Added new server trust policy: Revocation

Source/ServerTrustPolicy.swift

@@ -102,13 +102,18 @@ extension URLSession {
 ///                             Applications are encouraged to always validate the host and require a valid certificate
 ///                             chain in production environments.
 ///
+/// - performRevokedEvaluation: Uses the default server trust evaluation while allowing you to control whether to
+///                             validate the host provided by the challenge. And this option also check status of revoked
+///                             server certificate.
+///
 /// - disableEvaluation:        Disables all evaluation which in turn will always consider any server trust as valid.
 ///
 /// - customEvaluation:         Uses the associated closure to evaluate the validity of the server trust.
 public enum ServerTrustPolicy {
     case performDefaultEvaluation(validateHost: Bool)
     case pinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
     case pinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
+    case performRevokedEvaluation(validateHost: Bool, revocationFlags: CFOptionFlags)
     case disableEvaluation
     case customEvaluation((_ serverTrust: SecTrust, _ host: String) -> Bool)
 
@@ -214,6 +219,12 @@ public enum ServerTrustPolicy {
                     }
                 }
             }
+        case let .performRevokedEvaluation(validateHost, revocationFlags):
+            let policyDefault = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
+            let policyRevoked = SecPolicyCreateRevocation(revocationFlags)
+            SecTrustSetPolicies(serverTrust, [policyDefault, policyRevoked] as CFTypeRef)
+
+            serverTrustIsValid = trustIsValid(serverTrust)
         case .disableEvaluation:
             serverTrustIsValid = true
         case let .customEvaluation(closure):

Tests/ServerTrustPolicyTests.swift

@@ -1325,6 +1325,173 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
     }
 }
 
+// MARK: - Server Revoke Policy Tests -
+
+class ServerTrustPolicyPerformRevokedEvaluationTestCase: ServerTrustPolicyTestCase {
+
+    // MARK: Do NOT Validate Host
+
+    func testThatValidCertificateChainPassesEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSName.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: false, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatNonAnchoredRootCertificateChainFailsEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.trustWithCertificates([
+            TestCertificates.leafValidDNSName,
+            TestCertificates.intermediateCA2
+            ])
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: false, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingDNSNameLeafCertificatePassesEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafMissingDNSNameAndURI.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: false, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatExpiredCertificateChainFailsEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafExpired.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: false, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingIntermediateCertificateInChainFailsEvaluationWithoutHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSNameMissingIntermediate.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: false, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    // MARK: Validate Host
+
+    func testThatValidCertificateChainPassesEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSName.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: true, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatNonAnchoredRootCertificateChainFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.trustWithCertificates([
+            TestCertificates.leafValidDNSName,
+            TestCertificates.intermediateCA2
+            ])
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: true, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingDNSNameLeafCertificateFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafMissingDNSNameAndURI.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: true, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatWildcardedLeafCertificateChainPassesEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafWildcard.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: true, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should pass evaluation")
+    }
+
+    func testThatExpiredCertificateChainFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafExpired.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: true, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+
+    func testThatMissingIntermediateCertificateInChainFailsEvaluationWithHostValidation() {
+        // Given
+        let host = "test.alamofire.org"
+        let serverTrust = TestTrusts.leafValidDNSNameMissingIntermediate.trust
+        let serverTrustPolicy = ServerTrustPolicy.performRevokedEvaluation(validateHost: true, revocationFlags: kSecRevocationRequirePositiveResponse)
+
+        // When
+        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
+        let serverTrustIsValid = serverTrustPolicy.evaluate(serverTrust, forHost: host)
+
+        // Then
+        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
+    }
+}
+
 // MARK: -
 
 class ServerTrustPolicyDisableEvaluationTestCase: ServerTrustPolicyTestCase {