/*
 *  si-67-sectrust-blacklist.c
 *  regressions
 *
 *  Created by Conrad Sauerwald on 3/24/11.
 *  Copyright 2011 Apple Inc. All rights reserved.
 *
 */
9
10#include <CoreFoundation/CoreFoundation.h>
11#include <Security/SecCertificate.h>
12#include <Security/SecCertificatePriv.h>
13#include <Security/SecInternal.h>
14#include <Security/SecPolicyPriv.h>
15#include <Security/SecTrust.h>
16#include <stdlib.h>
17#include <unistd.h>
18
19#include "si-67-sectrust-blacklist/Global Trustee.cer.h"
20#include "si-67-sectrust-blacklist/login.yahoo.com.1.cer.h"
21#include "si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h"
22#include "si-67-sectrust-blacklist/login.yahoo.com.2.cer.h"
23#include "si-67-sectrust-blacklist/addons.mozilla.org.cer.h"
24#include "si-67-sectrust-blacklist/login.yahoo.com.cer.h"
25#include "si-67-sectrust-blacklist/login.live.com.cer.h"
26#include "si-67-sectrust-blacklist/mail.google.com.cer.h"
27#include "si-67-sectrust-blacklist/login.skype.com.cer.h"
28#include "si-67-sectrust-blacklist/www.google.com.cer.h"
29
30#include "Security_regressions.h"
31
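/*
 * Evaluate a single leaf certificate against the SSL policy and check that
 * the resulting chain length and trust result match the expectation.
 *
 * data/len:      DER bytes of the leaf certificate.
 * chain_length:  number of certificates expected in the evaluated chain.
 * trust_result:  SecTrustResultType the evaluation is expected to produce.
 *
 * Emits exactly five test results (isnt, ok_status, ok_status, is, is_status)
 * no matter which step fails, so the caller's plan_tests() count is stable.
 * Every CF object created here is released before returning; nothing is
 * handed back to the caller.
 */
static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result)
{
    SecTrustRef trust = NULL;
    SecCertificateRef cert = NULL;
    CFArrayRef certs = NULL;
    SecTrustResultType trustResult = kSecTrustResultInvalid;
    /* No hostname is pinned (NULL), so name matching is not part of this check. */
    SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);

    isnt(cert = SecCertificateCreateWithBytes(NULL, data, len),
        NULL, "create cert");
    /* NULL callbacks: the array does not retain cert, so cert is released separately below. */
    certs = CFArrayCreate(NULL, (const void **)&cert, 1, NULL);
    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
        "create trust with single cert");

    /* No verify date is set (the author left a fixed date, CFDateCreate(NULL, 1301008576)
     * plus SecTrustSetVerifyDate, commented out), so evaluation uses the current time.
     * NOTE(review): this presumably relies on the blacklist verdict taking precedence
     * over any date-based failure — confirm that is the intended contract. */

    /* Guard on trust so a failed creation above shows up as a failed check instead of
     * a NULL dereference; the number of emitted checks stays at five either way. */
    ok_status(trust ? SecTrustEvaluate(trust, &trustResult) : errSecParam, "evaluate trust");
    is(trust ? SecTrustGetCertificateCount(trust) : 0, chain_length, "cert count");
    is_status(trustResult, trust_result, "correct trustResult");

    /* CFRelease(NULL) traps, hence the explicit guards (trust/cert may be NULL on failure). */
    if (trust) {
        CFRelease(trust);
    }
    if (policy) {
        CFRelease(policy);
    }
    if (certs) {
        CFRelease(certs);
    }
    if (cert) {
        CFRelease(cert);
    }
}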
57
/*
 * Run validate_one_cert over every embedded certificate, in the order listed.
 * Each entry is expected to build a 3-certificate chain and to end in
 * kSecTrustResultFatalTrustFailure.
 */
static void tests(void)
{
    struct cert_fixture {
        uint8_t *bytes;
        size_t length;
    };
    const struct cert_fixture fixtures[] = {
        { Global_Trustee_cer,    sizeof(Global_Trustee_cer) },
        { login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer) },
        /* Author's note for this entry: this is the root, which isn't ok for ssl and
         * fails here, but at the same time it proves that kSecTrustResultFatalTrustFailure
         * isn't returned for policy failures that aren't blacklisting.
         * NOTE(review): the expectation below is nonetheless FatalTrustFailure with a
         * 3-certificate chain, which reads as inconsistent with that note — confirm. */
        { login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer) },
        { addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer) },
        { login_yahoo_com_cer,   sizeof(login_yahoo_com_cer) },
        { login_live_com_cer,    sizeof(login_live_com_cer) },
        { mail_google_com_cer,   sizeof(mail_google_com_cer) },
        { login_skype_com_cer,   sizeof(login_skype_com_cer) },
        { www_google_com_cer,    sizeof(www_google_com_cer) },
    };
    const size_t fixture_count = sizeof(fixtures) / sizeof(fixtures[0]);

    for (size_t i = 0; i < fixture_count; i++) {
        validate_one_cert(fixtures[i].bytes, fixtures[i].length,
                          3, kSecTrustResultFatalTrustFailure);
    }
}
73
/*
 * Entry point registered with the regressions harness.
 * argc/argv are part of the harness's uniform signature and are not read.
 * Plan: 9 certificates x 5 checks each in validate_one_cert = 45 results.
 * Always returns 0; pass/fail is reported through the harness checks.
 */
int si_67_sectrust_blacklist(int argc, char *const *argv)
{
    (void)argc;
    (void)argv;

    plan_tests(45);
    tests();

    return 0;
}
82