1/* 2 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 25#include <CoreFoundation/CoreFoundation.h> 26#include <Security/SecCertificate.h> 27#include <Security/SecCertificatePriv.h> 28#include <Security/SecInternal.h> 29#include <Security/SecPolicyPriv.h> 30#include <Security/SecTrust.h> 31#include <stdlib.h> 32#include <sys/socket.h> 33#include <sys/types.h> 34#include <netinet/in.h> 35#include <arpa/inet.h> 36#include <netdb.h> 37#include <unistd.h> 38#include <string.h> 39 40#include "si-67-sectrust-blacklist/Global Trustee.cer.h" 41#include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h" 42#include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h" 43#include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h" 44#include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h" 45#include "si-67-sectrust-blacklist/login.yahoo.com.cer.h" 46#include "si-67-sectrust-blacklist/login.live.com.cer.h" 47#include "si-67-sectrust-blacklist/mail.google.com.cer.h" 48#include "si-67-sectrust-blacklist/login.skype.com.cer.h" 
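#include "si-67-sectrust-blacklist/www.google.com.cer.h"

#include "Security_regressions.h"

/* Number of test-framework assertions validate_one_cert() emits on its happy
 * path; plan_tests() in the entry point is derived from this. */
enum { TESTS_PER_CERT = 5 };

/* Every blacklisted leaf below is expected to chain three deep. */
enum { EXPECTED_CHAIN_LENGTH = 3 };

/* TCP port used by ping_host() as a reachability probe (plain HTTP, which is
 * what OCSP/AIA fetches use). */
#define PROBE_PORT "80"

/*
 * Build a one-certificate chain under the SSL policy, evaluate it with
 * SecTrust, and check both the length of the chain SecTrust produced and the
 * trust result.
 *
 * The certificates fed through here are on the SecTrust blacklist, so the
 * expected result is kSecTrustResultFatalTrustFailure: a hard failure that a
 * caller cannot override by trusting the chain, unlike the recoverable
 * failures ordinary policy violations produce.
 *
 * data/len      DER bytes of the certificate under test.
 * chain_length  number of certificates SecTrust is expected to build.
 * trust_result  expected SecTrustResultType.
 *
 * Emits TESTS_PER_CERT assertions when every step succeeds. If the cert,
 * array or trust object cannot be created the remaining steps are skipped
 * rather than evaluated on a NULL/uninitialised reference (which crashed
 * before); the harness then reports the shortfall against plan_tests().
 *
 * No verify date is pinned, so evaluation uses the current time. The
 * blacklist check is expected to dominate regardless of expiry, so the
 * result should be stable over time -- if it ever flips, pin a date with
 * SecTrustSetVerifyDate() rather than relaxing the expectation.
 */
static void validate_one_cert(const uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
{
    SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
    SecCertificateRef cert = NULL;
    CFArrayRef certs = NULL;
    SecTrustRef trust = NULL;
    SecTrustResultType actual = kSecTrustResultInvalid;

    isnt(cert = SecCertificateCreateWithBytes(NULL, data, len), NULL, "create cert");
    if (cert == NULL) {
        goto cleanup;
    }

    /* NULL callbacks: the array does not retain cert; it is released below. */
    certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
    if (certs == NULL) {
        goto cleanup;
    }

    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
              "create trust with single cert");
    if (trust == NULL) {
        goto cleanup;
    }

    ok_status(SecTrustEvaluate(trust, &actual), "evaluate trust");
    is(SecTrustGetCertificateCount(trust), chain_length, "cert count");
    is_status(actual, trust_result, "correct trustResult");

cleanup:
    /* CFRelease(NULL) is not safe, hence the guards. */
    if (trust) {
        CFRelease(trust);
    }
    if (certs) {
        CFRelease(certs);
    }
    if (cert) {
        CFRelease(cert);
    }
    if (policy) {
        CFRelease(policy);
    }
}

/*
 * One row per blacklisted certificate under test. The leaves are issued for
 * high-value names (login.yahoo.com, mail.google.com, addons.mozilla.org,
 * login.live.com, login.skype.com, www.google.com) plus a "Global Trustee"
 * entry; each must be rejected outright by the blacklist, not merely fail
 * policy.
 */
static const struct blacklisted_cert {
    const uint8_t *data;
    size_t len;
} blacklisted_certs[] = {
    { Global_Trustee_cer,     sizeof(Global_Trustee_cer) },
    { login_yahoo_com_1_cer,  sizeof(login_yahoo_com_1_cer) },
    /* NOTE(review): an older comment described this entry as the root, which
     * fails for SSL policy reasons rather than blacklisting -- yet it carries
     * the same FatalTrustFailure / three-deep expectation as the leaves.
     * That comment looks stale; confirm which it is before relying on it. */
    { login_yahoo_com_2_cer,  sizeof(login_yahoo_com_2_cer) },
    { addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer) },
    { login_yahoo_com_cer,    sizeof(login_yahoo_com_cer) },
    { login_live_com_cer,     sizeof(login_live_com_cer) },
    { mail_google_com_cer,    sizeof(mail_google_com_cer) },
    { login_skype_com_cer,    sizeof(login_skype_com_cer) },
    { www_google_com_cer,     sizeof(www_google_com_cer) },
};

#define BLACKLISTED_CERT_COUNT (sizeof(blacklisted_certs) / sizeof(blacklisted_certs[0]))

/*
 * Run validate_one_cert() over every blacklisted certificate. Each call is
 * independent, so one failure does not mask the others.
 */
static void tests(void)
{
    size_t i;

    for (i = 0; i < BLACKLISTED_CERT_COUNT; i++) {
        validate_one_cert(blacklisted_certs[i].data, blacklisted_certs[i].len,
                          EXPECTED_CHAIN_LENGTH, kSecTrustResultFatalTrustFailure);
    }
}

/*
 * Reachability probe: resolve host_name and attempt one TCP connect to
 * PROBE_PORT. Returns 1 if a connect succeeds, 0 otherwise.
 *
 * Despite the name this is not ICMP ping; it only establishes that the host
 * accepts TCP on port 80, which is what the OCSP/AIA fetches that trust
 * evaluation may perform need.
 *
 * A name that does not resolve returns 0 instead of spinning: the previous
 * implementation retried gethostbyname() without bound, turning an offline
 * machine into a hung test run. IPv4 and IPv6 answers are both accepted.
 */
static int ping_host(const char *host_name)
{
    struct addrinfo hints;
    struct addrinfo *results = NULL;
    struct addrinfo *ai;
    int reachable = 0;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;

    rc = getaddrinfo(host_name, PROBE_PORT, &hints, &results);
    if (rc != 0) {
        printf("Resolve Error (%s): %s\n", host_name, gai_strerror(rc));
        return 0;
    }

    /* Try each address in turn; the first successful connect wins. */
    for (ai = results; ai != NULL && !reachable; ai = ai->ai_next) {
        int sd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (sd == -1) {
            continue;
        }
        if (connect(sd, ai->ai_addr, ai->ai_addrlen) == 0) {
            reachable = 1;
        }
        close(sd);
    }

    freeaddrinfo(results);
    return reachable;
}

/*
 * Entry point for the si-67 regression.
 *
 * Trust evaluation may need to reach the CAs' OCSP/AIA servers, so the run is
 * aborted before a test plan is registered when any of them is unreachable:
 * a network outage must not be reported as a trust-evaluation failure, and
 * in particular must not look like a blacklisted cert being accepted.
 * NOTE(review): if the harness offers a skip facility, reporting the abort
 * through it would be clearer than a silent return 0.
 *
 * argc/argv are unused.
 */
int si_67_sectrust_blacklist(int argc, char *const *argv)
{
    static const char *const hosts[] = {
        "EVSecure-ocsp.verisign.com",
        "EVIntl-ocsp.verisign.com",
        "EVIntl-aia.verisign.com",
        "ocsp.comodoca.com",
        "crt.comodoca.com",
    };
    size_t i;

    (void)argc;
    (void)argv;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        if (!ping_host(hosts[i])) {
            printf("Cannot reach %s on port " PROBE_PORT "; check the network!\n", hosts[i]);
            return 0;
        }
    }

    /* 9 certificates x 5 assertions each = 45. */
    plan_tests((int)(BLACKLISTED_CERT_COUNT * TESTS_PER_CERT));

    tests();

    return 0;
}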