]> git.saurik.com Git - apple/security.git/blame - OSX/libsecurity_cssm/lib/certextensions.h
projects / apple / security.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security-57740.31.2.tar.gz
[apple/security.git] / OSX / libsecurity_cssm / lib / certextensions.h
CommitLineData
b1ab9ed8 1/*
d8f41ccd 2 * Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved.
b1ab9ed8
A		 3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * CertExtensions.h -- X.509 Cert Extensions as C structs
24 */
25
26#ifndef _CERT_EXTENSIONS_H_
27#define _CERT_EXTENSIONS_H_
28
29#include <Security/cssmtype.h>
30
fa7225c8
A		 31#pragma clang diagnostic push
32#pragma clang diagnostic ignored "-Wdeprecated-declarations"
33
b1ab9ed8
A		 34/***
35 *** Structs for declaring extension-specific data.
36 ***/
37
38/*
39 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
40 * IssuerAltName.
41 *
42 * For now, we just provide explicit support for the types which are
43 * represented as IA5Strings, OIDs, and octet strings. Constructed types
44 * such as EDIPartyName and x400Address are not explicitly handled
45 * right now and must be encoded and decoded by the caller. (See exception
46 * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
47 * represents the BER contents octets; CE_GeneralName.name.Length is the
48 * length of the contents; the tag of the field is not needed - the BER
49 * encoding uses context-specific implicit tagging. The berEncoded field
50 * is set to CSSM_TRUE in these case. Simple types have berEncoded = CSSM_FALSE.
51 *
52 * In the case of a GeneralName in the form of a Name, we parse the Name
53 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
54 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
55 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
56 *
57 * In the case of a GeneralName in the form of a OtherName, we parse the fields
58 * into a CE_OtherName and place a pointer to the CE_OtherName in the
59 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
60 * sizeof(CE_OtherName). In this case berEncoded is false.
61 *
62 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
63 *
64 * GeneralName ::= CHOICE {
65 * otherName [0] OtherName
66 * rfc822Name [1] IA5String,
67 * dNSName [2] IA5String,
68 * x400Address [3] ORAddress,
69 * directoryName [4] Name,
70 * ediPartyName [5] EDIPartyName,
71 * uniformResourceIdentifier [6] IA5String,
72 * iPAddress [7] OCTET STRING,
73 * registeredID [8] OBJECT IDENTIFIER}
74 *
75 * OtherName ::= SEQUENCE {
76 * type-id OBJECT IDENTIFIER,
77 * value [0] EXPLICIT ANY DEFINED BY type-id }
78 *
79 * EDIPartyName ::= SEQUENCE {
80 * nameAssigner [0] DirectoryString OPTIONAL,
81 * partyName [1] DirectoryString }
82 */
83typedef enum __CE_GeneralNameType {
84 GNT_OtherName = 0,
85 GNT_RFC822Name,
86 GNT_DNSName,
87 GNT_X400Address,
88 GNT_DirectoryName,
89 GNT_EdiPartyName,
90 GNT_URI,
91 GNT_IPAddress,
92 GNT_RegisteredID
93} CE_GeneralNameType;
94
95typedef struct __CE_OtherName {
96 CSSM_OID typeId;
97 CSSM_DATA value; // unparsed, BER-encoded
98} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
99
100typedef struct __CE_GeneralName {
101 CE_GeneralNameType nameType; // GNT_RFC822Name, etc.
102 CSSM_BOOL berEncoded;
103 CSSM_DATA name;
104} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
105
106typedef struct __CE_GeneralNames {
107 uint32 numNames;
108 CE_GeneralName *generalName;
109} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
110
111/*
112 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
113 *
114 * AuthorityKeyIdentifier ::= SEQUENCE {
115 * keyIdentifier [0] KeyIdentifier OPTIONAL,
116 * authorityCertIssuer [1] GeneralNames OPTIONAL,
117 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
118 *
119 * KeyIdentifier ::= OCTET STRING
120 *
121 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
122 */
123typedef struct __CE_AuthorityKeyID {
124 CSSM_BOOL keyIdentifierPresent;
125 CSSM_DATA keyIdentifier;
126 CSSM_BOOL generalNamesPresent;
127 CE_GeneralNames *generalNames;
128 CSSM_BOOL serialNumberPresent;
129 CSSM_DATA serialNumber;
130} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
131
132/*
133 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
134 * SubjectKeyIdentifier ::= KeyIdentifier
135 *
136 * CSSM OID = CSSMOID_SubjectKeyIdentifier
137 */
138typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
139
140/*
141 * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
142 *
143 * KeyUsage ::= BIT STRING {
144 * digitalSignature (0),
145 * nonRepudiation (1),
146 * keyEncipherment (2),
147 * dataEncipherment (3),
148 * keyAgreement (4),
149 * keyCertSign (5),
150 * cRLSign (6),
151 * encipherOnly (7),
152 * decipherOnly (8) }
153 *
154 * CSSM OID = CSSMOID_KeyUsage
155 *
156 */
157typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
158
159#define CE_KU_DigitalSignature 0x8000
160#define CE_KU_NonRepudiation 0x4000
161#define CE_KU_KeyEncipherment 0x2000
162#define CE_KU_DataEncipherment 0x1000
163#define CE_KU_KeyAgreement 0x0800
164#define CE_KU_KeyCertSign 0x0400
165#define CE_KU_CRLSign 0x0200
166#define CE_KU_EncipherOnly 0x0100
167#define CE_KU_DecipherOnly 0x0080
168
169/*
170 * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
171 *
172 * -- reasonCode ::= { CRLReason }
173 *
174 * CRLReason ::= ENUMERATED {
175 * unspecified (0),
176 * keyCompromise (1),
177 * cACompromise (2),
178 * affiliationChanged (3),
179 * superseded (4),
180 * cessationOfOperation (5),
181 * certificateHold (6),
182 * removeFromCRL (8) }
183 *
184 * CSSM OID = CSSMOID_CrlReason
185 *
186 */
187typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
188
189#define CE_CR_Unspecified 0
190#define CE_CR_KeyCompromise 1
191#define CE_CR_CACompromise 2
192#define CE_CR_AffiliationChanged 3
193#define CE_CR_Superseded 4
194#define CE_CR_CessationOfOperation 5
195#define CE_CR_CertificateHold 6
196#define CE_CR_RemoveFromCRL 8
197
198/*
199 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
200 *
201 * SubjectAltName ::= GeneralNames
202 *
203 * CSSM OID = CSSMOID_SubjectAltName
204 *
205 * GeneralNames defined above.
206 */
207
208/*
209 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
210 *
211 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId*
212 *
213 * KeyPurposeId ::= OBJECT IDENTIFIER
214 *
215 * CSSM OID = CSSMOID_ExtendedKeyUsage
216 */
217typedef struct __CE_ExtendedKeyUsage {
218 uint32 numPurposes;
219 CSSM_OID_PTR purposes; // in Intel pre-encoded format
220} CE_ExtendedKeyUsage;
221
222/*
223 * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
224 *
225 * BasicConstraints ::= SEQUENCE {
226 * cA BOOLEAN DEFAULT FALSE,
227 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
228 *
229 * CSSM OID = CSSMOID_BasicConstraints
230 */
231typedef struct __CE_BasicConstraints {
232 CSSM_BOOL cA;
233 CSSM_BOOL pathLenConstraintPresent;
234 uint32 pathLenConstraint;
235} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
236
237/*
238 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
239 *
240 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
241 *
242 * PolicyInformation ::= SEQUENCE {
243 * policyIdentifier CertPolicyId,
244 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
245 * PolicyQualifierInfo OPTIONAL }
246 *
247 * CertPolicyId ::= OBJECT IDENTIFIER
248 *
249 * PolicyQualifierInfo ::= SEQUENCE {
250 * policyQualifierId PolicyQualifierId,
251 * qualifier ANY DEFINED BY policyQualifierId }
252 *
253 * -- policyQualifierIds for Internet policy qualifiers
254 *
255 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
256 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
257 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
258 *
259 * PolicyQualifierId ::=
260 * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
261 *
262 * Qualifier ::= CHOICE {
263 * cPSuri CPSuri,
264 * userNotice UserNotice }
265 *
266 * CPSuri ::= IA5String
267 *
268 * UserNotice ::= SEQUENCE {
269 * noticeRef NoticeReference OPTIONAL,
270 * explicitText DisplayText OPTIONAL}
271 *
272 * NoticeReference ::= SEQUENCE {
273 * organization DisplayText,
274 * noticeNumbers SEQUENCE OF INTEGER }
275 *
276 * DisplayText ::= CHOICE {
277 * visibleString VisibleString (SIZE (1..200)),
278 * bmpString BMPString (SIZE (1..200)),
279 * utf8String UTF8String (SIZE (1..200)) }
280 *
281 * CSSM OID = CSSMOID_CertificatePolicies
282 *
283 * We only support down to the level of Qualifier, and then only the CPSuri
284 * choice. UserNotice is transmitted to and from this library as a raw
285 * CSSM_DATA containing the BER-encoded UserNotice sequence.
286 */
287
288typedef struct __CE_PolicyQualifierInfo {
289 CSSM_OID policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
290 CSSM_DATA qualifier; // CSSMOID_QT_CPS: IA5String contents
291 // CSSMOID_QT_UNOTICE : Sequence contents
292} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
293
294typedef struct __CE_PolicyInformation {
295 CSSM_OID certPolicyId;
296 uint32 numPolicyQualifiers; // size of *policyQualifiers;
297 CE_PolicyQualifierInfo *policyQualifiers;
298} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
299
300typedef struct __CE_CertPolicies {
301 uint32 numPolicies; // size of *policies;
302 CE_PolicyInformation *policies;
303} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
304
305/*
306 * netscape-cert-type, a bit string.
307 *
308 * CSSM OID = CSSMOID_NetscapeCertType
309 *
310 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
311 */
312typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
313
314/*
315 * CRLDistributionPoints.
316 *
317 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
318 *
319 * cRLDistributionPoints ::= {
320 * CRLDistPointsSyntax }
321 *
322 * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
323 *
324 * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
325 * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
326 * because the underlying type also uses an implicit tag for distinguish
327 * between CHOICEs.
328 *
329 * DistributionPoint ::= SEQUENCE {
330 * distributionPoint [0] DistributionPointName OPTIONAL,
331 * reasons [1] ReasonFlags OPTIONAL,
332 * cRLIssuer [2] GeneralNames OPTIONAL }
333 *
334 * DistributionPointName ::= CHOICE {
335 * fullName [0] GeneralNames,
336 * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
337 *
338 * ReasonFlags ::= BIT STRING {
339 * unused (0),
340 * keyCompromise (1),
341 * cACompromise (2),
342 * affiliationChanged (3),
343 * superseded (4),
344 * cessationOfOperation (5),
345 * certificateHold (6) }
346 *
347 * CSSM OID = CSSMOID_CrlDistributionPoints
348 */
349
350/*
351 * Note that this looks similar to CE_CrlReason, but that's an enum and this
352 * is an OR-able bit string.
353 */
354typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
355
356#define CE_CD_Unspecified 0x80
357#define CE_CD_KeyCompromise 0x40
358#define CE_CD_CACompromise 0x20
359#define CE_CD_AffiliationChanged 0x10
360#define CE_CD_Superseded 0x08
361#define CE_CD_CessationOfOperation 0x04
362#define CE_CD_CertificateHold 0x02
363
364typedef enum __CE_CrlDistributionPointNameType {
365 CE_CDNT_FullName,
366 CE_CDNT_NameRelativeToCrlIssuer
367} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
368
369typedef struct __CE_DistributionPointName {
370 CE_CrlDistributionPointNameType nameType;
371 union {
372 CE_GeneralNames *fullName;
373 CSSM_X509_RDN_PTR rdn;
374 } dpn;
375} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
376
377/*
378 * The top-level CRLDistributionPoint.
379 * All fields are optional; NULL pointers indicate absence.
380 */
381typedef struct __CE_CRLDistributionPoint {
382 CE_DistributionPointName *distPointName;
383 CSSM_BOOL reasonsPresent;
384 CE_CrlDistReasonFlags reasons;
385 CE_GeneralNames *crlIssuer;
386} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
387
388typedef struct __CE_CRLDistPointsSyntax {
389 uint32 numDistPoints;
390 CE_CRLDistributionPoint *distPoints;
391} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
392
393/*
394 * Authority Information Access and Subject Information Access.
395 *
396 * CSSM OID = CSSMOID_AuthorityInfoAccess
397 * CSSM OID = CSSMOID_SubjectInfoAccess
398 *
399 * SubjAuthInfoAccessSyntax ::=
400 * SEQUENCE SIZE (1..MAX) OF AccessDescription
401 *
402 * AccessDescription ::= SEQUENCE {
403 * accessMethod OBJECT IDENTIFIER,
404 * accessLocation GeneralName }
405 */
406typedef struct __CE_AccessDescription {
407 CSSM_OID accessMethod;
408 CE_GeneralName accessLocation;
409} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
410
411typedef struct __CE_AuthorityInfoAccess {
412 uint32 numAccessDescriptions;
413 CE_AccessDescription *accessDescriptions;
414} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
415
416/*
417 * Qualified Certificate Statement support, per RFC 3739.
418 *
419 * First, NameRegistrationAuthorities, a component of
420 * SemanticsInformation; it's the same as a GeneralNames -
421 * a sequence of GeneralName.
422 */
423typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
424
425/*
426 * SemanticsInformation, identified as the qcType field
427 * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
428 * Both fields optional; at least one must be present.
429 */
430typedef struct __CE_SemanticsInformation {
431 CSSM_OID *semanticsIdentifier;
432 CE_NameRegistrationAuthorities *nameRegistrationAuthorities;
433} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
434
435/*
436 * One Qualified Certificate Statement.
437 * The statementId OID is required; zero or one of {semanticsInfo,
438 * otherInfo} can be valid, depending on the value of statementId.
439 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
440 * the semanticsInfo field may be present; otherwise, DER-encoded
441 * information may be present in otherInfo. Both semanticsInfo and
442 * otherInfo are optional.
443 */
444typedef struct __CE_QC_Statement {
445 CSSM_OID statementId;
446 CE_SemanticsInformation *semanticsInfo;
447 CSSM_DATA *otherInfo;
448} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
449
450/*
451 * The top-level Qualified Certificate Statements extension.
452 */
453typedef struct __CE_QC_Statements {
454 uint32 numQCStatements;
455 CE_QC_Statement *qcStatements;
456} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
457
458/*** CRL extensions ***/
459
460/*
461 * cRLNumber, an integer.
462 *
463 * CSSM OID = CSSMOID_CrlNumber
464 */
465typedef uint32 CE_CrlNumber;
466
467/*
468 * deltaCRLIndicator, an integer.
469 *
470 * CSSM OID = CSSMOID_DeltaCrlIndicator
471 */
472typedef uint32 CE_DeltaCrl;
473
474/*
475 * IssuingDistributionPoint
476 *
477 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
478 *
479 * issuingDistributionPoint ::= SEQUENCE {
480 * distributionPoint [0] DistributionPointName OPTIONAL,
481 * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
482 * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
483 * onlySomeReasons [3] ReasonFlags OPTIONAL,
484 * indirectCRL [4] BOOLEAN DEFAULT FALSE }
485 *
486 * CSSM OID = CSSMOID_IssuingDistributionPoint
487 */
488typedef struct __CE_IssuingDistributionPoint {
489 CE_DistributionPointName *distPointName; // optional
490 CSSM_BOOL onlyUserCertsPresent;
491 CSSM_BOOL onlyUserCerts;
492 CSSM_BOOL onlyCACertsPresent;
493 CSSM_BOOL onlyCACerts;
494 CSSM_BOOL onlySomeReasonsPresent;
495 CE_CrlDistReasonFlags onlySomeReasons;
496 CSSM_BOOL indirectCrlPresent;
497 CSSM_BOOL indirectCrl;
498} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
499
500/*
501 * NameConstraints
502 *
503 * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
504 *
505 * NameConstraints ::= SEQUENCE {
506 * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
507 * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
508 *
509 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
510 *
511 * GeneralSubtree ::= SEQUENCE {
512 * base GeneralName,
513 * minimum [0] BaseDistance DEFAULT 0,
514 * maximum [1] BaseDistance OPTIONAL }
515 *
516 * BaseDistance ::= INTEGER (0..MAX)
517 */
518typedef struct __CE_GeneralSubtree {
519 CE_GeneralNames *base;
520 uint32 minimum; // default=0
521 CSSM_BOOL maximumPresent;
522 uint32 maximum; // optional
523} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
524
525typedef struct __CE_GeneralSubtrees {
526 uint32 numSubtrees;
527 CE_GeneralSubtree *subtrees;
528} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
529
530typedef struct __CE_NameConstraints {
531 CE_GeneralSubtrees *permitted; // optional
532 CE_GeneralSubtrees *excluded; // optional
533} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
534
535/*
536 * PolicyMappings
537 *
538 * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
539 *
540 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
541 * issuerDomainPolicy CertPolicyId,
542 * subjectDomainPolicy CertPolicyId }
543 *
544 * Note that both issuer and subject policy OIDs are required,
545 * and are stored by value in this structure.
546 */
547typedef struct __CE_PolicyMapping {
548 CSSM_OID issuerDomainPolicy;
549 CSSM_OID subjectDomainPolicy;
550} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
551
552typedef struct __CE_PolicyMappings {
553 uint32 numPolicyMappings;
554 CE_PolicyMapping *policyMappings;
555} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
556
557/*
558 * PolicyConstraints
559 *
560 * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
561 *
562 * PolicyConstraints ::= SEQUENCE {
563 * requireExplicitPolicy [0] SkipCerts OPTIONAL,
564 * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
565 *
566 * SkipCerts ::= INTEGER (0..MAX)
567 */
568typedef struct __CE_PolicyConstraints {
569 CSSM_BOOL requireExplicitPolicyPresent;
570 uint32 requireExplicitPolicy; // optional
571 CSSM_BOOL inhibitPolicyMappingPresent;
572 uint32 inhibitPolicyMapping; // optional
573} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
574
575/*
576 * InhibitAnyPolicy, an integer.
577 *
578 * CSSM OID = CSSMOID_InhibitAnyPolicy
579 */
580typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
581
582/*
583 * An enumerated list identifying one of the above per-extension
584 * structs.
585 */
586typedef enum __CE_DataType {
587 DT_AuthorityKeyID, // CE_AuthorityKeyID
588 DT_SubjectKeyID, // CE_SubjectKeyID
589 DT_KeyUsage, // CE_KeyUsage
590 DT_SubjectAltName, // implies CE_GeneralName
591 DT_IssuerAltName, // implies CE_GeneralName
592 DT_ExtendedKeyUsage, // CE_ExtendedKeyUsage
593 DT_BasicConstraints, // CE_BasicConstraints
594 DT_CertPolicies, // CE_CertPolicies
595 DT_NetscapeCertType, // CE_NetscapeCertType
596 DT_CrlNumber, // CE_CrlNumber
597 DT_DeltaCrl, // CE_DeltaCrl
598 DT_CrlReason, // CE_CrlReason
599 DT_CrlDistributionPoints, // CE_CRLDistPointsSyntax
600 DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
601 DT_AuthorityInfoAccess, // CE_AuthorityInfoAccess
602 DT_Other, // unknown, raw data as a CSSM_DATA
603 DT_QC_Statements, // CE_QC_Statements
604 DT_NameConstraints, // CE_NameConstraints
605 DT_PolicyMappings, // CE_PolicyMappings
606 DT_PolicyConstraints, // CE_PolicyConstraints
607 DT_InhibitAnyPolicy // CE_InhibitAnyPolicy
608} CE_DataType;
609
610/*
611 * One unified representation of all the cert and CRL extensions we know about.
612 */
613typedef union {
614 CE_AuthorityKeyID authorityKeyID;
615 CE_SubjectKeyID subjectKeyID;
616 CE_KeyUsage keyUsage;
617 CE_GeneralNames subjectAltName;
618 CE_GeneralNames issuerAltName;
619 CE_ExtendedKeyUsage extendedKeyUsage;
620 CE_BasicConstraints basicConstraints;
621 CE_CertPolicies certPolicies;
622 CE_NetscapeCertType netscapeCertType;
623 CE_CrlNumber crlNumber;
624 CE_DeltaCrl deltaCrl;
625 CE_CrlReason crlReason;
626 CE_CRLDistPointsSyntax crlDistPoints;
627 CE_IssuingDistributionPoint issuingDistPoint;
628 CE_AuthorityInfoAccess authorityInfoAccess;
629 CE_QC_Statements qualifiedCertStatements;
630 CE_NameConstraints nameConstraints;
631 CE_PolicyMappings policyMappings;
632 CE_PolicyConstraints policyConstraints;
633 CE_InhibitAnyPolicy inhibitAnyPolicy;
634 CSSM_DATA rawData; // unknown, not decoded
635} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
636
637typedef struct __CE_DataAndType {
638 CE_DataType type;
639 CE_Data extension;
640 CSSM_BOOL critical;
641} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
642
fa7225c8
A		 643#pragma clang diagnostic pop
644
b1ab9ed8 645#endif /* _CERT_EXTENSIONS_H_ */
mirror of Security