[apple/security.git] / libsecurity_keychain / lib / certextensionsP.h

/*
 * Copyright (c) 2000-2009 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 *
 * CertExtensions.h -- X.509 Cert Extensions as C structs
 */

#ifndef	_CERT_EXTENSIONS_H_
#define _CERT_EXTENSIONS_H_

#include <stdbool.h>
#include <libDER/libDER.h>
//#include <Security/x509defs.h>

/***
 *** Structs for declaring extension-specific data. 
 ***/

/*
 * GeneralName, used in AuthorityKeyID, SubjectAltName, and 
 * IssuerAltName. 
 *
 * For now, we just provide explicit support for the types which are
 * represented as IA5Strings, OIDs, and octet strings. Constructed types
 * such as EDIPartyName and x400Address are not explicitly handled
 * right now and must be encoded and decoded by the caller. (See exception
 * for Name and OtherName, below). In those cases the SecCEGeneralName.name.Data field 
 * represents the BER contents octets; SecCEGeneralName.name.Length is the 
 * length of the contents; the tag of the field is not needed - the BER 
 * encoding uses context-specific implicit tagging. The berEncoded field 
 * is set to true in these case. Simple types have berEncoded = false. 
 *
 * In the case of a GeneralName in the form of a Name, we parse the Name
 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
 * SecCEGeneralName.name.Data field. SecCEGeneralName.name.Length is set to 
 * sizeof(CSSM_X509_NAME). In this case berEncoded is false. 
 *
 * In the case of a GeneralName in the form of a OtherName, we parse the fields
 * into a SecCEOtherName and place a pointer to the SecCEOtherName in the
 * SecCEGeneralName.name.Data field. SecCEGeneralName.name.Length is set to 
 * sizeof(SecCEOtherName). In this case berEncoded is false. 
 *
 *      GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 *
 *      GeneralName ::= CHOICE {
 *           otherName                       [0]     OtherName
 *           rfc822Name                      [1]     IA5String,
 *           dNSName                         [2]     IA5String,
 *           x400Address                     [3]     ORAddress,
 *           directoryName                   [4]     Name,
 *           ediPartyName                    [5]     EDIPartyName,
 *           uniformResourceIdentifier       [6]     IA5String,
 *           iPAddress                       [7]     OCTET STRING,
 *           registeredID                    [8]     OBJECT IDENTIFIER}
 *
 *      OtherName ::= SEQUENCE {
 *           type-id    OBJECT IDENTIFIER,
 *           value      [0] EXPLICIT ANY DEFINED BY type-id }
 *
 *      EDIPartyName ::= SEQUENCE {
 *           nameAssigner            [0]     DirectoryString OPTIONAL,
 *           partyName               [1]     DirectoryString }
 */
typedef enum {
	GNT_OtherName = 0,
	GNT_RFC822Name,
	GNT_DNSName,
	GNT_X400Address,
	GNT_DirectoryName,
	GNT_EdiPartyName,
	GNT_URI,
	GNT_IPAddress,
	GNT_RegisteredID
} SecCEGeneralNameType;

typedef struct {
	DERItem                 typeId;
	DERItem                 value;		// unparsed, BER-encoded
} SecCEOtherName;

typedef struct {
	SecCEGeneralNameType		nameType;	// GNT_RFC822Name, etc.
	bool                    berEncoded;
	DERItem                 name; 
} SecCEGeneralName;

typedef struct {
	uint32_t					numNames;
	SecCEGeneralName			*generalName;		
} SecCEGeneralNames;	

/*
 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
 *
 *   AuthorityKeyIdentifier ::= SEQUENCE {
 *     keyIdentifier             [0] KeyIdentifier           OPTIONAL,
 *     authorityCertIssuer       [1] GeneralNames            OPTIONAL,
 *     authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
 *
 *   KeyIdentifier ::= OCTET STRING
 *
 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
 */
typedef struct {
	bool                keyIdentifierPresent;
	DERItem             keyIdentifier;
	bool                generalNamesPresent;
	SecCEGeneralNames		*generalNames;
	bool                serialNumberPresent;
	DERItem             serialNumber;
} SecCEAuthorityKeyID;

/*
 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
 *   SubjectKeyIdentifier ::= KeyIdentifier
 *
 * CSSM OID = CSSMOID_SubjectKeyIdentifier
 */
typedef DERItem SecCESubjectKeyID;

/*
 * id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
 *
 *     KeyUsage ::= BIT STRING {
 *          digitalSignature        (0),
 *          nonRepudiation          (1),
 *          keyEncipherment         (2),
 *          dataEncipherment        (3),
 *          keyAgreement            (4),
 *          keyCertSign             (5),
 *          cRLSign                 (6),
 *          encipherOnly            (7),
 *          decipherOnly            (8) }
 *
 * CSSM OID = CSSMOID_KeyUsage
 *
 */
typedef uint16_t SecCEKeyUsage;

#define SecCEKU_DigitalSignature	0x8000
#define SecCEKU_NonRepudiation	0x4000
#define SecCEKU_KeyEncipherment	0x2000
#define SecCEKU_DataEncipherment	0x1000
#define SecCEKU_KeyAgreement		0x0800
#define SecCEKU_KeyCertSign	 	0x0400
#define SecCEKU_CRLSign			0x0200
#define SecCEKU_EncipherOnly	 	0x0100
#define SecCEKU_DecipherOnly	 	0x0080

/*
 *  id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
 *
 *   -- reasonCode ::= { CRLReason }
 *
 *   CRLReason ::= ENUMERATED {
 *  	unspecified             (0),
 *      keyCompromise           (1),
 *     	cACompromise            (2),
 *    	affiliationChanged      (3),
 *   	superseded              (4),
 *  	cessationOfOperation    (5),
 * 		certificateHold         (6),
 *		removeFromCRL           (8) }
 *
 * CSSM OID = CSSMOID_CrlReason
 *
 */
typedef uint32_t SecCECrlReason;

#define SecCECR_Unspecified			0
#define SecCECR_KeyCompromise			1
#define SecCECR_CACompromise			2
#define SecCECR_AffiliationChanged	3
#define SecCECR_Superseded			4
#define SecCECR_CessationOfOperation	5
#define SecCECR_CertificateHold		6
#define SecCECR_RemoveFromCRL	 		8

/*
 * id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
 *
 *      SubjectAltName ::= GeneralNames
 *
 * CSSM OID = CSSMOID_SubjectAltName
 *
 * GeneralNames defined above.
 */

/*
 *  id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
 *
 *   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId*
 *
 *  KeyPurposeId ::= OBJECT IDENTIFIER
 *
 * CSSM OID = CSSMOID_ExtendedKeyUsage
 */
typedef struct {
	uint32_t		numPurposes;
	DERItem         *purposes;		// in Intel pre-encoded format
} SecCEExtendedKeyUsage;

/*
 * id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
 *
 * BasicConstraints ::= SEQUENCE {
 *       cA                      BOOLEAN DEFAULT FALSE,
 *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 *
 * CSSM OID = CSSMOID_BasicConstraints
 */
typedef struct {
	bool                present;
	bool                critical;
	bool                isCA;
	bool                pathLenConstraintPresent;
	uint32_t			pathLenConstraint;
} SecCEBasicConstraints;	

typedef struct {
	bool                present;
	bool                critical;
	bool                requireExplicitPolicyPresent;
	uint32_t			requireExplicitPolicy;
	bool                inhibitPolicyMappingPresent;
	uint32_t			inhibitPolicyMapping;
} SecCEPolicyConstraints;

/*
 * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
 *
 *   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
 *
 *   PolicyInformation ::= SEQUENCE {
 *        policyIdentifier   CertPolicyId,
 *        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
 *                                PolicyQualifierInfo OPTIONAL }
 *
 *   CertPolicyId ::= OBJECT IDENTIFIER
 *
 *   PolicyQualifierInfo ::= SEQUENCE {
 *        policyQualifierId  PolicyQualifierId,
 *        qualifier          ANY DEFINED BY policyQualifierId } 
 *
 *   -- policyQualifierIds for Internet policy qualifiers
 *
 *   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
 *   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
 *   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
 *
 *   PolicyQualifierId ::=
 *        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
 *
 *   Qualifier ::= CHOICE {
 *        cPSuri           CPSuri,
 *        userNotice       UserNotice }
 *
 *   CPSuri ::= IA5String
 *
 *   UserNotice ::= SEQUENCE {
 *        noticeRef        NoticeReference OPTIONAL,
 *        explicitText     DisplayText OPTIONAL}
 *
 *   NoticeReference ::= SEQUENCE {
 *        organization     DisplayText,
 *        noticeNumbers    SEQUENCE OF INTEGER }
 *
 *   DisplayText ::= CHOICE {
 *        visibleString    VisibleString  (SIZE (1..200)),
 *        bmpString        BMPString      (SIZE (1..200)),
 *        utf8String       UTF8String     (SIZE (1..200)) }
 *
 *  CSSM OID = CSSMOID_CertificatePolicies
 *
 * We only support down to the level of Qualifier, and then only the CPSuri
 * choice. UserNotice is transmitted to and from this library as a raw
 * CSSM_DATA containing the BER-encoded UserNotice sequence. 
 */
#if 0
typedef struct {
	DERItem     policyQualifierId;			// CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
	DERItem     qualifier;					// CSSMOID_QT_CPS: IA5String contents
											// CSSMOID_QT_UNOTICE : Sequence contents
} SecCEPolicyQualifierInfo;
#endif

typedef struct {
    DERItem policyIdentifier;
    DERItem policyQualifiers;
} SecCEPolicyInformation;

typedef struct {
	bool                    present;
	bool                    critical;
	uint32_t                numPolicies;			// size of *policies;
	SecCEPolicyInformation  *policies;
} SecCECertificatePolicies;

typedef struct {
    DERItem issuerDomainPolicy;
    DERItem subjectDomainPolicy;
} SecCEPolicyMapping;

/*
   PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
        issuerDomainPolicy      CertPolicyId,
        subjectDomainPolicy     CertPolicyId }
*/
typedef struct {
	bool                present;
	bool                critical;
	uint32_t            numMappings;			// size of *mappings;
	SecCEPolicyMapping  *mappings;
} SecCEPolicyMappings;

#if 0
typedef struct {
	bool                    present;
	bool                    critical;
	uint32_t                skipCerts;
} SecCEInhibitAnyPolicy;

/*
 * netscape-cert-type, a bit string.
 *
 * CSSM OID = CSSMOID_NetscapeCertType
 *
 * Bit fields defined in oidsattr.h: SecCENCT_SSL_Client, etc.
 */
typedef uint16_t SecCENetscapeCertType;

/*
 * CRLDistributionPoints.
 *
 *   id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
 *
 *   cRLDistributionPoints ::= {
 *        CRLDistPointsSyntax }
 *
 *   CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
 *
 *   NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
 *   is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
 *   because the underlying type also uses an implicit tag for distinguish
 *   between CHOICEs.
 *
 *   DistributionPoint ::= SEQUENCE {
 *        distributionPoint       [0]     DistributionPointName OPTIONAL,
 *        reasons                 [1]     ReasonFlags OPTIONAL,
 *        cRLIssuer               [2]     GeneralNames OPTIONAL }
 *
 *   DistributionPointName ::= CHOICE {
 *        fullName                [0]     GeneralNames,
 *        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
 *
 *   ReasonFlags ::= BIT STRING {
 *        unused                  (0),
 *        keyCompromise           (1),
 *        cACompromise            (2),
 *        affiliationChanged      (3),
 *        superseded              (4),
 *        cessationOfOperation    (5),
 *        certificateHold         (6) }
 *
 * CSSM OID = CSSMOID_CrlDistributionPoints
 */
 
/*
 * Note that this looks similar to SecCECrlReason, but that's an enum and this
 * is an OR-able bit string.
 */
typedef uint8_t SecCECrlDistReasonFlags;

#define SecCECD_Unspecified			0x80
#define SecCECD_KeyCompromise			0x40
#define SecCECD_CACompromise			0x20
#define SecCECD_AffiliationChanged	0x10
#define SecCECD_Superseded			0x08
#define SecCECD_CessationOfOperation	0x04
#define SecCECD_CertificateHold		0x02

typedef enum {
	SecCECDNT_FullName,
	SecCECDNT_NameRelativeToCrlIssuer
} SecCECrlDistributionPointNameType;

typedef struct {
	SecCECrlDistributionPointNameType		nameType;
	union {
		SecCEGeneralNames					*fullName;
		CSSM_X509_RDN_PTR				rdn;
	} dpn;
} SecCEDistributionPointName;

/*
 * The top-level CRLDistributionPoint.
 * All fields are optional; NULL pointers indicate absence. 
 */
typedef struct {
	SecCEDistributionPointName			*distPointName;
	bool                                reasonsPresent;
	SecCECrlDistReasonFlags				reasons;
	SecCEGeneralNames						*crlIssuer;
} SecCECRLDistributionPoint;

typedef struct {
	uint32_t							numDistPoints;
	SecCECRLDistributionPoint				*distPoints;
} SecCECRLDistPointsSyntax;

/* 
 * Authority Information Access and Subject Information Access.
 *
 * CSSM OID = CSSMOID_AuthorityInfoAccess
 * CSSM OID = CSSMOID_SubjectInfoAccess
 *
 * SubjAuthInfoAccessSyntax  ::=
 *		SEQUENCE SIZE (1..MAX) OF AccessDescription
 * 
 * AccessDescription  ::=  SEQUENCE {
 *		accessMethod          OBJECT IDENTIFIER,
 *		accessLocation        GeneralName  }
 */
typedef struct {
	DERItem                 accessMethod;
	SecCEGeneralName			accessLocation;
} SecCEAccessDescription;

typedef struct {
	uint32_t				numAccessDescriptions;
	SecCEAccessDescription	*accessDescriptions;
} SecCEAuthorityInfoAccess;

/*** CRL extensions ***/

/*
 * cRLNumber, an integer.
 *
 * CSSM OID = CSSMOID_CrlNumber
 */
typedef uint32_t SecCECrlNumber;

/*
 * deltaCRLIndicator, an integer.
 *
 * CSSM OID = CSSMOID_DeltaCrlIndicator
 */
typedef uint32_t SecCEDeltaCrl;

/*
 * IssuingDistributionPoint
 *
 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
 *
 * issuingDistributionPoint ::= SEQUENCE {
 *      distributionPoint       [0] DistributionPointName OPTIONAL,
 *		onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
 *      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
 *      onlySomeReasons         [3] ReasonFlags OPTIONAL,
 *      indirectCRL             [4] BOOLEAN DEFAULT FALSE }
 *
 * CSSM OID = CSSMOID_IssuingDistributionPoint
 */
typedef struct {
	SecCEDistributionPointName	*distPointName;		// optional
	bool                        onlyUserCertsPresent;
	bool                        onlyUserCerts;
	bool                        onlyCACertsPresent;
	bool                        onlyCACerts;
	bool                        onlySomeReasonsPresent;
	SecCECrlDistReasonFlags		onlySomeReasons;
	bool                        indirectCrlPresent;
	bool                        indirectCrl;
} SecCEIssuingDistributionPoint;

/*
 * An enumerated list identifying one of the above per-extension
 * structs.
 */
typedef enum {
	DT_AuthorityKeyID,			// SecCEAuthorityKeyID
	DT_SubjectKeyID,			// SecCESubjectKeyID
	DT_KeyUsage,				// SecCEKeyUsage
	DT_SubjectAltName,			// implies SecCEGeneralName
	DT_IssuerAltName,			// implies SecCEGeneralName
	DT_ExtendedKeyUsage,		// SecCEExtendedKeyUsage
	DT_BasicConstraints,		// SecCEBasicConstraints
	DT_CertPolicies,			// SecCECertPolicies
	DT_NetscapeCertType,		// SecCENetscapeCertType
	DT_CrlNumber,				// SecCECrlNumber
	DT_DeltaCrl,				// SecCEDeltaCrl
	DT_CrlReason,				// SecCECrlReason
	DT_CrlDistributionPoints,	// SecCECRLDistPointsSyntax
	DT_IssuingDistributionPoint,// SecCEIssuingDistributionPoint
	DT_AuthorityInfoAccess,		// SecCEAuthorityInfoAccess
	DT_Other					// unknown, raw data as a CSSM_DATA
} SecCEDataType;

/*
 * One unified representation of all the cert adn CRL extensions we know about.
 */
typedef union {
	SecCEAuthorityKeyID				authorityKeyID;
	SecCESubjectKeyID				subjectKeyID;
	SecCEKeyUsage					keyUsage;
	SecCEGeneralNames				subjectAltName;
	SecCEGeneralNames				issuerAltName;
	SecCEExtendedKeyUsage			extendedKeyUsage;
	SecCEBasicConstraints			basicConstraints;
	SecCECertPolicies				certPolicies;
	SecCENetscapeCertType			netscapeCertType;
	SecCECrlNumber					crlNumber;
	SecCEDeltaCrl					deltaCrl;
	SecCECrlReason					crlReason;
	SecCECRLDistPointsSyntax		crlDistPoints;
	SecCEIssuingDistributionPoint	issuingDistPoint;
	SecCEAuthorityInfoAccess		authorityInfoAccess;
	DERItem							rawData;			// unknown, not decoded
} SecCEData;

typedef struct {
	SecCEDataType				type;
	SecCEData					extension;
	bool						critical;
} SecCEDataAndType;
#endif /* 0 */

#endif	/* _CERT_EXTENSIONS_H_ */
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2000-2009 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*
	23	* CertExtensions.h -- X.509 Cert Extensions as C structs
	24	*/
	25
	26	#ifndef _CERT_EXTENSIONS_H_
	27	#define _CERT_EXTENSIONS_H_
	28
	29	#include <stdbool.h>
	30	#include <libDER/libDER.h>
	31	//#include <Security/x509defs.h>
	32
	33	/***
	34	*** Structs for declaring extension-specific data.
	35	***/
	36
	37	/*
	38	* GeneralName, used in AuthorityKeyID, SubjectAltName, and
	39	* IssuerAltName.
	40	*
	41	* For now, we just provide explicit support for the types which are
	42	* represented as IA5Strings, OIDs, and octet strings. Constructed types
	43	* such as EDIPartyName and x400Address are not explicitly handled
	44	* right now and must be encoded and decoded by the caller. (See exception
	45	* for Name and OtherName, below). In those cases the SecCEGeneralName.name.Data field
	46	* represents the BER contents octets; SecCEGeneralName.name.Length is the
	47	* length of the contents; the tag of the field is not needed - the BER
	48	* encoding uses context-specific implicit tagging. The berEncoded field
	49	* is set to true in these case. Simple types have berEncoded = false.
	50	*
	51	* In the case of a GeneralName in the form of a Name, we parse the Name
	52	* into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
	53	* SecCEGeneralName.name.Data field. SecCEGeneralName.name.Length is set to
	54	* sizeof(CSSM_X509_NAME). In this case berEncoded is false.
	55	*
	56	* In the case of a GeneralName in the form of a OtherName, we parse the fields
	57	* into a SecCEOtherName and place a pointer to the SecCEOtherName in the
	58	* SecCEGeneralName.name.Data field. SecCEGeneralName.name.Length is set to
	59	* sizeof(SecCEOtherName). In this case berEncoded is false.
	60	*
	61	* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
	62	*
	63	* GeneralName ::= CHOICE {
	64	* otherName [0] OtherName
65	* rfc822Name [1] IA5String,
66	* dNSName [2] IA5String,
67	* x400Address [3] ORAddress,
68	* directoryName [4] Name,
69	* ediPartyName [5] EDIPartyName,
70	* uniformResourceIdentifier [6] IA5String,
71	* iPAddress [7] OCTET STRING,
72	* registeredID [8] OBJECT IDENTIFIER}
73	*
74	* OtherName ::= SEQUENCE {
75	* type-id OBJECT IDENTIFIER,
76	* value [0] EXPLICIT ANY DEFINED BY type-id }
77	*
78	* EDIPartyName ::= SEQUENCE {
79	* nameAssigner [0] DirectoryString OPTIONAL,
80	* partyName [1] DirectoryString }
81	*/
82	typedef enum {
83	GNT_OtherName = 0,
84	GNT_RFC822Name,
85	GNT_DNSName,
86	GNT_X400Address,
87	GNT_DirectoryName,
88	GNT_EdiPartyName,
89	GNT_URI,
90	GNT_IPAddress,
91	GNT_RegisteredID
92	} SecCEGeneralNameType;
93
94	typedef struct {
95	DERItem typeId;
96	DERItem value; // unparsed, BER-encoded
97	} SecCEOtherName;
98
99	typedef struct {
100	SecCEGeneralNameType nameType; // GNT_RFC822Name, etc.
101	bool berEncoded;
102	DERItem name;
103	} SecCEGeneralName;
104
105	typedef struct {
106	uint32_t numNames;
107	SecCEGeneralName *generalName;
108	} SecCEGeneralNames;
109
110	/*
111	* id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
112	*
113	* AuthorityKeyIdentifier ::= SEQUENCE {
114	* keyIdentifier [0] KeyIdentifier OPTIONAL,
115	* authorityCertIssuer [1] GeneralNames OPTIONAL,
116	* authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
117	*
118	* KeyIdentifier ::= OCTET STRING
119	*
120	* CSSM OID = CSSMOID_AuthorityKeyIdentifier
121	*/
122	typedef struct {
123	bool keyIdentifierPresent;
124	DERItem keyIdentifier;
125	bool generalNamesPresent;
126	SecCEGeneralNames *generalNames;
127	bool serialNumberPresent;
128	DERItem serialNumber;
129	} SecCEAuthorityKeyID;
130
131	/*
132	* id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
133	* SubjectKeyIdentifier ::= KeyIdentifier
134	*
135	* CSSM OID = CSSMOID_SubjectKeyIdentifier
136	*/
137	typedef DERItem SecCESubjectKeyID;
138
139	/*
140	* id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
141	*
142	* KeyUsage ::= BIT STRING {
143	* digitalSignature (0),
144	* nonRepudiation (1),
145	* keyEncipherment (2),
146	* dataEncipherment (3),
147	* keyAgreement (4),
148	* keyCertSign (5),
149	* cRLSign (6),
150	* encipherOnly (7),
151	* decipherOnly (8) }
152	*
153	* CSSM OID = CSSMOID_KeyUsage
154	*
155	*/
156	typedef uint16_t SecCEKeyUsage;
157
158	#define SecCEKU_DigitalSignature 0x8000
159	#define SecCEKU_NonRepudiation 0x4000
160	#define SecCEKU_KeyEncipherment 0x2000
161	#define SecCEKU_DataEncipherment 0x1000
162	#define SecCEKU_KeyAgreement 0x0800
163	#define SecCEKU_KeyCertSign 0x0400
164	#define SecCEKU_CRLSign 0x0200
165	#define SecCEKU_EncipherOnly 0x0100
166	#define SecCEKU_DecipherOnly 0x0080
167
168	/*
169	* id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
170	*
171	* -- reasonCode ::= { CRLReason }
172	*
173	* CRLReason ::= ENUMERATED {
174	* unspecified (0),
175	* keyCompromise (1),
176	* cACompromise (2),
177	* affiliationChanged (3),
178	* superseded (4),
179	* cessationOfOperation (5),
180	* certificateHold (6),
181	* removeFromCRL (8) }
182	*
183	* CSSM OID = CSSMOID_CrlReason
184	*
185	*/
186	typedef uint32_t SecCECrlReason;
187
188	#define SecCECR_Unspecified 0
189	#define SecCECR_KeyCompromise 1
190	#define SecCECR_CACompromise 2
191	#define SecCECR_AffiliationChanged 3
192	#define SecCECR_Superseded 4
193	#define SecCECR_CessationOfOperation 5
194	#define SecCECR_CertificateHold 6
195	#define SecCECR_RemoveFromCRL 8
196
197	/*
198	* id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
199	*
200	* SubjectAltName ::= GeneralNames
201	*
202	* CSSM OID = CSSMOID_SubjectAltName
203	*
204	* GeneralNames defined above.
205	*/
206
207	/*
208	* id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
209	*
210	* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId*
211	*
212	* KeyPurposeId ::= OBJECT IDENTIFIER
213	*
214	* CSSM OID = CSSMOID_ExtendedKeyUsage
215	*/
216	typedef struct {
217	uint32_t numPurposes;
218	DERItem *purposes; // in Intel pre-encoded format
219	} SecCEExtendedKeyUsage;
220
221	/*
222	* id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
223	*
224	* BasicConstraints ::= SEQUENCE {
225	* cA BOOLEAN DEFAULT FALSE,
226	* pathLenConstraint INTEGER (0..MAX) OPTIONAL }
227	*
228	* CSSM OID = CSSMOID_BasicConstraints
229	*/
230	typedef struct {
231	bool present;
232	bool critical;
233	bool isCA;
234	bool pathLenConstraintPresent;
235	uint32_t pathLenConstraint;
236	} SecCEBasicConstraints;
237
238	typedef struct {
239	bool present;
240	bool critical;
241	bool requireExplicitPolicyPresent;
242	uint32_t requireExplicitPolicy;
243	bool inhibitPolicyMappingPresent;
244	uint32_t inhibitPolicyMapping;
245	} SecCEPolicyConstraints;
246
247	/*
248	* id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
249	*
250	* certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
251	*
252	* PolicyInformation ::= SEQUENCE {
253	* policyIdentifier CertPolicyId,
254	* policyQualifiers SEQUENCE SIZE (1..MAX) OF
255	* PolicyQualifierInfo OPTIONAL }
256	*
257	* CertPolicyId ::= OBJECT IDENTIFIER
258	*
259	* PolicyQualifierInfo ::= SEQUENCE {
260	* policyQualifierId PolicyQualifierId,
261	* qualifier ANY DEFINED BY policyQualifierId }
262	*
263	* -- policyQualifierIds for Internet policy qualifiers
264	*
265	* id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
266	* id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
267	* id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
268	*
269	* PolicyQualifierId ::=
270	* OBJECT IDENTIFIER ( id-qt-cps \| id-qt-unotice )
271	*
272	* Qualifier ::= CHOICE {
273	* cPSuri CPSuri,
274	* userNotice UserNotice }
275	*
276	* CPSuri ::= IA5String
277	*
278	* UserNotice ::= SEQUENCE {
279	* noticeRef NoticeReference OPTIONAL,
280	* explicitText DisplayText OPTIONAL}
281	*
282	* NoticeReference ::= SEQUENCE {
283	* organization DisplayText,
284	* noticeNumbers SEQUENCE OF INTEGER }
285	*
286	* DisplayText ::= CHOICE {
287	* visibleString VisibleString (SIZE (1..200)),
288	* bmpString BMPString (SIZE (1..200)),
289	* utf8String UTF8String (SIZE (1..200)) }
290	*
291	* CSSM OID = CSSMOID_CertificatePolicies
292	*
293	* We only support down to the level of Qualifier, and then only the CPSuri
294	* choice. UserNotice is transmitted to and from this library as a raw
295	* CSSM_DATA containing the BER-encoded UserNotice sequence.
296	*/
297	#if 0
298	typedef struct {
299	DERItem policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
300	DERItem qualifier; // CSSMOID_QT_CPS: IA5String contents
301	// CSSMOID_QT_UNOTICE : Sequence contents
302	} SecCEPolicyQualifierInfo;
303	#endif
304
305	typedef struct {
306	DERItem policyIdentifier;
307	DERItem policyQualifiers;
308	} SecCEPolicyInformation;
309
310	typedef struct {
311	bool present;
312	bool critical;
313	uint32_t numPolicies; // size of *policies;
314	SecCEPolicyInformation *policies;
315	} SecCECertificatePolicies;
316
317	typedef struct {
318	DERItem issuerDomainPolicy;
319	DERItem subjectDomainPolicy;
320	} SecCEPolicyMapping;
321
322	/*
323	PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
324	issuerDomainPolicy CertPolicyId,
325	subjectDomainPolicy CertPolicyId }
326	*/
327	typedef struct {
328	bool present;
329	bool critical;
330	uint32_t numMappings; // size of *mappings;
331	SecCEPolicyMapping *mappings;
332	} SecCEPolicyMappings;
333
334	#if 0
335	typedef struct {
336	bool present;
337	bool critical;
338	uint32_t skipCerts;
339	} SecCEInhibitAnyPolicy;
340
341	/*
342	* netscape-cert-type, a bit string.
343	*
344	* CSSM OID = CSSMOID_NetscapeCertType
345	*
346	* Bit fields defined in oidsattr.h: SecCENCT_SSL_Client, etc.
347	*/
348	typedef uint16_t SecCENetscapeCertType;
349
350	/*
351	* CRLDistributionPoints.
352	*
353	* id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
354	*
355	* cRLDistributionPoints ::= {
356	* CRLDistPointsSyntax }
357	*
358	* CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
359	*
360	* NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
361	* is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
362	* because the underlying type also uses an implicit tag for distinguish
363	* between CHOICEs.
364	*
365	* DistributionPoint ::= SEQUENCE {
366	* distributionPoint [0] DistributionPointName OPTIONAL,
367	* reasons [1] ReasonFlags OPTIONAL,
368	* cRLIssuer [2] GeneralNames OPTIONAL }
369	*
370	* DistributionPointName ::= CHOICE {
371	* fullName [0] GeneralNames,
372	* nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
373	*
374	* ReasonFlags ::= BIT STRING {
375	* unused (0),
376	* keyCompromise (1),
377	* cACompromise (2),
378	* affiliationChanged (3),
379	* superseded (4),
380	* cessationOfOperation (5),
381	* certificateHold (6) }
382	*
383	* CSSM OID = CSSMOID_CrlDistributionPoints
384	*/
385
386	/*
387	* Note that this looks similar to SecCECrlReason, but that's an enum and this
388	* is an OR-able bit string.
389	*/
390	typedef uint8_t SecCECrlDistReasonFlags;
391
392	#define SecCECD_Unspecified 0x80
393	#define SecCECD_KeyCompromise 0x40
394	#define SecCECD_CACompromise 0x20
395	#define SecCECD_AffiliationChanged 0x10
396	#define SecCECD_Superseded 0x08
397	#define SecCECD_CessationOfOperation 0x04
398	#define SecCECD_CertificateHold 0x02
399
400	typedef enum {
401	SecCECDNT_FullName,
402	SecCECDNT_NameRelativeToCrlIssuer
403	} SecCECrlDistributionPointNameType;
404
405	typedef struct {
406	SecCECrlDistributionPointNameType nameType;
407	union {
408	SecCEGeneralNames *fullName;
409	CSSM_X509_RDN_PTR rdn;
410	} dpn;
411	} SecCEDistributionPointName;
412
413	/*
414	* The top-level CRLDistributionPoint.
415	* All fields are optional; NULL pointers indicate absence.
416	*/
417	typedef struct {
418	SecCEDistributionPointName *distPointName;
419	bool reasonsPresent;
420	SecCECrlDistReasonFlags reasons;
421	SecCEGeneralNames *crlIssuer;
422	} SecCECRLDistributionPoint;
423
424	typedef struct {
425	uint32_t numDistPoints;
426	SecCECRLDistributionPoint *distPoints;
427	} SecCECRLDistPointsSyntax;
428
429	/*
430	* Authority Information Access and Subject Information Access.
431	*
432	* CSSM OID = CSSMOID_AuthorityInfoAccess
433	* CSSM OID = CSSMOID_SubjectInfoAccess
434	*
435	* SubjAuthInfoAccessSyntax ::=
436	* SEQUENCE SIZE (1..MAX) OF AccessDescription
437	*
438	* AccessDescription ::= SEQUENCE {
439	* accessMethod OBJECT IDENTIFIER,
440	* accessLocation GeneralName }
441	*/
442	typedef struct {
443	DERItem accessMethod;
444	SecCEGeneralName accessLocation;
445	} SecCEAccessDescription;
446
447	typedef struct {
448	uint32_t numAccessDescriptions;
449	SecCEAccessDescription *accessDescriptions;
450	} SecCEAuthorityInfoAccess;
451
452	/* CRL extensions */
453
454	/*
455	* cRLNumber, an integer.
456	*
457	* CSSM OID = CSSMOID_CrlNumber
458	*/
459	typedef uint32_t SecCECrlNumber;
460
461	/*
462	* deltaCRLIndicator, an integer.
463	*
464	* CSSM OID = CSSMOID_DeltaCrlIndicator
465	*/
466	typedef uint32_t SecCEDeltaCrl;
467
468	/*
469	* IssuingDistributionPoint
470	*
471	* id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
472	*
473	* issuingDistributionPoint ::= SEQUENCE {
474	* distributionPoint [0] DistributionPointName OPTIONAL,
475	* onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
476	* onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
477	* onlySomeReasons [3] ReasonFlags OPTIONAL,
478	* indirectCRL [4] BOOLEAN DEFAULT FALSE }
479	*
480	* CSSM OID = CSSMOID_IssuingDistributionPoint
481	*/
482	typedef struct {
483	SecCEDistributionPointName *distPointName; // optional
484	bool onlyUserCertsPresent;
485	bool onlyUserCerts;
486	bool onlyCACertsPresent;
487	bool onlyCACerts;
488	bool onlySomeReasonsPresent;
489	SecCECrlDistReasonFlags onlySomeReasons;
490	bool indirectCrlPresent;
491	bool indirectCrl;
492	} SecCEIssuingDistributionPoint;
493
494	/*
495	* An enumerated list identifying one of the above per-extension
496	* structs.
497	*/
498	typedef enum {
499	DT_AuthorityKeyID, // SecCEAuthorityKeyID
500	DT_SubjectKeyID, // SecCESubjectKeyID
501	DT_KeyUsage, // SecCEKeyUsage
502	DT_SubjectAltName, // implies SecCEGeneralName
503	DT_IssuerAltName, // implies SecCEGeneralName
504	DT_ExtendedKeyUsage, // SecCEExtendedKeyUsage
505	DT_BasicConstraints, // SecCEBasicConstraints
506	DT_CertPolicies, // SecCECertPolicies
507	DT_NetscapeCertType, // SecCENetscapeCertType
508	DT_CrlNumber, // SecCECrlNumber
509	DT_DeltaCrl, // SecCEDeltaCrl
510	DT_CrlReason, // SecCECrlReason
511	DT_CrlDistributionPoints, // SecCECRLDistPointsSyntax
512	DT_IssuingDistributionPoint,// SecCEIssuingDistributionPoint
513	DT_AuthorityInfoAccess, // SecCEAuthorityInfoAccess
514	DT_Other // unknown, raw data as a CSSM_DATA
515	} SecCEDataType;
516
517	/*
518	* One unified representation of all the cert adn CRL extensions we know about.
519	*/
520	typedef union {
521	SecCEAuthorityKeyID authorityKeyID;
522	SecCESubjectKeyID subjectKeyID;
523	SecCEKeyUsage keyUsage;
524	SecCEGeneralNames subjectAltName;
525	SecCEGeneralNames issuerAltName;
526	SecCEExtendedKeyUsage extendedKeyUsage;
527	SecCEBasicConstraints basicConstraints;
528	SecCECertPolicies certPolicies;
529	SecCENetscapeCertType netscapeCertType;
530	SecCECrlNumber crlNumber;
531	SecCEDeltaCrl deltaCrl;
532	SecCECrlReason crlReason;
533	SecCECRLDistPointsSyntax crlDistPoints;
534	SecCEIssuingDistributionPoint issuingDistPoint;
535	SecCEAuthorityInfoAccess authorityInfoAccess;
536	DERItem rawData; // unknown, not decoded
537	} SecCEData;
538
539	typedef struct {
540	SecCEDataType type;
541	SecCEData extension;
542	bool critical;
543	} SecCEDataAndType;
544	#endif /* 0 */
545
546	#endif /* _CERT_EXTENSIONS_H_ */