[apple/security.git] / sec / Security / SecPolicyPriv.h

/*
 * Copyright (c) 2007-2013 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*!
    @header SecPolicyPriv
    The functions provided in SecPolicyPriv provide an interface to various
	X.509 certificate trust policies.
*/

#ifndef _SECURITY_SECPOLICYPRIV_H_
#define _SECURITY_SECPOLICYPRIV_H_

#include <Security/SecPolicy.h>
#include <Security/SecCertificate.h>
#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFString.h>

__BEGIN_DECLS

/*!
	@enum Policy Constants (Private)
	@discussion Predefined constants used to specify a policy.
	@constant kSecPolicyApplePassbookSigning
	@constant kSecPolicyAppleMobileStore
	@constant kSecPolicyAppleTestMobileStore
	@constant kSecPolicyAppleEscrowService
	@constant kSecPolicyAppleProfileSigner
	@constant kSecPolicyAppleQAProfileSigner
	@constant kSecPolicyAppleOTAPKISigner
	@constant kSecPolicyAppleTestOTAPKISigner

*/
extern CFTypeRef kSecPolicyApplePassbookSigning
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleMobileStore
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleTestMobileStore 
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleEscrowService
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleProfileSigner
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleQAProfileSigner
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
#if TARGET_OS_IPHONE
extern CFTypeRef kSecPolicyAppleOTAPKISigner
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleTestOTAPKISigner
    __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
extern CFTypeRef kSecPolicyAppleIDValidationRecordSigningPolicy
	__OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
#endif


/*!
    @enum Policy Value Constants
    @abstract Predefined property key constants used to get or set values in
        a dictionary for a policy instance.
    @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
        team identifier which must be matched in the certificate to satisfy
        this policy. For the Passbook signing policy, this string must match
        the Organizational Unit field of the certificate subject.
*/
extern CFTypeRef kSecPolicyTeamIdentifier
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);

/*!
    @function SecPolicyCreateiPhoneActivation
    @abstract Returns a policy object for verifying iPhone Activation
    certificate chains.
    @discussion This policy is like the Basic X.509 policy with the additional
    requirements that the chain must contain exactly three certificates, the
    anchor is the Apple Inc. CA, and the subject of the first intermediate
    certificate has "Apple iPhone Certification Authority" as its only
    Common Name entry.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateiPhoneActivation(void);

/*!
    @function SecPolicyCreateiPhoneDeviceCertificate
    @abstract Returns a policy object for verifying iPhone Device certificate
    chains.
    @discussion This policy is like the Basic X.509 policy with the additional
    requirements that the chain must contain exactly four certificates, the
    anchor is the Apple Inc. CA, and the subject of the first intermediate
    certificate has "Apple iPhone Device CA" as its only Common Name entry.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);

/*!
    @function SecPolicyCreateFactoryDeviceCertificate
    @abstract Returns a policy object for verifying Factory Device certificate
    chains.
    @discussion This policy is like the Basic X.509 policy with the additional
    requirements that the chain must be anchored to the factory device certificate
    issuer.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);

/*!
    @function SecPolicyCreateiAP
    @abstract Returns a policy object for verifying iAP certificate chains.
    @discussion This policy is like the Basic X.509 policy with these
	additional requirements:
	 * The leaf's NotValidBefore should be greater than 5/31/06 midnight GMT.
	 * The Common Name of the leaf begins with the characters "IPA_".
	 * No validity checking is performed for any of the certificates.
	The intended use of this policy is that the caller pass in the
	intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateiAP(void);

/*!
    @function SecPolicyCreateiTunesStoreURLBag
    @abstract Returns a policy object for verifying iTunes Store URL bag
    certificates.
    @discussion This policy is like the Basic X.509 policy with these
	additional requirements:
	 * The leaf's Organization is Apple Inc.
	 * The Common Name of the leaf is "iTunes Store URL Bag".
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);

/*!
    @function SecPolicyCreateEAP
    @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
	@param server Passing true for this parameter create a policy for EAP
	server certificates.
	@param trustedServerNames Optional; if present, the hostname in the leaf
    certificate must be in the trustedServerNames list.  Note that contrary
    to all other policies the trustedServerNames list entries can have wildcards
    whilst the certificate cannot.  This matches the existing deployments.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef trustedServerNames);

/*!
    @function SecPolicyCreateIPSec
    @abstract Returns a policy object for evaluating IPSec certificate chains.
	@param server Passing true for this parameter create a policy for IPSec
	server certificates.
	@param hostname Optional; if present, the policy will require the specified
	hostname or ip address to match the hostname in the leaf certificate.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef hostname);

/*!
    @function SecPolicyCreateiPhoneApplicationSigning
    @abstract Returns a policy object for evaluating signed application
    signatures.  This is for apps signed directly by the app store.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);

/*!
    @function SecPolicyCreateiPhoneProfileApplicationSigning
    @abstract Returns a policy object for evaluating signed application
    signatures.  This is meant for certificates inside a UPP or regular
    profile.  Currently it only checks for experation of the leaf and
    revocation status.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);

/*!
    @function SecPolicyCreateiPhoneProvisioningProfileSigning
    @abstract Returns a policy object for evaluating provisioning profile signatures.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);

/*!
    @function SecPolicyCreateOCSPSigner
    @abstract Returns a policy object for evaluating ocsp response signers.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateOCSPSigner(void);


enum {
    kSecSignSMIMEUsage = (1 << 0),
    kSecKeyEncryptSMIMEUsage = (1 << 1),
    kSecDataEncryptSMIMEUsage = (1 << 2),
    kSecKeyExchangeDecryptSMIMEUsage = (1 << 3),
    kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
    kSecKeyExchangeBothSMIMEUsage = (1 << 5),
    kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage |
        kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage
};

/*!
    @function SecPolicyCreateSMIME
    @abstract Returns a policy object for evaluating S/MIME certificate chains.
	@param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
    flags, to indicated the intended usage of this certificate.  A certificate which allows
	@param email Optional; if present, the policy will require the specified
	email to match the email in the leaf certificate.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef email);

/*!
    @function SecPolicyCreateCodeSigning
    @abstract Returns a policy object for evaluating code signing certificate chains.
    @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
*/
SecPolicyRef SecPolicyCreateCodeSigning(void);

/*!
    @function SecPolicyCreateLockdownPairing
    @abstract basic x509 policy for checking lockdown pairing certificate chains.
        It explicitly allows for empty subjects
*/
SecPolicyRef SecPolicyCreateLockdownPairing(void);

/*!
 @function SecPolicyCreateURLBag
 @abstract check for private CA, eku codesigning and certificate policy that
 pertains to signing of URL bags.
 */
SecPolicyRef SecPolicyCreateURLBag(void);

/*!
 @function SecPolicyCreateOTATasking
 @abstract check for 3 long chain through Apple Certification Policy with common name
           "OTA Task Signing".
 */
SecPolicyRef SecPolicyCreateOTATasking(void);

/*!
 @function SecPolicyCreateMobileAsset
 @abstract check for 3 long chain through Apple Certification Policy with common name
           "Asset Manifest Signing".
 */
SecPolicyRef SecPolicyCreateMobileAsset(void);

/*!
 @function SecPolicyCreateAppleIDAuthorityPolicy
 @abstract check for an Apple ID identity per marker in the leaf and marker in the intermediate, rooted in the Apple CA.
 */
SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);

/*!
 @function SecPolicyCreatePassbookCardSigner
 @abstract check rooted in the Apple CA, eku shoebox, marker shoebox and name matching
 @param cardIssuer Required; must match name in marker extension.
 @param teamIdentifier Optional; if present, the policy will require the specified
 team ID to match the organizationalUnit field in the leaf certificate's subject.
 @result A policy object. The caller is responsible for calling CFRelease
	on this when it is no longer needed.
 */
SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
	CFStringRef teamIdentifier);

/*!
 @function SecPolicyCreateShoeboxCardSigner
 @abstract Deprecated; use SecPolicyCreatePassbookCardSigner instead
 */
SecPolicyRef SecPolicyCreateShoeboxCardSigner(CFStringRef cardIssuer);

/*!
 @function SecPolicyCreateMobileStoreSigner
 @abstract Check for key usage of digital signature,
	check for 3 long chain through Apple System Integration 2 Certification Authority
	with a certificate policy OID of 1.2.840.113635.100.5.12 that roots to the
	Apple root
 */
SecPolicyRef SecPolicyCreateMobileStoreSigner(void);

/*!
 @function SecPolicyCreateTestMobileStoreSigner
 @abstract Check for key usage of digital signature,
	check for 3 long chain through Apple System Integration 2 Certification Authority
	with a certificate policy OID of 1.2.840.113635.100.5.12.1 that roots to the
	Apple root
 */
SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);

/*!
 @function SecPolicyCreateEscrowServiceSigner
 @abstract Check for key usage of digital signature, has a leaf marker OID of
	 1.2.840.113635.100.6.23.1 and roots to the Test Escrow Root
 */
SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);

/*!
 @function SecPolicyCopyEscrowRootCertificate
 @abstract Return back the Root certificate for the Escrow service
*/
SecCertificateRef SecPolicyCopyEscrowRootCertificate(void);

/*!
 @function SecPolicyCreateConfigurationProfileSigner
 @abstract Check for key usage of digital signature, has a EKU OID of
     1.2.840.113635.100.4.16 and 
    roots to Apple Application Integration 2 Certification Authority
*/
SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);

/*!
 @function SecPolicyCreateQAConfigurationProfileSigner
 @abstract Check for key usage of digital signature, has a EKU OID of
    1.2.840.113635.100.4.17 and 
    roots to Apple Application Integration 2 Certification Authority
*/
SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);

#if TARGET_OS_IPHONE
/*!
 @function SecPolicyCreateOTAPKISigner
 @abstract Check for key usage of digital signature, and
    roots to Apple PKI Settings Root Certification Authority
*/
SecPolicyRef SecPolicyCreateOTAPKISigner(void);

/*!
 @function SecPolicyCreateTestOTAPKISigner
 @abstract Check for key usage of digital signature, and
    roots to Apple PKI Settings Root - TESTING
*/
SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);

/*!
 @function SecPolicyCreateAppleIDValidationRecordSigningPolicy
 @abstract Check for leaf certificate contains the
	appleIDValidationRecordSigning (1 2 840 113635 100 6 25), and
	intermediate certificate contains 
	appleCertificateExtensionApplicationIntegrationIntermediate
	(1 2 840 113635 100 6 2 3) and
	appleCertificateExtensionSystemIntegration2Intermediate
	(1 2 840 113635 100 6 2 10) and roots to the Apple root
*/
SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);

#endif

__END_DECLS

#endif /* !_SECURITY_SECPOLICYPRIV_H_ */
Commit	Line	Data
b1ab9ed8	1	/*
427c49bc A	2	* Copyright (c) 2007-2013 Apple Inc. All Rights Reserved.
427c49bc A	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
427c49bc	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
427c49bc	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
427c49bc	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*!
	25	@header SecPolicyPriv
	26	The functions provided in SecPolicyPriv provide an interface to various
	27	X.509 certificate trust policies.
	28	*/
	29
	30	#ifndef _SECURITY_SECPOLICYPRIV_H_
	31	#define _SECURITY_SECPOLICYPRIV_H_
	32
	33	#include <Security/SecPolicy.h>
427c49bc	34	#include <Security/SecCertificate.h>
b1ab9ed8 A	35	#include <CoreFoundation/CFArray.h>
	36	#include <CoreFoundation/CFString.h>
	37
427c49bc A	38	__BEGIN_DECLS
	39
	40	/*!
	41	@enum Policy Constants (Private)
	42	@discussion Predefined constants used to specify a policy.
	43	@constant kSecPolicyApplePassbookSigning
	44	@constant kSecPolicyAppleMobileStore
	45	@constant kSecPolicyAppleTestMobileStore
	46	@constant kSecPolicyAppleEscrowService
	47	@constant kSecPolicyAppleProfileSigner
	48	@constant kSecPolicyAppleQAProfileSigner
	49	@constant kSecPolicyAppleOTAPKISigner
	50	@constant kSecPolicyAppleTestOTAPKISigner
	51
	52	*/
	53	extern CFTypeRef kSecPolicyApplePassbookSigning
	54	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	55	extern CFTypeRef kSecPolicyAppleMobileStore
	56	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	57	extern CFTypeRef kSecPolicyAppleTestMobileStore
	58	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	59	extern CFTypeRef kSecPolicyAppleEscrowService
	60	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	61	extern CFTypeRef kSecPolicyAppleProfileSigner
	62	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	63	extern CFTypeRef kSecPolicyAppleQAProfileSigner
	64	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	65	#if TARGET_OS_IPHONE
	66	extern CFTypeRef kSecPolicyAppleOTAPKISigner
	67	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	68	extern CFTypeRef kSecPolicyAppleTestOTAPKISigner
	69	__OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
	70	extern CFTypeRef kSecPolicyAppleIDValidationRecordSigningPolicy
	71	__OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
b1ab9ed8 A	72	#endif
b1ab9ed8 A	73
427c49bc A	74
	75	/*!
	76	@enum Policy Value Constants
	77	@abstract Predefined property key constants used to get or set values in
	78	a dictionary for a policy instance.
	79	@constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
	80	team identifier which must be matched in the certificate to satisfy
	81	this policy. For the Passbook signing policy, this string must match
	82	the Organizational Unit field of the certificate subject.
	83	*/
	84	extern CFTypeRef kSecPolicyTeamIdentifier
	85	__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
	86
b1ab9ed8 A	87	/*!
	88	@function SecPolicyCreateiPhoneActivation
	89	@abstract Returns a policy object for verifying iPhone Activation
	90	certificate chains.
	91	@discussion This policy is like the Basic X.509 policy with the additional
	92	requirements that the chain must contain exactly three certificates, the
	93	anchor is the Apple Inc. CA, and the subject of the first intermediate
	94	certificate has "Apple iPhone Certification Authority" as its only
	95	Common Name entry.
	96	@result A policy object. The caller is responsible for calling CFRelease
	97	on this when it is no longer needed.
	98	*/
	99	SecPolicyRef SecPolicyCreateiPhoneActivation(void);
	100
	101	/*!
	102	@function SecPolicyCreateiPhoneDeviceCertificate
427c49bc	103	@abstract Returns a policy object for verifying iPhone Device certificate
b1ab9ed8 A	104	chains.
	105	@discussion This policy is like the Basic X.509 policy with the additional
	106	requirements that the chain must contain exactly four certificates, the
	107	anchor is the Apple Inc. CA, and the subject of the first intermediate
	108	certificate has "Apple iPhone Device CA" as its only Common Name entry.
	109	@result A policy object. The caller is responsible for calling CFRelease
	110	on this when it is no longer needed.
	111	*/
	112	SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
	113
	114	/*!
	115	@function SecPolicyCreateFactoryDeviceCertificate
427c49bc	116	@abstract Returns a policy object for verifying Factory Device certificate
b1ab9ed8 A	117	chains.
	118	@discussion This policy is like the Basic X.509 policy with the additional
	119	requirements that the chain must be anchored to the factory device certificate
	120	issuer.
	121	@result A policy object. The caller is responsible for calling CFRelease
	122	on this when it is no longer needed.
	123	*/
	124	SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
	125
	126	/*!
	127	@function SecPolicyCreateiAP
	128	@abstract Returns a policy object for verifying iAP certificate chains.
	129	@discussion This policy is like the Basic X.509 policy with these
	130	additional requirements:
	131	* The leaf's NotValidBefore should be greater than 5/31/06 midnight GMT.
	132	* The Common Name of the leaf begins with the characters "IPA_".
	133	* No validity checking is performed for any of the certificates.
	134	The intended use of this policy is that the caller pass in the
	135	intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
	136	@result A policy object. The caller is responsible for calling CFRelease
	137	on this when it is no longer needed.
	138	*/
	139	SecPolicyRef SecPolicyCreateiAP(void);
	140
	141	/*!
	142	@function SecPolicyCreateiTunesStoreURLBag
	143	@abstract Returns a policy object for verifying iTunes Store URL bag
	144	certificates.
	145	@discussion This policy is like the Basic X.509 policy with these
	146	additional requirements:
	147	* The leaf's Organization is Apple Inc.
	148	* The Common Name of the leaf is "iTunes Store URL Bag".
	149	@result A policy object. The caller is responsible for calling CFRelease
	150	on this when it is no longer needed.
	151	*/
	152	SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
	153
	154	/*!
	155	@function SecPolicyCreateEAP
	156	@abstract Returns a policy object for verifying for 802.1x/EAP certificates.
	157	@param server Passing true for this parameter create a policy for EAP
	158	server certificates.
	159	@param trustedServerNames Optional; if present, the hostname in the leaf
	160	certificate must be in the trustedServerNames list. Note that contrary
	161	to all other policies the trustedServerNames list entries can have wildcards
	162	whilst the certificate cannot. This matches the existing deployments.
	163	@result A policy object. The caller is responsible for calling CFRelease
	164	on this when it is no longer needed.
	165	*/
	166	SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef trustedServerNames);
	167
	168	/*!
	169	@function SecPolicyCreateIPSec
	170	@abstract Returns a policy object for evaluating IPSec certificate chains.
	171	@param server Passing true for this parameter create a policy for IPSec
	172	server certificates.
	173	@param hostname Optional; if present, the policy will require the specified
	174	hostname or ip address to match the hostname in the leaf certificate.
	175	@result A policy object. The caller is responsible for calling CFRelease
	176	on this when it is no longer needed.
	177	*/
	178	SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef hostname);
	179
	180	/*!
181	@function SecPolicyCreateiPhoneApplicationSigning
182	@abstract Returns a policy object for evaluating signed application
183	signatures. This is for apps signed directly by the app store.
184	@result A policy object. The caller is responsible for calling CFRelease
185	on this when it is no longer needed.
186	*/
187	SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
188
189	/*!
190	@function SecPolicyCreateiPhoneProfileApplicationSigning
191	@abstract Returns a policy object for evaluating signed application
192	signatures. This is meant for certificates inside a UPP or regular
193	profile. Currently it only checks for experation of the leaf and
194	revocation status.
195	@result A policy object. The caller is responsible for calling CFRelease
196	on this when it is no longer needed.
197	*/
198	SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
199
200	/*!
201	@function SecPolicyCreateiPhoneProvisioningProfileSigning
202	@abstract Returns a policy object for evaluating provisioning profile signatures.
203	@result A policy object. The caller is responsible for calling CFRelease
204	on this when it is no longer needed.
205	*/
206	SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
207
208	/*!
209	@function SecPolicyCreateOCSPSigner
210	@abstract Returns a policy object for evaluating ocsp response signers.
211	@result A policy object. The caller is responsible for calling CFRelease
212	on this when it is no longer needed.
213	*/
214	SecPolicyRef SecPolicyCreateOCSPSigner(void);
215
b1ab9ed8 A	216
	217	enum {
	218	kSecSignSMIMEUsage = (1 << 0),
	219	kSecKeyEncryptSMIMEUsage = (1 << 1),
	220	kSecDataEncryptSMIMEUsage = (1 << 2),
	221	kSecKeyExchangeDecryptSMIMEUsage = (1 << 3),
	222	kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
	223	kSecKeyExchangeBothSMIMEUsage = (1 << 5),
	224	kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage \| kSecDataEncryptSMIMEUsage \|
	225	kSecKeyExchangeDecryptSMIMEUsage \| kSecKeyExchangeEncryptSMIMEUsage
	226	};
	227
	228	/*!
	229	@function SecPolicyCreateSMIME
	230	@abstract Returns a policy object for evaluating S/MIME certificate chains.
	231	@param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
427c49bc	232	flags, to indicated the intended usage of this certificate. A certificate which allows
b1ab9ed8 A	233	@param email Optional; if present, the policy will require the specified
	234	email to match the email in the leaf certificate.
	235	@result A policy object. The caller is responsible for calling CFRelease
	236	on this when it is no longer needed.
	237	*/
	238	SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef email);
	239
	240	/*!
	241	@function SecPolicyCreateCodeSigning
	242	@abstract Returns a policy object for evaluating code signing certificate chains.
	243	@result A policy object. The caller is responsible for calling CFRelease
	244	on this when it is no longer needed.
	245	*/
	246	SecPolicyRef SecPolicyCreateCodeSigning(void);
	247
	248	/*!
	249	@function SecPolicyCreateLockdownPairing
	250	@abstract basic x509 policy for checking lockdown pairing certificate chains.
	251	It explicitly allows for empty subjects
	252	*/
	253	SecPolicyRef SecPolicyCreateLockdownPairing(void);
	254
	255	/*!
	256	@function SecPolicyCreateURLBag
	257	@abstract check for private CA, eku codesigning and certificate policy that
	258	pertains to signing of URL bags.
	259	*/
	260	SecPolicyRef SecPolicyCreateURLBag(void);
	261
	262	/*!
	263	@function SecPolicyCreateOTATasking
	264	@abstract check for 3 long chain through Apple Certification Policy with common name
	265	"OTA Task Signing".
	266	*/
	267	SecPolicyRef SecPolicyCreateOTATasking(void);
	268
	269	/*!
	270	@function SecPolicyCreateMobileAsset
	271	@abstract check for 3 long chain through Apple Certification Policy with common name
	272	"Asset Manifest Signing".
	273	*/
	274	SecPolicyRef SecPolicyCreateMobileAsset(void);
	275
	276	/*!
427c49bc A	277	@function SecPolicyCreateAppleIDAuthorityPolicy
427c49bc A	278	@abstract check for an Apple ID identity per marker in the leaf and marker in the intermediate, rooted in the Apple CA.
b1ab9ed8 A	279	*/
	280	SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
	281
427c49bc A	282	/*!
	283	@function SecPolicyCreatePassbookCardSigner
	284	@abstract check rooted in the Apple CA, eku shoebox, marker shoebox and name matching
	285	@param cardIssuer Required; must match name in marker extension.
	286	@param teamIdentifier Optional; if present, the policy will require the specified
	287	team ID to match the organizationalUnit field in the leaf certificate's subject.
	288	@result A policy object. The caller is responsible for calling CFRelease
	289	on this when it is no longer needed.
	290	*/
	291	SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
	292	CFStringRef teamIdentifier);
	293
	294	/*!
	295	@function SecPolicyCreateShoeboxCardSigner
	296	@abstract Deprecated; use SecPolicyCreatePassbookCardSigner instead
	297	*/
	298	SecPolicyRef SecPolicyCreateShoeboxCardSigner(CFStringRef cardIssuer);
	299
	300	/*!
	301	@function SecPolicyCreateMobileStoreSigner
	302	@abstract Check for key usage of digital signature,
	303	check for 3 long chain through Apple System Integration 2 Certification Authority
	304	with a certificate policy OID of 1.2.840.113635.100.5.12 that roots to the
	305	Apple root
	306	*/
	307	SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
	308
	309	/*!
	310	@function SecPolicyCreateTestMobileStoreSigner
	311	@abstract Check for key usage of digital signature,
	312	check for 3 long chain through Apple System Integration 2 Certification Authority
	313	with a certificate policy OID of 1.2.840.113635.100.5.12.1 that roots to the
	314	Apple root
	315	*/
	316	SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);
	317
	318	/*!
	319	@function SecPolicyCreateEscrowServiceSigner
	320	@abstract Check for key usage of digital signature, has a leaf marker OID of
	321	1.2.840.113635.100.6.23.1 and roots to the Test Escrow Root
	322	*/
	323	SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);
	324
	325	/*!
	326	@function SecPolicyCopyEscrowRootCertificate
	327	@abstract Return back the Root certificate for the Escrow service
	328	*/
	329	SecCertificateRef SecPolicyCopyEscrowRootCertificate(void);
	330
	331	/*!
	332	@function SecPolicyCreateConfigurationProfileSigner
	333	@abstract Check for key usage of digital signature, has a EKU OID of
	334	1.2.840.113635.100.4.16 and
	335	roots to Apple Application Integration 2 Certification Authority
	336	*/
	337	SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
	338
	339	/*!
	340	@function SecPolicyCreateQAConfigurationProfileSigner
	341	@abstract Check for key usage of digital signature, has a EKU OID of
	342	1.2.840.113635.100.4.17 and
	343	roots to Apple Application Integration 2 Certification Authority
	344	*/
	345	SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
346
347	#if TARGET_OS_IPHONE
348	/*!
349	@function SecPolicyCreateOTAPKISigner
350	@abstract Check for key usage of digital signature, and
351	roots to Apple PKI Settings Root Certification Authority
352	*/
353	SecPolicyRef SecPolicyCreateOTAPKISigner(void);
354
355	/*!
356	@function SecPolicyCreateTestOTAPKISigner
357	@abstract Check for key usage of digital signature, and
358	roots to Apple PKI Settings Root - TESTING
359	*/
360	SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
361
362	/*!
363	@function SecPolicyCreateAppleIDValidationRecordSigningPolicy
364	@abstract Check for leaf certificate contains the
365	appleIDValidationRecordSigning (1 2 840 113635 100 6 25), and
366	intermediate certificate contains
367	appleCertificateExtensionApplicationIntegrationIntermediate
368	(1 2 840 113635 100 6 2 3) and
369	appleCertificateExtensionSystemIntegration2Intermediate
370	(1 2 840 113635 100 6 2 10) and roots to the Apple root
371	*/
372	SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
373
b1ab9ed8 A	374	#endif
b1ab9ed8 A	375
427c49bc A	376	__END_DECLS
427c49bc A	377
b1ab9ed8	378	#endif /* !_SECURITY_SECPOLICYPRIV_H_ */