[apple/security.git] / Security / libsecurity_keychain / lib / SecPolicy.cpp

/*
 * Copyright (c) 2002-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#include <CoreFoundation/CFString.h>
#include <CoreFoundation/CFNumber.h>
#include <CoreFoundation/CFArray.h>
#include <Security/SecItem.h>
#include <Security/SecPolicy.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecCertificate.h>
#include <Security/SecCertificatePriv.h>
#include <security_keychain/Policies.h>
#include <security_keychain/PolicyCursor.h>
#include "SecBridge.h"
#include "utilities/SecCFRelease.h"


// String constant declarations

#define SEC_CONST_DECL(k,v) CFTypeRef k = (CFTypeRef)(CFSTR(v));

SEC_CONST_DECL (kSecPolicyAppleX509Basic, "1.2.840.113635.100.1.2");
SEC_CONST_DECL (kSecPolicyAppleSSL, "1.2.840.113635.100.1.3");
SEC_CONST_DECL (kSecPolicyAppleSMIME, "1.2.840.113635.100.1.8");
SEC_CONST_DECL (kSecPolicyAppleEAP, "1.2.840.113635.100.1.9");
SEC_CONST_DECL (kSecPolicyAppleIPsec, "1.2.840.113635.100.1.11");
SEC_CONST_DECL (kSecPolicyAppleiChat, "1.2.840.113635.100.1.12");
SEC_CONST_DECL (kSecPolicyApplePKINITClient, "1.2.840.113635.100.1.14");
SEC_CONST_DECL (kSecPolicyApplePKINITServer, "1.2.840.113635.100.1.15");
SEC_CONST_DECL (kSecPolicyAppleCodeSigning, "1.2.840.113635.100.1.16");
SEC_CONST_DECL (kSecPolicyApplePackageSigning, "1.2.840.113635.100.1.17");
SEC_CONST_DECL (kSecPolicyAppleIDValidation, "1.2.840.113635.100.1.18");
SEC_CONST_DECL (kSecPolicyMacAppStoreReceipt, "1.2.840.113635.100.1.19");
SEC_CONST_DECL (kSecPolicyAppleTimeStamping, "1.2.840.113635.100.1.20");
SEC_CONST_DECL (kSecPolicyAppleRevocation, "1.2.840.113635.100.1.21");
SEC_CONST_DECL (kSecPolicyApplePassbookSigning, "1.2.840.113635.100.1.22");
SEC_CONST_DECL (kSecPolicyAppleMobileStore, "1.2.840.113635.100.1.23");
SEC_CONST_DECL (kSecPolicyAppleEscrowService, "1.2.840.113635.100.1.24");
SEC_CONST_DECL (kSecPolicyAppleProfileSigner, "1.2.840.113635.100.1.25");
SEC_CONST_DECL (kSecPolicyAppleQAProfileSigner, "1.2.840.113635.100.1.26");
SEC_CONST_DECL (kSecPolicyAppleTestMobileStore, "1.2.840.113635.100.1.27");
#if TARGET_OS_IPHONE
SEC_CONST_DECL (kSecPolicyAppleOTAPKISigner, "1.2.840.113635.100.1.28");
SEC_CONST_DECL (kSecPolicyAppleTestOTAPKISigner, "1.2.840.113635.100.1.29");
/* FIXME: this policy name should be deprecated and replaced with "kSecPolicyAppleIDValidationRecordSigning" */
SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113625.100.1.30");
SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113625.100.1.31");
SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113625.100.1.32");
#endif
SEC_CONST_DECL (kSecPolicyAppleServerAuthentication, "1.2.840.113635.100.1.33");
SEC_CONST_DECL (kSecPolicyApplePCSEscrowService, "1.2.840.113635.100.1.34");

SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid");
SEC_CONST_DECL (kSecPolicyName, "SecPolicyName");
SEC_CONST_DECL (kSecPolicyClient, "SecPolicyClient");
SEC_CONST_DECL (kSecPolicyRevocationFlags, "SecPolicyRevocationFlags");
SEC_CONST_DECL (kSecPolicyTeamIdentifier, "SecPolicyTeamIdentifier");

SEC_CONST_DECL (kSecPolicyKU_DigitalSignature, "CE_KU_DigitalSignature");
SEC_CONST_DECL (kSecPolicyKU_NonRepudiation, "CE_KU_NonRepudiation");
SEC_CONST_DECL (kSecPolicyKU_KeyEncipherment, "CE_KU_KeyEncipherment");
SEC_CONST_DECL (kSecPolicyKU_DataEncipherment, "CE_KU_DataEncipherment");
SEC_CONST_DECL (kSecPolicyKU_KeyAgreement, "CE_KU_KeyAgreement");
SEC_CONST_DECL (kSecPolicyKU_KeyCertSign, "CE_KU_KeyCertSign");
SEC_CONST_DECL (kSecPolicyKU_CRLSign, "CE_KU_CRLSign");
SEC_CONST_DECL (kSecPolicyKU_EncipherOnly, "CE_KU_EncipherOnly");
SEC_CONST_DECL (kSecPolicyKU_DecipherOnly, "CE_KU_DecipherOnly");

// Private functions

SecPolicyRef SecPolicyCreateWithSecAsn1Oid(SecAsn1Oid *oidPtr);
extern "C" { CFArrayRef SecPolicyCopyEscrowRootCertificates(void); }

//
// CF boilerplate
//
CFTypeID
SecPolicyGetTypeID(void)
{
	BEGIN_SECAPI
	return gTypes().Policy.typeID;
	END_SECAPI1(_kCFRuntimeNotATypeID)
}


//
// Sec API bridge functions
//
OSStatus
SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID* oid)
{
	BEGIN_SECAPI
	Required(oid) = Policy::required(policyRef)->oid();
	END_SECAPI
}

OSStatus
SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA* value)
{
	BEGIN_SECAPI
	Required(value) = Policy::required(policyRef)->value();
	END_SECAPI
}

CFDictionaryRef
SecPolicyCopyProperties(SecPolicyRef policyRef)
{
	/* can't use SECAPI macros, since this function does not return OSStatus */
	CFDictionaryRef result = NULL;
	try {
		result = Policy::required(policyRef)->properties();
	}
	catch (...) {
		if (result) {
			CFRelease(result);
			result = NULL;
		}
	};
	return result;
}

OSStatus
SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
{
	BEGIN_SECAPI
	Required(value);
	const CssmData newValue(value->Data, value->Length);
	Policy::required(policyRef)->setValue(newValue);
	END_SECAPI
}

OSStatus
SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properties)
{
	BEGIN_SECAPI
	Policy::required(policyRef)->setProperties(properties);
	END_SECAPI
}

OSStatus
SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE* tpHandle)
{
	BEGIN_SECAPI
	Required(tpHandle) = Policy::required(policyRef)->tp()->handle();
	END_SECAPI
}

OSStatus
SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
{
	BEGIN_SECAPI
	Required(policies);
	CFMutableArrayRef currPolicies = NULL;
	currPolicies = CFArrayCreateMutable(NULL, 0, NULL);
	if ( currPolicies )
	{
		SecPointer<PolicyCursor> cursor(new PolicyCursor(NULL, NULL));
		SecPointer<Policy> policy;
		while ( cursor->next(policy) ) /* copies the next policy */
		{
			CFArrayAppendValue(currPolicies, policy->handle());  /* 'SecPolicyRef' appended */
			CFRelease(policy->handle()); /* refcount bumped up when appended to array */
		}
		*policies = CFArrayCreateCopy(NULL, currPolicies);
		CFRelease(currPolicies);
		CFRelease(cursor->handle());
	}
	END_SECAPI
}

OSStatus
SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef* policy)
{
	Required(policy);
	Required(policyOID);

	SecPolicySearchRef srchRef = NULL;
	OSStatus ortn;

	ortn = SecPolicySearchCreate(certificateType, policyOID, NULL, &srchRef);
	if(ortn) {
		return ortn;
	}
	ortn = SecPolicySearchCopyNext(srchRef, policy);
	CFRelease(srchRef);
	return ortn;
}

/* new in 10.6 */
SecPolicyRef
SecPolicyCreateBasicX509(void)
{
	// return a SecPolicyRef object for the X.509 Basic policy
	SecPolicyRef policy = nil;
	SecPolicySearchRef policySearch = nil;
	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_X509_BASIC, NULL, &policySearch);
	if (!status) {
		status = SecPolicySearchCopyNext(policySearch, &policy);
	}
	if (policySearch) {
		CFRelease(policySearch);
	}
	return policy;
}

/* new in 10.6 */
SecPolicyRef
SecPolicyCreateSSL(Boolean server, CFStringRef hostname)
{
	// return a SecPolicyRef object for the SSL policy, given hostname and client options
	SecPolicyRef policy = nil;
	SecPolicySearchRef policySearch = nil;
	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_SSL, NULL, &policySearch);
	if (!status) {
		status = SecPolicySearchCopyNext(policySearch, &policy);
	}
	if (!status && policy) {
		// set options for client-side or server-side policy evaluation
		char *strbuf = NULL;
		const char *hostnamestr = NULL;
		if (hostname) {
			hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
			if (hostnamestr == NULL) {
                CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8) + 1;
				strbuf = (char *)malloc(maxLen);
				if (CFStringGetCString(hostname, strbuf, maxLen, kCFStringEncodingUTF8)) {
					hostnamestr = strbuf;
				}
			}
		}
        uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
        uint32 flags = (!server) ? CSSM_APPLE_TP_SSL_CLIENT : 0;
        CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
        CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
        SecPolicySetValue(policy, &data);

		if (strbuf) {
			free(strbuf);
		}
    }
	if (policySearch) {
		CFRelease(policySearch);
	}
	return policy;
}

SecPolicyRef
SecPolicyCreateWithSecAsn1Oid(SecAsn1Oid *oidPtr)
{
	SecPolicyRef policy = NULL;
	try {
		SecPointer<Policy> policyObj;
		PolicyCursor::policy(oidPtr, policyObj);
		policy = policyObj->handle();
	}
	catch (...) {}

	return policy;
}

/* new in 10.7 */
SecPolicyRef
SecPolicyCreateWithOID(CFTypeRef policyOID)
{
	// for now, we only accept the policy constants that are defined in SecPolicy.h
	CFStringRef oidStr = (CFStringRef)policyOID;
	CSSM_OID *oidPtr = NULL;
	SecPolicyRef policy = NULL;
	if (!oidStr) {
		return policy;
	}
	struct oidmap_entry_t {
		const CFTypeRef oidstr;
		const SecAsn1Oid *oidptr;
	};
	const oidmap_entry_t oidmap[] = {
		{ kSecPolicyAppleX509Basic, &CSSMOID_APPLE_X509_BASIC },
		{ kSecPolicyAppleSSL, &CSSMOID_APPLE_TP_SSL },
		{ kSecPolicyAppleSMIME, &CSSMOID_APPLE_TP_SMIME },
		{ kSecPolicyAppleEAP, &CSSMOID_APPLE_TP_EAP },
		{ kSecPolicyAppleIPsec, &CSSMOID_APPLE_TP_IP_SEC },
		{ kSecPolicyAppleiChat, &CSSMOID_APPLE_TP_ICHAT },
		{ kSecPolicyApplePKINITClient, &CSSMOID_APPLE_TP_PKINIT_CLIENT },
		{ kSecPolicyApplePKINITServer, &CSSMOID_APPLE_TP_PKINIT_SERVER },
		{ kSecPolicyAppleCodeSigning, &CSSMOID_APPLE_TP_CODE_SIGNING },
		{ kSecPolicyMacAppStoreReceipt, &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT },
		{ kSecPolicyAppleIDValidation, &CSSMOID_APPLE_TP_APPLEID_SHARING },
		{ kSecPolicyAppleTimeStamping, &CSSMOID_APPLE_TP_TIMESTAMPING },
		{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION },
		{ kSecPolicyApplePassbookSigning, &CSSMOID_APPLE_TP_PASSBOOK_SIGNING },
		{ kSecPolicyAppleMobileStore, &CSSMOID_APPLE_TP_MOBILE_STORE },
		{ kSecPolicyAppleEscrowService, &CSSMOID_APPLE_TP_ESCROW_SERVICE },
		{ kSecPolicyAppleProfileSigner, &CSSMOID_APPLE_TP_PROFILE_SIGNING },
		{ kSecPolicyAppleQAProfileSigner, &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
		{ kSecPolicyAppleTestMobileStore, &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
		{ kSecPolicyApplePCSEscrowService, &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
	};
	unsigned int i, oidmaplen = sizeof(oidmap) / sizeof(oidmap_entry_t);
	for (i=0; i<oidmaplen; i++) {
		CFStringRef str = (CFStringRef) oidmap[i].oidstr;
		if (CFStringCompare(str, oidStr, 0) == kCFCompareEqualTo) {
			oidPtr = (CSSM_OID*)oidmap[i].oidptr;
			break;
		}
	}
	if (CFEqual(oidStr, kSecPolicyAppleServerAuthentication)) {
		return SecPolicyCreateAppleSSLService(NULL);
	}
	if (oidPtr) {
		SecPolicySearchRef policySearch = NULL;
		OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, oidPtr, NULL, &policySearch);
		if (!status && policySearch) {
			status = SecPolicySearchCopyNext(policySearch, &policy);
			CFRelease(policySearch);
		}
		if (!policy && CFEqual(policyOID, kSecPolicyAppleRevocation)) {
			policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
		}
		if (!policy) {
			policy = SecPolicyCreateWithSecAsn1Oid((SecAsn1Oid*)oidPtr);
		}
	}
	return policy;
}

/* new in 10.9 */
SecPolicyRef
SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, CFDictionaryRef properties)
{
	SecPolicyRef policy = SecPolicyCreateWithOID(policyIdentifier);
	SecPolicySetProperties(policy, properties);

	return policy;
}

/* new in 10.9 */
SecPolicyRef
SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
{
	// return a SecPolicyRef object for the unified revocation policy
	SecAsn1Oid *oidPtr = (SecAsn1Oid*)&CSSMOID_APPLE_TP_REVOCATION;
	SecPolicyRef policy = SecPolicyCreateWithSecAsn1Oid(oidPtr);
	if (policy) {
		CSSM_DATA policyData = { (CSSM_SIZE)sizeof(CFOptionFlags), (uint8*)&revocationFlags };
		SecPolicySetValue(policy, &policyData);
	}
	return policy;
}

/* new in 10.9 ***FIXME*** TO BE REMOVED */
CFArrayRef SecPolicyCopyEscrowRootCertificates(void)
{
	return SecCertificateCopyEscrowRoots(kSecCertificateProductionEscrowRoot);
}

SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname)
{
    return SecPolicyCreateSSL(true, hostname);
}

SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname)
{
    return SecPolicyCreateSSL(true, hostname);
}

SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname)
{
    return SecPolicyCreateSSL(true, hostname);
}

SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname)
{
	// SSL server, pinned to an Apple intermediate
	SecPolicyRef policy = SecPolicyCreateSSL(true, hostname);
	if (policy) {
		// change options for policy evaluation
		char *strbuf = NULL;
		const char *hostnamestr = NULL;
		if (hostname) {
			hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
			if (hostnamestr == NULL) {
				CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8) + 1;
				strbuf = (char *)malloc(maxLen);
				if (CFStringGetCString(hostname, strbuf, maxLen, kCFStringEncodingUTF8)) {
					hostnamestr = strbuf;
				}
			}
		}
		uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
		uint32 flags = 0x00000002; // 2nd-lowest bit set to require Apple intermediate pin
		CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
		CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
		SecPolicySetValue(policy, &data);
	}
	return policy;
}
#include <security_utilities/cfutilities.h>
/* New in 10.10 */
// Takes the "context" policies to extract the revocation and apply it to timeStamp.
CFArrayRef
SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray)
{
    /* can't use SECAPI macros, since this function does not return OSStatus */
    CFArrayRef resultPolicyArray=NULL;
    try {
        // Set default policy
        CFRef<CFArrayRef> policyArray = cfArrayize(policyOrArray);
        CFRef<SecPolicyRef> defaultPolicy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
        CFRef<CFMutableArrayRef> appleTimeStampingPolicies = makeCFMutableArray(1,defaultPolicy.get());

        // Parse the policy and add revocation related ones
        CFIndex numPolicies = CFArrayGetCount(policyArray);
        for(CFIndex dex=0; dex<numPolicies; dex++) {
            SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policyArray, dex);
            SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
            const CssmOid &oid = pol->oid();
            if ((oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION))
                || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL))
                || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)))
            {
                CFArrayAppendValue(appleTimeStampingPolicies, secPol);
            }
        }
        // Transfer of ownership
        resultPolicyArray=appleTimeStampingPolicies.yield();
    }
    catch (...) {
        CFReleaseNull(resultPolicyArray);
    };
    return resultPolicyArray;
}
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2002-2014 Apple Inc. All Rights Reserved.
427c49bc	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#include <CoreFoundation/CFString.h>
	25	#include <CoreFoundation/CFNumber.h>
	26	#include <CoreFoundation/CFArray.h>
	27	#include <Security/SecItem.h>
	28	#include <Security/SecPolicy.h>
	29	#include <Security/SecPolicyPriv.h>
427c49bc A	30	#include <Security/SecCertificate.h>
427c49bc A	31	#include <Security/SecCertificatePriv.h>
b1ab9ed8 A	32	#include <security_keychain/Policies.h>
	33	#include <security_keychain/PolicyCursor.h>
	34	#include "SecBridge.h"
d8f41ccd	35	#include "utilities/SecCFRelease.h"
b1ab9ed8 A	36
	37
	38	// String constant declarations
	39
	40	#define SEC_CONST_DECL(k,v) CFTypeRef k = (CFTypeRef)(CFSTR(v));
	41
	42	SEC_CONST_DECL (kSecPolicyAppleX509Basic, "1.2.840.113635.100.1.2");
	43	SEC_CONST_DECL (kSecPolicyAppleSSL, "1.2.840.113635.100.1.3");
	44	SEC_CONST_DECL (kSecPolicyAppleSMIME, "1.2.840.113635.100.1.8");
	45	SEC_CONST_DECL (kSecPolicyAppleEAP, "1.2.840.113635.100.1.9");
	46	SEC_CONST_DECL (kSecPolicyAppleIPsec, "1.2.840.113635.100.1.11");
	47	SEC_CONST_DECL (kSecPolicyAppleiChat, "1.2.840.113635.100.1.12");
	48	SEC_CONST_DECL (kSecPolicyApplePKINITClient, "1.2.840.113635.100.1.14");
	49	SEC_CONST_DECL (kSecPolicyApplePKINITServer, "1.2.840.113635.100.1.15");
	50	SEC_CONST_DECL (kSecPolicyAppleCodeSigning, "1.2.840.113635.100.1.16");
	51	SEC_CONST_DECL (kSecPolicyApplePackageSigning, "1.2.840.113635.100.1.17");
	52	SEC_CONST_DECL (kSecPolicyAppleIDValidation, "1.2.840.113635.100.1.18");
	53	SEC_CONST_DECL (kSecPolicyMacAppStoreReceipt, "1.2.840.113635.100.1.19");
	54	SEC_CONST_DECL (kSecPolicyAppleTimeStamping, "1.2.840.113635.100.1.20");
427c49bc A	55	SEC_CONST_DECL (kSecPolicyAppleRevocation, "1.2.840.113635.100.1.21");
	56	SEC_CONST_DECL (kSecPolicyApplePassbookSigning, "1.2.840.113635.100.1.22");
	57	SEC_CONST_DECL (kSecPolicyAppleMobileStore, "1.2.840.113635.100.1.23");
	58	SEC_CONST_DECL (kSecPolicyAppleEscrowService, "1.2.840.113635.100.1.24");
	59	SEC_CONST_DECL (kSecPolicyAppleProfileSigner, "1.2.840.113635.100.1.25");
	60	SEC_CONST_DECL (kSecPolicyAppleQAProfileSigner, "1.2.840.113635.100.1.26");
	61	SEC_CONST_DECL (kSecPolicyAppleTestMobileStore, "1.2.840.113635.100.1.27");
d8f41ccd A	62	#if TARGET_OS_IPHONE
	63	SEC_CONST_DECL (kSecPolicyAppleOTAPKISigner, "1.2.840.113635.100.1.28");
	64	SEC_CONST_DECL (kSecPolicyAppleTestOTAPKISigner, "1.2.840.113635.100.1.29");
	65	/* FIXME: this policy name should be deprecated and replaced with "kSecPolicyAppleIDValidationRecordSigning" */
	66	SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113625.100.1.30");
	67	SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113625.100.1.31");
	68	SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113625.100.1.32");
	69	#endif
	70	SEC_CONST_DECL (kSecPolicyAppleServerAuthentication, "1.2.840.113635.100.1.33");
	71	SEC_CONST_DECL (kSecPolicyApplePCSEscrowService, "1.2.840.113635.100.1.34");
b1ab9ed8 A	72
	73	SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid");
	74	SEC_CONST_DECL (kSecPolicyName, "SecPolicyName");
	75	SEC_CONST_DECL (kSecPolicyClient, "SecPolicyClient");
427c49bc A	76	SEC_CONST_DECL (kSecPolicyRevocationFlags, "SecPolicyRevocationFlags");
427c49bc A	77	SEC_CONST_DECL (kSecPolicyTeamIdentifier, "SecPolicyTeamIdentifier");
b1ab9ed8 A	78
	79	SEC_CONST_DECL (kSecPolicyKU_DigitalSignature, "CE_KU_DigitalSignature");
	80	SEC_CONST_DECL (kSecPolicyKU_NonRepudiation, "CE_KU_NonRepudiation");
	81	SEC_CONST_DECL (kSecPolicyKU_KeyEncipherment, "CE_KU_KeyEncipherment");
	82	SEC_CONST_DECL (kSecPolicyKU_DataEncipherment, "CE_KU_DataEncipherment");
	83	SEC_CONST_DECL (kSecPolicyKU_KeyAgreement, "CE_KU_KeyAgreement");
	84	SEC_CONST_DECL (kSecPolicyKU_KeyCertSign, "CE_KU_KeyCertSign");
	85	SEC_CONST_DECL (kSecPolicyKU_CRLSign, "CE_KU_CRLSign");
	86	SEC_CONST_DECL (kSecPolicyKU_EncipherOnly, "CE_KU_EncipherOnly");
	87	SEC_CONST_DECL (kSecPolicyKU_DecipherOnly, "CE_KU_DecipherOnly");
	88
427c49bc A	89	// Private functions
	90
	91	SecPolicyRef SecPolicyCreateWithSecAsn1Oid(SecAsn1Oid *oidPtr);
	92	extern "C" { CFArrayRef SecPolicyCopyEscrowRootCertificates(void); }
	93
b1ab9ed8 A	94	//
	95	// CF boilerplate
	96	//
	97	CFTypeID
	98	SecPolicyGetTypeID(void)
	99	{
	100	BEGIN_SECAPI
	101	return gTypes().Policy.typeID;
	102	END_SECAPI1(_kCFRuntimeNotATypeID)
	103	}
	104
	105
	106	//
	107	// Sec API bridge functions
	108	//
	109	OSStatus
	110	SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID* oid)
	111	{
427c49bc A	112	BEGIN_SECAPI
427c49bc A	113	Required(oid) = Policy::required(policyRef)->oid();
b1ab9ed8 A	114	END_SECAPI
	115	}
	116
	117	OSStatus
	118	SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA* value)
	119	{
427c49bc A	120	BEGIN_SECAPI
427c49bc A	121	Required(value) = Policy::required(policyRef)->value();
b1ab9ed8 A	122	END_SECAPI
	123	}
	124
	125	CFDictionaryRef
	126	SecPolicyCopyProperties(SecPolicyRef policyRef)
	127	{
	128	/* can't use SECAPI macros, since this function does not return OSStatus */
	129	CFDictionaryRef result = NULL;
	130	try {
	131	result = Policy::required(policyRef)->properties();
	132	}
	133	catch (...) {
	134	if (result) {
	135	CFRelease(result);
	136	result = NULL;
	137	}
	138	};
	139	return result;
	140	}
	141
	142	OSStatus
	143	SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
	144	{
	145	BEGIN_SECAPI
427c49bc A	146	Required(value);
427c49bc A	147	const CssmData newValue(value->Data, value->Length);
b1ab9ed8 A	148	Policy::required(policyRef)->setValue(newValue);
	149	END_SECAPI
	150	}
	151
	152	OSStatus
	153	SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properties)
	154	{
	155	BEGIN_SECAPI
	156	Policy::required(policyRef)->setProperties(properties);
	157	END_SECAPI
	158	}
	159
	160	OSStatus
	161	SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE* tpHandle)
	162	{
427c49bc A	163	BEGIN_SECAPI
427c49bc A	164	Required(tpHandle) = Policy::required(policyRef)->tp()->handle();
b1ab9ed8 A	165	END_SECAPI
	166	}
	167
	168	OSStatus
	169	SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
	170	{
427c49bc	171	BEGIN_SECAPI
b1ab9ed8 A	172	Required(policies);
	173	CFMutableArrayRef currPolicies = NULL;
	174	currPolicies = CFArrayCreateMutable(NULL, 0, NULL);
	175	if ( currPolicies )
	176	{
	177	SecPointer<PolicyCursor> cursor(new PolicyCursor(NULL, NULL));
	178	SecPointer<Policy> policy;
	179	while ( cursor->next(policy) ) /* copies the next policy */
	180	{
	181	CFArrayAppendValue(currPolicies, policy->handle()); /* 'SecPolicyRef' appended */
	182	CFRelease(policy->handle()); /* refcount bumped up when appended to array */
	183	}
	184	*policies = CFArrayCreateCopy(NULL, currPolicies);
	185	CFRelease(currPolicies);
	186	CFRelease(cursor->handle());
	187	}
	188	END_SECAPI
	189	}
	190
	191	OSStatus
	192	SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID policyOID, SecPolicyRef policy)
	193	{
	194	Required(policy);
	195	Required(policyOID);
427c49bc	196
b1ab9ed8 A	197	SecPolicySearchRef srchRef = NULL;
b1ab9ed8 A	198	OSStatus ortn;
427c49bc	199
b1ab9ed8 A	200	ortn = SecPolicySearchCreate(certificateType, policyOID, NULL, &srchRef);
	201	if(ortn) {
	202	return ortn;
	203	}
	204	ortn = SecPolicySearchCopyNext(srchRef, policy);
	205	CFRelease(srchRef);
	206	return ortn;
	207	}
	208
	209	/* new in 10.6 */
	210	SecPolicyRef
	211	SecPolicyCreateBasicX509(void)
	212	{
427c49bc A	213	// return a SecPolicyRef object for the X.509 Basic policy
	214	SecPolicyRef policy = nil;
	215	SecPolicySearchRef policySearch = nil;
	216	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_X509_BASIC, NULL, &policySearch);
	217	if (!status) {
	218	status = SecPolicySearchCopyNext(policySearch, &policy);
	219	}
b1ab9ed8 A	220	if (policySearch) {
	221	CFRelease(policySearch);
	222	}
427c49bc	223	return policy;
b1ab9ed8 A	224	}
	225
	226	/* new in 10.6 */
	227	SecPolicyRef
	228	SecPolicyCreateSSL(Boolean server, CFStringRef hostname)
	229	{
427c49bc A	230	// return a SecPolicyRef object for the SSL policy, given hostname and client options
	231	SecPolicyRef policy = nil;
	232	SecPolicySearchRef policySearch = nil;
	233	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_SSL, NULL, &policySearch);
	234	if (!status) {
	235	status = SecPolicySearchCopyNext(policySearch, &policy);
	236	}
	237	if (!status && policy) {
	238	// set options for client-side or server-side policy evaluation
b1ab9ed8 A	239	char *strbuf = NULL;
	240	const char *hostnamestr = NULL;
	241	if (hostname) {
b1ab9ed8 A	242	hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
b1ab9ed8 A	243	if (hostnamestr == NULL) {
427c49bc A	244	CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8) + 1;
	245	strbuf = (char *)malloc(maxLen);
	246	if (CFStringGetCString(hostname, strbuf, maxLen, kCFStringEncodingUTF8)) {
b1ab9ed8 A	247	hostnamestr = strbuf;
	248	}
	249	}
	250	}
427c49bc	251	uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
b1ab9ed8 A	252	uint32 flags = (!server) ? CSSM_APPLE_TP_SSL_CLIENT : 0;
	253	CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
	254	CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
	255	SecPolicySetValue(policy, &data);
427c49bc	256
b1ab9ed8 A	257	if (strbuf) {
	258	free(strbuf);
	259	}
	260	}
	261	if (policySearch) {
	262	CFRelease(policySearch);
	263	}
427c49bc A	264	return policy;
	265	}
	266
	267	SecPolicyRef
	268	SecPolicyCreateWithSecAsn1Oid(SecAsn1Oid *oidPtr)
	269	{
	270	SecPolicyRef policy = NULL;
	271	try {
	272	SecPointer<Policy> policyObj;
	273	PolicyCursor::policy(oidPtr, policyObj);
	274	policy = policyObj->handle();
	275	}
	276	catch (...) {}
	277
	278	return policy;
b1ab9ed8 A	279	}
	280
	281	/* new in 10.7 */
	282	SecPolicyRef
	283	SecPolicyCreateWithOID(CFTypeRef policyOID)
	284	{
b1ab9ed8 A	285	// for now, we only accept the policy constants that are defined in SecPolicy.h
	286	CFStringRef oidStr = (CFStringRef)policyOID;
	287	CSSM_OID *oidPtr = NULL;
	288	SecPolicyRef policy = NULL;
d8f41ccd A	289	if (!oidStr) {
	290	return policy;
	291	}
427c49bc A	292	struct oidmap_entry_t {
	293	const CFTypeRef oidstr;
	294	const SecAsn1Oid *oidptr;
b1ab9ed8	295	};
427c49bc A	296	const oidmap_entry_t oidmap[] = {
	297	{ kSecPolicyAppleX509Basic, &CSSMOID_APPLE_X509_BASIC },
	298	{ kSecPolicyAppleSSL, &CSSMOID_APPLE_TP_SSL },
	299	{ kSecPolicyAppleSMIME, &CSSMOID_APPLE_TP_SMIME },
	300	{ kSecPolicyAppleEAP, &CSSMOID_APPLE_TP_EAP },
	301	{ kSecPolicyAppleIPsec, &CSSMOID_APPLE_TP_IP_SEC },
	302	{ kSecPolicyAppleiChat, &CSSMOID_APPLE_TP_ICHAT },
	303	{ kSecPolicyApplePKINITClient, &CSSMOID_APPLE_TP_PKINIT_CLIENT },
	304	{ kSecPolicyApplePKINITServer, &CSSMOID_APPLE_TP_PKINIT_SERVER },
	305	{ kSecPolicyAppleCodeSigning, &CSSMOID_APPLE_TP_CODE_SIGNING },
	306	{ kSecPolicyMacAppStoreReceipt, &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT },
	307	{ kSecPolicyAppleIDValidation, &CSSMOID_APPLE_TP_APPLEID_SHARING },
	308	{ kSecPolicyAppleTimeStamping, &CSSMOID_APPLE_TP_TIMESTAMPING },
	309	{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION },
	310	{ kSecPolicyApplePassbookSigning, &CSSMOID_APPLE_TP_PASSBOOK_SIGNING },
	311	{ kSecPolicyAppleMobileStore, &CSSMOID_APPLE_TP_MOBILE_STORE },
	312	{ kSecPolicyAppleEscrowService, &CSSMOID_APPLE_TP_ESCROW_SERVICE },
	313	{ kSecPolicyAppleProfileSigner, &CSSMOID_APPLE_TP_PROFILE_SIGNING },
	314	{ kSecPolicyAppleQAProfileSigner, &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
	315	{ kSecPolicyAppleTestMobileStore, &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
d8f41ccd	316	{ kSecPolicyApplePCSEscrowService, &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
427c49bc A	317	};
	318	unsigned int i, oidmaplen = sizeof(oidmap) / sizeof(oidmap_entry_t);
	319	for (i=0; i<oidmaplen; i++) {
	320	CFStringRef str = (CFStringRef) oidmap[i].oidstr;
b1ab9ed8	321	if (CFStringCompare(str, oidStr, 0) == kCFCompareEqualTo) {
427c49bc	322	oidPtr = (CSSM_OID*)oidmap[i].oidptr;
b1ab9ed8 A	323	break;
	324	}
	325	}
d8f41ccd A	326	if (CFEqual(oidStr, kSecPolicyAppleServerAuthentication)) {
	327	return SecPolicyCreateAppleSSLService(NULL);
	328	}
b1ab9ed8 A	329	if (oidPtr) {
	330	SecPolicySearchRef policySearch = NULL;
	331	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, oidPtr, NULL, &policySearch);
	332	if (!status && policySearch) {
	333	status = SecPolicySearchCopyNext(policySearch, &policy);
	334	CFRelease(policySearch);
	335	}
427c49bc A	336	if (!policy && CFEqual(policyOID, kSecPolicyAppleRevocation)) {
	337	policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
	338	}
	339	if (!policy) {
	340	policy = SecPolicyCreateWithSecAsn1Oid((SecAsn1Oid*)oidPtr);
	341	}
b1ab9ed8 A	342	}
	343	return policy;
	344	}
427c49bc A	345
	346	/* new in 10.9 */
	347	SecPolicyRef
	348	SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, CFDictionaryRef properties)
	349	{
	350	SecPolicyRef policy = SecPolicyCreateWithOID(policyIdentifier);
	351	SecPolicySetProperties(policy, properties);
	352
	353	return policy;
	354	}
	355
	356	/* new in 10.9 */
	357	SecPolicyRef
	358	SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
	359	{
	360	// return a SecPolicyRef object for the unified revocation policy
	361	SecAsn1Oid oidPtr = (SecAsn1Oid)&CSSMOID_APPLE_TP_REVOCATION;
	362	SecPolicyRef policy = SecPolicyCreateWithSecAsn1Oid(oidPtr);
d8f41ccd A	363	if (policy) {
	364	CSSM_DATA policyData = { (CSSM_SIZE)sizeof(CFOptionFlags), (uint8*)&revocationFlags };
	365	SecPolicySetValue(policy, &policyData);
	366	}
427c49bc A	367	return policy;
	368	}
	369
	370	/* new in 10.9 *FIXME* TO BE REMOVED */
	371	CFArrayRef SecPolicyCopyEscrowRootCertificates(void)
	372	{
	373	return SecCertificateCopyEscrowRoots(kSecCertificateProductionEscrowRoot);
	374	}
	375
d8f41ccd A	376	SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname)
	377	{
	378	return SecPolicyCreateSSL(true, hostname);
	379	}
	380
	381	SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname)
	382	{
	383	return SecPolicyCreateSSL(true, hostname);
	384	}
	385
	386	SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname)
	387	{
	388	return SecPolicyCreateSSL(true, hostname);
	389	}
	390
	391	SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname)
	392	{
	393	// SSL server, pinned to an Apple intermediate
	394	SecPolicyRef policy = SecPolicyCreateSSL(true, hostname);
	395	if (policy) {
	396	// change options for policy evaluation
	397	char *strbuf = NULL;
	398	const char *hostnamestr = NULL;
	399	if (hostname) {
	400	hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
	401	if (hostnamestr == NULL) {
	402	CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8) + 1;
	403	strbuf = (char *)malloc(maxLen);
	404	if (CFStringGetCString(hostname, strbuf, maxLen, kCFStringEncodingUTF8)) {
	405	hostnamestr = strbuf;
	406	}
	407	}
	408	}
	409	uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
	410	uint32 flags = 0x00000002; // 2nd-lowest bit set to require Apple intermediate pin
	411	CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
	412	CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
	413	SecPolicySetValue(policy, &data);
	414	}
	415	return policy;
	416	}
	417	#include <security_utilities/cfutilities.h>
	418	/* New in 10.10 */
	419	// Takes the "context" policies to extract the revocation and apply it to timeStamp.
	420	CFArrayRef
	421	SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray)
	422	{
	423	/* can't use SECAPI macros, since this function does not return OSStatus */
	424	CFArrayRef resultPolicyArray=NULL;
	425	try {
	426	// Set default policy
	427	CFRef<CFArrayRef> policyArray = cfArrayize(policyOrArray);
	428	CFRef<SecPolicyRef> defaultPolicy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
	429	CFRef<CFMutableArrayRef> appleTimeStampingPolicies = makeCFMutableArray(1,defaultPolicy.get());
	430
	431	// Parse the policy and add revocation related ones
	432	CFIndex numPolicies = CFArrayGetCount(policyArray);
	433	for(CFIndex dex=0; dex<numPolicies; dex++) {
	434	SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policyArray, dex);
	435	SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
	436	const CssmOid &oid = pol->oid();
	437	if ((oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION))
	438	\|\| (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL))
	439	\|\| (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)))
440	{
441	CFArrayAppendValue(appleTimeStampingPolicies, secPol);
442	}
443	}
444	// Transfer of ownership
445	resultPolicyArray=appleTimeStampingPolicies.yield();
446	}
447	catch (...) {
448	CFReleaseNull(resultPolicyArray);
449	};
450	return resultPolicyArray;
451	}
452
453