[apple/security.git] / sec / Security / SecTrustSettingsPriv.h

/*
 * Copyright (c) 2007-2008,2010 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * SecTrustSettingsPriv.h - TrustSettings SPI functions.
 */
 
#ifndef	_SECURITY_SECTRUSTSETTINGSPRIV_H_
#define _SECURITY_SECTRUSTSETTINGSPRIV_H_

#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecPolicy.h>
#include <Security/SecCertificate.h>
#include <Security/SecTrustSettings.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary
 * currently contains two name/value pairs:
 *
 * key = kTrustRecordVersion,   value = SInt32 version number
 * key = kTrustRecordTrustList, value = CFDictionary
 *
 * Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList
 * consists of:
 * -- key   = the ASCII representation (with alpha characters in upper case) of the
 *            cert's SHA1 digest.
 * -- value = a CFDictionary representing one cert. 
 * 
 * Key/value pairs in the per-cert dictionary are as follows:
 *
 * -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData
 * -- key = kTrustRecordSerialNumber, value = serial number as CFData
 * -- key = kTrustRecordModDate, value = CFDateRef of the last modification 
			date of the per-cert entry.
 * -- key = kTrustRecordTrustSettings, value = array of dictionaries. The
 *          dictionaries are as described in the API in SecUserTrust.h
 *			although we store the values differently (see below). 
 *			As written to disk, this key/value is always present although
 *			the usageConstraints array may be empty. 
 *
 * A usageConstraints dictionary is like so (all elements are optional). These key 
 * strings are defined in SecUserTrust.h.
 *
 * key = kSecTrustSettingsPolicy		value = policy OID as CFData
 * key = kSecTrustSettingsApplication	value = application path as CFString
 * key = kSecTrustSettingsPolicyString	value = CFString, policy-specific
 * key = kSecTrustSettingsAllowedError	value = CFNumber, an SInt32 CSSM_RETURN 
 * key = kSecTrustSettingsResult		value = CFNumber, an SInt32 SecTrustSettingsResult
 * key = kSecTrustSettingsKeyUsage		value = CFNumber, an SInt32 key usage
 * key = kSecTrustSettingsModifyDate	value = CFDate, last modification 
 */
 
/*
 * Keys in the top-level dictionary
 */
#define kTrustRecordVersion				CFSTR("trustVersion")
#define kTrustRecordTrustList			CFSTR("trustList")

/* 
 * Keys in the per-cert dictionary in the TrustedRootList record. 
 */
/* value = non-normalized issuer as CFData */
#define kTrustRecordIssuer				CFSTR("issuerName")

/* value = serial number as CFData */
#define kTrustRecordSerialNumber		CFSTR("serialNumber")

/* value = CFDateRef representation of modification date */
#define kTrustRecordModDate				CFSTR("modDate")

/* 
 * value = array of CFDictionaries as used in public API
 * Not present for a cert which has no usage Constraints (i.e.
 * "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as
 * the default SecTrustSettingsResult).
 */
#define kTrustRecordTrustSettings		CFSTR("trustSettings")

/*
 * Version of the top-level dictionary.
 */
enum {
	kSecTrustRecordVersionInvalid	= 0,	/* should never be seen on disk */
	kSecTrustRecordVersionCurrent	= 1
};

/*
 * Key for the (optional) default entry in a TrustSettings record. This
 * appears in place of the cert's hash string, and corresponds to 
 * kSecTrustSettingsDefaultRootCertSetting at the public API.
 * If you change this, make sure it has characters other than those 
 * appearing in a normal cert hash string (0..9 and A..F).
 */
#define kSecTrustRecordDefaultRootCert		CFSTR("kSecTrustRecordDefaultRootCert")

/* 
 * The location of the system root keychain and its associated TrustSettings. 
 * These are immutable; this module never modifies either of them.
 */
#define SYSTEM_ROOT_STORE_PATH			"/System/Library/Keychains/SystemRootCertificates.keychain"
#define SYSTEM_TRUST_SETTINGS_PATH		"/System/Library/Keychains/SystemTrustSettings.plist"

/*
 * The local admin cert store.
 */
#define ADMIN_CERT_STORE_PATH			"/Library/Keychains/System.keychain"

/*
 * Per-user and local admin TrustSettings are stored in this directory. 
 * Per-user settings are of the form <uuid>.plist.
 */
#define TRUST_SETTINGS_PATH				"/Library/Trust Settings"
#define ADMIN_TRUST_SETTINGS			"Admin.plist"

/*
 * Additional values for the SecTrustSettingsDomain enum.
 */
enum {
	/*
	 * This indicates a TrustSettings that exists only in memory; it
	 * can't be written to disk. 
	 */
	kSecTrustSettingsDomainMemory = 100
};

typedef struct __SecTrustSettings *SecTrustSettingsRef;

CFTypeID SecTrustSettingsGetTypeID(void);
OSStatus SecTrustSettingsCreateFromExternal(SecTrustSettingsDomain domain,
    CFDataRef external, SecTrustSettingsRef *ts);
SecTrustSettingsRef SecTrustSettingsCreate(SecTrustSettingsDomain domain,
    bool create, bool trim);
CFDataRef SecTrustSettingsCopyExternal(SecTrustSettingsRef ts);
void SecTrustSettingsSet(SecCertificateRef certRef,
    CFTypeRef trustSettingsDictOrArray);

/*
 * Fundamental routine used to ascertain status of one cert.
 *
 * Returns true in *foundMatchingEntry if a trust setting matching
 * specific constraints was found for the cert. Returns true in 
 * *foundAnyEntry if any entry was found for the cert, even if it
 * did not match the specified constraints. The TP uses this to 
 * optimize for the case where a cert is being evaluated for
 * one type of usage, and then later for another type. If
 * foundAnyEntry is false, the second evaluation need not occur. 
 *
 * Returns the domain in which a setting was found in *foundDomain. 
 *
 * Allowed errors applying to the specified cert evaluation 
 * are returned in a mallocd array in *allowedErrors and must
 * be freed by caller. 
 */
OSStatus SecTrustSettingsEvaluateCertificate(
	SecCertificateRef certificate,
	SecPolicyRef policy,
	SecTrustSettingsKeyUsage	keyUsage,			/* optional */
	bool						isSelfSignedCert,	/* for checking default setting */
	/* RETURNED values */
	SecTrustSettingsDomain		*foundDomain,
	CFArrayRef					*allowedErrors,	/* RETURNED */
	SecTrustSettingsResult		*resultType,		/* RETURNED */
	bool						*foundMatchingEntry,/* RETURNED */
	bool						*foundAnyEntry);	/* RETURNED */

/*
 * Add a cert's TrustSettings to a non-persistent TrustSettings record.
 * Primarily intended for use in creating a system TrustSettings record
 * (which is itself immutable via this module). 
 * 
 * The settingsIn argument is an external representation of a TrustSettings
 * record, obtianed from this function or from 
 * SecTrustSettingsCreateExternalRepresentation().
 * If settingsIn is NULL, a new (empty) TrustSettings will be created. 
 * 
 * The certRef and trustSettingsDictOrArray arguments are as in 
 * SecTrustSettingsSetTrustSettings(). May be NULL, when e.g. creating 
 * a new and empty TrustSettings record. 
 *
 * The external representation is written to the settingOut argument,
 * which must eventually be CFReleased by the caller. 
 */
OSStatus SecTrustSettingsSetTrustSettingsExternal(
	CFDataRef			settingsIn,					/* optional */
	SecCertificateRef	certRef,					/* optional */
	CFTypeRef			trustSettingsDictOrArray,	/* optional */
	CFDataRef			*settingsOut);				/* RETURNED */

#ifdef __cplusplus
}
#endif

#endif	/* _SECURITY_SECTRUSTSETTINGSPRIV_H_ */
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2007-2008,2010 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* SecTrustSettingsPriv.h - TrustSettings SPI functions.
	26	*/
	27
	28	#ifndef _SECURITY_SECTRUSTSETTINGSPRIV_H_
	29	#define _SECURITY_SECTRUSTSETTINGSPRIV_H_
	30
	31	#include <CoreFoundation/CoreFoundation.h>
	32	#include <Security/SecPolicy.h>
	33	#include <Security/SecCertificate.h>
	34	#include <Security/SecTrustSettings.h>
	35
	36	#ifdef __cplusplus
	37	extern "C" {
	38	#endif
	39
	40	/*
	41	* A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary
	42	* currently contains two name/value pairs:
	43	*
	44	* key = kTrustRecordVersion, value = SInt32 version number
	45	* key = kTrustRecordTrustList, value = CFDictionary
	46	*
	47	* Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList
	48	* consists of:
	49	* -- key = the ASCII representation (with alpha characters in upper case) of the
	50	* cert's SHA1 digest.
	51	* -- value = a CFDictionary representing one cert.
	52	*
	53	* Key/value pairs in the per-cert dictionary are as follows:
	54	*
	55	* -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData
	56	* -- key = kTrustRecordSerialNumber, value = serial number as CFData
	57	* -- key = kTrustRecordModDate, value = CFDateRef of the last modification
	58	date of the per-cert entry.
	59	* -- key = kTrustRecordTrustSettings, value = array of dictionaries. The
	60	* dictionaries are as described in the API in SecUserTrust.h
	61	* although we store the values differently (see below).
	62	* As written to disk, this key/value is always present although
	63	* the usageConstraints array may be empty.
	64	*
65	* A usageConstraints dictionary is like so (all elements are optional). These key
66	* strings are defined in SecUserTrust.h.
67	*
68	* key = kSecTrustSettingsPolicy value = policy OID as CFData
69	* key = kSecTrustSettingsApplication value = application path as CFString
70	* key = kSecTrustSettingsPolicyString value = CFString, policy-specific
71	* key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN
72	* key = kSecTrustSettingsResult value = CFNumber, an SInt32 SecTrustSettingsResult
73	* key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage
74	* key = kSecTrustSettingsModifyDate value = CFDate, last modification
75	*/
76
77	/*
78	* Keys in the top-level dictionary
79	*/
80	#define kTrustRecordVersion CFSTR("trustVersion")
81	#define kTrustRecordTrustList CFSTR("trustList")
82
83	/*
84	* Keys in the per-cert dictionary in the TrustedRootList record.
85	*/
86	/* value = non-normalized issuer as CFData */
87	#define kTrustRecordIssuer CFSTR("issuerName")
88
89	/* value = serial number as CFData */
90	#define kTrustRecordSerialNumber CFSTR("serialNumber")
91
92	/* value = CFDateRef representation of modification date */
93	#define kTrustRecordModDate CFSTR("modDate")
94
95	/*
96	* value = array of CFDictionaries as used in public API
97	* Not present for a cert which has no usage Constraints (i.e.
98	* "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as
99	* the default SecTrustSettingsResult).
100	*/
101	#define kTrustRecordTrustSettings CFSTR("trustSettings")
102
103	/*
104	* Version of the top-level dictionary.
105	*/
106	enum {
107	kSecTrustRecordVersionInvalid = 0, /* should never be seen on disk */
108	kSecTrustRecordVersionCurrent = 1
109	};
110
111	/*
112	* Key for the (optional) default entry in a TrustSettings record. This
113	* appears in place of the cert's hash string, and corresponds to
114	* kSecTrustSettingsDefaultRootCertSetting at the public API.
115	* If you change this, make sure it has characters other than those
116	* appearing in a normal cert hash string (0..9 and A..F).
117	*/
118	#define kSecTrustRecordDefaultRootCert CFSTR("kSecTrustRecordDefaultRootCert")
119
120	/*
121	* The location of the system root keychain and its associated TrustSettings.
122	* These are immutable; this module never modifies either of them.
123	*/
124	#define SYSTEM_ROOT_STORE_PATH "/System/Library/Keychains/SystemRootCertificates.keychain"
125	#define SYSTEM_TRUST_SETTINGS_PATH "/System/Library/Keychains/SystemTrustSettings.plist"
126
127	/*
128	* The local admin cert store.
129	*/
130	#define ADMIN_CERT_STORE_PATH "/Library/Keychains/System.keychain"
131
132	/*
133	* Per-user and local admin TrustSettings are stored in this directory.
134	* Per-user settings are of the form <uuid>.plist.
135	*/
136	#define TRUST_SETTINGS_PATH "/Library/Trust Settings"
137	#define ADMIN_TRUST_SETTINGS "Admin.plist"
138
139	/*
140	* Additional values for the SecTrustSettingsDomain enum.
141	*/
142	enum {
143	/*
144	* This indicates a TrustSettings that exists only in memory; it
145	* can't be written to disk.
146	*/
147	kSecTrustSettingsDomainMemory = 100
148	};
149
150	typedef struct __SecTrustSettings *SecTrustSettingsRef;
151
152	CFTypeID SecTrustSettingsGetTypeID(void);
153	OSStatus SecTrustSettingsCreateFromExternal(SecTrustSettingsDomain domain,
154	CFDataRef external, SecTrustSettingsRef *ts);
155	SecTrustSettingsRef SecTrustSettingsCreate(SecTrustSettingsDomain domain,
156	bool create, bool trim);
157	CFDataRef SecTrustSettingsCopyExternal(SecTrustSettingsRef ts);
158	void SecTrustSettingsSet(SecCertificateRef certRef,
159	CFTypeRef trustSettingsDictOrArray);
160
161	/*
162	* Fundamental routine used to ascertain status of one cert.
163	*
164	* Returns true in *foundMatchingEntry if a trust setting matching
165	* specific constraints was found for the cert. Returns true in
166	* *foundAnyEntry if any entry was found for the cert, even if it
167	* did not match the specified constraints. The TP uses this to
168	* optimize for the case where a cert is being evaluated for
169	* one type of usage, and then later for another type. If
170	* foundAnyEntry is false, the second evaluation need not occur.
171	*
172	* Returns the domain in which a setting was found in *foundDomain.
173	*
174	* Allowed errors applying to the specified cert evaluation
175	* are returned in a mallocd array in *allowedErrors and must
176	* be freed by caller.
177	*/
178	OSStatus SecTrustSettingsEvaluateCertificate(
179	SecCertificateRef certificate,
180	SecPolicyRef policy,
181	SecTrustSettingsKeyUsage keyUsage, /* optional */
182	bool isSelfSignedCert, /* for checking default setting */
183	/* RETURNED values */
184	SecTrustSettingsDomain *foundDomain,
185	CFArrayRef allowedErrors, / RETURNED */
186	SecTrustSettingsResult resultType, / RETURNED */
187	bool foundMatchingEntry,/ RETURNED */
188	bool foundAnyEntry); / RETURNED */
189
190	/*
191	* Add a cert's TrustSettings to a non-persistent TrustSettings record.
192	* Primarily intended for use in creating a system TrustSettings record
193	* (which is itself immutable via this module).
194	*
195	* The settingsIn argument is an external representation of a TrustSettings
196	* record, obtianed from this function or from
197	* SecTrustSettingsCreateExternalRepresentation().
198	* If settingsIn is NULL, a new (empty) TrustSettings will be created.
199	*
200	* The certRef and trustSettingsDictOrArray arguments are as in
201	* SecTrustSettingsSetTrustSettings(). May be NULL, when e.g. creating
202	* a new and empty TrustSettings record.
203	*
204	* The external representation is written to the settingOut argument,
205	* which must eventually be CFReleased by the caller.
206	*/
207	OSStatus SecTrustSettingsSetTrustSettingsExternal(
208	CFDataRef settingsIn, /* optional */
209	SecCertificateRef certRef, /* optional */
210	CFTypeRef trustSettingsDictOrArray, /* optional */
211	CFDataRef settingsOut); / RETURNED */
212
213	#ifdef __cplusplus
214	}
215	#endif
216
217	#endif /* _SECURITY_SECTRUSTSETTINGSPRIV_H_ */
218