secstaticcode_integration.m
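//
//  secstaticcode_integration.m
//  secsecstaticcodeapitest
//
//  Copyright 2021 Apple Inc. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <Security/SecStaticCode.h>

#import "secstaticcode.h"
#import "codesigning_tests_shared.h"

/*
 * Checks that static validation with kSecCSEnforceRevocationChecks reports
 * CSSMERR_TP_CERT_REVOKED for bundles that contain a revoked binary, and that
 * a bundle whose only problem is a non-fatal bad resource signature still
 * validates with errSecSuccess.
 *
 * contentRoot is the directory that holds the "traversal/" fixture bundles.
 * Results are reported through the TEST_* / INFO macros from
 * codesigning_tests_shared.h; nothing is returned.
 *
 * NOTE(review): the fixture names (badfile / badlink / badspot) suggest a
 * regular file, a symlink and an unexpected location respectively; confirm
 * against the fixture layout, which is not visible from this file.
 */
static void
RevokedBinaryTraversalTest(NSURL *contentRoot)
{
    // Bundle path relative to contentRoot -> OSStatus that validation must return.
    NSDictionary<NSString *, NSNumber *> *expectedStatusByPath = @{
        // This resource file has a bad signature that will fail validation, but not in a fatal way.
        @"traversal/KV-badsig.app": @(errSecSuccess),
        // These are all hiding revoked binaries in various places for different types of discovery.
        @"traversal/KV-badfile.app": @(CSSMERR_TP_CERT_REVOKED),
        @"traversal/KV-badlink.app": @(CSSMERR_TP_CERT_REVOKED),
        @"traversal/KV-badspot.app": @(CSSMERR_TP_CERT_REVOKED),
    };

    TEST_START("kSecCSEnforceRevocationChecks finds revoked binaries inside bundles");

    for (NSString *path in expectedStatusByPath.allKeys) {
        SecStaticCodeRef codeRef = NULL;
        OSStatus status;

        NSNumber *expected = expectedStatusByPath[path];
        INFO(@"Test case: %@, %@", path, expected);

        NSURL *url = [contentRoot URLByAppendingPathComponent:path];
        status = SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &codeRef);
        if (status != errSecSuccess) {
            // Record why the fixture could not be opened: a missing fixture and a
            // wrong validation result are different failures and need telling apart.
            INFO(@"SecStaticCodeCreateWithPath failed: %d", (int)status);
        }
        TEST_CASE_EXPR_JUMP(status == errSecSuccess, lb_next);

        // No requirement is passed (NULL): only the signature itself is evaluated,
        // with revocation checking enforced by the flag under test.
        status = SecStaticCodeCheckValidity(codeRef, kSecCSEnforceRevocationChecks, NULL);
        INFO(@"validation result: %d", (int)status);
        // Compare in the 32-bit OSStatus domain rather than widening to NSInteger.
        TEST_CASE(status == (OSStatus)expected.intValue, "validation succeeds with expected result");

lb_next:
        // codeRef is still NULL when creation failed; release only what was created.
        if (codeRef) {
            CFRelease(codeRef);
        }
    }
}

/*
 * Entry point for the integration tests.
 *
 * root is a C string holding the path of the directory that contains the test
 * fixtures. Returns 0 once the tests have run and 1 when root is NULL or is
 * not valid UTF-8, in which case no test is run.
 *
 * NOTE(review): the return value does not reflect individual test outcomes;
 * presumably the harness consumes the TEST_* macro output. Confirm with the
 * caller.
 */
int
run_integration_tests(const char *root)
{
    // +stringWithUTF8String: raises on NULL and returns nil for invalid UTF-8, and
    // +fileURLWithPath: raises on nil, so reject both before building the URL.
    NSString *rootPath = (root != NULL) ? [NSString stringWithUTF8String:root] : nil;
    if (rootPath == nil) {
        NSLog(@"Integration test content root is missing or not valid UTF-8");
        return 1;
    }

    NSURL *url = [NSURL fileURLWithPath:rootPath];
    NSLog(@"Running integration test with content root: %@", url);

    RevokedBinaryTraversalTest(url);
    return 0;
}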