_RUN, @"In run state at EOS (state=%d)", state);
+ state = S_EOS;
+ }
+ params->send(kSecTransformOutputAttributeName, kSecTransformMetaAttributeValue, value);
+ return value;
+ });
+
+ params->send(CFSTR("Stuff"), kSecTransformMetaAttributeRequired, kCFBooleanTrue);
+ params->send(CFSTR("Things"), kSecTransformMetaAttributeRequired, kCFBooleanTrue);
+
+ params->overrideTransform(kSecTransformActionStartingExecution, ^{
+ STAssertTrue(state == S_INITED, @"Inited (state=%d)");
+ state = S_STARTED;
+ return (CFTypeRef)NULL;
+ });
+
+ params->overrideTransform(kSecTransformActionFinalize, ^{
+ state = S_GONE;
+ dispatch_group_leave(leave_on_finalize);
+ return (CFTypeRef)NULL;
+ });
+ };
+
+ dispatch_group_enter(leave_on_finalize);
+ SecTransformRef tr = custom_transform(name, required_attributes_create_block);
+ STAssertNotNil((NSObject *)tr, @"newly created custom transform");
+
+ char *data_bytes = (char *)"It was the best of transforms, it was the worst of transforms.";
+ CFDataRef data = CFDataCreate(NULL, (const UInt8*)data_bytes, strlen(data_bytes));
+ SecTransformSetAttribute(tr, kSecTransformInputAttributeName, data, NULL);
+ usleep(100);
+ STAssertTrue(state == S_INITED, @"not run yet");
+ CFDataRef rdata = (CFDataRef)SecTransformExecute((NSObject *)tr, &error);
+
+ STAssertTrue(rdata == NULL, @"Expected no result, but got: %@", rdata);
+ STAssertErrorHas((id)error, @"missing required attributes?", @"Error describes condition (%@)", error);
+ STAssertErrorHas((id)error, @" Things[ ,)]", @"Missing attributes named (%@)", error);
+ STAssertErrorHas((id)error, @" Stuff[ ,)]", @"Missing attributes named (%@)", error);
+ STAssertErrorHas((id)error, @"requiresStuffThings", @"Name of erroring Transform in message (%@)", error);
+
+ if (error) {
+ CFRelease(error);
+ }
+ CFRelease(tr);
+
+ STAssertFalse(dispatch_group_wait(leave_on_finalize, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC)), @"group was ready");
+ STAssertTrue(state == S_GONE, @"Transform should be gone, state=%d", state);
+
+ dispatch_group_enter(leave_on_finalize);
+ state = S_INITED;
+ tr = custom_transform(name, required_attributes_create_block);
+ STAssertNotNil((NSObject *)tr, @"newly created custom transform");
+
+ error = NULL;
+ SecTransformSetAttribute(tr, kSecTransformInputAttributeName, data, NULL);
+ SecTransformSetAttribute(tr, CFSTR("Things"), CFSTR("grubby things"), NULL);
+ SecTransformSetAttribute(tr, CFSTR("Stuff"), CFSTR("Cool stuff"), NULL);
+ rdata = (CFDataRef)SecTransformExecute(tr, &error);
+
+ STAssertNotNil((NSData *)rdata, @"Got data back");
+ STAssertEqualObjects((NSData *)rdata, (NSData *)data, @"Data unchanged");
+ STAssertTrue(state == S_EOS, @"Transform hit EOS");
+ STAssertTrue(error == NULL, @"Error not set");
+
+ CFRelease(tr);
+ STAssertFalse(dispatch_group_wait(leave_on_finalize, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC)), @"group was ready");
+ STAssertTrue(state == S_GONE, @"Transform gone (state=%d)", state);
+ dispatch_group_notify(leave_on_finalize, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_LOW, 0), ^{
+ dispatch_release(leave_on_finalize);
+ });
+}
+
+static SecTransformInstanceBlock AttributeNotificationTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, NULL,
+ ^(SecTransformStringOrAttributeRef ah, CFTypeRef value)
+ {
+ SecTransformCustomSetAttribute(ref, CFSTR("Generic"), kSecTransformMetaAttributeValue, kCFBooleanTrue);
+ return value;
+ });
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("Specific"),
+ ^(SecTransformStringOrAttributeRef ah, CFTypeRef value)
+ {
+ SecTransformCustomSetAttribute(ref, CFSTR("Specific"), kSecTransformMetaAttributeValue, kCFBooleanTrue);
+ return value;
+
+ });
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("AlsoSpecific"),
+ ^(SecTransformStringOrAttributeRef ah, CFTypeRef value)
+ {
+ SecTransformCustomSetAttribute(ref, CFSTR("AlsoSpecific"), kSecTransformMetaAttributeValue, kCFBooleanTrue);
+
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testAttributeNotifications
+{
+ NSString *name = @"com.apple.security.unit-test.testAttributeNotifications";
+ Boolean generic_called = NO;
+ Boolean specific_called = NO;
+ Boolean also_specific_called = NO;
+
+ Boolean ok = SecTransformRegister((CFStringRef)name, &AttributeNotificationTest, NULL);
+
+ STAssertTrue(ok, @"Successful register");
+
+ SecTransformRef tr = SecTransformCreate((CFStringRef)name, NULL);
+
+ CFStringRef aNameStr = ((CFStringRef)name);
+ SecTransformSetAttribute(tr, CFSTR("Generic"), aNameStr, NULL);
+ SecTransformSetAttribute(tr, CFSTR("Specific"), aNameStr, NULL);
+ SecTransformSetAttribute(tr, CFSTR("AlsoSpecific"), aNameStr, NULL);
+
+ generic_called = (kCFBooleanTrue == (CFBooleanRef)SecTransformGetAttribute(tr, CFSTR("Generic")));
+ specific_called = (kCFBooleanTrue == (CFBooleanRef)SecTransformGetAttribute(tr, CFSTR("Specific")));
+ also_specific_called = (kCFBooleanTrue == (CFBooleanRef)SecTransformGetAttribute(tr, CFSTR("AlsoSpecific")));
+
+
+ STAssertTrue(generic_called, @"generic called");
+ STAssertTrue(specific_called, @"specific called");
+ STAssertTrue(also_specific_called, @"also specific called");
+
+ CFRelease(tr);
+}
+
+-(void)testEncryptAndDecryptTransforms
+{
+ NSAutoreleasePool *pool = [NSAutoreleasePool new];
+
+ // generate a symmetrical key for testing
+ OSStatus err = errSecSuccess;
+
+ NSString* algNames[] =
+ {
+ @"AES 128",
+ @"AES 192",
+ @"AES 256",
+ @"DES",
+ @"3DES",
+ @"CAST",
+ @"RC4"
+ };
+
+ CSSM_ALGORITHMS symmetricalAlgos[] =
+ {
+ CSSM_ALGID_AES,
+ CSSM_ALGID_AES,
+ CSSM_ALGID_AES,
+ CSSM_ALGID_DES,
+ CSSM_ALGID_3DES_3KEY_EDE,
+ CSSM_ALGID_CAST,
+ CSSM_ALGID_RC4
+ };
+
+ uint32 keySizes[] =
+ {
+ 128,
+ 192,
+ 256,
+ 64,
+ 192,
+ 40,
+ 8
+ };
+
+ CSSM_KEYUSE keyUse = CSSM_KEYUSE_ANY;
+ CSSM_KEYATTR_FLAGS keyAttrFlags = CSSM_KEYATTR_RETURN_DEFAULT;
+ SecAccessRef accessRef = NULL;
+ CSSM_CC_HANDLE handle = ((CSSM_CC_HANDLE)0);
+
+ NSString* dataStr = @"At the round earth's imagined corners blow\
+ Your trumpets, angels, and arise, arise\
+ From death, you numberless infinities\
+ Of souls, and to your scattered bodies go,\
+ All whom the flood did, and fire shall, overthrow,\
+ All whom war, dearth, age, agues, tyrannies,\
+ Despair, law, chance, hath slain, and you whose eyes\
+ Shall behold God, and never taste death's woe.\
+ But let them sleep, Lord, and me mourn a space,\
+ For, if above all these my sins abound,\
+ 'Tis late to ask abundance of Thy grace,\
+ When we are there. Here on this lowly ground\
+ Teach me how to repent; for that's as good\
+ As if Thou'dst sealed my pardon, with Thy blood.";
+
+ NSData* testData = [dataStr dataUsingEncoding:NSUTF8StringEncoding];
+ int numItems = (sizeof(symmetricalAlgos) / sizeof(CSSM_ALGORITHMS));
+ int iCnt = 0;
+
+ for (iCnt = 0; iCnt < numItems; iCnt++)
+ {
+ SecKeyRef testKey = NULL;
+ CSSM_ALGORITHMS algoToUse = symmetricalAlgos[iCnt];
+ uint32 keySizeInBits = keySizes[iCnt];
+
+ err = SecKeyGenerate(NULL, algoToUse, keySizeInBits, handle, keyUse, keyAttrFlags, accessRef, &testKey);
+ STAssertTrue(err == errSecSuccess, [NSString stringWithFormat:@"Unable to create a symmetrical key %@", algNames[iCnt]]);
+ if (errSecSuccess != err)
+ {
+ continue;
+ }
+ __block CFErrorRef error = NULL;
+
+ SecTransformRef encryptSymRef = NULL;
+ encryptSymRef = SecEncryptTransformCreate(testKey, &error);
+ if (NULL != error)
+ {
+ CFRelease(testKey);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to create the encrypt transform for key %@", algNames[iCnt]]);
+ continue;
+ }
+
+ SecTransformRef decryptSymRef = SecDecryptTransformCreate(testKey, &error);
+ if (NULL != error)
+ {
+ CFRelease(testKey);
+ CFRelease(encryptSymRef);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to create the decrypt transform for key %@", algNames[iCnt]]);
+ continue;
+ }
+
+ // connect the output of the encryption to the input of the decryption transform
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ (void)SecTransformConnectTransforms(encryptSymRef, kSecTransformOutputAttributeName,
+ decryptSymRef, kSecTransformInputAttributeName,
+ group, &error);
+ if (NULL != error)
+ {
+ CFRelease(testKey);
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to connect transforms for key %@", algNames[iCnt]]);
+ continue;
+ }
+
+
+ NSInputStream* dataStream = [NSInputStream inputStreamWithData:testData];
+ [dataStream open];
+
+ SecTransformSetAttribute(encryptSymRef, kSecTransformInputAttributeName, (CFTypeRef)dataStream, &error);
+ if (NULL != error)
+ {
+ CFRelease(testKey);
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to set the input for key %@", algNames[iCnt]]);
+ continue;
+ }
+
+ CFTypeRef transformResult = SecTransformExecute(encryptSymRef, &error);
+ CFRelease(group);
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+
+ if (NULL != error)
+ {
+ STAssertTrue(NO, [NSString stringWithFormat:@"returned an error for algo %@", algNames[iCnt]]);
+ continue;
+ CFRelease(error);
+ }
+
+ if (NULL == transformResult || 0 == [(NSData*)transformResult length])
+ {
+ STAssertTrue(NO, [NSString stringWithFormat:@"transformResult was NULL or empty for %@", algNames[iCnt]]);
+ continue;
+ }
+
+ NSData* resultData = nil;
+ if (CFGetTypeID(transformResult) == CFDataGetTypeID())
+ {
+ resultData = (NSData*)transformResult;
+ [resultData autorelease];
+ }
+
+ CFRelease(testKey);
+
+ STAssertTrue([testData isEqualToData:resultData], @"The output of the decrypt transform does NOT match the original input!");
+ }
+
+
+ SecKeyRef publicKey = NULL;
+ SecKeyRef privateKey = NULL;
+
+ keyAttrFlags = CSSM_KEYATTR_RETURN_REF;
+
+ const uint32 publicKeyAttributes = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_RETURN_REF;
+ const uint32 privateKeyAttributes = CSSM_KEYATTR_SENSITIVE | CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE;
+
+ CSSM_KEYUSE pubKeyUse = CSSM_KEYUSE_VERIFY | CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_WRAP;
+ CSSM_KEYUSE privKeyUse = CSSM_KEYUSE_SIGN | CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_UNWRAP;
+
+
+ err = SecKeyCreatePair(NULL, CSSM_ALGID_RSA, 2048, ((CSSM_CC_HANDLE)0),
+ pubKeyUse, publicKeyAttributes,
+ privKeyUse, privateKeyAttributes,
+ NULL, &publicKey, &privateKey);
+
+ STAssertTrue(errSecSuccess == err, @"Unable to create a key pair");
+ if (errSecSuccess != err)
+ {
+ cssmPerror(NULL, err);
+ return;
+ }
+
+ CFErrorRef error = NULL;
+ SecTransformRef encryptSymRef = SecEncryptTransformCreate(publicKey , &error);
+ if (NULL != error)
+ {
+ CFRelease(publicKey);
+ CFRelease(privateKey);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to create the encrypt transform for key RSA"]);
+ return;
+ }
+
+ SecTransformRef decryptSymRef = SecDecryptTransformCreate(privateKey, &error);
+ if (NULL != error)
+ {
+ CFRelease(publicKey);
+ CFRelease(privateKey);
+ CFRelease(encryptSymRef);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to create the decrypt transform for key RSA"]);
+ return;
+ }
+
+ // connect the output of the encryption to the input of the decryption transform
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ (void)SecTransformConnectTransforms( encryptSymRef, kSecTransformOutputAttributeName,
+ decryptSymRef, kSecTransformInputAttributeName,
+ group, &error);
+ if (NULL != error)
+ {
+ CFRelease(publicKey);
+ CFRelease(privateKey);
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to connect transforms for key RSA"]);
+ return;
+ }
+
+ NSInputStream* dataStream = [NSInputStream inputStreamWithData:testData];
+ [dataStream open];
+
+ SecTransformSetAttribute(encryptSymRef, kSecTransformInputAttributeName, (CFTypeRef)dataStream, &error);
+ if (NULL != error)
+ {
+ CFRelease(publicKey);
+ CFRelease(privateKey);
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+ STAssertTrue(NO, [NSString stringWithFormat:@"Unable to set the input for key RSA"]);
+ return;
+ }
+ CFTypeRef transformResult = SecTransformExecute(encryptSymRef, &error);
+ if (NULL != error)
+ {
+ STAssertTrue(NO, [NSString stringWithFormat:@"returned an error for RSA"]);
+ CFRelease(error);
+ return;
+ }
+
+ if (NULL == transformResult || 0 == [(NSData*)transformResult length])
+ {
+ STAssertTrue(NO, [NSString stringWithFormat:@"transformResult was NULL or empty for RSA"]);
+ return;
+ }
+
+ NSData* resultData = nil;
+ if (CFGetTypeID(transformResult) == CFDataGetTypeID())
+ {
+ resultData = (NSData*)transformResult;
+ [resultData autorelease];
+ }
+
+ CFRelease(publicKey);
+ CFRelease(privateKey);
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+
+ STAssertTrue([testData isEqualToData:resultData], @"(RSA)The output of the decrypt transform does NOT match the original input!");
+
+ [pool drain];
+}
+
+// NOTE: this test is largely the same as testEncryptAndDecryptTransforms, but
+// we make a single key and use it from many threads at once. This uncovered
+// some locking issues, so makes a good regression test.
+-(void)testMultiEncryptWithSameKey {
+ // generate a symmetrical key for testing
+ CSSM_KEYUSE keyUse = CSSM_KEYUSE_ANY;
+ CSSM_KEYATTR_FLAGS keyAttrFlags = CSSM_KEYATTR_RETURN_DEFAULT;
+ SecAccessRef accessRef = NULL;
+ CSSM_CC_HANDLE handle = ((CSSM_CC_HANDLE)0);
+
+ NSString* dataStr = @"Reduce, reuse, recycle. No crashes please.";
+ NSData* testData = [dataStr dataUsingEncoding:NSUTF8StringEncoding];
+
+ SecKeyRef testKey = NULL;
+ {
+ OSStatus err;
+ err = SecKeyGenerate(NULL, CSSM_ALGID_AES, 256, handle, keyUse, keyAttrFlags, accessRef, &testKey);
+ STAssertTrue(err == errSecSuccess, @"Unable to create a symmetrical key err=%x", err);
+ }
+
+ // The number of iterations is somewhat arbitrary. When we use to have failures they were
+ // within 2*#logicalCPUs iterations, but nothing says we won't have a regression that happens
+ // outside that window.
+ dispatch_apply(128, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(size_t i) {
+ __block CFErrorRef error = NULL;
+
+ SecTransformRef encryptSymRef = NULL;
+ encryptSymRef = SecEncryptTransformCreate(testKey, &error);
+ if (NULL != error)
+ {
+ STFail(@"Unable to create the encrypt transform iteration#%d error=%@", i, error);
+ return;
+ }
+ if (NULL == encryptSymRef) {
+ STFail(@"Unable to create the encrypt transform iteration#%d, error=NULL", i);
+ return;
+ }
+
+ SecTransformRef decryptSymRef = SecDecryptTransformCreate(testKey, &error);
+ if (NULL != error)
+ {
+ CFRelease(encryptSymRef);
+ STFail(@"Unable to create the decrypt transform iteration#%d error=%@", i, error);
+ return;
+ }
+ if (NULL == decryptSymRef) {
+ CFRelease(encryptSymRef);
+ STFail(@"Unable to create the decrypt transform iteration#%d, error=NULL", i);
+ return;
+ }
+
+ // connect the output of the encryption to the input of the decryption transform
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ (void)SecTransformConnectTransforms(encryptSymRef, kSecTransformOutputAttributeName,
+ decryptSymRef, kSecTransformInputAttributeName,
+ group, &error);
+ if (NULL != error)
+ {
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+ STFail(@"Unable to connect transforms on iteration %d error=%@", i, error);
+ return;
+ }
+
+
+ NSInputStream* dataStream = [NSInputStream inputStreamWithData:testData];
+ [dataStream open];
+
+ SecTransformSetAttribute(encryptSymRef, kSecTransformInputAttributeName, (CFTypeRef)dataStream, &error);
+ if (NULL != error)
+ {
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+ STFail(@"Unable to set the input on iteration %d error=%@", i, error);
+ return;
+ }
+
+ CFTypeRef transformResult = SecTransformExecute(encryptSymRef, &error);
+ CFRelease(group);
+
+ if (NULL != error)
+ {
+ STFail(@"returned an error on iteration %d error=%@", i, error);
+ CFRelease(error);
+ return;
+ }
+
+ if (NULL == transformResult || 0 == [(NSData*)transformResult length])
+ {
+ STFail(@"transformResult was NULL or empty for iteration %d", i);
+ return;
+ }
+
+ NSData* resultData = nil;
+ if (CFGetTypeID(transformResult) == CFDataGetTypeID())
+ {
+ resultData = (NSData*)transformResult;
+ [resultData autorelease];
+ }
+
+ CFRelease(encryptSymRef);
+ CFRelease(decryptSymRef);
+
+ STAssertEqualObjects(testData, resultData, @"The output of the decrypt transform does NOT match the original input iteration %d", i);
+ });
+
+ CFRelease(testKey);
+}
+
+static SecTransformInstanceBlock RoundTripCheck(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ __block CFDataRef remainder = NULL;
+ __block SecTransformStringOrAttributeRef ahead = NULL;
+ __block int eof_count = 0;
+ __block bool drain = false;
+
+ SecTransformCustomSetAttribute(ref, CFSTR("INPUT2"), kSecTransformMetaAttributeDeferred, kCFBooleanTrue);
+ SecTransformCustomSetAttribute(ref, CFSTR("INPUT2"), kSecTransformMetaAttributeStream, kCFBooleanTrue);
+
+ dispatch_block_t not_equal =
+ ^{
+ // not equal
+ SecTransformCustomSetAttribute(ref, kSecTransformOutputAttributeName, kSecTransformMetaAttributeValue, kCFBooleanFalse);
+ SecTransformCustomSetAttribute(ref, kSecTransformOutputAttributeName, kSecTransformMetaAttributeValue, NULL);
+ drain = true;
+ };
+
+ SecTransformAttributeActionBlock action =
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (drain)
+ {
+ return (CFTypeRef)NULL;
+ }
+
+ if (ahead == ah)
+ {
+ SecTransformPushbackAttribute(ref, ah, value);
+ }
+ else if (value)
+ {
+ CFDataRef d = (CFDataRef)value;
+ if (remainder)
+ {
+ CFIndex compare_length;
+ CFIndex remainder_length = CFDataGetLength(remainder);
+ CFIndex d_length = CFDataGetLength(d);
+ CFDataRef new_remainder = NULL;
+ SecTransformAttributeRef new_ahead = NULL;
+
+ if (remainder_length == d_length)
+ {
+ compare_length = d_length;
+ }
+ else if (remainder_length < d_length)
+ {
+ new_remainder = CFDataCreate(NULL, CFDataGetBytePtr(d) + remainder_length, d_length - remainder_length);
+ compare_length = remainder_length;
+ new_ahead = ah;
+ } else
+ {
+ new_remainder = CFDataCreate(NULL, CFDataGetBytePtr(remainder) + d_length, remainder_length - d_length);
+ compare_length = d_length;
+ new_ahead = ahead;
+ }
+
+ if (bcmp(CFDataGetBytePtr(d), CFDataGetBytePtr(remainder), compare_length)) {
+ not_equal();
+ } else
+ {
+ // same, keep going
+ CFRelease(remainder);
+ remainder = new_remainder;
+ ahead = new_ahead;
+ }
+ }
+ else
+ {
+ if (!eof_count)
+ {
+ ahead = ah;
+ remainder = CFDataCreateCopy(NULL, d);
+ }
+ else
+ {
+ if (CFDataGetLength(d))
+ {
+ not_equal();
+ }
+ }
+ }
+ }
+ else
+ { // EOF case
+ ahead = NULL;
+ if (++eof_count == 2)
+ {
+ if (remainder)
+ {
+ SecTransformCustomSetAttribute(ref, kSecTransformOutputAttributeName,
+ kSecTransformMetaAttributeValue,
+ CFDataGetLength(remainder) ? kCFBooleanFalse : kCFBooleanTrue);
+
+ CFRelease(remainder);
+ }
+ else
+ {
+ SecTransformCustomSetAttribute(ref, kSecTransformOutputAttributeName,
+ kSecTransformMetaAttributeValue, kCFBooleanTrue);
+ }
+
+ SecTransformCustomSetAttribute(ref, kSecTransformOutputAttributeName,
+ kSecTransformMetaAttributeValue, NULL);
+ }
+ }
+
+ return (CFTypeRef)NULL;
+ };
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("INPUT2"), action);
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, kSecTransformInputAttributeName, action);
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+static BOOL RoundTrip(CFStringRef fname, SecTransformRef in, SecTransformRef out, BOOL share)
+{
+ static dispatch_once_t once;
+ CFStringRef name = CFSTR("com.apple.examples.cmp");
+ // concepts: pushback, SecTransformSetAttributeAction vs. ProcessData, ah==, & send value to output
+
+ dispatch_once(&once,
+ ^{
+ SecTransformRegister(name, &RoundTripCheck, NULL);
+ });
+
+ SecTransformRef cmp = SecTransformCreate(name, NULL);
+ SecTransformRef group = SecTransformCreateGroupTransform();
+ CFErrorRef err = NULL;
+ SecTransformConnectTransforms(in, kSecTransformOutputAttributeName, out, kSecTransformInputAttributeName, group, NULL);
+ SecTransformConnectTransforms(out, kSecTransformOutputAttributeName, cmp, kSecTransformInputAttributeName, group, NULL);
+ NSInputStream *is = [NSInputStream inputStreamWithFileAtPath:(NSString *)fname];
+ // XXX: failure to do this seem to crash SecTransformExecute when it releases the error, track down & fix or file radar
+ [is open];
+
+ NSInputStream *is2 = nil;
+
+ if (share)
+ {
+ SecTransformRef tee = SecNullTransformCreate();
+ SecTransformConnectTransforms(tee, kSecTransformOutputAttributeName, in, kSecTransformInputAttributeName, group, NULL);
+ SecTransformConnectTransforms(tee, kSecTransformOutputAttributeName, cmp, CFSTR("INPUT2"), group, NULL);
+ SecTransformSetAttribute(tee, kSecTransformInputAttributeName, (CFTypeRef)is, NULL);
+ CFRelease(tee);
+ } else {
+ is2 = [NSInputStream inputStreamWithFileAtPath:(NSString *)fname];
+ [is2 open];
+ SecTransformSetAttribute(in, kSecTransformInputAttributeName, (CFTypeRef)is, &err);
+ SecTransformSetAttribute(cmp, CFSTR("INPUT2"), (CFTypeRef)is2, &err);
+ }
+
+ assert(err == NULL);
+ CFTypeRef r = SecTransformExecute(group, &err);
+
+ if (err)
+ {
+ CFRelease(err);
+ }
+
+ CFRelease(group);
+ CFRelease(cmp);
+
+ if (is2)
+ {
+ [is2 close];
+ }
+
+ if (is)
+ {
+ [is close];
+ }
+
+ if (r)
+ {
+ return r == kCFBooleanTrue;
+ }
+ else
+ {
+ CFfprintf(stderr, "round trip error: %@", err);
+ return NO;
+ }
+}
+
+static SecTransformInstanceBlock LineLengthCheck(CFStringRef name, SecTransformRef newTransform, SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock = ^{
+ CFErrorRef result = NULL;
+ __block int bytesPastLastEOL = 0;
+ __block int max = 0;
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("MAX"), ^(SecTransformAttributeRef ah, CFTypeRef value) {
+ CFNumberGetValue((CFNumberRef)value, kCFNumberIntType, &max);
+ return value;
+ });
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, kSecTransformInputAttributeName, ^(SecTransformAttributeRef ah, CFTypeRef value) {
+ if (NULL != value) {
+ CFDataRef d = (CFDataRef)value;
+ CFIndex len = CFDataGetLength(d);
+ const UInt8 *bytes = CFDataGetBytePtr(d);
+
+ for(int i = 0; i < len; i++) {
+ if (bytes[i] == '\n') {
+ bytesPastLastEOL = 0;
+ } else {
+ bytesPastLastEOL++;
+ if (bytesPastLastEOL > max) {
+ SecTransformCustomSetAttribute(ref, kSecTransformAbortAttributeName, kSecTransformMetaAttributeValue, CreateSecTransformErrorRef(kSecTransformErrorInvalidInput, "MAX line length of %d exceeded", max));
+ break;
+ }
+ }
+ }
+ }
+ SecTransformCustomSetAttribute(ref, kSecTransformOutputAttributeName, kSecTransformMetaAttributeValue, value);
+ return value;
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testLargeChunkEncode
+{
+ NSError *err = NULL;
+ NSData *d = [NSData dataWithContentsOfFile:@"/usr/share/dict/web2a" options:NSDataReadingMapped error: &err];
+ STAssertNil(err, @"dataWithContentsOfFile %@", err);
+ CFStringRef types[] = {kSecZLibEncoding, kSecBase64Encoding, kSecBase32Encoding, NULL};
+
+ dispatch_group_t dg = dispatch_group_create();
+
+ CFStringRef lengthCheckName = CFSTR("com.apple.security.unit-test.lineLengthCheck");
+ SecTransformRegister(lengthCheckName, LineLengthCheck, (CFErrorRef *)&err);
+ STAssertNil(err, @"Expected to register %@", lengthCheckName);
+
+ for(int i = 0; types[i]; i++) {
+ int max_j = 80;
+ CFStringRef etype = types[i];
+
+ void (^trial)(NSString *testName, id lineLength, int maxLineLength) = ^(NSString *testName, id lineLength, int maxLineLength) {
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+
+ SecTransformRef et = SecEncodeTransformCreate(etype, (CFErrorRef *)&err);
+ SecTransformRef dt = SecDecodeTransformCreate(etype, (CFErrorRef *)&err);
+
+ SecTransformRef lineLengthChecker = (etype == kSecZLibEncoding) ? SecNullTransformCreate() : SecTransformCreate(lengthCheckName, NULL);
+ STAssertNotNil((id)lineLengthChecker, @"Expected to create line length checker");
+ SecTransformSetAttribute(lineLengthChecker, CFSTR("MAX"), [NSNumber numberWithInt:maxLineLength], NULL);
+
+ SecTransformConnectTransforms(et, kSecTransformOutputAttributeName, lineLengthChecker, kSecTransformInputAttributeName, group, (CFErrorRef *)&err);
+ SecTransformConnectTransforms(lineLengthChecker, kSecTransformOutputAttributeName, dt, kSecTransformInputAttributeName, group, (CFErrorRef *)&err);
+
+ SecTransformSetAttribute(et, kSecTransformInputAttributeName, (CFDataRef)d, (CFErrorRef *)&err);
+ SecTransformSetAttribute(et, kSecEncodeLineLengthAttribute, lineLength, (CFErrorRef *)&err);
+ SecTransformSetAttribute(et, CFSTR("NAME"), (CFStringRef)testName, (CFErrorRef *)&err);
+
+ dispatch_group_async(dg, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ CFDataRef result = (CFDataRef)SecTransformExecute(group, (CFErrorRef *)&err);
+
+ STAssertNil(err, @"execute for %@ got %@", testName, err);
+ STAssertNotNil((id)result, @"No result from execute of %@", testName);
+
+ if (result) {
+ STAssertEqualObjects(d, (id)result, @"test %@ failed", testName);
+ }
+ });
+ };
+
+ for(int j = max_j; j > 70; --j) {
+ if (etype == kSecZLibEncoding && j != max_j) {
+ break;
+ }
+ trial([NSString stringWithFormat:@"%@-%d", etype, j], [NSNumber numberWithInt:j], j);
+ }
+
+ if (etype != kSecZLibEncoding) {
+ trial([NSString stringWithFormat:@"%@-LL64", etype], (id)kSecLineLength64, 64);
+ trial([NSString stringWithFormat:@"%@-LL76", etype], (id)kSecLineLength76, 76);
+ }
+ }
+
+ dispatch_group_wait(dg, DISPATCH_TIME_FOREVER);
+}
+
+-(void)testZLib {
+ SecTransformRef et = SecEncodeTransformCreate(kSecZLibEncoding, NULL);
+ SecTransformRef dt = SecDecodeTransformCreate(kSecZLibEncoding, NULL);
+
+ // using a tee would require >10 buffered items (we need to buffer about 64K), so we pass share=NO
+ STAssertTrue(RoundTrip((CFStringRef)@"/usr/share/dict/web2a", et, dt, NO), @"Roundtrip /usr/share/dict/web2a");
+
+ CFRelease(et);
+ CFRelease(dt);
+
+ /*
+ If we want this we need a 'new' custom transform that will get receive the ratio data and be able to
+ query that data.
+
+ CFNumberRef r1 = (CFNumberRef)SecTransformGetAttribute(et, kSecCompressionRatio);
+ CFNumberRef r2 = (CFNumberRef)SecTransformGetAttribute(dt, kSecCompressionRatio);
+
+ STAssertNotNil((NSNumber *)r1, @"encode ratio");
+ STAssertNotNil((NSNumber *)r2, @"decode ratio");
+ STAssertEqualObjects((NSNumber *)r1, (NSNumber *)r2, @"same ratios");
+ */
+}
+
+static SecTransformInstanceBlock CycleCheckTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ int zero = 0;
+ __block CFNumberRef feedback = CFNumberCreate(NULL, kCFNumberIntType, &zero);
+
+ SecTransformCustomSetAttribute(ref, CFSTR("FEEDBACK"), kSecTransformMetaAttributeCanCycle, kCFBooleanTrue);
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("INPUT"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (value == NULL) {
+ SecTransformCustomSetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeValue, value);
+ return value;
+ }
+ if (feedback == NULL) {
+ SecTransformPushbackAttribute(ref, ah, value);
+ return (CFTypeRef)NULL;
+ }
+
+ int x, y;
+ CFNumberGetValue((CFNumberRef)value, kCFNumberIntType, &x);
+ CFNumberGetValue(feedback, kCFNumberIntType, &y);
+ x ^= y;
+ CFNumberRef res = CFNumberCreate(NULL, kCFNumberIntType, &x);
+ SecTransformCustomSetAttribute(ref, CFSTR("OUTPUT"), kSecTransformMetaAttributeValue, res);
+ CFRelease(res);
+ CFRelease(feedback);
+ feedback = NULL;
+ return (CFTypeRef)NULL;
+ });
+
+ SecTransformSetAttributeAction(ref, kSecTransformActionAttributeNotification, CFSTR("FEEDBACK"),
+ ^(SecTransformAttributeRef ah, CFTypeRef value)
+ {
+ if (value) {
+ if (feedback) {
+ SecTransformPushbackAttribute(ref, ah, value);
+ } else {
+ feedback = (CFNumberRef)CFRetain(value);
+ }
+ }
+
+ return (CFTypeRef)NULL;
+ });
+
+ return result;
+
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+-(void)testCycleCheck {
+
+ SecTransformRef cat = SecNullTransformCreate();
+ SecTransformRef group = SecTransformCreateGroupTransform();
+ CFErrorRef err = NULL;
+
+ CFStringRef name = CFSTR("com.apple.examples.unit-test.loop-test");
+
+ SecTransformRegister(name, &CycleCheckTest, NULL);
+
+ SecTransformRef twenty = count_transform(20);
+
+ // this is getting an internal error, but it's being ignored.
+ SecTransformRef xxor = SecTransformCreate(name, &err);
+
+ SecTransformConnectTransforms(xxor, CFSTR("OUTPUT"), cat, CFSTR("INPUT"), group, &err);
+ STAssertNil((id)err, @"xor->cat");
+ SecTransformConnectTransforms(xxor, CFSTR("OUTPUT"), xxor, CFSTR("FEEDBACK"), group, &err);
+ STAssertNil((id)err, @"xor->xor");
+ SecTransformConnectTransforms(twenty, CFSTR("OUTPUT"), xxor, CFSTR("INPUT"), group, &err);
+ STAssertNil((id)err, @"twenty->xor");
+
+ //SecTransformSetAttribute(xxor, CFSTR("DEBUG"), kCFBooleanTrue, &err);
+
+ CFTypeRef r = SecTransformExecute(group, &err);
+ STAssertNil((id)err, @"execute err=%@", err);
+ STAssertNotNil((id)r, @"no results from execute");
+
+ if (r) {
+ CFNumberRef z = (CFNumberRef)[NSNumber numberWithInt:0];
+ CFIndex n = CFArrayGetCountOfValue((CFArrayRef)r, CFRangeMake(0, CFArrayGetCount((CFArrayRef)r)), z);
+ // There should be six zeros in the xor->feedback chain from 0 to 19.
+ STAssertEquals(n, (CFIndex) 6, @"There should be six zeros in %@", r);
+ }
+
+ CFRelease(r);
+ CFRelease(group);
+ CFRelease(twenty);
+ CFRelease(xxor);
+ CFRelease(cat);
+}
+
+-(void)testValidate {
+ SecTransformRef group = SecTransformCreateGroupTransform();
+ CFErrorRef err = NULL;
+
+ CFStringRef data_or_null_name = CFSTR("com.apple.examples.unit-test.data-or-null");
+ SecTransformCreateBlock data_or_null = ^(CFStringRef name, SecTransformRef new_transform, const SecTransformCreateBlockParameters *params) {
+ params->overrideAttribute(kSecTransformActionAttributeValidation, CFSTR("INPUT"), SecTransformCreateValidatorForCFtype(CFDataGetTypeID(), YES));
+ };
+
+
+ SecTransformRef makes_numbers = count_transform(20);
+ SecTransformRef wants_data = custom_transform(data_or_null_name, data_or_null);
+
+ SecTransformConnectTransforms(makes_numbers, CFSTR("OUTPUT"), wants_data, CFSTR("INPUT"), group, NULL);
+ STAssertNil((id)err, @"unexpected connect error: %@", err);
+ CFTypeRef r = SecTransformExecute(group, &err);
+ STAssertNil((id)r, @"Got non-null result (%@) when expecting null!", r);
+ STAssertNotNil((id)err, @"Expected an error!", err);
+ STAssertErrorHas((id)err, @"/INPUT", @"Error indicated attribute that was set incorrectly");
+ STAssertErrorHas((id)err, @" type CFNumber", @"Error indicated provided type");
+ STAssertErrorHas((id)err, @" a CFData", @"Error indicated required type");
+
+ if (err) {
+ CFRelease(err);
+ }
+ err = NULL;
+ CFRelease(wants_data);
+
+ wants_data = custom_transform(data_or_null_name, data_or_null);
+
+ char raw_data[] = "`Twas brillig, and the slithy toves / Did gyre and gimble in the wabe: / All mimsy were the borogoves, / And the mome raths outgrabe.";
+ CFDataRef the_data = CFDataCreate(NULL, (UInt8*)raw_data, strlen(raw_data));
+ SecTransformSetAttribute(wants_data, kSecTransformInputAttributeName, the_data, &err);
+ CFRelease(the_data);
+
+ STAssertNil((id)err, @"unexpected set error: %@", err);
+ r = SecTransformExecute(wants_data, &err);
+ STAssertNotNil((id)r, @"Expected a result, got error: %@", err);
+ if (r) {
+ STAssertEqualObjects((id)the_data, (id)r, @"Invalid result");
+ }
+
+ CFStringRef numbers_only_name = CFSTR("com.apple.examples.unit-test.numbers-only");
+ SecTransformCreateBlock numbers_only = ^(CFStringRef name, SecTransformRef new_transform, const SecTransformCreateBlockParameters *params) {
+ params->overrideAttribute(kSecTransformActionAttributeValidation, CFSTR("INPUT"), SecTransformCreateValidatorForCFtype(CFNumberGetTypeID(), NO));
+ };
+
+ CFRelease(group);
+ CFRelease(makes_numbers);
+ CFRelease(wants_data);
+
+ group = SecTransformCreateGroupTransform();
+ makes_numbers = count_transform(20);
+ SecTransformRef wants_numbers = custom_transform(numbers_only_name, numbers_only);
+
+ SecTransformConnectTransforms(makes_numbers, CFSTR("OUTPUT"), wants_numbers, CFSTR("INPUT"), group, NULL);
+ STAssertNil((id)err, @"unexpected connect error: %@", err);
+ r = SecTransformExecute(group, &err);
+ CFfprintf(stderr, "r=%@; err=%@\n", r, err);
+ STAssertNil((id)r, @"Got non-null result (%@) when expecting null!", r);
+ STAssertNotNil((id)err, @"Expected an error!", err);
+ STAssertErrorHas((id)err, @"/INPUT", @"Error indicated attribute that was set incorrectly");
+ STAssertErrorHas((id)err, @"received NULL value", @"Error indicated provided value is NULL");
+ STAssertErrorHas((id)err, @" a CFNumber", @"Error indicated required type");
+
+ CFRelease(err);
+ CFRelease(group);
+ CFRelease(makes_numbers);
+ CFRelease(wants_numbers);
+}
+
+-(void)testCodeBase32 {
+ struct base32_test_vector {
+ const char *plain_text;
+ const char *base32_rfc4648;
+ const char *base32_fde;
+ };
+
+ // RFC 4648 test vectors
+ static base32_test_vector base32_test_vectors[] = {
+ {"", "", ""},
+ {"f", "MY======", "MY======"},
+ {"fo", "MZXQ====", "MZXQ===="},
+ {"foo", "MZXW6===", "MZXW6==="},
+ {"foob", "MZXW6YQ=", "MZXW6YQ="},
+ {"fooba", "MZXW6YTB", "MZXW6YTB"},
+ {"foobar", "MZXW6YTBOI======", "MZXW6YTBO8======"}};
+
+ void (^test)(NSString *test_name, SecTransformRef transform, const char *input, const char *expected_output, NSString *error_format) =
+ ^(NSString *test_name, SecTransformRef transform, const char *input, const char *expected_output, NSString *error_format)
+ {
+ if (!transform) {
+ STFail(@"No transform for %@", test_name);
+ return;
+ }
+
+ CFErrorRef err = NULL;
+ NSData *input_data = [NSData dataWithBytes:input length:strlen(input)];
+ NSData *expected_output_data = [NSData dataWithBytes:expected_output length:strlen(expected_output)];
+ SecTransformSetAttribute(transform, kSecTransformInputAttributeName, input_data, &err);
+ STAssertNil((NSError *)err, @"unexpected error %@ from SecTransformSetAttribute for %@", err, test_name);
+ NSData *output_data = (NSData *)SecTransformExecute(transform, &err);
+ [output_data autorelease];
+ STAssertNil((NSError *)err, @"Error from %@ execute (in=%s, err=%s)", test_name, input, err);
+ STAssertNotNil(output_data, @"Unexpected nil output from %@ execute (in=%s)", test_name, input);
+ if (output_data) {
+ NSString *output_string = [NSString alloc];
+ output_string = [output_string initWithBytes:[output_data bytes] length:[output_data length] encoding:NSMacOSRomanStringEncoding];
+ [output_string autorelease];
+ NSString *msg = [NSString stringWithFormat:error_format, input, expected_output, output_string];
+ STAssertEqualObjects(expected_output_data, output_data, @"%@ %@", test_name, msg);
+ }
+ CFRelease(transform);
+ };
+
+ for(int idx = 0; idx < sizeof(base32_test_vectors)/sizeof(*base32_test_vectors); idx++)
+ {
+ SecTransformRef base32encoder = SecEncodeTransformCreate(kSecBase32Encoding, NULL);
+ test(@"base32 encode", base32encoder, base32_test_vectors[idx].plain_text, base32_test_vectors[idx].base32_rfc4648, @"B32(\"%1$s\") should be \"%2$s\", got \"%3$@\"");
+
+ SecTransformRef base32decoder = SecDecodeTransformCreate(kSecBase32Encoding, NULL);
+ test(@"base32 decode", base32decoder, base32_test_vectors[idx].base32_rfc4648, base32_test_vectors[idx].plain_text, @"B32dec(\"%1$s\") should be \"%2$s\", got \"%3$@\"");
+
+ SecTransformRef base32FDEencoder = SecEncodeTransformCreate(CFSTR("base32FDE"), NULL);
+ test(@"base32FDE encode", base32FDEencoder, base32_test_vectors[idx].plain_text, base32_test_vectors[idx].base32_fde, @"B32(\"%1$s\") should be \"%2$s\", got \"%3$@\"");
+
+ SecTransformRef base32FDEdecoder = SecDecodeTransformCreate(CFSTR("base32FDE"), NULL);
+ test(@"base32FDE decode", base32FDEdecoder, base32_test_vectors[idx].base32_fde, base32_test_vectors[idx].plain_text, @"B32dec(\"%1$s\") should be \"%2$s\", got \"%3$@\"");
+ }
+
+ SecTransformRef bet = SecEncodeTransformCreate(kSecBase32Encoding, NULL);
+ STAssertNotNil((id)bet, @"got bulk base 32 encoder");
+ SecTransformRef bdt = SecDecodeTransformCreate(kSecBase32Encoding, NULL);
+ STAssertNotNil((id)bdt, @"got bulk base 32 decoder");
+ STAssertTrue(RoundTrip((CFStringRef)@"/usr/share/dict/words", bet, bdt, YES), @"Roundtrip base32 /usr/share/dict/words");
+
+ CFRelease(bet);
+ CFRelease(bdt);
+
+ // FDE uses a modified base32 alphabet, we want to test it here.
+ SecTransformRef FDE_encode_transform = SecEncodeTransformCreate(@"base32FDE", NULL);
+ STAssertNotNil((id)FDE_encode_transform, @"got FDE encoder");
+ SecTransformRef FDE_decode_transform = SecDecodeTransformCreate(@"base32FDE", NULL);
+ STAssertNotNil((id)FDE_decode_transform, @"got bulk base 32 decoder");
+ STAssertTrue(RoundTrip((CFStringRef)@"/usr/share/dict/words", FDE_encode_transform, FDE_decode_transform, YES), @"Roundtrip base32FDE /usr/share/dict/words");
+
+ CFRelease(FDE_encode_transform);
+ CFRelease(FDE_decode_transform);
+}
+
+-(void)testCodeBase64 {
+ CFErrorRef error = NULL;
+
+#if 0
+ SecTransformRef tr = SecDecodeTransformCreate(@"Not a real encoding", &error);
+ // XXX: known failure in Transform::SetAttribute 7707822 -- I would fix on this branch, but I think that code has diverged
+ STAssertTrue(tr == NULL, @"Checks for invalid encodings");
+ NSLog(@"Error: %@", error);
+#endif
+
+ SecTransformRef dt = SecDecodeTransformCreate(kSecBase64Encoding, NULL);
+ STAssertNotNil((id)dt, @"Got decoder");
+
+ const char raw_data0[] = "Tm90IHV1ZW5jb2RlZAo=";
+ const char raw_data1[] = "Not uuencoded\n";
+ CFDataRef data0 = CFDataCreate(NULL, (const UInt8*)raw_data0, strlen(raw_data0));
+ CFDataRef data1 = CFDataCreate(NULL, (const UInt8*)raw_data1, strlen(raw_data1));
+ SecTransformSetAttribute(dt, kSecTransformInputAttributeName, data0, NULL);
+
+ CFDataRef decoded_data = (CFDataRef)SecTransformExecute(dt, &error);
+ STAssertNotNil((NSData *)decoded_data, @"Got a decode result");
+ STAssertEqualObjects((NSData *)decoded_data, (NSData *)data1, @"Proper decode results");
+
+ SecTransformRef et = SecEncodeTransformCreate(kSecBase64Encoding, NULL);
+ STAssertNotNil((id)et, @"Got encoder");
+
+ SecTransformSetAttribute(et, kSecTransformInputAttributeName, data1, NULL);
+
+ CFDataRef encoded_data = (CFDataRef)SecTransformExecute(et, NULL);
+ STAssertNotNil((NSData *)encoded_data, @"Got an encode result");
+
+ STAssertEqualObjects((NSData *)encoded_data, (NSData *)data0, @"Proper encode results");
+
+ // Negative testing, assume the following struct
+ // struct __CFData {
+ // CFRuntimeBase _base;
+ // CFIndex _length; /* number of bytes */
+ // CFIndex _capacity; /* maximum number of bytes */
+ // CFAllocatorRef _bytesDeallocator; /* used only for immutable; if NULL, no deallocation */
+ // uint8_t *_bytes; /* compaction: direct access to _bytes is only valid when data is not inline */
+ // };
+ SecTransformRef et_neg = SecEncodeTransformCreate(kSecBase64Encoding, NULL);
+ STAssertNotNil((id)et_neg, @"Got encoder for negative testing");
+
+ CFIndex *data1_length=(CFIndex*)((unsigned char *)data1 + sizeof(CFRuntimeBase));
+ CFIndex data1_backup=*data1_length;
+ if (sizeof(CFIndex)==8)
+ {
+ *data1_length=0x5ffffffffffffff7;
+ }
+ else if (sizeof(CFIndex)==4)
+ {
+ *data1_length=0x5ffffff7;
+ }
+ else
+ {
+ STAssertTrue(false, @"Test error, representation of CFIndex not supported. Sizeof(CFIndex)=%d. Only support 4 or 8",sizeof(CFIndex));
+ }
+ STAssertTrue(CFDataGetLength(data1)==*data1_length, @"Length not properly set - test bug - reads %lu expect %lu",CFDataGetLength(data1),*data1_length);
+ SecTransformSetAttribute(et_neg, kSecTransformInputAttributeName, data1, NULL);
+ CFDataRef encoded_data2 = (CFDataRef)SecTransformExecute(et_neg, &error);
+ STAssertNil((id)encoded_data2, @"No encoded data for negative testing");
+ STAssertNotNil((id)error, @"Got error for negative testing");
+ *data1_length=data1_backup;
+ if (error!=NULL)
+ {
+ STAssertTrue((CFErrorGetCode(error)==kSecTransformErrorInvalidLength),
+ @"Error for invalid length, got %lu expect %lu",CFErrorGetCode(error),kSecTransformErrorInvalidLength);
+ }
+ // XXX also for general testing we want a "RandomChunkSizer" that copies INPUT to OUTPUT, but makes random size chunks (incl 0) as it goes.
+
+ SecTransformRef dt2 = SecDecodeTransformCreate(kSecBase64Encoding, NULL);
+ SecTransformRef et2 = SecEncodeTransformCreate(kSecBase64Encoding, NULL);
+ int ll = 75;
+ SecTransformSetAttribute(et2, kSecEncodeLineLengthAttribute, CFNumberCreate(NULL, kCFNumberIntType, &ll), NULL);
+
+ STAssertTrue(RoundTrip((CFStringRef)@"/usr/share/dict/words", et2, dt2, YES), @"Roundtrip base64 /usr/share/dict/words");
+
+ CFRelease(et2);
+ CFRelease(dt2);
+ CFRelease(et);
+ CFRelease(et_neg);
+ CFRelease(dt);
+}
+
+static SecTransformInstanceBlock ErrorResultsTest(CFStringRef name,
+ SecTransformRef newTransform,
+ SecTransformImplementationRef ref)
+{
+ SecTransformInstanceBlock instanceBlock =
+ ^{
+ CFErrorRef result = NULL;
+ SecTransformSetDataAction(ref, kSecTransformActionProcessData,
+ ^(CFTypeRef value)
+ {
+ if (value != NULL)
+ {
+ return (CFTypeRef)CFErrorCreate(NULL, CFSTR("expected error"), 42, NULL);
+ }
+ else
+ {
+ return SecTransformNoData();
+ }
+ });
+
+ return result;
+ };
+
+ return Block_copy(instanceBlock);
+}
+
+
+-(void)testErrorResults {
+ CFStringRef name = CFSTR("com.apple.security.unit-test.error-results");
+ SecTransformRegister(name, &ErrorResultsTest, NULL);
+
+ SecTransformRef tr = SecTransformCreate(name, NULL);
+ CFDataRef data = CFDataCreate(NULL, NULL, 0);
+ SecTransformSetAttribute(tr, kSecTransformInputAttributeName, data, NULL);
+
+ CFErrorRef err = NULL;
+ CFTypeRef no_result = SecTransformExecute(tr, &err);
+
+ STAssertErrorHas((id)err, @"expected error", @"Signaled error has original string");
+ STAssertErrorHas((id)err, @"42", @"Signaled error has original error code");
+ STAssertNil((id)no_result, @"No result from erroring transform");
+ CFRelease(data);
+ CFRelease(tr);
+ CFRelease(err);
+}
+
+-(void)testErrorExecutesInRightQueue {
+ // testExecuteBlock checks to see if blocks are generally executed on the proper queue, this specifically checks
+ // for an error while starting (which was originally improperly coded).
+
+ SecTransformRef unassigned_input = SecNullTransformCreate();
+ dispatch_queue_t q = dispatch_queue_create("com.apple.unit-test.ErrorExecutesInRightQueue", NULL);
+ dispatch_group_t got_final = dispatch_group_create();
+ dispatch_group_enter(got_final);
+ __block bool saw_data = false;
+ __block bool saw_error = false;
+
+ SecTransformExecuteAsync(unassigned_input, q, ^(CFTypeRef message, CFErrorRef error, Boolean isFinal) {
+ STAssertEquals(q, const_cast<const dispatch_queue_t>(dispatch_get_current_queue()), @"Should be running on %p, but is running on %p", q, dispatch_get_current_queue());
+ saw_data = saw_data || (message != NULL);
+ saw_error = saw_error || (error != NULL);
+ if (isFinal) {
+ dispatch_group_leave(got_final);
+ }
+ });
+
+ STAssertFalse(dispatch_group_wait(got_final, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC)), @"Execute completed");
+ STAssertFalse(saw_data, @"Should have seen no data (but did)");
+ STAssertTrue(saw_error, @"Should have seen error (but didn't)");
+
+ CFRelease(unassigned_input);
+ dispatch_group_notify(got_final, q, ^{
+ dispatch_release(got_final);
+ dispatch_release(q);
+ });
+
+}
+
+-(void)testSignVerify {
+ unsigned char *raw_message = (unsigned char *)"Controlling complexity is the essence of computer programming. - Brian Kernigan";
+ dispatch_group_t dg = dispatch_group_create();
+ CFErrorRef err = NULL;
+ CFDataRef message = CFDataCreate(NULL, raw_message, strlen((const char *)raw_message));
+ __block SecKeyRef rsa_pub_key = NULL;
+ __block SecKeyRef rsa_priv_key = NULL;
+ __block SecKeyRef ecdsa_pub_key = NULL;
+ __block SecKeyRef ecdsa_priv_key = NULL;
+ __block SecKeyRef dsa_pub_key = NULL;
+ __block SecKeyRef dsa_priv_key = NULL;
+
+ char *tmp_dir;
+ asprintf(&tmp_dir, "%s/sign-verify-test-keychain-", getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp");
+
+ unsigned char *raw_bad_message = (unsigned char *)"Standards are great, there are so many to choose from - Andrew S. Tanenbaum (maybe)";
+ CFDataRef bad_message = CFDataCreate(NULL, raw_bad_message, strlen((const char *)raw_bad_message));
+
+ // when safe replace with a concurrent queue
+ dispatch_queue_t key_q = dispatch_queue_create(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
+
+ dispatch_group_async(dg, key_q,
+ ^{
+ NSAutoreleasePool *pool = [NSAutoreleasePool new];
+
+ // (note the key must be bigger then a SHA2-256 signature plus the DER.1 packing of the OID, so 1024 was chosen for that, not speed or safety)
+ NSDictionary *key_opts = [NSDictionary dictionaryWithObjectsAndKeys:
+ (NSString *)kSecAttrKeyTypeRSA, (NSString *)kSecAttrKeyType,
+ [NSNumber numberWithInt:1024], (NSString *)kSecAttrKeySizeInBits,
+ @"RSA transform unit test key", (NSString *)kSecAttrLabel,
+ nil];
+ OSStatus gp_status = SecKeyGeneratePair((CFDictionaryRef)key_opts, &rsa_pub_key, &rsa_priv_key);
+ STAssertTrue(gp_status == 0, @"RSA (gp_status=0x%x)", gp_status);
+ [pool drain];
+ });
+
+ dispatch_group_async(dg, key_q,
+ ^{
+ OSStatus gp_status;
+#if 0
+ // I don't know how "safe" a 512 bit ECDSA key is, but again this is just for testing, not for signing any real data
+ NSDictionary *key_opts = [NSDictionary dictionaryWithObjectsAndKeys:
+ (NSString *)kSecAttrKeyTypeECDSA, (NSString *)kSecAttrKeyType,
+ [NSNumber numberWithInt:512], (NSString *)kSecAttrKeySizeInBits,
+ @"ECDSA transform unit test key", (NSString *)kSecAttrLabel,
+ nil];
+ gp_status = SecKeyGeneratePair((CFDictionaryRef)key_opts, &ecdsa_pub_key, &ecdsa_priv_key);
+#else
+ {
+ SecKeychainRef tmp_keychain = NULL;
+ gp_status = SecKeyCreatePair(tmp_keychain, CSSM_ALGID_ECDSA, 256, NULL,
+ CSSM_KEYUSE_VERIFY,
+ CSSM_KEYATTR_EXTRACTABLE|CSSM_KEYATTR_PERMANENT,
+ CSSM_KEYUSE_SIGN,
+ CSSM_KEYATTR_EXTRACTABLE|CSSM_KEYATTR_PERMANENT,
+ NULL, &ecdsa_pub_key, &ecdsa_priv_key);
+ }
+#endif
+ if (gp_status)
+ {
+ STAssertTrue(gp_status == 0, @"ECDSA (gp_status=0x%x)", gp_status);
+ }
+ });
+
+ dispatch_group_async(dg, key_q,
+ ^{
+ OSStatus gp_status;
+#if 0
+ // I don't know how "safe" a 1024 bit DSA key is, but again this is just for testing, not for signing any real data
+ NSDictionary *key_opts = [NSDictionary dictionaryWithObjectsAndKeys:(NSString *)kSecAttrKeyTypeDSA,
+ (NSString *)kSecAttrKeyType, [NSNumber numberWithInt:512], (NSString *)kSecAttrKeySizeInBits, nil];
+ gp_status = SecKeyGeneratePair((CFDictionaryRef)key_opts, &ecdsa_pub_key, &ecdsa_priv_key);
+#else
+ {
+ const char *passwd = "this is not secret";
+ SecKeychainRef tmp_keychain = NULL;
+ char *kcfname;
+ asprintf(&kcfname, "%s-DSA-XXXXXXXXXX", tmp_dir);
+ // NOTE: "mktemp" isn't as safe as you might think...but this is test code and doesn't have to be, but
+ // if you copy it elsewhere you may well need to rewrite it. (use mkstemp)
+ mktemp(kcfname);
+ gp_status = SecKeychainCreate(kcfname, (UInt32) strlen(passwd), passwd, NO, NULL, &tmp_keychain);
+ STAssertTrue(gp_status == 0, @"SecKeychainCreate (gp_status=0x%x)", gp_status);
+ gp_status = SecKeyCreatePair(tmp_keychain, CSSM_ALGID_DSA, 512, NULL,
+ CSSM_KEYUSE_VERIFY|CSSM_KEYUSE_ENCRYPT|CSSM_KEYUSE_WRAP,
+ CSSM_KEYATTR_EXTRACTABLE|CSSM_KEYATTR_PERMANENT|CSSM_KEYATTR_RETURN_REF,
+ CSSM_KEYUSE_SIGN|CSSM_KEYUSE_DECRYPT|CSSM_KEYUSE_UNWRAP,
+ CSSM_KEYATTR_EXTRACTABLE|CSSM_KEYATTR_PERMANENT|CSSM_KEYATTR_RETURN_REF,
+ NULL, &dsa_pub_key, &dsa_priv_key);
+ free(kcfname);
+ }
+#endif
+ STAssertTrue(gp_status == 0, @"DSA (gp_status=0x%x)", gp_status);
+ });
+
+ struct sv_test {
+ NSString *name;
+ SecKeyRef pub_key, priv_key;
+ CFDataRef msg_sign, msg_verify;
+ CFTypeRef dalgo_sign, dalgo_verify;
+ int dlen_sign, dlen_verify;
+ BOOL pass;
+ };
+
+ dispatch_group_wait(dg, DISPATCH_TIME_FOREVER);
+
+ struct sv_test sv_tests[] =
+ {
+ {@"Basic RSA", rsa_pub_key, rsa_priv_key, message, message, NULL, NULL, 0, 0, YES},
+ {@"Basic RSA (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, NULL, NULL, 0, 0, NO},
+ {@"RSA, mismatched digest algos", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA1, 0, 0, NO},
+
+ {@"RSA SHA1 MD5", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA1, kSecDigestSHA1, 0, 0, YES},
+ {@"RSA SHA1 MD5 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestSHA1, kSecDigestSHA1, 0, 0, NO},
+
+ {@"RSA MD5", rsa_pub_key, rsa_priv_key, message, message, kSecDigestMD5, kSecDigestMD5, 0, 0, YES},
+ {@"RSA MD5 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestMD5, kSecDigestMD5, 0, 0, NO},
+
+ {@"RSA MD2", rsa_pub_key, rsa_priv_key, message, message, kSecDigestMD2, kSecDigestMD2, 0, 0, YES},
+ {@"RSA MD2 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestMD2, kSecDigestMD2, 0, 0, NO},
+
+ {@"RSA SHA2 512", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 512, 512, YES},
+ {@"RSA SHA2 512 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 512, 512, NO},
+ {@"RSA SHA2 512 vs. 384", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 512, 384, NO},
+
+ {@"RSA SHA2 384", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 384, 384, YES},
+ {@"RSA SHA2 384 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 384, 384, NO},
+
+ {@"RSA SHA2 256", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 256, 256, YES},
+ {@"RSA SHA2 256 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 256, 256, NO},
+
+ {@"RSA SHA2 224", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 224, 224, YES},
+ {@"RSA SHA2 224 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 224, 224, NO},
+
+ {@"RSA SHA2 0", rsa_pub_key, rsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 0, 0, YES},
+ {@"RSA SHA2 0 (tampered data)", rsa_pub_key, rsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 0, 0, NO},
+
+ {@"Basic ECDSA", ecdsa_pub_key, ecdsa_priv_key, message, message, NULL, NULL, 0, 0, YES},
+ {@"Basic ECDSA (tampered data)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, NULL, NULL, 0, 0, NO},
+ {@"ECDSA (mismatched digest algos)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA1, 0, 0, NO},
+
+ {@"ECDSA SHA1", ecdsa_pub_key, ecdsa_priv_key, message, message, kSecDigestSHA1, kSecDigestSHA1, 0, 0, YES},
+ {@"ECDSA SHA1 (tampered data)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, kSecDigestSHA1, kSecDigestSHA1, 0, 0, NO},
+
+ {@"ECDSA SHA2 224", ecdsa_pub_key, ecdsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 224, 224, YES},
+ {@"ECDSA SHA2 224 (tampered data)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 224, 224, NO},
+
+ {@"ECDSA SHA2 256", ecdsa_pub_key, ecdsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 256, 256, YES},
+ {@"ECDSA SHA2 256 (tampered data)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 256, 256, NO},
+
+ {@"ECDSA SHA2 384", ecdsa_pub_key, ecdsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 384, 384, YES},
+ {@"ECDSA SHA2 384 (tampered data)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 384, 384, NO},
+
+ {@"ECDSA SHA2 512", ecdsa_pub_key, ecdsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 512, 512, YES},
+ {@"ECDSA SHA2 512 (tampered data)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 512, 512, NO},
+
+ {@"ECDSA SHA2 0", ecdsa_pub_key, ecdsa_priv_key, message, message, kSecDigestSHA2, kSecDigestSHA2, 0, 0, YES},
+ {@"ECDSA SHA2 0 (tampered data)", ecdsa_pub_key, ecdsa_priv_key, message, bad_message, kSecDigestSHA2, kSecDigestSHA2, 0, 0, NO},
+
+ {@"Basic DSA", dsa_pub_key, dsa_priv_key, message, message, NULL, NULL, 0, 0, YES},
+ {@"Basic DSA (tampered data)", dsa_pub_key, dsa_priv_key, message, bad_message, NULL, NULL, 0, 0, NO},
+ // only SHA1 is supported, so no mismatched digest algo test is available
+
+ {@"DSA SHA1", dsa_pub_key, dsa_priv_key, message, message, kSecDigestSHA1, kSecDigestSHA1, 0, 0, YES},
+ {@"DSA SHA1 (tampered data)", dsa_pub_key, dsa_priv_key, message, bad_message, kSecDigestSHA1, kSecDigestSHA1, 0, 0, NO},
+ };
+
+ free(tmp_dir);
+
+ int i;
+ for(i = 0; i < sizeof(sv_tests)/sizeof(sv_test); i++)
+ {
+ CFStringRef input_cases[] = {kSecInputIsPlainText, kSecInputIsDigest};
+ //CFStringRef input_cases[] = {kSecInputIsPlainText, kSecInputIsDigest, kSecInputIsRaw};
+ const int ilim = sizeof(input_cases)/sizeof(input_cases[0]);
+ int ii = 0, ij = 0;
+ for(; ii < ilim; ++ii)
+ {
+ for(ij = 0; ij < ilim; ++ij)
+ {
+ err = NULL;
+ struct sv_test *tst = sv_tests + i;
+ NSString *tname = [NSString stringWithFormat:@"%@ %@ %@", tst->name, input_cases[ii], input_cases[ij]];
+
+ CFStringRef sign_input_is = input_cases[ii];
+ CFStringRef verify_input_is = input_cases[ij];
+
+ if (sign_input_is != kSecInputIsPlainText && tst->dalgo_sign == NULL) {
+ continue;
+ }
+ if (verify_input_is != kSecInputIsPlainText && tst->dalgo_verify == NULL) {
+ continue;
+ }
+
+ if ((sign_input_is == kSecInputIsRaw || verify_input_is == kSecInputIsRaw) && [tst->name rangeOfString:@"RSA"].location == NSNotFound) {
+ // we can only synthesize these tests for RSA
+ NSLog(@"No %@ test", tname);
+ continue;
+ }
+
+ STAssertNotNil((id)tst->pub_key, @"Have pub_key for %@", tname);
+ STAssertNotNil((id)tst->priv_key, @"Have priv_key for %@", tname);
+
+ if (tst->pub_key == nil || tst->priv_key == nil) {
+ continue;
+ }
+
+ SecTransformRef sign = SecSignTransformCreate(tst->priv_key, &err);
+ STAssertNil((NSError *)err, @"creating sign for %@", tname);
+ STAssertNotNil((id)sign, @"Creating sign for %@", tname);
+
+ if (sign == NULL) {
+ continue;
+ }
+
+ SecTransformRef verify = SecVerifyTransformCreate(tst->pub_key, NULL, &err);
+ STAssertNotNil((id)verify, @"Creating verify for %@", tname);
+ STAssertNil((NSError *)err, @"Creating verify for %@", tname);
+
+ if (verify == NULL) {
+ continue;
+ }
+
+ SecTransformRef sign_digest = NULL;
+ SecTransformRef verify_digest = NULL;
+ SecTransformRef sign2 = NULL;
+
+ if (tst->dalgo_sign)
+ {
+ SecTransformSetAttribute(sign, kSecDigestTypeAttribute, tst->dalgo_sign, &err);
+ STAssertNil((NSError *)err, @"Setting sign's digest type for %@", tname);
+ SecTransformSetAttribute(sign, kSecDigestLengthAttribute, [NSNumber numberWithInt:tst->dlen_sign], &err);
+ STAssertNil((NSError *)err, @"Setting sign's digest length for %@", tname);
+
+ if (sign_input_is == kSecInputIsDigest)
+ {
+ sign_digest = SecDigestTransformCreate(tst->dalgo_sign, tst->dlen_sign, &err);
+ STAssertNotNil((id)sign_digest, @"Create sign's %@-%d digest transform (for %@)", tst->dalgo_sign, tst->dlen_sign, tname);
+ STAssertNil((NSError *)err, @"Making sign's digester (for %@) - err=%@", tname, err);
+
+ SecTransformSetAttribute(sign, kSecInputIsAttributeName, sign_input_is, &err);
+ STAssertNil((NSError *)err, @"Setting sign's InputIs (for %@) - err=%@", tname, err);
+ }
+ }
+
+ if (tst->dalgo_verify) {
+ SecTransformSetAttribute(verify, kSecDigestTypeAttribute, tst->dalgo_verify, &err);
+ STAssertNil((NSError *)err, @"Setting verify's digest type for %@", tname);
+ SecTransformSetAttribute(verify, kSecDigestLengthAttribute, [NSNumber numberWithInt:tst->dlen_verify], &err);
+ STAssertNil((NSError *)err, @"Setting verify's digest length for %@", tname);
+
+ if (verify_input_is == kSecInputIsDigest) {
+ verify_digest = SecDigestTransformCreate(tst->dalgo_verify, tst->dlen_verify, &err);
+ STAssertNotNil((id)verify_digest, @"Create verify's %@-%d digest transform (for %@)", tst->dalgo_verify, tst->dlen_verify, tname);
+ STAssertNil((NSError *)err, @"Making verify's digester (for %@) - err=%@", tname, err);
+
+ SecTransformSetAttribute(verify, kSecInputIsAttributeName, verify_input_is, &err);
+ STAssertNil((NSError *)err, @"Setting verify's InputIs (for %@) - err=%@", tname, err);
+ }
+ }
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ SecTransformSetAttribute(sign_digest ? sign_digest : sign, kSecTransformInputAttributeName, tst->msg_sign, (CFErrorRef *)&err);
+ if (sign_digest) {
+ STAssertNil((NSError *)err, @"Setting sign's digest's input for %@", tname);
+ SecTransformConnectTransforms(sign_digest, kSecTransformOutputAttributeName,
+ sign, kSecTransformInputAttributeName, group, NULL);
+ } else {
+ STAssertNil((NSError *)err, @"Setting sign's input for %@", tname);
+ }
+
+
+ SecTransformSetAttribute(verify_digest ? verify_digest : verify, kSecTransformInputAttributeName, tst->msg_verify, (CFErrorRef *)&err);
+ if (verify_digest) {
+ STAssertNil((NSError *)err, @"Setting verify's digest's input for %@", tname);
+ SecTransformConnectTransforms(verify_digest, kSecTransformOutputAttributeName,
+ verify, kSecTransformInputAttributeName, group, NULL);
+ } else {
+ STAssertNil((NSError *)err, @"Setting verify's input for %@", tname);
+ }
+
+ SecTransformConnectTransforms(sign2 ? sign2 : sign, kSecTransformOutputAttributeName, verify, kSecSignatureAttributeName, group, NULL);
+
+ dispatch_group_enter(dg);
+ dispatch_queue_t temp_q = dispatch_queue_create(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
+ SecTransformExecuteAsync(sign, temp_q,
+ ^(CFTypeRef message, CFErrorRef error, Boolean isFinal)
+ {
+ if (message)
+ {
+ if (tst->pass)
+ {
+ STAssertTrue(message == kCFBooleanTrue, @"Failed to verify proper signature %@; message = %@", tname, message);
+ } else
+ {
+ STAssertTrue(message == kCFBooleanFalse, @"Failed to detect tampering %@; message = %@", tname, message);
+ }
+ }
+
+ STAssertNil((NSError *)err, @"Executed ok for %@ (err=%@)", tname, error);
+
+ if (isFinal)
+ {
+ dispatch_group_leave(dg);
+ }
+ });
+
+ CFRelease(sign);
+ CFRelease(verify);
+ CFRelease(group);
+ }
+ }
+ }
+
+ struct raw_test {
+ SecKeyRef pub, priv;
+ NSString *name;
+ } raw_tests[] = {
+ {rsa_pub_key, rsa_priv_key, @"RSA raw test"},
+ {dsa_pub_key, dsa_priv_key, @"DSA raw test"},
+ {ecdsa_pub_key, ecdsa_priv_key, @"ECDSA raw test"},
+ };
+
+ for(i = 0; i < sizeof(raw_tests)/sizeof(raw_tests[0]); ++i) {
+ raw_test *t = raw_tests + i;
+ SecTransformRef tee = SecNullTransformCreate();
+ const char *raw_bytes = "some bytes";
+ CFDataRef bytes = CFDataCreate(NULL, (UInt8*)raw_bytes, strlen(raw_bytes));
+ CFErrorRef err = NULL;
+
+ SecTransformRef sign = SecSignTransformCreate(t->priv, &err);
+ STAssertNil((id)err, @"%@ test sign create err=%@", t->name, err);
+
+ SecTransformRef verify = SecVerifyTransformCreate(t->pub, NULL, &err);
+ STAssertNil((id)err, @"%@ test verify create err=%@", t->name, err);
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ SecTransformConnectTransforms(sign, kSecTransformOutputAttributeName, verify, kSecSignatureAttributeName, group, &err);
+ SecTransformConnectTransforms(tee, kSecTransformOutputAttributeName, sign, kSecTransformInputAttributeName, group, &err);
+ SecTransformConnectTransforms(tee, kSecTransformOutputAttributeName, verify, kSecTransformInputAttributeName, group, &err);
+ SecTransformSetAttribute(tee, kSecTransformInputAttributeName, bytes, &err);
+ STAssertNil((id)err, @"%@ setup error=%@", t->name, err);
+ CFRetain(group);
+ dispatch_group_async(dg, dispatch_queue_create(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ CFErrorRef xerr = NULL;
+ CFTypeRef result = SecTransformExecute(group, &xerr);
+ CFRelease(group);
+
+ if (result) {
+ STAssertTrue(result == kCFBooleanTrue, @"%@ sign result=%@", t->name, result);
+ } else {
+ STFail(@"%@ no result", t->name);
+ }
+ STAssertNil((id)err, @"%@ execute error=%@", t->name, xerr);
+ });
+ CFRelease(group);
+ }
+
+ // Test some things we want to fail for:
+
+ SecTransformRef tee = SecNullTransformCreate();
+ SecTransformSetAttribute(tee, kSecTransformInputAttributeName, message, NULL);
+ SecTransformRef vrfy = SecVerifyTransformCreate(ecdsa_pub_key, NULL, NULL);
+
+ SecGroupTransformRef group = SecTransformCreateGroupTransform();
+ SecTransformConnectTransforms(tee, kSecTransformOutputAttributeName, vrfy, kSecSignatureAttributeName, group, NULL);
+ SecTransformSetAttribute(vrfy, kSecDigestTypeAttribute, CFSTR("No such type"), NULL);
+ SecTransformSetAttribute(vrfy, kSecTransformInputAttributeName, message, NULL);
+ err = NULL;
+ CFTypeRef no_result = SecTransformExecute(group, (CFErrorRef*)&err);
+ CFRelease(group);
+
+ STAssertNil((id)no_result, @"No result from nonexistent digest");
+ STAssertErrorHas((id)err, @"[Ii]nvalid digest algorithm", @"Error message describes nature of error (%@)", err);
+ STAssertErrorHas((id)err, @"ECDSA signature", @"Error is not overly general (%@)", err);
+ STAssertErrorHas((id)err, @"ECDSA signature", @"Error is not overly general (%@)", err);
+ STAssertErrorHas((id)err, @"SHA1.*SHA2", @"Error describes valid algorithms (%@)", err);
+ CFRelease(vrfy);
+
+ // It would be awesome if we supported all the digests, and this test went away.
+ vrfy = SecVerifyTransformCreate(dsa_pub_key, message, NULL);
+ tee = SecNullTransformCreate();
+
+ group = SecTransformCreateGroupTransform();
+ SecTransformConnectTransforms(vrfy, kSecSignatureAttributeName, tee, kSecTransformOutputAttributeName, group, NULL);
+ SecTransformConnectTransforms(tee, kSecTransformOutputAttributeName, vrfy, kSecTransformInputAttributeName, group, NULL);
+ SecTransformSetAttribute(vrfy, kSecDigestTypeAttribute, kSecDigestSHA2, NULL);
+ SecTransformSetAttribute(tee, kSecTransformInputAttributeName, message, NULL);
+ err = NULL;
+ no_result = SecTransformExecute(group, (CFErrorRef*)&err);
+ CFRelease(group);
+
+ STAssertNil((id)no_result, @"No result from invalid digest");
+ STAssertErrorHas((id)err, @"[Ii]nvalid digest algorithm", @"Error message gives problem statement (%@)", err);
+ STAssertErrorHas((id)err, @"[^A-Z]DSA signature", @"Error is not overly general (%@)", err);
+ STAssertErrorHas((id)err, @"SHA1", @"Correct algorithm is named (%@)", err);
+
+ dispatch_group_wait(dg, DISPATCH_TIME_FOREVER);
+}
+
+static BOOL keyWithBytes(CFDataRef keyData, SecKeyRef* key, CFTypeRef keyClass) {
+ CFErrorRef errorRef=NULL;
+ CFMutableDictionaryRef parameters;
+ parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 10, NULL, NULL);
+
+ /*
+ kSecAttrKeyClass values:
+ kSecAttrKeyClassPublic
+ kSecAttrKeyClassPrivate
+ kSecAttrKeyClassSymmetric
+ */
+ CFDictionaryAddValue(parameters, kSecAttrKeyClass, keyClass);
+ CFDictionaryAddValue(parameters, kSecAttrIsPermanent, kCFBooleanFalse); /* also means we have raw bits */
+ CFDictionaryAddValue(parameters, kSecAttrKeyType, kSecAttrKeyTypeRSA); /* also means we have raw bits */
+ *key = SecKeyCreateFromData(parameters, keyData, &errorRef);
+ CFRelease(parameters);
+ return (key != NULL);
+}
+
+-(void)testVerifyWithKeyFromBytes {
+ /*
+ static const uint8_t original_pubKeyData[] =
+ {
+ 0x30, 0x48, 0x02, 0x41, 0x00, 0xd1, 0x4d, 0x1c, 0xe6, 0xbd, 0xd6, 0x8c, 0x4b, 0x77, 0x1e, 0x9f,
+ 0xbc, 0xe1, 0xf6, 0x96, 0xf2, 0x55, 0xa2, 0xdc, 0x28, 0x36, 0x39, 0xf4, 0xec, 0x5b, 0x85, 0x9b,
+ 0x3c, 0x7f, 0x98, 0xe0, 0xed, 0x49, 0xf5, 0x44, 0xb1, 0x87, 0xa8, 0xf6, 0x7f, 0x55, 0xc0, 0x39,
+ 0xf0, 0xe7, 0xcc, 0x9c, 0x84, 0xde, 0x7d, 0x9a, 0x87, 0x38, 0xf2, 0x4b, 0x11, 0x6f, 0x63, 0x90,
+ 0xfc, 0x72, 0x2c, 0x86, 0xa3, 0x02, 0x03, 0x01, 0x00, 0x01
+ }; */
+
+ // openssl genrsa -out /tmp/rsa512.pem
+ // openssl rsa -inform PEM -in /tmp/rsa512.pem -outform DER -out /tmp/rsa512.der
+ // hexdump -C /tmp/rsa512.der | cut -c10-58 | tr -s ' ' ' ' | sed -e 's/ /, 0x/g' -e 's/$/,/' | cut -c3-|pbcopy
+ static const uint8_t pubKeyData[] = {
+ 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+ 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xbf, 0xd5, 0xce, 0x43, 0x59, 0xd5, 0xf8,
+ 0x41, 0xb2, 0xe1, 0x16, 0x02, 0x2a, 0x16, 0xcb, 0xef, 0x49, 0xea, 0x98, 0x71, 0xf8, 0xfb, 0x94,
+ 0x23, 0x12, 0xf7, 0xbc, 0x80, 0xd0, 0x8b, 0xfd, 0x29, 0xb8, 0xfc, 0x2c, 0x3d, 0x13, 0x6f, 0x37,
+ 0xef, 0xa7, 0x1e, 0xf9, 0x4c, 0x3d, 0x38, 0x3a, 0x2f, 0x6b, 0xa8, 0x16, 0x00, 0x27, 0x5a, 0xbe,
+ 0x3d, 0x61, 0xdd, 0x18, 0x45, 0x22, 0xdb, 0x1a, 0xff, 0x02, 0x03, 0x01, 0x00, 0x01,
+ };
+ static const uint8_t signatureData[] =
+ {
+ 0xbc, 0x76, 0x2a, 0x50, 0x4e, 0x17, 0x0b, 0xa9, 0x31, 0x3b, 0xc5, 0xb0, 0x4d, 0x2a, 0x01, 0x9a,
+ 0xbb, 0x5e, 0x7b, 0x6e, 0x90, 0x2f, 0xaf, 0x3f, 0x40, 0xdb, 0xb0, 0xfc, 0x49, 0xcf, 0xbb, 0xb6,
+ 0x08, 0xf0, 0xbb, 0x04, 0x5f, 0x89, 0x0b, 0x10, 0x47, 0x06, 0x93, 0xb3, 0xb7, 0x0b, 0x4e, 0x17,
+ 0xe9, 0xb1, 0x55, 0x94, 0x63, 0x30, 0x0b, 0xa3, 0xb1, 0x28, 0xba, 0xe8, 0xef, 0xb4, 0xbd, 0xc5
+ };
+
+ const char *raw_data = "Data to verify";
+ CFDataRef data = CFDataCreate(NULL, (UInt8*) raw_data, strlen(raw_data));
+
+ SecKeyRef key;
+ CFDataRef cfkeybytes;
+ CFErrorRef error;
+ cfkeybytes = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, pubKeyData, sizeof(pubKeyData),kCFAllocatorNull);
+
+ if(keyWithBytes(cfkeybytes, &key, kSecAttrKeyClassPublic)){
+ CFDataRef signature = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, signatureData, sizeof(signatureData),kCFAllocatorNull);
+ SecTransformRef vt = SecVerifyTransformCreate(key,signature,&error);
+ SecTransformSetAttribute(vt, kSecTransformDebugAttributeName, @"YES", NULL);
+ SecTransformSetAttribute(vt, kSecTransformInputAttributeName, data, &error);
+ CFBooleanRef signature_ok = (CFBooleanRef) SecTransformExecute(vt, &error);
+
+ CFRelease(vt);
+ CFRelease(key);
+ CFRelease(signature);
+ CFRelease(data);
+ CFRelease(cfkeybytes);
+
+ NSLog(@"STE result %@, err=%@", signature_ok, error);
+ STAssertNil((id)error, @"Error from SecTransformExecute: %@", error);
+ } else {
+ STFail(@"Can't get SecKeyCreateFromData to work");
+ }
+}
+
+-(void)testAESAndCastKeysFromBytes {
+ CFErrorRef err = NULL;
+ struct tcase {
+ const char *name;
+ CFTypeRef key_type;
+ NSData *key_data;
+ };
+ const char *aes_kbytes = "0123456789012345";
+ const char *cast_kbytes = "01234567";
+
+ struct tcase cases[] = {
+ {"AES", kSecAttrKeyTypeAES, [NSData dataWithBytes:aes_kbytes length:strlen(aes_kbytes)]},
+ {"CAST", kSecAttrKeyTypeCAST, [NSData dataWithBytes:cast_kbytes length:strlen(cast_kbytes)]},
+ };
+
+ int i;
+ for(i = 0; i < sizeof(cases)/sizeof(cases[0]); ++i) {
+ NSDictionary *parm = [NSDictionary dictionaryWithObjectsAndKeys:
+ (id)kSecAttrKeyClassSymmetric, kSecAttrKeyClass,
+ (id)cases[i].key_type, kSecAttrKeyType,
+ (id)kCFBooleanFalse, kSecAttrIsPermanent,
+ NULL];
+
+ SecKeyRef k = SecKeyCreateFromData((CFDictionaryRef)parm, (CFDataRef)cases[i].key_data, (CFErrorRef *)&err);
+ STAssertNotNil((id)k, @"%s SecKeyCreateFromData didn't", cases[i].name);
+ STAssertNil((id)err, @"%s SecKeyCreateFromData err=%@", err);
+
+ SecTransformRef et = SecEncryptTransformCreate(k, &err);
+ STAssertNotNil((id)et, @"No %s EncryptTransform created", cases[i].name);
+ STAssertNil((id)err, @"Error from %s SecEncryptTransformCreate err=%@", cases[i].name, err);
+
+ SecTransformRef dt = SecDecryptTransformCreate(k, &err);
+ STAssertNotNil((id)dt, @"No %s DecryptTransform created", cases[i].name);
+ STAssertNil((id)err, @"Error from %s SecDecryptTransformCreate err=%@", cases[i].name, err);
+
+ if (k) {
+ BOOL rt_ok = RoundTrip(CFSTR("/usr/share/dict/propernames"), et, dt, YES);
+ CFRelease(et);
+ CFRelease(dt);
+ STAssertTrue(rt_ok, @"%s's round trip", cases[i].name);
+ }
+ }
+}
+
+-(void)testDispatchAsumptions {
+ // Failures here don't directly indicate we have a bug. It would indicate that
+ // either dispatch has one, or that we rely on something dispatch never promised
+ // and has changed.
+
+ dispatch_semaphore_t pre_sem = dispatch_semaphore_create(0);
+ dispatch_semaphore_t post_sem = dispatch_semaphore_create(0);
+ __block bool pre_wait_works = false;
+
+ dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 0.1 * NSEC_PER_SEC), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(void){
+ STAssertTrue(0 == dispatch_semaphore_wait(pre_sem, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC)), @"semaphore signal prior to wait pre-wakes");
+ pre_wait_works = true;
+ dispatch_semaphore_signal(post_sem);
+ });
+ dispatch_semaphore_signal(pre_sem);
+ STAssertTrue(0 == dispatch_semaphore_wait(post_sem, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC)), @"signal after wait wakes");
+ STAssertTrue(pre_wait_works, @"pre-wait worked");
+
+
+}
+
+// Build a group containing 3 subgroups, G1 which has 2 encoders, G2 and G3 which have one
+// decoder each. Exports and attributes are hooked up so execution results in a CFData
+// with the same contents as input_data. "self" is used by the STAssert macros.
+// The various transforms are assigned names: G1, G2, G3, E64, EZLIB, DZLIB, D64.
+static SecTransformRef build_nested_groups(id self, CFDataRef input_data) {
+ SecGroupTransformRef outer = SecTransformCreateGroupTransform();
+ SecGroupTransformRef g1 = SecTransformCreateGroupTransform();
+ SecGroupTransformRef g2 = SecTransformCreateGroupTransform();
+ SecGroupTransformRef g3 = SecTransformCreateGroupTransform();
+
+ CFErrorRef err = NULL;
+
+ SecTransformSetAttribute(outer, kSecTransformTransformName, CFSTR("OUTER"), &err);
+ STAssertNil((id)err, @"Can't set outer's name: %@", err);
+ SecTransformSetAttribute(g1, kSecTransformTransformName, CFSTR("G1"), &err);
+ STAssertNil((id)err, @"Can't set g1's name: %@", err);
+ SecTransformSetAttribute(g2, kSecTransformTransformName, CFSTR("G2"), &err);
+ STAssertNil((id)err, @"Can't set g2's name: %@", err);
+ SecTransformSetAttribute(g3, kSecTransformTransformName, CFSTR("G3"), &err);
+ STAssertNil((id)err, @"Can't set g3's name: %@", err);
+
+ SecTransformRef e64 = SecEncodeTransformCreate(kSecBase64Encoding, &err);
+ STAssertNil((id)err, @"Expected err to be nil, got: %@", err);
+ STAssertNotNil((id)e64, @"Could not make Encode64 transform");
+ SecTransformSetAttribute(e64, kSecTransformTransformName, CFSTR("E64"), NULL);
+ SecTransformRef ezlib = SecEncodeTransformCreate(kSecZLibEncoding, &err);
+ STAssertNil((id)err, @"Expected err to be nil, got: %@", err);
+ STAssertNotNil((id)ezlib, @"Could not make Encode ZLib transform");
+ SecTransformSetAttribute(ezlib, kSecTransformTransformName, CFSTR("EZLIB"), NULL);
+
+ SecTransformConnectTransforms(e64, kSecTransformOutputAttributeName, ezlib, kSecTransformInputAttributeName, g1, &err);
+ STAssertNil((id)err, @"Can't connect e64 to ezlib: %@", err);
+ SecTransformConnectTransforms(g1, kSecTransformInputAttributeName, e64, kSecTransformInputAttributeName, g1, &err);
+ STAssertNil((id)err, @"Can't connect g1's input to e64's input: %@", err);
+ SecTransformConnectTransforms(ezlib, kSecTransformOutputAttributeName, g1, kSecTransformOutputAttributeName, g1, &err);
+ STAssertNil((id)err, @"Can't connect ezlib's output to g1's output: %@", err);
+
+ SecTransformRef dzlib = SecDecodeTransformCreate(kSecZLibEncoding, &err);
+ STAssertNil((id)err, @"Expected err to be nil, got: %@", err);
+ STAssertNotNil((id)dzlib, @"Could not make Decode ZLib transform");
+ SecTransformSetAttribute(dzlib, kSecTransformTransformName, CFSTR("dzlib"), NULL);
+ SecTransformRef d64 = SecDecodeTransformCreate(kSecBase64Encoding, &err);
+ STAssertNil((id)err, @"Expected err to be nil, got: %@", err);
+ STAssertNotNil((id)d64, @"Could not make Decode64 transform");
+ SecTransformSetAttribute(dzlib, kSecTransformTransformName, CFSTR("D64"), NULL);
+
+ // putting just one transform in g2 and g3
+ SecTransformConnectTransforms(g2, kSecTransformInputAttributeName, dzlib, kSecTransformInputAttributeName, g2, &err);
+ STAssertNil((id)err, @"Can't connect g2's input to dzlib's input: %@", err);
+ SecTransformConnectTransforms(dzlib, kSecTransformOutputAttributeName, g2, kSecTransformOutputAttributeName, g2, &err);
+ STAssertNil((id)err, @"Can't connect dzlib's output to g2's output: %@", err);
+
+ SecTransformConnectTransforms(g3, kSecTransformInputAttributeName, d64, kSecTransformInputAttributeName, g3, &err);
+ STAssertNil((id)err, @"Can't connect g2's input to d64's input: %@", err);
+ SecTransformConnectTransforms(d64, kSecTransformOutputAttributeName, g3, kSecTransformOutputAttributeName, g3, &err);
+ STAssertNil((id)err, @"Can't connect d64's output to g2's output: %@", err);
+
+ SecTransformConnectTransforms(g1, kSecTransformOutputAttributeName, g2, kSecTransformInputAttributeName, outer, &err);
+ STAssertNil((id)err, @"Can't connect g1 to g2 (dzlib): %@", err);
+ SecTransformConnectTransforms(g2, kSecTransformOutputAttributeName, g3, kSecTransformInputAttributeName, outer, &err);
+ STAssertNil((id)err, @"Can't connect g2 (dzlib) to g3 (d64): %@", err);
+
+ SecTransformSetAttribute(g1, kSecTransformInputAttributeName, input_data, &err);
+ STAssertNil((id)err, @"Can't set g1's input: %@", err);
+
+
+ CFRelease(e64);
+ CFRelease(ezlib);
+ CFRelease(dzlib);
+ CFRelease(d64);
+ CFRelease(g1);
+ CFRelease(g2);
+ CFRelease(g3);
+ return outer;
+}
+
+-(void)testGroupsInGroups {
+ UInt8 original_bytes[] = "'Twas brillig and the...was that smiley toads? Something with chives? Aw heck!";
+ CFDataRef original = CFDataCreate(NULL, original_bytes, sizeof(original_bytes));
+
+ // Test executing the top group, a sub group, and a non-group member.
+ for (NSString *name in [NSArray arrayWithObjects:@"OUTER", @"G1", @"D64", nil]) {
+ CFErrorRef err = NULL;
+ SecGroupTransformRef outer = build_nested_groups(self, original);
+ SecTransformRef start_at = SecTransformFindByName(outer, (CFStringRef)name);
+ STAssertNotNil((id)start_at, @"Expected to find %@", name);
+
+ CFDataRef output = (CFDataRef)SecTransformExecute(start_at, &err);
+ STAssertNil((id)err, @"Can't execute directly created nested transform starting at %@: %@", start_at, err);
+ STAssertEqualObjects((id)output, (id)original, @"Output and original should match (started at %@)", start_at);
+ CFRelease(outer);
+ if (err) {
+ CFRelease(err);
+ }
+ }
+
+ {
+ SecGroupTransformRef bad_outer = build_nested_groups(self, original);
+ SecTransformRef d64 = SecTransformFindByName(bad_outer, CFSTR("D64"));
+ STAssertNotNil((id)d64, @"Expected to find d64");
+ CFErrorRef err = NULL;
+ // d64 is in a group in bad_outer, we set things up to fail
+ // and later expect execute to fail because of it.
+ SecTransformSetAttribute(d64, kSecDecodeTypeAttribute, CFSTR("NOT valid"), &err);
+ if (err) {
+ // It can fail right away
+ ErrorHas((NSError*)err, @"Unsupported decode type");
+ } else {
+ // Or later (see below)
+ STAssertNil((id)err, @"Expected to set decode type: %@", err);
+ }
+
+ SecTransformRef e64 = SecTransformFindByName(bad_outer, CFSTR("E64"));
+ STAssertNotNil((id)e64, @"Expected to find e64");
+ CFStringRef any = CFSTR("ANY");
+ // e64 and d64 aren't in the same groups, but they are in outer.
+ // There should be no way to (directly) connect them, so try all
+ // 4 groups and make sure none work.
+ for (NSString *group_name in [NSArray arrayWithObjects:@"OUTER", @"G1", @"G2", @"G3", nil]) {
+ SecTransformRef connect_in = SecTransformFindByName(bad_outer, (CFStringRef)group_name);
+ STAssertNotNil((id)connect_in, @"Expected to find %@", group_name);
+ err = NULL;
+ SecTransformConnectTransforms(d64, any, e64, any, bad_outer, &err);
+ STAssertNotNil((id)err, @"Expected error on cross group connect (in %@)", group_name);
+ if (err) {
+ STAssertEquals(CFErrorGetCode(err), (CFIndex)kSecTransformErrorInvalidConnection, @"error code (in %@)", group_name);
+ STAssertEqualObjects((id)CFErrorGetDomain(err), (id)kSecTransformErrorDomain, @"error domain (in %@)", group_name);
+ CFRelease(err);
+ err = NULL;
+ }
+
+ // While we are here, make sure we can't set a non-exported group attribute
+ SecTransformSetAttribute((SecTransformRef)connect_in, CFSTR("nobody-exports-me"), CFSTR("VALUE"), &err);
+ STAssertNotNil((id)err, @"Expected an error setting a non-exported attribute on %@", connect_in);
+ // Make sure this is the error we expect, not something unrelated to our transgression
+ ErrorHas((NSError*)err, @"non-exported attribute");
+ // Error should have the name of the offending attribute
+ ErrorHas((NSError*)err, @"nobody-exports-me");
+ if (err) {
+ CFRelease(err);
+ err = NULL;
+ }
+ }
+
+ CFTypeRef no_result = SecTransformExecute(bad_outer, &err);
+ STAssertNotNil((id)err, @"Expected error");
+ ErrorHas((NSError*)err, @"Unsupported decode type");
+ STAssertNil((id)no_result, @"Expected no result, got: %@", no_result);
+ CFRelease(bad_outer);
+
+ // Make sure we can't connect to or from non-exported group attributes
+ bad_outer = build_nested_groups(self, original);
+ STAssertNotNil((id)bad_outer, @"Expected to build nested transform");
+ SecTransformRef g1 = SecTransformFindByName(bad_outer, CFSTR("G1"));
+ STAssertNotNil((id)g1, @"Expected to find g1");
+ SecTransformRef appendix = SecNullTransformCreate();
+ SecTransformConnectTransforms(appendix, kSecTransformOutputAttributeName, g1, CFSTR("NONE"), bad_outer, &err);
+ STAssertNotNil((id)err, @"Expected to fail connecting appendix to g1, but didn't");
+ ErrorHas((NSError*)err, @"non-exported attribute");
+ if (err) {
+ CFRelease(err);
+ err = NULL;
+ }
+ SecTransformConnectTransforms(g1, CFSTR("DOES_NOT_EXIST"), appendix, kSecTransformInputAttributeName, bad_outer, &err);
+ STAssertNotNil((id)err, @"Expected to fail connecting g1 to appendix, but didn't");
+ ErrorHas((NSError*)err, @"non-exported attribute");
+ if (err) {
+ CFRelease(err);
+ err = NULL;
+ }
+
+ CFRelease(bad_outer);
+ CFRelease(appendix);
+ }
+}
+
+// 10080968 covers this case. It isn't a regression (it was impossible to create nested groups
+// until recently), but it needs to be addressed before we ship.
+-(void)disabledUntilPR_10080968_testExternalizeGroupsInGroups {
+ CFErrorRef err = NULL;
+ UInt8 original_bytes[] = "Sic Semper Tyrannosaurus!";
+ CFDataRef original = CFDataCreate(NULL, original_bytes, sizeof(original_bytes));
+
+ SecGroupTransformRef outer = build_nested_groups(self, original);
+ NSLog(@"outer=%@", SecTransformDotForDebugging(outer));
+ SecTransformRef d64 = SecTransformFindByName(outer, CFSTR("D64"));
+ STAssertNotNil((id)d64, @"Expected to find d64");
+
+ CFDictionaryRef freezeDriedNestedGroups = SecTransformCopyExternalRepresentation(d64);
+ STAssertNotNil((id)freezeDriedNestedGroups, @"Expected to externalize group");
+
+ SecTransformRef outer2 = SecTransformCreateFromExternalRepresentation(freezeDriedNestedGroups, &err);
+ STAssertNil((id)err, @"Can't create nested group err: %@", err);
+ STAssertNotNil((id)outer2, @"Expected transform fron xrep: %@", freezeDriedNestedGroups);
+ NSLog(@"outer2=%@", SecTransformDotForDebugging(outer2));
+
+ CFTypeRef output2 = SecTransformExecute(outer2, &err);
+ STAssertNil((id)err, @"Can't execute outer2: %@", err);
+ STAssertEqualObjects((id)output2, (id)original, @"Output2 and original should match");
+}
+
+static NSString *CopyLeakLine()
+{
+ static char os_build[16];
+ static dispatch_once_t get_os_build_once;
+ static BOOL broken_leaks_command = NO;
+
+ dispatch_once(&get_os_build_once, ^{
+ int mib[] = { CTL_KERN, KERN_OSVERSION };
+ size_t bufsz = sizeof(os_build);
+ sysctl(mib, 2, os_build, &bufsz, NULL, 0);
+
+ if (4 == sizeof(char*) && 0 == strcmp(os_build, "12A75")) {
+ // 12A75's leaks command was badly broken for 32 bit.
+ // Running it suspends otest, and it is too hard to
+ // recover.
+ broken_leaks_command = YES;
+ }
+ });
+
+ if (broken_leaks_command) {
+ return [NSString stringWithFormat:@"Leaks command is broken in %s", os_build];
+ }
+
+ NSRegularExpression *matchLeaksLine = [NSRegularExpression regularExpressionWithPattern:@"^Process \\d+: \\d+ leaks for \\d+ total leaked bytes.$" options:NSRegularExpressionAnchorsMatchLines error:NULL];
+
+ char *leak_command = NULL;
+ NSString *fname = [NSString stringWithFormat:@"/tmp/L%d-%d", getpid(), (int)arc4random()];
+ asprintf(&leak_command, "(/usr/bin/leaks %d >%s || (echo OOPS; kill -CONT %d))", getpid(), [fname UTF8String], getpid());
+ system(leak_command);
+ free(leak_command);
+ NSString *output = [NSString stringWithContentsOfFile:fname encoding:NSUTF8StringEncoding error:NULL];
+ NSTextCheckingResult *result = [matchLeaksLine firstMatchInString:output options:0 range:NSMakeRange(0, [output length])];
+ if (result.range.location == NSNotFound) {
+ return NULL;
+ }
+ NSRange matchRange = result.range;
+ return [output substringWithRange:matchRange];
+}
+
+-(void)testAAASimpleLeakTest {
+ NSString *starting_leaks = CopyLeakLine();
+ STAssertNotNil(starting_leaks, @"Found initial leaks");
+ for(int i = 0; i < 10; i++) {
+ CFRelease(SecTransformCreateGroupTransform());
+ }
+
+ NSString *current_leaks = NULL;
+
+ // Some of the destruction is async, so if they don't pan out the same, a little sleep and retry
+ // can legitimately fix it.
+ for(int i = 0; i < 10; i++) {
+ current_leaks = CopyLeakLine();
+ if ([current_leaks isEqualToString:starting_leaks]) {
+ break;
+ } else {
+ sleep(1);
+ }
+ }
+
+ STAssertNotNil(current_leaks, @"Found current leaks");
+ STAssertEqualObjects(current_leaks, starting_leaks, @"Expected no new leaks");
+}
+
+-(void)testAAASimpleishLeakTest {
+ NSLog(@"pid=%d", getpid());
+ NSString *starting_leaks = CopyLeakLine();
+ STAssertNotNil(starting_leaks, @"Found initial leaks");
+ CFErrorRef err = NULL;
+
+ // Derived from Matt Wright's 10242560 test.c
+ int fd = open("/dev/random", O_RDONLY);
+ SecTransformRef b64encode = SecEncodeTransformCreate(kSecBase64Encoding, NULL);
+ const int buffer_size = 1024;
+ void *buffer = malloc(buffer_size);
+ // For this test, ignore short reads
+ read(fd, buffer, buffer_size);
+ CFDataRef data = CFDataCreateWithBytesNoCopy(NULL, (UInt8*)buffer, buffer_size, kCFAllocatorMalloc);
+ SecTransformSetAttribute(b64encode, kSecTransformInputAttributeName, data, &err);
+ STAssertNil((id)err, @"Expected no SecTransformSetAttribute error, got: %@", err);
+ CFRelease(data);
+ CFTypeRef output = SecTransformExecute(b64encode, &err);
+ STAssertNotNil((id)output, @"Expected result");
+ STAssertNil((id)err, @"Expected no execute error, got: %@", err);
+ CFRelease(output);
+ CFRelease(b64encode);
+
+ NSString *current_leaks = NULL;
+
+ // Some of the destruction is async, so if they don't pan out the same, a little sleep and retry
+ // can legitimately fix it.
+ for(int i = 0; i < 10; i++) {
+ current_leaks = CopyLeakLine();
+ if ([current_leaks isEqualToString:starting_leaks]) {
+ break;
+ } else {
+ sleep(1);
+ }
+ }
+
+ STAssertNotNil(current_leaks, @"Found current leaks");
+ STAssertEqualObjects(current_leaks, starting_leaks, @"Expected no new leaks");
+}
+
+@end
projects / apple / security.git / blobdiff