1/*
2 * Copyright (c) 2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24#include <CoreFoundation/CoreFoundation.h>
25#include <Security/Security.h>
26#include <Security/SecCertificatePriv.h>
27//#include <Security/SecInternal.h>
28
29#include "keychain_regressions.h"
30#include "utilities/SecCFRelease.h"
31
32/* subject:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=3014267/C=US/postalCode=95131-2021/ST=California/L=San Jose/street=2211 N 1st St/O=PayPal, Inc./OU=CDN Support/CN=www.paypal.com */
33/* issuer :/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA */
34unsigned char leaf_certificate[1548]={
35    0x30,0x82,0x06,0x08,0x30,0x82,0x04,0xF0,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x08,
36    0x34,0xE4,0x53,0xD4,0x3A,0x68,0x57,0x23,0xAF,0xFB,0xB1,0x33,0xCE,0x45,0x7C,0x30,
37    0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,
38    0xBA,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x17,
39    0x30,0x15,0x06,0x03,0x55,0x04,0x0A,0x13,0x0E,0x56,0x65,0x72,0x69,0x53,0x69,0x67,
40    0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04,0x0B,
41    0x13,0x16,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x54,0x72,0x75,0x73,0x74,
42    0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x3B,0x30,0x39,0x06,0x03,0x55,0x04,
43    0x0B,0x13,0x32,0x54,0x65,0x72,0x6D,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,0x20,
44    0x61,0x74,0x20,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x76,
45    0x65,0x72,0x69,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x70,0x61,0x20,
46    0x28,0x63,0x29,0x30,0x36,0x31,0x34,0x30,0x32,0x06,0x03,0x55,0x04,0x03,0x13,0x2B,
47    0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,
48    0x20,0x45,0x78,0x74,0x65,0x6E,0x64,0x65,0x64,0x20,0x56,0x61,0x6C,0x69,0x64,0x61,
49    0x74,0x69,0x6F,0x6E,0x20,0x53,0x53,0x4C,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,
50    0x34,0x30,0x34,0x31,0x35,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,0x35,
51    0x30,0x34,0x30,0x32,0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x82,0x01,0x09,0x31,
52    0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,
53    0x13,0x02,0x55,0x53,0x31,0x19,0x30,0x17,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,
54    0x37,0x3C,0x02,0x01,0x02,0x13,0x08,0x44,0x65,0x6C,0x61,0x77,0x61,0x72,0x65,0x31,
55    0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0F,0x13,0x14,0x50,0x72,0x69,0x76,0x61,0x74,
56    0x65,0x20,0x4F,0x72,0x67,0x61,0x6E,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x31,0x10,
57    0x30,0x0E,0x06,0x03,0x55,0x04,0x05,0x13,0x07,0x33,0x30,0x31,0x34,0x32,0x36,0x37,
58    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,
59    0x11,0x06,0x03,0x55,0x04,0x11,0x14,0x0A,0x39,0x35,0x31,0x33,0x31,0x2D,0x32,0x30,
60    0x32,0x31,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x13,0x0A,0x43,0x61,0x6C,
61    0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x07,
62    0x14,0x08,0x53,0x61,0x6E,0x20,0x4A,0x6F,0x73,0x65,0x31,0x16,0x30,0x14,0x06,0x03,
63    0x55,0x04,0x09,0x14,0x0D,0x32,0x32,0x31,0x31,0x20,0x4E,0x20,0x31,0x73,0x74,0x20,
64    0x53,0x74,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0A,0x14,0x0C,0x50,0x61,0x79,
65    0x50,0x61,0x6C,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x14,0x30,0x12,0x06,0x03,0x55,
66    0x04,0x0B,0x14,0x0B,0x43,0x44,0x4E,0x20,0x53,0x75,0x70,0x70,0x6F,0x72,0x74,0x31,
67    0x17,0x30,0x15,0x06,0x03,0x55,0x04,0x03,0x14,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,
68    0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,
69    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,
70    0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xBE,0xAE,0x46,0x4D,0x99,0x6E,0x6D,
71    0x6C,0x35,0x4B,0x88,0x32,0x38,0xBB,0xDC,0xD0,0x09,0x95,0xD0,0x9A,0xE4,0x36,0xE7,
72    0x9F,0x0A,0xB0,0xF2,0xD7,0xD2,0x30,0x62,0x03,0x1F,0xAD,0xC6,0xF4,0x6D,0x10,0x84,
73    0xF7,0x79,0x1B,0xBC,0x74,0xC0,0xA8,0xE3,0x82,0xFE,0xD4,0x0A,0x93,0x2E,0x3D,0x4B,
74    0x12,0x24,0xAD,0xAD,0x5F,0x5D,0xED,0x1C,0xC9,0x1C,0x6F,0x13,0x7B,0xE2,0xC1,0x25,
75    0x4E,0x46,0x5F,0x4F,0x3B,0x2E,0x5A,0xCB,0xC1,0x5A,0xB4,0x82,0xCF,0xAD,0xA3,0x65,
76    0xE8,0x86,0x33,0xB5,0xED,0x1D,0x78,0x99,0xA7,0xC7,0xD5,0xFA,0x10,0x2E,0xFB,0x11,
77    0x4E,0x23,0x58,0x06,0x96,0x87,0x71,0x75,0x51,0x73,0x8C,0x0F,0xF4,0xCA,0x7C,0x8F,
78    0x91,0x25,0x79,0x13,0xDC,0xB0,0xF0,0xDE,0x08,0x07,0x01,0x0B,0x64,0xCC,0x57,0x6A,
79    0x12,0x86,0x62,0x17,0x3E,0x5D,0xB9,0x62,0x3D,0x58,0x7B,0x2A,0x6E,0xF6,0xA6,0x30,
80    0x41,0x02,0xFC,0xEC,0x64,0x72,0x33,0xD5,0xD5,0x3F,0x6B,0x6D,0x97,0xF3,0xC1,0x61,
81    0xBF,0x38,0x3B,0xAB,0x41,0x47,0xD4,0xC2,0x03,0xD7,0x3B,0x59,0x57,0x9D,0xE1,0xA1,
82    0x2A,0xD6,0x78,0xE8,0x83,0x5D,0x3D,0xDD,0xAA,0x5D,0x17,0xFD,0x94,0xD6,0xE5,0x7A,
83    0xEF,0x02,0x63,0xC6,0xA3,0xC6,0x2D,0x5B,0x33,0x08,0x8B,0xF5,0xA5,0x03,0xB4,0xFE,
84    0xF2,0x1D,0xAB,0xBF,0x5E,0x9E,0xB8,0x78,0x39,0x20,0x2B,0x68,0x61,0x4F,0xE4,0x99,
85    0xF2,0xAA,0xC2,0x4D,0x4B,0x48,0xCB,0x68,0xC2,0x10,0x3F,0xFA,0x9A,0xBA,0xC5,0x6A,
86    0x53,0x8F,0x22,0xF3,0xD7,0xC9,0xED,0xA4,0xD5,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,
87    0x01,0xB6,0x30,0x82,0x01,0xB2,0x30,0x67,0x06,0x03,0x55,0x1D,0x11,0x04,0x60,0x30,
88    0x5E,0x82,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,
89    0x6D,0x82,0x12,0x68,0x69,0x73,0x74,0x6F,0x72,0x79,0x2E,0x70,0x61,0x79,0x70,0x61,
90    0x6C,0x2E,0x63,0x6F,0x6D,0x82,0x0C,0x74,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,
91    0x63,0x6F,0x6D,0x82,0x0C,0x63,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,
92    0x6D,0x82,0x0E,0x74,0x6D,0x73,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,
93    0x6D,0x82,0x0C,0x74,0x6D,0x73,0x2E,0x65,0x62,0x61,0x79,0x2E,0x63,0x6F,0x6D,0x30,
94    0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,
95    0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,
96    0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x06,
97    0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x30,0x66,0x06,0x03,0x55,0x1D,0x20,
98    0x04,0x5F,0x30,0x5D,0x30,0x5B,0x06,0x0B,0x60,0x86,0x48,0x01,0x86,0xF8,0x45,0x01,
99    0x07,0x17,0x06,0x30,0x4C,0x30,0x23,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,
100    0x01,0x16,0x17,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x64,0x2E,0x73,0x79,0x6D,
101    0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x70,0x73,0x30,0x25,0x06,0x08,0x2B,0x06,
102    0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x19,0x1A,0x17,0x68,0x74,0x74,0x70,0x73,0x3A,
103    0x2F,0x2F,0x64,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x70,
104    0x61,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xFC,0x8A,
105    0x50,0xBA,0x9E,0xB9,0x25,0x5A,0x7B,0x55,0x85,0x4F,0x95,0x00,0x63,0x8F,0xE9,0x58,
106    0x6B,0x43,0x30,0x2B,0x06,0x03,0x55,0x1D,0x1F,0x04,0x24,0x30,0x22,0x30,0x20,0xA0,
107    0x1E,0xA0,0x1C,0x86,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x61,0x2E,0x73,
108    0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x73,0x61,0x2E,0x63,0x72,0x6C,0x30,
109    0x57,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x4B,0x30,0x49,0x30,
110    0x1F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x13,0x68,0x74,0x74,
111    0x70,0x3A,0x2F,0x2F,0x73,0x61,0x2E,0x73,0x79,0x6D,0x63,0x64,0x2E,0x63,0x6F,0x6D,
112    0x30,0x26,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x1A,0x68,0x74,
113    0x74,0x70,0x3A,0x2F,0x2F,0x73,0x61,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,
114    0x6D,0x2F,0x73,0x61,0x2E,0x63,0x72,0x74,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,
115    0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x76,0x08,0xAB,0x64,
116    0xF6,0xF4,0x0B,0xE4,0x81,0xBD,0x59,0xB2,0x3E,0xA4,0xFC,0xF5,0x03,0x75,0x04,0x59,
117    0x6A,0xB5,0xFE,0x12,0x34,0x2A,0x04,0x9C,0x89,0xCD,0xCB,0xE1,0x3C,0x6C,0x20,0x39,
118    0xD4,0xEA,0x6F,0x27,0x34,0x7F,0x62,0x1C,0x45,0x72,0x11,0x39,0xC0,0x45,0xAA,0x2A,
119    0x35,0x5C,0xB6,0x06,0xE3,0x08,0xA7,0x8F,0x08,0xAF,0x80,0xB2,0x10,0xCE,0xA5,0x28,
120    0x5B,0x1C,0x49,0x55,0x11,0xEB,0x6B,0x2A,0x80,0xC1,0x09,0xED,0x82,0x72,0x48,0xCA,
121    0x19,0x8B,0xE5,0x34,0x94,0x3C,0x50,0x26,0x77,0x6B,0x1A,0x63,0xBA,0x6F,0x63,0xD1,
122    0x58,0xED,0x2B,0x1D,0xB7,0xA7,0x6E,0x04,0x25,0x99,0xC3,0x94,0x03,0x90,0xEC,0x0F,
123    0x4C,0x93,0x83,0x35,0x86,0xE3,0x70,0x84,0x0D,0x3C,0xCE,0xAF,0x4E,0x80,0x4A,0xD3,
124    0x91,0x3F,0x55,0x33,0x2F,0x1F,0x67,0x87,0x2F,0x09,0xA2,0x41,0xC0,0x10,0x4A,0x2C,
125    0xC4,0x88,0xA0,0x6F,0x93,0x2C,0xEF,0x38,0xD2,0x61,0xC7,0xEC,0xF3,0x37,0x7D,0xC9,
126    0x32,0xA5,0x5C,0x1E,0x48,0x0E,0x85,0x6C,0x47,0x2A,0x7F,0xC6,0x30,0x5E,0xC2,0xF6,
127    0x2E,0xDD,0xE3,0x4D,0xAC,0xFF,0xEF,0x48,0x26,0xC7,0x51,0x74,0x47,0x32,0x46,0x0B,
128    0xCD,0x7A,0x0A,0x5D,0x5B,0xC5,0x8D,0xED,0x17,0xBC,0xDE,0x09,0xBC,0xE9,0x93,0xA9,
129    0x7C,0x85,0x9C,0x88,0xA6,0x83,0xBC,0xD6,0xE5,0x1F,0x05,0x10,0xDF,0xB2,0x4F,0xA2,
130    0xC5,0x97,0x00,0x8B,0x57,0xC7,0x0D,0xE7,0xC7,0x57,0x57,0x87,0x7D,0x13,0x9F,0x5C,
131    0x5C,0xF7,0xF3,0xCD,0x00,0x89,0x0D,0x85,0x9A,0xA2,0x70,0xDA,
132};
133
134/* subject:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA */
135/* issuer :/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 */
136unsigned char CA_certificate[1512]={
137    0x30,0x82,0x05,0xE4,0x30,0x82,0x04,0xCC,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x5B,
138    0x77,0x59,0xC6,0x17,0x84,0xE1,0x5E,0xC7,0x27,0xC0,0x32,0x95,0x29,0x28,0x6B,0x30,
139    0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,
140    0xCA,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x17,
141    0x30,0x15,0x06,0x03,0x55,0x04,0x0A,0x13,0x0E,0x56,0x65,0x72,0x69,0x53,0x69,0x67,
142    0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04,0x0B,
143    0x13,0x16,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x54,0x72,0x75,0x73,0x74,
144    0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x3A,0x30,0x38,0x06,0x03,0x55,0x04,
145    0x0B,0x13,0x31,0x28,0x63,0x29,0x20,0x32,0x30,0x30,0x36,0x20,0x56,0x65,0x72,0x69,
146    0x53,0x69,0x67,0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x20,0x2D,0x20,0x46,0x6F,0x72,
147    0x20,0x61,0x75,0x74,0x68,0x6F,0x72,0x69,0x7A,0x65,0x64,0x20,0x75,0x73,0x65,0x20,
148    0x6F,0x6E,0x6C,0x79,0x31,0x45,0x30,0x43,0x06,0x03,0x55,0x04,0x03,0x13,0x3C,0x56,
149    0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20,
150    0x50,0x75,0x62,0x6C,0x69,0x63,0x20,0x50,0x72,0x69,0x6D,0x61,0x72,0x79,0x20,0x43,
151    0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,
152    0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x47,0x35,0x30,0x1E,0x17,0x0D,0x30,
153    0x36,0x31,0x31,0x30,0x38,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,0x36,
154    0x31,0x31,0x30,0x37,0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x81,0xBA,0x31,0x0B,
155    0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x17,0x30,0x15,0x06,
156    0x03,0x55,0x04,0x0A,0x13,0x0E,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x2C,0x20,
157    0x49,0x6E,0x63,0x2E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04,0x0B,0x13,0x16,0x56,
158    0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x54,0x72,0x75,0x73,0x74,0x20,0x4E,0x65,
159    0x74,0x77,0x6F,0x72,0x6B,0x31,0x3B,0x30,0x39,0x06,0x03,0x55,0x04,0x0B,0x13,0x32,
160    0x54,0x65,0x72,0x6D,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,0x20,0x61,0x74,0x20,
161    0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x76,0x65,0x72,0x69,
162    0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x70,0x61,0x20,0x28,0x63,0x29,
163    0x30,0x36,0x31,0x34,0x30,0x32,0x06,0x03,0x55,0x04,0x03,0x13,0x2B,0x56,0x65,0x72,
164    0x69,0x53,0x69,0x67,0x6E,0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20,0x45,0x78,
165    0x74,0x65,0x6E,0x64,0x65,0x64,0x20,0x56,0x61,0x6C,0x69,0x64,0x61,0x74,0x69,0x6F,
166    0x6E,0x20,0x53,0x53,0x4C,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,
167    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,
168    0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0x98,0xDB,0xA0,0x55,0xEB,0x9C,0xFD,
169    0x17,0x79,0xE3,0x9A,0x6E,0x14,0x1D,0xB1,0x5B,0x98,0x23,0x87,0x16,0x6E,0x87,0x76,
170    0x9C,0xB5,0x38,0x3B,0xB5,0xA0,0x7A,0xB4,0x07,0x63,0x09,0x19,0xE6,0x2A,0x88,0x48,
171    0xA9,0xE7,0x9D,0xB6,0x30,0x5A,0x08,0x97,0x0C,0xEC,0xAA,0xE4,0x16,0x69,0x72,0x62,
172    0x23,0x9A,0xFB,0x7A,0x54,0x28,0x98,0xC5,0x0C,0x2D,0xB7,0xD7,0x22,0xB6,0xC8,0xF9,
173    0x38,0x17,0xC7,0xDD,0xDA,0x31,0x46,0x9A,0x94,0x14,0x8E,0x9E,0xEE,0x78,0xA0,0xB7,
174    0x22,0xD4,0x49,0x54,0x97,0x4D,0xE5,0x74,0x5B,0x92,0xBC,0xEC,0x6C,0x2C,0xDF,0xE7,
175    0xC1,0xB6,0x1B,0x1A,0x55,0x6B,0x66,0x08,0x03,0x7F,0x45,0xAF,0x9A,0x33,0xF1,0x10,
176    0xC0,0x6C,0x99,0x4A,0x92,0x24,0x31,0x08,0x6D,0xDD,0x02,0x3E,0x61,0x76,0x78,0x78,
177    0xB6,0xED,0x7E,0x37,0xAE,0x6C,0xF3,0x89,0xE1,0xB7,0xE1,0xDC,0x15,0xCC,0xB7,0x56,
178    0x9F,0x80,0xA0,0xB1,0x05,0x7F,0x4E,0x37,0x15,0xFF,0xB7,0x2F,0x1E,0x8F,0x06,0x38,
179    0x3F,0x50,0xB7,0x69,0x28,0xA3,0xB5,0x66,0x5F,0x36,0x1A,0x52,0x48,0x43,0x66,0x52,
180    0xDF,0xA2,0x92,0x4F,0xD3,0x18,0x60,0xBE,0xE3,0xEA,0x5E,0x19,0x71,0x05,0xBF,0x9E,
181    0x1C,0x6C,0x68,0x72,0x25,0x6F,0xB3,0x7B,0x73,0xC9,0x6D,0xBD,0x12,0xFF,0x9B,0x41,
182    0x32,0x5E,0xF4,0xE8,0x7E,0xC5,0x0B,0xA3,0x4C,0x64,0xD1,0x4E,0xBC,0x26,0x08,0x65,
183    0xFB,0x19,0x97,0x58,0x78,0xE1,0x33,0xBF,0xED,0x68,0x3E,0xB1,0x27,0x45,0x6F,0xC0,
184    0xE2,0xEC,0x97,0x69,0xF7,0x5C,0xD3,0xF7,0x51,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,
185    0x01,0xD2,0x30,0x82,0x01,0xCE,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
186    0x14,0xFC,0x8A,0x50,0xBA,0x9E,0xB9,0x25,0x5A,0x7B,0x55,0x85,0x4F,0x95,0x00,0x63,
187    0x8F,0xE9,0x58,0x6B,0x43,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,
188    0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x3D,0x06,0x03,0x55,0x1D,0x20,
189    0x04,0x36,0x30,0x34,0x30,0x32,0x06,0x04,0x55,0x1D,0x20,0x00,0x30,0x2A,0x30,0x28,
190    0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1C,0x68,0x74,0x74,0x70,
191    0x73,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x76,0x65,0x72,0x69,0x73,0x69,0x67,0x6E,
192    0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x70,0x73,0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,
193    0x36,0x30,0x34,0x30,0x32,0xA0,0x30,0xA0,0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,
194    0x2F,0x2F,0x45,0x56,0x53,0x65,0x63,0x75,0x72,0x65,0x2D,0x63,0x72,0x6C,0x2E,0x76,
195    0x65,0x72,0x69,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x63,0x61,0x33,
196    0x2D,0x67,0x35,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,
197    0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x11,0x06,0x09,0x60,0x86,0x48,0x01,0x86,
198    0xF8,0x42,0x01,0x01,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x6D,0x06,0x08,0x2B,0x06,
199    0x01,0x05,0x05,0x07,0x01,0x0C,0x04,0x61,0x30,0x5F,0xA1,0x5D,0xA0,0x5B,0x30,0x59,
200    0x30,0x57,0x30,0x55,0x16,0x09,0x69,0x6D,0x61,0x67,0x65,0x2F,0x67,0x69,0x66,0x30,
201    0x21,0x30,0x1F,0x30,0x07,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x04,0x14,0x8F,0xE5,
202    0xD3,0x1A,0x86,0xAC,0x8D,0x8E,0x6B,0xC3,0xCF,0x80,0x6A,0xD4,0x48,0x18,0x2C,0x7B,
203    0x19,0x2E,0x30,0x25,0x16,0x23,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6C,0x6F,0x67,
204    0x6F,0x2E,0x76,0x65,0x72,0x69,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x76,
205    0x73,0x6C,0x6F,0x67,0x6F,0x2E,0x67,0x69,0x66,0x30,0x29,0x06,0x03,0x55,0x1D,0x11,
206    0x04,0x22,0x30,0x20,0xA4,0x1E,0x30,0x1C,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,
207    0x03,0x13,0x11,0x43,0x6C,0x61,0x73,0x73,0x33,0x43,0x41,0x32,0x30,0x34,0x38,0x2D,
208    0x31,0x2D,0x34,0x37,0x30,0x3D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,
209    0x04,0x31,0x30,0x2F,0x30,0x2D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,
210    0x86,0x21,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x45,0x56,0x53,0x65,0x63,0x75,0x72,
211    0x65,0x2D,0x6F,0x63,0x73,0x70,0x2E,0x76,0x65,0x72,0x69,0x73,0x69,0x67,0x6E,0x2E,
212    0x63,0x6F,0x6D,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,
213    0x7F,0xD3,0x65,0xA7,0xC2,0xDD,0xEC,0xBB,0xF0,0x30,0x09,0xF3,0x43,0x39,0xFA,0x02,
214    0xAF,0x33,0x31,0x33,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,
215    0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x96,0xA2,0xFA,0x7F,0xE6,0x3D,0xED,0xD4,
216    0x2B,0xCE,0xB7,0x15,0x3F,0xC0,0x72,0x03,0x5F,0x8B,0xBA,0x16,0x90,0x25,0xF7,0xC2,
217    0x83,0xD8,0xC7,0x75,0x34,0x63,0x68,0x12,0x53,0x0C,0x53,0x89,0x7B,0xC9,0x56,0x09,
218    0xA7,0xC3,0x36,0x44,0x4E,0x0E,0xD0,0x62,0x62,0xB3,0x86,0xFA,0xE8,0xA1,0x9B,0x34,
219    0x67,0x8D,0x53,0x22,0x17,0x3E,0xFD,0xAC,0xEE,0x67,0x2E,0x43,0xE2,0x5D,0x7F,0x33,
220    0x84,0xF2,0xA2,0x70,0xC0,0x6E,0x82,0x97,0xC0,0x34,0xFD,0x25,0xC6,0x23,0x7F,0xED,
221    0xE6,0xB0,0xC5,0x57,0x43,0x84,0xB2,0xDE,0x2D,0xF1,0xD0,0xF6,0x48,0x1F,0x14,0x71,
222    0x57,0xB2,0xAC,0x31,0xE1,0x97,0x24,0x23,0xC9,0x13,0x5D,0x74,0xE5,0x46,0xEF,0x09,
223    0x7C,0x9E,0xE1,0x99,0x31,0x0A,0x08,0x79,0x1B,0x8F,0x71,0x9F,0x17,0x66,0xC8,0x38,
224    0xCF,0xEE,0x8C,0x97,0xB6,0x06,0xB9,0x73,0x46,0xE4,0xD3,0x94,0xC1,0xE5,0x60,0xB5,
225    0x25,0x75,0x2D,0xD9,0x69,0x31,0xEC,0xCD,0x96,0xC3,0xA3,0x76,0xFD,0xE8,0x74,0x44,
226    0xAC,0x12,0xB9,0x4D,0xBF,0x51,0xE8,0xB9,0xD4,0x44,0x4E,0x27,0xCB,0xAE,0x20,0xD1,
227    0x7E,0x2A,0x7C,0xB6,0x63,0x47,0x9E,0x76,0xBA,0x97,0xD0,0x16,0xE7,0x0B,0x6C,0x6D,
228    0xF7,0x43,0x6F,0x33,0x0B,0x29,0x30,0x77,0xFA,0x9D,0xF9,0xF5,0x4E,0xB8,0x76,0xB3,
229    0xCD,0x18,0xB4,0xF9,0x20,0xEF,0x3D,0xDB,0xE6,0xCA,0xAD,0x9B,0xD0,0x4E,0xD2,0x87,
230    0xA9,0x0D,0xA6,0x44,0x73,0x50,0xDD,0x70,0x5B,0xED,0xAD,0x7E,0x4A,0xBC,0x22,0xD5,
231    0xA8,0x26,0xE4,0xC2,0x85,0x20,0x0D,0xD9,
232};
233
234
235
236/*
237 *  Note: this test requires Network connectivity!
238 */
239
240static void tests(void)
241{
242    SecCertificateRef leaf_cert;
243    SecCertificateRef CA_cert;
244
245    // Import certificates from byte array above
246    isnt(leaf_cert = SecCertificateCreateWithBytes(NULL, leaf_certificate, sizeof(leaf_certificate)),
247         NULL, "Leaf Cert");
248    isnt(CA_cert   = SecCertificateCreateWithBytes(NULL, CA_certificate, sizeof(CA_certificate)),
249         NULL, "CA Cert");
250
251    /*
252     *  1) Test explicit revocation with no OCSP/CRL
253     * Side note: cache is stored in /var/db/crls/ocspcache.db crlcache.db etc...
254     */
255
256    OSStatus status;
257    SecPolicyRef policy_default = SecPolicyCreateBasicX509();
258    SecPolicyRef policy_revoc = SecPolicyCreateRevocation(kSecRevocationNetworkAccessDisabled);
259
260    // Default Policies
261    CFMutableArrayRef DefaultPolicy = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
262    CFArrayAppendValue(DefaultPolicy, policy_default);
263
264    // Default Policies + explicit revocation
265    CFMutableArrayRef DefaultPolicyWithRevocation = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
266    CFArrayAppendValue(DefaultPolicyWithRevocation, policy_default);
267    CFArrayAppendValue(DefaultPolicyWithRevocation, policy_revoc);
268
269    // Valid chain of Cert (leaf + CA)
270    CFMutableArrayRef CertFullChain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
271    CFArrayAppendValue(CertFullChain, leaf_cert);
272    CFArrayAppendValue(CertFullChain, CA_cert);
273
274    // Chain of cert minus the issuer
275    CFMutableArrayRef CertMissingIssuer = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
276    CFArrayAppendValue(CertMissingIssuer, leaf_cert);
277
278    // Free Resources since all are in arrays
279    CFReleaseSafe(leaf_cert);
280    CFReleaseSafe(CA_cert);
281    CFReleaseSafe(policy_default);
282    CFReleaseSafe(policy_revoc);
283
284    // a) First evaluate an entire EV certificate chain with default policy
285    // OCSP/CRL performed (online/from cache)
286
287    // Array of policy to add explicit revocation policy
288    {
289        SecTrustRef trust = NULL;
290        SecTrustResultType trust_result;
291
292        // Proceed to trust evaluation in two steps
293        ok_status(status = SecTrustCreateWithCertificates(CertFullChain, DefaultPolicy, &trust),
294                  "SecTrustCreateWithCertificates");
295        ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
296
297        // Check results
298        is_status(trust_result, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
299        CFDictionaryRef TrustResultsDict = SecTrustCopyResult(trust);
300        CFBooleanRef ev = (CFBooleanRef)CFDictionaryGetValue(TrustResultsDict,
301                                                             kSecTrustExtendedValidation);
302        ok(ev && CFEqual(kCFBooleanTrue, ev), "extended validation succeeded");
303
304        CFReleaseNull(TrustResultsDict);
305        CFReleaseNull(trust);
306    }
307
308    // b) Set explicit revocation policy to disable network access
309    // and now expect EV marker to be dropped.
310    // Network packet logging can be used to confirm no OCSP/CRL message is sent.
311    {
312        SecTrustRef trust = NULL;
313        SecTrustResultType trust_result;
314
315        // Proceed to trust evaluation in two steps
316        ok_status(status = SecTrustCreateWithCertificates(CertFullChain, DefaultPolicyWithRevocation, &trust),
317                  "SecTrustCreateWithCertificates");
318        ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
319
320        // Check results
321        is_status(trust_result, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
322        CFDictionaryRef TrustResultsDict = SecTrustCopyResult(trust);
323        CFBooleanRef ev = (CFBooleanRef)CFDictionaryGetValue(TrustResultsDict,
324                                                             kSecTrustExtendedValidation);
325        ok(!ev || (ev && CFEqual(kCFBooleanFalse, ev)), "Expect no extended validation because of lack of revocation");
326
327        CFReleaseNull(TrustResultsDict);
328        CFReleaseNull(trust);
329    }
330
331    /*
332     *  2) Test retrieving of issuer being blocked
333     */
334
335    // a) Evaluate leaf EV certificate and expect success (issuer retrieved online)
336    {
337        SecTrustRef trust = NULL;
338        SecTrustResultType trust_result;
339
340        // Proceed to trust evaluation in two steps
341        ok_status(status = SecTrustCreateWithCertificates(CertMissingIssuer, DefaultPolicy, &trust),
342                  "SecTrustCreateWithCertificates");
343        ok_status(status = SecTrustSetNetworkFetchAllowed(trust,true), "SecTrustSetNetworkFetchAllowed");
344        ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
345
346        // Check results
347        is_status(trust_result, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
348        CFDictionaryRef TrustResultsDict = SecTrustCopyResult(trust);
349        CFBooleanRef ev = (CFBooleanRef)CFDictionaryGetValue(TrustResultsDict,
350                                                             kSecTrustExtendedValidation);
351        ok(ev && CFEqual(kCFBooleanTrue, ev), "extended validation succeeded");
352
353        CFReleaseNull(TrustResultsDict);
354        CFReleaseNull(trust);
355    }
356
357    // b) Set SecTrustSetNetworkFetchAllowed to false which should prevent issuer cert to be fetched
358    // and therefore cause evaluation failure.
359    {
360        SecTrustRef trust = NULL;
361        SecTrustResultType trust_result;
362
363        // Proceed to trust evaluation in two steps, forcing no network allowed
364        ok_status(status = SecTrustCreateWithCertificates(CertMissingIssuer, DefaultPolicy, &trust),
365                  "SecTrustCreateWithCertificates");
366        ok_status(status = SecTrustSetNetworkFetchAllowed(trust,false), "SecTrustSetNetworkFetchAllowed");
367        ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
368
369        // Check results
370        is_status(trust_result, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultProceed");
371
372        CFReleaseNull(trust);
373    }
374
375    // Free remaining resources
376    CFReleaseSafe(DefaultPolicy);
377    CFReleaseSafe(DefaultPolicyWithRevocation);
378    CFReleaseSafe(CertFullChain);
379    CFReleaseSafe(CertMissingIssuer);
380}
381
382int kc_42_trust_revocation(int argc, char *const *argv)
383{
384    plan_tests(19);
385    tests();
386
387    return 0;
388}
389
390
391