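--- a/BLIP/BLIPTest.m	Sun Jul 13 10:42:50 2008 -0700
+++ b/BLIP/BLIPTest.m	Wed Apr 22 16:45:39 2009 -0700
@@ -19,10 +19,13 @@
 #import "Logging.h"
 #import "Test.h"
 
-#define HAVE_KEYCHAIN_FRAMEWORK 0
-#if HAVE_KEYCHAIN_FRAMEWORK
-#import <Keychain/Keychain.h>
-#endif
+#import <Security/Security.h>
+#import <SecurityInterface/SFChooseIdentityPanel.h>
+
+@interface TCPEndpoint ()
++ (NSString*) describeCert: (SecCertificateRef)cert;
++ (NSString*) describeIdentity: (SecIdentityRef)identity;
+@end
 
 
 #define kListenerHost @"localhost"
@@ -31,20 +34,41 @@
 #define kNBatchedMessages 20
 #define kUseCompression YES
 #define kUrgentEvery 4
-#define kClientRequiresSSL NO
-#define kClientUsesSSLCert NO
-#define kListenerRequiresSSL NO
-#define kListenerRequiresClientCert NO
 #define kListenerCloseAfter 50
 #define kClientAcceptCloseRequest YES
 
+#define kListenerUsesSSL YES // Does the listener (server) use an SSL connection?
+#define kListenerRequiresClientCert YES // Does the listener require clients to have an SSL cert?
+#define kClientRequiresSSL YES // Does the client require the listener to use SSL?
+#define kClientUsesSSLCert YES // Does the client use an SSL cert?
+
+
+static SecIdentityRef ChooseIdentity( NSString *prompt ) {
+ NSMutableArray *identities = [NSMutableArray array];
+ SecKeychainRef kc;
+ SecKeychainCopyDefault(&kc);
+ SecIdentitySearchRef search;
+ SecIdentitySearchCreate(kc, CSSM_KEYUSE_ANY, &search);
+ SecIdentityRef identity;
+ while (SecIdentitySearchCopyNext(search, &identity) == noErr)
+ [identities addObject: (id)identity];
+ Log(@"Found %u identities -- prompting '%@'", identities.count, prompt);
+ if (identities.count > 0) {
+ SFChooseIdentityPanel *panel = [SFChooseIdentityPanel sharedChooseIdentityPanel];
+ if ([panel runModalForIdentities: identities message: prompt] == NSOKButton) {
+ Log(@"Using SSL identity: %@", panel.identity);
+ return panel.identity;
+ }
+ }
+ return NULL;
+}
 
 static SecIdentityRef GetClientIdentity(void) {
- return NULL; // Make this return a valid identity to test client-side certs
+ return ChooseIdentity(@"Choose an identity for the BLIP Client Test:");
 }
 
 static SecIdentityRef GetListenerIdentity(void) {
- return NULL; // Make this return a valid identity to test client-side certs
+ return ChooseIdentity(@"Choose an identity for the BLIP Listener Test:");
 }
 
 
@@ -75,15 +99,11 @@
 [self release];
 return nil;
 }
- if( kClientRequiresSSL ) {
- _conn.SSLProperties = $mdict({kTCPPropertySSLAllowsAnyRoot, $true});
- if( kClientUsesSSLCert ) {
- SecIdentityRef clientIdentity = GetClientIdentity();
- if( clientIdentity ) {
- [_conn setSSLProperty: $array((id)clientIdentity)
- forKey: kTCPPropertySSLCertificates];
- }
- }
+ if( kClientUsesSSLCert ) {
+ [_conn setPeerToPeerIdentity: GetClientIdentity()];
+ } else if( kClientRequiresSSL ) {
+ _conn.SSLProperties = $mdict({kTCPPropertySSLAllowsAnyRoot, $true},
+ {(id)kCFStreamSSLPeerName, [NSNull null]});
 }
 _conn.delegate = self;
 Log(@"** Opening connection...");
@@ -148,22 +168,20 @@
 }
 - (BOOL) connection: (TCPConnection*)connection authorizeSSLPeer: (SecCertificateRef)peerCert
 {
-#if HAVE_KEYCHAIN_FRAMEWORK
- Certificate *cert = peerCert ?[Certificate certificateWithCertificateRef: peerCert] :nil;
- Log(@"** %@ authorizeSSLPeer: %@",self,cert);
-#else
- Log(@"** %@ authorizeSSLPeer: %@",self,peerCert);
-#endif
+ Log(@"** %@ authorizeSSLPeer: %@",self, [TCPEndpoint describeCert:peerCert]);
 return peerCert != nil;
 }
 - (void) connection: (TCPConnection*)connection failedToOpen: (NSError*)error
 {
- Log(@"** %@ failedToOpen: %@",connection,error);
+ Warn(@"** %@ failedToOpen: %@",connection,error);
 CFRunLoopStop(CFRunLoopGetCurrent());
 }
 - (void) connectionDidClose: (TCPConnection*)connection
 {
- Log(@"** %@ didClose",connection);
+ if (connection.error)
+ Warn(@"** %@ didClose: %@", connection,connection.error);
+ else
+ Log(@"** %@ didClose", connection);
 setObj(&_conn,nil);
 [NSObject cancelPreviousPerformRequestsWithTarget: self];
 CFRunLoopStop(CFRunLoopGetCurrent());
@@ -188,7 +206,7 @@
 const UInt8 *bytes = body.bytes;
 for( size_t i=0; i<size; i++ )
 AssertEq(bytes[i],i % 256);
- AssertEq(size,sizeObj.intValue);
+ AssertEq(size,sizeObj.unsignedIntValue);
 }
 Assert(sizeObj);
 [_pending removeObjectForKey: $object(response.number)];
@@ -207,9 +225,7 @@
 
 
 TestCase(BLIPConnection) {
-#if HAVE_KEYCHAIN_FRAMEWORK
- [Keychain setUserInteractionAllowed: YES];
-#endif
+ SecKeychainSetUserInteractionAllowed(true);
 BLIPConnectionTester *tester = [[BLIPConnectionTester alloc] init];
 CAssert(tester);
 
@@ -244,12 +260,11 @@
 _listener.delegate = self;
 _listener.pickAvailablePort = YES;
 _listener.bonjourServiceType = @"_bliptest._tcp";
- if( kListenerRequiresSSL ) {
- SecIdentityRef listenerIdentity = GetListenerIdentity();
- Assert(listenerIdentity);
- _listener.SSLProperties = $mdict({kTCPPropertySSLCertificates, $array((id)listenerIdentity)},
- {kTCPPropertySSLAllowsAnyRoot,$true},
- {kTCPPropertySSLClientSideAuthentication, $object(kTCPTryAuthenticate)});
+ if( kListenerUsesSSL ) {
+ [_listener setPeerToPeerIdentity: GetListenerIdentity()];
+ if (!kListenerRequiresClientCert)
+ [_listener setSSLProperty: $object(kTCPTryAuthenticate)
+ forKey: kTCPPropertySSLClientSideAuthentication];
 }
 Assert( [_listener open] );
 Log(@"%@ is listening...",self);
@@ -293,12 +308,7 @@
 }
 - (BOOL) connection: (TCPConnection*)connection authorizeSSLPeer: (SecCertificateRef)peerCert
 {
-#if HAVE_KEYCHAIN_FRAMEWORK
- Certificate *cert = peerCert ?[Certificate certificateWithCertificateRef: peerCert] :nil;
- Log(@"** %@ authorizeSSLPeer: %@",connection,cert);
-#else
- Log(@"** %@ authorizeSSLPeer: %@",self,peerCert);
-#endif
+ Log(@"** %@ authorizeSSLPeer: %@",self, [TCPEndpoint describeCert:peerCert]);
 return peerCert != nil || ! kListenerRequiresClientCert;
 }
 - (void) connection: (TCPConnection*)connection failedToOpen: (NSError*)error
@@ -307,7 +317,10 @@
 }
 - (void) connectionDidClose: (TCPConnection*)connection
 {
- Log(@"** %@ didClose",connection);
+ if (connection.error)
+ Warn(@"** %@ didClose: %@", connection,connection.error);
+ else
+ Log(@"** %@ didClose", connection);
 [connection release];
 }
 - (void) connection: (BLIPConnection*)connection receivedRequest: (BLIPRequest*)request
@@ -322,7 +335,7 @@
 
 AssertEqual([request valueOfProperty: @"Content-Type"], @"application/octet-stream");
 Assert([request valueOfProperty: @"User-Agent"] != nil);
- AssertEq([[request valueOfProperty: @"Size"] intValue], size);
+ AssertEq((size_t)[[request valueOfProperty: @"Size"] intValue], size);
 
 [request respondWithData: body contentType: request.contentType];
 
@@ -351,9 +364,7 @@
 EnableLogTo(BLIP,YES);
 EnableLogTo(PortMapper,YES);
 EnableLogTo(Bonjour,YES);
-#if HAVE_KEYCHAIN_FRAMEWORK
- [Keychain setUserInteractionAllowed: YES];
-#endif
+ SecKeychainSetUserInteractionAllowed(true);
 BLIPTestListener *listener = [[BLIPTestListener alloc] init];
 
 [[NSRunLoop currentRunLoop] run];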
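Review bot: ChooseIdentity in the second hunk ignores the OSStatus returned by SecKeychainCopyDefault and SecIdentitySearchCreate, so if either fails the uninitialized `search` is handed to SecIdentitySearchCopyNext. The keychain, the search object and each identity copied out of the search (which the array retains again, since this file is manual-retain code) are also never CFRelease'd. Checking the two status codes and releasing the CF objects once the array owns the identities fixes both, as below. Separately, the client and listener hunks now pass the result of GetClientIdentity()/GetListenerIdentity() straight to setPeerToPeerIdentity:, dropping the previous `if( clientIdentity )` guard and `Assert(listenerIdentity)`; since ChooseIdentity returns NULL when the panel is cancelled, that NULL should be checked (or the listener assert restored) before the connection or listener is opened.
```objc
static SecIdentityRef ChooseIdentity( NSString *prompt ) {
    NSMutableArray *identities = [NSMutableArray array];
    SecKeychainRef kc = NULL;
    if (SecKeychainCopyDefault(&kc) != noErr)
        return NULL;
    SecIdentitySearchRef search = NULL;
    if (SecIdentitySearchCreate(kc, CSSM_KEYUSE_ANY, &search) == noErr) {
        SecIdentityRef identity;
        while (SecIdentitySearchCopyNext(search, &identity) == noErr) {
            [identities addObject: (id)identity];
            CFRelease(identity);   // the array now holds its own retain
        }
        CFRelease(search);
    }
    CFRelease(kc);
    // … unchanged: Log, SFChooseIdentityPanel prompt, return …
}
```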