PKI library Mac trust store integration

net/cert/internal/trust_store_mac_unittest.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/trust_store_mac.h"
+
+#include "base/base_paths.h"
+#include "base/files/file_util.h"
+#include "base/files/scoped_temp_dir.h"
+#include "base/path_service.h"
+#include "base/process/launch.h"
+#include "base/strings/string_split.h"
+#include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/test_helpers.h"
+#include "net/cert/pem_tokenizer.h"
+#include "net/cert/test_keychain_search_list_mac.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/test_data_directory.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using ::testing::UnorderedElementsAreArray;
+
+namespace net {
+
+namespace {
+
+// The PEM block header used for DER certificates
+const char kCertificateHeader[] = "CERTIFICATE";
+
+// Parses a PEM encoded certificate from |file_name| and stores in |result|.
+::testing::AssertionResult ReadTestCert(
+    const std::string& file_name,
+    scoped_refptr<ParsedCertificate>* result) {
+  std::string der;
+  const PemBlockMapping mappings[] = {
+      {kCertificateHeader, &der},
+  };
+
+  ::testing::AssertionResult r = ReadTestDataFromPemFile(
+      "net/data/ssl/certificates/" + file_name, mappings);
+  if (!r)
+    return r;
+
+  CertErrors errors;
+  *result = ParsedCertificate::Create(der, {}, &errors);
+  if (!*result) {
+    return ::testing::AssertionFailure()
+           << "ParseCertificate::Create() failed:\n"
+           << errors.ToDebugString();
+  }
+  return ::testing::AssertionSuccess();
+}
+
+// Returns the DER encodings of the SecCertificates in |array|.
+std::vector<std::string> SecCertificateArrayAsDER(CFArrayRef array) {
+  std::vector<std::string> result;
+
+  for (CFIndex i = 0, item_count = CFArrayGetCount(array); i < item_count;
+       ++i) {
+    SecCertificateRef match_cert_handle = reinterpret_cast<SecCertificateRef>(
+        const_cast<void*>(CFArrayGetValueAtIndex(array, i)));
+    if (!match_cert_handle) {
+      ADD_FAILURE() << "null item " << i;
+      continue;
+    }
+    base::ScopedCFTypeRef<CFDataRef> der_data(
+        SecCertificateCopyData(match_cert_handle));
+    if (!der_data) {
+      ADD_FAILURE() << "SecCertificateCopyData error";
+      continue;
+    }
+    result.push_back(std::string(
+        reinterpret_cast<const char*>(CFDataGetBytePtr(der_data.get())),
+        CFDataGetLength(der_data.get())));
+  }
+
+  return result;
+}
+
+// Returns the DER encodings of the ParsedCertificates in |list|.
+std::vector<std::string> ParsedCertificateListAsDER(
+    ParsedCertificateList list) {
+  std::vector<std::string> result;
+  for (const auto& it : list)
+    result.push_back(it->der_cert().AsString());
+  return result;
+}
+
+}  // namespace
+
+// Test the trust store using known test certificates in a keychain.  Tests
+// that issuer searching returns the expected certificates, and that none of
+// the certificates are trusted.
+TEST(TrustStoreMacTest, MultiRootNotTrusted) {
+  std::unique_ptr<TestKeychainSearchList> test_keychain_search_list(
+      TestKeychainSearchList::Create());
+  ASSERT_TRUE(test_keychain_search_list);
+  base::FilePath keychain_path(
+      GetTestCertsDirectory().AppendASCII("multi-root.keychain"));
+  // SecKeychainOpen does not fail if the file doesn't exist, so assert it here
+  // for easier debugging.
+  ASSERT_TRUE(base::PathExists(keychain_path));
+  base::ScopedCFTypeRef<SecKeychainRef> keychain;
+  OSStatus status = SecKeychainOpen(keychain_path.MaybeAsASCII().c_str(),
+                                    keychain.InitializeInto());
+  ASSERT_EQ(errSecSuccess, status);
+  ASSERT_TRUE(keychain);
+  test_keychain_search_list->AddKeychain(keychain);
+
+  TrustStoreMac trust_store(kSecPolicyAppleSSL);
+
+  scoped_refptr<ParsedCertificate> a_by_b, b_by_c, b_by_f, c_by_d, c_by_e,
+      f_by_e, d_by_d, e_by_e;
+  ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b));
+  ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c));
+  ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f));
+  ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d));
+  ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e));
+  ASSERT_TRUE(ReadTestCert("multi-root-F-by-E.pem", &f_by_e));
+  ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d));
+  ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e));
+
+  base::ScopedCFTypeRef<CFDataRef> normalized_name_b =
+      TrustStoreMac::GetMacNormalizedIssuer(a_by_b);
+  ASSERT_TRUE(normalized_name_b);
+  base::ScopedCFTypeRef<CFDataRef> normalized_name_c =
+      TrustStoreMac::GetMacNormalizedIssuer(b_by_c);
+  ASSERT_TRUE(normalized_name_c);
+  base::ScopedCFTypeRef<CFDataRef> normalized_name_f =
+      TrustStoreMac::GetMacNormalizedIssuer(b_by_f);
+  ASSERT_TRUE(normalized_name_f);
+  base::ScopedCFTypeRef<CFDataRef> normalized_name_d =
+      TrustStoreMac::GetMacNormalizedIssuer(c_by_d);
+  ASSERT_TRUE(normalized_name_d);
+  base::ScopedCFTypeRef<CFDataRef> normalized_name_e =
+      TrustStoreMac::GetMacNormalizedIssuer(f_by_e);
+  ASSERT_TRUE(normalized_name_e);
+
+  // Test that the matching keychain items are found, even though they aren't
+  // trusted.
+  {
+    base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
+        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
+            normalized_name_b.get());
+
+    EXPECT_THAT(SecCertificateArrayAsDER(scoped_matching_items),
+                UnorderedElementsAreArray(
+                    ParsedCertificateListAsDER({b_by_c, b_by_f})));
+  }
+
+  {
+    base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
+        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
+            normalized_name_c.get());
+    EXPECT_THAT(SecCertificateArrayAsDER(scoped_matching_items),
+                UnorderedElementsAreArray(
+                    ParsedCertificateListAsDER({c_by_d, c_by_e})));
+  }
+
+  {
+    base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
+        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
+            normalized_name_f.get());
+    EXPECT_THAT(
+        SecCertificateArrayAsDER(scoped_matching_items),
+        UnorderedElementsAreArray(ParsedCertificateListAsDER({f_by_e})));
+  }
+
+  {
+    base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
+        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
+            normalized_name_d.get());
+    EXPECT_THAT(
+        SecCertificateArrayAsDER(scoped_matching_items),
+        UnorderedElementsAreArray(ParsedCertificateListAsDER({d_by_d})));
+  }
+
+  {
+    base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
+        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
+            normalized_name_e.get());
+    EXPECT_THAT(
+        SecCertificateArrayAsDER(scoped_matching_items),
+        UnorderedElementsAreArray(ParsedCertificateListAsDER({e_by_e})));
+  }
+
+  // None of the certs should return any matching TrustAnchors, since the test
+  // certs in the keychain aren't trusted (unless someone manually added and
+  // trusted the test certs on the machine the test is being run on).
+  for (const auto& cert :
+       {a_by_b, b_by_c, b_by_f, c_by_d, c_by_e, f_by_e, d_by_d, e_by_e}) {
+    TrustAnchors matching_anchors;
+    trust_store.FindTrustAnchorsForCert(cert, &matching_anchors);
+    EXPECT_EQ(0u, matching_anchors.size());
+  }
+}
+
+// Test against all the certificates in the default keychains. Confirms that
+// the computed trust value matches that of SecTrustEvaluate.
+TEST(TrustStoreMacTest, SystemCerts) {
+  // Get the list of all certificates in the user & system keychains.
+  // This may include both trusted and untrusted certificates.
+  //
+  // The output contains zero or more repetitions of:
+  // "SHA-1 hash: <hash>\n<PEM encoded cert>\n"
+  std::string find_certificate_default_search_list_output;
+  ASSERT_TRUE(
+      base::GetAppOutput({"security", "find-certificate", "-a", "-p", "-Z"},
+                         &find_certificate_default_search_list_output));
+  // Get the list of all certificates in the system roots keychain.
+  // (Same details as above.)
+  std::string find_certificate_system_roots_output;
+  ASSERT_TRUE(base::GetAppOutput(
+      {"security", "find-certificate", "-a", "-p", "-Z",
+       "/System/Library/Keychains/SystemRootCertificates.keychain"},
+      &find_certificate_system_roots_output));
+
+  TrustStoreMac trust_store(kSecPolicyAppleX509Basic);
+
+  base::ScopedCFTypeRef<SecPolicyRef> sec_policy(SecPolicyCreateBasicX509());
+  ASSERT_TRUE(sec_policy);
+
+  int true_pos = 0;
+  int true_neg = 0;
+  int false_pos = 0;
+  int false_neg = 0;
+  for (const std::string& hash_and_pem : base::SplitStringUsingSubstr(
+           find_certificate_system_roots_output +
+               find_certificate_default_search_list_output,
+           "SHA-1 hash: ", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY)) {
+    std::string::size_type eol_pos = hash_and_pem.find_first_of("\r\n");
+    ASSERT_NE(std::string::npos, eol_pos);
+    // Extract the SHA-1 hash of the certificate. This isn't necessary for the
+    // test, but is a convenient identifier to use in any error messages.
+    std::string hash_text = hash_and_pem.substr(0, eol_pos);
+
+    SCOPED_TRACE(hash_text);
+    // TODO(mattm): The same cert might exist in both lists, could de-dupe
+    // before testing?
+
+    // Parse the PEM encoded text to DER bytes.
+    PEMTokenizer pem_tokenizer(hash_and_pem, {kCertificateHeader});
+    ASSERT_TRUE(pem_tokenizer.GetNext());
+    std::string cert_der(pem_tokenizer.data());
+    ASSERT_FALSE(pem_tokenizer.GetNext());
+
+    CertErrors errors;
+    // Note: don't actually need to make a ParsedCertificate here, just need
+    // the DER bytes. But parsing it here ensures the test can skip any certs
+    // that won't be returned due to parsing failures inside TrustStoreMac.
+    // The parsing options set here need to match the ones used in
+    // trust_store_mac.cc.
+    ParseCertificateOptions options;
+    // For https://crt.sh/?q=D3EEFBCBBCF49867838626E23BB59CA01E305DB7:
+    options.allow_invalid_serial_numbers = true;
+    scoped_refptr<ParsedCertificate> cert =
+        ParsedCertificate::Create(cert_der, options, &errors);
+    if (!cert) {
+      LOG(WARNING) << "ParseCertificate::Create " << hash_text << " failed:\n"
+                   << errors.ToDebugString();
+      continue;
+    }
+
+    base::ScopedCFTypeRef<SecCertificateRef> cert_handle(
+        X509Certificate::CreateOSCertHandleFromBytes(
+            cert->der_cert().AsStringPiece().data(),
+            cert->der_cert().Length()));
+    if (!cert_handle) {
+      ADD_FAILURE() << "CreateOSCertHandleFromBytes " << hash_text;
+      continue;
+    }
+    base::ScopedCFTypeRef<CFDataRef> mac_normalized_subject(
+        SecCertificateCopyNormalizedSubjectContent(cert_handle, nullptr));

[Ryan Sleevi, 2017/02/16 22:27:23]

Locked (although in practice shouldn't matter for this test, just not sure if we
should annotate it as a lock-guarded call)

It's more relevant for the SecTrust calls below, but again, it shouldn't matter
for a single-threaded test, so I'm torn :)

[mattm, 2017/02/17 00:04:19]

Well, I guess it's a good idea just for the documentation and some copy-pasta
safety.

+    if (!mac_normalized_subject) {
+      ADD_FAILURE() << "SecCertificateCopyNormalizedSubjectContent "
+                    << hash_text;
+      continue;
+    }
+
+    // Check if this cert is considered a trust anchor by TrustStoreMac.
+    TrustAnchors trust_anchors;
+    trust_store.FindTrustAnchorsByMacNormalizedSubject(mac_normalized_subject,
+                                                       &trust_anchors);
+    bool is_trust_anchor = false;
+    for (const auto& anchor : trust_anchors) {
+      ASSERT_TRUE(anchor->cert());
+      if (anchor->cert()->der_cert() == cert->der_cert())
+        is_trust_anchor = true;
+    }
+
+    // Check if this cert is considered a trust anchor by the OS.
+    base::ScopedCFTypeRef<SecTrustRef> trust;
+    ASSERT_EQ(noErr, SecTrustCreateWithCertificates(cert_handle, sec_policy,
+                                                    trust.InitializeInto()));
+    ASSERT_EQ(noErr,
+              SecTrustSetOptions(trust, kSecTrustOptionLeafIsCA |
+                                            kSecTrustOptionAllowExpiredRoot));
+
+    SecTrustResultType trust_result;
+    ASSERT_EQ(noErr, SecTrustEvaluate(trust, &trust_result));
+    bool expected_trust_anchor =
+        ((trust_result == kSecTrustResultProceed) ||
+         (trust_result == kSecTrustResultUnspecified)) &&
+        (SecTrustGetCertificateCount(trust) == 1);
+
+    EXPECT_EQ(expected_trust_anchor, is_trust_anchor);
+
+    if (expected_trust_anchor) {
+      if (is_trust_anchor) {
+        true_pos++;
+      } else {
+        false_neg++;
+      }
+    } else {
+      if (is_trust_anchor) {
+        false_pos++;
+      } else {
+        true_neg++;
+      }
+    }
+  }
+
+  LOG(INFO) << "true_pos: " << true_pos;
+  LOG(INFO) << "true_neg: " << true_neg;
+  LOG(INFO) << "false_pos: " << false_pos;
+  LOG(INFO) << "false_neg: " << false_neg;

[Ryan Sleevi, 2017/02/16 22:27:23]

Thought: This will end up logging on every test run. It seems like 307 should
handle sufficient logging for this, right? Should we delete these LOGs and the
variables because of that?

[mattm, 2017/02/17 00:04:19]

Done.

+}
+
+}  // namespace net