/// <summary>
/// Evaluates a lone leaf certificate (no intermediates, no anchors) against the client-side SSL
/// policy and checks that the outcome reported by <c>Evaluate</c> matches the one stored in the
/// result dictionary.
/// </summary>
public void Client_Leaf_Only() {
    var leaf = new X509Certificate(CertificateTest.mail_google_com);
    // the SSL policy is created in its client (non-server) form; a host name is not meaningful
    // for client certificates, hence null
    using (var policy = SecPolicy.CreateSslPolicy(false, null))
    using (var trust = new SecTrust(leaf, policy)) {
        // that certificate stopped being valid on September 30th, 2013, so the verification date is
        // pinned before that instead of depending on the wall clock
        var verifyDate = new DateTime(635108745218945450, DateTimeKind.Utc);
        trust.SetVerifyDate(verifyDate);

        const SecTrustResult expected = SecTrustResult.RecoverableTrustFailure;
        Assert.That(Evaluate(trust, true), Is.EqualTo(expected), "Evaluate");

        if (!TestRuntime.CheckXcodeVersion(5, 0)) {
            return;
        }

        // by default there's no *custom* anchors
        Assert.Null(trust.GetCustomAnchorCertificates(), "GetCustomAnchorCertificates");
        using (var resultDict = trust.GetResult()) {
            Assert.That(CFGetRetainCount(resultDict.Handle), Is.EqualTo((nint)1), "RetainCount");
            // the result dictionary carries the same verdict as the evaluation itself
            var number = (NSNumber)resultDict [SecTrustResultKey.ResultValue];
            var reported = (SecTrustResult)(int)number;
            Assert.That(reported, Is.EqualTo(expected), "ResultValue");
        }
    }
}
/// <summary>
/// Shared body for the full-chain tests: pins the verification date, evaluates <paramref name="trust"/>,
/// checks the three certificates the trust exposes, then installs <paramref name="certs"/> as custom
/// anchors and verifies that the previously computed result is invalidated.
/// </summary>
/// <param name="trust">Trust built by the caller from the chain and a policy.</param>
/// <param name="policy">Not referenced by this method; kept for the callers' signature.</param>
/// <param name="certs">The chain installed as custom anchors; its count must match what the trust reports back.</param>
void Trust_FullChain(SecTrust trust, SecPolicy policy, X509CertificateCollection certs) {
    // that certificate stopped being valid on September 30th, 2013, so we verify at an earlier, fixed date
    trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

    var ios9 = TestRuntime.CheckXcodeVersion(7, 0);
    var ios10 = TestRuntime.CheckXcodeVersion(8, 0);
    var ios11 = TestRuntime.CheckXcodeVersion(9, 0);
    // iOS9 is not fully happy with the basic constraints: `SecTrustEvaluate [root AnchorTrusted BasicContraints]`
    var expected = ios10
        ? SecTrustResult.FatalTrustFailure
        : ios9 ? SecTrustResult.RecoverableTrustFailure : SecTrustResult.Unspecified;

    Assert.That(Evaluate(trust, true), Is.EqualTo(expected), "Evaluate");

    // Evaluate must be called prior to Count (Apple documentation)
    Assert.That(trust.Count, Is.EqualTo(3), "Count");

    string[] subjects = {
        "mail.google.com",
        "Thawte SGC CA",
        "Class 3 Public Primary Certification Authority",
    };
    for (int i = 0; i < subjects.Length; i++) {
        var label = "sc" + (i + 1);
        using (SecCertificate cert = trust [i]) {
            // the leaf (index 0) seems to get an extra retain, so only a lower bound is checked
            Assert.That(CFGetRetainCount(cert.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(" + label + ")");
            Assert.That(cert.SubjectSummary, Is.EqualTo(subjects [i]), "SubjectSummary(" + label + ")");
        }
    }

    if (!TestRuntime.CheckXcodeVersion(5, 0)) {
        return;
    }

    Assert.That(trust.GetTrustResult(), Is.EqualTo(expected), "GetTrustResult");
    trust.SetAnchorCertificates(certs);
    Assert.That(trust.GetCustomAnchorCertificates().Length, Is.EqualTo(certs.Count), "GetCustomAnchorCertificates");
    // since we modified the `trust` instance its result was invalidated (marked as unspecified on iOS 11)
    var afterAnchors = ios11 ? SecTrustResult.Unspecified : SecTrustResult.Invalid;
    Assert.That(trust.GetTrustResult(), Is.EqualTo(afterAnchors), "GetTrustResult-2");
}
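/// <summary>
/// Evaluates the three-certificate mail.google.com chain (leaf, Thawte SGC CA, VeriSign class 3 root)
/// against an SSL server policy for "mail.google.com", checks each certificate the trust exposes, then
/// installs the same chain as custom anchors and verifies that the cached result is invalidated.
/// </summary>
public void Trust_FullChain() {
    var certs = new X509CertificateCollection {
        new X509Certificate(CertificateTest.mail_google_com),
        new X509Certificate(CertificateTest.thawte_sgc_ca),
        new X509Certificate(CertificateTest.verisign_class3_root),
    };
    using (var policy = SecPolicy.CreateSslPolicy(true, "mail.google.com"))
    using (var trust = new SecTrust(certs, policy)) {
        // that certificate stopped being valid on September 30th, 2013 so we validate it with a date
        // earlier than that; a fixed date keeps the outcome independent of the wall clock
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        // iOS9 is not fully happy with the basic constraints: `SecTrustEvaluate [root AnchorTrusted BasicContraints]`
        var ios9 = TestRuntime.CheckiOSSystemVersion(9, 0);
        var expected = ios9 ? SecTrustResult.RecoverableTrustFailure : SecTrustResult.Unspecified;
        var result = Evaluate(trust, ios9);
        Assert.That(result, Is.EqualTo(expected), "Evaluate");

        // Evaluate must be called prior to Count (Apple documentation)
        Assert.That(trust.Count, Is.EqualTo(3), "Count");
        using (SecCertificate sc1 = trust [0]) {
            // seems the leaf gets an extra one
            Assert.That(CFGetRetainCount(sc1.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(sc1)");
            Assert.That(sc1.SubjectSummary, Is.EqualTo("mail.google.com"), "SubjectSummary(sc1)");
        }
        using (SecCertificate sc2 = trust [1]) {
            Assert.That(CFGetRetainCount(sc2.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(sc2)");
            Assert.That(sc2.SubjectSummary, Is.EqualTo("Thawte SGC CA"), "SubjectSummary(sc2)");
        }
        using (SecCertificate sc3 = trust [2]) {
            Assert.That(CFGetRetainCount(sc3.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(sc3)");
            Assert.That(sc3.SubjectSummary, Is.EqualTo("Class 3 Public Primary Certification Authority"), "SubjectSummary(sc3)");
        }

        if (TestRuntime.CheckSystemAndSDKVersion(7, 0)) {
            Assert.That(trust.GetTrustResult(), Is.EqualTo(expected), "GetTrustResult");
            trust.SetAnchorCertificates(certs);
            Assert.That(trust.GetCustomAnchorCertificates().Length, Is.EqualTo(certs.Count), "GetCustomAnchorCertificates");
            // since we modified the `trust` instance its result was invalidated;
            // the label differs from the assertion above so a failure here is distinguishable
            Assert.That(trust.GetTrustResult(), Is.EqualTo(SecTrustResult.Invalid), "GetTrustResult-2");
        }
    }
}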
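/// <summary>
/// Shared body for the full-chain tests: pins the verification date, evaluates <paramref name="trust"/>,
/// checks the three certificates the trust exposes, installs <paramref name="certs"/> as custom anchors
/// and checks the platform-specific result after that change, then (Xcode 10+) checks the
/// <c>NSError</c> surfaced by <c>Evaluate(out error)</c> for this legacy chain.
/// </summary>
/// <param name="trust">Trust built by the caller from the chain and a policy.</param>
/// <param name="policy">Not referenced by this method; kept for the callers' signature.</param>
/// <param name="certs">The chain installed as custom anchors; its count must match what the trust reports back.</param>
void Trust_FullChain(SecTrust trust, SecPolicy policy, X509CertificateCollection certs) {
    // that certificate stopped being valid on September 30th, 2013 so we validate it with a date
    // earlier than that; a fixed date keeps the outcome independent of the wall clock
    trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

    SecTrustResult trust_result = SecTrustResult.Unspecified;
    var ios9 = TestRuntime.CheckXcodeVersion(7, 0);
    var ios10 = TestRuntime.CheckXcodeVersion(8, 0);
    var ios11 = TestRuntime.CheckXcodeVersion(9, 0);
    var ios13 = TestRuntime.CheckXcodeVersion(11, 0);
    if (ios10) {
        trust_result = SecTrustResult.FatalTrustFailure;
    } else if (ios9) {
        // iOS9 is not fully happy with the basic constraints: `SecTrustEvaluate [root AnchorTrusted BasicContraints]`
        trust_result = SecTrustResult.RecoverableTrustFailure;
    }

    var result = Evaluate(trust, true);
    Assert.That(result, Is.EqualTo(trust_result), "Evaluate");

    // Evaluate must be called prior to Count (Apple documentation)
    Assert.That(trust.Count, Is.EqualTo(3), "Count");
    using (SecCertificate sc1 = trust [0]) {
        // seems the leaf gets an extra one
        Assert.That(CFGetRetainCount(sc1.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(sc1)");
        Assert.That(sc1.SubjectSummary, Is.EqualTo("mail.google.com"), "SubjectSummary(sc1)");
    }
    using (SecCertificate sc2 = trust [1]) {
        Assert.That(CFGetRetainCount(sc2.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(sc2)");
        Assert.That(sc2.SubjectSummary, Is.EqualTo("Thawte SGC CA"), "SubjectSummary(sc2)");
    }
    using (SecCertificate sc3 = trust [2]) {
        Assert.That(CFGetRetainCount(sc3.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(sc3)");
        Assert.That(sc3.SubjectSummary, Is.EqualTo("Class 3 Public Primary Certification Authority"), "SubjectSummary(sc3)");
    }

    if (TestRuntime.CheckXcodeVersion(5, 0)) {
        Assert.That(trust.GetTrustResult(), Is.EqualTo(trust_result), "GetTrustResult");
        trust.SetAnchorCertificates(certs);
        Assert.That(trust.GetCustomAnchorCertificates().Length, Is.EqualTo(certs.Count), "GetCustomAnchorCertificates");
        // the result reported after the anchors changed differs per OS release; newest first
#if __MACOS__
        if (TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 15)) {
            trust_result = SecTrustResult.RecoverableTrustFailure;
        } else if (TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 13)) {
            trust_result = SecTrustResult.Unspecified;
        } else if (TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 12)) {
            trust_result = SecTrustResult.Invalid;
        } else if (TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 11)) {
            trust_result = SecTrustResult.RecoverableTrustFailure;
        } else {
            trust_result = SecTrustResult.Unspecified;
        }
#else
        if (ios13) {
            trust_result = SecTrustResult.RecoverableTrustFailure;
        } else if (ios11) {
            trust_result = SecTrustResult.Unspecified;
        } else {
            trust_result = SecTrustResult.Invalid;
        }
#endif
        // since we modified the `trust` instance its result was invalidated (marked as unspecified on iOS 11)
        Assert.That(trust.GetTrustResult(), Is.EqualTo(trust_result), "GetTrustResult-2");
    }

    if (TestRuntime.CheckXcodeVersion(12, 0)) {
        // old certificate (built in our tests) was not quite up to spec and it eventually became important
        Assert.False(trust.Evaluate(out var error), "Evaluate");
        Assert.NotNull(error, "error");
        Assert.That(error.LocalizedDescription, Is.EqualTo("“mail.google.com” certificate is not standards compliant"), "desc");
    } else if (TestRuntime.CheckXcodeVersion(11, 0)) {
        Assert.False(trust.Evaluate(out var error), "Evaluate");
        Assert.NotNull(error, "error");
        Assert.That(error.LocalizedDescription, Does.Contain("\"mail.google.com\",\"Thawte SGC CA\",\"Class 3 Public Primary Certification Authority\" certificates do not meet pinning requirements"));
        var underlyingError = (NSError)error.UserInfo [NSError.UnderlyingErrorKey];
        // fail with a clear message instead of a NullReferenceException below should the OS stop
        // attaching an underlying error to the pinning failure
        Assert.NotNull(underlyingError, "underlyingError");
        // Error is:
        // Certificate 0 “mail.google.com” has errors: Key size is not permitted for this use, SSL hostname does not match name(s) in certificate, Signature hash algorithm is not permitted for this use;Certificate 1 “Thawte SGC CA” has errors: Key size is not permitted for this use, Signature hash algorithm is not permitted for this use;Certificate 2 “Class 3 Public Primary Certification Authority” has errors: Key size is not permitted for this use;
        // But the exact format can vary
        // watchOS reports this:
        // Certificate 0 “mail.google.com” has errors: Key size is not permitted for this use, Signature hash algorithm is not permitted for this use, SSL hostname does not match name(s) in certificate;Certificate 1 “Thawte SGC CA” has errors: Key size is not permitted for this use, Signature hash algorithm is not permitted for this use;Certificate 2 “Class 3 Public Primary Certification Authority” has errors: Key size is not permitted for this use;
        // so only the per-certificate reasons are pinned, not their order
        Assert.That(underlyingError.LocalizedDescription, Does.Contain("Certificate 0 “mail.google.com” has errors: "));
        Assert.That(underlyingError.LocalizedDescription, Does.Contain("Key size is not permitted for this use"));
        Assert.That(underlyingError.LocalizedDescription, Does.Contain("SSL hostname does not match name(s) in certificate").Or.Contain("Signature hash algorithm is not permitted for this use"));
        Assert.That(underlyingError.LocalizedDescription, Does.Contain("Certificate 1 “Thawte SGC CA” has errors: Key size is not permitted for this use"));
        Assert.That(underlyingError.LocalizedDescription, Does.Contain("Certificate 2 “Class 3 Public Primary Certification Authority” has errors:"));
    } else if (TestRuntime.CheckXcodeVersion(10, 0)) {
        Assert.True(trust.Evaluate(out var error), "Evaluate");
        Assert.Null(error, "error");
    }
}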