[apple/security.git] / OSX / sec / securityd / SecTrustServer.h

/*
 * Copyright (c) 2008-2009,2012-2014,2017 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 *
 * SecTrustServer.h - certificate trust evaluation engine
 *
 *
 */

#ifndef _SECURITY_SECTRUSTSERVER_H_
#define _SECURITY_SECTRUSTSERVER_H_

#include <CoreFoundation/CFString.h>

#include <Security/SecTrust.h>
#include <Security/SecBasePriv.h> /* For errSecWaitForCallback. */
#include <securityd/SecCertificateServer.h>
#include <securityd/SecCertificateSource.h>
#include <mach/port.h>

__BEGIN_DECLS

/* CRLs only implemented for macOS for legacy compatibility purposes using
 * ocspd's (legacy) interfaces */
#define ENABLE_CRLS TARGET_OS_OSX

typedef struct SecPathBuilder *SecPathBuilderRef;

typedef struct OpaqueSecPVC *SecPVCRef;

struct OpaqueSecPVC {
    SecPathBuilderRef builder;
    CFArrayRef policies;
    CFDictionaryRef callbacks;
    CFIndex policyIX;
    bool require_revocation_response;

    CFArrayRef leafDetails;
    SecTrustResultType leafResult;

    CFArrayRef details;
    SecTrustResultType result;
};

/* Completion callback. */
typedef void(*SecPathBuilderCompleted)(const void *userData,
    CFArrayRef chain, CFArrayRef details, CFDictionaryRef info,
    SecTrustResultType result);

/* Returns a new trust path builder and policy evaluation engine instance. */
SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
    CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
    bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponse,
    CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs,
    CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions,
    SecPathBuilderCompleted completed, const void *userData);

/* Returns true if it's ok to perform network operations for this builder. */
bool SecPathBuilderCanAccessNetwork(SecPathBuilderRef builder);

/* Disable or enable network access for this builder if allow is false
   network access will be disabled. */
void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow);

/* Get the stapled SCTs */
CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef builder);
CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder);
CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder);

CFSetRef SecPathBuilderGetAllPaths(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetPath(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder);
CFAbsoluteTime SecPathBuilderGetVerifyTime(SecPathBuilderRef builder);
CFIndex SecPathBuilderGetCertificateCount(SecPathBuilderRef builder);
SecCertificateRef SecPathBuilderGetCertificateAtIndex(SecPathBuilderRef builder, CFIndex ix);
CFArrayRef SecPathBuilderGetExceptions(SecPathBuilderRef builder);
bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder);

/* Returns the isAnchored status of the path. The path builder sets isAnchored
 * based solely on whether the terminating cert has some sort of trust setting
 * on it. This check does NOT reflect whether that anchor is actually trusted,
 * as trust in an anchor is contextual to the policy being validated. */
bool SecPathBuilderIsAnchored(SecPathBuilderRef builder);
bool SecPathBuilderIsAnchorSource(SecPathBuilderRef builder, SecCertificateSourceRef source);
SecCertificateSourceRef SecPathBuilderGetAppAnchorSource(SecPathBuilderRef builder);

CFIndex SecPathBuilderGetPVCCount(SecPathBuilderRef builder);
SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix);

/* Returns the first PVC that passed */
SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder);

void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key,
                                   CFIndex ix, CFTypeRef result, bool force);

/* This is a pre-decrement operation */
unsigned int SecPathBuilderDecrementAsyncJobCount(SecPathBuilderRef builder);
void SecPathBuilderSetAsyncJobCount(SecPathBuilderRef builder, unsigned int jobCount);

CFMutableDictionaryRef SecPathBuilderGetInfo(SecPathBuilderRef builder);

/* Enable revocation checking if the rest of the policy checks succeed. */
CFStringRef SecPathBuilderGetRevocationMethod(SecPathBuilderRef builder);
void SecPathBuilderSetRevocationMethod(SecPathBuilderRef builder, CFStringRef method);

/* Require a online revocation response for the chain. */
bool SecPathBuilderGetCheckRevocationOnline(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationOnline(SecPathBuilderRef builder);

/* Only do networking for revocation if the chain is trusted */
bool SecPathBuilderGetCheckRevocationIfTrusted(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationIfTrusted(SecPathBuilderRef builder);

/* Core of the trust evaluation engine, this will invoke the completed
   callback and return false if the evaluation completed, or return true if
   the evaluation is still waiting for some external event (usually the
   network). */
bool SecPathBuilderStep(SecPathBuilderRef builder);

/* Return the dispatch queue to be used by this builder. */
dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);

/* Return the client audit token associated with this path builder,
   which caller must release, or NULL if there is no external client. */
CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);

/* Evaluate trust and call evaluated when done. */
void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error));

/* Synchronously invoke SecTrustServerEvaluateBlock. */
SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);

/* TrustAnalytics builder types */
typedef CF_OPTIONS(uint8_t, TA_SCTSource) {
    TA_SCTEmbedded  = 1 << 0,
    TA_SCT_OCSP     = 1 << 1,
    TA_SCT_TLS      = 1 << 2,
};

typedef CF_OPTIONS(uint8_t, TAValidStatus) {
    TAValidDefinitelyOK          = 1 << 0,
    TAValidProbablyOK            = 1 << 1,
    TAValidProbablyRevoked       = 1 << 2,
    TAValidDefinitelyRevoked     = 1 << 3,
    TAValidDateConstrainedOK     = 1 << 4,
    TAValidDateContrainedRevoked = 1 << 5,
};

typedef struct {
    uint64_t start_time;
    // Certificate Transparency
    TA_SCTSource sct_sources;
    uint32_t number_scts;
    uint32_t number_trusted_scts;
    size_t total_sct_size;
    // CAIssuer
    bool ca_issuer_cache_hit;
    bool ca_issuer_network;
    uint32_t ca_issuer_fetches;
    uint64_t ca_issuer_fetch_time;
    uint32_t ca_issuer_fetch_failed;
    bool ca_issuer_unsupported_data;
    bool ca_issuer_multiple_certs;
    // OCSP
    bool ocsp_no_check;
    bool ocsp_cache_hit;
    bool ocsp_network;
    uint32_t ocsp_fetches;
    uint64_t ocsp_fetch_time;
    uint32_t ocsp_fetch_failed;
    bool ocsp_validation_failed;
#if ENABLE_CRLS
    // CRLs
    bool crl_client;
    bool crl_cert;
    uint32_t crl_fetches;
    uint64_t crl_fetch_time;
    uint32_t crl_fetch_failed;
#endif
    // Valid
    TAValidStatus valid_status;
    bool valid_trigger_ocsp;
    bool valid_require_ct;
} TrustAnalyticsBuilder;

TrustAnalyticsBuilder *SecPathBuilderGetAnalyticsData(SecPathBuilderRef builder);

__END_DECLS

#endif /* !_SECURITY_SECTRUSTSERVER_H_ */
Commit	Line	Data
b1ab9ed8	1	/*
866f8763	2	* Copyright (c) 2008-2009,2012-2014,2017 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
b1ab9ed8 A	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*
	23	* SecTrustServer.h - certificate trust evaluation engine
	24	*
b1ab9ed8 A	25	*
	26	*/
	27
	28	#ifndef _SECURITY_SECTRUSTSERVER_H_
	29	#define _SECURITY_SECTRUSTSERVER_H_
	30
	31	#include <CoreFoundation/CFString.h>
	32
b1ab9ed8 A	33	#include <Security/SecTrust.h>
b1ab9ed8 A	34	#include <Security/SecBasePriv.h> /* For errSecWaitForCallback. */
866f8763 A	35	#include <securityd/SecCertificateServer.h>
866f8763 A	36	#include <securityd/SecCertificateSource.h>
b1ab9ed8 A	37	#include <mach/port.h>
b1ab9ed8 A	38
427c49bc	39	__BEGIN_DECLS
b1ab9ed8	40
ecaf5866 A	41	/* CRLs only implemented for macOS for legacy compatibility purposes using
	42	* ocspd's (legacy) interfaces */
	43	#define ENABLE_CRLS TARGET_OS_OSX
	44
b1ab9ed8 A	45	typedef struct SecPathBuilder *SecPathBuilderRef;
b1ab9ed8 A	46
866f8763 A	47	typedef struct OpaqueSecPVC *SecPVCRef;
	48
	49	struct OpaqueSecPVC {
	50	SecPathBuilderRef builder;
	51	CFArrayRef policies;
	52	CFDictionaryRef callbacks;
	53	CFIndex policyIX;
	54	bool require_revocation_response;
	55
	56	CFArrayRef leafDetails;
	57	SecTrustResultType leafResult;
	58
	59	CFArrayRef details;
	60	SecTrustResultType result;
	61	};
	62
8a50f688	63	/* Completion callback. */
b1ab9ed8	64	typedef void(SecPathBuilderCompleted)(const void userData,
ecaf5866	65	CFArrayRef chain, CFArrayRef details, CFDictionaryRef info,
b1ab9ed8 A	66	SecTrustResultType result);
	67
	68	/* Returns a new trust path builder and policy evaluation engine instance. */
5c19dc3a A	69	SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
5c19dc3a A	70	CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
fa7225c8	71	bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponse,
5c19dc3a	72	CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs,
866f8763	73	CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions,
b1ab9ed8 A	74	SecPathBuilderCompleted completed, const void *userData);
	75
	76	/* Returns true if it's ok to perform network operations for this builder. */
	77	bool SecPathBuilderCanAccessNetwork(SecPathBuilderRef builder);
	78
	79	/* Disable or enable network access for this builder if allow is false
	80	network access will be disabled. */
	81	void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow);
	82
5c19dc3a A	83	/* Get the stapled SCTs */
	84	CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef builder);
	85	CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder);
	86	CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder);
	87
ecaf5866	88	CFSetRef SecPathBuilderGetAllPaths(SecPathBuilderRef builder);
866f8763 A	89	SecCertificatePathVCRef SecPathBuilderGetPath(SecPathBuilderRef builder);
	90	SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder);
	91	CFAbsoluteTime SecPathBuilderGetVerifyTime(SecPathBuilderRef builder);
	92	CFIndex SecPathBuilderGetCertificateCount(SecPathBuilderRef builder);
	93	SecCertificateRef SecPathBuilderGetCertificateAtIndex(SecPathBuilderRef builder, CFIndex ix);
	94	CFArrayRef SecPathBuilderGetExceptions(SecPathBuilderRef builder);
8a50f688	95	bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder);
866f8763 A	96
	97	/* Returns the isAnchored status of the path. The path builder sets isAnchored
	98	* based solely on whether the terminating cert has some sort of trust setting
	99	* on it. This check does NOT reflect whether that anchor is actually trusted,
	100	* as trust in an anchor is contextual to the policy being validated. */
	101	bool SecPathBuilderIsAnchored(SecPathBuilderRef builder);
	102	bool SecPathBuilderIsAnchorSource(SecPathBuilderRef builder, SecCertificateSourceRef source);
ecaf5866	103	SecCertificateSourceRef SecPathBuilderGetAppAnchorSource(SecPathBuilderRef builder);
866f8763 A	104
	105	CFIndex SecPathBuilderGetPVCCount(SecPathBuilderRef builder);
	106	SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix);
	107
ecaf5866 A	108	/* Returns the first PVC that passed */
	109	SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder);
	110
866f8763	111	void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key,
ecaf5866	112	CFIndex ix, CFTypeRef result, bool force);
866f8763 A	113
	114	/* This is a pre-decrement operation */
	115	unsigned int SecPathBuilderDecrementAsyncJobCount(SecPathBuilderRef builder);
	116	void SecPathBuilderSetAsyncJobCount(SecPathBuilderRef builder, unsigned int jobCount);
	117
	118	CFMutableDictionaryRef SecPathBuilderGetInfo(SecPathBuilderRef builder);
	119
	120	/* Enable revocation checking if the rest of the policy checks succeed. */
	121	CFStringRef SecPathBuilderGetRevocationMethod(SecPathBuilderRef builder);
	122	void SecPathBuilderSetRevocationMethod(SecPathBuilderRef builder, CFStringRef method);
	123
	124	/* Require a online revocation response for the chain. */
	125	bool SecPathBuilderGetCheckRevocationOnline(SecPathBuilderRef builder);
	126	void SecPathBuilderSetCheckRevocationOnline(SecPathBuilderRef builder);
	127
29734401 A	128	/* Only do networking for revocation if the chain is trusted */
	129	bool SecPathBuilderGetCheckRevocationIfTrusted(SecPathBuilderRef builder);
	130	void SecPathBuilderSetCheckRevocationIfTrusted(SecPathBuilderRef builder);
	131
b1ab9ed8 A	132	/* Core of the trust evaluation engine, this will invoke the completed
	133	callback and return false if the evaluation completed, or return true if
	134	the evaluation is still waiting for some external event (usually the
	135	network). */
	136	bool SecPathBuilderStep(SecPathBuilderRef builder);
	137
427c49bc A	138	/* Return the dispatch queue to be used by this builder. */
427c49bc A	139	dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);
b1ab9ed8	140
5c19dc3a A	141	/* Return the client audit token associated with this path builder,
	142	which caller must release, or NULL if there is no external client. */
	143	CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);
	144
427c49bc	145	/* Evaluate trust and call evaluated when done. */
ecaf5866	146	void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error));
427c49bc A	147
427c49bc A	148	/* Synchronously invoke SecTrustServerEvaluateBlock. */
ecaf5866 A	149	SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error);
	150
	151	/* TrustAnalytics builder types */
	152	typedef CF_OPTIONS(uint8_t, TA_SCTSource) {
	153	TA_SCTEmbedded = 1 << 0,
	154	TA_SCT_OCSP = 1 << 1,
	155	TA_SCT_TLS = 1 << 2,
	156	};
	157
	158	typedef CF_OPTIONS(uint8_t, TAValidStatus) {
	159	TAValidDefinitelyOK = 1 << 0,
	160	TAValidProbablyOK = 1 << 1,
	161	TAValidProbablyRevoked = 1 << 2,
	162	TAValidDefinitelyRevoked = 1 << 3,
	163	TAValidDateConstrainedOK = 1 << 4,
	164	TAValidDateContrainedRevoked = 1 << 5,
	165	};
b1ab9ed8	166
ecaf5866 A	167	typedef struct {
	168	uint64_t start_time;
	169	// Certificate Transparency
	170	TA_SCTSource sct_sources;
	171	uint32_t number_scts;
	172	uint32_t number_trusted_scts;
	173	size_t total_sct_size;
	174	// CAIssuer
	175	bool ca_issuer_cache_hit;
	176	bool ca_issuer_network;
	177	uint32_t ca_issuer_fetches;
	178	uint64_t ca_issuer_fetch_time;
	179	uint32_t ca_issuer_fetch_failed;
	180	bool ca_issuer_unsupported_data;
	181	bool ca_issuer_multiple_certs;
	182	// OCSP
	183	bool ocsp_no_check;
	184	bool ocsp_cache_hit;
	185	bool ocsp_network;
	186	uint32_t ocsp_fetches;
	187	uint64_t ocsp_fetch_time;
	188	uint32_t ocsp_fetch_failed;
	189	bool ocsp_validation_failed;
	190	#if ENABLE_CRLS
	191	// CRLs
	192	bool crl_client;
	193	bool crl_cert;
	194	uint32_t crl_fetches;
	195	uint64_t crl_fetch_time;
	196	uint32_t crl_fetch_failed;
	197	#endif
	198	// Valid
	199	TAValidStatus valid_status;
	200	bool valid_trigger_ocsp;
	201	bool valid_require_ct;
	202	} TrustAnalyticsBuilder;
	203
	204	TrustAnalyticsBuilder *SecPathBuilderGetAnalyticsData(SecPathBuilderRef builder);
b1ab9ed8	205
427c49bc	206	__END_DECLS
b1ab9ed8 A	207
b1ab9ed8 A	208	#endif /* !_SECURITY_SECTRUSTSERVER_H_ */