[apple/security.git] / OSX / sec / securityd / SecPolicyServer.h

/*
 * Copyright (c) 2008-2010,2012-2015 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*!
    @header SecPolicyServer
    The functions provided in SecPolicyServer.h provide an interface to
    trust policies dealing with certificate revocation.
*/

#ifndef _SECURITY_SECPOLICYSERVER_H_
#define _SECURITY_SECPOLICYSERVER_H_

#include <Security/SecPolicyInternal.h>
#include <Security/SecTrustSettings.h>

#include <securityd/policytree.h>
#include <securityd/SecTrustServer.h>

__BEGIN_DECLS

typedef struct OpaqueSecPVC *SecPVCRef;

struct OpaqueSecPVC {
    SecPathBuilderRef builder;

    /* @@@ Duplicated from builder, remove. */
	CFArrayRef policies;
	CFAbsoluteTime verifyTime;

    SecCertificatePathRef path;
    CFArrayRef details;
    CFMutableDictionaryRef info;
    policy_tree_t valid_policy_tree;
    CFDictionaryRef callbacks;
    CFIndex policyIX;

    void *rvcs;
    unsigned int asyncJobCount;

    CFStringRef check_revocation;
    bool response_required;
    bool online_revocation;
    bool optionally_ev;
    bool is_ev;
    bool is_ct;
    bool is_ct_whitelisted;
    bool is_allowlisted;
    bool result;
};

void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies,
    CFAbsoluteTime verifyTime);
void SecPVCDelete(SecPVCRef pvc);
void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathRef path,
    CF_CONSUMED CFArrayRef details);
SecPolicyRef SecPVCGetPolicy(SecPVCRef pv);
CFAbsoluteTime SecPVCGetVerifyTime(SecPVCRef pv);
CFIndex SecPVCGetCertificateCount(SecPVCRef pv);
SecCertificateRef SecPVCGetCertificateAtIndex(SecPVCRef pv, CFIndex ix);
bool SecPVCIsCertificateAtIndexSelfIssued(SecPVCRef pvc, CFIndex ix);
bool SecPVCIsAnchored(SecPVCRef pvc);

/* Set the string result as the reason for the sub policy check key
   failing.  The policy check function should continue processing if
   this function returns true. */
bool SecPVCSetResult(SecPVCRef pv, CFStringRef key, CFIndex ix,
	CFTypeRef result);
bool SecPVCSetResultForced(SecPVCRef pvc,
	CFStringRef key, CFIndex ix, CFTypeRef result, bool force);

/* Enable revocation checking if the rest of the policy checks succeed. */
void SecPVCSetCheckRevocation(SecPVCRef pvc, CFStringRef method);

/* Require a revocation response for the leaf certificate. */
void SecPVCSetCheckRevocationResponseRequired(SecPVCRef pvc);

/* Require a online revocation response for the chain. */
void SecPVCSetCheckRevocationOnline(SecPVCRef pvc);

/* Run static leaf checks on the path in pvc. */
bool SecPVCLeafChecks(SecPVCRef pvc);

/* Run static parent checks on the path in pvc. */
bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix);

/* Check whether an intermediate certificates key has been blacklisted. */
bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix);

/* Check whether an intermediate certificates key has been gray listed. */
bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix);

/* Run dynamic checks on the complete path in pvc.  Return true if the
   operation is complete, returns false if an async backgroup request was
   scheduled.  Upon completion of the async background job
   SecPathBuilderStep() should be called. */
bool SecPVCPathChecks(SecPVCRef pvc);

/* Return 0 if any certs revocation checking failed, the earliest date on
   which one of the used revocation validation tokens (ocsp response or
   crl) expires.  */
CFAbsoluteTime SecPVCGetEarliestNextUpdate(SecPVCRef pvc);

typedef void (*SecPolicyCheckFunction)(SecPVCRef pv, CFStringRef key);

/*
    Used by SecTrust to verify if a particular certificate chain matches
	this policy.  Returns true if the policy accepts the certificate chain.
*/
bool SecPolicyValidate(SecPolicyRef policy, SecPVCRef pvc, CFStringRef key);

void SecPolicyServerInitalize(void);

/* True iff certificate could be an extended validation (EV) certificate. */
bool SecPolicySubscriberCertificateCouldBeEV(SecCertificateRef certificate);

void SecEVPolicyToAnchorDigestsInit(void);

SecTrustSettingsResult SecPVCGetTrustSettingsResult(SecPVCRef pvc, SecCertificateRef certificate, CFArrayRef constraints);

bool SecPVCCheckUsageConstraints(SecPVCRef pvc);

bool SecPVCCheckIssuerDateConstraints(SecPVCRef pvc);

__END_DECLS

#endif /* !_SECURITY_SECPOLICYSERVER_H_ */
Commit	Line	Data
b1ab9ed8	1	/*
5c19dc3a	2	* Copyright (c) 2008-2010,2012-2015 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
b1ab9ed8 A	4	* @APPLE_LICENSE_HEADER_START@
5c19dc3a	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
5c19dc3a	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
5c19dc3a	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*!
	25	@header SecPolicyServer
	26	The functions provided in SecPolicyServer.h provide an interface to
	27	trust policies dealing with certificate revocation.
	28	*/
	29
	30	#ifndef _SECURITY_SECPOLICYSERVER_H_
	31	#define _SECURITY_SECPOLICYSERVER_H_
	32
	33	#include <Security/SecPolicyInternal.h>
fa7225c8	34	#include <Security/SecTrustSettings.h>
b1ab9ed8 A	35
	36	#include <securityd/policytree.h>
	37	#include <securityd/SecTrustServer.h>
	38
427c49bc	39	__BEGIN_DECLS
b1ab9ed8 A	40
	41	typedef struct OpaqueSecPVC *SecPVCRef;
	42
	43	struct OpaqueSecPVC {
	44	SecPathBuilderRef builder;
	45
	46	/* @@@ Duplicated from builder, remove. */
	47	CFArrayRef policies;
	48	CFAbsoluteTime verifyTime;
	49
5c19dc3a A	50	SecCertificatePathRef path;
5c19dc3a A	51	CFArrayRef details;
b1ab9ed8 A	52	CFMutableDictionaryRef info;
	53	policy_tree_t valid_policy_tree;
	54	CFDictionaryRef callbacks;
	55	CFIndex policyIX;
	56
	57	void *rvcs;
	58	unsigned int asyncJobCount;
	59
fa7225c8	60	CFStringRef check_revocation;
5c19dc3a	61	bool response_required;
6b200bc3	62	bool online_revocation;
b1ab9ed8 A	63	bool optionally_ev;
b1ab9ed8 A	64	bool is_ev;
5c19dc3a	65	bool is_ct;
fa7225c8	66	bool is_ct_whitelisted;
3a7be6fd	67	bool is_allowlisted;
5c19dc3a	68	bool result;
b1ab9ed8 A	69	};
	70
	71	void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies,
	72	CFAbsoluteTime verifyTime);
	73	void SecPVCDelete(SecPVCRef pvc);
	74	void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathRef path,
d8f41ccd	75	CF_CONSUMED CFArrayRef details);
b1ab9ed8 A	76	SecPolicyRef SecPVCGetPolicy(SecPVCRef pv);
	77	CFAbsoluteTime SecPVCGetVerifyTime(SecPVCRef pv);
	78	CFIndex SecPVCGetCertificateCount(SecPVCRef pv);
	79	SecCertificateRef SecPVCGetCertificateAtIndex(SecPVCRef pv, CFIndex ix);
6b200bc3	80	bool SecPVCIsCertificateAtIndexSelfIssued(SecPVCRef pvc, CFIndex ix);
b1ab9ed8 A	81	bool SecPVCIsAnchored(SecPVCRef pvc);
	82
	83	/* Set the string result as the reason for the sub policy check key
	84	failing. The policy check function should continue processing if
	85	this function returns true. */
	86	bool SecPVCSetResult(SecPVCRef pv, CFStringRef key, CFIndex ix,
	87	CFTypeRef result);
	88	bool SecPVCSetResultForced(SecPVCRef pvc,
	89	CFStringRef key, CFIndex ix, CFTypeRef result, bool force);
	90
	91	/* Enable revocation checking if the rest of the policy checks succeed. */
fa7225c8	92	void SecPVCSetCheckRevocation(SecPVCRef pvc, CFStringRef method);
b1ab9ed8	93
5c19dc3a A	94	/* Require a revocation response for the leaf certificate. */
	95	void SecPVCSetCheckRevocationResponseRequired(SecPVCRef pvc);
	96
6b200bc3 A	97	/* Require a online revocation response for the chain. */
	98	void SecPVCSetCheckRevocationOnline(SecPVCRef pvc);
	99
b1ab9ed8 A	100	/* Run static leaf checks on the path in pvc. */
	101	bool SecPVCLeafChecks(SecPVCRef pvc);
	102
	103	/* Run static parent checks on the path in pvc. */
	104	bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix);
	105
	106	/* Check whether an intermediate certificates key has been blacklisted. */
	107	bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix);
5c19dc3a	108
427c49bc A	109	/* Check whether an intermediate certificates key has been gray listed. */
427c49bc A	110	bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix);
b1ab9ed8 A	111
	112	/* Run dynamic checks on the complete path in pvc. Return true if the
	113	operation is complete, returns false if an async backgroup request was
	114	scheduled. Upon completion of the async background job
	115	SecPathBuilderStep() should be called. */
	116	bool SecPVCPathChecks(SecPVCRef pvc);
	117
	118	/* Return 0 if any certs revocation checking failed, the earliest date on
	119	which one of the used revocation validation tokens (ocsp response or
	120	crl) expires. */
	121	CFAbsoluteTime SecPVCGetEarliestNextUpdate(SecPVCRef pvc);
	122
	123	typedef void (*SecPolicyCheckFunction)(SecPVCRef pv, CFStringRef key);
	124
	125	/*
	126	Used by SecTrust to verify if a particular certificate chain matches
	127	this policy. Returns true if the policy accepts the certificate chain.
	128	*/
	129	bool SecPolicyValidate(SecPolicyRef policy, SecPVCRef pvc, CFStringRef key);
	130
b1ab9ed8 A	131	void SecPolicyServerInitalize(void);
	132
	133	/* True iff certificate could be an extended validation (EV) certificate. */
	134	bool SecPolicySubscriberCertificateCouldBeEV(SecCertificateRef certificate);
	135
427c49bc A	136	void SecEVPolicyToAnchorDigestsInit(void);
427c49bc A	137
fa7225c8 A	138	SecTrustSettingsResult SecPVCGetTrustSettingsResult(SecPVCRef pvc, SecCertificateRef certificate, CFArrayRef constraints);
	139
	140	bool SecPVCCheckUsageConstraints(SecPVCRef pvc);
5c19dc3a	141
b04fe171 A	142	bool SecPVCCheckIssuerDateConstraints(SecPVCRef pvc);
b04fe171 A	143
427c49bc	144	__END_DECLS
b1ab9ed8 A	145
b1ab9ed8 A	146	#endif /* !_SECURITY_SECPOLICYSERVER_H_ */