/// <summary>
/// Shared assertions for a <c>SecTrust</c> built from the complete mail.google.com chain
/// (leaf, intermediate and root): evaluation result, chain contents, and the effect of
/// installing custom anchors on the cached trust result.
/// </summary>
/// <param name="trust">Trust under test; its verify date and anchor certificates are modified.</param>
/// <param name="policy">Policy the caller created the trust with (not read here).</param>
/// <param name="certs">Managed certificates, re-used as the custom anchor set.</param>
void Trust_FullChain(SecTrust trust, SecPolicy policy, X509CertificateCollection certs)
{
    // The leaf stopped being valid on September 30th, 2013, so evaluation is pinned to an
    // earlier instant. Without it the result would reflect expiry instead of chain building.
    trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

    var xcode7 = TestRuntime.CheckXcodeVersion(7, 0);
    var xcode8 = TestRuntime.CheckXcodeVersion(8, 0);
    var xcode9 = TestRuntime.CheckXcodeVersion(9, 0);

    // iOS9 is not fully happy with the basic constraints:
    // `SecTrustEvaluate [root AnchorTrusted BasicContraints]`; Xcode 8+ expects a fatal failure.
    SecTrustResult expected = xcode8
        ? SecTrustResult.FatalTrustFailure
        : (xcode7 ? SecTrustResult.RecoverableTrustFailure : SecTrustResult.Unspecified);

    Assert.That(Evaluate(trust, true), Is.EqualTo(expected), "Evaluate");

    // Evaluate must be called prior to Count (Apple documentation).
    Assert.That(trust.Count, Is.EqualTo(3), "Count");

    // Chain order is leaf first, root last; the leaf seems to carry an extra retain.
    string[] subjects =
    {
        "mail.google.com",
        "Thawte SGC CA",
        "Class 3 Public Primary Certification Authority",
    };
    for (var position = 0; position < subjects.Length; position++)
    {
        var label = "sc" + (position + 1);
        using (SecCertificate cert = trust[position])
        {
            Assert.That(CFGetRetainCount(cert.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(" + label + ")");
            Assert.That(cert.SubjectSummary, Is.EqualTo(subjects[position]), "SubjectSummary(" + label + ")");
        }
    }

    if (!TestRuntime.CheckXcodeVersion(5, 0))
    {
        return;
    }

    Assert.That(trust.GetTrustResult(), Is.EqualTo(expected), "GetTrustResult");

    trust.SetAnchorCertificates(certs);
    Assert.That(trust.GetCustomAnchorCertificates().Length, Is.EqualTo(certs.Count), "GetCustomAnchorCertificates");

    // Modifying the trust invalidates its cached result (reported as Unspecified on iOS 11),
    // so a result read before the anchor change must not be relied on afterwards.
    var afterAnchorChange = xcode9 ? SecTrustResult.Unspecified : SecTrustResult.Invalid;
    Assert.That(trust.GetTrustResult(), Is.EqualTo(afterAnchorChange), "GetTrustResult-2");
}
/// <summary>
/// Builds an <c>MCSession</c> from an identity and the certificates of a trust created on
/// that identity's certificate, then checks what the session reports back.
/// </summary>
public void Ctor_Identity_Certificates()
{
    TestRuntime.AssertSystemVersion(ApplePlatform.iOS, 7, 0, throwIfOtherPlatform: false);
    TestRuntime.AssertSystemVersion(ApplePlatform.MacOSX, 10, 10, throwIfOtherPlatform: false);

    using (var identity = IdentityTest.GetIdentity())
    using (var trust = new SecTrust(identity.Certificate, SecPolicy.CreateBasicX509Policy()))
    using (var localPeer = new MCPeerID("me"))
    {
        // Copy every certificate the trust exposes into a managed array for the session.
        var chain = new SecCertificate[trust.Count];
        for (var index = 0; index < trust.Count; index++)
        {
            chain[index] = trust[index];
        }

        using (var session = new MCSession(localPeer, identity, chain, MCEncryptionPreference.Required))
        {
            Assert.AreSame(session.MyPeerID, localPeer, "MyPeerID");

            // it's a self-signed certificate that's used for the identity
            // so it's not added twice to the collection being returned
            Assert.That(session.SecurityIdentity.Count, Is.EqualTo((nuint)1), "SecurityIdentity");
            Assert.That(session.SecurityIdentity.GetItem<SecIdentity>(0).Handle, Is.EqualTo(chain[0].Handle), "SecurityIdentity");

            // The session must keep the encryption preference it was created with.
            Assert.That(session.EncryptionPreference, Is.EqualTo(MCEncryptionPreference.Required), "EncryptionPreference");
            Assert.That(session.ConnectedPeers, Is.Empty, "ConnectedPeers");
        }
    }
}
/// <summary>
/// Evaluates a trust built from the mail.google.com leaf alone under an SSL server policy,
/// then exercises <c>NetworkFetchAllowed</c> and the policy getter/setter.
/// </summary>
public void Trust_Leaf_Only()
{
    X509Certificate leaf = new X509Certificate(CertificateTest.mail_google_com);
    using (var policy = SecPolicy.CreateSslPolicy(true, "mail.google.com"))
    using (var trust = new SecTrust(leaf, policy))
    {
        Assert.That(CFGetRetainCount(trust.Handle), Is.EqualTo((nint)1), "RetainCount(trust)");
        Assert.That(CFGetRetainCount(policy.Handle), Is.EqualTo((nint)2), "RetainCount(policy)");

        // that certificate stopped being valid on September 30th, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        // the system was able to construct the chain based on the single certificate
        var outcome = Evaluate(trust, true);
        Assert.That(outcome, Is.EqualTo(SecTrustResult.RecoverableTrustFailure), "Evaluate");

        if (!TestRuntime.CheckXcodeVersion(5, 0))
        {
            return;
        }

        // Network fetching is asserted to be on by default and must be switchable off.
        Assert.True(trust.NetworkFetchAllowed, "NetworkFetchAllowed-1");
        trust.NetworkFetchAllowed = false;
        Assert.False(trust.NetworkFetchAllowed, "NetworkFetchAllowed-2");

        // Setting the same policy again must round-trip to the same native handle.
        trust.SetPolicy(policy);
        var current = trust.GetPolicies();
        Assert.That(current.Length, Is.EqualTo(1), "Policies.Length");
        Assert.That(current[0].Handle, Is.EqualTo(policy.Handle), "Handle");
    }
}
/// <summary>
/// Checks that <c>SetSignedCertificateTimestamps</c> reports success for empty and null
/// inputs, in both its native-array and managed-array forms.
/// </summary>
public void Timestamps()
{
    TestRuntime.AssertXcodeVersion(10, 1);

    // old API exposed publicly
    X509Certificate2Collection certs = new X509Certificate2Collection
    {
        new X509Certificate2(CertificateTest.mail_google_com),
        new X509Certificate2(CertificateTest.thawte_sgc_ca),
        new X509Certificate2(CertificateTest.verisign_class3_root),
    };

    using (var policy = SecPolicy.CreateSslPolicy(true, "mail.google.com"))
    using (var trust = new SecTrust(certs, policy))
    {
        // 1: empty native array
        var nativeList = new NSArray<NSData>();
        var status = trust.SetSignedCertificateTimestamps(nativeList);
        Assert.That(status, Is.EqualTo(SecStatusCode.Success), "1");

        // 2: literal null
        nativeList = null;
        status = trust.SetSignedCertificateTimestamps(null);
        Assert.That(status, Is.EqualTo(SecStatusCode.Success), "2");

        // 3: empty managed array
        var managedList = new NSData[0];
        status = trust.SetSignedCertificateTimestamps(managedList);
        Assert.That(status, Is.EqualTo(SecStatusCode.Success), "3");

        // 4: null managed array
        managedList = null;
        status = trust.SetSignedCertificateTimestamps(managedList);
        Assert.That(status, Is.EqualTo(SecStatusCode.Success), "4");
    }
}
/// <summary>
/// Evaluates the mail.google.com leaf under an SSL <em>client</em> policy (no host name) and
/// checks the result dictionary and the absence of custom anchors.
/// </summary>
public void Client_Leaf_Only()
{
    X509Certificate leaf = new X509Certificate(CertificateTest.mail_google_com);
    using (var policy = SecPolicy.CreateSslPolicy(false, null))
    using (var trust = new SecTrust(leaf, policy))
    {
        // that certificate stopped being valid on September 30th, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        // a host name is not meaningful for client certificates
        var outcome = Evaluate(trust, true);
        Assert.That(outcome, Is.EqualTo(SecTrustResult.RecoverableTrustFailure), "Evaluate");

        if (!TestRuntime.CheckXcodeVersion(5, 0))
        {
            return;
        }

        // by default there's no *custom* anchors
        Assert.Null(trust.GetCustomAnchorCertificates(), "GetCustomAnchorCertificates");

        using (var results = trust.GetResult())
        {
            Assert.That(CFGetRetainCount(results.Handle), Is.EqualTo((nint)1), "RetainCount");

            // The dictionary's result value must agree with what Evaluate returned.
            var boxed = (NSNumber)results[SecTrustResultKey.ResultValue];
            var raw = (int)boxed;
            SecTrustResult value = (SecTrustResult)raw;
            Assert.That(value, Is.EqualTo(SecTrustResult.RecoverableTrustFailure), "ResultValue");
        }
    }
}
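/// <summary>
/// Installs the certificate found at <paramref name="certificate"/>. Values starting with
/// "http" (which also covers "https") are handed to <c>OpenUrlExternally</c>; anything else
/// is loaded through <c>NSData.FromUrl</c> and added to the keychain.
/// </summary>
/// <param name="certificate">Location of the certificate, as a URL string.</param>
/// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
/// <remarks>
/// NOTE(review): the keychain branch never evaluates the trust object it builds, so the
/// certificate is stored without any trust decision having been made. Callers must not treat
/// a successful add as proof that the certificate is trusted.
/// </remarks>
public void InstallCertificate(string certificate)
{
    if (certificate == null)
    {
        throw new ArgumentNullException(nameof(certificate));
    }

    // A URL scheme is a protocol token, not linguistic text: compare it ordinally so the
    // branch taken does not depend on the current culture's collation rules.
    if (certificate.StartsWith("http", StringComparison.Ordinal))
    {
        OpenUrlExternally(certificate);
        return;
    }

    // THIS CASE DOESN'T WORK YET, WE CAN ONLY ADD THE CERT TO THE KEYCHAIN BUT NOT PROMPT FOR TRUST
    using (NSUrl location = new NSUrl(certificate))
    using (NSData certData = NSData.FromUrl(location))
    using (SecCertificate secCertificate = new SecCertificate(certData))
    using (SecRecord secRecord = new SecRecord(SecKind.Certificate))
    {
        secRecord.SetValueRef(secCertificate);

        // The trust is still constructed (as before) but its result is never queried;
        // the native objects are now released instead of being left to the finalizer.
        using (SecPolicy policy = SecPolicy.CreateSslPolicy(true, "applocker.navy.mil"))
        using (SecTrust secTrust = new SecTrust(secCertificate, policy))
        {
            SecStatusCode code = SecKeyChain.Add(secRecord);
            Console.WriteLine(code);
        }
    }
}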
/// <summary>
/// Evaluates the mail.google.com leaf under an SSL server policy created with a null host
/// name, then installs that policy together with a revocation policy.
/// </summary>
public void NoHostName()
{
    X509Certificate leaf = new X509Certificate(CertificateTest.mail_google_com);

    // a null host name means "*" (accept any name) which is not stated in Apple documentation;
    // a policy built this way performs no host name matching at all.
    using (var policy = SecPolicy.CreateSslPolicy(true, null))
    using (var trust = new SecTrust(leaf, policy))
    {
        // that certificate stopped being valid on September 30th, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        var outcome = Evaluate(trust, true);
        Assert.That(outcome, Is.EqualTo(SecTrustResult.RecoverableTrustFailure), "Evaluate");

        if (!TestRuntime.CheckXcodeVersion(5, 0))
        {
            return;
        }

        using (var revocation = SecPolicy.CreateRevocationPolicy(SecRevocation.UseAnyAvailableMethod))
        {
            // Both policies must be reported back once they are set together.
            var combined = new List<SecPolicy>();
            combined.Add(policy);
            combined.Add(revocation);
            trust.SetPolicies(combined);

            var installed = trust.GetPolicies();
            Assert.That(installed.Length, Is.EqualTo(2), "Policies.Length");
        }
    }
}
/// <summary>
/// Shared assertions for a trust built from a single leaf certificate: retain counts,
/// evaluation result, <c>NetworkFetchAllowed</c> and the policy round-trip.
/// </summary>
/// <param name="trust">Trust under test; its verify date, fetch flag and policy are modified.</param>
/// <param name="policy">Policy the trust was created with.</param>
void Trust_Leaf_Only(SecTrust trust, SecPolicy policy)
{
    Assert.That(CFGetRetainCount(trust.Handle), Is.EqualTo((nint)1), "RetainCount(trust)");
    Assert.That(CFGetRetainCount(policy.Handle), Is.EqualTo((nint)2), "RetainCount(policy)");

    // that certificate stopped being valid on September 30th, 2013,
    // so it is validated against a date earlier than that
    trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

    // the system was able to construct the chain based on the single certificate
#if __MACOS__
    var expectedTrust = TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 9)
        ? SecTrustResult.RecoverableTrustFailure
        : SecTrustResult.Unspecified;
#else
    var expectedTrust = SecTrustResult.RecoverableTrustFailure;
#endif
    Assert.That(Evaluate(trust, true), Is.EqualTo(expectedTrust), "Evaluate");

#if __MACOS__
    var hasNetworkFetchAllowed = TestRuntime.CheckSystemVersion(PlatformName.MacOSX, 10, 9);
#else
    var hasNetworkFetchAllowed = TestRuntime.CheckXcodeVersion(5, 0);
#endif
    if (!hasNetworkFetchAllowed)
    {
        return;
    }

    // Network fetching is asserted to be on by default and must be switchable off.
    Assert.True(trust.NetworkFetchAllowed, "NetworkFetchAllowed-1");
    trust.NetworkFetchAllowed = false;
    Assert.False(trust.NetworkFetchAllowed, "NetworkFetchAllowed-2");

    // Setting the same policy again must round-trip to the same native handle.
    trust.SetPolicy(policy);
    var current = trust.GetPolicies();
    Assert.That(current.Length, Is.EqualTo(1), "Policies.Length");
    Assert.That(current[0].Handle, Is.EqualTo(policy.Handle), "Handle");
}
/// <summary>
/// Evaluates the mail.google.com leaf under the basic X.509 policy, reads the default policy
/// list, and checks that <c>SetOCSPResponse</c> accepts an empty <c>NSData</c>.
/// </summary>
public void Basic_Leaf_Only()
{
    X509Certificate leaf = new X509Certificate(CertificateTest.mail_google_com);
    using (var policy = SecPolicy.CreateBasicX509Policy())
    using (var trust = new SecTrust(leaf, policy))
    {
        // that certificate stopped being valid on September 30th, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        // SSL certs are a superset of the basic X509 profile
        SecTrustResult expected = SecTrustResult.RecoverableTrustFailure;
        bool expectRecoverable = expected == SecTrustResult.RecoverableTrustFailure;
        Assert.That(Evaluate(trust, expectRecoverable), Is.EqualTo(expected), "Evaluate");

        if (!TestRuntime.CheckXcodeVersion(5, 0))
        {
            return;
        }

        // call GetPolicies without a SetPolicy / SetPolicies
        var defaults = trust.GetPolicies();
        Assert.That(defaults.Length, Is.EqualTo(1), "Policies.Length");

        // we do not have an easy way to get the response but the API accepts an empty NSData
        using (var emptyResponse = new NSData())
        {
            trust.SetOCSPResponse(emptyResponse);
        }
    }
}
/// <summary>
/// Creates a <c>SecTrust</c> for the mail.google.com leaf under the basic X.509 policy.
/// </summary>
/// <returns>A new trust object; the caller owns it and is responsible for disposing it.</returns>
SecTrust GetTrust()
{
    var leaf = new X509Certificate(CertificateTest.mail_google_com);

    // The policy wrapper is disposed as soon as the trust has been constructed from it.
    using (var basicPolicy = SecPolicy.CreateBasicX509Policy())
    {
        var created = new SecTrust(leaf, basicPolicy);
        return created;
    }
}
/// <summary>
/// Builds an <c>MCSession</c> from an identity and the certificates of a trust created on
/// that identity's certificate, then checks what the session reports back. Ignored below iOS 7.
/// </summary>
public void Ctor_Identity_Certificates()
{
    var supported = TestRuntime.CheckSystemAndSDKVersion(7, 0);
    if (!supported)
    {
        Assert.Ignore("requires iOS7+");
    }

    using (var identity = IdentityTest.GetIdentity())
    using (var trust = new SecTrust(identity.Certificate, SecPolicy.CreateBasicX509Policy()))
    using (var localPeer = new MCPeerID("me"))
    {
        // Copy every certificate the trust exposes into a managed array for the session.
        var chain = new SecCertificate[trust.Count];
        for (var index = 0; index < trust.Count; index++)
        {
            chain[index] = trust[index];
        }

        using (var session = new MCSession(localPeer, identity, chain, MCEncryptionPreference.Required))
        {
            Assert.AreSame(session.MyPeerID, localPeer, "MyPeerID");

            // it's a self-signed certificate that's used for the identity
            // so it's not added twice to the collection being returned
            Assert.That(session.SecurityIdentity.Count, Is.EqualTo(1), "SecurityIdentity");
            Assert.That(session.SecurityIdentity.GetItem<SecIdentity>(0).Handle, Is.EqualTo(chain[0].Handle), "SecurityIdentity");

            // The session must keep the encryption preference it was created with.
            Assert.That(session.EncryptionPreference, Is.EqualTo(MCEncryptionPreference.Required), "EncryptionPreference");
            Assert.That(session.ConnectedPeers, Is.Empty, "ConnectedPeers");
        }
    }
}
/// <summary>
/// Shared assertions for a trust built from leaf and intermediate only (no root supplied):
/// evaluation result, chain length, and public key access.
/// </summary>
/// <param name="trust">Trust under test; its verify date is modified.</param>
/// <param name="policy">Policy the trust was created with (not read here).</param>
void Trust_NoRoot(SecTrust trust, SecPolicy policy)
{
    // that certificate stopped being valid on September 30th, 2013,
    // so it is validated against a date earlier than that
    trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

    // iOS9 is not fully happy with the basic constraints: `SecTrustEvaluate [root AnchorTrusted BasicContraints]`
    // so it returns RecoverableTrustFailure and that affects the Count of trust later
    // (it does not add to what we provided)
    var ios9 = TestRuntime.CheckXcodeVersion(7, 0);

    SecTrustResult expectedResult;
    int expectedCount;
    if (ios9)
    {
        expectedResult = SecTrustResult.RecoverableTrustFailure;
        expectedCount = 2;
    }
    else
    {
        expectedResult = SecTrustResult.Unspecified;
        expectedCount = 3;
    }

    Assert.That(Evaluate(trust, ios9), Is.EqualTo(expectedResult), "Evaluate");

    // Evaluate must be called prior to Count (Apple documentation)
    Assert.That(trust.Count, Is.EqualTo(expectedCount), "Count");

    using (SecKey legacyKey = trust.GetPublicKey())
    {
        Assert.That(CFGetRetainCount(legacyKey.Handle), Is.GreaterThanOrEqualTo((nint)1), "RetainCount(pkey)");
    }

    if (TestRuntime.CheckXcodeVersion(12, 0))
    {
        using (SecKey leafKey = trust.GetKey())
        {
            Assert.That(leafKey.BlockSize, Is.EqualTo(128), "BlockSize");
            Assert.That(CFGetRetainCount(leafKey.Handle), Is.GreaterThanOrEqualTo((nint)1), "RetainCount(key)");
        }
    }

    if (TestRuntime.CheckXcodeVersion(10, 0))
    {
        // The boolean-returning Evaluate must fail here and hand back an error object.
        var succeeded = trust.Evaluate(out var failure);
        Assert.False(succeeded, "Evaluate");
        Assert.NotNull(failure, "error");
    }
}
/// <summary>
/// Evaluates the complete api.imgur.com chain (leaf, intermediate, root) under an SSL server
/// policy and checks the order and subjects of the certificates the trust exposes.
/// </summary>
public void Trust2_FullChain()
{
    X509Certificate2Collection certs = new X509Certificate2Collection
    {
        new X509Certificate2(CertificateTest.api_imgur_com),
        new X509Certificate2(CertificateTest.geotrust_dv_ssl_ca),
        new X509Certificate2(CertificateTest.geotrust_global_root),
    };

    using (var policy = SecPolicy.CreateSslPolicy(true, "api.imgur.com"))
    using (var trust = new SecTrust(certs, policy))
    {
        // that certificate stopped being valid on August 3rd, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        var outcome = Evaluate(trust);
        Assert.That(outcome, Is.EqualTo(SecTrustResult.Unspecified), "Evaluate");

        // Evaluate must be called prior to Count (Apple documentation)
        Assert.That(trust.Count, Is.EqualTo(3), "Count");

        // Chain order is leaf first, root last; the leaf seems to carry an extra retain.
        string[] subjects = { "api.imgur.com", "GeoTrust DV SSL CA", "GeoTrust Global CA" };
        for (var position = 0; position < subjects.Length; position++)
        {
            var label = "sc" + (position + 1);
            using (SecCertificate cert = trust[position])
            {
                Assert.That(CFGetRetainCount(cert.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(" + label + ")");
                Assert.That(cert.SubjectSummary, Is.EqualTo(subjects[position]), "SubjectSummary(" + label + ")");
            }
        }
    }
}
/// <summary>
/// Evaluates the mail.google.com leaf against a policy naming a different host and checks
/// how re-setting the policies affects the cached trust result.
/// </summary>
public void HostName_Leaf_Only()
{
    X509Certificate leaf = new X509Certificate(CertificateTest.mail_google_com);

    // a bad hostname (mismatched) is recoverable (e.g. if you change policy)
    using (var policy = SecPolicy.CreateSslPolicy(true, "mail.xamarin.com"))
    using (var trust = new SecTrust(leaf, policy))
    {
        // that certificate stopped being valid on September 30th, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        var outcome = Evaluate(trust, true);
        Assert.That(outcome, Is.EqualTo(SecTrustResult.RecoverableTrustFailure), "Evaluate");

        if (!TestRuntime.CheckXcodeVersion(5, 0))
        {
            return;
        }

        Assert.That(trust.GetTrustResult(), Is.EqualTo(SecTrustResult.RecoverableTrustFailure), "GetTrustResult");

        using (var wrapped = NSArray.FromNSObjects(policy))
        {
            trust.SetPolicies(wrapped);
        }

        var current = trust.GetPolicies();
        Assert.That(current.Length, Is.EqualTo(1), "Policies.Length");
        Assert.That(current[0].Handle, Is.EqualTo(policy.Handle), "Handle");

        // since we modified the `trust` instance its result was invalidated;
        // the result is no longer invalidated starting with Xcode 9 beta 3.
        var afterChange = TestRuntime.CheckXcodeVersion(9, 0)
            ? SecTrustResult.RecoverableTrustFailure
            : SecTrustResult.Invalid;
        Assert.That(trust.GetTrustResult(), Is.EqualTo(afterChange), "GetTrustResult-2");
    }
}
/// <summary>
/// Evaluates a trust built from the api.imgur.com leaf alone and exercises the
/// exceptions getter/setter on the evaluated trust.
/// </summary>
public void Trust2_Leaf_Only()
{
    X509Certificate2 leaf = new X509Certificate2(CertificateTest.api_imgur_com);
    using (var policy = SecPolicy.CreateSslPolicy(true, "api.imgur.com"))
    using (var trust = new SecTrust(leaf, policy))
    {
        // that certificate stopped being valid on August 3rd, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        Assert.That(CFGetRetainCount(trust.Handle), Is.EqualTo((nint)1), "RetainCount(trust)");
        Assert.That(CFGetRetainCount(policy.Handle), Is.EqualTo((nint)2), "RetainCount(policy)");

        // the system was able to construct the chain based on the single certificate
        // (on watchOS the expectation is a one-element chain and a recoverable failure)
#if __WATCHOS__
        var expectedResult = SecTrustResult.RecoverableTrustFailure;
        var expectedCount = 1;
#else
        var expectedResult = SecTrustResult.Unspecified;
        var expectedCount = 3;
#endif
        Assert.That(Evaluate(trust), Is.EqualTo(expectedResult), "Evaluate");

        // Evaluate must be called prior to Count (Apple documentation)
        Assert.That(trust.Count, Is.EqualTo(expectedCount), "Count");

        using (NSData exceptions = trust.GetExceptions())
        {
            Assert.That(CFGetRetainCount(exceptions.Handle), Is.EqualTo((nint)1), "RetainCount(data)");

            // A null blob is rejected; the blob just obtained from this trust is accepted.
            Assert.False(trust.SetExceptions(null), "SetExceptions(null)");
            Assert.True(trust.SetExceptions(exceptions), "SetExceptions");
        }
    }
}
/// <summary>
/// Creates a policy from <paramref name="oid"/> and checks its retain count and the OID
/// reported by its properties.
/// </summary>
/// <param name="oid">Policy identifier passed to <c>SecPolicy.CreatePolicy</c>.</param>
/// <param name="propertyOid">OID expected in the properties; falls back to <paramref name="oid"/> when null.</param>
void CreatePolicy (NSString oid, NSString propertyOid = null)
{
	// Prefix for assertion messages so a failure names the policy being checked.
	string prefix = oid + ".";
	NSString expectedOid = propertyOid ?? oid;

	using (var created = SecPolicy.CreatePolicy (oid, null)) {
		Assert.That (CFGetRetainCount (created.Handle), Is.EqualTo ((nint) 1), prefix + "RetainCount");

		var reported = created.GetProperties ().Values [0].ToString ();
		Assert.That (reported, Is.EqualTo ((string) expectedOid), prefix + "SecPolicyOid");
	}
}
/// <summary>
/// Checks that wrapping an <c>NSArray</c> of policies through <c>ArrayFromHandle</c> yields
/// a managed object distinct from the original array wrapper.
/// </summary>
public void INativeObjects()
{
    using (var policy = SecPolicy.CreateSslPolicy(true, "mail.xamarin.com"))
    using (var nativeArray = NSArray.FromObjects(policy))
    {
        var managedCopy = NSArray.ArrayFromHandle<SecPolicy>(nativeArray.Handle);
        Assert.AreNotSame(nativeArray, managedCopy);
    }
}
/// <summary>
/// Runs the shared leaf-only assertions on a trust built from the managed
/// <c>X509Certificate</c> form of the mail.google.com leaf.
/// </summary>
public void Trust_Leaf_Only()
{
    var leaf = new X509Certificate(CertificateTest.mail_google_com);

    using (var sslPolicy = SecPolicy.CreateSslPolicy(true, "mail.google.com"))
    {
        using (var leafTrust = new SecTrust(leaf, sslPolicy))
        {
            Trust_Leaf_Only(leafTrust, sslPolicy);
        }
    }
}
/// <summary>
/// Checks that <c>SecPolicy.CreatePolicy</c> rejects an unrecognised policy OID with an
/// <see cref="ArgumentException"/>.
/// </summary>
public void CreateUnknownPolicy()
{
    TestRuntime.AssertXcodeVersion(5, 0);

    using (var unknownOid = new NSString("1.2.3.4"))
    {
        Assert.Throws<ArgumentException>(() =>
        {
            SecPolicy.CreatePolicy(unknownOid, null);
        });
    }
}
/// <summary>
/// Checks that <c>SecPolicy.CreatePolicy</c> rejects an unrecognised policy OID with an
/// <see cref="ArgumentException"/> (requires macOS 10.9 when run on macOS).
/// </summary>
public void CreateUnknownPolicy ()
{
	TestRuntime.AssertXcodeVersion (5, 0);
	TestRuntime.AssertSystemVersion (PlatformName.MacOSX, 10, 9, throwIfOtherPlatform: false);

	using (var unknownOid = new NSString ("1.2.3.4")) {
		Assert.Throws<ArgumentException> (() => {
			SecPolicy.CreatePolicy (unknownOid, null);
		});
	}
}
/// <summary>
/// Runs the shared no-root assertions on a trust built from the mail.google.com leaf and
/// its intermediate, supplied as <c>X509Certificate2</c> objects.
/// </summary>
public void Trust2_NoRoot()
{
    var partialChain = new X509Certificate2Collection
    {
        new X509Certificate2(CertificateTest.mail_google_com),
        new X509Certificate2(CertificateTest.thawte_sgc_ca),
    };

    using (var sslPolicy = SecPolicy.CreateSslPolicy(true, "mail.google.com"))
    {
        using (var chainTrust = new SecTrust(partialChain, sslPolicy))
        {
            Trust_NoRoot(chainTrust, sslPolicy);
        }
    }
}
/// <summary>
/// Runs the shared full-chain assertions on a trust built from the mail.google.com leaf,
/// intermediate and root, supplied as <c>X509Certificate2</c> objects.
/// </summary>
public void Trust2_FullChain()
{
    var fullChain = new X509Certificate2Collection
    {
        new X509Certificate2(CertificateTest.mail_google_com),
        new X509Certificate2(CertificateTest.thawte_sgc_ca),
        new X509Certificate2(CertificateTest.verisign_class3_root),
    };

    using (var sslPolicy = SecPolicy.CreateSslPolicy(true, "mail.google.com"))
    {
        using (var chainTrust = new SecTrust(fullChain, sslPolicy))
        {
            Trust_FullChain(chainTrust, sslPolicy, fullChain);
        }
    }
}
/// <summary>
/// Checks that <c>SecPolicy.CreatePolicy</c> rejects an unrecognised policy OID with an
/// <see cref="ArgumentException"/>. Reported as inconclusive below iOS 7.
/// </summary>
public void CreateUnknownPolicy()
{
    var supported = TestRuntime.CheckSystemAndSDKVersion(7, 0);
    if (!supported)
    {
        Assert.Inconclusive("requires iOS7");
    }

    using (var unknownOid = new NSString("1.2.3.4"))
    {
        Assert.Throws<ArgumentException>(() =>
        {
            SecPolicy.CreatePolicy(unknownOid, null);
        });
    }
}
/// <summary>
/// Encrypts a 20-byte buffer with the trust's public key through the <c>out</c>-buffer
/// overload of <c>Encrypt</c> and checks the status and the ciphertext length.
/// </summary>
public void Encrypt_New()
{
    using (SecPolicy basicPolicy = SecPolicy.CreateBasicX509Policy())
    using (SecTrust trust = new SecTrust(c, basicPolicy))
    {
        // getting the public key won't (always) work if evaluate was not called
        trust.Evaluate();

        using (SecKey publicKey = trust.GetPublicKey())
        {
            byte[] plaintext = new byte[20];
            byte[] ciphertext;

            var status = publicKey.Encrypt(SecPadding.PKCS1, plaintext, out ciphertext);
            Assert.That(status, Is.EqualTo(SecStatusCode.Success), "Encrypt");
            Assert.That(ciphertext.Length, Is.EqualTo(128), "secret.Length");
        }
    }
}
/// <summary>
/// Encrypts a 20-byte buffer with the trust's public key through the overload that takes
/// a caller-supplied output buffer.
/// </summary>
public void Encrypt_Old()
{
    // the old API was not working but the crash was fixed; the caller still has to
    // provide an adequately sized output buffer
    using (SecPolicy basicPolicy = SecPolicy.CreateBasicX509Policy())
    using (SecTrust trust = new SecTrust(c, basicPolicy))
    {
        // getting the public key won't (always) work if evaluate was not called
        trust.Evaluate();

        using (SecKey publicKey = trust.GetPublicKey())
        {
            byte[] plaintext = new byte[20];

            // The output buffer is sized from the key's block size.
            byte[] output = new byte[publicKey.BlockSize];

            var status = publicKey.Encrypt(SecPadding.PKCS1, plaintext, output);
            Assert.That(status, Is.EqualTo(SecStatusCode.Success), "Encrypt");
        }
    }
}
/// <summary>
/// Creates a revocation policy that may use any available method and requires a positive
/// response, then checks its handle, retain counts and reported OID.
/// </summary>
public void RevocationPolicy()
{
    TestRuntime.AssertXcodeVersion(5, 0);

    var flags = SecRevocation.UseAnyAvailableMethod | SecRevocation.RequirePositiveResponse;
    using (var policy = SecPolicy.CreateRevocationPolicy(flags))
    {
        Assert.That(policy.Handle, Is.Not.EqualTo(IntPtr.Zero), "Handle");
        Assert.That(CFGetRetainCount(policy.Handle), Is.EqualTo((nint)1), "RetainCount");

        using (var properties = policy.GetProperties())
        {
            Assert.That(properties.Handle, Is.Not.EqualTo(IntPtr.Zero), "Properties.Handle");
            Assert.That(CFGetRetainCount(properties.Handle), Is.EqualTo((nint)1), "Properties.RetainCount");
            Assert.That(properties.Count, Is.EqualTo((nuint)1), "Count");

            // OID the revocation policy is expected to report.
            var reportedOid = properties[SecPolicyPropertyKey.Oid].ToString();
            Assert.That(reportedOid, Is.EqualTo("1.2.840.113635.100.1.21"), "SecPolicyOid");
        }
    }
}
/// <summary>
/// Creates an SSL server policy without a host name and checks its handle, retain counts
/// and reported OID.
/// </summary>
public void SslServerNoHost ()
{
	using (var policy = SecPolicy.CreateSslPolicy (true, null)) {
		Assert.That (policy.Handle, Is.Not.EqualTo (IntPtr.Zero), "Handle");
		Assert.That (CFGetRetainCount (policy.Handle), Is.EqualTo ((nint) 1), "RetainCount");

		if (!TestRuntime.CheckXcodeVersion (5, 0)) {
			return;
		}

		using (var properties = policy.GetProperties ()) {
			Assert.That (properties.Handle, Is.Not.EqualTo (IntPtr.Zero), "Properties.Handle");
			Assert.That (CFGetRetainCount (properties.Handle), Is.EqualTo ((nint) 1), "Properties.RetainCount");

			// Only the OID is expected: with no host name there is no name property to report.
			Assert.That (properties.Count, Is.EqualTo ((nuint) 1), "Count");

			var reportedOid = properties [SecPolicyPropertyKey.Oid].ToString ();
			Assert.That (reportedOid, Is.EqualTo ("1.2.840.113635.100.1.3"), "SecPolicyOid");
		}
	}
}
/// <summary>
/// Creates the basic X.509 policy and checks its handle, retain counts and reported OID.
/// </summary>
public void BasicX509Policy()
{
    using (var policy = SecPolicy.CreateBasicX509Policy())
    {
        Assert.That(policy.Handle, Is.Not.EqualTo(IntPtr.Zero), "Handle");
        Assert.That(CFGetRetainCount(policy.Handle), Is.EqualTo((nint)1), "RetainCount");

        if (!TestRuntime.CheckSystemAndSDKVersion(7, 0))
        {
            return;
        }

        using (var properties = policy.GetProperties())
        {
            Assert.That(properties.Handle, Is.Not.EqualTo(IntPtr.Zero), "Properties.Handle");
            Assert.That(CFGetRetainCount(properties.Handle), Is.EqualTo((nint)1), "Properties.RetainCount");
            Assert.That(properties.Count, Is.EqualTo((nuint)1), "Count");

            // OID the basic X.509 policy is expected to report.
            var reportedOid = properties[SecPolicyPropertyKey.Oid].ToString();
            Assert.That(reportedOid, Is.EqualTo("1.2.840.113635.100.1.2"), "SecPolicyOid");
        }
    }
}
/// <summary>
/// Evaluates the complete mail.google.com chain (leaf, intermediate, root) under an SSL
/// server policy, checks the exposed chain, and verifies that installing custom anchors
/// invalidates the cached trust result.
/// </summary>
public void Trust_FullChain()
{
    X509CertificateCollection certs = new X509CertificateCollection
    {
        new X509Certificate(CertificateTest.mail_google_com),
        new X509Certificate(CertificateTest.thawte_sgc_ca),
        new X509Certificate(CertificateTest.verisign_class3_root),
    };

    using (var policy = SecPolicy.CreateSslPolicy(true, "mail.google.com"))
    using (var trust = new SecTrust(certs, policy))
    {
        // that certificate stopped being valid on September 30th, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        // iOS9 is not fully happy with the basic constraints:
        // `SecTrustEvaluate [root AnchorTrusted BasicContraints]`
        var ios9 = TestRuntime.CheckiOSSystemVersion(9, 0);
        SecTrustResult expected;
        if (ios9)
        {
            expected = SecTrustResult.RecoverableTrustFailure;
        }
        else
        {
            expected = SecTrustResult.Unspecified;
        }

        Assert.That(Evaluate(trust, ios9), Is.EqualTo(expected), "Evaluate");

        // Evaluate must be called prior to Count (Apple documentation)
        Assert.That(trust.Count, Is.EqualTo(3), "Count");

        // Chain order is leaf first, root last; the leaf seems to carry an extra retain.
        string[] subjects =
        {
            "mail.google.com",
            "Thawte SGC CA",
            "Class 3 Public Primary Certification Authority",
        };
        for (var position = 0; position < subjects.Length; position++)
        {
            var label = "sc" + (position + 1);
            using (SecCertificate cert = trust[position])
            {
                Assert.That(CFGetRetainCount(cert.Handle), Is.GreaterThanOrEqualTo((nint)2), "RetainCount(" + label + ")");
                Assert.That(cert.SubjectSummary, Is.EqualTo(subjects[position]), "SubjectSummary(" + label + ")");
            }
        }

        if (!TestRuntime.CheckSystemAndSDKVersion(7, 0))
        {
            return;
        }

        Assert.That(trust.GetTrustResult(), Is.EqualTo(expected), "GetTrustResult");

        trust.SetAnchorCertificates(certs);
        Assert.That(trust.GetCustomAnchorCertificates().Length, Is.EqualTo(certs.Count), "GetCustomAnchorCertificates");

        // since we modified the `trust` instance its result was invalidated; a result read
        // before the anchor change must not be relied on afterwards
        Assert.That(trust.GetTrustResult(), Is.EqualTo(SecTrustResult.Invalid), "GetTrustResult");
    }
}
/// <summary>
/// Evaluates the api.imgur.com leaf and intermediate (no root supplied) under an SSL server
/// policy and checks the resulting chain length and public key access.
/// </summary>
public void Trust2_NoRoot()
{
    var partialChain = new X509Certificate2Collection
    {
        new X509Certificate2(CertificateTest.api_imgur_com),
        new X509Certificate2(CertificateTest.geotrust_dv_ssl_ca),
    };

    using (var policy = SecPolicy.CreateSslPolicy(true, "api.imgur.com"))
    using (var trust = new SecTrust(partialChain, policy))
    {
        // that certificate stopped being valid on August 3rd, 2013,
        // so it is validated against a date earlier than that
        trust.SetVerifyDate(new DateTime(635108745218945450, DateTimeKind.Utc));

        var outcome = Evaluate(trust);
        Assert.That(outcome, Is.EqualTo(SecTrustResult.Unspecified), "Evaluate");

        // Evaluate must be called prior to Count (Apple documentation).
        // Three certificates are expected although only two were supplied.
        Assert.That(trust.Count, Is.EqualTo(3), "Count");

        using (SecKey publicKey = trust.GetPublicKey())
        {
            Assert.That(CFGetRetainCount(publicKey.Handle), Is.GreaterThanOrEqualTo((nint)1), "RetainCount(pkey)");
        }
    }
}