1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
/*
* (C) 1999-2019 Jack Lloyd
* (C) 2019 René Meusel
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include "tests.h"
#if defined(BOTAN_HAS_CERTSTOR_MACOS)
#include <botan/certstor_macos.h>
#include <botan/ber_dec.h>
#include <botan/der_enc.h>
#include <botan/hex.h>
namespace Botan_Tests {
namespace {
Botan::X509_DN read_dn(const std::string hex)
{
Botan::X509_DN dn;
Botan::BER_Decoder decoder(Botan::hex_decode(hex));
dn.decode_from(decoder);
return dn;
}
Botan::X509_DN get_dn()
{
// Public key fingerprint of "DST Root CA X3"
// This certificate is in the standard "System Roots" of any macOS setup,
// serves as the trust root of botan.randombit.net and expires on
// Thursday, 30. September 2021 at 16:01:15 Central European Summer Time
return read_dn("303f31243022060355040a131b4469676974616c205369676e6174757265"
"20547275737420436f2e311730150603550403130e44535420526f6f7420"
"4341205833");
}
std::vector<uint8_t> get_key_id()
{
// this is the same as the public key SHA1
return Botan::hex_decode("c4a7b1a47b2c71fadbe14b9075ffc41560858910");
}
Botan::X509_DN get_unknown_dn()
{
// thats a D-Trust "Test Certificate". It should be fairly likely that
// _nobody_ will _ever_ have that in their system keychain
// CN: D-TRUST Limited Basic Test PU CA 1-4 2016
return read_dn("305b310b300906035504061302444531153013060355040a0c0c442d5472"
"75737420476d62483135303306035504030c2c442d5452555354204c696d"
"6974656420426173696320526f6f74205465737420505520434120312032"
"303135");
}
Botan::X509_DN get_skewed_dn()
{
// This DN contains ASN.1 PrintableString fields that are not 'normalized'
// according to Apple's idea of a normalized PrintableString field:
// (1) It has leading and trailing white space
// (2) It contains multiple spaces between 'words'
return read_dn("304b312a3028060355040a132120204469676974616c2020205369676e61"
"7475726520547275737420436f2e2020311d301b06035504031314202044"
"5354202020526f6f742043412058332020");
}
std::vector<uint8_t> get_unknown_key_id()
{
// this is the same as the public key SHA1
return Botan::hex_decode("785c0b67b536eeacbb2b27cf9123301abe7ab09a");
}
Test::Result open_certificate_store()
{
Test::Result result("macOS Certificate Store - Open Keychain");
try
{
result.start_timer();
Botan::Certificate_Store_MacOS unused;
result.end_timer();
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
result.test_success();
return result;
}
Test::Result find_certificate_by_pubkey_sha1()
{
Test::Result result("macOS Certificate Store - Find Certificate by SHA1(pubkey)");
try
{
result.start_timer();
Botan::Certificate_Store_MacOS certstore;
auto cert = certstore.find_cert_by_pubkey_sha1(get_key_id());
result.end_timer();
if(result.test_not_null("found certificate", cert.get()))
{
auto cns = cert->subject_dn().get_attribute("CN");
result.test_is_eq("exactly one CN", cns.size(), 1ul);
result.test_eq("CN", cns.front(), "DST Root CA X3");
}
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
result.test_throws("on invalid SHA1 hash data", [&]
{
Botan::Certificate_Store_MacOS certstore;
certstore.find_cert_by_pubkey_sha1({});
});
return result;
}
Test::Result find_cert_by_subject_dn()
{
Test::Result result("macOS Certificate Store - Find Certificate by subject DN");
try
{
auto dn = get_dn();
result.start_timer();
Botan::Certificate_Store_MacOS certstore;
auto cert = certstore.find_cert(dn, std::vector<uint8_t>());
result.end_timer();
if(result.test_not_null("found certificate", cert.get()))
{
auto cns = cert->subject_dn().get_attribute("CN");
result.test_is_eq("exactly one CN", cns.size(), 1ul);
result.test_eq("CN", cns.front(), "DST Root CA X3");
}
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
return result;
}
Test::Result find_cert_by_subject_dn_and_key_id()
{
Test::Result result("macOS Certificate Store - Find Certificate by subject DN and key ID");
try
{
auto dn = get_dn();
result.start_timer();
Botan::Certificate_Store_MacOS certstore;
auto cert = certstore.find_cert(dn, get_key_id());
result.end_timer();
if(result.test_not_null("found certificate", cert.get()))
{
auto cns = cert->subject_dn().get_attribute("CN");
result.test_is_eq("exactly one CN", cns.size(), 1ul);
result.test_eq("CN", cns.front(), "DST Root CA X3");
}
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
return result;
}
Test::Result find_certs_by_subject_dn_and_key_id()
{
Test::Result result("macOS Certificate Store - Find Certificates by subject DN and key ID");
try
{
auto dn = get_dn();
result.start_timer();
Botan::Certificate_Store_MacOS certstore;
auto certs = certstore.find_all_certs(dn, get_key_id());
result.end_timer();
if(result.confirm("result not empty", !certs.empty()) &&
result.test_eq("exactly one certificate", certs.size(), 1))
{
auto cns = certs.front()->subject_dn().get_attribute("CN");
result.test_is_eq("exactly one CN", cns.size(), 1ul);
result.test_eq("CN", cns.front(), "DST Root CA X3");
}
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
return result;
}
Test::Result find_all_subjects()
{
Test::Result result("macOS Certificate Store - Find all Certificate Subjects");
try
{
result.start_timer();
Botan::Certificate_Store_MacOS certstore;
auto subjects = certstore.all_subjects();
result.end_timer();
if(result.confirm("result not empty", !subjects.empty()))
{
auto dn = get_dn();
auto needle = std::find_if(subjects.cbegin(),
subjects.cend(),
[=](const Botan::X509_DN &subject)
{
return subject == dn;
});
if(result.confirm("found expected certificate", needle != subjects.end()))
{
result.confirm("expected certificate", *needle == dn);
}
}
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
return result;
}
Test::Result no_certificate_matches()
{
Test::Result result("macOS Certificate Store - can deal with no matches (regression test)");
try
{
auto dn = get_unknown_dn();
auto kid = get_unknown_key_id();
result.start_timer();
Botan::Certificate_Store_MacOS certstore;
auto certs = certstore.find_all_certs(dn, kid);
auto cert = certstore.find_cert(dn, kid);
auto pubk_cert = certstore.find_cert_by_pubkey_sha1(kid);
result.end_timer();
result.confirm("find_all_certs did not find the dummy", certs.empty());
result.confirm("find_cert did not find the dummy", !cert);
result.confirm("find_cert_by_pubkey_sha1 did not find the dummy", !pubk_cert);
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
return result;
}
Test::Result certificate_matching_with_dn_normalization()
{
Test::Result result("macOS Certificate Store - normalization of X.509 DN (regression test)");
try
{
auto dn = get_skewed_dn();
result.start_timer();
Botan::Certificate_Store_MacOS certstore;
auto certs = certstore.find_all_certs(dn, std::vector<uint8_t>());
auto cert = certstore.find_cert(dn, std::vector<uint8_t>());
result.end_timer();
if(result.confirm("find_all_certs did find the skewed DN", !certs.empty()) &&
result.confirm("find_cert did find the skewed DN", cert != nullptr))
{
result.test_eq("it is the correct cert", certs.front()->subject_dn().get_first_attribute("CN"), "DST Root CA X3");
result.test_eq("it is the correct cert", cert->subject_dn().get_first_attribute("CN"), "DST Root CA X3");
}
}
catch(std::exception& e)
{
result.test_failure(e.what());
}
return result;
}
class Certstor_macOS_Tests final : public Test
{
public:
std::vector<Test::Result> run() override
{
std::vector<Test::Result> results;
results.push_back(open_certificate_store());
results.push_back(find_certificate_by_pubkey_sha1());
results.push_back(find_cert_by_subject_dn());
results.push_back(find_cert_by_subject_dn_and_key_id());
results.push_back(find_certs_by_subject_dn_and_key_id());
results.push_back(find_all_subjects());
results.push_back(no_certificate_matches());
results.push_back(certificate_matching_with_dn_normalization());
return results;
}
};
BOTAN_REGISTER_TEST("certstor_macos", Certstor_macOS_Tests);
}
}
#endif
|
