1 /*
2 * Copyright (c) 2000-2009,2011,2012,2014,2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * CertExtensions.h -- X.509 Cert Extensions as C structs
24 */
25
26 #ifndef _CERT_EXTENSIONS_H_
27 #define _CERT_EXTENSIONS_H_
28
29 #include <Security/SecBase.h>
30
31 #if SEC_OS_OSX
32
33 #include <Security/cssmtype.h>
34 #include <Security/x509defs.h> /* CSSM_X509_RDN_PTR */
35 #pragma clang diagnostic push
36 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
37
38 #else /* SEC_OS_IPHONE */
39
40 #include <stdbool.h>
41 #include <libDER/libDER.h>
42
43 #endif /* SEC_OS_IPHONE */
44
45 /***
46 *** Structs for declaring extension-specific data.
47 ***/
48
49 /*
50 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
51 * IssuerAltName.
52 *
53 * For now, we just provide explicit support for the types which are
54 * represented as IA5Strings, OIDs, and octet strings. Constructed types
55 * such as EDIPartyName and x400Address are not explicitly handled
56 * right now and must be encoded and decoded by the caller. (See exception
 * for Name and OtherName, below). In those cases the SecCEGeneralName.name.Data / CE_GeneralName.name.Data field
58 * represents the BER contents octets; SecCEGeneralName.name.Length / CE_GeneralName.name.Length is the
59 * length of the contents; the tag of the field is not needed - the BER
60 * encoding uses context-specific implicit tagging. The berEncoded field
 * is set to true / CSSM_TRUE in these cases. Simple types have berEncoded = false / CSSM_FALSE.
62 *
63 * In the case of a GeneralName in the form of a Name, we parse the Name
64 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
65 * CE_GeneralName.name.Data field. SecCEGeneralName.name.Length / CE_GeneralName.name.Length is set to
66 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
67 *
68 * In the case of a GeneralName in the form of a OtherName, we parse the fields
69 * into a CE_OtherName and place a pointer to the SecCEOtherName / CE_OtherName in the
70 * SecCEGeneralName.name.Data / CE_GeneralName.name.Data field. SecCEGeneralName.name.Length / CE_GeneralName.name.Length is set to
71 * sizeof(SecCEOtherName) / sizeof(CE_OtherName). In this case berEncoded is false.
72 *
73 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
74 *
75 * GeneralName ::= CHOICE {
76 * otherName [0] OtherName
77 * rfc822Name [1] IA5String,
78 * dNSName [2] IA5String,
79 * x400Address [3] ORAddress,
80 * directoryName [4] Name,
81 * ediPartyName [5] EDIPartyName,
82 * uniformResourceIdentifier [6] IA5String,
83 * iPAddress [7] OCTET STRING,
84 * registeredID [8] OBJECT IDENTIFIER}
85 *
86 * OtherName ::= SEQUENCE {
87 * type-id OBJECT IDENTIFIER,
88 * value [0] EXPLICIT ANY DEFINED BY type-id }
89 *
90 * EDIPartyName ::= SEQUENCE {
91 * nameAssigner [0] DirectoryString OPTIONAL,
92 * partyName [1] DirectoryString }
93 */
94
/*
 * Which CHOICE arm of GeneralName (ASN.1 above) a CE_GeneralName /
 * SecCEGeneralName holds. The enumerators are declared in tag order, so
 * each value equals the context-specific tag number of its arm
 * ([0] otherName ... [8] registeredID). Consumers must switch on this
 * value before interpreting the name field, since some arms carry a
 * pointer to a parsed struct and others carry raw contents octets.
 */
typedef enum __CE_GeneralNameType {
    GNT_OtherName = 0,      // [0] OtherName - parsed into CE_OtherName / SecCEOtherName
    GNT_RFC822Name,         // [1] IA5String contents
    GNT_DNSName,            // [2] IA5String contents
    GNT_X400Address,        // [3] ORAddress - left BER-encoded (berEncoded set)
    GNT_DirectoryName,      // [4] Name - parsed into CSSM_X509_NAME on OS X
    GNT_EdiPartyName,       // [5] EDIPartyName - left BER-encoded (berEncoded set)
    GNT_URI,                // [6] IA5String contents
    GNT_IPAddress,          // [7] OCTET STRING contents
    GNT_RegisteredID        // [8] OBJECT IDENTIFIER contents
} CE_GeneralNameType;

/* iOS-style spelling of the same enum; both names denote one type. */
#define SecCEGeneralNameType CE_GeneralNameType
108
#if SEC_OS_OSX

/*
 * OtherName: the type-id OID plus the [0] EXPLICIT value, which this
 * library leaves BER-encoded for the caller to interpret.
 */
typedef struct __CE_OtherName {
    CSSM_OID typeId;
    CSSM_DATA value; // unparsed, BER-encoded
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One GeneralName. How `name` must be read depends on nameType and
 * berEncoded (see the GeneralName discussion above):
 *  - GNT_DirectoryName: name.Data points to a CSSM_X509_NAME and
 *    name.Length == sizeof(CSSM_X509_NAME); berEncoded is CSSM_FALSE.
 *  - GNT_OtherName: name.Data points to a CE_OtherName and
 *    name.Length == sizeof(CE_OtherName); berEncoded is CSSM_FALSE.
 *  - berEncoded == CSSM_TRUE (x400Address, ediPartyName): name holds the
 *    raw BER contents octets; the context-specific tag is not included.
 *  - otherwise: name holds IA5String, OCTET STRING or OID contents.
 * Treating a pointer-carrying entry as bytes, or vice versa, is a type
 * confusion; always dispatch on nameType first.
 */
typedef struct __CE_GeneralName {
    CE_GeneralNameType nameType; // GNT_RFC822Name, etc.
    CSSM_BOOL berEncoded;
    CSSM_DATA name;
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* GeneralNames: numNames entries at generalName; index only within [0, numNames). */
typedef struct __CE_GeneralNames {
    uint32 numNames;
    CE_GeneralName *generalName;
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

/* iOS form of OtherName; value is left BER-encoded, as on OS X. */
typedef struct {
    DERItem typeId;
    DERItem value; // unparsed, BER-encoded
} SecCEOtherName;

/*
 * iOS form of GeneralName. Same contract as CE_GeneralName above, with
 * name.data / name.length in place of name.Data / name.Length and a
 * SecCEOtherName pointer for GNT_OtherName.
 */
typedef struct {
    SecCEGeneralNameType nameType; // GNT_RFC822Name, etc.
    bool berEncoded;
    DERItem name;
} SecCEGeneralName;

/* iOS form of GeneralNames: numNames entries at generalName. */
typedef struct {
    uint32_t numNames;
    SecCEGeneralName *generalName;
} SecCEGeneralNames;

#endif /* SEC_OS_IPHONE */
146
147 /*
148 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
149 *
150 * AuthorityKeyIdentifier ::= SEQUENCE {
151 * keyIdentifier [0] KeyIdentifier OPTIONAL,
152 * authorityCertIssuer [1] GeneralNames OPTIONAL,
153 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
154 *
155 * KeyIdentifier ::= OCTET STRING
156 *
157 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
158 */
#if SEC_OS_OSX
/*
 * AuthorityKeyIdentifier. Each of the three OPTIONAL components has a
 * *Present flag; the paired field is only meaningful when its flag is set
 * (a zero-length keyIdentifier with the flag set is distinct from "absent").
 * generalNames is presumably NULL when generalNamesPresent is false - confirm
 * against the decoder before relying on it.
 */
typedef struct __CE_AuthorityKeyID {
    CSSM_BOOL keyIdentifierPresent;
    CSSM_DATA keyIdentifier;
    CSSM_BOOL generalNamesPresent;
    CE_GeneralNames *generalNames;
    CSSM_BOOL serialNumberPresent;
    CSSM_DATA serialNumber;
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS form; same *Present-flag contract as CE_AuthorityKeyID above. */
typedef struct {
    bool keyIdentifierPresent;
    DERItem keyIdentifier;
    bool generalNamesPresent;
    SecCEGeneralNames *generalNames;
    bool serialNumberPresent;
    DERItem serialNumber;
} SecCEAuthorityKeyID;
#endif /* SEC_OS_IPHONE */
178
179 /*
180 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
181 * SubjectKeyIdentifier ::= KeyIdentifier
182 *
183 * CSSM OID = CSSMOID_SubjectKeyIdentifier
184 */
#if SEC_OS_OSX
/* SubjectKeyIdentifier: the KeyIdentifier OCTET STRING contents, held by value. */
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS form of the same extension, carried as a DERItem. */
typedef DERItem SecCESubjectKeyID;
#endif /* SEC_OS_IPHONE */
190
191 /*
192 * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
193 *
194 * KeyUsage ::= BIT STRING {
195 * digitalSignature (0),
196 * nonRepudiation (1),
197 * keyEncipherment (2),
198 * dataEncipherment (3),
199 * keyAgreement (4),
200 * keyCertSign (5),
201 * cRLSign (6),
202 * encipherOnly (7),
203 * decipherOnly (8) }
204 *
205 * CSSM OID = CSSMOID_KeyUsage
206 *
207 */
#if SEC_OS_OSX
/* KeyUsage BIT STRING packed into 16 bits; see the CE_KU_* masks below. */
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS form; see the SecCEKU_* masks below. */
typedef uint16_t SecCEKeyUsage;
#endif /* SEC_OS_IPHONE */

/*
 * Bit n of the ASN.1 BIT STRING maps to mask 0x8000 >> n, so bit 0
 * (digitalSignature) is the most significant bit of the 16-bit value and
 * bit 8 (decipherOnly) is 0x0080. Test with (ku & CE_KU_xxx); the value is
 * a mask, not an enumeration. Note this group uses #else rather than the
 * #elif SEC_OS_IPHONE used elsewhere in the file, so the SecCEKU_* masks
 * are also defined when neither platform macro is set.
 */
#if SEC_OS_OSX
#define CE_KU_DigitalSignature 0x8000
#define CE_KU_NonRepudiation 0x4000
#define CE_KU_KeyEncipherment 0x2000
#define CE_KU_DataEncipherment 0x1000
#define CE_KU_KeyAgreement 0x0800
#define CE_KU_KeyCertSign 0x0400
#define CE_KU_CRLSign 0x0200
#define CE_KU_EncipherOnly 0x0100
#define CE_KU_DecipherOnly 0x0080
#else /* SEC_OS_IPHONE */
#define SecCEKU_DigitalSignature 0x8000
#define SecCEKU_NonRepudiation 0x4000
#define SecCEKU_KeyEncipherment 0x2000
#define SecCEKU_DataEncipherment 0x1000
#define SecCEKU_KeyAgreement 0x0800
#define SecCEKU_KeyCertSign 0x0400
#define SecCEKU_CRLSign 0x0200
#define SecCEKU_EncipherOnly 0x0100
#define SecCEKU_DecipherOnly 0x0080
#endif /* SEC_OS_IPHONE */
235
236 /*
237 * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
238 *
239 * -- reasonCode ::= { CRLReason }
240 *
241 * CRLReason ::= ENUMERATED {
242 * unspecified (0),
243 * keyCompromise (1),
244 * cACompromise (2),
245 * affiliationChanged (3),
246 * superseded (4),
247 * cessationOfOperation (5),
248 * certificateHold (6),
249 * removeFromCRL (8) }
250 *
251 * CSSM OID = CSSMOID_CrlReason
252 *
253 */
#if SEC_OS_OSX
/*
 * CRLReason ENUMERATED value. This is a single enumerator, not a bit mask:
 * compare for equality against the CE_CR_* constants (contrast
 * CE_CrlDistReasonFlags below, which is OR-able).
 */
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS form; compare against the SecCECR_* constants. */
typedef uint32_t SecCECrlReason;
#endif /* SEC_OS_IPHONE */

/*
 * Values follow the ASN.1 ENUMERATED above; 7 is deliberately unassigned
 * there, which is why RemoveFromCRL is 8. Decoders should reject or flag
 * values outside this list rather than mapping them to a known reason.
 */
#if SEC_OS_OSX
#define CE_CR_Unspecified 0
#define CE_CR_KeyCompromise 1
#define CE_CR_CACompromise 2
#define CE_CR_AffiliationChanged 3
#define CE_CR_Superseded 4
#define CE_CR_CessationOfOperation 5
#define CE_CR_CertificateHold 6
#define CE_CR_RemoveFromCRL 8
#elif SEC_OS_IPHONE
#define SecCECR_Unspecified 0
#define SecCECR_KeyCompromise 1
#define SecCECR_CACompromise 2
#define SecCECR_AffiliationChanged 3
#define SecCECR_Superseded 4
#define SecCECR_CessationOfOperation 5
#define SecCECR_CertificateHold 6
#define SecCECR_RemoveFromCRL 8
#endif /* SEC_OS_IPHONE */
279
280 /*
281 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
282 *
283 * SubjectAltName ::= GeneralNames
284 *
285 * CSSM OID = CSSMOID_SubjectAltName
286 *
287 * GeneralNames defined above.
288 */
289
290 /*
291 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
292 *
 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
294 *
295 * KeyPurposeId ::= OBJECT IDENTIFIER
296 *
297 * CSSM OID = CSSMOID_ExtendedKeyUsage
298 */
#if SEC_OS_OSX
/*
 * ExtKeyUsageSyntax: numPurposes KeyPurposeId OIDs at purposes.
 * NOTE(review): unlike the neighbouring OS X types (and like CE_CrlNumber /
 * CE_DeltaCrl below) this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute - looks like an
 * omission rather than intent; confirm.
 */
typedef struct __CE_ExtendedKeyUsage {
    uint32 numPurposes;
    CSSM_OID_PTR purposes; // in Intel pre-encoded format
} CE_ExtendedKeyUsage;

#elif SEC_OS_IPHONE

/* iOS form: numPurposes OID DERItems at purposes. */
typedef struct {
    uint32_t numPurposes;
    DERItem *purposes; // in Intel pre-encoded format
} SecCEExtendedKeyUsage;
#endif /* SEC_OS_IPHONE */
312
313 /*
314 * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
315 *
316 * BasicConstraints ::= SEQUENCE {
317 * cA BOOLEAN DEFAULT FALSE,
318 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
319 *
320 * CSSM OID = CSSMOID_BasicConstraints
321 */
#if SEC_OS_OSX
/*
 * BasicConstraints. pathLenConstraint is only meaningful when
 * pathLenConstraintPresent is set (the ASN.1 component is OPTIONAL); a
 * value of 0 with the flag set is a real path-length limit, not "absent".
 */
typedef struct __CE_BasicConstraints {
    CSSM_BOOL cA;
    CSSM_BOOL pathLenConstraintPresent;
    uint32 pathLenConstraint;
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

/*
 * iOS form of BasicConstraints. present / critical are not part of the
 * BasicConstraints ASN.1; from their names they record whether the
 * extension was found in the certificate and its criticality bit -
 * confirm against the decoder. isCA mirrors cA above, and
 * pathLenConstraint is gated by pathLenConstraintPresent as on OS X.
 */
typedef struct {
    bool present;
    bool critical;
    bool isCA;
    bool pathLenConstraintPresent;
    uint32_t pathLenConstraint;
} SecCEBasicConstraints;

/*
 * iOS form of PolicyConstraints (id-ce 36), declared here rather than next
 * to its ASN.1, which is given with CE_PolicyConstraints further down. The
 * two *Present flags gate the two OPTIONAL SkipCerts values.
 */
typedef struct {
    bool present;
    bool critical;
    bool requireExplicitPolicyPresent;
    uint32_t requireExplicitPolicy;
    bool inhibitPolicyMappingPresent;
    uint32_t inhibitPolicyMapping;
} SecCEPolicyConstraints;
#endif /* SEC_OS_IPHONE */
348
349 /*
350 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
351 *
352 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
353 *
354 * PolicyInformation ::= SEQUENCE {
355 * policyIdentifier CertPolicyId,
356 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
357 * PolicyQualifierInfo OPTIONAL }
358 *
359 * CertPolicyId ::= OBJECT IDENTIFIER
360 *
361 * PolicyQualifierInfo ::= SEQUENCE {
362 * policyQualifierId PolicyQualifierId,
363 * qualifier ANY DEFINED BY policyQualifierId }
364 *
365 * -- policyQualifierIds for Internet policy qualifiers
366 *
367 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
368 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
369 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
370 *
371 * PolicyQualifierId ::=
372 * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
373 *
374 * Qualifier ::= CHOICE {
375 * cPSuri CPSuri,
376 * userNotice UserNotice }
377 *
378 * CPSuri ::= IA5String
379 *
380 * UserNotice ::= SEQUENCE {
381 * noticeRef NoticeReference OPTIONAL,
382 * explicitText DisplayText OPTIONAL}
383 *
384 * NoticeReference ::= SEQUENCE {
385 * organization DisplayText,
386 * noticeNumbers SEQUENCE OF INTEGER }
387 *
388 * DisplayText ::= CHOICE {
389 * visibleString VisibleString (SIZE (1..200)),
390 * bmpString BMPString (SIZE (1..200)),
391 * utf8String UTF8String (SIZE (1..200)) }
392 *
393 * CSSM OID = CSSMOID_CertificatePolicies
394 *
395 * We only support down to the level of Qualifier, and then only the CPSuri
396 * choice. UserNotice is transmitted to and from this library as a raw
397 * CSSM_DATA containing the BER-encoded UserNotice sequence.
398 */
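#if SEC_OS_OSX

/*
 * One PolicyQualifierInfo. The struct was previously opened in one
 * #if SEC_OS_OSX region and closed in a later one, with the iOS
 * definitions in between; it is now declared contiguously, with the
 * same members and the same preprocessor outcome on every platform.
 *
 * qualifier holds the contents octets, interpreted per policyQualifierId:
 *   CSSMOID_QT_CPS     - IA5String contents (the CPS URI)
 *   CSSMOID_QT_UNOTICE - the BER-encoded UserNotice SEQUENCE, which this
 *                        library does not parse (see the note above).
 */
typedef struct __CE_PolicyQualifierInfo {
    CSSM_OID policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
    CSSM_DATA qualifier;        // CSSMOID_QT_CPS: IA5String contents
                                // CSSMOID_QT_UNOTICE : Sequence contents
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE
#if 0
typedef struct {
    DERItem policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
    DERItem qualifier; // CSSMOID_QT_CPS: IA5String contents
} SecCEPolicyQualifierInfo;
#endif

/*
 * iOS PolicyInformation: the CertPolicyId and the (still DER-encoded)
 * policyQualifiers SEQUENCE, if any.
 */
typedef struct {
    DERItem policyIdentifier;
    DERItem policyQualifiers;
} SecCEPolicyInformation;

/* certificatePolicies: numPolicies entries at policies. */
typedef struct {
    bool present;
    bool critical;
    size_t numPolicies; // size of *policies;
    SecCEPolicyInformation *policies;
} SecCECertificatePolicies;

/* One issuerDomainPolicy -> subjectDomainPolicy pair, both OIDs. */
typedef struct {
    DERItem issuerDomainPolicy;
    DERItem subjectDomainPolicy;
} SecCEPolicyMapping;

/*
PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    issuerDomainPolicy CertPolicyId,
    subjectDomainPolicy CertPolicyId }
*/
typedef struct {
    bool present;
    bool critical;
    size_t numMappings; // size of *mappings;
    SecCEPolicyMapping *mappings;
} SecCEPolicyMappings;

/*
InhibitAnyPolicy ::= SkipCerts
SkipCerts ::= INTEGER (0..MAX)
*/
typedef struct {
    bool present;
    bool critical;
    uint32_t skipCerts;
} SecCEInhibitAnyPolicy;
#endif /* SEC_OS_IPHONE */

#if SEC_OS_OSX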
455
/*
 * PolicyInformation: the CertPolicyId plus its qualifiers.
 * numPolicyQualifiers is the number of entries at policyQualifiers; the
 * ASN.1 qualifiers SEQUENCE is OPTIONAL, so callers must handle a count
 * of zero.
 */
typedef struct __CE_PolicyInformation {
    CSSM_OID certPolicyId;
    uint32 numPolicyQualifiers; // size of *policyQualifiers;
    CE_PolicyQualifierInfo *policyQualifiers;
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
461
/* certificatePolicies: numPolicies PolicyInformation entries at policies. */
typedef struct __CE_CertPolicies {
    uint32 numPolicies; // size of *policies;
    CE_PolicyInformation *policies;
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
466
/*
 * netscape-cert-type, a bit string.
 *
 * CSSM OID = CSSMOID_NetscapeCertType
 *
 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
 * The value is a mask, not an enumeration: test with (ct & CE_NCT_xxx).
 */
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
475
476 /*
477 * CRLDistributionPoints.
478 *
479 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
480 *
481 * cRLDistributionPoints ::= {
482 * CRLDistPointsSyntax }
483 *
484 * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
485 *
486 * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
487 * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
 * because the underlying type also uses an implicit tag to distinguish
 * between CHOICEs.
490 *
491 * DistributionPoint ::= SEQUENCE {
492 * distributionPoint [0] DistributionPointName OPTIONAL,
493 * reasons [1] ReasonFlags OPTIONAL,
494 * cRLIssuer [2] GeneralNames OPTIONAL }
495 *
496 * DistributionPointName ::= CHOICE {
497 * fullName [0] GeneralNames,
498 * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
499 *
500 * ReasonFlags ::= BIT STRING {
501 * unused (0),
502 * keyCompromise (1),
503 * cACompromise (2),
504 * affiliationChanged (3),
505 * superseded (4),
506 * cessationOfOperation (5),
507 * certificateHold (6) }
508 *
509 * CSSM OID = CSSMOID_CrlDistributionPoints
510 */
511
/*
 * ReasonFlags from the ASN.1 above, packed into 8 bits: bit n of the BIT
 * STRING is mask 0x80 >> n. Note that this looks similar to CE_CrlReason,
 * but that's an enum and this is an OR-able bit string - test with
 * (flags & CE_CD_xxx), never by equality. CE_CD_Unspecified is bit 0, which
 * the ASN.1 above names `unused`.
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified 0x80          // bit 0 ("unused" in the ASN.1)
#define CE_CD_KeyCompromise 0x40        // bit 1
#define CE_CD_CACompromise 0x20         // bit 2
#define CE_CD_AffiliationChanged 0x10   // bit 3
#define CE_CD_Superseded 0x08           // bit 4
#define CE_CD_CessationOfOperation 0x04 // bit 5
#define CE_CD_CertificateHold 0x02      // bit 6
525
/*
 * Which arm of the DistributionPointName CHOICE a CE_DistributionPointName
 * holds: [0] fullName or [1] nameRelativeToCRLIssuer.
 */
typedef enum __CE_CrlDistributionPointNameType {
    CE_CDNT_FullName,                 // dpn.fullName is valid
    CE_CDNT_NameRelativeToCrlIssuer   // dpn.rdn is valid
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
530
/*
 * DistributionPointName CHOICE. nameType selects the live member of dpn:
 * CE_CDNT_FullName -> dpn.fullName, CE_CDNT_NameRelativeToCrlIssuer ->
 * dpn.rdn. Reading the other member is a type confusion.
 */
typedef struct __CE_DistributionPointName {
    CE_CrlDistributionPointNameType nameType;
    union {
        CE_GeneralNames *fullName;
        CSSM_X509_RDN_PTR rdn;
    } dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
538
/*
 * The top-level CRLDistributionPoint.
 * All three components are optional. distPointName and crlIssuer are
 * pointers and NULL indicates absence; reasons is held by value and is
 * only meaningful when reasonsPresent is set (it uses the CE_CD_* masks).
 */
typedef struct __CE_CRLDistributionPoint {
    CE_DistributionPointName *distPointName;
    CSSM_BOOL reasonsPresent;
    CE_CrlDistReasonFlags reasons;
    CE_GeneralNames *crlIssuer;
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
549
/* CRLDistPointsSyntax: numDistPoints DistributionPoint entries at distPoints. */
typedef struct __CE_CRLDistPointsSyntax {
    uint32 numDistPoints;
    CE_CRLDistributionPoint *distPoints;
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
554
555 /*
556 * Authority Information Access and Subject Information Access.
557 *
558 * CSSM OID = CSSMOID_AuthorityInfoAccess
559 * CSSM OID = CSSMOID_SubjectInfoAccess
560 *
561 * SubjAuthInfoAccessSyntax ::=
562 * SEQUENCE SIZE (1..MAX) OF AccessDescription
563 *
564 * AccessDescription ::= SEQUENCE {
565 * accessMethod OBJECT IDENTIFIER,
566 * accessLocation GeneralName }
567 */
/*
 * One AccessDescription. accessLocation is a full CE_GeneralName, so its
 * name field must be interpreted via nameType / berEncoded exactly as
 * described for CE_GeneralName above.
 */
typedef struct __CE_AccessDescription {
    CSSM_OID accessMethod;
    CE_GeneralName accessLocation;
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
572
/*
 * SubjAuthInfoAccessSyntax: numAccessDescriptions entries at
 * accessDescriptions. Used for both AuthorityInfoAccess and
 * SubjectInfoAccess (see the OIDs above); the struct itself does not
 * record which of the two it came from.
 */
typedef struct __CE_AuthorityInfoAccess {
    uint32 numAccessDescriptions;
    CE_AccessDescription *accessDescriptions;
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
577
/*
 * Qualified Certificate Statement support, per RFC 3739.
 *
 * First, NameRegistrationAuthorities, a component of
 * SemanticsInformation; it's the same as a GeneralNames -
 * a sequence of GeneralName - so the numNames / generalName contract
 * of CE_GeneralNames applies unchanged.
 */
typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
586
/*
 * SemanticsInformation, identified as the qcType field
 * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
 * Both fields optional; at least one must be present. Both are pointers,
 * so absence is presumably signalled by NULL - confirm against the decoder.
 */
typedef struct __CE_SemanticsInformation {
    CSSM_OID *semanticsIdentifier;
    CE_NameRegistrationAuthorities *nameRegistrationAuthorities;
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
596
/*
 * One Qualified Certificate Statement.
 * The statementId OID is required; zero or one of {semanticsInfo,
 * otherInfo} can be valid, depending on the value of statementId.
 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
 * the semanticsInfo field may be present; otherwise, DER-encoded
 * information may be present in otherInfo. Both semanticsInfo and
 * otherInfo are optional. Check statementId before dereferencing either
 * pointer; otherInfo is opaque DER that this library does not interpret.
 */
typedef struct __CE_QC_Statement {
    CSSM_OID statementId;
    CE_SemanticsInformation *semanticsInfo;
    CSSM_DATA *otherInfo;
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
611
/*
 * The top-level Qualified Certificate Statements extension:
 * numQCStatements CE_QC_Statement entries at qcStatements.
 */
typedef struct __CE_QC_Statements {
    uint32 numQCStatements;
    CE_QC_Statement *qcStatements;
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
619
620 /*** CRL extensions ***/
621
/*
 * cRLNumber, an integer.
 *
 * CSSM OID = CSSMOID_CrlNumber
 *
 * NOTE(review): a 32-bit value; an encoded INTEGER wider than that cannot
 * be represented here, so confirm how the decoder treats such values.
 * Unlike most OS X types in this file, this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute.
 */
typedef uint32 CE_CrlNumber;
628
/*
 * deltaCRLIndicator, an integer.
 *
 * CSSM OID = CSSMOID_DeltaCrlIndicator
 *
 * NOTE(review): same 32-bit width caveat as CE_CrlNumber above, and
 * likewise declared without the DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
 * attribute its neighbours carry.
 */
typedef uint32 CE_DeltaCrl;
635
636 /*
637 * IssuingDistributionPoint
638 *
639 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
640 *
641 * issuingDistributionPoint ::= SEQUENCE {
642 * distributionPoint [0] DistributionPointName OPTIONAL,
643 * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
644 * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
645 * onlySomeReasons [3] ReasonFlags OPTIONAL,
646 * indirectCRL [4] BOOLEAN DEFAULT FALSE }
647 *
648 * CSSM OID = CSSMOID_IssuingDistributionPoint
649 */
/*
 * issuingDistributionPoint (ASN.1 above). distPointName is optional and
 * NULL when absent. Each BOOLEAN DEFAULT FALSE component is represented
 * by a *Present flag (was it encoded at all) plus its value; the value is
 * only meaningful when its flag is set. onlySomeReasons uses the CE_CD_*
 * masks and is gated by onlySomeReasonsPresent.
 */
typedef struct __CE_IssuingDistributionPoint {
    CE_DistributionPointName *distPointName; // optional
    CSSM_BOOL onlyUserCertsPresent;
    CSSM_BOOL onlyUserCerts;
    CSSM_BOOL onlyCACertsPresent;
    CSSM_BOOL onlyCACerts;
    CSSM_BOOL onlySomeReasonsPresent;
    CE_CrlDistReasonFlags onlySomeReasons;
    CSSM_BOOL indirectCrlPresent;
    CSSM_BOOL indirectCrl;
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
661
662 /*
663 * NameConstraints
664 *
665 * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
666 *
667 * NameConstraints ::= SEQUENCE {
668 * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
669 * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
670 *
671 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
672 *
673 * GeneralSubtree ::= SEQUENCE {
674 * base GeneralName,
675 * minimum [0] BaseDistance DEFAULT 0,
676 * maximum [1] BaseDistance OPTIONAL }
677 *
678 * BaseDistance ::= INTEGER (0..MAX)
679 */
/*
 * One GeneralSubtree. minimum defaults to 0 per the ASN.1; maximum is
 * OPTIONAL and only meaningful when maximumPresent is set.
 * NOTE(review): the ASN.1 base is a single GeneralName, but the field is
 * a CE_GeneralNames pointer - confirm with the decoder how many entries it
 * produces before assuming numNames == 1.
 */
typedef struct __CE_GeneralSubtree {
    CE_GeneralNames *base;
    uint32 minimum; // default=0
    CSSM_BOOL maximumPresent;
    uint32 maximum; // optional
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
686
/* GeneralSubtrees: numSubtrees CE_GeneralSubtree entries at subtrees. */
typedef struct __CE_GeneralSubtrees {
    uint32 numSubtrees;
    CE_GeneralSubtree *subtrees;
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
691
/*
 * NameConstraints. Both subtree lists are OPTIONAL in the ASN.1 and are
 * pointers here; NULL means the corresponding list was not present.
 */
typedef struct __CE_NameConstraints {
    CE_GeneralSubtrees *permitted; // optional
    CE_GeneralSubtrees *excluded; // optional
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
696
697 /*
698 * PolicyMappings
699 *
700 * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
701 *
702 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
703 * issuerDomainPolicy CertPolicyId,
704 * subjectDomainPolicy CertPolicyId }
705 *
706 * Note that both issuer and subject policy OIDs are required,
707 * and are stored by value in this structure.
708 */
/* One issuerDomainPolicy -> subjectDomainPolicy pair; both OIDs stored by value. */
typedef struct __CE_PolicyMapping {
    CSSM_OID issuerDomainPolicy;
    CSSM_OID subjectDomainPolicy;
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
713
/* PolicyMappings: numPolicyMappings CE_PolicyMapping entries at policyMappings. */
typedef struct __CE_PolicyMappings {
    uint32 numPolicyMappings;
    CE_PolicyMapping *policyMappings;
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
718
719 /*
720 * PolicyConstraints
721 *
722 * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
723 *
724 * PolicyConstraints ::= SEQUENCE {
725 * requireExplicitPolicy [0] SkipCerts OPTIONAL,
726 * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
727 *
728 * SkipCerts ::= INTEGER (0..MAX)
729 */
/*
 * PolicyConstraints (ASN.1 above). Both SkipCerts values are OPTIONAL and
 * each is only meaningful when its *Present flag is set; 0 with the flag
 * set is a real constraint. The iOS counterpart, SecCEPolicyConstraints,
 * is declared earlier in this file next to SecCEBasicConstraints.
 */
typedef struct __CE_PolicyConstraints {
    CSSM_BOOL requireExplicitPolicyPresent;
    uint32 requireExplicitPolicy; // optional
    CSSM_BOOL inhibitPolicyMappingPresent;
    uint32 inhibitPolicyMapping; // optional
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
736
/*
 * InhibitAnyPolicy, an integer (the SkipCerts value).
 *
 * CSSM OID = CSSMOID_InhibitAnyPolicy
 *
 * The iOS counterpart, SecCEInhibitAnyPolicy, is declared earlier in this
 * file and additionally carries present / critical flags.
 */
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
743
/*
 * An enumerated list identifying one of the above per-extension
 * structs. This is the tag for CE_DataAndType: it names which member of
 * the CE_Data union is valid, and must be checked before that union is read.
 */
typedef enum __CE_DataType {
    DT_AuthorityKeyID,          // CE_AuthorityKeyID
    DT_SubjectKeyID,            // CE_SubjectKeyID
    DT_KeyUsage,                // CE_KeyUsage
    DT_SubjectAltName,          // CE_GeneralNames (CE_Data.subjectAltName)
    DT_IssuerAltName,           // CE_GeneralNames (CE_Data.issuerAltName)
    DT_ExtendedKeyUsage,        // CE_ExtendedKeyUsage
    DT_BasicConstraints,        // CE_BasicConstraints
    DT_CertPolicies,            // CE_CertPolicies
    DT_NetscapeCertType,        // CE_NetscapeCertType
    DT_CrlNumber,               // CE_CrlNumber
    DT_DeltaCrl,                // CE_DeltaCrl
    DT_CrlReason,               // CE_CrlReason
    DT_CrlDistributionPoints,   // CE_CRLDistPointsSyntax
    DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
    DT_AuthorityInfoAccess,     // CE_AuthorityInfoAccess
    DT_Other,                   // unknown, raw data as a CSSM_DATA (CE_Data.rawData)
    DT_QC_Statements,           // CE_QC_Statements
    DT_NameConstraints,         // CE_NameConstraints
    DT_PolicyMappings,          // CE_PolicyMappings
    DT_PolicyConstraints,       // CE_PolicyConstraints
    DT_InhibitAnyPolicy         // CE_InhibitAnyPolicy
} CE_DataType;
771
/*
 * One unified representation of all the cert and CRL extensions we know about.
 * This union is tagged by CE_DataAndType.type (a CE_DataType); only the
 * member matching that tag holds valid data. subjectAltName and
 * issuerAltName are whole CE_GeneralNames sequences, and rawData is used
 * for DT_Other (extensions this library does not decode).
 */
typedef union {
    CE_AuthorityKeyID authorityKeyID;
    CE_SubjectKeyID subjectKeyID;
    CE_KeyUsage keyUsage;
    CE_GeneralNames subjectAltName;
    CE_GeneralNames issuerAltName;
    CE_ExtendedKeyUsage extendedKeyUsage;
    CE_BasicConstraints basicConstraints;
    CE_CertPolicies certPolicies;
    CE_NetscapeCertType netscapeCertType;
    CE_CrlNumber crlNumber;
    CE_DeltaCrl deltaCrl;
    CE_CrlReason crlReason;
    CE_CRLDistPointsSyntax crlDistPoints;
    CE_IssuingDistributionPoint issuingDistPoint;
    CE_AuthorityInfoAccess authorityInfoAccess;
    CE_QC_Statements qualifiedCertStatements;
    CE_NameConstraints nameConstraints;
    CE_PolicyMappings policyMappings;
    CE_PolicyConstraints policyConstraints;
    CE_InhibitAnyPolicy inhibitAnyPolicy;
    CSSM_DATA rawData; // unknown, not decoded
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
798
/*
 * One decoded extension: type selects the live member of extension (see
 * CE_DataType and CE_Data above) and must be consulted before the union
 * is read. From its name, critical carries the extension's criticality
 * flag as encoded in the certificate or CRL - confirm against the decoder.
 */
typedef struct __CE_DataAndType {
    CE_DataType type;
    CE_Data extension;
    CSSM_BOOL critical;
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
804
805 #endif /* SEC_OS_OSX */
806
807 #if SEC_OS_OSX
808 #pragma clang diagnostic pop
809 #endif
810
811 #endif /* _CERT_EXTENSIONS_H_ */