Home Explore Help
Sign In
mirror
/
Alamofire
mirror of https://github.com/Alamofire/Alamofire.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Add tests around certificate pinning without validating certificate chain.

Christian Noon 10 years ago
parent
a1ea73189b
commit
b8f30a9ed6
1 changed files with 176 additions and 4 deletions
Split View Show Diff Stats
  1. 176 4
      Tests/ServerTrustPolicyTests.swift

+ 176 - 4
Tests/ServerTrustPolicyTests.swift
View File 

@@ -414,7 +414,7 @@ class ServerTrustPolicyExplorationSSLPolicyValidationTestCase: ServerTrustPolicy
 
 
 class ServerTrustPolicyPerformDefaultEvaluationTestCase: ServerTrustPolicyTestCase {
 
 
-    // MARK: Without Host Validation
 
+    // MARK: Do NOT Validate Host
 
 
     func testThatValidCertificateChainPassesEvaluationWithoutHostValidation() {
 
         // Given
 
@@ -485,7 +485,7 @@ class ServerTrustPolicyPerformDefaultEvaluationTestCase: ServerTrustPolicyTestCa
 
         XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
 
     }
 
 
-    // MARK: With Host Validation
 
+    // MARK: Validate Host
 
 
     func testThatValidCertificateChainPassesEvaluationWithHostValidation() {
 
         // Given
 
@@ -575,7 +575,7 @@ class ServerTrustPolicyPerformDefaultEvaluationTestCase: ServerTrustPolicyTestCa
 
 
 class ServerTrustPolicyPinCertificatesTestCase: ServerTrustPolicyTestCase {
 
 
-    // MARK: Without Host Validation
 
+    // MARK: Validate Certificate Chain Without Validating Host
 
 
     func testThatPinnedLeafCertificatePassesEvaluationWithoutHostValidation() {
 
         // Given
 
@@ -703,7 +703,7 @@ class ServerTrustPolicyPinCertificatesTestCase: ServerTrustPolicyTestCase {
 
         XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
 
     }
 
 
-    // MARK: With Host Validation
 
+    // MARK: Validate Certificate Chain and Host
 
 
     func testThatPinnedLeafCertificatePassesEvaluationWithHostValidation() {
 
         // Given
 
@@ -830,6 +830,178 @@ class ServerTrustPolicyPinCertificatesTestCase: ServerTrustPolicyTestCase {
 
         // Then
 
         XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
 
     }
 
+
 
+    // MARK: Do NOT Validate Certificate Chain or Host
 
+
 
+    func testThatPinnedLeafCertificateWithoutCertificateChainValidationPassesEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafValidDNSName.trust
 
+        let certificates = [TestCertificates.LeafValidDNSName]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
 
+    }
 
+
 
+    func testThatPinnedIntermediateCertificateWithoutCertificateChainValidationPassesEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafValidDNSName.trust
 
+        let certificates = [TestCertificates.IntermediateCA2]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
 
+    }
 
+
 
+    func testThatPinnedRootCertificateWithoutCertificateChainValidationPassesEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafValidDNSName.trust
 
+        let certificates = [TestCertificates.RootCA]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
 
+    }
 
+
 
+    func testThatPinningLeafCertificateNotInCertificateChainWithoutCertificateChainValidationFailsEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafValidDNSName.trust
 
+        let certificates = [TestCertificates.LeafSignedByCA2]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
 
+    }
 
+
 
+    func testThatPinningIntermediateCertificateNotInCertificateChainWithoutCertificateChainValidationFailsEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafValidDNSName.trust
 
+        let certificates = [TestCertificates.IntermediateCA1]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
 
+    }
 
+
 
+    func testThatPinningExpiredLeafCertificateWithoutCertificateChainValidationPassesEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafExpired.trust
 
+        let certificates = [TestCertificates.LeafExpired]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
 
+    }
 
+
 
+    func testThatPinningIntermediateCertificateWithExpiredLeafCertificateWithoutCertificateChainValidationPassesEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafExpired.trust
 
+        let certificates = [TestCertificates.IntermediateCA2]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+        
+        // Then
 
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
 
+    }
 
+
 
+    func testThatPinningRootCertificateWithExpiredLeafCertificateWithoutCertificateChainValidationPassesEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafExpired.trust
 
+        let certificates = [TestCertificates.RootCA]
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
 
+    }
 
+
 
+    func testThatPinningMultipleCertificatesWithoutCertificateChainValidationPassesEvaluation() {
 
+        // Given
 
+        let host = "test.alamofire.org"
 
+        let serverTrust = TestTrusts.LeafExpired.trust
 
+
 
+        let certificates = [
 
+            TestCertificates.LeafMultipleDNSNames, // not in certificate chain
 
+            TestCertificates.LeafSignedByCA1,      // not in certificate chain
 
+            TestCertificates.LeafExpired,          // in certificate chain 👍🏼👍🏼
 
+            TestCertificates.LeafWildcard,         // not in certificate chain
 
+            TestCertificates.LeafDNSNameAndURI,    // not in certificate chain
 
+        ]
 
+
 
+        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(
 
+            certificates: certificates,
 
+            validateCertificateChain: false,
 
+            validateHost: false
 
+        )
 
+
 
+        // When
 
+        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)
 
+
 
+        // Then
 
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
 
+    }
 
 }
 
 
 // MARK: -