[apple/security.git] / libsecurity_keychain / lib / SecPolicy.h

/*
 * Copyright (c) 2002-2013 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*!
	@header SecPolicy
	The functions provided in SecPolicy.h provide an interface to various
	X.509 certificate trust policies.
*/

#ifndef _SECURITY_SECPOLICY_H_
#define _SECURITY_SECPOLICY_H_

#include <CoreFoundation/CFBase.h>
#include <CoreFoundation/CFDictionary.h>
#include <Security/SecBase.h>

#if defined(__cplusplus)
extern "C" {
#endif

/*!
	@enum Policy Constants
	@discussion Predefined constants used to specify a policy.
	@constant kSecPolicyAppleX509Basic
	@constant kSecPolicyAppleSSL
	@constant kSecPolicyAppleSMIME
	@constant kSecPolicyAppleEAP
	@constant kSecPolicyAppleIPsec
	@constant kSecPolicyAppleiChat
	@constant kSecPolicyApplePKINITClient
	@constant kSecPolicyApplePKINITServer
	@constant kSecPolicyAppleCodeSigning
	@constant kSecPolicyMacAppStoreReceipt
	@constant kSecPolicyAppleIDValidation
	@constant kSecPolicyAppleTimeStamping
	@constant kSecPolicyAppleRevocation
	@constant kSecPolicyApplePassbookSigning
*/
extern CFTypeRef kSecPolicyAppleX509Basic
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleSSL
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleSMIME
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleEAP
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleIPsec
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleiChat
    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
extern CFTypeRef kSecPolicyApplePKINITClient
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyApplePKINITServer
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyAppleCodeSigning
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyMacAppStoreReceipt
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyAppleIDValidation
    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleTimeStamping
    __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleRevocation
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyApplePassbookSigning
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);

/*!
    @enum Policy Value Constants
    @abstract Predefined property key constants used to get or set values in
        a dictionary for a policy instance.
    @discussion
        All policies will have the following read-only value:
            kSecPolicyOid       (the policy object identifier)

        Additional policy values which your code can optionally set:
            kSecPolicyName      (name which must be matched)
            kSecPolicyClient    (evaluate for client, rather than server)
            kSecPolicyRevocationFlags (only valid for a revocation policy)

    @constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef)
    @constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same)
        containing a name which must be matched in the certificate to satisfy
        this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the
        server name which must match the common name of the certificate.
        For S/MIME, this specifies the RFC822 email address.
        For Passbook signing, this specifies the pass signer.
    @constant kSecPolicyClient Specifies a CFBooleanRef value that indicates
        this evaluation should be for a client certificate. If not set (or
        false), the policy evaluates the certificate as a server certificate.
    @constant kSecPolicyRevocationFlags Specifies a CFNumberRef that holds a
        kCFNumberCFIndexType bitmask value. See "Revocation Policy Constants"
        for a description of individual bits in this value.
    @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
        team identifier which must be matched in the certificate to satisfy
        this policy. For the Passbook signing policy, this string must match
        the Organizational Unit field of the certificate subject.
 */
extern CFTypeRef kSecPolicyOid
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyName
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyClient
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
extern CFTypeRef kSecPolicyRevocationFlags
	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyTeamIdentifier
	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);


/*!
    @function SecPolicyGetTypeID
    @abstract Returns the type identifier of SecPolicy instances.
    @result The CFTypeID of SecPolicy instances.
*/
CFTypeID SecPolicyGetTypeID(void)
	__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);

/*!
    @function SecPolicyCopyProperties
    @abstract Returns a dictionary of this policy's properties.
    @param policyRef A policy reference.
    @result A properties dictionary. See "Policy Value Constants" for a list
    of currently defined property keys. It is the caller's responsibility to
    CFRelease this reference when it is no longer needed.
    @result A result code. See "Security Error Codes" (SecBase.h).
    @discussion This function returns the properties for a policy, as set by the
    policy's construction function or by a prior call to SecPolicySetProperties.
*/
CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef)
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);

/*!
    @function SecPolicyCreateBasicX509
    @abstract Returns a policy object for the default X.509 policy.
    @result A policy object. The caller is responsible for calling CFRelease
    on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateBasicX509(void)
	__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);

/*!
    @function SecPolicyCreateSSL
    @abstract Returns a policy object for evaluating SSL certificate chains.
    @param server Passing true for this parameter creates a policy for SSL
    server certificates.
    @param hostname (Optional) If present, the policy will require the specified
    hostname to match the hostname in the leaf certificate.
    @result A policy object. The caller is responsible for calling CFRelease
    on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef hostname)
	__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);

/*!
	@enum Revocation Policy Constants
	@abstract Predefined constants which allow you to specify how revocation
	checking will be performed for a trust evaluation.
	@constant kSecRevocationOCSPMethod If this flag is set, perform revocation
	checking using OCSP (Online Certificate Status Protocol).
	@constant kSecRevocationCRLMethod If this flag is set, perform revocation
	checking using the CRL (Certificate Revocation List) method.
	@constant kSecRevocationPreferCRL If this flag is set, then CRL revocation
	checking will be preferred over OCSP (by default, OCSP is preferred.)
	Note that this flag only matters if both revocation methods are specified.
	@constant kSecRevocationRequirePositiveResponse If this flag is set, then
	the policy will fail unless a verified positive response is obtained. If
	the flag is not set, revocation checking is done on a "best attempt" basis,
	where failure to reach the server is not considered fatal.
	@constant kSecRevocationNetworkAccessDisabled If this flag is set, then
	no network access is performed; only locally cached replies are consulted.
	@constant kSecRevocationUseAnyAvailableMethod Specifies that either
	OCSP or CRL may be used, depending on the method(s) specified in the
	certificate and the value of kSecRevocationPreferCRL.
 */
enum {
	kSecRevocationOCSPMethod = (1 << 0),
	kSecRevocationCRLMethod = (1 << 1),
	kSecRevocationPreferCRL = (1 << 2),
	kSecRevocationRequirePositiveResponse = (1 << 3),
	kSecRevocationNetworkAccessDisabled = (1 << 4),
	kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod |
		kSecRevocationCRLMethod)
};

/*!
	@function SecPolicyCreateRevocation
	@abstract Returns a policy object for checking revocation of certificates.
	@result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
	@param revocationFlags Flags to specify revocation checking options.
	@discussion Use this function to create a revocation policy with behavior
	specified by revocationFlags. See the "Revocation Policy Constants" section
	for a description of these flags. Note: it is usually not necessary to
	create a revocation policy yourself unless you wish to override default
	system behavior (e.g. to force a particular method, or to disable
	revocation checking entirely.)
*/
SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);

/*!
	@function SecPolicyCreateWithProperties
	@abstract Returns a policy object based on an object identifier for the
	policy type. See the "Policy Constants" section for a list of defined
	policy object identifiers.
	@param policyIdentifier The identifier for the desired policy type.
	@param properties (Optional) A properties dictionary. See "Policy Value
	Constants" for a list of currently defined property keys.
	@result The returned policy reference, or NULL if the policy could not be
	created.
*/
SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
	CFDictionaryRef properties)
	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);


/*
 *  Legacy functions (OS X only)
 */
#if TARGET_OS_MAC && !TARGET_OS_IPHONE
#include <Security/cssmtype.h>

/*!
    @enum Policy Value Constants (OS X)
    @discussion Predefined property key constants used to get or set values in
        a dictionary for a policy instance.

        Some policy values may specify CFBooleanRef key usage constraints:
            kSecPolicyKU_DigitalSignature
            kSecPolicyKU_NonRepudiation
            kSecPolicyKU_KeyEncipherment
            kSecPolicyKU_DataEncipherment
            kSecPolicyKU_KeyAgreement
            kSecPolicyKU_KeyCertSign
            kSecPolicyKU_CRLSign
            kSecPolicyKU_EncipherOnly
            kSecPolicyKU_DecipherOnly

        kSecPolicyKU policy values define certificate-level key purposes,
        in contrast to the key-level definitions in SecItem.h

        For example, a key in a certificate might be acceptable to use for
        signing a CRL, but not for signing another certificate. In either
        case, this key would have the ability to sign (i.e. kSecAttrCanSign
        is true), but may only sign for specific purposes allowed by these
        policy constants. Similarly, a public key might have the capability
        to perform encryption or decryption, but the certificate in which it
        resides might have a decipher-only certificate policy.

        These constants correspond to values defined in RFC 5280, section
        4.2.1.3 (Key Usage) which define the purpose of a key contained in a
        certificate, in contrast to section 4.1.2.7 which define the uses that
        a key is capable of.

        Note: these constants are not available on iOS. Your code should
        avoid direct reliance on these values for making policy decisions
        and use higher level policies where possible.

    @constant kSecPolicyKU_DigitalSignature Specifies that the certificate must
        have a key usage that allows it to be used for signing.
    @constant kSecPolicyKU_NonRepudiation Specifies that the certificate must
        have a key usage that allows it to be used for non-repudiation.
    @constant kSecPolicyKU_KeyEncipherment Specifies that the certificate must
        have a key usage that allows it to be used for key encipherment.
    @constant kSecPolicyKU_DataEncipherment Specifies that the certificate must
        have a key usage that allows it to be used for data encipherment.
    @constant kSecPolicyKU_KeyAgreement Specifies that the certificate must
        have a key usage that allows it to be used for key agreement.
    @constant kSecPolicyKU_KeyCertSign Specifies that the certificate must
        have a key usage that allows it to be used for signing certificates.
    @constant kSecPolicyKU_CRLSign Specifies that the certificate must
        have a key usage that allows it to be used for signing CRLs.
    @constant kSecPolicyKU_EncipherOnly Specifies that the certificate must
        have a key usage that permits it to be used for encryption only.
    @constant kSecPolicyKU_DecipherOnly Specifies that the certificate must
        have a key usage that permits it to be used for decryption only.
 */
extern CFTypeRef kSecPolicyKU_DigitalSignature
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_NonRepudiation
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_KeyEncipherment
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_DataEncipherment
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_KeyAgreement
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_KeyCertSign
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_CRLSign
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_EncipherOnly
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern CFTypeRef kSecPolicyKU_DecipherOnly
	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);

/*!
	@function SecPolicyCreateWithOID
	@abstract Returns a policy object based on an object identifier for the
	policy type. See the "Policy Constants" section for a list of defined
	policy object identifiers.
	@param policyOID The OID of the desired policy.
	@result The returned policy reference, or NULL if the policy could not be
	created.
	@discussion This function is deprecated in Mac OS X 10.9 and later;
	use SecPolicyCreateWithProperties (or a more specific policy creation
	function) instead.
*/
SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);

/*!
	@function SecPolicyGetOID
	@abstract Returns a policy's object identifier.
	@param policyRef A policy reference.
	@param oid On return, a pointer to the policy's object identifier.
	@result A result code. See "Security Error Codes" (SecBase.h).
	@discussion This function is deprecated in Mac OS X 10.7 and later;
	use SecPolicyCopyProperties instead.
*/
OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);

/*!
	@function SecPolicyGetValue
	@abstract Returns a policy's value.
	@param policyRef A policy reference.
	@param value On return, a pointer to the policy's value.
	@result A result code. See "Security Error Codes" (SecBase.h).
	@discussion This function is deprecated in Mac OS X 10.7 and later;
	use SecPolicyCopyProperties instead.
*/
OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);

/*!
	@function SecPolicySetValue
	@abstract Sets a policy's value.
	@param policyRef A policy reference.
	@param value The value to be set into the policy object, replacing any
	previous value.
	@result A result code. See "Security Error Codes" (SecBase.h).
	@discussion This function is deprecated in Mac OS X 10.7 and later. Policy
	instances should be considered read-only; in cases where your code would
	consider changing properties of a policy, it should instead create a new
	policy instance with the desired properties.
*/
OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);

/*!
	@function SecPolicySetProperties
	@abstract Sets a policy's properties.
	@param policyRef A policy reference.
	@param properties A properties dictionary. See "Policy Value Constants"
	for a list of currently defined property keys. This dictionary replaces the
	policy's existing properties, if any. Note that the policy OID (specified
	by kSecPolicyOid) is a read-only property of the policy and cannot be set.
	@result A result code. See "Security Error Codes" (SecBase.h).
	@discussion This function is deprecated in Mac OS X 10.9 and later. Policy
	instances should be considered read-only; in cases where your code would
	consider changing properties of a policy, it should instead create a new
	policy instance with the desired properties.
*/
OSStatus SecPolicySetProperties(SecPolicyRef policyRef,
	CFDictionaryRef properties)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);

/*!
	@function SecPolicyGetTPHandle
	@abstract Returns the CSSM trust policy handle for the given policy.
	@param policyRef A policy reference.
	@param tpHandle On return, a pointer to a value of type CSSM_TP_HANDLE.
	@result A result code. See "Security Error Codes" (SecBase.h).
	@discussion This function is deprecated in Mac OS X 10.7 and later.
*/
OSStatus SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE *tpHandle)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);

#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */


#if defined(__cplusplus)
}
#endif

#endif /* !_SECURITY_SECPOLICY_H_ */
Commit	Line	Data
b1ab9ed8	1	/*
427c49bc A	2	* Copyright (c) 2002-2013 Apple Inc. All Rights Reserved.
427c49bc A	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
427c49bc	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
427c49bc	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
427c49bc	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*!
427c49bc A	25	@header SecPolicy
427c49bc A	26	The functions provided in SecPolicy.h provide an interface to various
b1ab9ed8 A	27	X.509 certificate trust policies.
	28	*/
	29
	30	#ifndef _SECURITY_SECPOLICY_H_
	31	#define _SECURITY_SECPOLICY_H_
	32
	33	#include <CoreFoundation/CFBase.h>
	34	#include <CoreFoundation/CFDictionary.h>
	35	#include <Security/SecBase.h>
b1ab9ed8 A	36
	37	#if defined(__cplusplus)
	38	extern "C" {
	39	#endif
	40
	41	/*!
427c49bc A	42	@enum Policy Constants
427c49bc A	43	@discussion Predefined constants used to specify a policy.
b1ab9ed8 A	44	@constant kSecPolicyAppleX509Basic
	45	@constant kSecPolicyAppleSSL
	46	@constant kSecPolicyAppleSMIME
	47	@constant kSecPolicyAppleEAP
	48	@constant kSecPolicyAppleIPsec
	49	@constant kSecPolicyAppleiChat
	50	@constant kSecPolicyApplePKINITClient
	51	@constant kSecPolicyApplePKINITServer
	52	@constant kSecPolicyAppleCodeSigning
	53	@constant kSecPolicyMacAppStoreReceipt
	54	@constant kSecPolicyAppleIDValidation
	55	@constant kSecPolicyAppleTimeStamping
427c49bc A	56	@constant kSecPolicyAppleRevocation
427c49bc A	57	@constant kSecPolicyApplePassbookSigning
b1ab9ed8 A	58	*/
b1ab9ed8 A	59	extern CFTypeRef kSecPolicyAppleX509Basic
427c49bc	60	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
b1ab9ed8	61	extern CFTypeRef kSecPolicyAppleSSL
427c49bc	62	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
b1ab9ed8	63	extern CFTypeRef kSecPolicyAppleSMIME
427c49bc	64	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
b1ab9ed8	65	extern CFTypeRef kSecPolicyAppleEAP
427c49bc	66	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
b1ab9ed8	67	extern CFTypeRef kSecPolicyAppleIPsec
427c49bc	68	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
b1ab9ed8	69	extern CFTypeRef kSecPolicyAppleiChat
427c49bc	70	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
b1ab9ed8 A	71	extern CFTypeRef kSecPolicyApplePKINITClient
	72	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	73	extern CFTypeRef kSecPolicyApplePKINITServer
	74	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	75	extern CFTypeRef kSecPolicyAppleCodeSigning
427c49bc	76	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
b1ab9ed8 A	77	extern CFTypeRef kSecPolicyMacAppStoreReceipt
	78	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	79	extern CFTypeRef kSecPolicyAppleIDValidation
427c49bc	80	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
b1ab9ed8	81	extern CFTypeRef kSecPolicyAppleTimeStamping
427c49bc A	82	__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_7_0);
	83	extern CFTypeRef kSecPolicyAppleRevocation
	84	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	85	extern CFTypeRef kSecPolicyApplePassbookSigning
	86	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
b1ab9ed8 A	87
	88	/*!
	89	@enum Policy Value Constants
427c49bc	90	@abstract Predefined property key constants used to get or set values in
b1ab9ed8	91	a dictionary for a policy instance.
427c49bc	92	@discussion
b1ab9ed8 A	93	All policies will have the following read-only value:
	94	kSecPolicyOid (the policy object identifier)
	95
	96	Additional policy values which your code can optionally set:
	97	kSecPolicyName (name which must be matched)
427c49bc A	98	kSecPolicyClient (evaluate for client, rather than server)
	99	kSecPolicyRevocationFlags (only valid for a revocation policy)
	100
	101	@constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef)
	102	@constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same)
	103	containing a name which must be matched in the certificate to satisfy
	104	this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the
	105	server name which must match the common name of the certificate.
	106	For S/MIME, this specifies the RFC822 email address.
	107	For Passbook signing, this specifies the pass signer.
	108	@constant kSecPolicyClient Specifies a CFBooleanRef value that indicates
	109	this evaluation should be for a client certificate. If not set (or
	110	false), the policy evaluates the certificate as a server certificate.
	111	@constant kSecPolicyRevocationFlags Specifies a CFNumberRef that holds a
	112	kCFNumberCFIndexType bitmask value. See "Revocation Policy Constants"
	113	for a description of individual bits in this value.
	114	@constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
	115	team identifier which must be matched in the certificate to satisfy
	116	this policy. For the Passbook signing policy, this string must match
	117	the Organizational Unit field of the certificate subject.
	118	*/
	119	extern CFTypeRef kSecPolicyOid
	120	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
	121	extern CFTypeRef kSecPolicyName
	122	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
	123	extern CFTypeRef kSecPolicyClient
	124	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
	125	extern CFTypeRef kSecPolicyRevocationFlags
	126	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	127	extern CFTypeRef kSecPolicyTeamIdentifier
	128	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	129
	130
	131	/*!
	132	@function SecPolicyGetTypeID
	133	@abstract Returns the type identifier of SecPolicy instances.
	134	@result The CFTypeID of SecPolicy instances.
	135	*/
	136	CFTypeID SecPolicyGetTypeID(void)
	137	__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
	138
	139	/*!
	140	@function SecPolicyCopyProperties
	141	@abstract Returns a dictionary of this policy's properties.
	142	@param policyRef A policy reference.
	143	@result A properties dictionary. See "Policy Value Constants" for a list
	144	of currently defined property keys. It is the caller's responsibility to
	145	CFRelease this reference when it is no longer needed.
	146	@result A result code. See "Security Error Codes" (SecBase.h).
	147	@discussion This function returns the properties for a policy, as set by the
	148	policy's construction function or by a prior call to SecPolicySetProperties.
	149	*/
	150	CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef)
	151	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
	152
	153	/*!
	154	@function SecPolicyCreateBasicX509
	155	@abstract Returns a policy object for the default X.509 policy.
	156	@result A policy object. The caller is responsible for calling CFRelease
	157	on this when it is no longer needed.
	158	*/
	159	SecPolicyRef SecPolicyCreateBasicX509(void)
	160	__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
	161
162	/*!
163	@function SecPolicyCreateSSL
164	@abstract Returns a policy object for evaluating SSL certificate chains.
165	@param server Passing true for this parameter creates a policy for SSL
166	server certificates.
167	@param hostname (Optional) If present, the policy will require the specified
168	hostname to match the hostname in the leaf certificate.
169	@result A policy object. The caller is responsible for calling CFRelease
170	on this when it is no longer needed.
171	*/
172	SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef hostname)
173	__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
174
175	/*!
176	@enum Revocation Policy Constants
177	@abstract Predefined constants which allow you to specify how revocation
178	checking will be performed for a trust evaluation.
179	@constant kSecRevocationOCSPMethod If this flag is set, perform revocation
180	checking using OCSP (Online Certificate Status Protocol).
181	@constant kSecRevocationCRLMethod If this flag is set, perform revocation
182	checking using the CRL (Certificate Revocation List) method.
183	@constant kSecRevocationPreferCRL If this flag is set, then CRL revocation
184	checking will be preferred over OCSP (by default, OCSP is preferred.)
185	Note that this flag only matters if both revocation methods are specified.
186	@constant kSecRevocationRequirePositiveResponse If this flag is set, then
187	the policy will fail unless a verified positive response is obtained. If
188	the flag is not set, revocation checking is done on a "best attempt" basis,
189	where failure to reach the server is not considered fatal.
190	@constant kSecRevocationNetworkAccessDisabled If this flag is set, then
191	no network access is performed; only locally cached replies are consulted.
192	@constant kSecRevocationUseAnyAvailableMethod Specifies that either
193	OCSP or CRL may be used, depending on the method(s) specified in the
194	certificate and the value of kSecRevocationPreferCRL.
195	*/
196	enum {
197	kSecRevocationOCSPMethod = (1 << 0),
198	kSecRevocationCRLMethod = (1 << 1),
199	kSecRevocationPreferCRL = (1 << 2),
200	kSecRevocationRequirePositiveResponse = (1 << 3),
201	kSecRevocationNetworkAccessDisabled = (1 << 4),
202	kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod \|
203	kSecRevocationCRLMethod)
204	};
205
206	/*!
207	@function SecPolicyCreateRevocation
208	@abstract Returns a policy object for checking revocation of certificates.
209	@result A policy object. The caller is responsible for calling CFRelease
210	on this when it is no longer needed.
211	@param revocationFlags Flags to specify revocation checking options.
212	@discussion Use this function to create a revocation policy with behavior
213	specified by revocationFlags. See the "Revocation Policy Constants" section
214	for a description of these flags. Note: it is usually not necessary to
215	create a revocation policy yourself unless you wish to override default
216	system behavior (e.g. to force a particular method, or to disable
217	revocation checking entirely.)
218	*/
219	SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
220	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
b1ab9ed8	221
427c49bc A	222	/*!
	223	@function SecPolicyCreateWithProperties
	224	@abstract Returns a policy object based on an object identifier for the
	225	policy type. See the "Policy Constants" section for a list of defined
	226	policy object identifiers.
	227	@param policyIdentifier The identifier for the desired policy type.
	228	@param properties (Optional) A properties dictionary. See "Policy Value
	229	Constants" for a list of currently defined property keys.
	230	@result The returned policy reference, or NULL if the policy could not be
	231	created.
	232	*/
	233	SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
	234	CFDictionaryRef properties)
	235	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	236
	237
	238	/*
	239	* Legacy functions (OS X only)
	240	*/
	241	#if TARGET_OS_MAC && !TARGET_OS_IPHONE
	242	#include <Security/cssmtype.h>
	243
	244	/*!
	245	@enum Policy Value Constants (OS X)
	246	@discussion Predefined property key constants used to get or set values in
	247	a dictionary for a policy instance.
	248
	249	Some policy values may specify CFBooleanRef key usage constraints:
b1ab9ed8 A	250	kSecPolicyKU_DigitalSignature
	251	kSecPolicyKU_NonRepudiation
	252	kSecPolicyKU_KeyEncipherment
	253	kSecPolicyKU_DataEncipherment
	254	kSecPolicyKU_KeyAgreement
	255	kSecPolicyKU_KeyCertSign
	256	kSecPolicyKU_CRLSign
	257	kSecPolicyKU_EncipherOnly
	258	kSecPolicyKU_DecipherOnly
427c49bc A	259
	260	kSecPolicyKU policy values define certificate-level key purposes,
	261	in contrast to the key-level definitions in SecItem.h
	262
	263	For example, a key in a certificate might be acceptable to use for
	264	signing a CRL, but not for signing another certificate. In either
	265	case, this key would have the ability to sign (i.e. kSecAttrCanSign
	266	is true), but may only sign for specific purposes allowed by these
	267	policy constants. Similarly, a public key might have the capability
	268	to perform encryption or decryption, but the certificate in which it
	269	resides might have a decipher-only certificate policy.
	270
	271	These constants correspond to values defined in RFC 5280, section
	272	4.2.1.3 (Key Usage) which define the purpose of a key contained in a
	273	certificate, in contrast to section 4.1.2.7 which define the uses that
	274	a key is capable of.
	275
	276	Note: these constants are not available on iOS. Your code should
	277	avoid direct reliance on these values for making policy decisions
	278	and use higher level policies where possible.
	279
b1ab9ed8 A	280	@constant kSecPolicyKU_DigitalSignature Specifies that the certificate must
	281	have a key usage that allows it to be used for signing.
	282	@constant kSecPolicyKU_NonRepudiation Specifies that the certificate must
	283	have a key usage that allows it to be used for non-repudiation.
	284	@constant kSecPolicyKU_KeyEncipherment Specifies that the certificate must
	285	have a key usage that allows it to be used for key encipherment.
	286	@constant kSecPolicyKU_DataEncipherment Specifies that the certificate must
	287	have a key usage that allows it to be used for data encipherment.
	288	@constant kSecPolicyKU_KeyAgreement Specifies that the certificate must
	289	have a key usage that allows it to be used for key agreement.
	290	@constant kSecPolicyKU_KeyCertSign Specifies that the certificate must
	291	have a key usage that allows it to be used for signing certificates.
	292	@constant kSecPolicyKU_CRLSign Specifies that the certificate must
	293	have a key usage that allows it to be used for signing CRLs.
	294	@constant kSecPolicyKU_EncipherOnly Specifies that the certificate must
	295	have a key usage that permits it to be used for encryption only.
	296	@constant kSecPolicyKU_DecipherOnly Specifies that the certificate must
	297	have a key usage that permits it to be used for decryption only.
427c49bc	298	*/
b1ab9ed8 A	299	extern CFTypeRef kSecPolicyKU_DigitalSignature
	300	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	301	extern CFTypeRef kSecPolicyKU_NonRepudiation
	302	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	303	extern CFTypeRef kSecPolicyKU_KeyEncipherment
	304	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	305	extern CFTypeRef kSecPolicyKU_DataEncipherment
	306	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	307	extern CFTypeRef kSecPolicyKU_KeyAgreement
	308	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	309	extern CFTypeRef kSecPolicyKU_KeyCertSign
	310	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	311	extern CFTypeRef kSecPolicyKU_CRLSign
	312	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	313	extern CFTypeRef kSecPolicyKU_EncipherOnly
	314	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	315	extern CFTypeRef kSecPolicyKU_DecipherOnly
	316	__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
	317
b1ab9ed8	318	/*!
427c49bc A	319	@function SecPolicyCreateWithOID
	320	@abstract Returns a policy object based on an object identifier for the
	321	policy type. See the "Policy Constants" section for a list of defined
	322	policy object identifiers.
	323	@param policyOID The OID of the desired policy.
	324	@result The returned policy reference, or NULL if the policy could not be
	325	created.
	326	@discussion This function is deprecated in Mac OS X 10.9 and later;
	327	use SecPolicyCreateWithProperties (or a more specific policy creation
	328	function) instead.
b1ab9ed8	329	*/
427c49bc A	330	SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID)
427c49bc A	331	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
b1ab9ed8 A	332
b1ab9ed8 A	333	/*!
427c49bc A	334	@function SecPolicyGetOID
	335	@abstract Returns a policy's object identifier.
	336	@param policyRef A policy reference.
	337	@param oid On return, a pointer to the policy's object identifier.
	338	@result A result code. See "Security Error Codes" (SecBase.h).
b1ab9ed8 A	339	@discussion This function is deprecated in Mac OS X 10.7 and later;
	340	use SecPolicyCopyProperties instead.
	341	*/
	342	OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid)
427c49bc	343	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
b1ab9ed8 A	344
b1ab9ed8 A	345	/*!
427c49bc A	346	@function SecPolicyGetValue
	347	@abstract Returns a policy's value.
	348	@param policyRef A policy reference.
	349	@param value On return, a pointer to the policy's value.
	350	@result A result code. See "Security Error Codes" (SecBase.h).
b1ab9ed8 A	351	@discussion This function is deprecated in Mac OS X 10.7 and later;
	352	use SecPolicyCopyProperties instead.
	353	*/
	354	OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value)
427c49bc	355	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
b1ab9ed8 A	356
b1ab9ed8 A	357	/*!
427c49bc A	358	@function SecPolicySetValue
	359	@abstract Sets a policy's value.
	360	@param policyRef A policy reference.
	361	@param value The value to be set into the policy object, replacing any
b1ab9ed8	362	previous value.
427c49bc A	363	@result A result code. See "Security Error Codes" (SecBase.h).
	364	@discussion This function is deprecated in Mac OS X 10.7 and later. Policy
	365	instances should be considered read-only; in cases where your code would
	366	consider changing properties of a policy, it should instead create a new
	367	policy instance with the desired properties.
b1ab9ed8 A	368	*/
b1ab9ed8 A	369	OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
427c49bc	370	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
b1ab9ed8 A	371
b1ab9ed8 A	372	/*!
427c49bc A	373	@function SecPolicySetProperties
	374	@abstract Sets a policy's properties.
	375	@param policyRef A policy reference.
	376	@param properties A properties dictionary. See "Policy Value Constants"
	377	for a list of currently defined property keys. This dictionary replaces the
	378	policy's existing properties, if any. Note that the policy OID (specified
	379	by kSecPolicyOid) is a read-only property of the policy and cannot be set.
	380	@result A result code. See "Security Error Codes" (SecBase.h).
	381	@discussion This function is deprecated in Mac OS X 10.9 and later. Policy
	382	instances should be considered read-only; in cases where your code would
	383	consider changing properties of a policy, it should instead create a new
	384	policy instance with the desired properties.
b1ab9ed8 A	385	*/
	386	OSStatus SecPolicySetProperties(SecPolicyRef policyRef,
	387	CFDictionaryRef properties)
427c49bc	388	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
b1ab9ed8 A	389
b1ab9ed8 A	390	/*!
427c49bc A	391	@function SecPolicyGetTPHandle
	392	@abstract Returns the CSSM trust policy handle for the given policy.
	393	@param policyRef A policy reference.
	394	@param tpHandle On return, a pointer to a value of type CSSM_TP_HANDLE.
	395	@result A result code. See "Security Error Codes" (SecBase.h).
b1ab9ed8 A	396	@discussion This function is deprecated in Mac OS X 10.7 and later.
	397	*/
	398	OSStatus SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE *tpHandle)
427c49bc	399	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
b1ab9ed8	400
427c49bc	401	#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
b1ab9ed8 A	402
	403
	404	#if defined(__cplusplus)
	405	}
	406	#endif
	407
	408	#endif /* !_SECURITY_SECPOLICY_H_ */