1/*
2 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25#include <CoreFoundation/CoreFoundation.h>
26#include <Security/SecCertificate.h>
27#include <Security/SecCertificatePriv.h>
28#include <Security/SecInternal.h>
29#include <Security/SecPolicyPriv.h>
30#include <Security/SecTrust.h>
31#include <stdlib.h>
32#include <sys/socket.h>
33#include <sys/types.h>
34#include <netinet/in.h>
35#include <arpa/inet.h>
36#include <netdb.h>
37#include <unistd.h>
38#include <string.h>
39
40#include "si-67-sectrust-blacklist/Global Trustee.cer.h"
41#include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
42#include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
43#include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
44#include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
45#include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
46#include "si-67-sectrust-blacklist/login.live.com.cer.h"
47#include "si-67-sectrust-blacklist/mail.google.com.cer.h"
48#include "si-67-sectrust-blacklist/login.skype.com.cer.h"
49#include "si-67-sectrust-blacklist/www.google.com.cer.h"
50
51#include "Security_regressions.h"
52
53static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
54{
55    SecTrustRef trust;
56	SecCertificateRef cert;
57    SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
58    CFArrayRef certs;
59
60	isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
61		NULL, "create cert");
62    certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
63    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
64        "create trust with single cert");
65	//CFDateRef date = CFDateCreate(NULL, 1301008576);
66    //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
67    //CFRelease(date);
68
69	SecTrustResultType trustResult;
70    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
71	is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
72    is_status(trustResult, trust_result, "correct trustResult");
73    CFRelease(trust);
74    CFRelease(policy);
75    CFRelease(certs);
76    CFRelease(cert);
77}
78
79static void tests(void)
80{
81    validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 3, kSecTrustResultFatalTrustFailure);
82    validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 3, kSecTrustResultFatalTrustFailure);
83    /* this is the root, which isn't ok for ssl and fails here, but at the
84       same time it proves that kSecTrustResultFatalTrustFailure isn't
85       returned for policy failures that aren't blacklisting */
86    validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 3, kSecTrustResultFatalTrustFailure);
87    validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 3, kSecTrustResultFatalTrustFailure);
88    validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 3, kSecTrustResultFatalTrustFailure);
89    validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 3, kSecTrustResultFatalTrustFailure);
90    validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
91    validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 3, kSecTrustResultFatalTrustFailure);
92    validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
93}
94
95static int ping_host(char *host_name){
96
97    struct sockaddr_in pin;
98    struct hostent *nlp_host;
99    int sd;
100    int port;
101
102    port=80;
103
104    while ((nlp_host=gethostbyname(host_name))==0){
105        printf("Resolve Error!\n");
106    }
107
108    bzero(&pin,sizeof(pin));
109    pin.sin_family=AF_INET;
110    pin.sin_addr.s_addr=htonl(INADDR_ANY);
111    pin.sin_addr.s_addr=((struct in_addr *)(nlp_host->h_addr))->s_addr;
112    pin.sin_port=htons(port);
113
114    sd=socket(AF_INET,SOCK_STREAM,0);
115
116    if (connect(sd,(struct sockaddr*)&pin,sizeof(pin))==-1){
117        close(sd);
118        return 0;
119    }
120    else{
121        close(sd);
122        return 1;
123    }
124}
125
126int si_67_sectrust_blacklist(int argc, char *const *argv)
127{
128    char *hosts[] = {
129        "EVSecure-ocsp.verisign.com",
130        "EVIntl-ocsp.verisign.com",
131        "EVIntl-aia.verisign.com",
132        "ocsp.comodoca.com",
133        "crt.comodoca.com",
134    };
135
136    int host_cnt = 0;
137    for (host_cnt = 0; host_cnt < 5; host_cnt ++)
138        if(ping_host(hosts[host_cnt]) == 0){
139            printf("Ping specific server failed, check the network!\n");
140            return 0;
141        }
142	plan_tests(45);
143
144	tests();
145
146	return 0;
147}
148