[apple/security.git] / sec / Security / SecCertificatePath.h

/*
 * Copyright (c) 2007-2009 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*!
	@header SecCertificatePath
	CoreFoundation based certificate path object
*/

#ifndef _SECURITY_SECCERTIFICATEPATH_H_
#define _SECURITY_SECCERTIFICATEPATH_H_

#include <Security/SecCertificate.h>
#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFDictionary.h>
#include <CoreFoundation/CFDate.h>
#include <CoreFoundation/CFError.h>
#include <xpc/xpc.h>

__BEGIN_DECLS

typedef struct SecCertificatePath *SecCertificatePathRef;

/* SecCertificatePath API functions. */
CFTypeID SecCertificatePathGetTypeID(void);

/* Create a new certificate path from an old one. */
SecCertificatePathRef SecCertificatePathCreate(SecCertificatePathRef path,
	SecCertificateRef certificate);

/* Create a new certificate path from an xpc_array of datas. */
SecCertificatePathRef SecCertificatePathCreateWithXPCArray(xpc_object_t xpc_path, CFErrorRef *error);

/* Create an array of CFDataRefs from a certificate path. */
xpc_object_t SecCertificatePathCopyXPCArray(SecCertificatePathRef path, CFErrorRef *error);

SecCertificatePathRef SecCertificatePathCopyAddingLeaf(SecCertificatePathRef path,
SecCertificateRef leaf);

/* Return a new certificate path without the first skipCount certificates. */
SecCertificatePathRef SecCertificatePathCopyFromParent(SecCertificatePathRef path, CFIndex skipCount);

/* Record the fact that we found our own root cert as our parent
   certificate. */
void SecCertificatePathSetSelfIssued(
	SecCertificatePathRef certificatePath);

void SecCertificatePathSetIsAnchored(
	SecCertificatePathRef certificatePath);

/* Return the index of the first non anchor certificate in the chain that is
   self signed counting from the leaf up.  Return -1 if there is none. */
CFIndex SecCertificatePathSelfSignedIndex(
	SecCertificatePathRef certificatePath);

Boolean SecCertificatePathIsAnchored(
	SecCertificatePathRef certificatePath);

void SecCertificatePathSetNextSourceIndex(
	SecCertificatePathRef certificatePath, CFIndex sourceIndex);

CFIndex SecCertificatePathGetNextSourceIndex(
	SecCertificatePathRef certificatePath);

CFIndex SecCertificatePathGetCount(
	SecCertificatePathRef certificatePath);

SecCertificateRef SecCertificatePathGetCertificateAtIndex(
	SecCertificatePathRef certificatePath, CFIndex ix);

/* Return the index of certificate in path or kCFNotFound if certificate is
   not in path. */
CFIndex SecCertificatePathGetIndexOfCertificate(SecCertificatePathRef path,
    SecCertificateRef certificate);

/* Return the root certificate for certificatePath.  Note that root is just
   the top of the path as far as it is constructed.  It may or may not be
   trusted or self signed.  */
SecCertificateRef SecCertificatePathGetRoot(
	SecCertificatePathRef certificatePath);

SecKeyRef SecCertificatePathCopyPublicKeyAtIndex(
	SecCertificatePathRef certificatePath, CFIndex ix);

typedef CFIndex SecPathVerifyStatus;
enum {
	kSecPathVerifiesUnknown = -1,
	kSecPathVerifySuccess = 0,
	kSecPathVerifyFailed = 1
};

SecPathVerifyStatus SecCertificatePathVerify(
	SecCertificatePathRef certificatePath);

CFIndex SecCertificatePathScore(SecCertificatePathRef certificatePath,
	CFAbsoluteTime verifyTime);


/*
Node based version is possible.  We need to make sure we extract algorithm oid and parameters in the chain.  When constructing a new path (with a new parent from a path with the child at it's head), we duplicate each child node for which we could not previously establish a public key because the parameters were missing and there was no cert with the same algorithm in the chain which does have parameters.  This is because, when extended with a different parent certificate that has different parameters for the childs algorithm, the signatures in the child chain must be reverified using the new parameters and therefore might yeild a different result.
We could allow more sharing if we stored the parameters found in the search up the chain in each node, and only duplicate the nodes if the parameters differ and then reset the isSigned status of each node with changed parameters. */

__END_DECLS

#endif /* !_SECURITY_SECCERTIFICATEPATH_H_ */
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2007-2009 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*!
	25	@header SecCertificatePath
	26	CoreFoundation based certificate path object
	27	*/
	28
	29	#ifndef _SECURITY_SECCERTIFICATEPATH_H_
	30	#define _SECURITY_SECCERTIFICATEPATH_H_
	31
	32	#include <Security/SecCertificate.h>
	33	#include <CoreFoundation/CFArray.h>
	34	#include <CoreFoundation/CFDictionary.h>
	35	#include <CoreFoundation/CFDate.h>
427c49bc A	36	#include <CoreFoundation/CFError.h>
427c49bc A	37	#include <xpc/xpc.h>
b1ab9ed8	38
427c49bc	39	__BEGIN_DECLS
b1ab9ed8 A	40
	41	typedef struct SecCertificatePath *SecCertificatePathRef;
	42
	43	/* SecCertificatePath API functions. */
	44	CFTypeID SecCertificatePathGetTypeID(void);
	45
	46	/* Create a new certificate path from an old one. */
	47	SecCertificatePathRef SecCertificatePathCreate(SecCertificatePathRef path,
	48	SecCertificateRef certificate);
	49
427c49bc A	50	/* Create a new certificate path from an xpc_array of datas. */
427c49bc A	51	SecCertificatePathRef SecCertificatePathCreateWithXPCArray(xpc_object_t xpc_path, CFErrorRef *error);
b1ab9ed8 A	52
b1ab9ed8 A	53	/* Create an array of CFDataRefs from a certificate path. */
427c49bc	54	xpc_object_t SecCertificatePathCopyXPCArray(SecCertificatePathRef path, CFErrorRef *error);
b1ab9ed8 A	55
	56	SecCertificatePathRef SecCertificatePathCopyAddingLeaf(SecCertificatePathRef path,
	57	SecCertificateRef leaf);
	58
	59	/* Return a new certificate path without the first skipCount certificates. */
	60	SecCertificatePathRef SecCertificatePathCopyFromParent(SecCertificatePathRef path, CFIndex skipCount);
	61
	62	/* Record the fact that we found our own root cert as our parent
	63	certificate. */
	64	void SecCertificatePathSetSelfIssued(
	65	SecCertificatePathRef certificatePath);
	66
	67	void SecCertificatePathSetIsAnchored(
	68	SecCertificatePathRef certificatePath);
	69
	70	/* Return the index of the first non anchor certificate in the chain that is
	71	self signed counting from the leaf up. Return -1 if there is none. */
	72	CFIndex SecCertificatePathSelfSignedIndex(
	73	SecCertificatePathRef certificatePath);
	74
	75	Boolean SecCertificatePathIsAnchored(
	76	SecCertificatePathRef certificatePath);
	77
	78	void SecCertificatePathSetNextSourceIndex(
	79	SecCertificatePathRef certificatePath, CFIndex sourceIndex);
	80
	81	CFIndex SecCertificatePathGetNextSourceIndex(
	82	SecCertificatePathRef certificatePath);
	83
	84	CFIndex SecCertificatePathGetCount(
	85	SecCertificatePathRef certificatePath);
	86
	87	SecCertificateRef SecCertificatePathGetCertificateAtIndex(
	88	SecCertificatePathRef certificatePath, CFIndex ix);
	89
	90	/* Return the index of certificate in path or kCFNotFound if certificate is
	91	not in path. */
	92	CFIndex SecCertificatePathGetIndexOfCertificate(SecCertificatePathRef path,
	93	SecCertificateRef certificate);
	94
	95	/* Return the root certificate for certificatePath. Note that root is just
	96	the top of the path as far as it is constructed. It may or may not be
	97	trusted or self signed. */
	98	SecCertificateRef SecCertificatePathGetRoot(
	99	SecCertificatePathRef certificatePath);
	100
	101	SecKeyRef SecCertificatePathCopyPublicKeyAtIndex(
	102	SecCertificatePathRef certificatePath, CFIndex ix);
	103
	104	typedef CFIndex SecPathVerifyStatus;
	105	enum {
	106	kSecPathVerifiesUnknown = -1,
	107	kSecPathVerifySuccess = 0,
	108	kSecPathVerifyFailed = 1
	109	};
	110
	111	SecPathVerifyStatus SecCertificatePathVerify(
	112	SecCertificatePathRef certificatePath);
	113
	114	CFIndex SecCertificatePathScore(SecCertificatePathRef certificatePath,
	115	CFAbsoluteTime verifyTime);
	116
	117
	118	/*
119	Node based version is possible. We need to make sure we extract algorithm oid and parameters in the chain. When constructing a new path (with a new parent from a path with the child at it's head), we duplicate each child node for which we could not previously establish a public key because the parameters were missing and there was no cert with the same algorithm in the chain which does have parameters. This is because, when extended with a different parent certificate that has different parameters for the childs algorithm, the signatures in the child chain must be reverified using the new parameters and therefore might yeild a different result.
120	We could allow more sharing if we stored the parameters found in the search up the chain in each node, and only duplicate the nodes if the parameters differ and then reset the isSigned status of each node with changed parameters. */
121
427c49bc	122	__END_DECLS
b1ab9ed8 A	123
b1ab9ed8 A	124	#endif /* !_SECURITY_SECCERTIFICATEPATH_H_ */