[apple/security.git] / protocol / SecProtocolMetadata.h

/*
 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#ifndef SecProtocolMetadata_h
#define SecProtocolMetadata_h

#include <Security/SecProtocolObject.h>
#include <Security/SecProtocolTypes.h>
#include <Security/SecBase.h>
#include <Security/SecureTransport.h>

#include <dispatch/dispatch.h>
#include <os/object.h>

/*!
 * The following diagram shows how clients interact with sec_protocol_options
 * and sec_protocol_metadata when configuring and using network security protocols.
 *
 *                    +--------+
 *                    | Client |
 *                    +-+---/ \+
 *                      |    |
 *        +-------------+    +-------------+
 *        | (1) set             (2) get    |
 *        | options             metadata   |
 * +-----\ /---------------+  +------------+----------+
 * | sec_protocol_options  |  | sec_protocol_metadata |
 * +-----------------------+  +-----------------------+
 *
 * Clients configure security protocols with `sec_protocol_options` instances.
 * And they inspect protocol instances using `sec_protocol_metadata` instances.
 */

#ifndef SEC_OBJECT_IMPL
/*!
 * A `sec_protocol_metadata` instance conatins read-only properties of a connected and configured
 * security protocol. Clients use this object to read information about a protocol instance. Properties
 * include, for example, the negotiated TLS version, ciphersuite, and peer certificates.
 */
SEC_OBJECT_DECL(sec_protocol_metadata);
#endif // !SEC_OBJECT_IMPL

__BEGIN_DECLS

SEC_ASSUME_NONNULL_BEGIN

/*!
 * @function sec_protocol_metadata_get_negotiated_protocol
 *
 * @abstract
 *      Get the application protocol negotiated, e.g., via the TLS ALPN extension.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @return A NULL-terminated string carrying the negotiated protocol.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
const char * _Nullable
sec_protocol_metadata_get_negotiated_protocol(sec_protocol_metadata_t metadata);

/*!
 * @function sec_protocol_metadata_copy_peer_public_key
 *
 * @abstract
 *      Get the protocol instance peer's public key.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @return A `dispatch_data_t` containing the peer's raw public key.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SEC_RETURNS_RETAINED _Nullable dispatch_data_t
sec_protocol_metadata_copy_peer_public_key(sec_protocol_metadata_t metadata);

/*!
 * @function sec_protocol_metadata_get_negotiated_protocol_version
 *
 * @abstract
 *      Get the negotiated TLS version.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @return A SSLProtocol enum of the TLS version.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SSLProtocol
sec_protocol_metadata_get_negotiated_protocol_version(sec_protocol_metadata_t metadata);

/*!
 * @function sec_protocol_metadata_get_negotiated_ciphersuite
 *
 * @abstract
 *      Get the negotiated TLS ciphersuite.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @return A SSLCipherSuite.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SSLCipherSuite
sec_protocol_metadata_get_negotiated_ciphersuite(sec_protocol_metadata_t metadata);

/*!
 * @function sec_protocol_metadata_get_early_data_accepted
 *
 * @abstract
 *      Determine if early data was accepted by the peer.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @return A bool indicating if early data was accepted.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
bool
sec_protocol_metadata_get_early_data_accepted(sec_protocol_metadata_t metadata);

#ifdef __BLOCKS__
/*!
 * @function sec_protocol_metadata_access_peer_certificate_chain
 *
 * @abstract
 *      Get the certificate chain of the protocol instance peer.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param handler
 *      A block to invoke one or more times with sec_certificate_t objects
 *
 * @return Returns true if the peer certificates were accessible, false otherwise.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
bool
sec_protocol_metadata_access_peer_certificate_chain(sec_protocol_metadata_t metadata,
                                                    void (^handler)(sec_certificate_t certificate));

/*!
 * @function sec_protocol_metadata_copy_ocsp_response
 *
 * @abstract
 *      Get the OCSP response from the protocol instance peer.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param handler
 *      A block to invoke one or more times with OCSP data
 *
 * @return Returns true if the OSCP response was accessible, false otherwise.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
bool
sec_protocol_metadata_access_ocsp_response(sec_protocol_metadata_t metadata,
                                           void (^handler)(dispatch_data_t ocsp_data));

/*!
 * @function sec_protocol_metadata_access_supported_signature_algorithms
 *
 * @abstract
 *      Get the signature algorithms supported by the peer. Clients may call this
 *      in response to a challenge block.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param handler
 *      A block to invoke one or more times with OCSP data
 *
 * @return Returns true if the supported signature list was accessible, false otherwise.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
bool
sec_protocol_metadata_access_supported_signature_algorithms(sec_protocol_metadata_t metadata,
                                                            void (^handler)(uint16_t signature_algorithm));

/*!
 * @function sec_protocol_metadata_access_distinguished_names
 *
 * @abstract
 *      Get the X.509 Distinguished Names from the protocol instance peer.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param handler
 *      A block to invoke one or more times with distinguished_name data
 *
 * @return Returns true if the distinguished names were accessible, false otherwise.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
bool
sec_protocol_metadata_access_distinguished_names(sec_protocol_metadata_t metadata,
                                                 void (^handler)(dispatch_data_t distinguished_name));
#endif // __BLOCKS__

/*!
 * @function sec_protocol_metadata_peers_are_equal
 *
 * @abstract
 *      Compare peer information for two `sec_protocol_metadata` instances.
 *      This comparison does not include protocol configuration options, e.g., ciphersuites.
 *
 * @param metadataA
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param metadataB
 *      A `sec_protocol_metadata_t` instance.
 *
 * @return Returns true if both metadata values refer to the same peer, and false otherwise.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
bool
sec_protocol_metadata_peers_are_equal(sec_protocol_metadata_t metadataA, sec_protocol_metadata_t metadataB);

/*!
 * @function sec_protocol_metadata_challenge_parameters_are_equal
 *
 * @abstract
 *      Compare challenge-relevant information for two `sec_protocol_metadata` instances.
 *
 *      This comparison includes all information relevant to a challenge request, including:
 *      distinguished names, signature algorithms, and supported certificate types.
 *      See Section 7.4.4 of RFC5246 for more details.
 *
 * @param metadataA
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param metadataB
 *      A `sec_protocol_metadata_t` instance.
 *
 * @return Returns true if both metadata values have the same challenge parameters.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
bool
sec_protocol_metadata_challenge_parameters_are_equal(sec_protocol_metadata_t metadataA, sec_protocol_metadata_t metadataB);

/*!
 * @function sec_protocol_metadata_create_secret
 *
 * @abstract
 *      Export a secret, e.g., a cryptographic key, derived from the protocol metadata using a label string.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param label_len
 *      Length of the KDF label string.
 *
 * @param label
 *      KDF label string.
 *
 * @param exporter_length
 *      Length of the secret to be exported.
 *
 * @return Returns a dispatch_data_t object carrying the exported secret.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SEC_RETURNS_RETAINED _Nullable dispatch_data_t
sec_protocol_metadata_create_secret(sec_protocol_metadata_t metadata, size_t label_len,
                                    const char *label, size_t exporter_length);

/*!
 * @function sec_protocol_metadata_create_secret_with_context
 *
 * @abstract
 *      Export a secret, e.g., a cryptographic key, derived from the protocol metadata using a label and context string.
 *
 * @param metadata
 *      A `sec_protocol_metadata_t` instance.
 *
 * @param label_len
 *      Length of the KDF label string.
 *
 * @param label
 *      KDF label string.
 *
 * @param context_len
 *      Length of the KDF context string.
 *
 * @param context
 *      Constant opaque context value
 *
 * @param exporter_length
 *      Length of the secret to be exported.
 *
 * @return Returns a dispatch_data_t object carrying the exported secret.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SEC_RETURNS_RETAINED _Nullable dispatch_data_t
sec_protocol_metadata_create_secret_with_context(sec_protocol_metadata_t metadata, size_t label_len,
                                                 const char *label, size_t context_len,
                                                 const uint8_t *context, size_t exporter_length);

SEC_ASSUME_NONNULL_END

__END_DECLS

#endif // SecProtocolMetadata_h
Commit	Line	Data
79b9da22 A	1	/*
	2	* Copyright (c) 2018 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#ifndef SecProtocolMetadata_h
	25	#define SecProtocolMetadata_h
	26
	27	#include <Security/SecProtocolObject.h>
	28	#include <Security/SecProtocolTypes.h>
	29	#include <Security/SecBase.h>
	30	#include <Security/SecureTransport.h>
	31
	32	#include <dispatch/dispatch.h>
	33	#include <os/object.h>
	34
	35	/*!
	36	* The following diagram shows how clients interact with sec_protocol_options
	37	* and sec_protocol_metadata when configuring and using network security protocols.
	38	*
	39	* +--------+
	40	* \| Client \|
	41	* +-+---/ \+
	42	* \| \|
	43	* +-------------+ +-------------+
	44	* \| (1) set (2) get \|
	45	* \| options metadata \|
	46	* +-----\ /---------------+ +------------+----------+
	47	* \| sec_protocol_options \| \| sec_protocol_metadata \|
	48	* +-----------------------+ +-----------------------+
	49	*
	50	* Clients configure security protocols with `sec_protocol_options` instances.
	51	* And they inspect protocol instances using `sec_protocol_metadata` instances.
	52	*/
	53
	54	#ifndef SEC_OBJECT_IMPL
	55	/*!
	56	* A `sec_protocol_metadata` instance conatins read-only properties of a connected and configured
	57	* security protocol. Clients use this object to read information about a protocol instance. Properties
	58	* include, for example, the negotiated TLS version, ciphersuite, and peer certificates.
	59	*/
	60	SEC_OBJECT_DECL(sec_protocol_metadata);
	61	#endif // !SEC_OBJECT_IMPL
	62
	63	__BEGIN_DECLS
	64
65	SEC_ASSUME_NONNULL_BEGIN
66
67	/*!
68	* @function sec_protocol_metadata_get_negotiated_protocol
69	*
70	* @abstract
71	* Get the application protocol negotiated, e.g., via the TLS ALPN extension.
72	*
73	* @param metadata
74	* A `sec_protocol_metadata_t` instance.
75	*
76	* @return A NULL-terminated string carrying the negotiated protocol.
77	*/
78	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
79	const char * _Nullable
80	sec_protocol_metadata_get_negotiated_protocol(sec_protocol_metadata_t metadata);
81
82	/*!
83	* @function sec_protocol_metadata_copy_peer_public_key
84	*
85	* @abstract
86	* Get the protocol instance peer's public key.
87	*
88	* @param metadata
89	* A `sec_protocol_metadata_t` instance.
90	*
91	* @return A `dispatch_data_t` containing the peer's raw public key.
92	*/
93	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
94	SEC_RETURNS_RETAINED _Nullable dispatch_data_t
95	sec_protocol_metadata_copy_peer_public_key(sec_protocol_metadata_t metadata);
96
97	/*!
98	* @function sec_protocol_metadata_get_negotiated_protocol_version
99	*
100	* @abstract
101	* Get the negotiated TLS version.
102	*
103	* @param metadata
104	* A `sec_protocol_metadata_t` instance.
105	*
106	* @return A SSLProtocol enum of the TLS version.
107	*/
108	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
109	SSLProtocol
110	sec_protocol_metadata_get_negotiated_protocol_version(sec_protocol_metadata_t metadata);
111
112	/*!
113	* @function sec_protocol_metadata_get_negotiated_ciphersuite
114	*
115	* @abstract
116	* Get the negotiated TLS ciphersuite.
117	*
118	* @param metadata
119	* A `sec_protocol_metadata_t` instance.
120	*
121	* @return A SSLCipherSuite.
122	*/
123	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
124	SSLCipherSuite
125	sec_protocol_metadata_get_negotiated_ciphersuite(sec_protocol_metadata_t metadata);
126
127	/*!
128	* @function sec_protocol_metadata_get_early_data_accepted
129	*
130	* @abstract
131	* Determine if early data was accepted by the peer.
132	*
133	* @param metadata
134	* A `sec_protocol_metadata_t` instance.
135	*
136	* @return A bool indicating if early data was accepted.
137	*/
138	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
139	bool
140	sec_protocol_metadata_get_early_data_accepted(sec_protocol_metadata_t metadata);
141
142	#ifdef __BLOCKS__
143	/*!
144	* @function sec_protocol_metadata_access_peer_certificate_chain
145	*
146	* @abstract
147	* Get the certificate chain of the protocol instance peer.
148	*
149	* @param metadata
150	* A `sec_protocol_metadata_t` instance.
151	*
152	* @param handler
153	* A block to invoke one or more times with sec_certificate_t objects
154	*
155	* @return Returns true if the peer certificates were accessible, false otherwise.
156	*/
157	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
158	bool
159	sec_protocol_metadata_access_peer_certificate_chain(sec_protocol_metadata_t metadata,
160	void (^handler)(sec_certificate_t certificate));
161
162	/*!
163	* @function sec_protocol_metadata_copy_ocsp_response
164	*
165	* @abstract
166	* Get the OCSP response from the protocol instance peer.
167	*
168	* @param metadata
169	* A `sec_protocol_metadata_t` instance.
170	*
171	* @param handler
172	* A block to invoke one or more times with OCSP data
173	*
174	* @return Returns true if the OSCP response was accessible, false otherwise.
175	*/
176	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
177	bool
178	sec_protocol_metadata_access_ocsp_response(sec_protocol_metadata_t metadata,
179	void (^handler)(dispatch_data_t ocsp_data));
180
181	/*!
182	* @function sec_protocol_metadata_access_supported_signature_algorithms
183	*
184	* @abstract
185	* Get the signature algorithms supported by the peer. Clients may call this
186	* in response to a challenge block.
187	*
188	* @param metadata
189	* A `sec_protocol_metadata_t` instance.
190	*
191	* @param handler
192	* A block to invoke one or more times with OCSP data
193	*
194	* @return Returns true if the supported signature list was accessible, false otherwise.
195	*/
196	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
197	bool
198	sec_protocol_metadata_access_supported_signature_algorithms(sec_protocol_metadata_t metadata,
199	void (^handler)(uint16_t signature_algorithm));
200
201	/*!
202	* @function sec_protocol_metadata_access_distinguished_names
203	*
204	* @abstract
205	* Get the X.509 Distinguished Names from the protocol instance peer.
206	*
207	* @param metadata
208	* A `sec_protocol_metadata_t` instance.
209	*
210	* @param handler
211	* A block to invoke one or more times with distinguished_name data
212	*
213	* @return Returns true if the distinguished names were accessible, false otherwise.
214	*/
215	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
216	bool
217	sec_protocol_metadata_access_distinguished_names(sec_protocol_metadata_t metadata,
218	void (^handler)(dispatch_data_t distinguished_name));
219	#endif // __BLOCKS__
220
221	/*!
222	* @function sec_protocol_metadata_peers_are_equal
223	*
224	* @abstract
225	* Compare peer information for two `sec_protocol_metadata` instances.
226	* This comparison does not include protocol configuration options, e.g., ciphersuites.
227	*
228	* @param metadataA
229	* A `sec_protocol_metadata_t` instance.
230	*
231	* @param metadataB
232	* A `sec_protocol_metadata_t` instance.
233	*
234	* @return Returns true if both metadata values refer to the same peer, and false otherwise.
235	*/
236	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
237	bool
238	sec_protocol_metadata_peers_are_equal(sec_protocol_metadata_t metadataA, sec_protocol_metadata_t metadataB);
239
240	/*!
241	* @function sec_protocol_metadata_challenge_parameters_are_equal
242	*
243	* @abstract
244	* Compare challenge-relevant information for two `sec_protocol_metadata` instances.
245	*
246	* This comparison includes all information relevant to a challenge request, including:
247	* distinguished names, signature algorithms, and supported certificate types.
248	* See Section 7.4.4 of RFC5246 for more details.
249	*
250	* @param metadataA
251	* A `sec_protocol_metadata_t` instance.
252	*
253	* @param metadataB
254	* A `sec_protocol_metadata_t` instance.
255	*
256	* @return Returns true if both metadata values have the same challenge parameters.
257	*/
258	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
259	bool
260	sec_protocol_metadata_challenge_parameters_are_equal(sec_protocol_metadata_t metadataA, sec_protocol_metadata_t metadataB);
261
262	/*!
263	* @function sec_protocol_metadata_create_secret
264	*
265	* @abstract
266	* Export a secret, e.g., a cryptographic key, derived from the protocol metadata using a label string.
267	*
268	* @param metadata
269	* A `sec_protocol_metadata_t` instance.
270	*
271	* @param label_len
272	* Length of the KDF label string.
273	*
274	* @param label
275	* KDF label string.
276	*
277	* @param exporter_length
278	* Length of the secret to be exported.
279	*
280	* @return Returns a dispatch_data_t object carrying the exported secret.
281	*/
282	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
283	SEC_RETURNS_RETAINED _Nullable dispatch_data_t
284	sec_protocol_metadata_create_secret(sec_protocol_metadata_t metadata, size_t label_len,
285	const char *label, size_t exporter_length);
286
287	/*!
288	* @function sec_protocol_metadata_create_secret_with_context
289	*
290	* @abstract
291	* Export a secret, e.g., a cryptographic key, derived from the protocol metadata using a label and context string.
292	*
293	* @param metadata
294	* A `sec_protocol_metadata_t` instance.
295	*
296	* @param label_len
297	* Length of the KDF label string.
298	*
299	* @param label
300	* KDF label string.
301	*
302	* @param context_len
303	* Length of the KDF context string.
304	*
305	* @param context
306	* Constant opaque context value
307	*
308	* @param exporter_length
309	* Length of the secret to be exported.
310	*
311	* @return Returns a dispatch_data_t object carrying the exported secret.
312	*/
313	API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
314	SEC_RETURNS_RETAINED _Nullable dispatch_data_t
315	sec_protocol_metadata_create_secret_with_context(sec_protocol_metadata_t metadata, size_t label_len,
316	const char *label, size_t context_len,
317	const uint8_t *context, size_t exporter_length);
318
319	SEC_ASSUME_NONNULL_END
320
321	__END_DECLS
322
323	#endif // SecProtocolMetadata_h