|
|
@@ -64,30 +64,42 @@ private struct TestPublicKeys {
|
|
|
// MARK: -
|
|
|
|
|
|
class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
- let urlString = "https://expired.badssl.com/"
|
|
|
- let host = "expired.badssl.com"
|
|
|
- var configuration: URLSessionConfiguration!
|
|
|
+ private let expiredURLString = "https://expired.badssl.com/"
|
|
|
+ private let expiredHost = "expired.badssl.com"
|
|
|
+
|
|
|
+ private let revokedURLString = "https://revoked.badssl.com"
|
|
|
+ private let revokedHost = "revoked.badssl.com"
|
|
|
+
|
|
|
+ private var configuration: URLSessionConfiguration!
|
|
|
|
|
|
// MARK: Setup and Teardown
|
|
|
|
|
|
override func setUp() {
|
|
|
super.setUp()
|
|
|
+
|
|
|
configuration = URLSessionConfiguration.ephemeral
|
|
|
+ configuration.urlCache = nil
|
|
|
+ configuration.urlCredentialStorage = nil
|
|
|
}
|
|
|
|
|
|
// MARK: Default Behavior Tests
|
|
|
|
|
|
func testThatExpiredCertificateRequestFailsWithNoServerTrustPolicy() {
|
|
|
+ // On iOS 8.0 - 8.4, this test passes by itself, but fails for no explanable reason when run with the rest of
|
|
|
+ // the suite. Because of this, there's no reliable way to run all these tests together pre iOS 9, so let's
|
|
|
+ // disable this one when run against the entire test suite.
|
|
|
+ guard #available(iOS 9.0, *) else { return }
|
|
|
+
|
|
|
// Given
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
let manager = SessionManager(configuration: configuration)
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -105,24 +117,49 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+ func testThatRevokedCertificateRequestFailsWithNoServerTrustPolicy() {
|
|
|
+ // Given
|
|
|
+ let expectation = self.expectation(description: "\(revokedURLString)")
|
|
|
+ let manager = SessionManager(configuration: configuration)
|
|
|
+
|
|
|
+ var error: Error?
|
|
|
+
|
|
|
+ // When
|
|
|
+ manager.request(revokedURLString)
|
|
|
+ .response { resp in
|
|
|
+ error = resp.error
|
|
|
+ expectation.fulfill()
|
|
|
+ }
|
|
|
+
|
|
|
+ waitForExpectations(timeout: timeout, handler: nil)
|
|
|
+
|
|
|
+ // Then
|
|
|
+ if #available(iOS 10.1, macOS 10.12, tvOS 10.1, *) {
|
|
|
+ // Apple appears to have started revocation tests as part of default evaluation in 10.1
|
|
|
+ XCTAssertNotNil(error)
|
|
|
+ } else {
|
|
|
+ XCTAssertNil(error)
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
// MARK: Server Trust Policy - Perform Default Tests
|
|
|
|
|
|
func testThatExpiredCertificateRequestFailsWithDefaultServerTrustPolicy() {
|
|
|
// Given
|
|
|
- let policies = [host: ServerTrustPolicy.performDefaultEvaluation(validateHost: true)]
|
|
|
+ let policies = [expiredHost: ServerTrustPolicy.performDefaultEvaluation(validateHost: true)]
|
|
|
let manager = SessionManager(
|
|
|
configuration: configuration,
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -137,13 +174,44 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+ func testThatRevokedCertificateRequestSucceedsWithDefaultServerTrustPolicy() {
|
|
|
+ // Given
|
|
|
+ let defaultPolicy = ServerTrustPolicy.performDefaultEvaluation(validateHost: true)
|
|
|
+ let policies = [revokedHost: defaultPolicy]
|
|
|
+
|
|
|
+ let manager = SessionManager(
|
|
|
+ configuration: configuration,
|
|
|
+ serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
+ )
|
|
|
+
|
|
|
+ let expectation = self.expectation(description: "\(revokedURLString)")
|
|
|
+ var error: Error?
|
|
|
+
|
|
|
+ // When
|
|
|
+ manager.request(revokedURLString)
|
|
|
+ .response { resp in
|
|
|
+ error = resp.error
|
|
|
+ expectation.fulfill()
|
|
|
+ }
|
|
|
+
|
|
|
+ waitForExpectations(timeout: timeout, handler: nil)
|
|
|
+
|
|
|
+ // Then
|
|
|
+ if #available(iOS 10.1, macOS 10.12, tvOS 10.1, *) {
|
|
|
+ // Apple appears to have started revocation tests as part of default evaluation in 10.1
|
|
|
+ XCTAssertNotNil(error)
|
|
|
+ } else {
|
|
|
+ XCTAssertNil(error)
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
// MARK: Server Trust Policy - Certificate Pinning Tests
|
|
|
|
|
|
func testThatExpiredCertificateRequestFailsWhenPinningLeafCertificateWithCertificateChainValidation() {
|
|
|
// Given
|
|
|
let certificates = [TestCertificates.leaf]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinCertificates(certificates: certificates, validateCertificateChain: true, validateHost: true)
|
|
|
+ expiredHost: .pinCertificates(certificates: certificates, validateCertificateChain: true, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -151,14 +219,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -183,7 +251,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
]
|
|
|
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinCertificates(certificates: certificates, validateCertificateChain: true, validateHost: true)
|
|
|
+ expiredHost: .pinCertificates(certificates: certificates, validateCertificateChain: true, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -191,14 +259,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -217,7 +285,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
// Given
|
|
|
let certificates = [TestCertificates.leaf]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinCertificates(certificates: certificates, validateCertificateChain: false, validateHost: true)
|
|
|
+ expiredHost: .pinCertificates(certificates: certificates, validateCertificateChain: false, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -225,14 +293,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -245,7 +313,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
// Given
|
|
|
let certificates = [TestCertificates.intermediateCA2]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinCertificates(certificates: certificates, validateCertificateChain: false, validateHost: true)
|
|
|
+ expiredHost: .pinCertificates(certificates: certificates, validateCertificateChain: false, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -253,14 +321,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -273,7 +341,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
// Given
|
|
|
let certificates = [TestCertificates.rootCA]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinCertificates(certificates: certificates, validateCertificateChain: false, validateHost: true)
|
|
|
+ expiredHost: .pinCertificates(certificates: certificates, validateCertificateChain: false, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -281,14 +349,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -311,7 +379,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
// Given
|
|
|
let publicKeys = [TestPublicKeys.leaf]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: true, validateHost: true)
|
|
|
+ expiredHost: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: true, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -319,14 +387,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -345,7 +413,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
// Given
|
|
|
let publicKeys = [TestPublicKeys.leaf]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
|
|
|
+ expiredHost: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -353,14 +421,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -373,7 +441,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
// Given
|
|
|
let publicKeys = [TestPublicKeys.intermediateCA2]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
|
|
|
+ expiredHost: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -381,14 +449,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -401,7 +469,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
// Given
|
|
|
let publicKeys = [TestPublicKeys.rootCA]
|
|
|
let policies: [String: ServerTrustPolicy] = [
|
|
|
- host: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
|
|
|
+ expiredHost: .pinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
|
|
|
]
|
|
|
|
|
|
let manager = SessionManager(
|
|
|
@@ -409,14 +477,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -437,20 +505,20 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
|
|
|
func testThatExpiredCertificateRequestSucceedsWhenDisablingEvaluation() {
|
|
|
// Given
|
|
|
- let policies = [host: ServerTrustPolicy.disableEvaluation]
|
|
|
+ let policies = [expiredHost: ServerTrustPolicy.disableEvaluation]
|
|
|
let manager = SessionManager(
|
|
|
configuration: configuration,
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -464,7 +532,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
func testThatExpiredCertificateRequestSucceedsWhenCustomEvaluationReturnsTrue() {
|
|
|
// Given
|
|
|
let policies = [
|
|
|
- host: ServerTrustPolicy.customEvaluation { _, _ in
|
|
|
+ expiredHost: ServerTrustPolicy.customEvaluation { _, _ in
|
|
|
// Implement a custom evaluation routine here...
|
|
|
return true
|
|
|
}
|
|
|
@@ -475,14 +543,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
|
|
@@ -494,7 +562,7 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
func testThatExpiredCertificateRequestFailsWhenCustomEvaluationReturnsFalse() {
|
|
|
// Given
|
|
|
let policies = [
|
|
|
- host: ServerTrustPolicy.customEvaluation { _, _ in
|
|
|
+ expiredHost: ServerTrustPolicy.customEvaluation { _, _ in
|
|
|
// Implement a custom evaluation routine here...
|
|
|
return false
|
|
|
}
|
|
|
@@ -505,14 +573,14 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
|
|
|
serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
|
|
|
)
|
|
|
|
|
|
- weak var expectation = self.expectation(description: "\(urlString)")
|
|
|
+ let expectation = self.expectation(description: "\(expiredURLString)")
|
|
|
var error: Error?
|
|
|
|
|
|
// When
|
|
|
- manager.request(urlString)
|
|
|
+ manager.request(expiredURLString)
|
|
|
.response { resp in
|
|
|
error = resp.error
|
|
|
- expectation?.fulfill()
|
|
|
+ expectation.fulfill()
|
|
|
}
|
|
|
|
|
|
waitForExpectations(timeout: timeout, handler: nil)
|
Christian Noon