
Added server trust policy tests for revoked evaluation with varied host validation.

WataruSuzuki 9 years ago
parent
commit
e8282c9857
1 changed files with 200 additions and 0 deletions
  1. 200 0
      Tests/ServerTrustPolicyTests.swift

+ 200 - 0
Tests/ServerTrustPolicyTests.swift

@@ -579,6 +579,206 @@ class ServerTrustPolicyPerformDefaultEvaluationTestCase: ServerTrustPolicyTestCa
 
 // MARK: -
 
+class ServerTrustPolicyPerformRevokedEvaluationTestCase: ServerTrustPolicyTestCase {
+
+    // MARK: Do NOT Validate Host
+
+    func testThatValidCertificateChainPassesEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSName.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: false,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
+    }
+
+    func testThatNonAnchoredRootCertificateChainFailsEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.trustWithCertificates([
+            TestCertificates.leafValidDNSName,
+            TestCertificates.intermediateCA2
+        ])
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: false,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingDNSNameLeafCertificatePassesEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafMissingDNSNameAndURI.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: false,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
+    }
+
+    func testThatExpiredCertificateChainFailsEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafExpired.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: false,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingIntermediateCertificateInChainFailsEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSNameMissingIntermediate.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: false,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    // MARK: Validate Host
+
+    func testThatValidCertificateChainPassesEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSName.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: true,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
+    }
+
+    func testThatNonAnchoredRootCertificateChainFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.trustWithCertificates([
+            TestCertificates.leafValidDNSName,
+            TestCertificates.intermediateCA2
+        ])
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: true,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingDNSNameLeafCertificateFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafMissingDNSNameAndURI.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: true,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatWildcardedLeafCertificateChainPassesEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafWildcard.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: true,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
+    }
+
+    func testThatExpiredCertificateChainFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafExpired.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: true,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingIntermediateCertificateInChainFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSNameMissingIntermediate.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(
+            validateHost: true,
+            revocationFlags: kSecRevocationUseAnyAvailableMethod
+        )
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+}
+
+// MARK: -
+
 class ServerTrustPolicyPinCertificatesTestCase: ServerTrustPolicyTestCase {
 
     // MARK: Validate Certificate Chain Without Validating Host
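Review bot: None of the ten new cases in ServerTrustPolicyPerformRevokedEvaluationTestCase uses a revoked certificate, so the class only shows that performRevokedEvaluation agrees with the default evaluation on the existing fixtures and never asserts that a revoked leaf or intermediate is rejected, which is the property this policy exists for. Every case also passes only kSecRevocationUseAnyAvailableMethod; as far as I can tell that flag alone does not require a positive OCSP/CRL answer, so a green run here cannot distinguish "not revoked" from "revocation status never obtained" (it may also depend on network reachability in CI, which the tests do not control). A revoked fixture is not part of this commit, so at minimum the class should say so at its head, e.g. `// NOTE: fixtures below are all unrevoked; these cases cover chain/host handling under the revoked policy, not revocation enforcement itself`, and a follow-up should add a revoked-leaf case plus a case pairing kSecRevocationUseAnyAvailableMethod with kSecRevocationRequirePositiveResponse to pin the fail-closed behavior. As a point of style, each body differs from its sibling in ServerTrustPolicyPerformDefaultEvaluationTestCase only by the policy constructor, so a small helper taking the policy and expected outcome would keep the two classes from drifting.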