| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529 |
- //
- // TLSEvaluationTests.swift
- //
- // Copyright (c) 2014-2018 Alamofire Software Foundation (http://alamofire.org/)
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy
- // of this software and associated documentation files (the "Software"), to deal
- // in the Software without restriction, including without limitation the rights
- // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- // copies of the Software, and to permit persons to whom the Software is
- // furnished to do so, subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in
- // all copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- // THE SOFTWARE.
- //
- import Alamofire
- import Foundation
- import XCTest
- private struct TestCertificates {
- static let rootCA = TestCertificates.certificate(filename: "expired.badssl.com-root-ca")
- static let intermediateCA1 = TestCertificates.certificate(filename: "expired.badssl.com-intermediate-ca-1")
- static let intermediateCA2 = TestCertificates.certificate(filename: "expired.badssl.com-intermediate-ca-2")
- static let leaf = TestCertificates.certificate(filename: "expired.badssl.com-leaf")
- static func certificate(filename: String) -> SecCertificate {
- class Locator {}
- let filePath = Bundle(for: Locator.self).path(forResource: filename, ofType: "cer")!
- let data = try! Data(contentsOf: URL(fileURLWithPath: filePath))
- let certificate = SecCertificateCreateWithData(nil, data as CFData)!
- return certificate
- }
- }
- // MARK: -
- final class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
- private let expiredURLString = "https://expired.badssl.com/"
- private let expiredHost = "expired.badssl.com"
- private let revokedURLString = "https://revoked.badssl.com"
- private let revokedHost = "revoked.badssl.com"
- private var configuration: URLSessionConfiguration!
- // MARK: Setup and Teardown
- override func setUp() {
- super.setUp()
- configuration = URLSessionConfiguration.ephemeral
- configuration.urlCache = nil
- configuration.urlCredentialStorage = nil
- }
- // MARK: Default Behavior Tests
- func testThatExpiredCertificateRequestFailsWithNoServerTrustPolicy() {
- // Given
- let expectation = self.expectation(description: "\(expiredURLString)")
- let manager = Session(configuration: configuration)
- var error: AFError?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNotNil(error)
- if let error = error?.underlyingError as? URLError {
- XCTAssertEqual(error.code, .serverCertificateUntrusted)
- } else if let error = error?.underlyingError as NSError? {
- XCTAssertEqual(error.domain, kCFErrorDomainCFNetwork as String)
- XCTAssertEqual(error.code, Int(CFNetworkErrors.cfErrorHTTPSProxyConnectionFailure.rawValue))
- } else {
- XCTFail("error should be a URLError or NSError from CFNetwork")
- }
- }
- func disabled_testRevokedCertificateRequestBehaviorWithNoServerTrustPolicy() {
- // Disabled due to the instability of due revocation testing of default evaluation from all platforms. This
- // test is left for debugging purposes only. Should not be committed into the test suite while enabled.
- // Given
- let expectation = self.expectation(description: "\(revokedURLString)")
- let manager = Session(configuration: configuration)
- var error: Error?
- // When
- manager.request(revokedURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- if #available(iOS 10.1, macOS 10.12, tvOS 10.1, *) {
- // Apple appears to have started revocation tests as part of default evaluation in 10.1
- XCTAssertNotNil(error)
- } else {
- XCTAssertNil(error)
- }
- }
- // MARK: Server Trust Policy - Perform Default Tests
- func testThatExpiredCertificateRequestFailsWithDefaultServerTrustPolicy() {
- // Given
- let evaluators = [expiredHost: DefaultTrustEvaluator(validateHost: true)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: AFError?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNotNil(error, "error should not be nil")
- XCTAssertEqual(error?.isServerTrustEvaluationError, true)
- if case let .serverTrustEvaluationFailed(reason) = error {
- XCTAssertTrue(reason.isHostValidationFailed, "should be .hostValidationFailed")
- } else {
- XCTFail("error should be .serverTrustEvaluationFailed")
- }
- }
- func disabled_testRevokedCertificateRequestBehaviorWithDefaultServerTrustPolicy() {
- // Disabled due to the instability of due revocation testing of default evaluation from all platforms. This
- // test is left for debugging purposes only. Should not be committed into the test suite while enabled.
- // Given
- let defaultPolicy = DefaultTrustEvaluator()
- let evaluators = [revokedHost: defaultPolicy]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(revokedURLString)")
- var error: Error?
- // When
- manager.request(revokedURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- if #available(iOS 10.1, macOS 10.12, tvOS 10.1, *) {
- // Apple appears to have started revocation tests as part of default evaluation in 10.1
- XCTAssertNotNil(error)
- } else {
- XCTAssertNil(error)
- }
- }
- // MARK: Server Trust Policy - Perform Revoked Tests
- func testThatExpiredCertificateRequestFailsWithRevokedServerTrustPolicy() {
- // Given
- let policy = RevocationTrustEvaluator()
- let evaluators = [expiredHost: policy]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: AFError?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNotNil(error, "error should not be nil")
- XCTAssertEqual(error?.isServerTrustEvaluationError, true)
- if case let .serverTrustEvaluationFailed(reason) = error {
- XCTAssertTrue(reason.isDefaultEvaluationFailed, "should be .defaultEvaluationFailed")
- } else {
- XCTFail("error should be .serverTrustEvaluationFailed")
- }
- }
- func testThatRevokedCertificateRequestFailsWithRevokedServerTrustPolicy() {
- // Given
- let policy = RevocationTrustEvaluator()
- let evaluators = [revokedHost: policy]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(revokedURLString)")
- var error: AFError?
- // When
- manager.request(revokedURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNotNil(error, "error should not be nil")
- XCTAssertEqual(error?.isServerTrustEvaluationError, true)
- if case let .serverTrustEvaluationFailed(reason) = error {
- XCTAssertTrue(reason.isDefaultEvaluationFailed, "should be .defaultEvaluationFailed")
- } else {
- XCTFail("error should be .serverTrustEvaluationFailed")
- }
- }
- // MARK: Server Trust Policy - Certificate Pinning Tests
- func testThatExpiredCertificateRequestFailsWhenPinningLeafCertificateWithCertificateChainValidation() {
- // Given
- let certificates = [TestCertificates.leaf]
- let evaluators = [expiredHost: PinnedCertificatesTrustEvaluator(certificates: certificates)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: AFError?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNotNil(error, "error should not be nil")
- XCTAssertEqual(error?.isServerTrustEvaluationError, true)
- if case let .serverTrustEvaluationFailed(reason) = error {
- XCTAssertTrue(reason.isDefaultEvaluationFailed, "should be .defaultEvaluationFailed")
- } else {
- XCTFail("error should be .serverTrustEvaluationFailed")
- }
- }
- func testThatExpiredCertificateRequestFailsWhenPinningAllCertificatesWithCertificateChainValidation() {
- // Given
- let certificates = [TestCertificates.leaf,
- TestCertificates.intermediateCA1,
- TestCertificates.intermediateCA2,
- TestCertificates.rootCA]
- let evaluators = [expiredHost: PinnedCertificatesTrustEvaluator(certificates: certificates)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: AFError?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNotNil(error, "error should not be nil")
- XCTAssertEqual(error?.isServerTrustEvaluationError, true)
- if case let .serverTrustEvaluationFailed(reason) = error {
- XCTAssertTrue(reason.isDefaultEvaluationFailed, "should be .defaultEvaluationFailed")
- } else {
- XCTFail("error should be .serverTrustEvaluationFailed")
- }
- }
- func testThatExpiredCertificateRequestSucceedsWhenPinningLeafCertificateWithoutCertificateChainOrHostValidation() {
- // Given
- let certificates = [TestCertificates.leaf]
- let evaluators = [expiredHost: PinnedCertificatesTrustEvaluator(certificates: certificates, performDefaultValidation: false, validateHost: false)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: Error?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNil(error, "error should be nil")
- }
- func testThatExpiredCertificateRequestSucceedsWhenPinningIntermediateCACertificateWithoutCertificateChainOrHostValidation() {
- // Given
- let certificates = [TestCertificates.intermediateCA2]
- let evaluators = [expiredHost: PinnedCertificatesTrustEvaluator(certificates: certificates, performDefaultValidation: false, validateHost: false)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: Error?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNil(error, "error should be nil")
- }
- func testThatExpiredCertificateRequestSucceedsWhenPinningRootCACertificateWithoutCertificateChainValidation() {
- // Given
- let certificates = [TestCertificates.rootCA]
- let evaluators = [expiredHost: PinnedCertificatesTrustEvaluator(certificates: certificates, performDefaultValidation: false)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: Error?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- if #available(iOS 10.1, macOS 10.12.0, tvOS 10.1, *) {
- XCTAssertNotNil(error, "error should not be nil")
- } else {
- XCTAssertNil(error, "error should be nil")
- }
- }
- // MARK: Server Trust Policy - Public Key Pinning Tests
- func testThatExpiredCertificateRequestFailsWhenPinningLeafPublicKeyWithCertificateChainValidation() {
- // Given
- let keys = [TestCertificates.leaf].af.publicKeys
- let evaluators = [expiredHost: PublicKeysTrustEvaluator(keys: keys)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: AFError?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNotNil(error, "error should not be nil")
- XCTAssertEqual(error?.isServerTrustEvaluationError, true)
- if case let .serverTrustEvaluationFailed(reason) = error {
- XCTAssertTrue(reason.isDefaultEvaluationFailed, "should be .defaultEvaluationFailed")
- } else {
- XCTFail("error should be .serverTrustEvaluationFailed")
- }
- }
- func testThatExpiredCertificateRequestSucceedsWhenPinningLeafPublicKeyWithoutCertificateChainOrHostValidation() {
- // Given
- let keys = [TestCertificates.leaf].af.publicKeys
- let evaluators = [expiredHost: PublicKeysTrustEvaluator(keys: keys, performDefaultValidation: false, validateHost: false)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: Error?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNil(error, "error should be nil")
- }
- func testThatExpiredCertificateRequestSucceedsWhenPinningIntermediateCAPublicKeyWithoutCertificateChainOrHostValidation() {
- // Given
- let keys = [TestCertificates.intermediateCA2].af.publicKeys
- let evaluators = [expiredHost: PublicKeysTrustEvaluator(keys: keys, performDefaultValidation: false, validateHost: false)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: Error?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNil(error, "error should be nil")
- }
- func testThatExpiredCertificateRequestSucceedsWhenPinningRootCAPublicKeyWithoutCertificateChainValidation() {
- // Given
- let keys = [TestCertificates.rootCA].af.publicKeys
- let evaluators = [expiredHost: PublicKeysTrustEvaluator(keys: keys, performDefaultValidation: false, validateHost: false)]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: Error?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- if #available(iOS 10.1, macOS 10.12.0, tvOS 10.1, *) {
- XCTAssertNotNil(error, "error should not be nil")
- } else {
- XCTAssertNil(error, "error should be nil")
- }
- }
- // MARK: Server Trust Policy - Disabling Evaluation Tests
- func testThatExpiredCertificateRequestSucceedsWhenDisablingEvaluation() {
- // Given
- let evaluators = [expiredHost: DisabledEvaluator()]
- let manager = Session(configuration: configuration,
- serverTrustManager: ServerTrustManager(evaluators: evaluators))
- let expectation = self.expectation(description: "\(expiredURLString)")
- var error: Error?
- // When
- manager.request(expiredURLString)
- .response { resp in
- error = resp.error
- expectation.fulfill()
- }
- waitForExpectations(timeout: timeout, handler: nil)
- // Then
- XCTAssertNil(error, "error should be nil")
- }
- }
|
